[scg-sec] Cisco Security Advisory: Cisco IOS Malformed OSPF Packet Causes Reload
Barry Raveendran Greene
bgreene at cisco.com
Wed Aug 18 13:13:38 EDT 2004
Add to that, once you know the malformed packet, you have to craft
the attack vector. OSPF does have crude source address checks (i.e.
you need to match the OSPF network mask on that interface). You also
need to know the OSPF area, hello timers, and a bunch of other
things. Then you need to enter an interface on the targeted router
that does not have OSPF in passive mode or turned off. So if my
crafted packet comes in to interface pos 0/0 targeting interface pos
2/1, then pos 0/0 has to have OSPF turned on. If it is turned off
(passive or not configured) the crafted packet targeting pos 2/1 will
drop.

Passive interface/no OSPF will not protect against an attack on
another router. So if my peering router has passive interface turned
on on the peering link, packets targeting some other router in the
middle of my network will still work.

Bottom line, I had to do some head scratching to figure out a
feasible attack vector into a network - after I turned off all the
various OSPF security techniques in my lab. MD5, Passive-interface
default, and managing what you advertise to the world make it really
hard to go after OSPF.

> -----Original Message-----
> From: scg-sec-bounces at puck.nether.net
> [mailto:scg-sec-bounces at puck.nether.net] On Behalf Of Wendy Garvin
> Sent: Wednesday, August 18, 2004 9:53 AM
> To: Sean Donelan
> Cc: scg-sec at puck.nether.net
> Subject: Re: [scg-sec] Cisco Security Advisory: Cisco IOS
> Malformed OSPFPacket Causes Reload
>
>
>
> The munged packets are not known outside of us, it was found
> internally and we're counting on having a good deal of time
> before it's figured out. OSPF has a big header with lots of
> fields and combinations of fields, it's not intuitive to guess.
>
> If you can monitor for OSPF packets coming in from the edge,
> that should give you some warning, if you need more specifics
> let me know (in email) and I'll call you. Right now I'm on
> all my phones.
>
> -Wendy
>
> > Sean Donelan <sean at donelan.com> [2004-08-18 09:12] wrote:
> > On Wed, 18 Aug 2004, Wendy Garvin wrote:
> > > If you want a technical call on this to come up to speed
> > > quickly, please let me know. Our best technical resource is in
> > > Europe, so let's shoot for no later than 11 PDT/3 EDT.
> >
> > I guess Wendy is back from vacation.
> >
> > The IS-IS backbones probably don't care. But for the OSPF backbones,
> > any idea if the magic packet(s) are known outside of the vendor? Or
> > do we have a few hours before it is reverse-engineered?
> >
> > Thanks,
> > sean.
> >
> >
> > [ ----- End of Included Message ----- ]
>
> --
> Wendy Garvin - Cisco PSIRT - 408 525-1888 CCIE# 6526
> ----------------------------------------------------
> http://www.cisco.com/go/psirt
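
An added example (not from the original thread and not Cisco's code): a simplified Python model of the receive-side preconditions Barry lists, combined with Wendy's suggestion to watch for OSPF arriving from the edge. The interface table, addresses, verdict names and sample packets are constructed for illustration; hello timers and authentication are not modelled.

```python
import ipaddress
import struct

OSPF_PROTO = 89  # IP protocol number assigned to OSPF

# Constructed interface table: addresses, areas and roles are made up for this example.
INTERFACES = {
    "pos0/0": {"net": ipaddress.ip_network("192.0.2.0/30"), "area": "0.0.0.0",
               "ospf": False, "edge": True},    # passive / not configured
    "pos2/1": {"net": ipaddress.ip_network("198.51.100.0/30"), "area": "0.0.0.0",
               "ospf": True, "edge": False},
}

def parse_ospf(packet: bytes):
    """Return (source address, area ID) of an IPv4/OSPF packet, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != OSPF_PROTO or len(packet) < ihl + 24:
        return None  # not OSPF, or shorter than the 24-byte OSPF header
    # OSPF header starts: version, type, length, router ID, area ID
    _ver, _type, _len, _rid, area = struct.unpack("!BBH4s4s", packet[ihl:ihl + 12])
    return ipaddress.ip_address(packet[12:16]), str(ipaddress.ip_address(area))

def classify(ingress: str, packet: bytes) -> str:
    """Apply the preconditions the message lists to a packet received on `ingress`."""
    parsed = parse_ospf(packet)
    if parsed is None:
        return "not-ospf"
    src, area = parsed
    ifc = INTERFACES[ingress]
    if not ifc["ospf"]:  # OSPF off or passive on the ingress interface
        return "alert-edge" if ifc["edge"] else "drop-ospf-off"
    if src not in ifc["net"]:
        return "drop-bad-source"
    if area != ifc["area"]:
        return "drop-area-mismatch"
    return "pass-to-ospf"

def sample(src: str, area: str) -> bytes:
    """Constructed, well-formed sample: IPv4 header plus a bare OSPF header."""
    ip = bytes([0x45, 0, 0, 44, 0, 0, 0, 0, 1, OSPF_PROTO, 0, 0])
    ip += ipaddress.ip_address(src).packed + ipaddress.ip_address("224.0.0.5").packed
    return ip + struct.pack("!BBH4s4sHH8s", 2, 1, 24, bytes([203, 0, 113, 1]),
                            ipaddress.ip_address(area).packed, 0, 0, bytes(8))

if __name__ == "__main__":
    print(classify("pos0/0", sample("192.0.2.1", "0.0.0.0")))     # edge, OSPF off
    print(classify("pos2/1", sample("198.51.100.1", "0.0.0.0")))  # matches config
```

The model covers only packets handled by the receiving router itself; as the message notes, a passive interface on one router does nothing for packets forwarded on toward another router.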