[scg-sec] Telnet Vulnerability

Jared Mauch jared at puck.nether.net
Thu Aug 26 16:18:55 EDT 2004


	Wendy,

	Do you know where any of the Cisco acl infrastructure improvement
code is at, and going to FCS?

	Is there a feature number that I can reference with my account
team?

	- jared

On Thu, Aug 26, 2004 at 01:14:46PM -0700, Wendy Garvin wrote:
> 
> Folks,
> 
> The detail about the window size will be withheld from the initial advisory
> in order to give customers time to implement the vty acl. Since we can't
> write ACLs to block a connection based on the window size, there doesn't
> seem to be any value in releasing this detail at first. At some point, we'll
> want IDS vendors to be able to detect this and we'll release the details
> then. The idea is to buy time. We may release this detail to the nsp-sec
> list before we put it in the advisory.
> 
> Thanks, and let me know if you think you see attempted exploitation. I wish
> we could detect this with netflow. If any of you employ IDS systems and can
> write custom signatures, we'd sure like to know if you get attacked.
> 
> Paul - Can Junipers do ACLs based on window size?
> 
> By the way, we're considering this an annoyance attack rather than a
> production affecting attack, as it doesn't affect other TCP based protocols
> like BGP or LDP. The worst we can see happening is that people are locked
> out of managing their routers until they can get someone on site. While this
> is not a good situation, at least the device is still routing and switching
> traffic. We're also interested in knowing if that risk assessment misses
> anything from your deployment point of view.
> 
> Thanks,
> 
> -Wendy
> 
> > Battles, Timothy A (Tim), ALABS <tmbattles at att.com> [2004-08-26 11:51] wrote:
> > 
> > Ohh, and clear line vty x
> > 
> > Will not work.
> > 
> > must be a clear tcp
> > 
> > >-----Original Message-----
> > >From: Jared Mauch [mailto:jared at puck.nether.net]
> > >Sent: Thursday, August 26, 2004 1:43 PM
> > >To: Battles, Timothy A (Tim), ALABS
> > >Cc: scg-sec at puck.nether.net
> > >Subject: Re: [scg-sec] Telnet Vulnerability
> > >
> > >
> > >	so if there is a vty acl, we're safe, or semi-safe (ie: hosts in the
> > >acl only that can do 3-way).
> > >
> > >	- jared
> > >
> > >On Thu, Aug 26, 2004 at 02:39:19PM -0400, Battles, Timothy A (Tim), ALABS wrote:
> > >> 
> > >> Cisco Day1 VTY Vulnerability
> > >> 
> > >> We have recently by accident discovered the following.
> > >> 
> > >> After completing a 3-Way handshake with IOS and sending a Window size
> > >> of 0, the VTY handler becomes confused and will not allow other
> > >> sessions to become established; SYN-ACKs will be received from the
> > >> router.
> > >>  
> > >> In order to clear the session a
> > >> 
> > >> clear tcp tcb xxxxxxxx
> > >> clear tcp line x
> > >> clear tcp line vty x
> > >> 
> > >> 
> > >> needs to be issued.
> > >> 
> > >> 
> > >> Some clarifiers
> > >> This affects both telnet and ssh.
> > >> The packet cannot be spoofed.
> > >> This is IOS only. Day 1
> > >> 
> > >> 
> > >> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> > >> Timothy A Battles
> > >> AT&T IP Network Security Group
> > >> Work: (314)770-3326
> > >> Cell: (314)280-4578
> > >> Fax:  (314)770-9568
> > >> Email: tmbattles at att.com
> > >> 12976 Hollenberg Drive
> > >> Bridgeton, MO 63044-2407
> > >> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> > >> 
> > >> _______________________________________________
> > >> scg-sec mailing list
> > >> scg-sec at puck.nether.net
> > >> https://puck.nether.net/mailman/listinfo/scg-sec
> > >
> > >-- 
> > >Jared Mauch  | pgp key available via finger from jared at puck.nether.net
> > >clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
> > >
> > 
> 
> -- 
> Wendy Garvin - Cisco PSIRT - 408 525-1888 CCIE# 6526
> ----------------------------------------------------
>            http://www.cisco.com/go/psirt

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
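One way to implement the custom IDS check Wendy asks the list about, written as an added example that is not part of this thread and not Cisco's or any IDS vendor's code: a small stateful Python detector run over a constructed list of decoded TCP segments. It assumes the trigger as Tim describes it (a completed three-way handshake to a vty port followed by the client advertising a window of 0), that the vty services are telnet and ssh on ports 23 and 22, and that segments arrive already decoded as (src, sport, dst, dport, flags, window) records; the addresses in the sample and the `Segment`, `VTY_PORTS`, `find_zero_window_sessions` and `demo` names are all constructed for the example.

```python
"""Flag vty sessions that advertise window 0 right after the handshake.

Added example (not from the scg-sec thread or any vendor). Packet records,
addresses and the vty port list are constructed assumptions.
"""
from collections import namedtuple

# Constructed record of one decoded TCP segment (no real capture is parsed here).
Segment = namedtuple("Segment", "src sport dst dport flags window")

# Assumption: the vty services exposed on the router (telnet and ssh, per the thread).
VTY_PORTS = {22, 23}


def find_zero_window_sessions(segments, max_client_segments=3):
    """Return (client, router, port) for each vty session in which the client
    completed the three-way handshake and then advertised window 0 within its
    first `max_client_segments` segments after the router's SYN-ACK.

    A zero window is legitimate once a receiver's buffer fills, so the check
    is confined to the start of the session, where an interactive telnet/ssh
    client has nothing buffered. A SYN carrying window 0 that never completes
    the handshake is not reported: the thread notes the trigger cannot be
    spoofed, i.e. the handshake must actually complete.
    """
    state = {}      # (client, cport, router, rport) -> {"stage": str, "seen": int}
    reported = set()
    hits = []
    for s in segments:
        if s.dport in VTY_PORTS:
            key, from_client = (s.src, s.sport, s.dst, s.dport), True
        elif s.sport in VTY_PORTS:
            key, from_client = (s.dst, s.dport, s.src, s.sport), False
        else:
            continue                      # not vty traffic

        if from_client and s.flags == "S":
            state[key] = {"stage": "syn", "seen": 0}   # new session (or SYN retransmit)
            continue
        st = state.get(key)
        if st is None:
            continue                      # mid-stream session, handshake not observed

        if not from_client:
            if st["stage"] == "syn" and s.flags == "SA":
                st["stage"] = "synack"
            continue

        # Client segment after the SYN-ACK: the final ACK, then data/keepalives.
        if st["stage"] == "synack" and "A" in s.flags:
            st["stage"] = "established"
        if st["stage"] != "established":
            continue
        st["seen"] += 1
        if s.window == 0 and st["seen"] <= max_client_segments and key not in reported:
            reported.add(key)
            hits.append((key[0], key[2], key[3]))
    return hits


# Constructed sample stream: one lock-up attempt, one normal ssh login, one
# zero-window SYN that never completes, and one unrelated HTTP session.
SAMPLE = [
    Segment("198.51.100.7", 40001, "192.0.2.1", 23, "S", 8192),
    Segment("192.0.2.1", 23, "198.51.100.7", 40001, "SA", 4128),
    Segment("198.51.100.7", 40001, "192.0.2.1", 23, "A", 0),        # window 0 after handshake
    Segment("203.0.113.5", 51000, "192.0.2.1", 22, "S", 65535),
    Segment("192.0.2.1", 22, "203.0.113.5", 51000, "SA", 4128),
    Segment("203.0.113.5", 51000, "192.0.2.1", 22, "A", 65535),
    Segment("203.0.113.5", 51000, "192.0.2.1", 22, "PA", 65535),
    Segment("198.51.100.9", 40002, "192.0.2.1", 23, "S", 0),        # handshake never completes
    Segment("198.51.100.7", 40003, "192.0.2.1", 80, "S", 8192),
    Segment("192.0.2.1", 80, "198.51.100.7", 40003, "SA", 4128),
    Segment("198.51.100.7", 40003, "192.0.2.1", 80, "A", 0),        # not a vty port, ignored
]


def demo():
    """Run the detector over the constructed sample; one hit is expected."""
    return find_zero_window_sessions(SAMPLE)


if __name__ == "__main__":
    for client, router, port in demo():
        print(f"possible vty lock-up: {client} -> {router}:{port} "
              f"advertised window 0 immediately after the handshake")
```

This needs packet-level visibility (a span port or tap in front of the management interfaces), which is the same limitation Wendy raises about NetFlow: flow records carry no window field, so the condition simply is not visible there. The `max_client_segments` bound is what keeps ordinary zero-window flow control out of the alerts; tune it against your own management traffic before trusting it. Detection complements rather than replaces the vty access-class ACL the thread recommends, since the ACL is what stops an unauthorised host from completing the handshake at all.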