Slashdot Mirror


Malformed Packet Causes Cisco Router DoS

MoreBeer writes "Patch 'em if you've got 'em... Cisco Security Advisory: Cisco IOS Malformed OSPF Packet Causes Reload states that a malformed OSPF packet can cause a router 'reload' (reboot). Vulnerable IOS versions include 12.0S, 12.2, and 12.3 ... If you're not screening OSPF at your perimeter and using OSPF Authentication, now would be a GREAT time to start."

11 of 124 comments

  1. Setup OSPF by BoldAC · · Score: 4, Informative

    I notice that Cisco isn't displaying this on their front page. It seems like they should be screaming for everybody to fix the problem.

    Quick walkthrough that I usually reference:
    Easy example how to setup OSPF Authentication

    AC

    1. Re:Setup OSPF by w1r3sp33d · · Score: 4, Informative

      That would be the same front page that they didn't address the IOS source theft on for several days???

    2. Re:Setup OSPF by Cramer · · Score: 3, Informative

      The home page (www.cisco.com) is not where it belongs. Security notices are available at http://www.cisco.com/go/psirt That's where security people will be looking. (and they'll be subscribed to any number of Cisco emailed alerts.)

  2. OpenBSD by Understudy · · Score: 3, Informative

    May I recommend OpenBSD with carp as an alternative.

    1. Re:OpenBSD by Understudy · · Score: 4, Informative

      T1 cards are readily available in PCI form.

      OpenBSD at work

      Here is one example that uses 802.1Q VLANs.

      # Empire Net (now known as My180.net)
      An ISP in Bend, Oregon, uses OpenBSD on AMD, Intel, and Sun based hardware, for routing, firewalling, IPsec (VPN), bandwidth limiting, web hosting, database servers, network monitoring, intrusion detection, mail servers, backup servers, cache servers, and workstations. One of their OpenBSD routers handles traffic between a T3 and eight fast ethernet ports, also with several 802.1Q VLANs to separate networks for co-location customers and business park tenants. An OpenBSD mail server handles e-mail storage/retrieval and RADIUS authentication for over 5,000 users. Several OpenBSD web servers each handle over 300 web sites.

      The Frame Relay over ATM (FROATM) is supported and this card works with OpenBSD. From the website:
      Sangoma's T1/E1 WAN cards have PCI bus interfaces and incorporate an integrated combination T1 and E1 DSU/CSU for a direct connection between the client's server and the demarc. The cards support major protocols including ATM, Frame Relay, PPP, HDLC and X.25 under all popular operating systems including Linux, Windows, FreeBSD, OpenBSD, Unix and Sun Solaris.

      You can look at the OpenBSD hardware list for more information.

      Currently Asterisk (a VoIP system) is being ported to FreeBSD and OpenBSD. I am not sure if those are complete yet or not, but that can work in coordination with your Voice over ATM (VoATM) and Voice over Frame Relay (VoFR). I realize that VoFR/VoATM is not VoIP, but the system is being designed with that support in mind.

      I realize this may not answer all your points but it will help.

  3. I admit by tomee · · Score: 5, Informative

    I had to look it up. OSPF

  4. Only IOS devices RUNNING OSPF are vulnerable by w1r3sp33d · · Score: 5, Informative
    That rules out most routers, and most switches. If you have followed best practices in your deployment, no internet edge device should be running OSPF, so that shouldn't be a consideration; basically it should boil down to who within the company is trying to crash your routers?

    What a great time to post a link to www.routergod.com! Here are the two parts of Seven of Nine's lecture on OSPF:

    http://www.routergod.com/sevenofnine/

    http://www.routergod.com/sevenofnine/ospf_part_2.html

  5. This will work just as easily... by ewtrowbr · · Score: 3, Informative

    conf t

    ! Drop packets whose source should never appear on an outside interface:
    ! RFC 1918 private space, loopback, link-local, multicast and reserved ranges
    access-list 150 deny ip 10.0.0.0 0.255.255.255 any
    access-list 150 deny ip 127.0.0.0 0.255.255.255 any
    access-list 150 deny ip 169.254.0.0 0.0.255.255 any
    access-list 150 deny ip 172.16.0.0 0.15.255.255 any
    access-list 150 deny ip 192.168.0.0 0.0.255.255 any
    access-list 150 deny ip 224.0.0.0 15.255.255.255 any
    access-list 150 deny ip 240.0.0.0 7.255.255.255 any
    access-list 150 deny ip 248.0.0.0 7.255.255.255 any
    access-list 150 deny ip host 255.255.255.255 any
    ! IP protocol 89 is OSPF: no routing protocol traffic from the outside
    access-list 150 deny 89 any any
    access-list 150 permit ip any any

    ! Apply the list inbound on the exterior interface
    interface
    ip access-group 150 in

    exit
    exit
    wr mem

  6. It's your own damn fault by JakiChan · · Score: 4, Informative

    To be honest, if this causes trouble for you then it's your own damn fault. If you accept OSPF packets from the Internet and/or you're not doing OSPF authentication then you deserve to be pwned.

    1. Don't use an IGP on an exterior interface.
    2. Don't send out routing updates on subnets/interfaces that don't need it. (For those of you with L3 switches that means using the passive-interface command on your vlans.)
    3. If your routing protocol offers an authentication option then use it.

    I used to think these things were obvious. Then I started interviewing other "senior" network engineers and realized they may not be...

    (BTW, kiddies, if you say you're a "senior network engineer" and you say that you know OSPF and I ask you if OSPF uses multicast or unicast and when does it use it/them then you had better be able to answer the question...)

    --
    "Where quality is like a dead stinking rat - you just can't miss it."
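Putting the three points above together as one Cisco IOS configuration (an added example, not from the thread, the advisory or Cisco's documentation; the interface names, OSPF process id, area number and the shared key are placeholders for your own values):

```ios
! Added example, not from the thread or the Cisco advisory. Interface
! names, process id, area and the key are placeholders.
!
! 1. No IGP on the exterior interface, and
! 2. no hellos on links without neighbors: make every interface passive,
!    then re-enable OSPF only on the interior link that has a neighbor.
router ospf 1
 passive-interface default
 no passive-interface FastEthernet0/1
 network 10.0.0.0 0.255.255.255 area 0
 ! 3. The protocol offers authentication, so require MD5 for all of area 0
 area 0 authentication message-digest
!
! Interior link: key id and key must match on the neighbor router
interface FastEthernet0/1
 ip ospf message-digest-key 1 md5 REPLACE-WITH-SHARED-KEY
!
! Exterior link: even though no OSPF process listens here, also drop
! inbound OSPF (IP protocol 89) so a malformed packet never reaches it
ip access-list extended EDGE-IN
 deny ospf any any
 permit ip any any
!
interface Serial0/0
 ip access-group EDGE-IN in
!
! Check: "show ip ospf neighbor" should list neighbors only on
! FastEthernet0/1, and "show ip ospf interface FastEthernet0/1" should
! report that message-digest authentication is enabled.
```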
  7. Alcatel... by zxflash · · Score: 2, Informative

    Seems like the kind of flaw that Alcatel hopes to profit from...
    Alcatel hopes security will get users to switch
    Although, as we all know, if Alcatel were the market leader more people would be finding flaws in Alcatel products instead of Cisco...

    --

    All the torrents you could want.
  8. Re:amusing failover problem with Cisco gear by Cramer · · Score: 2, Informative
    (First a correction... the "failover cable" is not ethernet, it's serial. Take the cover off and look where on the *ahem*PC MOTHERBOARD*cough* the cable goes.)

    • Cisco was incompetent enough to not include a hardware watchdog in the PIX
    If you knew your history, you'd know Cisco didn't design those machines. Cisco bought that company (I forget the name.) The only thing that makes the Pix a Pix is the flash memory card inside there -- in earlier models, it's an ISA card; they have 16M PCI ones now. With one of those cards, you can turn your Dell into a pix :-) The ones Cisco's been designing (506/515/501...) might have a watchdog in there, but I'm not sure.