Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malformed Packet Causes Cisco Router DoS

Posted by CmdrTaco on from the oops-they-did-it-again dept.

MoreBeer writes "Patch 'em if you've got 'em... Cisco Security Advisory: Cisco IOS Malformed OSPF Packet Causes Reload states that a malformed OSPF packet can cause a router 'reload' (reboot). Vulnerable IOS versions include 12.0S, 12.2, and 12.3 ... If you're not screening OSPF at your perimeter and using OSPF Authentication, now would be a GREAT time to start."

37 of 124 comments (clear)

  1. Setup OSPF by BoldAC · · Score: 4, Informative

    I notice that Cisco isn't displaying this on their front page. It seems like they should be screaming for everybody to fix the problem.

    Quick walkthrough that I usually reference:
    Easy example how to setup OSPF Authentication

    AC

    1. Re:Setup OSPF by w1r3sp33d · · Score: 4, Informative

      That would be the same front page that they didn't address the IOS source theft on for several days???

    2. Re:Setup OSPF by Cramer · · Score: 3, Informative

      The home page (www.cisco.com) is not where it belongs. Security notices are available at http://www.cisco.com/go/psirt That's where security people will be looking. (and they'll be subscribed to any number of Cisco emailed alerts.)

  2. Yeah, I better get things patched by Anonymous Coward · · Score: 5, Funny

    Before someone has a chance to reset my r

    1. Re:Yeah, I better get things patched by rwiedower · · Score: 5, Funny

      ...outer. Whew. It's a good thing that man-in-the-middle-attack is working like a charm now.

  3. LessBeer by riptide_dot · · Score: 2, Funny

    Kinda old news actually - the article posted @ 15:00GMT, which is 8:00am my time. But I drank too much beer last night so I wasn't awake...:)

    --
    I was in the park the other day wondering why frisbees get bigger and bigger the closer they get - and then it hit me.
  4. It's simple really... by hot_Karls_bad_cavern · · Score: 4, Insightful

    at the risk of stating the obvious: if you were a new customer and went to a company's site and it was splattered with all manner of warnings, update calls, and exploit workarounds....would you buy that product?

    If you have a cisco, you should already know where the errata, update, exploit-watch pages are and read them everyday. You should already know this. Why would cisco put that shit on the front page?

    1. Re:It's simple really... by Davak · · Score: 3, Insightful

      If you have a glaring security hole, you better tell everybody to patch it because you risk losing your rep.

      Reference:
      Microsoft's previous security plan.

      I love it when I got a company's webpage and they say... "We found out about the error yesterday and we are posting the fix today. Thanks for your support."

      AC

    2. Re:It's simple really... by hot_Karls_bad_cavern · · Score: 4, Interesting

      "... If you have a glaring security hole, you better tell everybody to patch it because you risk losing your rep..."

      If you spent that much on the product, you should be the emails lists about that product. If you really spent a lot, there are plenty of companies that have closed lists for dissemenating exploit info extremely quickly...to the people that should know about it (ie, the people that HAVE the product. If you love reading that companies have fixed things so much, dig about on the site and find the pages with that info...not the front page. i understand what you are saying, but i'm trying to explain to the OP why this might not be on the front page of the site.

    3. Re:It's simple really... by Davak · · Score: 2, Interesting

      We are just going to have to agree to disagree.

      I think security (especially patches for known exploits) should be as public as possible. The trouble-makers scan the security mailing lists more than the average device owner.

      btw, great pics on your site.

    4. Re:It's simple really... by Wescotte · · Score: 2, Insightful

      Would you buy a product from a company that doesn't inform their customers of a serious problem? Personally I'd rather have a company just admit they fucked up and fix it myself.

  5. Bleh by Rosco+P.+Coltrane · · Score: 5, Funny

    Patch 'em if you've got 'em...

    What a crock of shit. Everybody knows Cisco boxes are no route to host

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Bleh by Anonymous Coward · · Score: 2, Funny

      Hahaha LO^^^^}}}}}}&..=3R"}'}'[NO CARRIER]

  6. OpenBSD by Understudy · · Score: 3, Informative

    May I recommend OpenBSD with carp as a alternative.

    1. Re:OpenBSD by w1r3sp33d · · Score: 2, Interesting
      Perhaps you can help me. I would like a bsd box that can terminate 200 802.1Q vlans, two ATM modules for load balancing FROATM links, eight T1's, and some PRI's used as part of a VOATM/VOFR network between pbx's around the world. Which cards can I buy to do this in a PCI form factor?

      Not to call you out, but you are pretty screwed when it comes to routers, honestly Juniper is the only other choice for most of this scenario. Honestly Cisco is the best / only choice for many environments. Personally I like Juniper for the Nettoons http://www.juniper.net/nettoons/

    2. Re:OpenBSD by xrayspx · · Score: 4, Insightful

      No, in this case, I don't believe you may :-)

      I can't get 1 hour support for an Intel/OBSD server from a service provider with a worldwide reputation. If I do get such support, it would have to be guaranteed that they would have every combination of T1 and FastEther card in stock, power supply, etc that would possibly break.

      Sometimes standardization on one vendor worldwide is a GOOD thing. It's no problem to find Cisco support in Europe, South America, North America, Asia, etc. If a company has a router in Singapore and that router fails, would they rather try to find support for an OpenBSD whitebox, or call 1800-Go-Cisco and have someone go replace it immediately? Many international offices don't have full-time IT staffing, so there may not be anyone within an 8 hour plane flight capable of fixing the issue within the company.

      Cisco and the other infrastructure providers make a lot of money for a very good reason, people trust them and can get support anywhere they happen to be.

      Certainly, for a home user or single office with 20 people, one of whom is a BSD junkie, a Unix based router might be a fine idea. However for global organizations with multiple high-bandwidth links between branches, for example, for whom downtime costs many thousands of dollars per hour, there aren't very many options. It's a good thing that what options there are are very solid.

      --
      I like music
    3. Re:OpenBSD by Understudy · · Score: 4, Informative

      T1 cards are readily avaliable in PCI form

      OpenBSD at work

      Here is one example That uses 802.1Q VLANS.

      # Empire Net (now known as My180.net)
      An ISP in Bend, Oregon, uses OpenBSD on AMD, Intel, and Sun based hardware, for routing, firewalling, IPsec (VPN), bandwidth limiting, web hosting, database servers, network monitoring, intrusion detection, mail servers, backup servers, cache servers, and workstations. One of their OpenBSD routers handles traffic on between a T3 and eight fast ethernet ports, also with several 802.1Q VLANs to separate networks for co-location customers and business park tenants. An OpenBSD mail server handles e-mail storage/retrieval and RADIUS authentication for over 5,000 users. Several OpenBSD web servers each handle over 300 web sites.

      The Frame Relay over ATM (FROATM) is supported and this card works with OpenBSD. From the website:
      Sangoma's T1/E1 WAN cards have PCI bus interfaces and incorporate an integrated combination T1 and E1 DSU/CSU for a direct connection between the client's server and the demarc. The cards support major protocols including ATM, Frame Relay, PPP, HDLC and X.25 under all popular operating systems including Linux, Windows, FreeBSD, OpenBSD, Unix and Sun Solaris.

      You can look at the OpenBSD hardware list for more information.

      Currently Asterik (a VOIP system)is being ported to FreeBSD and OpenBSD. I am not sure if those are complete yet or not but, that can work in coordination with your Voice over ATM (VOATM) and Voice over Frame Relay (VOFR). I realize that VOFR/VOATM is not VOIP but the system is being designed with that support in mind.

      I realize this may not answer all your points but it will help.

    4. Re:OpenBSD by w1r3sp33d · · Score: 2, Interesting
      WOW! What great information on WANizing a BSD box! Thank you very much for the links.

      Asterik is a wonderful little system that I have been a fan of for quite a while. I cannot wait until it can support the large type of environment I generally build and support.

      VoATM and VoFR is really not a big deal when you get into it, just a few extra caveats to watch out for once you have a solid understanding of VOIP. I do feel the need to blast out one rant: I wish people could understand the difference between: Voice over IP, IP Telephony, Voice over Internet, and channelized toll bypass. VoIP and IP Telephony get such a bad rap on /. and elsewhere when people are using non QOS devices across an uncontrolled media to try to deliver voice packets in a timely manner over the internet. End rant, my apologies to all innocent bystanders.

    5. Re:OpenBSD by Oddly_Drac · · Score: 2, Interesting

      "However for global organizations with multiple high-bandwidth links between branches, for example, for whom downtime costs many thousands of dollars per hour, there aren't very many options. It's a good thing that what options there are are very solid."

      While I agree with almost all of your points...Dude, CISCO have a vulnerability to malformed packets and they appear to be staying quiet about it. How solid are you trying to tell people is solid? Have you ever tried to get Cisco out to swap out a router? Don't you know about the word 'redundancy'? Don't you even consider that this faith in a company with an 800 number is....umm....naive?

      --
      Oddly Draconis
      Too cynical to live, too stubborn to die.
  7. I admit by tomee · · Score: 5, Informative

    I had to look it up. OSPF

  8. Only IOS devices RUNNING OSPF are vulnerable by w1r3sp33d · · Score: 5, Informative
    That rules out most routers, and most switches. If you have followed best practices in your deployment, no internet edge device should be running OSPF so that shouldn't be a consideration, basically it should boil down to who within the company is trying to crash your routers?

    What a great time to post a link to www.routergod.com! Here are the two parts of Seven of Nine's lecture on OSPF:

    http://www.routergod.com/sevenofnine/

    http://www.routergod.com/sevenofnine/ospf_part_2.h tml

  9. It depends by Flower · · Score: 2, Interesting

    I don't have to patch a single router. We don't use OSPF and it isn't turned on by default. This isn't like there is some hidden service that I'm not expecting the device to be running and now I must absolutely patch.

    --
    I don't want knowledge. I want certainty. - Law, David Bowie
  10. This will work just as easily... by ewtrowbr · · Score: 3, Informative

    conf t

    access-list 150 deny ip 10.0.0.0 0.255.255.255 any
    access-list 150 deny ip 127.0.0.0 0.255.255.255 any
    access-list 150 deny ip 169.254.0.0 0.0.255.255 any
    access-list 150 deny ip 172.16.0.0 0.15.255.255 any
    access-list 150 deny ip 192.168.0.0 0.0.255.255 any
    access-list 150 deny ip 224.0.0.0 15.255.255.255 any
    access-list 150 deny ip 240.0.0.0 7.255.255.255 any
    access-list 150 deny ip 248.0.0.0 7.255.255.255 any
    access-list 150 deny ip host 255.255.255.255 any
    access-list 150 deny 89 any any
    access-list 150 permit ip any any

    interface
    ip access-group 150 in

    exit
    exit
    wr mem

  11. It's your own damn fault by JakiChan · · Score: 4, Informative

    To be honest, if this causes trouble for you then it's your own damn fault. If you accept OSPF packets from the Internet and/or you're not doing OSPF authentication then you deserve to be pwned.

    1. Don't use an IGP on an exterior interface.
    2. Don't send out routing updates on subnets/interfaces that don't need it. (For those of you with L3 switches that means using the passive-interface command on your vlans.)
    3. If your routing protocol offers an authentication option then use it.

    I used to think these things were obvious. Then I started interviewing other "senior" network engineers and realized they may not be...

    (BTW, kiddies, if you say you're a "senior network engineer" and you say that you know OSPF and I ask you if OSPF uses multicast or unicast and when does it use it/them then you had better be able to answer the question...)

    --
    "Where quality is like a dead stinking rat - you just can't miss it."
    1. Re:It's your own damn fault by router_ninja · · Score: 2, Insightful

      I actually agree with your solution(s) as a whole but to be a bit nitpicky (just because of your condescending attitude concerning the "kiddies") #2 alone will not protect you from an exploit of this vulnerability. Passive = not sending ospf but will still receive. But since you have "senior" level knowledge and all, I'm sure you knew this already.

      --
      CINCINNATI BELL IS TEH SUCK.
    2. Re:It's your own damn fault by Zarhan · · Score: 3, Insightful

      (BTW, kiddies, if you say you're a "senior network engineer" and you say that you know OSPF and I ask you if OSPF uses multicast or unicast and when does it use it/them then you had better be able to answer the question...)

      I know most of these things, altough I'm not sure right now (2 am, and I've been on vacation for the last three weeks) what (if any) are the considerations on point-to-point or p-mp (Non-broadcast) links or other more special cases. However, I wouldn't in my right mind call myself a "senior network engineer".

      Oh well, I guess it comes with the fact that the more educated you are, the more modest you get.

      However, I don't really thing that the details are too important. I know OSPF is a link-state protocol where every node in a network knows states of all the other links in an area and calculates Shortest Path using Dijkstra's algorith. IS-IS is similar. RIP is not. If I need to suddenly remember what exact numbering scheme was there for the link-types 1-7 I can always look up a reference (L5 are external routes, L7 are NSSA routes, cannot really remember the rest nor do I care? Show ip route ospf tells me all I need to know on whether it is intra-area or inter-area).

      Just pointing out that you really cannot evaluate someone's knowledge by posing questions about minor details unless you are perhaps hiring somebody with a CCIE (and then you can probably start with more obscure ones about DECNet).

      (Anecdotal note: I was hired as a trainee by my current employer probably because I confessed in the interview setting up LANs with IPX/SPX back in -94 so that all us kids could play Doom. I guess they went for the enthusiasm and my genuine interest. Granted, later I was able to shine when the boss was around and I was just discovering an obscure bug in two different vendors' BGP stacks timer synchronization - Don't know if that had any effect by I got hired permanently).

    3. Re:It's your own damn fault by JakiChan · · Score: 2, Insightful

      Just pointing out that you really cannot evaluate someone's knowledge by posing questions about minor details unless you are perhaps hiring somebody with a CCIE

      Well, if the person you are interviewing says they are an expert on OSPF I think that it is a fair question. What's kinda curious is the number of CCIEs that can't answer the question. I guess when I'm looking for people I want someone who knows what the protocol is supposed to do not just how to configure it.

      As the man said, "You have to learn why things work aboard a starship."

      --
      "Where quality is like a dead stinking rat - you just can't miss it."
    4. Re:It's your own damn fault by Cramer · · Score: 2, Insightful

      ... or people who just finished a Cisco exam. Generally speaking, you're never going to walk into a situation where you need to know all of the LSA types, their uses, and their interactions. It only takes a few seconds to look that stuff up.

      It'd be more productive to ask them how to find bits and pieces of information within the OSPF LSDB.

  12. Alcatel... by zxflash · · Score: 2, Informative

    Seems like the kind of flaw that Alcatel hopes to profit from...
    Alcatel hopes security will get users to switch
    Although as we all know if Alcatel was the market leader more people would be finding flaws in Alcatel products instead of Cisco...

    --

    All the torrents you could want.
  13. In other news, by mobby_6kl · · Score: 3, Funny

    Malformed color scheme Causes Eyes to Bleed

    "Slashdot Security Advisory: Slashdot Color Scheme states that a malformed IT Color Scheme can cause a eyes to 'bleed' (fall out). Vulnerable /. sections include IT and Games. If you're not already using a /. deuglifyer, you should use the fix provided here."

    1. Re:In other news, by Cramer · · Score: 2, Interesting

      "compatable"? Are you kidding?! [E]IGRP is Cisco's proprietry [and patented] routing protocol. However, it is very well publicly documented. If EVERY network device needing to participate in routing is made by Cisco, then yes, [E]IGRP is a good choice. However, this is rarely true and OSPF is the only viable alternative.

      (BTW, Cisco supports EIGRP for more than just IP.)

  14. amusing failover problem with Cisco gear by SuperBanana · · Score: 4, Interesting

    A few years ago I worked at a place where we had two Cisco PIX (the 1U widgets, dunno what model, sorry) in a failover configuration. For those that don't know, you can run two kinds- stateful and non-stateful failover.

    In stateful failover mode, the two units share their connection state info over a dedicated ethernet crossover cable- in theory, if one unit's hardware shits the bed, the other one immediately notices and takes over, and all users will notice is maybe a few seconds pause in everything, if that. It's all very clean and good, the slave even takes over the MAC address of the failed unit (something they've patented, and hence isn't useable in Linux HA; Linux has to force an ARP announcement, which is messier. Goooooo Cisco!)

    Anyway, that's great, except when you have a software defect. Oh, say...where the PIX OS (PIXes didn't run IOS or whatever, they ran a separate OS unique to the PIX family) gets into a certain situation based on state and locks up hard.

    Well, guess what happens to its twin, running the same PIX OS version, and sharing the same data? Yup, it crashes too.

    The pair actually did it once right in front of us- one stopped blinking its lights...the master/slave light blipped on the backup unit, and then a few seconds later, it too crashed- and everything ground to a halt.

    It was terribly amusing that Cisco was incompetent enough to not include a hardware watchdog in the PIX box so that if it hung it would reboot itself; my Sonicwall SOHO has this, why can't a PIX for chrissakes? The problem only happened every few days, and would have been manageable(ie ignorable ;-) if they had both simply rebooted themselves. Instead, someone had to trundle in and power cycle both of them, until we figured out that it was state-based, and disabled stateful failover. Then someone just had to check every day to make sure one of them hadn't kicked the bucket.

    --
    Please help metamoderate.
    1. Re:amusing failover problem with Cisco gear by Cramer · · Score: 2, Informative
      (First a correction... the "failover cable" is not ethernet, it's serial. Take the cover off and look where on the *ahem*PC MOTHERBOARD*cough* the cable goes.)

      • Cisco was incompetent enough to not include a hardware watchdog in the PIX
      If you knew your history, you'd know Cisco didn't design those machines. Cisco bought that company (I forget the name.) The only thing that makes the Pix a Pix is the flash memory card inside there -- in ealier models, it's an ISA card; they have 16M PCI ones now. With one of those cards, you can turn your Dell into a pix :-) The one's Cisco's been designing (506/515/501...) might have a watchdog in there, but I'm not sure.
  15. The Mysterious Cisco TAC ... Revealed! by twigles · · Score: 2, Funny

    TAC is a little shell script that pretends to correspond with you a little bit, then tells you to upgrade your IOS. Seriously, I've opened a lot of tickets with TAC in the last few years and that has been their answer in every single one.

    At least they could have used perl or something so the correspondence part didn't take as long.

  16. AGREED by router_ninja · · Score: 2, Interesting
    I've been working with Cisco equipment for over 6 years. The TAC used to be OUTSTANDING. Now they are for shit. In my opinion it all started once they started moving most of the calls to Mexico etc.

    Step 1.) Tell customer to upgrade ios even though you cannot pin point a root cause or data that supports this as a reasonable solution.

    Step 2.) Tell customer they have a worm running rampant in the network. When asked by the customer why you think this is the case, do not repond for several days. When you do respond, ask only if they have taken care of the worm.

    --
    CINCINNATI BELL IS TEH SUCK.
    1. Re:AGREED by Cramer · · Score: 2, Interesting

      You have to get past the first 3 or 4 tiers of toadies to find a real engineer. We had problems with the 7400 for 6 months. We even had our very own IOS build for it (didn't help)... Then one day the arguements got high enough to find a real TAC Engineer (tm) -- his very first question fixed the whole problem: What's the PCB model number (the last two digits, -XX)?... Motherboard engineering defect that had been published for 4 months. (show tech includes the show diag output, so they knew it was bad hadrware with the very first ticket.) It would appear he was the only TAC engineer in RTP who knew about that field notice and recall.

  17. Prob is still there by Alejo · · Score: 2, Insightful
    I wouldn't recomend OpenBSD as replacement for everyone. Actually IMHExperience most network admins don't know the real protocols below their Cisco routers. They are more about the manuals and cisco howtos. Sure there are many great guys knowing a lot, but these are rare lately (in proportion, ppl don't dissapear or forget all they know).

    So I recomend ppl to go study the noncomercial docs (books specs rfcs papers whatever) FIRST, then do the manuals. Else you don't know for real how things work. You're almost a certified acronym freak.

    Very dangerous how nowadays the default to get a "network admin" is looking just for CCNA or CCIE or whatever thing they make up. Not even M$ has a hold of a market like this. Compare in contrast programming (pick language), unix admin... Though i wouldn't be surprised the Java world does the same trick; they have that attitude.

    Also, don't you think its a very bad situation where most internet termination ends up on one single company? When they start to own standards comitees and thus decide what gets in or out? I have very bad experience dealing with this kind. They don't have the researcher's view, or the ppl who do it just because they like the subject.

    IMHO this is companies taking over. With all what that implies. And no government or organization is putting a limit. And the user base doesn't respond as on other cs areas. It feels quite sad for some of us.