Cisco IOS ICMP redirect DoS


Date: Tue, 21 May 2002 12:37:09 +0200
From: FX <fx@phenoelit.de.>
To: [email protected]
Subject: Cisco IOS ICMP redirect DoS

Hi List,

attached is an advisory concerning a DoS condition in Cisco IOS. 
A copy of the file can be found at 
http://www.phenoelit.de/stuff/CiscoICMP.txt

Regards,
FX
-- 
         FX           <fx@phenoelit.de.>
      Phenoelit   (http://www.phenoelit.de)
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564


Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #(0815++)++>

[ Authors ]
        FX		<fx@phenoelit.de.>
        FtR 		<ftr@phenoelit.de.>
        kim0 		<kim0@phenoelit.de.>

        Phenoelit Group	(http://www.phenoelit.de)

[ Affected Products ]
        Cisco IOS - several versions

        Known vulnerable combinations:
        Cisco 1005	IOS 11.0(18)
        Cisco 1603	IOS 11.3(11b)
        Cisco 1603	IOS 12.0(3)
        Cisco 2503	IOS 11.0(22a)
        Cisco 2503	IOS 11.1(24a)

        Known to be not vulnerable:
        Cisco 1603	IOS 12.1(11)
        Cisco 1603	IOS 12.2(5)
        Cisco 2503	IOS 11.2(26a)
        Cisco 2503	IOS 11.3(11b)
        Cisco 2503	IOS 12.0(19)

        Cisco Bug ID: 		CSCdx32056

[ Vendor communication ]
        11/16/2001 to 05/05/2002
                        Contacted Cisco 8 times over past 6 months
                        concerning status.
        05/07/2002      Gaus says Cisco developers assigned a low priority
                        to the bug.
        05/11/2002      Provide a copy of this file to Cisco prior to
                        publication.
        05/20/2002      Final corrections by Cisco included.
        05/21/2002      Info from Cisco: Fix available shortly.

[ Overview ]
        Cisco Systems IOS is vulnerable to a denial-of-service attack using
        ICMP Redirect messages.

        When flooded with ICMP redirect messages, the IOS uses up all its
        memory to store the new host routes. The device is then unable to
        perform operations that need additional memory such as receiving
        routing updates and accepting inbound telnet(1) connections.
        
[ Description ]
        ICMP redirect messages are used in IP networks to inform a sending
        device about inefficient routing. Cisco IOS software stores redirect
        messages it receives in memory for further consultation. They do not
        become part of the normal routing table.

        When generating ICMP redirect messages with random IP addresses in the
        "offending packet" section of the ICMP frame, IOS will include this IP
        address in its ICMP redirection table. In the vulnerable versions of
        IOS, this table has no size limit. Later versions of IOS enforce a
        limit of 16000 redirects and therefore limit the amount of used
        memory to approximately 1.16MB.

        Some device/IOS combinations tested were unable to perform normal IP
        routing for a limited time, but most combinations continued to
        function as a router. In some cases, even access to the console was 
        denied because of low memory.

        According to Gaus ([email protected]), affected devices should recover
        after 4 hours since the redirect table entries time out. However,
        vulnerable versions tested did not recover.

[ Example ]
        To generate random ICMP redirect messages, a sender tool is available 
        at http://www.phenoelit.de/irpas/icmp_redflod.c, which has to be
        linked with the IRPAS packet library.

        linuxbox# cd /where/irpas/is
        linuxbox# make libpackets.a
        linuxbox# gcc -o icmp_redflod -I. -L. icmp_redflod.c -lpackets
        linuxbox# ./icmp_redflod -i eth0 -D <destination_ip> -G <fake_gateway>

        On high bandwidth networks, the command line switch -w0 can be used to
        increase the sending rate.

[ Solution ]

        Filter inbound ICMP redirect messages or update your IOS to either a
        release that is not vulnerable or a fixed version when these become
        available.


[ Side note ]

        Microsoft Windows 98 is also vulnerable to this attack. 
        Not tested any further.


[ end of file ]
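
A detection-side sketch for the condition the advisory describes, added here as an example and not part of the Phenoelit advisory or IRPAS: it parses ICMP redirect messages (type 5) and counts, per sender, the distinct destination addresses carried in the "offending packet" section, since each distinct address is what adds an entry to the redirect table. The function names, the alert threshold and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

ICMP_REDIRECT = 5
ALERT_DISTINCT_DESTS = 100  # assumed alert threshold; tune per network


def parse_redirect(icmp: bytes):
    """Return (gateway, original_dst) for an ICMP redirect, else None.
    `icmp` is the ICMP message without the outer IP header (RFC 792)."""
    if len(icmp) < 8 + 20:  # ICMP header + minimal embedded IP header
        return None
    icmp_type, code, _cksum, gateway = struct.unpack("!BBH4s", icmp[:8])
    if icmp_type != ICMP_REDIRECT or code > 3:
        return None
    inner = icmp[8:]  # header of the "offending packet"
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        return None
    return ipaddress.IPv4Address(gateway), ipaddress.IPv4Address(inner[16:20])


def flag_redirect_floods(packets, threshold=ALERT_DISTINCT_DESTS):
    """packets: iterable of (sender_ip, icmp_bytes). Returns {sender: count}
    for senders whose redirects name >= threshold distinct destinations."""
    seen = defaultdict(set)
    for sender, icmp in packets:
        parsed = parse_redirect(icmp)
        if parsed:
            seen[sender].add(parsed[1])
    return {s: len(d) for s, d in seen.items() if len(d) >= threshold}


def sample_redirect(dst: str, gateway: str = "192.0.2.1") -> bytes:
    """Constructed test input: checksums are zero and nothing is sent."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        ipaddress.IPv4Address("198.51.100.10").packed,
                        ipaddress.IPv4Address(dst).packed) + bytes(8)
    return struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0,
                       ipaddress.IPv4Address(gateway).packed) + inner


if __name__ == "__main__":
    # Constructed capture: one sender naming 300 destinations, one naming 1.
    capture = [("203.0.113.7", sample_redirect(f"10.0.{i // 256}.{i % 256}"))
               for i in range(300)]
    capture += [("203.0.113.9", sample_redirect("10.9.9.9"))] * 5
    print(flag_redirect_floods(capture))
```

A legitimate gateway sends redirects for a handful of destinations, so a sender that names hundreds of distinct ones in a short window is worth an alert even on IOS versions that cap the table.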
