Date: Tue, 22 Dec 1998 08:03:13 -0800
From: John Bashinski <jbash@CISCO.COM.>
To: [email protected]Subject: Cisco IOS 12.0 security bug and workaround
-----BEGIN PGP SIGNED MESSAGE-----
We've had a report of nmap UDP scans crashing Cisco routers running
Cisco IOS software version 12.0. This was apparently mentioned on
BUGTRAQ, although the BUGTRAQ message has not yet arrived at Cisco.
We've verifed that the problem does exist. We believe that it affects
all Cisco routers running any variant of 12.0 (including 12.0T, 12.0S,
etc.). We do *not* think that it affects any non-12.0 version. However,
we got the bug report only three hours ago, have not yet finished
characterizing it, and can't yet be completely sure which versions
or which platforms are affected.
This is very easy to exploit, and has now been announced very widely.
Administrators should be on the lookout for it.
The problem appears to be caused by packets sent to the router's syslog
port (UDP port 514). A tested workaround is to use an access list to
block incoming syslog traffic. You'd do this with something like this:
access-list 101 deny udp any host <router-addr-1> eq 514
access-list 101 deny udp any host <router-addr-2> eq 514
access-list 101 deny udp any host <router-addr-3> eq 514
... etc ...
access-list 101 permit ip any any
interface <interface-1>
ip access-group 101 in
interface <interface-2>
ip access-group 101 in
... etc ...
The access list needs to block syslog traffic destined for any of the
router's own IP addresses. It should be applied on all interfaces
running IP, including virtual interfaces and subinterfaces (but not
loopback interfaces).
This workaround *does* have a performance impact that may be significant
for some users. The impact isn't usually extreme, but it may make a
difference on a router that's already heavily loaded. Install it with
care if you install it.
This bug may cause different router platforms to crash differently.
Some routers have been observed to reboot and claim that they
were "restarted by power-on"; you won't necessarily get a stack
trace from one of these crashes.
Since this is only partially characterized, you may choose to hold the
workaround in reserve and apply it only if you believe you are being
attacked. We should have a formal notice with full details within the
next few days. We cannot yet make any estimate of when a fix will be
available; we should have more information by the time the formal notice
comes out.
If you find that you are actually attacked with this, please report
the attack to Cisco at "[email protected]".
For more information on Cisco security procedures, see
http://www.cisco.com/warp/customer/791/sec_incident_response.shtml
-- J. Bashinski
Cisco Systems
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3in
Charset: noconv
iQEVAwUBNn/CR0Zi51ggEbh5AQGqxwf8D/GrXbiUe9u6zNv2DpZqitZ1vJ2NaRIr
QNKCHl5hz45udrHK/kQNIBw9i6SbqmXXZXhWpzUsRp8EBmNPIRvm8Yd1ZrtxLDHj
pynfzcT+LOfS0dedfrscnTdf31RMIhxaxI79s0aMOeUpBoV+BAYr3i0eTVx+moim
711aM0AbBitielGryVOtp08vET60db/0NNhRKXMwSxnH8qojSFtTEO/rhm5jonWp
fzmbJMkJSuSK0Gp3OJyInMeG0xtZwOL3GSWoz0WOLNqYHIizIdkWj4sxGnB9g8Q8
YJ7repLd+xRzISk1UNOdfgPRLR72zxQPgpCayHFyg/zWGN24bz3AFA==
=1TXj
-----END PGP SIGNATURE-----