OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Damir Rajnovic (gauscisco.com)
Date: Tue Oct 09 2001 - 09:27:40 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----

    This is not a Cisco security advisory.

    There is a vulnerability in how Cisco routers are handling CDP.
    By sending a large amount of CDP neighbor announcements it is
    possible to consume all available router's memory. That will cause
    a crash or some other abnormal behavior. This vulnerability is
    assigned a Cisco bug ID CSCdu09909. You can see details of it
    if you have a valid CCO account. This vulnerability was
    discovered by fxphenoelit.de

    In order to trigger this vulnerability an attacker must be on the same
    segment as the target router. This vulnerability can not be exploited
    over the Internet unless an attacker has a helper program already
    planted on the internal network.

    The workaround for this vulnerability is to disable CDP. In order to
    disable CDP for the whole router execute the following global command:

      Router# configure terminal
      Enter configuration commands, one per line. End with CNTL/Z.
      Router(config)# no cdp run

    Alternatively, CDP can be disabled on a particular interface. This
    can be done using the following commands:

      Router# configure terminal
      Enter configuration commands, one per line. End with CNTL/Z.
      Router(config)# interface Ethernet0
      Router(config-if)# no cdp enable

    In this particular case we advise all customers to disable CDP for
    the whole router.

    This vulnerability has ben fixed in the following interim images:

    12.2(3.6)B
    12.2(4.1)S
    12.2(3.6)PB
    12.2(3.6)T
    12.1(10.1)
    12.2(3.6)

    All higher IOS releases should contain this fix.

    Please note that interim images are built at regular intervals between
    maintenance releases and receives less testing. Interims should be selected
    only if there is no other suitable release that addresses the vulnerability,
    and interim images should be upgraded to the next available maintenance
    release as soon as possible. Interim releases are not available via
    manufacturing, and usually they are not available for customer
    download from CCO without prior arrangement with the Cisco TAC.

    We would like to thank Phenoelit on his co-operation on this issue.

    Gaus

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.3

    iQEVAwUBO8MJHg/VLJ+budTTAQGpxAgAydE4X125IB9yzCb+uEExB9PjMpfLrRfH
    ONbLmUfLi242ubhqb8kfOc+gGziB3YuNJck+N5YPcdT7ql0jpPOpltVQdoevNFBD
    AhCZT1Eyp/Fi7npv5BDsX/Y4Jd1yTYjGUEIbZJLFJ2lFL9ip4z+bEFYfQ+Bdy0zt
    7k8YckcJt2qxOnhGEZaU5tZMzP/Sc3NysZbUOmlCyI1t1cLocKzd81SC/LNsWyDF
    Rac/7ZFb8LrvNQxVLt3d1/7jpVtuYFgXDdZhDOwaXem1T5r430AYE9hTRLwUwUE5
    U6Sq6kdEjJyGkX3Tqwb/+/g5ERGkrwBtR95eiV13Kw8i2ehqlQ1rNQ==
    =2DU0
    -----END PGP SIGNATURE-----
    ==============
    Damir Rajnovic <psirtcisco.com>, PSIRT Incident Manager, Cisco Systems
    <http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
    Phone: +44 7715 546 033
    4 The Square, Stockley Park, Uxbridge, MIDDLESEX UB11 1BN, GB
    ==============
    There is no insolvable problems. Question remains: can you
    accept the solution?