Cisco Vulnerability Testing Results
Jason Frisvold
friz at corp.ptd.net
Fri Jul 18 20:44:56 UTC 2003
Just for fun we hit an old AGS+ router with 10.2(4) code on it..
Apparently older code is vulnerable too..
So.. everyone running AGS+'s in the core, beware.. *grin*
On Fri, 2003-07-18 at 11:34, Jason Frisvold wrote:
> Ok, update to my testing :
>
> On Fri, 2003-07-18 at 10:48, Jason Frisvold wrote:
> > Hi all,
> >
> > First post.. I hope this is ok ...
> >
> > We tested the Cisco vulnerability and I wanted to share our results
> > with you ...
> <SNIP>
> > Testing scenario is this :
> >
> > Linux Machine (10.0.0.2/24)
> > Cisco 2514
> > Ethernet0 (10.0.0.1/24) is in from the attacker
> > Ethernet1 (192.168.0.1/24) is output to the 2501
> > Cisco 2501
> > Ethernet0 (192.168.0.2/24) is in from the 2514
> <SNIP>
>
> Firstly, HPing (www.hping.org) can craft the packets required for this
> attack very simply... I won't post the exact command string, but it's
> not that hard to figure out... And with HPing, you can easily take down
> an interface in under a second.
>
> Now, on to ACL testing...
>
> 3 ACL tests just to make sure we had everything correct ... We first
> tried the any any ACL that Cisco recommends :
>
> access-list 101 deny 53 any any
> access-list 101 deny 55 any any
> access-list 101 deny 77 any any
> access-list 101 deny 103 any any
> access-list 101 permit ip any any
>
> This produced expected results. When placed on the interface, it
> prevented the router from being attacked.
>
> Next, we tried an ACL with just the interface IP in it :
>
> access-list 101 deny 53 any host 10.0.0.1
> access-list 101 deny 55 any host 10.0.0.1
> access-list 101 deny 77 any host 10.0.0.1
> access-list 101 deny 103 any host 10.0.0.1
> access-list 101 permit ip any any
>
> We applied this to the Ethernet0 interface on the 2514. Attacks to that
> IP were prevented as expected.
>
> Attacks through to the 2501 were not blocked, again as expected.
>
> And finally, attacks to the ethernet1 interface on the 2514, which
> passes through the ethernet0 interface, still caused the ethernet0
> interface to be attacked.
>
> And the last test was an ACL containing all of the IPs on the router:
>
> access-list 101 deny 53 any host 10.0.0.1
> access-list 101 deny 55 any host 10.0.0.1
> access-list 101 deny 77 any host 10.0.0.1
> access-list 101 deny 103 any host 10.0.0.1
> access-list 101 deny 53 any host 192.168.0.1
> access-list 101 deny 55 any host 192.168.0.1
> access-list 101 deny 77 any host 192.168.0.1
> access-list 101 deny 103 any host 192.168.0.1
> access-list 101 permit ip any any
>
> This blocked all attacks on the 2514 while still allowing attacks
> through to the 2501.. This is as expected.
>
> Also, another note. Loopback interfaces, while not vulnerable
> themselves, make it much easier to completely take out routers.. (We're
> assuming that the device is still vulnerable) If the attacker has the
> loopback of the router, they can run an attack at that interface. Every
> input interface will be attacked in succession. As each interface goes
> down and the traffic re-routed, the next interface will fall under
> attack.
>
> Just be sure to add the loopback IP as part of the ACL ... :)
--
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz at corp.ptd.net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world."
-- Albert Einstein [1879-1955]