North American Network Operators Group


Re: Cisco Vulnerability Testing Results

  • From: Jason Frisvold
  • Date: Fri Jul 18 16:48:19 2003

Just for fun we hit an old AGS+ router with 10.2(4) code on it.. 
Apparently older code is vulnerable too..

So..  everyone running AGS+'s in the core, beware.. *grin*

On Fri, 2003-07-18 at 11:34, Jason Frisvold wrote:
> Ok, update to my testing :
> 
> On Fri, 2003-07-18 at 10:48, Jason Frisvold wrote:
> > Hi all,
> > 
> > 	First post..  I hope this is ok ...
> > 
> > 	We tested the Cisco vulnerability and I wanted to share our results
> > with you ...
> <SNIP>
> > Testing scenario is this : 
> > 
> > Linux Machine (10.0.0.2/24)
> > Cisco 2514 
> >    Ethernet0 (10.0.0.1/24) is in from the attacker 
> >    Ethernet1 (192.168.0.1/24) is output to the 2501 
> > Cisco 2501 
> >    Ethernet0 (192.168.0.2/24) is in from the 2514 
> <SNIP>
> 
> Firstly, HPing (www.hping.org) can craft the packets required for this
> attack very simply...  I won't post the exact command string, but it's
> not that hard to figure out...  And with HPing, you can easily take down
> an interface in under a second.
> 
> Now, on to ACL testing...
> 
> 3 ACL tests just to make sure we had everything correct ...  We first
> tried the any any ACL that Cisco recommends :
> 
> access-list 101 deny 53 any any
> access-list 101 deny 55 any any
> access-list 101 deny 77 any any
> access-list 101 deny 103 any any
> access-list 101 permit ip any any
> 
> This produced expected results.  When placed on the interface, it
> prevented the router from being attacked.
> 
> Next, we tried an ACL with just the interface IP in it :
> 
> access-list 101 deny 53 any host 10.0.0.1
> access-list 101 deny 55 any host 10.0.0.1
> access-list 101 deny 77 any host 10.0.0.1
> access-list 101 deny 103 any host 10.0.0.1
> access-list 101 permit ip any any
> 
> We applied this to the Ethernet0 interface on the 2514.  Attacks to that
> IP were prevented as expected.
> 
> Attacks through to the 2501 were not blocked, again as expected.
> 
> And finally, attacks to the ethernet1 interface on the 2514, which
> passes through the ethernet0 interface, still caused the ethernet0
> interface to be attacked.
> 
> And the last test was an ACL containing all of the IP's on the router:
> 
> access-list 101 deny 53 any host 10.0.0.1
> access-list 101 deny 55 any host 10.0.0.1
> access-list 101 deny 77 any host 10.0.0.1
> access-list 101 deny 103 any host 10.0.0.1
> access-list 101 deny 53 any host 192.168.0.1
> access-list 101 deny 55 any host 192.168.0.1
> access-list 101 deny 77 any host 192.168.0.1
> access-list 101 deny 103 any host 192.168.0.1
> access-list 101 permit ip any any
> 
> This blocked all attacks on the 2514 while still allowing attacks
> through to the 2501..  This is as expected.
> 
> Also, another note.  Loopback interfaces, while not vulnerable
> themselves, make it much easier to completely take out routers..  (We're
> assuming that the device is still vulnerable)  If the attacker has the
> loopback of the router, they can run an attack at that interface.  Every
> input interface will be attacked in succession.  As each interface goes
> down and the traffic re-routed, the next interface will fall under
> attack.
> 
> Just be sure to add the loopback IP as part of the ACL ...  :)
-- 
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
[email protected]
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world."
      -- Albert Einstein [1879-1955]
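The three access lists from the quoted tests, replayed through a small first-match ACL evaluator. This is an added example, not code from the post, from Cisco, or from any tool; it assumes IOS extended-ACL semantics (entries checked top to bottom, first match wins, implicit deny at the end) and uses the addresses of the 2514/2501 test scenario as constructed input. The function and constant names (`parse_ace`, `acl_action`, `exposure`, `ACL_E0_ONLY`, and so on) are the example's own. It checks what the thread reports: a `deny ... any any` list blocks the four protocols everywhere, a list naming only the Ethernet0 address leaves the Ethernet1 address reachable through Ethernet0, and a list naming every router address (loopbacks included, per the last note) shields the router while still passing transit traffic.

```python
"""First-match evaluator for IOS-style numbered extended ACLs.

Added example, not code from the NANOG post, Cisco, or any tool. Assumed
IOS semantics: entries are checked top to bottom, the first match decides,
and anything unmatched hits the implicit deny at the end of the list.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Protocol keywords IOS accepts in extended ACLs; 'ip' matches any protocol.
PROTO_KEYWORDS: Dict[str, Optional[int]] = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: Optional[int]         # IP protocol number; None matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # Wildcard masks are inverted netmasks (0 bits must match); only contiguous
    # wildcards are handled in this example.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.IPv4Network((tok, str(netmask)), strict=False)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC DST'."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended access-list entry: {line!r}")
    proto_tok = tokens[3]
    proto = PROTO_KEYWORDS[proto_tok] if proto_tok in PROTO_KEYWORDS else int(proto_tok)
    rest = tokens[4:]
    src = _take_addr(rest)   # source spec comes first, then destination
    return Ace(tokens[2], proto, src, _take_addr(rest))


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def acl_action(acl: List[Ace], proto: int, src: str, dst: str) -> str:
    """'permit' or 'deny' for one packet: first matching entry wins, else implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if (ace.proto is None or ace.proto == proto) and s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


# Constructed inputs taken from the test scenario described in the thread.
ATTACKER = "10.0.0.2"
ROUTER_2514_IPS = ["10.0.0.1", "192.168.0.1"]   # Ethernet0, Ethernet1
ROUTER_2501_IP = "192.168.0.2"                   # reached through the 2514
FILTERED_PROTOS = (53, 55, 77, 103)


def build_acl(dst_specs: List[str]) -> List[Ace]:
    """Deny the four protocols towards each destination spec, then permit ip any any."""
    lines = [f"access-list 101 deny {p} any {d}" for d in dst_specs for p in FILTERED_PROTOS]
    return parse_acl("\n".join(lines + ["access-list 101 permit ip any any"]))


ACL_ANY = build_acl(["any"])
ACL_E0_ONLY = build_acl(["host 10.0.0.1"])
ACL_ALL_ROUTER_IPS = build_acl([f"host {ip}" for ip in ROUTER_2514_IPS])


def exposure(acl: List[Ace]) -> Dict[str, object]:
    """2514 addresses the filtered protocols can still reach, and whether transit survives."""
    targets = ROUTER_2514_IPS + [ROUTER_2501_IP]
    hit = {t for p in FILTERED_PROTOS for t in targets
           if acl_action(acl, p, ATTACKER, t) == "permit"}
    return {"router_2514_exposed": sorted(hit & set(ROUTER_2514_IPS)),
            "transit_to_2501": ROUTER_2501_IP in hit}


if __name__ == "__main__":
    for name, acl in (("any any", ACL_ANY), ("Ethernet0 host only", ACL_E0_ONLY),
                      ("all router IPs", ACL_ALL_ROUTER_IPS)):
        print(f"{name:20s} {exposure(acl)}")
```

Running the block prints one line per list. The middle result is the one worth remembering from the thread: filtering only the inbound interface's own address leaves every other address the router owns (other interfaces, loopbacks) as a path to the same line card, so a per-host list has to enumerate all of them, or be replaced by the `any any` form where transit of those protocols is not needed.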
