- Test - lists.nanog.org

Cisco Security Advisory: Cisco IOS MPLS VPN May Leak Information
by Cisco Systems Product Security Incident Response Team 24 Sep '08

24 Sep '08

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Cisco IOS MPLS VPN May Leak Information Advisory ID: cisco-sa-20080924-vpn http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml Revision 1.0 For Public Release 2008 September 24 1600 UTC (GMT) - --------------------------------------------------------------------- Summary ======= Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs. Workarounds are available to help mitigate this vulnerability. This issue is triggered by a logic error when processing extended communities on the PE device. This issue cannot be deterministically exploited by an attacker. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml NOTE: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory. Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008: http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml Individual publication links are listed below: * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml Affected Products ================= Products running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for MPLS VPNs or VRF Lite are potentially affected. Cisco IOS releases based on 12.1 are not affected. Vulnerable Products +------------------ Cisco IOS devices are vulnerable if they are configured for MPLS VPN or VRF Lite and have a BGP session between the CE and PE devices, and process extended communities. If a device is configured for MPLS VPN or VRF Lite the command address-family ipv4 vrf <vrf-name> or address-family ipv6 vrf <vrf-name> will be present in the device configuration. The following shows a command executed on a device configured for MPLS VPN: router#show running-config | include address-family [ipv4|ipv6] address-family ipv4 vrf <vrf-name> The following shows a PE device configured for an IPv4 BGP session between the PE and the CE: router bgp <Local AS> address-family ipv4 vrf one neighbor <neighbor IP> remote-as < Remote AS> neighbor <neighbor IP> activate To determine the software running on a Cisco product, log in to the device and issue the "show version" command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS". On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the "show version" command or will give different output. The following example identifies a Cisco product that is running Cisco IOS release 12.4(11)T2: Router#show version Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Tue 01-May-07 04:19 by prod_rel_team <output truncated> Additional information on the Cisco IOS release naming conventions can be found on the document entitled "White Paper: Cisco IOS Reference Guide", which is available at http://www.cisco.com/warp/public/620/1.html Products Confirmed Not Vulnerable +-------------------------------- Cisco products not configured for MPLS VPNs or VRF Lite are unaffected by this vulnerability. Cisco products that do not run IOS are unaffected by this vulnerability. Cisco IOS-XR is not affected. No other Cisco products are currently known to be affected by this vulnerability. Details ======= MPLS VPNs allow for the creation of 'virtual networks' that customers can use to segregate traffic into multiple, isolated VPNs. Traffic within each MPLS VPN is kept separate from the others, thereby maintaining a virtual private network. More information on MPLS and MPLS VPNs is available at the following link: http://www.cisco.com/en/US/products/ps6557/products_ios_technology_home.html A bug exists when processing extended communities with MPLS VPNs. If extended communities are used, MPLS VPN may incorrectly use a corrupted route target (RT) to forward traffic. If this occurs, traffic can leak from one MPLS VPN to another. This vulnerability exists whenever an affected PE device has a BGP session running in the MPLS VPN Virtual Routing and Forwarding (VRF). The following two examples of this scenario are the most common: 1) MPLS VPN configuration with BGP running inside the VRF between the PE and CE devices. 2) MPLS Inter-AS option A with BGP running between the Autonomous System Border Routers (ASBR). The mitigation in the Workarounds section filters extended communities on a PE device, preventing them from being received by devices configured for MPLS VPN. This vulnerability was introduced with Cisco bug ID CSCee83237. Cisco IOS images that do not include CSCee83237 are not vulnerable to this issue. It is important to note that this condition cannot be triggered by an attacker and that the condition does not provide ways to determine the flow of traffic between VPNs. This vulnerability is documented in the Cisco Bug ID CSCec12299 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-3803. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CVSS Base Score - 5.1 Access Vector - Network Access Complexity - High Authentication - None Confidentiality Impact - Partial Integrity Impact - Partial Availability Impact - Partial CVSS Temporal Score - 4.2 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== This vulnerability may cause traffic to be improperly routed between MPLS VPNs, which may lead to a breach of confidentiality. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +-------------------------------------------------------------------+ | Major | Availability of Repaired Releases | | Release | | |--------------+----------------------------------------------------| | Affected | | Recommended | | 12.0-Based | First Fixed Release | Release | | Releases | | | |--------------+----------------------------------+-----------------| | 12.0 | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0DA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0DB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0DC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | | 12.0(30)S5 | | | | | 12.0(32)S11 | | 12.0S | 12.0(31)S3 | | | | | 12.0(33)S1 | | | 12.0(32)S | | |--------------+----------------------------------+-----------------| | 12.0SC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0SL | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0SP | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0ST | Not Vulnerable | | |--------------+----------------------------------+-----------------| | | | 12.0(32)S11 | | 12.0SX | Vulnerable; first fixed in 12.0S | | | | | 12.0(33)S1 | |--------------+----------------------------------+-----------------| | 12.0SY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | | | 12.0(32)S11 | | 12.0SZ | 12.0(30)SZ4 | | | | | 12.0(33)S1 | |--------------+----------------------------------+-----------------| | 12.0T | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0W | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0WC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0WT | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XE | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XF | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XG | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XH | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XI | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XJ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XK | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XL | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XM | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XN | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XQ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XR | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XS | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XT | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XV | Not Vulnerable | | |--------------+----------------------------------+-----------------| | Affected | | Recommended | | 12.1-Based | First Fixed Release | Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.1 based releases | |-------------------------------------------------------------------| | Affected | | Recommended | | 12.2-Based | First Fixed Release | Release | | Releases | | | |--------------+----------------------------------+-----------------| | 12.2 | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2B | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2BC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2BW | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2BX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2BY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2BZ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2CX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2CY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2CZ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2DA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2DD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2DX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2EW | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2EWA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2EX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2EY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2EZ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2FX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2FY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2FZ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2IRB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2IXA | Vulnerable; migrate to any | 12.2(18)IXG | | | release in 12.2IXD | | |--------------+----------------------------------+-----------------| | 12.2IXB | Vulnerable; migrate to any | 12.2(18)IXG | | | release in 12.2IXD | | |--------------+----------------------------------+-----------------| | 12.2IXC | Vulnerable; migrate to any | 12.2(18)IXG | | | release in 12.2IXD | | |--------------+----------------------------------+-----------------| | 12.2IXD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2IXE | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2IXF | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2IXG | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2JA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2JK | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2MB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2MC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | | 12.2(30)S and later are | 12.2(33)SB2; | | 12.2S | vulnerable. 12.2(25)S and before | Available on | | | are not vulnerable | 26-SEP-08 | |--------------+----------------------------------+-----------------| | | 12.2(28)SB5 | | | | | 12.2(33)SB2; | | 12.2SB | 12.2(31)SB2 | Available on | | | | 26-SEP-08 | | | 12.2(31)SB3x | | |--------------+----------------------------------+-----------------| | | Vulnerable; first fixed in | 12.2(33)SB2; | | 12.2SBC | 12.2SB | Available on | | | | 26-SEP-08 | |--------------+----------------------------------+-----------------| | 12.2SCA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SE | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SEA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SEB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SEC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SED | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SEE | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SEF | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SEG | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SG | 12.2(37)SG | 12.2(46)SG1 | |--------------+----------------------------------+-----------------| | 12.2SGA | 12.2(31)SGA8 | 12.2(31)SGA8 | |--------------+----------------------------------+-----------------| | 12.2SL | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SM | 12.2(29)SM2 | 12.2(29)SM4 | |--------------+----------------------------------+-----------------| | 12.2SO | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SRA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SRB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SRC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SU | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SV | 12.2(29b)SV1 | | |--------------+----------------------------------+-----------------| | 12.2SVA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SVC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SVD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SW | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SXA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SXB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SXD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SXE | Vulnerable; first fixed in | 12.2(18)SXF15 | | | 12.2SXF | | |--------------+----------------------------------+-----------------| | 12.2SXF | 12.2(18)SXF3 | 12.2(18)SXF15 | |--------------+----------------------------------+-----------------| | 12.2SXH | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SZ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2T | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2TPC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XE | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XF | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XG | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XH | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XI | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XJ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XK | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XL | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XM | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XN | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XNA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XNB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XO | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XQ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XR | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XS | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XT | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XU | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XV | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XW | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YE | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YF | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YG | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YH | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YJ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YK | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YL | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YM | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YN | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YO | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YP | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YQ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YR | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YS | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YT | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YU | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YV | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YW | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YZ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZE | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZF | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZG | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZH | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZJ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZL | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZP | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZU | Not Vulnerable | | |--------------+----------------------------------+-----------------| | | Vulnerable; first fixed in | 12.2(33)SB2; | | 12.2ZX | 12.2SB | Available on | | | | 26-SEP-08 | |--------------+----------------------------------+-----------------| | 12.2ZY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZYA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | Affected | | Recommended | | 12.3-Based | First Fixed Release | Release | | Releases | | | |--------------+----------------------------------+-----------------| | 12.3 | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3B | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3BC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3BW | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3EU | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3JA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3JEA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3JEB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3JEC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3JK | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3JL | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3JX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | | | 12.4(15)T7 | | 12.3T | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |--------------+----------------------------------+-----------------| | 12.3TPC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3VA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XE | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XF | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XG | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XI | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XJ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XK | Not Vulnerable | | |--------------+----------------------------------+-----------------| | | | 12.4(15)T7 | | 12.3XL | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |--------------+----------------------------------+-----------------| | 12.3XQ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XR | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XS | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XU | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XW | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XZ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3YA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3YD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | | Vulnerable; first fixed in | 12.3(14)YX13 | | 12.3YF | 12.3YX | | | | | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.3YG | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3YH | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3YI | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3YJ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.3YK | 12.3(11)YK3 | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | | | 12.3(14)YM13; | | 12.3YM | 12.3(14)YM10 | Available on | | | | 30-SEP-08 | |--------------+----------------------------------+-----------------| | 12.3YQ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.3YS | 12.3(11)YS2 | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.3YT | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | | | 12.4(2)XB10 | | | Vulnerable; first fixed in | | | 12.3YU | 12.4XB | 12.4(9)XG3 | | | | | | | | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.3YX | 12.3(14)YX7 | 12.3(14)YX13 | |--------------+----------------------------------+-----------------| | 12.3YZ | 12.3(11)YZ2 | | |--------------+----------------------------------+-----------------| | 12.3ZA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | Affected | | Recommended | | 12.4-Based | First Fixed Release | Release | | Releases | | | |--------------+----------------------------------+-----------------| | | 12.4(10c) | | | | | | | | 12.4(12a) | | | | | | | | 12.4(13) | | | | | | | 12.4 | 12.4(3h) | 12.4(18c) | | | | | | | 12.4(5c) | | | | | | | | 12.4(7e) | | | | | | | | 12.4(8d) | | |--------------+----------------------------------+-----------------| | 12.4JA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4JK | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4JL | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4JMA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4JMB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4JMC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4JX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4MD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4MR | Not Vulnerable | | |--------------+----------------------------------+-----------------| | | | 12.4(15)SW2; | | 12.4SW | 12.4(11)SW1 | Available on | | | | 28-SEP-08 | |--------------+----------------------------------+-----------------| | | 12.4(11)T2 | | | | | | | | 12.4(15)T | | | | | | | | 12.4(2)T6 | | | 12.4T | | 12.4(15)T7 | | | 12.4(4)T8 | | | | | | | | 12.4(6)T7 | | | | | | | | 12.4(9)T3 | | |--------------+----------------------------------+-----------------| | 12.4XA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.4XB | 12.4(2)XB6 | 12.4(2)XB10 | |--------------+----------------------------------+-----------------| | 12.4XC | 12.4(4)XC7 | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | | | 12.4(4)XD11; | | 12.4XD | 12.4(4)XD7 | Available on | | | | 26-SEP-08 | |--------------+----------------------------------+-----------------| | 12.4XE | 12.4(6)XE3 | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.4XF | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4XG | 12.4(9)XG2 | 12.4(9)XG3 | |--------------+----------------------------------+-----------------| | 12.4XJ | 12.4(11)XJ2 | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.4XK | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.4XL | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4XM | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4XN | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4XP | Vulnerable; contact TAC | | |--------------+----------------------------------+-----------------| | 12.4XQ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4XR | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4XT | 12.4(6)XT1 | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.4XV | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4XW | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4XY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4XZ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4YA | Not Vulnerable | | +-------------------------------------------------------------------+ Workarounds =========== Customers running versions of Cisco IOS that support filtering of extended communities can prevent the corruption of the route target (RT) by applying a BGP route-map that removes RT entries on inbound BGP sessions. The following configuration example applied in the ipv4 address family of a PE device removes extended communities from the CE router: router bgp <Local AS> address-family ipv4 vrf one neighbor <neighbor IP> remote-as <Remote AS> neighbor <neighbor IP> activate neighbor <neighbor IP> route-map FILTER in exit-address-family ! ip extcommunity-list 100 permit _RT.*_ ! ! route-map FILTER permit 10 set extcomm-list 100 delete ! The following configuration example applied in the ipv6 address family of a PE device removes extended communities from the CE router: router bgp <Local AS> address-family ipv6 vrf one neighbor <neighbor IP> remote-as <Remote AS> neighbor <neighbor IP> activate neighbor <neighbor IP> route-map FILTER in exit-address-family ! ip extcommunity-list 100 permit _RT.*_ ! ! route-map FILTER permit 10 set extcomm-list 100 delete ! Note: The capability of filtering extended communities is only available in certain 12.0S and 12.2S based Cisco IOS releases. BGP session between the PE and the CE needs to cleared to make this configuration change effective. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.ht… or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac(a)cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was reported to Cisco by a customer. This vulnerability cannot be deterministically triggered by an attacker. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce(a)cisco.com * first-bulletins(a)lists.first.org * bugtraq(a)securityfocus.com * vulnwatch(a)vulnwatch.org * cisco(a)spot.colorado.edu * cisco-nsp(a)puck.nether.net * full-disclosure(a)lists.grok.org.uk * comp.dcom.sys.cisco(a)newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-Sep-24 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.… This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkjaLeoACgkQ86n/Gc8U/uCNwQCdEOd3v5A+paECb9s2gMBUr0JH DEwAnRtvu3aQrECRin/QmElp7oudHZJX =EVLU -----END PGP SIGNATURE-----

1 0

seeking AOL postmaster with clue... (sorry)
by Taylor Neill 24 Sep '08

24 Sep '08

I'm pretty much ready to take my life over having to deal with AOL's Postmaster. If anyone has a contact or lead at AOL with a clue, could you please respond off-list? I am at wits end. A thousand apologies for the noise, Taylor Neill

1 0

RE: Atrivo/Intercage
by Tom Sparks (Applied Operations) 24 Sep '08

24 Sep '08

Just to add my $0.02 to this discussion and a disclaimer - I've known Emil for years, I've seen his shop and even the controversy. 200 Paul is a small community, and most of the folks in there know eachother, I've been in there since 2001 or so. Intercage is not a big shop, there are very few people involved in running it and I have a very hard time believing the accusations made by some of the folks around. I also don't believe Intercage was complicit in any net-crime; Thats not to say it didn't exist, but more along the lines of they got lost in the noise of running a business. I'd guess that given the server volume they've got, abuse emails are less than one percent of all the email they get in a week. From what I've seen, the bulk of their customer base is webhosters, Unix Shell providers and some video/audio streamers. Were I to venture a guess on the number of folks reselling those webservers, its probably on the order of thousands... Any time I've had an issue with one of Atrivo's customers, it only took one email to get it dealt with, or I got Emil on IM or on the phone and it was taken care of. My experience with being on the other end of abuse@, I'd say a good 60-75% of the complaints I saw coming in were bogus. Either people complaining about their ZoneAlarm's going off, people complaining about bounced emails with spam and a bunch of automated stuff that was always wrong. The legit complaints were not always easy to deal with either since a good 20-30% of them were unclear on what was actually wrong until you spent some time digging. Basically is what it boils down to for me - its easy to blame an NSP/ISP/Hoster for what their clients do, it takes real dedication to find out whats *actually* going on. -- Tom Sparks (415) 367-7328x1001

8 15

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
by Russell Mitchell 24 Sep '08

24 Sep '08

Hello Mark, It really seems YOU _DID_ miss the memo. I think that since no one else is responding to your non-sense, there is no reason for me to either. If you have something accurate to say, I'll be happy to listen. Until then, there's not much I can say. There's no sense in repeating myself. --- Russell Mitchell InterCage, Inc. ----- Original Message ---- From: Mark Foo <mark.foo.dog(a)gmail.com> To: Russell Mitchell <russm2k8(a)yahoo.com> Cc: Bruce Williams <williams.bruce(a)gmail.com>; Christopher Morrow <christopher.morrow(a)gmail.com>; nanog(a)nanog.org; Joe Greco <jgreco(a)ns.sol.net> Sent: Wednesday, September 24, 2008 12:27:50 AM Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer Russell: Ferg was just being coy -- what you don't understand is there are about 3 other security mailing lists plotting to TAKE YOUR SERVICE DOWN. You FAIL. Law Enforcement might not take action against you (but appear to be interested now), but the community can. GET OFF THE NET WITH YOUR MALWARE! You mistake me for someone who believes you pack of lies! Don't you understand each time you post to this list gives those of us who know the opportunity to post MORE EVIDENCE of your MALWARE? You disconnected Hostfresh and think that's the extent of your cimes? Gimme a break. Only those who are easily socially engineered would believe your pathetic claims of innocence. You've BEEN HOSTING MALWARE since 2003 -- SEE Nanog post: Re: The in-your-face hijacking example http://www.irbs.net/internet/nanog/0305/0038.html > Let me know if there's anything else you'd like me to state to the public. Answer Ferg's question -- Why are you moving to CERNAL? Do you think this is going to work? That's just another of Emil's networks. > We're on a rocky road right now. But it IS starting to smooth out. That's just the calm before the storm. Go ahead and post a response to each of these allegations: Cybercrime's US Hosts http://www.spamhaus.org/news.lasso?article=636 Report Slams U.S. Host as Major Source of Badware http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_a… A Superlative Scam and Spam Site Registrar http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html?nav=rs… ICANN cast as online scam enabler http://www.theregister.co.uk/2008/09/03/cyber_crime_reports/ 'Malware-friendly' Intercage back with the living http://www.theregister.co.uk/2008/09/24/intercage_back_online/ On Tue, Sep 23, 2008 at 11:50 PM, Russell Mitchell <russm2k8(a)yahoo.com> wrote: > > Hello John Doe, > > I welcome any further comments you have. > We have to get past people such as yourself, and your blasphemous and false statements. > > This is the same issue with the recent media and self-proclaimed "Security Researchers". Fly-by-night mind you. > > To help you out in your claims: > Yes, we did house a client whom had quite a run with their client's from various locations, such as Russia. > That Client is no longer hosted on our network. I myself spent all of monday afternoon, night, and tuesday morning shutting off EVERY machine they had leased in our Billing System. I'm currently working to scan further and see if there's anything I may have missed. > > Yes, Russia is very well known for Virus and Malware writer's. > > Yes, we have had issues with malware distribution from our network. > This was directly and near singularly related to the former client of ours. We did have another client, Hostfresh, whom had their share of malware issues. > > Both have been completely and effectively removed. The server's leased to both of them have been canceled, and their machines have been shutoff. > > Let me know if there's anything else you'd like me to state to the public. > We're on a rocky road right now. But it IS starting to smooth out. > > Thank you for your time. Have a great day. > --- > Russell Mitchell > > InterCage, Inc. > > > > ----- Original Message ---- > From: Mark Foo <mark.foo.dog(a)gmail.com> > To: Bruce Williams <williams.bruce(a)gmail.com> > Cc: Christopher Morrow <christopher.morrow(a)gmail.com>; nanog(a)nanog.org; Joe Greco <jgreco(a)ns.sol.net> > Sent: Tuesday, September 23, 2008 11:08:21 PM > Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer > > NANOG: > > Look, the people posting here who are trashing Intercage are pure security > analysts -- they > know and understand the evil that is Intercage. STOP TRYING TO ASSIST > INTERCAGE > -- you are effectively aiding and abetting the enemy. > > Intercage/Atrivo hosts the malware c&c botnets that DDoS your systems and > networks. > > Intercage/Atrivo hosts the spyware that compromises your users' passwords. > > Intercage/Atrivo hosts the adware that slows your customers' machines. > > Don't take my word for it, DO YOUR OWN RESEARCH: > http://www.google.com/search?hl=en&q=intercage+malware > > You don't get called the ***American RBN*** for hosting a couple bad > machines. They > have and will continue to host much of the malware pumped out of America. > THEY > ARE NOT YOUR COMRADES.. > > These people represent the most HIGHLY ORGANZIED CRIME you will ever > come across. Most people were afraid to speak out against them until this > recent ground swell. > > This is the MALWARE CARTEL. GET THE PICTURE? > > Many links have been posted here that prove this already -- instead of > asking > what customers they cut off, let them show WHAT CUSTOMERS ARE LEGIT-- > because there are NONE. > > > > > > > >> I would suggest a different Step 1. Instead of killing power, simply > > >> isolate the affected machine. This might be as simple as putting up a > > >> firewall rule or two, if it is simply sending outgoing SMTP spam, or > > > it's probably easiest (depending on the network gear of course) to > > > just put the lan port into an isolated VLAN. It's not the 100% > > > solution (some badness rm's itself once it loses connectivity to the > > > internets) but it'd make things simpler for the client/LEA when they > > > need to figure out what happened. > > > > > > -chris > > > > > > > > > > > > > > >

5 4

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
by Russell Mitchell 24 Sep '08

24 Sep '08

Hello John Doe, I welcome any further comments you have. We have to get past people such as yourself, and your blasphemous and false statements. This is the same issue with the recent media and self-proclaimed "Security Researchers". Fly-by-night mind you. To help you out in your claims: Yes, we did house a client whom had quite a run with their client's from various locations, such as Russia. That Client is no longer hosted on our network. I myself spent all of monday afternoon, night, and tuesday morning shutting off EVERY machine they had leased in our Billing System. I'm currently working to scan further and see if there's anything I may have missed. Yes, Russia is very well known for Virus and Malware writer's. Yes, we have had issues with malware distribution from our network. This was directly and near singularly related to the former client of ours. We did have another client, Hostfresh, whom had their share of malware issues. Both have been completely and effectively removed. The server's leased to both of them have been canceled, and their machines have been shutoff. Let me know if there's anything else you'd like me to state to the public. We're on a rocky road right now. But it IS starting to smooth out. Thank you for your time. Have a great day. --- Russell Mitchell InterCage, Inc. ----- Original Message ---- From: Mark Foo <mark.foo.dog(a)gmail.com> To: Bruce Williams <williams.bruce(a)gmail.com> Cc: Christopher Morrow <christopher.morrow(a)gmail.com>; nanog(a)nanog.org; Joe Greco <jgreco(a)ns.sol.net> Sent: Tuesday, September 23, 2008 11:08:21 PM Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer NANOG: Look, the people posting here who are trashing Intercage are pure security analysts -- they know and understand the evil that is Intercage. STOP TRYING TO ASSIST INTERCAGE -- you are effectively aiding and abetting the enemy. Intercage/Atrivo hosts the malware c&c botnets that DDoS your systems and networks. Intercage/Atrivo hosts the spyware that compromises your users' passwords. Intercage/Atrivo hosts the adware that slows your customers' machines. Don't take my word for it, DO YOUR OWN RESEARCH: http://www.google.com/search?hl=en&q=intercage+malware You don't get called the ***American RBN*** for hosting a couple bad machines. They have and will continue to host much of the malware pumped out of America. THEY ARE NOT YOUR COMRADES.. These people represent the most HIGHLY ORGANZIED CRIME you will ever come across. Most people were afraid to speak out against them until this recent ground swell. This is the MALWARE CARTEL. GET THE PICTURE? Many links have been posted here that prove this already -- instead of asking what customers they cut off, let them show WHAT CUSTOMERS ARE LEGIT-- because there are NONE. > >> I would suggest a different Step 1. Instead of killing power, simply > >> isolate the affected machine. This might be as simple as putting up a > >> firewall rule or two, if it is simply sending outgoing SMTP spam, or > > it's probably easiest (depending on the network gear of course) to > > just put the lan port into an isolated VLAN. It's not the 100% > > solution (some badness rm's itself once it loses connectivity to the > > internets) but it'd make things simpler for the client/LEA when they > > need to figure out what happened. > > > > -chris > > > > > >

5 4

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
by Russell Mitchell 24 Sep '08

24 Sep '08

Hello Joe, If we can't power down the machine, due to evidence loss. We can't nullroute the IP, as stated, some malware will delete itself or alter itself when Net Access is lost. Now we can filter a single port, in the case of spam, phishing, etc? I'll look further into the JunOS. I'm not too familiar with the rules on the Juniper, so I'll take a look further, and see how to achieve this on a single IP rather then the network. Thank you for your time. Have a great day. --- Russell Mitchell InterCage, Inc. ----- Original Message ---- From: Joe Greco <jgreco(a)ns.sol.net> To: Russell Mitchell <russm2k8(a)yahoo.com> Cc: nanog(a)nanog.org Sent: Tuesday, September 23, 2008 8:20:18 PM Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer > Hello All,=0A=A0=0AIt seems you all missed the memo.=0AAs of about 11PM PST= > Last night 09/22/08, Esthost has been ENTIRELY Shutdown. They no longer ha= > ve ANY Machine on my network.=0A=A0=0AI'm currently starting to monitor som= > e of the public media, such as google, DroneBL, as well as several Anti-Mal= > ware community websites for abuse.=0A=A0=0ABeing that Esthost is now entire= > ly GONE, we should not have any further issues.=0AIn the case that somethin= > g=A0does arise, such as an exploited host, we're currently developing a gam= > e plan for=A0response to=A0the issues.=0ATo make the best effort towards co= > mbatting=A0abuse on our network, here's what I have planned so far for ANY = > Type of abuse:=0AStep 1,=A0Suspend Power to the affected machine.=0AStep 2,= > Call/Email the client whom the affected machine is leased to.=0AStep 3, Al= > low the client=A0the option to=A0investigate the machine further (Nullroute= > access via KVM)=0AStep=A04, Verify the=A0reported content, domain, user, o= > r exploit=A0is patched/eliminated from the machine.=0AStep 5,=A0Remove the = > Nullroute. Allow the machine to return to the network.=0A=A0=0AAny comments= > ? =0A=A0=0AThis is=A0the result of a zero tolerance policy regarding abuse.= > If it's clear that the server owner is the cause of the abusive material e= > tc, the client will then be immediately cancelled. No questions.=A0=0A=0A= > =0AIt seems that this approach will be the best supported by the anti-abuse= > communities, so please let me know your input.=0A=0AThank you for your tim= > e. Have a great day.=0A=A0---=0ARussell Mitchell=0A=0AInterCage, Inc.=0A=0A= > =0A=0A----- Original Message ----=0AFrom: Paul Wall <pauldotwall(a)gmail.com>= > =0ATo: Mark Foo <mark..foo.dog(a)gmail.com>=0ACc: nanog(a)nanog.org=0ASent: Tues= > day, September 23, 2008 5:46:58 PM=0ASubject: Re: YAY! Re: Atrivo/Intercage= > : NO Upstream depeer=0A=0AHold the rejoicing, Atrivo is back, this time on = > UnitedLayer.=0A=0AI'd contact them, only they seem to change CTOs every mon= > th or two,=0Adoes anybody know who's currently in charge?=0A=0AThank you, a= > nd Drive Slow,=0APaul Wall=0A=0A=0A Speaking of missing memos... mailing lists are not highly compatible with HTML or some clients that like to encode list mail. The above is what your mail looked like to some people. I would suggest a different Step 1. Instead of killing power, simply isolate the affected machine. This might be as simple as putting up a firewall rule or two, if it is simply sending outgoing SMTP spam, or for more complex issues, downing the port facing the machine in question. Killing the power may destroy useful forensic clues about what happened to the system, and may damage the system. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.

2 1

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
by Russell Mitchell 24 Sep '08

24 Sep '08

Hello Michael, THANK YOU for the Intervention. If anyone would like to continue the chats, drop me an email, and we can continue talks OFF NANOG. Thank you all very much for your time and careful consideration into the issues we're having. Have a great day. --- Russell Mitchell InterCage, Inc. ----- Original Message ---- From: "michael.dillon(a)bt.com" <michael.dillon(a)bt.com> To: nanog(a)nanog.org Sent: Wednesday, September 24, 2008 2:23:01 AM Subject: RE: YAY! Re: Atrivo/Intercage: NO Upstream depeer > It is clear to me -- at least -- that this entire criminal > operation is being operated out of Eastern Europe, and their > foothold in the U.S. is the major issue here. If you believe that this is a criminal operation then you should keep this discussion OFF THE LIST and discourage anyone from taking any action against the bad guys that might disrupt evidence gathering. If this is a criminal matter, then it is best to keep quiet, collect good evidence, and go to court. Better to get a court injunction ordering them to stop sending malware, and then collect evidence showing that they violated the injunction. To do this, they need to have functioning upstream connections to your network. NANOG is not the place to discuss these things. None of this is network operational. The whole discussion amounts to a shouting match between vigilantes and their victims. Some of those victims might also be bad guys, but a shouting match on NANOG does not prove this one way or the other. --Michael Dillon

1 0

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
by Russell Mitchell 24 Sep '08

24 Sep '08

Hello Paul, GREAT! I am very pleased with that. This is what we need, and I'm sure you can agree, this is what the Internet needs. Thank you very much for your time. Have a great day. --- Russell Mitchell InterCage, Inc. ----- Original Message ---- From: Paul Ferguson <fergdawgster(a)gmail.com> To: Russell Mitchell <russm2k8(a)yahoo.com> Cc: nanog(a)nanog.org Sent: Wednesday, September 24, 2008 12:20:59 AM Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Sep 24, 2008 at 12:12 AM, Russell Mitchell <russm2k8(a)yahoo.com> wrote: > > I hope soon, people will realise and accept the truth that we are a > LEGITIMATE Company that DOES Operate in the USA. We are NOT directly or > in-directly related to any Russian's. We do NOT support, write, directly > distribute, or knowingly allow the distribution of malware or other > abusive activities to originate from our network. While the previous > statements are questionable in the public's eye, I hope some time, you > will understand it IS the truth. > > Prove me wrong, PLEASE. AS27595, and all prefixes which you advertise, will be ultra-scrutinized. You can be sure that you, and many others, will know if & when criminal activity re-appears inside prefixes hosted by Atrivo/Intercage. The gloves are off, so to speak. Cheers, - - ferg -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) wj8DBQFI2epPq1pz9mNUZTMRAumJAKD5lujVV7CTeZ6iQDEjsELHy7+I1wCfeXFH TxVWvBONxa+jozHf9hq+k2c= =L/4x -----END PGP SIGNATURE----- -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/

1 0

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
by Russell Mitchell 24 Sep '08

24 Sep '08

Hello Pedram, Until everyone fully understands the truth in ENGLISH, this topic will continue. This is what they demand. As long as there are questions which relate to us, I will continue to respond. When it's set in stone, and the false claims and false statements are corrected, this topic will cease. I hope soon, people will realise and accept the truth that we are a LEGITIMATE Company that DOES Operate in the USA. We are NOT directly or in-directly related to any Russian's. We do NOT support, write, directly distribute, or knowingly allow the distribution of malware or other abusive activities to originate from our network. While the previous statements are questionable in the public's eye, I hope some time, you will understand it IS the truth. Prove me wrong, PLEASE. If you know of any further malware or further abusive activities, such as the claimed C&C Botnets, please PLEASE don't hesitate to tell me. abuse.intercage and russ..intercage and emil.intercage are live and operational. We are currently investigating the rest of our clientel and any site's or communities you can recommend to follow, we will follow. While it is clear that this will not be accepted by the community any time soon, it will eventually be accepted. That is what I am waiting for, however long it takes. I can't stress this enough. We DO need your help to locate and eliminate abusive activities from our network. I know you have information, and I need you to atleast reclaim the faith that we WILL be very active against abuse originating from our network, and we WILL be proactive to locate and eliminate abusive activities on our network. Thank you very much for all your time and future assistance. Have a great day. --- Russell Mitchell InterCage, Inc. ----- Original Message ---- From: Pedram M <pmessri(a)gmail.com> To: nanog(a)nanog.org Sent: Tuesday, September 23, 2008 11:38:54 PM Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer Wow, this topic has really gotten old. On Tue, Sep 23, 2008 at 11:31 PM, Paul Ferguson <fergdawgster(a)gmail.com>wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Tue, Sep 23, 2008 at 11:28 PM, Russell Mitchell <russm2k8(a)yahoo.com> > wrote: > > > > Sorry I didn't make this clear enough in the previous responses. > > > > The prefixes that are registered to Inhoster belong to Esthost. > > I'm not sure how or why you think those prefixes belong to us. > > > > These prefixes belong DIRECTLY to us: > > - 69.50.160.0/19 Withdrawn > > - 216.255.176.0/20 Withdrawn > > > > These prefixes belong DIRECTLY to nLayer, and were LEASED to us: > > - 69.22.162.0/23 Withdrawn > > - 69.22.168.0/21 Withdrawn > > - 69.22.184.0/22 Withdrawn > > - 69.31.64.0/20 Withdrawn > > > > The prefixes LEASED to us BY nLayer are being reclaimed at the end of > > this month 09/30/08, as the lease contract is set to cease at that time. > > > > Hopefully, that is clear enough for you. > > > > Thank you for your time. Have a great day. > > --- > > Russell Mitchell > > > > InterCage, Inc. > > > > Clear as mud, thanks. > > - - ferg > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.3 (Build 3017) > > wj8DBQFI2d6uq1pz9mNUZTMRAmkcAJ4toRsggJ325VfjkqK8QJKWQG4UegCg84x+ > KwcuyxtFp7/x3/vScFTkP3I= > =/vFy > -----END PGP SIGNATURE----- > > > -- > "Fergie", a.k.a. Paul Ferguson > Engineering Architecture for the Internet > fergdawgster(at)gmail.com > ferg's tech blog: http://fergdawg.blogspot.com/ > >

2 1

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
by Russell Mitchell 24 Sep '08

24 Sep '08

Hello Paul, Sorry I didn't make this clear enough in the previous responses. The prefixes that are registered to Inhoster belong to Esthost. I'm not sure how or why you think those prefixes belong to us. These prefixes belong DIRECTLY to us: - 69.50.160.0/19 Withdrawn - 216.255.176.0/20 Withdrawn These prefixes belong DIRECTLY to nLayer, and were LEASED to us: - 69.22.162.0/23 Withdrawn - 69.22.168.0/21 Withdrawn - 69.22.184.0/22 Withdrawn - 69.31.64.0/20 Withdrawn The prefixes LEASED to us BY nLayer are being reclaimed at the end of this month 09/30/08, as the lease contract is set to cease at that time. Hopefully, that is clear enough for you. Thank you for your time. Have a great day. --- Russell Mitchell InterCage, Inc. ----- Original Message ---- From: Paul Ferguson <fergdawgster(a)gmail.com> To: Russell Mitchell <russm2k8(a)yahoo.com> Cc: nanog(a)nanog.org Sent: Tuesday, September 23, 2008 11:11:39 PM Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, Sep 23, 2008 at 10:52 PM, Paul Ferguson <fergdawgster(a)gmail.com> wrote: > On Tue, Sep 23, 2008 at 10:13 PM, Russell Mitchell <russm2k8(a)yahoo.com> > wrote: > >> I believe the blocks your referring to are their 85.255 Blocks? >> Registered to "InHoster". I believe those prefixes are an entity of >> their's, though I don't know for sure. Perhaps ask them? >> > > Thanks, thats right -- Inhoster. Operating out of Odessa and blacklisted > virtually everywhere. > Sorry, my last post on this issue. As you may (or may not) know, Inhoster's domain(s) were suspended due to criminal activity: http://whois.domaintools.com/inhoster.com The prefixes you mention, were deliberately being originated by AS27595 up until the recent kerfluffle and disconnect on Saturday night: Prefixes added and withdrawn by this origin AS in the past 7 days. - 64.28.176.0/20 Withdrawn - 67.210.0.0/21 Withdrawn - 67.210.8.0/22 Withdrawn - 67.210.14.0/23 Withdrawn - 69.22.162.0/23 Withdrawn - 69.22.168.0/21 Withdrawn - 69.22.184.0/22 Withdrawn - 69.31.64.0/20 Withdrawn - 69.50.160.0/19 Withdrawn - 85.255.113.0/24 Withdrawn - 85.255.114.0/23 Withdrawn - 85.255.116.0/22 Withdrawn - 85.255.120.0/23 Withdrawn - 85.255.122.0/24 Withdrawn - 216.255.176.0/20 Withdrawn - 216.255.176.0/22 Withdrawn - 216.255.180.0/22 Withdrawn - 216.255.184.0/22 Withdrawn - 216.255.188.0/22 Withdrawn And they magically reappeared in Cernel (AS36445) almost immediately: Prefix AS Path 64.28.187.0/24 12654 3257 36445 67.210.12.0/23 12654 3257 36445 85.255.112.0/20 12654 3257 36445 93.188.161.0/24 12654 3257 36445 93.188.166.0/24 12654 3257 36445 This was not an accident. So what you are saying is that these prefixes have always belonged to Inhoster? Thanks, - - ferg -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) wj8DBQFI2doTq1pz9mNUZTMRAupwAKDxEF9kyS/UoTb/Hl2FwEGM1tsj2gCfYF16 qyG0vUAmfxfdQg/vqHFCxbw= =T+0o -----END PGP SIGNATURE----- -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/

3 2