> -----Original Message-----
> From: Thor Lancelot Simon [mailto:tls@netbsd.org]
> Sent: Wednesday, January 26, 2005 3:17 PM
> To: Hannigan, Martin; nanog(a)merit.edu
> Subject: Re: High Density Multimode Runs BCP?
>
>
> On Wed, Jan 26, 2005 at 02:49:29PM -0500, Hannigan, Martin wrote:
> > > >
> > > > When running say 24-pairs of multi-mode across a
> datacenter, I have
> > > > considered a few solutions, but am not sure what is
> > > common/best practice.
> > >
> > > I assume multiplexing up to 10Gb (possibly two links
> thereof) and then
> > > back down is cost-prohibitive? That's probably the
> "best" practice.
> >
> > I think he's talking physical plant. 200m should be fine. Consult
> > your equipment for power levels and support distance.
>
> Sure -- but given the cost of the new physical plant installation he's
> talking about, the fact that he seems to know the present maximum data
> rate for each physical link, and so forth, I think it does
> make sense to
> ask the question "is the right solution to simply be more economical
> with physical plant by multiplexing to a higher data rate"?
>
> I've never used fibre ribbon, as advocated by someone else in
> this thread,
> and that does sound like a very clever space- and possibly cost-saving
> solution to the puzzle. But even so, spending tens of thousands of
> dollars to carry 24 discrete physical links hundreds of
> meters across a
Tens of thousands? 24 strand x 100' @ $5 = $500. Fusion splice
is $25 per splice per strand including termination. The 100m
patch cords are $100.00. It's cheaper to bundle and splice.
How much does the mux cost?
> datacenter, each at what is, these days, not a particularly high data
> rate, may not be the best choice. There may well be some
> question about
> at which layer it makes sense to aggregate the links -- but to me, the
> question "is it really the best choice of design constraints to take
> aggregation/multiplexing off the table" is a very substantial one here
> and not profitably avoided.
Fiber ribbon doesn't "fit" in any long distance (+7') distribution
system, rich or poor, that I'm aware of. Racks, cabinets, et al.
are not very conducive to it. The only application I've seen was
IBM fiber channel.
Datacenters are sometimes permanent facilities and it's better,
IMHO, to make things more permanent with cross connect than
aggregation. It enables you to make your cabinet cabling and
your termination area cabling almost permanent and maintenance
free - as well as giving you test, add, move, and drop. It's more
cable, but less equipment to maintain, support, and reduces
failure points. It enhances security as well. You can't open
the cabinet and just jack something in. You have to provision
behind the locked term area.
I'd love to hear about a positive experience using ribbon cable
inside a datacenter.
>
> Thor
>
To: "Mike Delany" <mdelany(a)databasecity.com>
Thank you for spamming me. You have just been reported to
federal authorities (reportingspam(a)aca.gov.au) that may or
may not pursue the matter further. You are in clear violation
of Australian law, "Spam Act 2003",
http://scaleplus.law.gov.au/html/comact/11/6735/top.htm.
I should also report you to the US authorities because you
were also in violation of the US CAN-SPAM act.
Received: from mail.databasecity.com (mail.databasecity.com [208.2.76.101])
by sf1.isc.org (Postfix) with ESMTP id C8D4C2862F
for <Mark_Andrews(a)isc.org>; Wed, 26 Jan 2005 15:15:28 +0000 (UTC)
(envelope-from mdelany(a)databasecity.com)
I posted this here because you clearly harvested my address from
a nanog mailing (including the entire contents of my last mailing
to the list was a sure giveaway).
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews(a)isc.org
> -----Original Message-----
> From: owner-nanog(a)merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
> Thor Lancelot Simon
> Sent: Wednesday, January 26, 2005 2:09 PM
> To: nanog(a)merit.edu
> Subject: Re: High Density Multimode Runs BCP?
>
>
>
> On Tue, Jan 25, 2005 at 07:23:17PM -0500, Deepak Jain wrote:
> >
> >
> > I have a situation where I want to run Nx24 pairs of GE across a
> > datacenter to several different customers. Runs are about
> 200meters max.
> >
> > When running say 24-pairs of multi-mode across a datacenter, I have
> > considered a few solutions, but am not sure what is
> common/best practice.
>
> I assume multiplexing up to 10Gb (possibly two links thereof) and then
> back down is cost-prohibitive? That's probably the "best" practice.
I think he's talking physical plant. 200m should be fine. Consult
your equipment for power levels and support distance.
Inside plant, dedicated fiber tray
Nothing wrong with running a bundle of MM with the SM
bundles. This method usually uses fiber shelves with
either pig tailed (factory) or fusion spliced (best)
method.
Inside plant, no tray, fiber trough
Use factory terminated strands(patch) only and save
yourself aggravation and get better reliability. Run
it loose in the trough from source to destination ports.
Inside plant, no tray, no fiber trough
Use factory strands(patch) and run it inside
a 1/4" or larger innerduct from source to destination
ports.
Spiral wrap is always recommended on the "last 7'" and
some sort of bracing near the port should be provided.
Consult the cable manufacturer for proper bend radius.
Avoid zip ties if possible. Vibration and other factors
make them not desirable.
There's a multitude of combinations of the above. Without
knowing the facility layout and the cross connect/inter connect
standard, it's hard to speculate.
(the above is as close to a BCP as you can get. Fairly typical
central office standards via Bellcore. Er. Telcordia.)
YMMV
-M<
Does anyone have a live and clueful contact point for Lockheed? They're
running some badly broken proxy software that requests HTTP keepalive
service, then 'forgets' about the connection. After forgetting about the
connection it makes new ones. Right now I'm playing whack-a-mole as
whatever proxy system they're using seems to figure out when I'm blocking
them and find another route out of their network.
I did have one from 'chase manhattan bank' as well, or IPs controlled by
them, and from a different ASN, so maybe this is pretty widespread, maybe
not. I need to at least first find out what proxy software this is because
it's getting bloody ridiculous.
--
GPG/PGP --> 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E
When you check in for NANOG33, there will be colored stickers
available for your name tag that indicate if you have an interest in
signing PGP keys. If people keep trying to peer with you, you've picked
the wrong color sticker and should go back.
We are meeting at 9:00pm on Monday in the Flamengo Boardroom for
the key signing. Those of you that wish to participate, please email an
ASCII extract of your public key to msa(a)latt.net by noon on Monday,
January 31st. Please include 'NANOG PGP KEY' in the subject, and if
possible, don't send your key as a MIME attachment. I realize that some
MUAs make this difficult, and I will attempt to fix any MIME-attached keys.
Instructions for extracting your key to an ASCII file are below.
After 5pm on the 31st, a complete key ring with all of the
submitted keys will be available at:
http://puck.nether.net/~majdi/nanog33.pgp in binary form, and as
an ASCII file at http://puck.nether.net/~majdi/nanog33.txt.
Handouts with the details of each key submitted will be provided.
All you should bring with you is:
* Photo ID (driver's license, passport, etc. Consider bringing 2)
* Your key ID, and its corresponding hexadecimal fingerprint
* A pen
Thanks, and I'm looking forward to seeing everyone in Vegas!
--msa
How to extract your public key:
-------------------------------
PGP 2.x:
pgp -kxa your_email_address mykey.asc
PGP 5.x:
pgpk -xa your_email_address > mykey.asc
GnuPG:
gpg --export --armor your_email_address > mykey.asc
PGP on Windows:
Start the PGPkeys application, select your key in the
list, click on the Keys menu, select Export, name the resulting
file, and make sure that Include Private Keys is NOT checked.
PGP on a Mac:
I assume the procedure is similar to the one for Windows,
but cannot confirm this. Hopefully it's easy enough to figure
out.
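The export commands in the announcement above produce an ASCII-armored OpenPGP block, and what the signing party actually compares against your photo ID is the fingerprint derived from the public-key packet inside that block. The Python below is an added example, not part of the original announcement and not code from any PGP implementation: it builds a toy v4 RSA public-key packet from constructed key material (the modulus, exponent and creation time are made up and are not a real key), wraps it in armor with the RFC 4880 CRC-24 trailer, de-armors it, computes the v4 fingerprint and the key ID (the low 64 bits of that fingerprint), and rejects a block whose leading packet is a Secret-Key packet, which is the "Include Private Keys" mistake the announcement warns about. All function names are this example's own; it handles old-format packet headers only.

```python
"""Toy OpenPGP (RFC 4880) helpers: ASCII armor, v4 fingerprint and key ID."""
import base64
import hashlib

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB   # RFC 4880 section 6.1
# Constructed sample key material, not a real key: a 128-bit "modulus" and e = 65537.
SAMPLE_N = 0xD2A30F319B7C4E158A601D7F2B93C4E7
SAMPLE_E = 65537
SAMPLE_CREATED = 1106700000   # made-up key creation time (seconds since the epoch)
BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """Checksum carried in the armor's '=XXXX' trailer; detects corruption in transit."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def mpi(n: int) -> bytes:
    """Multi-precision integer: 2-octet bit count, then the big-endian magnitude."""
    bits = n.bit_length()
    return bits.to_bytes(2, "big") + n.to_bytes((bits + 7) // 8, "big")

def build_sample_public_key_packet() -> bytes:
    """Tag 6 (Public-Key) packet: old-format header with 2-octet length, i.e. CTB 0x99."""
    body = bytes([4]) + SAMPLE_CREATED.to_bytes(4, "big") + bytes([1])  # v4, time, RSA
    body += mpi(SAMPLE_N) + mpi(SAMPLE_E)
    return b"\x99" + len(body).to_bytes(2, "big") + body

def parse_packet(data: bytes):
    """Return (tag, body, remainder) for an old-format packet header."""
    ctb = data[0]
    if not (ctb & 0x80) or (ctb & 0x40) or (ctb & 0x03) == 3:
        raise ValueError("not an old-format packet with an explicit length")
    tag, hlen = (ctb >> 2) & 0x0F, 1 + (1 << (ctb & 0x03))   # 1-, 2- or 4-octet length
    length = int.from_bytes(data[1:hlen], "big")
    body = data[hlen:hlen + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body, data[hlen + length:]

def parse_v4_public_key(body: bytes) -> dict:
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    created, algo, mpis, pos = int.from_bytes(body[1:5], "big"), body[5], [], 6
    while pos < len(body):
        nbytes = (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
        mpis.append(int.from_bytes(body[pos + 2:pos + 2 + nbytes], "big"))
        pos += 2 + nbytes
    return {"created": created, "algo": algo, "mpis": mpis}

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-octet body length and the body itself."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def key_id(fingerprint: str) -> str:
    return fingerprint[-16:]   # a v4 key ID is the low 64 bits of the fingerprint

def armor(packet: bytes) -> str:
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, ""] + lines + ["=" + crc, END, ""])

def dearmor(text: str) -> bytes:
    lines = text.splitlines()
    inner = lines[lines.index(BEGIN) + 1:lines.index(END)]
    if "" in inner:                                   # skip "Version:"-style armor headers
        inner = inner[inner.index("") + 1:]
    data = base64.b64decode("".join(l for l in inner if not l.startswith("=")))
    for crc_line in (l for l in inner if l.startswith("=")):
        if crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
            raise ValueError("CRC-24 mismatch: the armored block was altered in transit")
    return data

def inspect_armored_key(text: str) -> dict:
    """The checks a key-signing coordinator would run on a submitted block."""
    try:
        data = dearmor(text)
    except ValueError as exc:
        return {"crc_ok": False, "error": str(exc)}
    tag, body, _rest = parse_packet(data)
    if tag == 5:       # tag 5 is a Secret-Key packet: the sender exported private material
        return {"crc_ok": True, "error": "secret key material present; do not send this"}
    if tag != 6:
        return {"crc_ok": True, "error": f"unexpected leading packet tag {tag}"}
    key, fpr = parse_v4_public_key(body), v4_fingerprint(body)
    return {"crc_ok": True, "error": None, "algo": key["algo"], "created": key["created"],
            "fingerprint": fpr, "key_id": key_id(fpr)}

if __name__ == "__main__":
    block = armor(build_sample_public_key_packet())
    print(block, inspect_armored_key(block), sep="\n")
```

The point of hashing 0x99 plus the length rather than the raw exported bytes is that the fingerprint is defined over the key material, not over whatever header encoding a particular exporter chose, so two tools exporting the same key agree on it. The CRC-24 only catches transit damage; it is not an integrity protection against an attacker, which is exactly why the fingerprint is checked in person at the signing.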
Does anyone have any ideas how to get in contact with namecheap? Short
of driving up there no one is really helpful with our issue. We need to
get a serial number incremented on a DNS change, and they can't seem to
understand our update.
Thanks
Jason
Cisco Security Advisory: Multiple Crafted IPv6 Packets Cause Reload
by Cisco Systems Product Security Incident Response Team 26 Jan '05
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Crafted IPv6 Packets Cause Reload
Revision 1.0
For Public Release 2005 January 26 1600 UTC (GMT)
- --------------------------------------------------------------------------
Contents
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures
- --------------------------------------------------------------------------
Summary
=======
Cisco Internetwork Operating System (IOS) Software is vulnerable to a Denial
of Service (DoS) attack from crafted IPv6 packets when the device has been
configured to process IPv6 traffic. Exploitation requires multiple crafted
packets to be sent to the device; successful exploitation causes the device to
reload.
Cisco has made free software available to address this vulnerability.
There are workarounds available to mitigate the effects.
This issue is tracked by CERT/CC VU#472582.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml.
Affected Products
=================
Vulnerable Products
Only Cisco devices running IOS and configured for IPv6 are affected. A
router displays all IPv6-enabled interfaces with the show ipv6 interface
command.
An empty output or an error message will be displayed if IPv6 is disabled or
unsupported on the system. In this case the system is not vulnerable.
Sample output of show ipv6 interface command is shown below for a system
configured for IPv6.
Router#show ipv6 interface
Serial1/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:D200
Global unicast address(es):
2001:1:33::3, subnet is 2001:1:33::/64 [TENTATIVE]
Joined group address(es):
FF02::1
FF02::1:FF00:3
FF02::1:FF00:D200
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
Router#
A router that has IPv6 enabled on a physical or logical interface is vulnerable
to this issue even if ipv6 unicast-routing is globally disabled. The show ipv6
interface command can be used to determine whether IPv6 is enabled on any
interface.
Products Confirmed Not Vulnerable
* Products that are not running Cisco IOS are not affected.
* Products running any version of Cisco IOS that do not have IPv6 configured
interfaces are not vulnerable.
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
IPv6 is the "Internet Protocol Version 6", designed by the Internet Engineering
Task Force (IETF) to replace the current version Internet Protocol, IP Version
4 (IPv4).
A vulnerability exists in the processing of IPv6 packets that can be exploited
to cause the reload of a system. Crafted packets received on logical interfaces
(that is, tunnels including 6to4 tunnels) as well as physical interfaces can
trigger this vulnerability.
Multiple crafted IPv6 packets need to be sent to exploit this vulnerability.
Such crafted packets can be sent remotely.
This issue is documented in Cisco bug ID CSCed40933 (registered customers
only).
Impact
======
Successful exploitation of this vulnerability results in a reload of the
device. Repeated exploitation could result in a sustained DoS attack.
Software Versions and Fixes
===========================
+-----------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+----------------------------------------|
| Affected | | | | |
| 12.0-Based | Rebuild | Interim | Maintenance | |
| Release | | | | |
|------------+-------------+---------+-------------+--|
| | 12.0(23)S | | | |
| | and before | | | |
| | are not | | | |
| | vulnerable. | | | |
| |-------------+---------+-------------+--|
| | 12.0(24)S6 | | | |
|12.0S |-------------+---------+-------------+--|
| | 12.0(25)S3 | | | |
| |-------------+---------+-------------+--|
| | 12.0(26)S2 | | | |
| |-------------+---------+-------------+--|
| | 12.0(27)S1 | | | |
| |-------------+---------+-------------+--|
| | | | 12.0(28)S | |
|------------+-------------+---------+-------------+--|
| 12.0SX | 12.0(25)SX8 | | | |
|------------+-------------------------------------+--|
| 12.0SZ | 12.0(27)SZ | |
|------------+-------------------------------------+--|
| Affected | | | | |
| 12.2-Based | Rebuild | Interim | Maintenance | |
| Release | | | | |
|------------+-------------------------------------+--|
| | 12.2(2)B - 12.2(4)B7 Migrate to | |
| | 12.2(13)T14 or later | |
|12.2B |-------------------------------------+--|
| | 12.2(4)B8 AND FWD Migrate to 12.3 | |
| | (7)T or later | |
|------------+-------------------------------------+--|
| 12.2BC | Migrate to 12.3(9a)BC | |
|------------+-------------------------------------+--|
| 12.2BX | Migrate to 12.3(7)XI1 | |
|------------+-------------------------------------+--|
| 12.2BZ | Migrate to 12.3(7)XI1 | |
|------------+-------------------------------------+--|
| 12.2CX | No plan. | |
|------------+-------------------------------------+--|
| 12.2CZ | No plan. | |
|------------+-------------------------------------+--|
| 12.2EW | 12.2(18)EW1 | |
|------------+-------------------------------------+--|
| 12.2EWA | | | 12.2(20)EWA | |
|------------+-------------+---------+-------------+--|
| 12.2JK | 12.2(15)JK2 | | | |
|------------+-------------------------------------+--|
| 12.2MC | Migrate to 12.3(11)T | |
|------------+-------------------------------------+--|
| | 12.2(14)S9 | | | |
| |-------------+---------+-------------+--|
| | 12.2(18)S5 | | | |
| |-------------+---------+-------------+--|
| 12.2S | 12.2(20)S3 | | | |
| |-------------+---------+-------------+--|
| | 12.2(22)S1 | | | |
| |-------------+---------+-------------+--|
| | | | 12.2(25)S | |
|------------+-------------------------------------+--|
| 12.2SE | 12.2(25)SE | |
|------------+-------------------------------------+--|
| 12.2SU | 12.2(14)SU1 | | | |
|------------+-------------------------------------+--|
| 12.2SV | 12.2(23)SV | |
|------------+-------------------------------------+--|
| 12.2SW | 12.2(23)SW | |
|------------+-------------------------------------+--|
| 12.2SX | Migrate to 12.2(17d)SXB2 or later | |
|------------+-------------------------------------+--|
| 12.2SXA | Migrate to 12.2(17d)SXB1 or later | |
|------------+-------------------------------------+--|
| 12.2SXB | 12.2(17d) | | | |
| | SXB1 | | | |
|------------+-------------+---------+-------------+--|
| 12.2SXD | | | 12.2(18)SXD | |
|------------+-------------------------------------+--|
| 12.2SY | Migrate to 12.2(17d)SXB2 or later | |
|------------+-------------------------------------+--|
| 12.2SZ | Migrate to 12.2(20)S4 | |
|------------+-------------------------------------+--|
| | 12.2(13)T14 | | | |
|12.2T |-------------+---------+-------------+--|
| | 12.2(15)T12 | | | |
|------------+-------------------------------------+--|
| 12.2YT | Migrate to 12.2(15)T13 or later | |
|------------+-------------------------------------+--|
| 12.2YU | Migrate to 12.3(4)T6 or later | |
|------------+-------------------------------------+--|
| 12.2YV | Migrate to 12.3(4)T6 or later | |
|------------+-------------------------------------+--|
| 12.2YZ | Migrate to 12.2(20)S4 or later | |
|------------+-------------------------------------+--|
| 12.2ZC | Migrate to 12.3T or later | |
|------------+-------------------------------------+--|
| 12.2ZD | Migrate to 12.3 or later | |
|------------+-------------------------------------+--|
| 12.2ZE | Migrate to 12.3 or later | |
|------------+-------------------------------------+--|
| 12.2ZF | Migrate to 12.3(4)T6 or later | |
|------------+-------------------------------------+--|
| 12.2ZG | Migrate to 12.3(4)T6 or later | |
|------------+-------------------------------------+--|
| 12.2ZH | Migrate to 12.3(4)T6 or later | |
|------------+-------------------------------------+--|
| 12.2ZI | Migrate to 12.2(18)S or later | |
|------------+-------------------------------------+--|
| 12.2ZJ | Migrate to 12.3 or later | |
|------------+-------------------------------------+--|
| 12.2ZL | Migrate to 12.3(7)T or later | |
|------------+-------------------------------------+--|
| 12.2ZN | Migrate to 12.3(2)T6 or later | |
|------------+-------------------------------------+--|
| 12.2ZO | Migrate to 12.2(15)T12 or later | |
|------------+-------------------------------------+--|
| 12.2ZP | Migrate to 12.3(8)XY or later | |
|------------+-------------------------------------+--|
| Affected | | | | |
| 12.3-Based | Rebuild | Interim | Maintenance | |
| Release | | | | |
|------------+-------------+---------+-------------+--|
| | 12.3(3f) | | | |
| |-------------+---------+-------------+--|
| | 12.3(5c) | | | |
|12.3 |-------------+---------+-------------+--|
| | 12.3(6a) | | | |
| |-------------+---------+-------------+--|
| | | | 12.3(9) | |
|------------+-------------+---------+-------------+--|
| 12.3BC | | | 12.3(9a)BC | |
|------------+-------------+---------+-------------+--|
| 12.3B | 12.3(5a)B2 | | | |
|------------+-------------------------------------+--|
| 12.3BW | Migrate to 12.3(5a)B2 or later | |
|------------+-------------------------------------+--|
| 12.3JA | | | 12.3(2)JA | |
|------------+-------------+---------+-------------+--|
| | 12.3(2)T6 | | | |
| |-------------+---------+-------------+--|
| 12.3T | 12.3(4)T6 | | | |
| |-------------+---------+-------------+--|
| | | | 12.3(7)T | |
|------------+-------------------------------------+--|
| 12.3XA | Migrate to 12.3(7)T or later | |
|------------+-------------------------------------+--|
| 12.3XB | Migrate to 12.3(8)T or later | |
|------------+-------------------------------------+--|
| 12.3XC | Migrate 12.3(2)XC3 or later | |
|------------+-------------------------------------+--|
| 12.3XD | 12.3(4)XD4 | | | |
|------------+-------------------------------------+--|
| 12.3XE | 12.3(2)XE1 | |
|------------+-------------------------------------+--|
| 12.3XF | Migrate to 12.3(11)T or later | |
|------------+-------------------------------------+--|
| 12.3XG | 12.3(4)XG2 | | | |
|------------+-------------------------------------+--|
| 12.3XH | Migrate to 12.3(11)T or later | |
|------------+-------------------------------------+--|
| 12.3XI | | | 12.3(7)XI | |
|------------+-------------------------------------+--|
| 12.3XJ | 12.3(7)XJ | |
|------------+-------------------------------------+--|
| 12.3XK | 12.3(4)XK1 | | | |
|------------+-------------+---------+-------------+--|
| 12.3XL | | | 12.3(7)XL | |
|------------+-------------+---------+-------------+--|
| 12.3XM | | | 12.3(7)XM | |
|------------+-------------------------------------+--|
| 12.3XN | Migrate to 12.3(14)T or later | |
|------------+-------------------------------------+--|
| 12.3XQ | 12.3(4)XQ | |
|------------+-------------------------------------+--|
| 12.3XR | | | 12.3(7)XR | |
|------------+-------------------------------------+--|
| 12.3XS | 12.3(7)XS | |
|------------+-------------------------------------+--|
| 12.3XT | 12.3(2)XT | |
|------------+-------------------------------------+--|
| 12.3XU | 12.3(8)XU | |
|------------+-------------------------------------+--|
| 12.3XX | | | 12.3(8)XX | |
|------------+-------------+---------+-------------+--|
| 12.3XW | | | 12.3(8)XW | |
|------------+-------------+---------+-------------+--|
| 12.3XY | | | 12.3(8)XY | |
|------------+-------------+---------+-------------+--|
| 12.3XZ | | | 12.3(2)XZ | |
|------------+-------------+---------+-------------+--|
| 12.3YA | | | 12.3(8)YA | |
|------------+-------------+---------+-------------+--|
| 12.3YD | | | 12.3(8)YD | |
|------------+-------------+---------+-------------+--|
| 12.3YE | | | 12.3(4)YE | |
|------------+-------------+---------+-------------+--|
| 12.3YF | | | 12.3(11)YF | |
|------------+-------------+---------+-------------+--|
| 12.3YG | | | 12.3(8)YG | |
|------------+-------------+---------+-------------+--|
| 12.3YH | | | 12.3(8)YH | |
+-----------------------------------------------------+
When considering software upgrades, please also consult
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be
upgraded contain sufficient memory and that current hardware and software
configurations will continue to be supported properly by the new release. If
the information is not clear, contact the Cisco Technical Assistance Center
(TAC) for assistance.
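Deciding whether a given router is exposed combines two facts from this advisory: whether any interface has IPv6 enabled (the show ipv6 interface test from Affected Products, which applies even when ipv6 unicast-routing is globally off), and whether the running image is at or past the first fixed rebuild for its train in the table above. The Python below is an added example, not Cisco's code: it encodes only the 12.0S row of the fix table, parses IOS version strings of the form that table uses, and scans show ipv6 interface output consisting of the advisory's own Serial1/0 sample plus a constructed Tunnel0 entry (a logical interface, which the Details section says is also an attack surface). The version-string grammar and all function names are this example's assumptions.

```python
"""Exposure check for the IPv6 crafted-packet reload advisory (cisco-sa-20050126-ipv6)."""
import re

# 12.0S row of the advisory's fix table: first fixed rebuild per maintenance release.
# 12.0(23)S and earlier are not vulnerable; 12.0(28)S and later carry the fix.
FIRST_FIXED_12_0S_REBUILD = {24: 6, 25: 3, 26: 2, 27: 1}
FIRST_FIXED_12_0S_MAINT = 28
LAST_UNAFFECTED_12_0S_MAINT = 23

# Serial1/0 is the advisory's own sample output; Tunnel0 is a constructed entry added
# here because the advisory says crafted packets on tunnels trigger the same code path.
SAMPLE_SHOW_IPV6 = """\
Serial1/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:D200
  Global unicast address(es):
    2001:1:33::3, subnet is 2001:1:33::/64 [TENTATIVE]
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
Tunnel0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:D201
  MTU is 1480 bytes
"""

# Assumed grammar covering the forms in the table: 12.0(27)S1, 12.2(17d)SXB2, 12.3(9)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)$")
IFACE_RE = re.compile(r"^(\S+) is (up|down|administratively down|deleted)")


def parse_ios_version(text: str) -> dict:
    """Split an IOS version string into major/minor, maintenance number, train and rebuild."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version string: {text!r}")
    major, minor, maint, letter, train, rebuild = m.groups()
    return {"major": int(major), "minor": int(minor), "maint": int(maint),
            "letter": letter, "train": train, "rebuild": int(rebuild) if rebuild else 0}


def software_status_12_0s(version: str) -> str:
    """'not vulnerable', 'vulnerable' or 'fixed' for a 12.0S image; other trains are rejected."""
    v = parse_ios_version(version)
    if (v["major"], v["minor"], v["train"]) != (12, 0, "S"):
        raise ValueError("only the 12.0S row of the advisory table is encoded here")
    if v["maint"] <= LAST_UNAFFECTED_12_0S_MAINT:
        return "not vulnerable"
    if v["maint"] >= FIRST_FIXED_12_0S_MAINT:
        return "fixed"
    return "fixed" if v["rebuild"] >= FIRST_FIXED_12_0S_REBUILD[v["maint"]] else "vulnerable"


def ipv6_enabled_interfaces(show_output: str) -> list:
    """Interfaces whose 'show ipv6 interface' block reports an IPv6 state other than disabled."""
    enabled, current = [], None
    for line in show_output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        state = line.strip()
        if current and state.startswith("IPv6 is") and not state.startswith("IPv6 is disabled"):
            enabled.append(current)
    return enabled


def assess(version: str, show_ipv6_output: str) -> dict:
    """Exposed only when some interface has IPv6 enabled AND the image lacks the fix.
    Per the advisory, the global 'ipv6 unicast-routing' setting is deliberately not consulted."""
    interfaces = ipv6_enabled_interfaces(show_ipv6_output)
    status = software_status_12_0s(version)
    return {"ipv6_interfaces": interfaces, "software": status,
            "exposed": bool(interfaces) and status == "vulnerable"}


if __name__ == "__main__":
    for ver in ("12.0(23)S", "12.0(27)S", "12.0(27)S1", "12.0(28)S"):
        print(ver, assess(ver, SAMPLE_SHOW_IPV6))
```

Extending this to the other rows is a matter of adding a dict per train; the "Migrate to ..." rows cannot be expressed as a rebuild threshold and need a per-train mapping to the target release instead.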
Obtaining Fixed Software
========================
Customers with Service Contracts
Customers with contracts should obtain upgraded software through their regular
update channels. For most customers, this means that upgrades should be
obtained through the Software Center on Cisco's worldwide website at
http://www.cisco.com.
Customers using Third-party Support Organizations
Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with the upgrade, which should be free of
charge.
Customers without Service Contracts
Customers who purchase direct from Cisco but who do not hold a Cisco service
contract and customers who purchase through third-party vendors but are
unsuccessful at obtaining fixed software through their point of sale should get
their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC
contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades for
non-contract customers must be requested through the TAC.
Please do not contact either "psirt(a)cisco.com" or "security-alert(a)cisco.com"
for software upgrades.
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional
TAC contact information, including special localized telephone numbers and
instructions and e-mail addresses for use in various languages.
Customers may only install and expect support for the feature sets they have
purchased. By installing, downloading, accessing or otherwise using such
software upgrades, customers agree to be bound by the terms of Cisco's software
license terms found at http://www.cisco.com/public/sw-license-agreement.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Workarounds
===========
The effectiveness of any workaround is dependent on specific customer
situations such as product mix, network topology, traffic behavior, and
organizational mission. Due to the variety of affected products and releases,
customers should consult with their service provider or support organization to
ensure any applied workaround is the most appropriate for use in the intended
network before it is deployed.
Although it is often difficult to block traffic transiting your network, it is
possible to identify traffic which should never be allowed to target your
infrastructure devices and block that traffic at the border of your network.
Infrastructure access control lists (ACLs) are considered a network security
best practice and should be considered as a long-term addition to good network
security as well as a workaround for this specific vulnerability. The white
paper entitled "Protecting Your Core: Infrastructure Protection Access Control
Lists", available at http://www.cisco.com/warp/public/707/iacl.html, presents
guidelines and recommended deployment techniques for infrastructure protection
ACLs. Exceptions would include any devices which have a legitimate reason to
access your infrastructure (for example, BGP peers, DNS servers, and so on).
All other traffic must be able to traverse your network without terminating on
any of your devices.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious use of
the vulnerability described in this advisory.
Status of This Notice: FINAL
============================
THIS ADVISORY IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF
THE INFORMATION ON THE ADVISORY OR MATERIALS LINKED FROM THE ADVISORY IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS NOTICE AT ANY
TIME.
A stand-alone copy or paraphrase of the text of this security advisory that
omits the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml.
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail
and Usenet news recipients.
* cust-security-announce(a)cisco.com
* first-teams(a)first.org (includes CERT/CC)
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.netsys.com
* comp.dcom.sys.cisco(a)newsgate.cisco.com
* Various internal Cisco mailing lists
Future updates of this advisory, if any, will be placed on Cisco's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.
Revision History
================
+---------------------------------------------+
| Revision | 2005-January-26 | Initial public |
| 1.0 | | release. |
+---------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco products,
obtaining assistance with security incidents, and registering to receive
security information from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.….
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFB97ElezGozzK2tZARAnf7AKCaIOMqvct4DE93oqAztxQJCT2KcgCg127I
LHNvmFV/3Dga2ijk5r5XuP8=
=HD3z
-----END PGP SIGNATURE-----
Cisco Security Advisory: Crafted Packet Causes Reload on Cisco Routers
by Cisco Systems Product Security Incident Response Team 26 Jan '05
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Crafted Packet Causes Reload on Cisco Routers
Revision 1.0
For Public Release 2005 January 26 1600 (GMT)
- --------------------------------------------------------------------------
Contents
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures
- --------------------------------------------------------------------------
Summary
=======
Cisco Routers running Internetwork Operating System (IOS) that supports Multi
Protocol Label Switching (MPLS) are vulnerable to a Denial of Service (DoS)
attack on MPLS disabled interfaces. A system that supports MPLS is vulnerable
even if that system is not configured for MPLS.
The vulnerability is only present in Cisco IOS release trains based on 12.1T,
12.2, 12.2T, 12.3 and 12.3T. Releases based on 12.1 mainline, 12.1E and all
releases prior to 12.1 are not vulnerable.
Cisco has made free software available to address this vulnerability.
There are workarounds available to mitigate the effects.
This issue is tracked by CERT/CC VU#583638.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml.
Affected Products
=================
Vulnerable Products
Only the following products running a vulnerable version of IOS that support
MPLS are affected.
* 2600 and 2800 series routers
* 3600, 3700 and 3800 series routers
* 4500 and 4700 series routers
* 5300, 5350 and 5400 series Access Servers
Products that are not listed above are not affected.
MPLS is not supported in IP and IP Plus feature sets. Therefore, products
running an IOS version with an IP or IP Plus feature set are not vulnerable.
An attack can only be launched at systems that are not configured for MPLS
Traffic Engineering and on the interfaces where MPLS is not enabled. MPLS
enabled interfaces can be determined by the show mpls interfaces command.
An unaffected system where MPLS is not supported will give an output similar to
the following.
Router#show mpls interfaces
                 ^
% Invalid input detected at '^' marker.
Router#
MPLS can be enabled in different ways on a router. In the below output, a
router is shown that has MPLS enabled for IP on interface Ethernet0/0.
Router#show mpls interfaces
Interface              IP            Tunnel   Operational
Ethernet0/0            Yes (tdp)     No       Yes
Router#
When MPLS for IP is enabled on an interface, the router is immune to the
attacks coming from that interface but vulnerable to the attacks coming from
other interfaces. Enabling MPLS for IP on all interfaces of the router will
make the router immune to attacks coming from any interface. An interface that
has MPLS for IP enabled will have mpls ip or tag-switching ip command in the
interface configuration.
MPLS Traffic Engineering (TE) provides a better protection against this
vulnerability. If MPLS TE is enabled globally, the router will be immune to the
attacks coming from any interface. A router that has MPLS TE enabled will have
mpls traffic-eng tunnels command in the show running-config output.
Products Confirmed Not Vulnerable
* Products that are not running Cisco IOS are not vulnerable.
* Products running Cisco IOS versions 12.0 and earlier and 12.1 mainline are
not vulnerable.
* Products that are not mentioned in the Affected Products section are not
vulnerable (including but not limited to Cisco 7200, 7500, 12000 series and
Catalyst systems).
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Multi Protocol Label Switching (MPLS) is a vendor-independent protocol that
integrates layer-2 (as defined in the Open System Interconnection Reference
Model) information into layer-3. More information on MPLS can be found at
http://www.cisco.com/warp/public/732/Tech/mpls.
A vulnerability exists in the processing of an MPLS packet that is received on
an interface where MPLS is disabled. A router that is configured for MPLS
Traffic Engineering is immune to attacks coming from any interface.
A Cisco device receiving a crafted packet on an MPLS disabled interface will
reset and may take several minutes to become fully functional. This
vulnerability may be exploited repeatedly resulting in an extended DoS attack.
This issue is documented in bug IDs CSCeb56909 and CSCec86420 (registered
customers only).
Such crafted packets can only be sent from the local network segment.
Impact
======
Successful exploitation of this vulnerability could result in a reload of the
device. Repeated exploitation could result in a sustained DoS attack.
Software Versions and Fixes
===========================
+---------------------------------------------+
| Major Release | Availability of Repaired |
| | Releases |
|-----------------+---------------------------|
| Affected | | | |
| 12.1-Based | Rebuild | Maintenance | |
| Release | | | |
|-----------------+------------------------+--|
| 12.1DB | Migrate to 12.3(4)T or | |
| | later | |
|-----------------+------------------------+--|
| 12.1DC | Migrate to 12.3(4)T or | |
| | later | |
|-----------------+------------------------+--|
| 12.1T | Migrate to 12.2 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1XG | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1XI | Migrate to 12.2 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1XJ | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1XL | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1XM | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1XP | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1XQ | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1XR | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1XT | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1XU | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1XV | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1YA | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1YB | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1YC | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1YD | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1YE | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1YF | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1YH | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.1YI | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| Affected | | | |
| 12.2-Based | Rebuild | Maintenance | |
| Release | | | |
|-----------------+----------+-------------+--|
| | 12.2 | | |
| | (10g) | | |
| |----------+-------------+--|
| | 12.2 | | |
| | (13e) | | |
| |----------+-------------+--|
| | 12.2 | | |
| | (16f) | | |
| |----------+-------------+--|
| 12.2 | 12.2 | | |
| | (17d) | | |
| |----------+-------------+--|
| | 12.2 | | |
| | (19b) | | |
| |----------+-------------+--|
| | 12.2 | | |
| | (21a) | | |
| |----------+-------------+--|
| | | 12.2(23) | |
|-----------------+------------------------+--|
| | 12.2(2)B through 12.2 | |
| | (4)B7, Migrate to 12.3 | |
| | or later | |
|12.2B |------------------------+--|
| | 12.2(4)B8 and forward, | |
| | Migrate to 12.3(4)T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2BC | 12.2(15) | | |
| | BC2 | | |
|-----------------+------------------------+--|
| 12.2BW | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2BX | Migrate to 12.3(7)XI1 | |
| | or later | |
|-----------------+------------------------+--|
| 12.2BY | Migrate to 12.3(4)T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2BZ | Migrate to 12.3(7)XI1 | |
| | or later | |
|-----------------+------------------------+--|
| 12.2CX | Migrate to 12.2(15)BC2 | |
|-----------------+------------------------+--|
| 12.2CY | Migrate to 12.2(15)BC2 | |
|-----------------+------------------------+--|
| 12.2CZ | 12.2(15)CZ | |
|-----------------+------------------------+--|
| 12.2DA | 12.2(12) | | |
| | DA6 | | |
|-----------------+------------------------+--|
| 12.2DD | Migrate to 12.3(4)T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2DX | Migrate to 12.3(4)T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2EW | | 12.2(18)EW | |
|-----------------+----------+-------------+--|
| 12.2EWA | | 12.2(20)EWA | |
|-----------------+----------+-------------+--|
| 12.2JA | | 12.2(15)JA | |
|-----------------+----------+-------------+--|
| 12.2JK | | 12.2(15)JK | |
|-----------------+------------------------+--|
| 12.2MB | Migrate to 12.2(19)SW | |
|-----------------+------------------------+--|
| 12.2MC | Migrate to 12.3(11)T | |
|-----------------+------------------------+--|
| 12.2MX | Migrate to 12.3(8)T or | |
| | later | |
|-----------------+------------------------+--|
| | 12.2(14) | | |
| 12.2S | S10 | | |
| |----------+-------------+--|
| | | 12.2(18)S | |
|-----------------+----------+-------------+--|
| 12.2SU | | 12.2(14)SU | |
|-----------------+----------+-------------+--|
| 12.2SW | | 12.2(19)SW | |
|-----------------+------------------------+--|
| 12.2SX | Migrate to 12.2(17d) | |
| | SXB or later | |
|-----------------+------------------------+--|
| 12.2SXA | Migrate to 12.2(17d) | |
| | SXB or later | |
|-----------------+------------------------+--|
| 12.2SXB | | 12.2(17d) | |
| | | SXB | |
|-----------------+----------+-------------+--|
| 12.2SXD | | 12.2(18)SXD | |
|-----------------+------------------------+--|
| 12.2SY | Migrate to 12.2(17d) | |
| | SXB or later | |
|-----------------+------------------------+--|
| 12.2SZ | Migrate to 12.2(20)S4 | |
|-----------------+------------------------+--|
| 12.2T | 12.2(13) | | |
| | T14 | | |
|-----------------+------------------------+--|
| 12.2XA | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2XB | 12.2(2) | | |
| | XB18 | | |
|-----------------+------------------------+--|
| 12.2XC | Migrate to 12.3T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2XD | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2XE | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2XF | Migrate to 12.2(15)BC2 | |
|-----------------+------------------------+--|
| 12.2XG | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2XH | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2XI | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2XJ | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2XK | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2XL | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2XM | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2XN | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2XQ | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2XR | | 12.2(15)XR | |
|-----------------+------------------------+--|
| 12.2XS | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2XT | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2XU | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2XV | No plan. | |
|-----------------+------------------------+--|
| 12.2XW | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2XZ | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2YA | 12.2(4) | | |
| | YA8 | | |
|-----------------+------------------------+--|
| 12.2YB | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2YC | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2YD | Migrate to 12.3(8)T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2YE | Migrate to 12.2(18)S | |
| | or later | |
|-----------------+------------------------+--|
| 12.2YF | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2YG | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2YH | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2YJ | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2YL | Migrate to 12.3T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2YM | Migrate to 12.3T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2YN | Migrate to 12.3T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2YO | Migrate to 12.2(17d) | |
| | SXB or later | |
|-----------------+------------------------+--|
| 12.2YQ | Migrate to 12.3(4)T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2YR | Migrate to 12.3(4)T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2YS | Migrate to 12.3T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2YU | Migrate to 12.3(2)T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2YV | Migrate to 12.3(4)T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2YW | Migrate to 12.3(2)T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2YX | Migrate to 12.2(14)SU | |
|-----------------+------------------------+--|
| 12.2YZ | Migrate to 12.2(20)S4 | |
|-----------------+------------------------+--|
| 12.2ZB | Migrate to 12.3T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2ZC | Migrate to 12.3T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2ZD | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2ZE | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2ZF | Migrate to 12.3(4)T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2ZG | Migrate to 12.3(4)T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2ZH | Migrate to 12.3(4)T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2ZI | Migrate to 12.2(18)S | |
| | or later | |
|-----------------+------------------------+--|
| 12.2ZJ | Migrate to 12.3T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2ZL | Migrate to 12.3(7)T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2ZN | Migrate to 12.3T or | |
| | later | |
|-----------------+------------------------+--|
| 12.2ZO | Migrate to 12.3 or | |
| | later | |
|-----------------+------------------------+--|
| 12.2ZP | No plan. | |
|-----------------+------------------------+--|
| Affected | | | |
| 12.3-Based | Rebuild | Maintenance | |
| Release | | | |
|-----------------+----------+-------------+--|
| | 12.3(3f) | | |
|12.3 |----------+-------------+--|
| | | 12.3(5) | |
|-----------------+----------+-------------+--|
| 12.3B | | 12.3(5a)B4 | |
|-----------------+----------+-------------+--|
| 12.3BC | | 12.3(9a)BC | |
|-----------------+------------------------+--|
| 12.3BW | Migrate to 12.3(5a)B | |
| | or later | |
|-----------------+------------------------+--|
| | 12.3(2) | | |
| | T5 | | |
| |----------+-------------+--|
| 12.3T | 12.3(4) | | |
| | T7 | | |
| |----------+-------------+--|
| | | 12.3(7)T | |
|-----------------+------------------------+--|
| 12.3XA | Migrate to 12.3(7)T or | |
| | later | |
|-----------------+------------------------+--|
| 12.3XB | Migrate to 12.3(8)T or | |
| | later | |
|-----------------+------------------------+--|
| | Migrate to 12.3(2)XC3 | |
| 12.3XC | - Availability date | |
| | TBD | |
|-----------------+------------------------+--|
| 12.3XD | 12.3(4)XD | |
|-----------------+------------------------+--|
| 12.3XE | 12.3(2)XE1 | |
|-----------------+------------------------+--|
| 12.3XF | 12.3(2)XF | |
|-----------------+------------------------+--|
| 12.3XG | 12.3(4) | | |
| | XG1 | | |
|-----------------+------------------------+--|
| 12.3XH | 12.3(4)XH | |
|-----------------+------------------------+--|
| 12.3XI | 12.3(7)XI | |
|-----------------+------------------------+--|
| 12.3XJ | 12.3(7)XJ | |
|-----------------+------------------------+--|
| 12.3XK | 12.3(4) | | |
| | XK1 | | |
|-----------------+------------------------+--|
| 12.3XL | 12.3(7)XL | |
|-----------------+------------------------+--|
| 12.3XM | 12.3(7)XM | |
|-----------------+------------------------+--|
| 12.3XN | 12.3(4)XN | |
|-----------------+------------------------+--|
| 12.3XQ | 12.3(4)XQ | |
|-----------------+------------------------+--|
| 12.3XR | 12.3(7)XR | |
|-----------------+------------------------+--|
| 12.3XS | 12.3(7)XS | |
|-----------------+------------------------+--|
| 12.3XT | 12.3(2)XT | |
|-----------------+------------------------+--|
| 12.3XU | 12.3(8)XU | |
|-----------------+------------------------+--|
| 12.3XW | 12.3(8)XW | |
|-----------------+------------------------+--|
| 12.3XX | 12.3(8)XX | |
|-----------------+------------------------+--|
| 12.3XY | 12.3(8)XY | |
|-----------------+------------------------+--|
| 12.3YA | 12.3(8)YA | |
|-----------------+------------------------+--|
| 12.3YD | 12.3(8)YD | |
|-----------------+------------------------+--|
| 12.3YE | 12.3(4)YE | |
|-----------------+------------------------+--|
| 12.3YF | 12.3(11)YF | |
|-----------------+------------------------+--|
| 12.3YG | 12.3(8)YG | |
|-----------------+------------------------+--|
| 12.3YH | 12.3(8)YH | |
+---------------------------------------------+
When considering software upgrades, please also consult
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
and any subsequent advisories to determine exposure and a complete upgrade
solution.
In all cases, customers should exercise caution to be certain the devices to be
upgraded contain sufficient memory and that current hardware and software
configurations will continue to be supported properly by the new release. If
the information is not clear, contact the Cisco Technical Assistance Center
(TAC) for assistance.
Obtaining Fixed Software
========================
Customers with Service Contracts
Customers with contracts should obtain upgraded software through their regular
update channels. For most customers, this means that upgrades should be
obtained through the Software Center on Cisco's worldwide website at
http://www.cisco.com.
Customers using Third-party Support Organizations
Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with the upgrade, which should be free of
charge.
Customers without Service Contracts
Customers who purchase direct from Cisco but who do not hold a Cisco service
contract and customers who purchase through third-party vendors but are
unsuccessful at obtaining fixed software through their point of sale should get
their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC
contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades for
non-contract customers must be requested through the TAC.
Please do not contact either "psirt(a)cisco.com" or "security-alert(a)cisco.com"
for software upgrades.
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional
TAC contact information, including special localized telephone numbers and
instructions and e-mail addresses for use in various languages.
Customers may only install and expect support for the feature sets they have
purchased. By installing, downloading, accessing or otherwise using such
software upgrades, customers agree to be bound by the terms of Cisco's software
license terms found at http://www.cisco.com/public/sw-license-agreement.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Workarounds
===========
The effectiveness of any workaround is dependent on specific customer
situations such as product mix, network topology, traffic behavior, and
organizational mission. Due to the variety of affected products and releases,
customers should consult with their service provider or support organization to
ensure any applied workaround is the most appropriate for use in the intended
network before it is deployed.
Warning: Using this workaround may affect the operation of your network and
might cause problems. Therefore it is strongly recommended that you do a code
upgrade if you are affected. It is not recommended that you use the workaround
as a long term solution.
Enabling MPLS Traffic Engineering (MPLS TE) globally can be used as a
workaround to mitigate this vulnerability. Since MPLS requires Cisco Express
Forwarding (CEF) in order to work, CEF needs to be enabled first in order to
enable MPLS TE.
CEF and MPLS TE can be enabled by the following commands.
Router(config)# ip cef
Router(config)# mpls traffic-eng tunnels
Having MPLS TE enabled will make the router immune to the attacks coming from
any interface.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious use of
the vulnerability described in this advisory.
Status of This Notice: FINAL
============================
THIS ADVISORY IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF
THE INFORMATION ON THE ADVISORY OR MATERIALS LINKED FROM THE ADVISORY IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS NOTICE AT ANY
TIME.
A stand-alone copy or paraphrase of the text of this security advisory that
omits the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml.
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail
and Usenet news recipients.
* cust-security-announce(a)cisco.com
* first-teams(a)first.org (includes CERT/CC)
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.netsys.com
* comp.dcom.sys.cisco(a)newsgate.cisco.com
* Various internal Cisco mailing lists
Future updates of this advisory, if any, will be placed on Cisco's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.
Revision History
================
+---------------------------------------------+
| Revision | 2005-January-26 | Initial public |
| 1.0 | | release. |
+---------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco products,
obtaining assistance with security incidents, and registering to receive
security information from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…
. This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFB97UdezGozzK2tZARAnvpAJ97oXI2aUhYUDe5HIFSa5N/wHJrmQCg7rhz
BS4EvADfUI5e0X6zvvleZ60=
=wmKc
-----END PGP SIGNATURE-----
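The MPLS advisory above gives three things an operator has to check by hand on each router: whether the running image is in an affected release train, which interfaces lack mpls ip / tag-switching ip (and are therefore exposed), and whether mpls traffic-eng tunnels is configured globally (which makes the box immune). The following script is an added example, not part of the Cisco advisory and not Cisco tooling. It parses show version and show running-config text and applies exactly those rules; the sample outputs are constructed, the hostname and addresses are invented, and the release_in_scope() triage follows only the Summary's train list (the fix table in the advisory remains the authoritative per-train answer, and feature set and product model still need to be checked separately).

```python
import re

# --- constructed sample device output (not captured from a real router) ---

SHOW_VERSION = (
    "Cisco Internetwork Operating System Software\n"
    "IOS (tm) C2600 Software (C2600-JS-M), Version 12.3(4)T7, RELEASE SOFTWARE (fc1)\n"
)

RUNNING_CONFIG = """\
version 12.3
hostname edge1
!
ip cef
!
interface Ethernet0/0
 ip address 192.0.2.1 255.255.255.0
 mpls ip
!
interface Ethernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface Serial1/0
 ip address 203.0.113.1 255.255.255.252
 tag-switching ip
!
end
"""

# "Version 12.3(4)T7" -> major "12.3", train letters "T" (rebuild digits ignored)
RELEASE_RE = re.compile(r"Version (\d+\.\d+)\(([^)]+)\)([A-Z]*)")


def parse_ios_release(show_version):
    """Return (major, train) from 'show version' output, e.g. ('12.3', 'T')."""
    m = RELEASE_RE.search(show_version)
    if not m:
        raise ValueError("no IOS release string found in show version output")
    return m.group(1), m.group(3)


def release_in_scope(major, train):
    """Coarse triage from the advisory Summary: only trains based on 12.1T, 12.2,
    12.2T, 12.3 and 12.3T are affected; 12.1 mainline, 12.1E and everything
    before 12.1 are not. The advisory's fix table is authoritative per train."""
    ver = tuple(int(x) for x in major.split("."))
    if ver < (12, 1):
        return False
    if ver == (12, 1) and train in ("", "E"):
        return False
    return ver in ((12, 1), (12, 2), (12, 3))


def parse_running_config(cfg):
    """Return (te_global, {interface: mpls_ip_enabled}) from 'show running-config'.
    Only a top-level 'mpls traffic-eng tunnels' counts as the global TE setting."""
    te_global = False
    interfaces = {}
    current = None
    for line in cfg.splitlines():
        if not line.startswith(" "):            # global-level command or '!'
            current = None
            if line.startswith("interface "):
                current = line.split(None, 1)[1].strip()
                interfaces[current] = False
            elif line.strip() == "mpls traffic-eng tunnels":
                te_global = True
        elif current is not None:
            if line.strip() in ("mpls ip", "tag-switching ip"):
                interfaces[current] = True      # MPLS for IP on this interface
    return te_global, interfaces


def assess(show_version, cfg):
    """Combine the three checks the advisory describes into one verdict."""
    major, train = parse_ios_release(show_version)
    te_global, interfaces = parse_running_config(cfg)
    exposed_ifaces = sorted(i for i, on in interfaces.items() if not on)
    in_scope = release_in_scope(major, train)
    return {
        "major": major,
        "train": train,
        "in_scope": in_scope,
        "mpls_te_global": te_global,
        "exposed_interfaces": exposed_ifaces,
        # attack surface only if the train is affected, TE is not on globally,
        # and at least one interface lacks mpls ip / tag-switching ip
        "exposed": in_scope and not te_global and bool(exposed_ifaces),
    }


def workaround_commands(cfg):
    """Global config lines from the advisory's workaround still missing in cfg."""
    te_global, _ = parse_running_config(cfg)
    top_level = {l.strip() for l in cfg.splitlines() if not l.startswith(" ")}
    cmds = []
    if "ip cef" not in top_level:
        cmds.append("ip cef")                   # MPLS TE requires CEF
    if not te_global:
        cmds.append("mpls traffic-eng tunnels")
    return cmds


if __name__ == "__main__":
    for key, value in assess(SHOW_VERSION, RUNNING_CONFIG).items():
        print(f"{key}: {value}")
    print("workaround:", workaround_commands(RUNNING_CONFIG))
```

On the sample configuration the script reports Ethernet0/1 as exposed (no mpls ip or tag-switching ip) and proposes only mpls traffic-eng tunnels as the missing workaround line, since ip cef is already present. Re-running it on a configuration that has the global TE command returns exposed False, which matches the advisory's statement that TE makes the router immune from any interface.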
Cisco Security Advisory: Cisco IOS Misformed BGP Packet Causes Reload
by Cisco Systems Product Security Incident Response Team 26 Jan '05
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Misformed BGP Packet Causes Reload
Revision 1.0
For Public Release 2005 January 26 1600 UTC (GMT)
- -----------------------------------------------------------------------
Contents
========
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures
- -----------------------------------------------------------------------
Summary
=======
A Cisco device running IOS® and enabled for the Border Gateway Protocol
(BGP) is vulnerable to a Denial of Service (DoS) attack from a
malformed BGP packet. Only devices with the command bgp
log-neighbor-changes configured are vulnerable. The BGP protocol is not
enabled by default, and must be configured in order to accept traffic
from an explicitly defined peer. Unless the malicious traffic appears
to be sourced from a configured, trusted peer, it would be difficult to
inject a malformed packet.
Cisco has made free software available to address this problem.
This issue is tracked by CERT/CC VU#689326.
This advisory will be posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml.
Affected Products
=================
Vulnerable Products
+------------------
This vulnerability is present in any unfixed version of Cisco IOS, from
the beginning of support for the BGP protocol, including versions 9.x,
10.x, 11.x and 12.x. This issue affects all Cisco devices configured
for BGP routing and running the bgp log-neighbor-changes command, which
is on by default starting with releases 12.0(22)S, 12.0(11)ST, 12.1(10)
E, 12.1(10) and later software.
A router which is running the BGP process will have both a line in the
configuration defining the AS number and the command bgp
log-neighbor-changes, which can be seen by issuing the command show
running-config:
router bgp <AS number>
 bgp log-neighbor-changes
To determine the software running on a Cisco product, log in to the
device and issue the show version command to display the system banner.
Cisco IOS software will identify itself as "Internetwork Operating
System Software" or simply "IOS®." On the next line of output, the
image name will be displayed between parentheses, followed by "Version"
and the IOS release name. Other Cisco devices will not have the show
version command or will give different output.
The following example identifies a Cisco product running IOS release
12.0(3) with an installed image name of C2500-IS-L:
Cisco Internetwork Operating System Software IOS (TM)
2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE
The release train label is "12.0."
The next example shows a product running IOS release 12.0(2a)T1 with an
image name of C2600-JS-MZ:
Cisco Internetwork Operating System Software IOS (tm)
C2600 Software (C2600-JS-MZ), Version 12.0(2a)T1, RELEASE SOFTWARE (fc1)
Additional information about Cisco IOS release naming can be found at:
http://www.cisco.com/warp/public/620/1.html.
Products Confirmed Not Vulnerable
+--------------------------------
Products confirmed not to be vulnerable include devices that do not run
Cisco IOS, such as the Cisco Guard, products that cannot participate in
BGP or products that cannot be configured for BGP. No other Cisco
products are currently known to be affected by this vulnerability.
Details
=======
The Border Gateway Protocol (BGP) is a routing protocol defined by RFC
1771, and designed to manage IP routing in large networks. An affected
Cisco device running a vulnerable version of Cisco IOS software with
the BGP protocol enabled will reload if a malformed BGP packet is
already queued on the interface when a BGP neighbor change is logged.
The device is not vulnerable unless the command 'bgp log-neighbor-changes'
is configured. Malformed packets may not come from malicious sources; a
valid peering device such as another BGP speaking router which produces
the specific malformed packet in error may trigger this behavior.
BGP runs over the Transmission Control Protocol (TCP), a reliable
transport protocol which requires a valid three way handshake before
any further messages will be accepted. The Cisco IOS implementation of
BGP requires the explicit definition of a neighbor before a connection
can be established, and traffic must appear to come from that neighbor.
These implementation details make it very difficult to maliciously send
a BGP packet to a Cisco IOS device from an unauthorized source.
This bug may also be triggered by other means which are not considered
remotely exploitable. The use of the commands 'show ip bgp neighbors'
or 'debug ip bgp <neighbor> updates' can cause a router to reload if a
router has previously queued a malformed packet. If there are no queued
malformed packets, issuing these commands will have no harmful side
effects.
A Cisco device receiving an invalid BGP packet will reset and may take
several minutes to become fully functional. This vulnerability may be
exploited repeatedly resulting in an extended DoS attack. This issue is
documented in bug ID CSCee67450.
Impact
======
Successful exploitation of this vulnerability results in a reload of
the device. Repeated exploitation could result in a sustained DoS
attack.
Software Versions and Fixes
===========================
When considering software upgrades, please also consult
http://www.cisco.com/en/US/products/products_security_advisories_listing.ht…
and any subsequent advisories to determine exposure and a complete
upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") for assistance.
+----------------------------------------+
| Major | Availability of Repaired |
| Release | Releases* |
|------------+---------------------------|
| Affected | | Maintenance |
| 12.0-Based | Rebuild | Release |
| Release | | |
|------------+-------------+-------------|
| 12.0 | 12.0(28b) | |
|------------+-------------+-------------|
| 12.0DA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.0DB | 12.3(4)T11 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.0DC | 12.3(4)T11 | |
| | or later | |
|------------+-------------+-------------|
| | 12.0(26)S5 | |
| |-------------+-------------|
| | 12.0(27)S4 | |
|12.0S |-------------+-------------|
| | 12.0(28)S1 | |
| |-------------+-------------|
| | | 12.0(29)S |
|------------+-------------+-------------|
| 12.0SC | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.0SP | 12.0S or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.0ST | 12.0(26)S5 | |
| | or later | |
|------------+-------------+-------------|
| 12.0SX | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.0SY | 12.0(26)S5 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.0SZ | 12.0(26)S5 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.0T | 12.1 or | |
| | later | |
|------------+-------------+-------------|
| | | 12.0(28)W5 |
| 12.0W5 | | (31) |
| | | |
|------------+-------------+-------------|
| 12.0WC | Not Vulnerable, no |
| | support for BGP |
|------------+-------------+-------------|
| 12.0WT | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.0WX | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.0XA | Migrate to | |
| | 12.1 latest | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.0XB | 12.1 or | |
| | later | |
|------------+-------------+-------------|
| 12.0XC | Migrate to | |
| | 12.1 latest | |
|------------+-------------+-------------|
| 12.0XD | Migrate to | |
| | 12.1 latest | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.0XE | 12.1E | |
| | latest | |
|------------+-------------+-------------|
| 12.0XF | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.0XG | Migrate to | |
| | 12.1 latest | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.0XH | 12.1 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.0XI | 12.1 or | |
| | later | |
|------------+-------------+-------------|
| 12.0XJ | Migrate to | |
| | 12.1 latest | |
|------------+-------------+-------------|
| 12.0XK | Migrate to | |
| | 12.2 latest | |
|------------+-------------+-------------|
| 12.0XL | Migrate to | |
| | 12.2 latest | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.0XM | 12.1 or | |
| | later | |
|------------+-------------+-------------|
| 12.0XN | Migrate to | |
| | 12.1 latest | |
|------------+-------------+-------------|
| 12.0XP | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.0XQ | 12.1 or | |
| | later | |
|------------+-------------+-------------|
| 12.0XR | Migrate to | |
| | 12.2 latest | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.0XS | 12.1E | |
| | latest | |
|------------+-------------+-------------|
| 12.0XT | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.0XU | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.0XV | 12.1 or | |
| | later | |
|------------+-------------+-------------|
| Affected | | Maintenance |
| 12.1-Based | Rebuild | Release |
| Release | | |
|------------+-------------+-------------|
| 12.1 | | 12.1(26) |
|------------+-------------+-------------|
| 12.1AA | Migrate to | |
| | 12.2 latest | |
|------------+-------------+-------------|
| 12.1AX | 12.1(14)AX3 | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1AY | 12.1(22)EA2 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1AZ | 12.1(22)EA2 | |
| | or later | |
|------------+-------------+-------------|
| 12.1DA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1DB | 12.3(4)T11 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1DC | 12.3(4)T11 | |
| | or later | |
|------------+-------------+-------------|
| | 12.1(22)E3 | |
| |-------------+-------------|
| 12.1E | 12.1(23)E2 | |
| |-------------+-------------|
| | | 12.1(26)E |
|------------+-------------+-------------|
| 12.1EA | 12.1(22)EA2 | |
|------------+-------------+-------------|
| 12.1EC | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.1EO | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1EV | 12.2S | |
| | latest | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1EW | 12.2(18)EW2 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1EX | 12.1E | |
| | latest | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1EY | 12.1E | |
| | latest | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1T | 12.2 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1XA | 12.2 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1XB | 12.2 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1XC | 12.2 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1XD | 12.2 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1XE | 12.1E | |
| | latest | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1XF | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1XG | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1XH | 12.2 or | |
| | later | |
|------------+-------------+-------------|
| 12.1XI | Migrate to | |
| | 12.2 latest | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1XJ | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1XL | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1XM | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1XP | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1XQ | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1XR | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1XT | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1XU | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| 12.1XV | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1YA | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1YB | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1YC | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1YD | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1YE | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1YF | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1YH | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1YI | 12.2(2)YC | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.1YJ | 12.1(22)EA2 | |
| | or later | |
|------------+-------------+-------------|
| Affected | Rebuild | Maintenance |
| 12.2-Based | | Release |
|------------+-------------+-------------|
| 12.2 | | 12.2(27) |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2B | 12.3(4)T11 | |
| | or later | |
|------------+-------------+-------------|
| 12.2BC | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2BW | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2BX | 12.3(7)XI3 | |
| | (available | |
| | 2/15/05) | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2BY | 12.3(4)T11 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2BZ | 12.3(7)XI3 | |
| | (available | |
| | 2/15/05) | |
|------------+-------------+-------------|
| 12.2CZ | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2DA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2DD | 12.3(4)T11 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2DX | 12.3(4)T11 | |
| | or later | |
|------------+-------------+-------------|
| | 12.2(18)EW2 | |
|12.2EW |-------------+-------------|
| | | 12.2(25)EW |
|------------+-------------+-------------|
| 12.2JK | 12.2(15)JK2 | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2MB | 12.2(25)SW | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2MC | 12.3(11)T | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2MX | 12.3(8)T5 | |
| | or later | |
|------------+-------------+-------------|
| 12.2S | | 12.2(25)S |
|------------+-------------+-------------|
| 12.2SE | 12.2(20)SE3 | |
|------------+-------------+-------------|
| 12.2SU | 12.2(14)SU2 | |
|------------+-------------+-------------|
| 12.2SW | Migrate to | |
| | 12.2(25)SW | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2SX | 12.2(17d) | |
| | SXB5 | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2SXA | 12.2(17d) | |
| | SXB5 | |
|------------+-------------+-------------|
| 12.2SXB | 12.2(17d) | |
| | SXB5 | |
|------------+-------------+-------------|
| 12.2SXD | 12.2(18) | |
| | SXD2 | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2SY | 12.2(17d) | |
| | SXB5 | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2SZ | 12.2(25)S | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2T | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XA | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XB | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XC | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XD | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XE | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| 12.2XF | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XG | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XH | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XI | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XJ | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XK | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XL | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XM | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XN | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XQ | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XS | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XT | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XU | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XW | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2XZ | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| 12.2YA | 12.2(4)YA8 | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YB | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YC | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YE | 12.2S or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YF | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YG | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YH | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YJ | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YK | 12.3T or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YL | 12.3T or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YM | 12.3T or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YN | 12.3T or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YO | 12.2(17d) | |
| | SXB5 | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YP | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YQ | 12.3(4)T11 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YR | 12.3(4)T11 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YS | 12.3T or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YT | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YU | 12.3T or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YV | 12.3(4)T11 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YW | 12.3(4)T11 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YX | 12.2(14)SU2 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YY | 12.3T or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2YZ | 12.2(25)S | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2ZA | 12.2(25)S | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2ZB | 12.3T or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2ZC | 12.3T or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2ZD | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2ZE | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2ZF | 12.3(4)T11 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2ZG | 12.3(4)T11 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2ZH | 12.3(4)T11 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2ZI | 12.2(25)S | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2ZJ | 12.3T or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2ZK | 12.3T or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2ZL | 12.3(7)T7 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2ZN | 12.3T or | |
| | later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.2ZO | 12.3 or | |
| | later | |
|------------+-------------+-------------|
| 12.2ZP | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| Affected | Rebuild | Maintenance |
| 12.3-Based | | Release |
|------------+-------------+-------------|
| | 12.3(9c) | |
| |-------------+-------------|
| 12.3 | 12.3(10a) | |
| |-------------+-------------|
| | | 12.3(12) |
|------------+-------------+-------------|
| 12.3B | 12.3(5a)B3 | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.3BW | 12.3(7)T7 | |
| | or later | |
|------------+-------------+-------------|
| | 12.3(4)T11 | |
| |-------------+-------------|
| | 12.3(7)T7 | |
|12.3T |-------------+-------------|
| | 12.3(8)T5 | |
| |-------------+-------------|
| | | 12.3(11)T |
|------------+-------------+-------------|
| | Migrate to | |
| 12.3XA | 12.3(7)T7 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.3XB | 12.3(8)T5 | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.3XC | 12.3(8)T5 | |
| | or later | |
|------------+-------------+-------------|
| 12.3XD | 12.3(4)XD4 | |
|------------+-------------+-------------|
| 12.3XE | 12.3(2)XE1 | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.3XF | 12.3(11)T | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.3XG | 12.3(11)T | |
| | or later | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.3XH | 12.3(11)T | |
| | or later | |
|------------+-------------+-------------|
| | 12.3(7)XI3 | |
| 12.3XI | - Available | |
| | 2/15/05 | |
|------------+-------------+-------------|
| 12.3XJ | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.3XK | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.3XL | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.3XN | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | 12.3(4)XQ1 | |
| | Release | |
| 12.3XQ | date not | |
| | yet | |
| | determined | |
|------------+-------------+-------------|
| 12.3XR | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.3XS | 12.3(7)XS2 | |
|------------+-------------+-------------|
| 12.3XU | 12.3(8)XU4 | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.3XV | 12.3(11)T | |
| | or later | |
|------------+-------------+-------------|
| 12.3XX | 12.3(8)XX1 | |
|------------+-------------+-------------|
| 12.3YA | 12.3(8)YA1 | |
|------------+-------------+-------------|
| 12.3YC | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.3YD | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Migrate to | |
| 12.3YE | 12.3(4)T11 | |
| | or later | |
|------------+-------------+-------------|
| 12.3YF | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.3YH | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.3YJ | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.3YL | Vulnerable; | |
| | contact TAC | |
+----------------------------------------+
Obtaining Fixed Software
========================
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com/public/sw-center/sw-ios.shtml.
Customers using Third-party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for assistance with the upgrade,
which should be free of charge.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Please have your product serial number available and give the URL of
this notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the TAC.
Please do not contact either "psirt(a)cisco.com" or
"security-alert(a)cisco.com" for software upgrades.
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html, or as otherwise
set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Workarounds
===========
The effectiveness of any workaround is dependent on specific customer
situations such as product mix, network topology, traffic behavior, and
organizational mission. Due to the variety of affected products and
releases, customers should consult with their service provider or
support organization to ensure any applied workaround is the most
appropriate for use in the intended network before it is deployed.
* Remove the configuration command bgp log-neighbor-changes (that is,
enter 'no bgp log-neighbor-changes' under 'router bgp'). This feature
is used to monitor BGP peer status, and its removal may reduce network
monitoring capabilities. More information on this command is available
here:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipr…
The use of networking best practices techniques can greatly reduce the
probability of a network infrastructure attack. Best practices that may
reduce risk in this case include:
BGP MD5
+------
Under normal circumstances, due to inherent security factors in the TCP
protocol, such as sequence number checks, it is difficult, but possible,
to forge an appropriate packet to exploit this problem. Configuring
your Cisco IOS device for BGP MD5 authentication greatly increases the
work necessary to forge a valid packet from a remote peer. This will
not protect your peering session if a valid BGP peer generates an
invalid packet.
This can be configured as shown in the following example (the AS number
placeholder is required by the 'router bgp' command):
    router(config)# router bgp <AS_number>
    router(config-router)# neighbor <IP_address> password <enter_your_secret_here>
It is necessary to configure the same shared MD5 secret on both peers
and at the same time. Failure to do so will break the existing BGP
session and the new session will not get established until the exact
same secret is configured on both devices. For a detailed discussion on
how to configure BGP, refer to the following document:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configurati…
Once the secret is configured, it is prudent to change it periodically.
The exact period must fit within your company security policy but it
should not be longer than a few months. When changing the secret, again
it must be done at the same time on both devices. Failure to do so will
break your existing BGP session. The exception is if your Cisco IOS
software release contains the integrated CSCdx23494 ( registered
customers only) fix on both sides of the connection. With this fix, the
BGP session will not be terminated when the MD5 secret is changed only
on one side. The BGP updates, however, will not be processed until
either the same secret is configured on both devices or the secret is
removed from both devices.
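As an added illustration that is not part of the Cisco advisory, the
following Python models the TCP MD5 signature option (RFC 2385) that the
'neighbor ... password' command enables, and shows why a third party who
does not hold the secret cannot produce a segment the receiver will accept,
while a peer that does hold it can still send anything, including a
malformed BGP message. The addresses, ports, sequence numbers, the
KEEPALIVE payload and the secret are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
BGP_PORT = 179
MD5_OPTION_KIND = 19          # TCP option kind for the RFC 2385 signature
MD5_OPTION_LEN = 18           # kind (1) + length (1) + digest (16)
OPTIONS_LEN = 20              # signature option plus two NOP bytes of padding
FIXED_HEADER_LEN = 20

# A BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4 (constructed payload).
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def build_tcp_header(src_port, dst_port, seq, ack, window=16384):
    """Fixed 20-byte TCP header (PSH|ACK) with the checksum left at zero."""
    data_offset = (FIXED_HEADER_LEN + OPTIONS_LEN) // 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset << 4, 0x18, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, fixed_header, seg_len, payload, key):
    """RFC 2385 section 2.0: MD5 over the pseudo-header (src, dst, zero, protocol,
    segment length), the fixed header with checksum zeroed and options excluded,
    the segment data, and finally the shared key."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    header_no_csum = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]
    return hashlib.md5(pseudo + header_no_csum + payload + key).digest()


def sign_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, payload, key):
    """Sender side: fixed header + option 19 (+ NOP padding) + data."""
    header = build_tcp_header(src_port, dst_port, seq, ack)
    seg_len = FIXED_HEADER_LEN + OPTIONS_LEN + len(payload)
    digest = tcp_md5_digest(src_ip, dst_ip, header, seg_len, payload, key)
    option = struct.pack("!BB", MD5_OPTION_KIND, MD5_OPTION_LEN) + digest + b"\x01\x01"
    return header + option + payload


def parse_md5_option(options):
    """Walk the TCP option list and return the carried digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # EOL
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            break                          # truncated option
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                          # malformed length: treat as unsigned
        if kind == MD5_OPTION_KIND and length == MD5_OPTION_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: recompute the digest over what arrived and compare it in
    constant time with the digest in option 19. Any change to the addresses,
    the fixed header, the data or the key makes the check fail."""
    if len(segment) < FIXED_HEADER_LEN:
        return False
    header = segment[:FIXED_HEADER_LEN]
    data_offset = (header[12] >> 4) * 4
    if data_offset < FIXED_HEADER_LEN or data_offset > len(segment):
        return False
    carried = parse_md5_option(segment[FIXED_HEADER_LEN:data_offset])
    if carried is None:
        return False
    payload = segment[data_offset:]
    expected = tcp_md5_digest(src_ip, dst_ip, header, len(segment), payload, key)
    return hmac.compare_digest(carried, expected)


if __name__ == "__main__":
    key = b"constructed-shared-secret"   # constructed for the example
    seg = sign_segment("192.0.2.1", "192.0.2.2", 40000, BGP_PORT, 1000, 2000, BGP_KEEPALIVE, key)
    print("genuine peer   :", verify_segment("192.0.2.1", "192.0.2.2", seg, key))
    print("wrong key      :", verify_segment("192.0.2.1", "192.0.2.2", seg, b"guess"))
    print("spoofed source :", verify_segment("198.51.100.9", "192.0.2.2", seg, key))
```

Because the pseudo-header is part of the digest, a correctly guessed
port and sequence number pair does not help an attacker who spoofs the
peer's address: the key still has to be right. What the option does not
do is equally visible: a segment signed by the genuine peer verifies
whatever BGP message it carries, which is the advisory's caveat above.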
Infrastructure Access Control Lists (iACLs)
+------------------------------------------
Although it is often difficult to block traffic transiting your
network, it is possible to identify traffic that should never be
allowed to target your infrastructure devices and block that traffic at
the border of your network. Infrastructure ACLs are considered a
network security best practice and should be considered as a long-term
addition to good network security as well as providing some added
protection for this specific vulnerability. The white paper entitled
"Protecting Your Core: Infrastructure Protection Access Control Lists"
presents guidelines and recommended deployment techniques for
infrastructure protection ACLs:
http://www.cisco.com/warp/public/707/iacl.html
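An added example, not taken from the white paper or from Cisco, of the
rule ordering an infrastructure ACL depends on. The Python below models
first-match evaluation of a three-entry inbound border ACL and renders it
as the equivalent IOS numbered extended access-list lines. The
192.0.2.0/24 infrastructure block, the 198.51.100.1 neighbor and the
sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
INFRA = ipaddress.ip_network("192.0.2.0/24")       # constructed: router loopbacks and links
PEER = ipaddress.ip_network("198.51.100.1/32")     # constructed: the only configured eBGP neighbor


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


# Applied inbound on the border interface. Order matters: the permit for the
# real neighbor must precede the blanket deny, and the blanket deny must
# precede the transit permit.
IACL: List[Rule] = [
    Rule("permit", "tcp", PEER, INFRA, 179),   # BGP from the configured peer only
    Rule("deny", "ip", ANY, INFRA),            # nothing else may target infrastructure
    Rule("permit", "ip", ANY, ANY),            # transit to customer space is untouched
]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First matching entry wins; returns (action, 1-based entry), or
    ("deny", 0) for the implicit deny at the end of every IOS ACL."""
    for idx, rule in enumerate(acl, 1):
        if matches(rule, pkt):
            return rule.action, idx
    return "deny", 0


def _ios_addr(net: ipaddress.IPv4Network) -> str:
    """IOS extended-ACL address syntax: 'any', 'host A.B.C.D', or address + wildcard."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render_ios(acl: List[Rule], number: int = 101) -> List[str]:
    """Emit the equivalent numbered extended access-list lines."""
    lines = []
    for rule in acl:
        line = (f"access-list {number} {rule.action} {rule.proto} "
                f"{_ios_addr(rule.src)} {_ios_addr(rule.dst)}")
        if rule.dport is not None:
            line += f" eq {rule.dport}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    samples = [
        Packet("tcp", "198.51.100.1", "192.0.2.1", 179),       # real neighbor
        Packet("tcp", "203.0.113.7", "192.0.2.1", 179),        # forged BGP from outside
        Packet("tcp", "203.0.113.7", "192.0.2.1", 22),         # anything else aimed at the router
        Packet("tcp", "203.0.113.7", "203.0.113.200", 443),    # transit traffic
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(IACL, pkt))
    # Deny-first ordering silently drops the legitimate peering session too.
    reordered = [IACL[1], IACL[0], IACL[2]]
    print("deny first, real neighbor ->", evaluate(reordered, samples[0]))
    print("\n".join(render_ios(IACL)))
```

A production iACL needs further entries for the other protocols and
management sources your routers must accept (these are assumptions
about your network, not part of this model), and the blanket deny has to
sit between the peer permit and the transit permit; with the deny placed
first, evaluating the reordered list in the example drops the real
neighbor's BGP as well. Like MD5, the ACL does not help when the
malformed packet comes from the configured peer itself.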
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was discovered by Cisco during internal testing.
Status of This Notice: FINAL
============================
THIS ADVISORY IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF
MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE ADVISORY OR
MATERIALS LINKED FROM THE ADVISORY IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS NOTICE AT ANY TIME.
A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce(a)cisco.com
* first-teams(a)first.org (includes CERT/CC)
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.netsys.com
* comp.dcom.sys.cisco(a)newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2005-January-26 | public |
| | | release. |
+----------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.….
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
- -----------------------------------------------------------------------
All contents are Copyright © 1992-2005 Cisco Systems, Inc. All rights
reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2
iQA/AwUBQffNRHsxqM8ytrWQEQK1VwCggGx6J9it3NcBBhbBcI61672Rn2kAoNOz
NOf8b9Cf9/dC3zLRA0tJOCzP
=K/W6
-----END PGP SIGNATURE-----
[eweek article] Window of "anonymity" when domain exists, whois not updated yet
by Suresh Ramasubramanian 26 Jan '05
and it is being abused - well, nanog found out about this a while
back, but the popular press (read - eweek magazine) seems to have
discovered it now, or at least think they've discovered it .. their
idea of the situation is a bit skewed.
--srs
What actually happens -
http://www.mail-archive.com/nanog@merit.edu/msg28312.html
> Read NANOG archives - Verisign now allows immediate (well, within about 10
> minutes) updates of .com/.net zones (also same for .biz) while whois data is
> still updated once or twice a day. That means if spammer registers new domain
> he'll be able to use it immediately and it'll not yet show up in whois (and so
> not be immediately identifiable to spam reporting tools) - and spammers are in
> fact using this "feature" more and more!
And what eweek thinks happens - and I don't think their interpretation
is workable, but the above nanog thread should explain what they're
seeing. What's more fun is the "quotes" from some people (including
an ex chair of the ASRG) in the article ..
http://www.eweek.com/article2/0,1759,1749328,00.asp
The only worthwhile quote from there is this one from Paul Mockapetris -
> We have to figure out how to taper DNS services gracefully rather than having
> catastrophic failures," said Paul Mockapetris, the author of the first DNS
> implementation and chief scientist at Nominum Inc., based in Redwood City,
> Calif. "Mail look-up was the first application put on top of DNS after I
> designed it, and I was so excited to see that. And now, 20 years later,
> people are trying to figure out how to stop doing mail look-up on DNS. It's
> bizarre."