CISCO ADMINISTRATORS: Operational - URGENT
Cisco will be releasing a field notice of an IOS vulnerability to *most* IOS images. Attackers need not be able to actually login to the device to cause it to reboot/crash.

Details of the notice are available @ http://www.cisco.com/warp/public/770/ioslogin-pub.shtml

Information contained is provided for your use only...I claim no responsibility for the content, just thought I would give Nanog a good heads-up.

Contributions for the Kevin CCIE fund accepted graciously :=)

Kevin Brown - Network Engineer
Huber & Associates, Inc. - Networking Technologies
kbrown@teamhuber.com
www.teamhuber.com
573.634.5000
It should be noted that there is a workaround:
From the field notice:
It is possible to work around this problem by preventing interactive access to the Cisco IOS device. If only IP-based interactive access is of concern, this can be done by using the ip access-class line configuration to apply an access list to all virtual terminals in the system. However, it is important to remember that non-IP-based means of making interactive connections to Cisco IOS devices do exist, and to eliminate those means as possible routes of attack. Interactive access can be prevented completely by applying the configuration command no exec to any asynchronous line, or the command transport input none to any virtual terminal line, that may be accessible to untrusted users.

So upgrading code on the routers is not needed if you only have telnet access and apply the appropriate ACL.

-David
-- David Brouda Verio Pennsylvania Phone: 215/387-6305 3700 Market Street, Suite 307 Fax: 215/387-6302 Philadelphia, PA 19104 mailto:dbrouda@verio.net http://pennsylvania.verio.net
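Added example (not part of the thread or of Cisco's notice): a small auditor that reads a saved IOS configuration and reports lines that do not yet carry the workaround quoted above. The sample configuration is constructed; the choice to skip the console line and to treat only aux/tty as asynchronous lines reachable by untrusted users is an assumption of this sketch.

```python
import re

# Constructed sample configuration (not from the original thread).
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.0 0.0.0.255
!
line con 0
line aux 0
 transport input all
line vty 0 4
 access-class 10 in
 login
line vty 5 15
 login
!
end
"""

def parse_line_blocks(config):
    """Return {header: [sub-commands]} for every 'line ...' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit(config):
    """List lines that still accept interactive sessions without the workaround."""
    findings = []
    for header, cmds in parse_line_blocks(config).items():
        kind = header.split()[1]
        if kind == "vty":
            # IP-based access: inbound access-class, or no inbound transport at all.
            filtered = any(re.fullmatch(r"access-class \S+ in", c) for c in cmds)
            if not (filtered or "transport input none" in cmds):
                findings.append(f"{header}: no inbound access-class, transport input not none")
        elif kind in ("aux", "tty"):
            # Asynchronous lines (assumed reachable): the notice's workaround is 'no exec'.
            if "no exec" not in cmds:
                findings.append(f"{header}: exec enabled on asynchronous line")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
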
participants (2)
- David Brouda
- kbrown@teamhuber.com