Operating System:

Published:

24 February 2003

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                  ESB-2003.0116 -- Cisco Security Notice
                 Cisco response to Cisco IOS OSPF exploit
                             24 February 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Cisco IOS 11.1 to 12.0 inclusive
Vendor:                 Cisco Systems
Impact:                 Denial of Service
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


The Cisco PSIRT just responded to a recent posting on the BUGTRAQ mailing 
list regarding CSCdp58462.  The original post may be found at

http://www.securityfocus.com/archive/1/312510/2003-02-18/2003-02-24/0

Our response is attached.

Thanks,

- - -Mike-

- - -- 
- - ----------------------------------------------------------------------------
|      ||        ||       | Mike Caudill              | mcaudill@cisco.com |
|      ||        ||       | PSIRT Incident Manager    | 919.392.2855       |
|     ||||      ||||      | DSS PGP: 0xEBBD5271       | 919.522.4931 (cell)|
| ..:||||||:..:||||||:..  | RSA PGP: 0xF482F607       ---------------------|
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt                  |
- - ----------------------------------------------------------------------------


- -----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBPla0H5PS/wbyNnWcEQIRBACePE3RVKI/I6rUcCtRs9c2NF7+BlwAoKoI
mkL4NZABwYu0P/Mh5v4Ib/s3
=nx00
- -----END PGP SIGNATURE-----


>From mcaudill@cisco.com Fri Feb 21 17:29:54 2003
>Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11])
>	by rooster.cisco.com (8.11.6+Sun/8.8.8) with ESMTP id h1LMTs023458
>	for <mcaudill@rooster.cisco.com>; Fri, 21 Feb 2003 17:29:54 -0500 (EST)
>Received: from rtp-cse-184.cisco.com (rtp-cse-184.cisco.com [64.102.51.44])
>	by sj-msg-core-1.cisco.com (8.12.2/8.12.6) with ESMTP id h1LMTpSQ002294
>	for <psirt@domestic.cisco.com>; Fri, 21 Feb 2003 14:29:51 -0800 (PST)
>Received: (from mcaudill@localhost)
>	by rtp-cse-184.cisco.com (8.11.6+Sun/8.11.6) id h1LMToD25063;
>	Fri, 21 Feb 2003 17:29:50 -0500 (EST)
>From: Mike Caudill <mcaudill@cisco.com>
>Message-Id: <200302212229.h1LMToD25063@rtp-cse-184.cisco.com>
>Subject: Re: Cisco IOS OSPF exploit
>To: fx@phenoelit.de (FX)
>Date: Fri, 21 Feb 2003 17:29:50 -0500 (EST)
>Cc: bugtraq@securityfocus.com, darklab@darklab.org,
>   mcaudill@cisco.com (Mike Caudill), gaus@cisco.com (Damir Rajnovic),
>   psirt@cisco.com
>In-Reply-To: <20030220164519.GC282@echelon.cluster.phenoelit.de> from "FX" at Feb 20, 2003 05:45:19 PM
>X-Mailer: ELM [version 2.5 PL2]
>MIME-Version: 1.0
>Content-Type: text/plain; charset=us-ascii
>Content-Transfer-Encoding: 7bit
>Status: RO

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Cisco can confirm the statement made by FX from Phenoelit in his message 
"Cisco IOS OSPF exploit" posted on 2003-Feb-20. The OSPF implementation in 
certain Cisco IOS versions is vulnerable to a denial of service if it 
receives a flood of neighbor announcements in which more than 255 hosts 
try to establish a neighbor relationship per interface.


One workaround for this issue is to configure OSPF MD5 authentication.
This may be done per interface or per area.

Another possible workaround is to apply inbound access lists to explicitly 
allow certain OSPF neighbors only:
                                                                                
access-list 100 permit ospf host a.b.c.x host 224.0.0.5                         
access-list 100 permit ospf host a.b.c.x host interface_ip                      
access-list 100 permit ospf host a.b.c.y host 224.0.0.5                         
access-list 100 permit ospf host a.b.c.y host interface_ip                      
access-list 100 permit ospf host a.b.c.z host 224.0.0.5                         
access-list 100 permit ospf host a.b.c.z host interface_ip                      
access-list 100 permit ospf any host 224.0.0.6                                  
access-list 100 deny ospf any any                                               
access-list 100 permit ip any any                                               


Cisco IOS Versions 11.1 - 12.0 are subject to this vulnerability.
This bug has been resolved.  The following versions of Cisco IOS software
are the first fixed releases, meaning that any subsequent releases also 
contain the fix:

	12.0(19)S
	12.0(19)ST

	12.1(1)
	12.1(1)DB
	12.1(1)DC
	12.1(1)T


We would like to thank FX for his continued cooperation with us in the 
spirit of responsible disclosure and working to increase awareness of 
security issues.

For information on working with the Cisco PSIRT regarding potential security
issues, please see our contact information at 

http://www.cisco.com/warp/public/707/sec_incident_response.shtml#Problems

Thank you,

- - -Mike-


> Hi there,
>
> attached you may find the exploit for the Cisco IOS bug ID CSCdp58462. The bug
> is long fixed, so if you still run OSPF on a old version of IOS, now is a good
> time to give your routers some attention.
>
> FX 
>
> -- 
>          FX           <fx@phenoelit.de>
>       Phenoelit   (http://www.phenoelit.de)
> 672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
>
> /* Cisco IOS IO memory exploit prove of concept 
>  * by FX of Phenoelit <fx@phenoelit.de>
>  * http://www.phenoelit.de
>  *
>  * For: 
>  * 	19C3 Chaos Communication Congress 2002 / Berlin
>  * 	BlackHat Briefings Seattle 2003
>  * 
>  * Cisco IOS 11.2.x to 12.0.x OSPF neighbor overflow
>  * Cisco Bug CSCdp58462 causes more than 255 OSPF neighbors to overflow a IO memory
>  * structure (small buffer header). The attached program is a PoC to exploit 
>  * this vulnerability by executing "shell code" on the router and write the 
>  * attached configuration into NVRAM to basicaly own the router. 
>  *

- - -- 
- - ----------------------------------------------------------------------------
|      ||        ||       | Mike Caudill              | mcaudill@cisco.com |
|      ||        ||       | PSIRT Incident Manager    | 919.392.2855       |
|     ||||      ||||      | DSS PGP: 0xEBBD5271       | 919.522.4931 (cell)|
| ..:||||||:..:||||||:..  | RSA PGP: 0xF482F607       ---------------------|
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt                  |
- - ----------------------------------------------------------------------------

- -----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBPlaoLYpjyUnrvVJxEQLcZgCgxAkatIdM5EjV4uMcDgJqd/aFx9EAoPbm
Sw0/fZvhc3uuv0NnuBwfSWnw
=McnI
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPlok7yh9+71yA2DNAQGuLwP/afUKYj6jZxx867xmDRbcj+qjQ4PPmYp+
pm1SxrfpQDFTdqpDNQN9Jw4GvjsQIFxsDKmzSatnOJtyGD2/yNIIREfXEDmhB4Ei
FCxIGMV/t2zjQyN1eQ6sl7sSysBaQsTIT4HBoAvsXJ0Pz9l4Mfb9uZpBNv2FyPbL
AaMMqcJPeX8=
=RdVu
-----END PGP SIGNATURE-----