Category:  Device (Router/Bridge/Hub)  >  Cisco IOS
Vendors:  Cisco
Cisco IOS Routers Can Be Made to Consume All Available Bandwidth By Remote Users Sending Spoofed EIGRP Announcements
SecurityTracker Alert ID:  1005840
SecurityTracker URL:  http://securitytracker.com/id?1005840
CVE Reference:  CVE-2002-2208   (Links to External Site)
Updated:  Jun 8 2008
Original Entry Date:  Dec 20 2002
Impact:  Denial of service via network
Exploit Included:  Yes   Vendor Confirmed:  Yes  
Advisory:  Phenoelit Group
Version(s): Tested on IOS 11.3, 12.0(19), 12.2
Description:  A denial of service vulnerability was reported in Cisco IOS Routers. A remote user can send spoofed Cisco Enhanced IGRP (EIGRP) routing protocol data to an EIGRP-configured router to cause the router to consume network bandwidth and router CPU resources.

Phenoelit issued an advisory warning that a remote user can flood a Cisco IOS Router that is configured to use the EIGRP routing protocol with spoofed EIGRP neighbor announcements to cause denial of service on that network segment. The router will reportedly generate an Address Resolution Protocol (ARP) packet storm as it tries to identify the Ethernet MAC addresses for the newly discovered (spoofed) neighbors. According to the report, this will consume all available bandwidth on the network segment and all available CPU resources on the router.

The Cisco IOS router will generate the packet storm until the EIGRP neighbor holdtimer expires (a value specified by the sender of the neighbor announcement, with a maximum of more than 18 hours).

It is reported that the spoofed source IP address must be within the subnet(s) enabled via the "network" statement on the target router.

Cisco IOS versions prior to 12.0 will reportedly accept EIGRP neighbor announcements via unicast packets, allowing a remote user to initiate this exploit from a remote system via the Internet.

Impact:  A remote user can cause the router to consume all available CPU resources and all available bandwidth on the network segment.
Solution:  No solution was available at the time of this entry. Cisco has described a workaround [we will issue a subsequent Alert shortly containing the workaround.]
Vendor URL:  www.cisco.com/ (Links to External Site)
Cause:  State error
Reported By:  FX <fx@phenoelit.de>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 20 2002 (Cisco Describes Workaround) Re: Cisco IOS Routers Can Be Made to Consume All Available Bandwidth By Remote Users Sending Spoofed EIGRP Announcements   (Damir Rajnovic <gaus@cisco.com>)
Cisco has confirmed the flaw and has described a workaround.

Source Message Contents

Date:  Thu, 19 Dec 2002 18:06:32 +0100
From:  FX <fx@phenoelit.de>
Subject:  Cisco IOS EIGRP Network DoS
Hi there,

please find attached an advisory about an issue with the Cisco IOS Enhanced
IGRP implementation that can be used to cause a network segment wide denial of
service condition.

Regards
FX

-- 
         FX           <fx@phenoelit.de>
      Phenoelit   (http://www.phenoelit.de)
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564

[ Attachment: CiscoEIGRP.txt ]

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +++->

[ Title ]
	Cisco Systems IOS EIGRP Network Denial of Service

[ Authors ]
	FX		<fx@phenoelit.de>

	Phenoelit Group	(http://www.phenoelit.de)
	Advisory	http://www.phenoelit.de/stuff/CiscoEIGRP.txt

[ Affected Products ]
	Cisco IOS 

	Tested on:	IOS 11.3
			IOS 12.0(19)
			IOS 12.2

	Cisco Bug ID: 	<not assigned>
	CERT Vu ID:	<not assigned>

[ Vendor communication ]
	10/08/02	Initial Notification,
			gaus@cisco.com
	10/08/02
	   -
	11/14/02	Communication with gaus@cisco.com about the issue,
			fixes and timelines.
	12/18/02 	Final advisory going public as coordinated release
			*Note-Initial notification by phenoelit
			includes a cc to cert@cert.org by default

[ Overview ]
	Cisco Systems IOS is vulnerable to a denial-of-service attack using
	Cisco's proprietary routing protocol Enhanced IGRP (EIGRP). When
	flooding a Cisco router with spoofed EIGRP neighbor announcements, 
	the router will cause an Address Resolution Protocol (ARP) storm on 
	the network segment while trying to find the MAC addresses for the
	newly discovered neighbors, effectively using all available bandwidth.
 
[ Description ]
	EIGRP uses automatic discovery of neighboring routers. An EIGRP router
	announces its existence via multicast on the enabled interfaces. If
	two routers discover each other, they try to exchange information
	about the current topology in unicast. On Ethernet, both sides need 
	to obtain the MAC address of the other router.

	When generating EIGRP neighbor announcements with random source IP
	addresses and flooding a Cisco router (unicast, only possible in 11.x)
	or an entire network (multicast), all receiving Cisco routers will try
	to contact the sender(s). The source IP addresses have to be in the
	subnet(s) enabled via the "network" statement in the config of the
	victim router. 

	A bug in Cisco IOS causes the router to continuously try to obtain the
	MAC address of the sender. This process does not time out unless the
	EIGRP neighbor holdtimer expires. This value is supplied by the sender
	of the neighbor announcement and has a maximum of over 18 hours. 

	Multiple neighbor announcements with nonexistent source IP addresses
	will cause the router to use all available CPU power and bandwidth on
	the segment for ARP requests - creating a segment-wide denial of
	service condition. 
 
	The possible use of IP multicast poses a high risk for larger 
	corporate networks using EIGRP. Cisco IOS versions below 12.0 also
	accept EIGRP neighbor announcements as unicast packets, which makes
	the attack possible via the Internet.
 
[ Example ]
	None provided at this time.

[ Solution ]
	Implement EIGRP authentication using MD5 hashes - which should have
	been done in the first place. Where MD5 can not be implemented, use
	extended access lists to match expected neighbors.

	The obvious workaround of using fixed neighbor entries in the
	configuration does not work due to another bug in IOS that makes it
	ignore the command (Cisco Bug ID CSCdv19648).
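As an added example, not part of the Phenoelit advisory or of Cisco's own documentation: a Cisco IOS configuration applying the two mitigations above, MD5 neighbor authentication and an extended access list that admits EIGRP only from the expected neighbor. The AS number (100), the interface, the addresses and the key string are assumed placeholders.

```text
! Added example. Assumed: EIGRP AS 100, FastEthernet0/0 on 10.0.0.0/24,
! one expected neighbor at 10.0.0.2. All values are placeholders.
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-WITH-SHARED-SECRET
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
!
! With MD5 enabled, hellos lacking a valid digest are discarded, so a
! spoofed neighbor announcement never starts the neighbor/ARP process.
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
! Fallback where MD5 cannot be deployed: accept EIGRP (IP protocol 88)
! only from the known neighbor and drop everything else.
ip access-list extended EIGRP-NEIGHBORS
 permit eigrp host 10.0.0.2 any
 deny   eigrp any any
 permit ip any any
!
interface FastEthernet0/0
 ip access-group EIGRP-NEIGHBORS in
```

Verify with `show ip eigrp neighbors` that only the expected peer forms an adjacency; avoid adding `log` to the deny entry, since logging every dropped packet during a flood would itself load the CPU the mitigation is meant to protect.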

[ end of file ($Revision: 1.5 $) ]