(Cisco Describes Workaround) Re: Cisco IOS Routers Can Be Made to Consume All Available Bandwidth By Remote Users Sending Spoofed EIGRP Announcements

SecurityTracker Alert ID: 1005842
CVE Reference: GENERIC-MAP-NOMATCH
Date: Dec 20 2002
Impact: Denial of service via network
Vendor Confirmed: Yes
Version(s): Tested on IOS 11.3, 12.0(19), 12.2
Description: A denial of service vulnerability was reported in Cisco IOS Routers. A remote user can send spoofed Cisco Enhanced IGRP (EIGRP) routing protocol data to an EIGRP-configured router to cause the router to consume network bandwidth and router CPU resources.

Phenoelit issued an advisory warning that a remote user can flood a Cisco IOS Router that is configured to use the EIGRP routing protocol with spoofed EIGRP neighbor announcements to cause a denial of service on that network segment. The router will reportedly generate an Address Resolution Protocol (ARP) packet storm as it tries to identify the Ethernet MAC address of each newly discovered (spoofed) neighbor. According to the report, this will consume all available bandwidth on the network segment and all available CPU resources on the router.

The Cisco IOS router will generate the packet storm until the EIGRP neighbor hold timer expires (a value specified by the sender of the neighbor announcement, with a maximum of more than 18 hours).

It is reported that the spoofed source IP address must be within the subnet(s) enabled via the "network" statement on the target router.

Cisco IOS versions prior to 12.0 will reportedly accept EIGRP neighbor announcements via unicast packets, allowing a remote user to initiate this exploit from a remote system via the Internet.
Impact: A remote user can cause the router to consume all available CPU resources and all available bandwidth on the network segment.
Solution: Cisco is working on a solution and has assigned Bug ID CSCdv19648 to this flaw.

The following workaround has been described:

"The workaround for this issue is to apply MD5 authentication that will permit the receipt of EIGRP packets only from authorized hosts. You can find an example of how to configure MD5 authentication for EIGRP at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt1/1ceigrp.htm#xtocid18

If you are using EIGRP in the unicast mode then you can mitigate this issue by placing an appropriate ACL which will block all EIGRP packets from illegitimate hosts. In the following example the EIGRP neighbor has the IP address 10.0.0.2 and the local router has the address 10.0.0.1.

Router#config t
Router(config)#access-list 111 permit eigrp host 10.0.0.2 host 10.0.0.1
Router(config)#access-list 111 deny eigrp any host 10.0.0.1

The previous example will permit all EIGRP packets throughout the router and into the rest of the network. If you want to block these packets as well then use the following commands instead of the previous example:

Router#config t
Router(config)#access-list 111 permit eigrp host 10.0.0.2 host 10.0.0.1
Router(config)#access-list 111 deny eigrp any any

An ACL will not be effective if you are using the default multicast mode of EIGRP neighbor discovery. However, multicast packets should not be propagated through the Internet so an attacker must be on the same local network segment as the target router in order to exploit this issue with multicast advertisements."
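A fuller version of the workaround quoted above (the same text appears again in the source message below), added here as an illustration; it is not taken from Cisco's notice or its documentation. It assumes EIGRP autonomous system 1, interface Ethernet0 facing the 10.0.0.0/24 segment and a key chain named EIGRP-KEYS, with a placeholder key string. It combines the two mitigations the notice describes, MD5 neighbor authentication and, for unicast (static neighbor) operation, the inbound ACL, and shows the extra line the ACL needs once it is actually bound to an interface.

```cisco
! Assumed example configuration, not from Cisco's notice.
! Key chain used for EIGRP MD5 authentication (key-string is a placeholder).
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-WITH-SHARED-SECRET
!
router eigrp 1
 network 10.0.0.0
 ! Static (unicast) neighbor: hellos go unicast to 10.0.0.2 instead of multicast.
 neighbor 10.0.0.2 Ethernet0
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 ! Drop EIGRP packets that do not carry a valid MD5 digest for key chain EIGRP-KEYS.
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-KEYS
 ! Bind the ACL from the notice inbound on the segment-facing interface;
 ! an unbound access-list filters nothing.
 ip access-group 111 in
!
! EIGRP is accepted only from the known peer to this router; all other EIGRP is dropped.
access-list 111 permit eigrp host 10.0.0.2 host 10.0.0.1
access-list 111 deny eigrp any any
! Required when the list is applied to an interface: an IOS ACL ends in an
! implicit "deny ip any any", so without this line every non-EIGRP packet
! entering Ethernet0 would be dropped as well.
access-list 111 permit ip any any
```

As the notice says, the ACL only helps in unicast mode; with the default multicast neighbor discovery the router must still accept hellos from any source on the segment, so MD5 authentication is the protection that applies in both modes.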
Vendor URL: www.cisco.com/
Cause: State error
Reported By: Damir Rajnovic <gaus@cisco.com>

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents
Date: Thu, 19 Dec 2002 17:51:07 +0000
From: Damir Rajnovic <gaus@cisco.com>
Subject: Re: Cisco IOS EIGRP Network DoS
We can confirm the statement made by FX from Phenoelit in his message
"Cisco IOS EIGRP Network DoS" posted on 2002-Dec-19. The EIGRP
implementation in all versions of IOS is vulnerable to a denial of
service if it receives a flood of neighbor announcements. EIGRP is
Cisco's extension of the IGP routing protocol used to propagate routing
information in internal network environments.
The workaround for this issue is to apply MD5 authentication that will
permit the receipt of EIGRP packets only from authorized hosts.
You can find an example of how to configure MD5 authentication for
EIGRP at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt1/1ceigrp.htm#xtocid18
If you are using EIGRP in the unicast mode then you can mitigate
this issue by placing appropriate ACL which will block all EIGRP
packets from illegitimate hosts. In the following example the
EIGRP neighbor has IP address of 10.0.0.2 and the local router
has address 10.0.0.1.
Router#config t
Router(config)#access-list 111 permit eigrp host 10.0.0.2 host 10.0.0.1
Router(config)#access-list 111 deny eigrp any host 10.0.0.1
The previous example will permit all EIGRP packets throughout the router
and into the rest of the network. If you want to block these packets
as well then use the following commands instead of the previous example:
Router#config t
Router(config)#access-list 111 permit eigrp host 10.0.0.2 host 10.0.0.1
Router(config)#access-list 111 deny eigrp any any
An ACL will not be effective if you are using the default multicast mode
of EIGRP neighbor discovery. However, multicast packets should not be
propagated through the Internet so an attacker must be on the same local
network segment as the target router in order to exploit this issue with
multicast advertisements.
The issue with EIGRP neighbor command FX is referring to is assigned
Cisco Bug ID CSCdv19648 and is visible to all registered users through
Cisco's Bug Toolkit at
http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl.
At the time of writing this notice Cisco PSIRT does not have a current
estimate on when the fix will be available.
Gaus
==============
Damir Rajnovic <psirt@cisco.com>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/go/psirt> Telephone: +44 7715 546 033
200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
==============
There are no insolvable problems.
The question is: can you accept the solution?