Security Basics mailing list archives

Re: Cisco Workaround


From: Jac <jac_des_vert () yahoo com>
Date: Thu, 24 Jul 2003 03:40:07 -0700 (PDT)

The list stated is what Cisco recommends in their
workaround for the transit ACL.

The exploit for this has already come out and they
state that you don't need any combinations, just 76
packets of one of the protocols. I gave it a quick
read through and you can find it at:

http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-07/0703.html

Take a look, it may help you refine the ACLs that you
want.

Jac





--- DOUGLAS GULLETT <dougg03 () comcast net> wrote:
I don't think you have to put all the access-list in.  I believe that
the hack requires a certain combination of packets to the four ports,
so leaving one or two of them open should still prevent the hack.  That
might be a good question for Cisco TAC...they should be willing to help
even if you "misplaced" your SmartNet contract information.  ;-)

Doug



----- Original Message -----
From: Alvaro Gordon-Escobar
<alvaroge () molecularstaging com>
Date: Wednesday, July 23, 2003 10:15 am
Subject: Cisco Workaround

Will this access list modification prevent my internal DNS server
from updates to itself from my telco's DNS server?

access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any

Thanks in advance

~alvaro Escobar
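Added example, written by the editor and not taken from any message in this thread: a small evaluator for IOS-style numbered extended ACL lines, used to show what the workaround ACL quoted above actually matches. In an IOS extended ACL the field after permit/deny is the IP protocol, either a keyword (ip, tcp, udp, icmp, ...) or a bare number 0-255; it is never a TCP/UDP port. So "deny 53 any any" matches IP protocol 53 (IANA: SWIPE), "deny 55" matches MOBILE, "deny 77" SUN-ND and "deny 103" PIM, while DNS traffic travels inside UDP (protocol 17) or TCP (protocol 6) to port 53 and falls through to the final permit. The function names, the sample packets and the restriction to "any any" source/destination fields are assumptions of this example.

```python
"""Editor-added example (not from the thread): evaluate the Cisco workaround
ACL the way IOS does, first match wins with an implicit deny at the end.
Assumption: only 'any any' source/destination fields are supported."""

# Protocol keywords IOS accepts in the protocol field, mapped to IANA numbers.
# None stands for 'ip', which matches every protocol.
PROTO_KEYWORDS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47,
                  "eigrp": 88, "ospf": 89, "pim": 103}

# IANA assignments for the four numbers in the workaround (for readable output).
IANA_NAMES = {53: "SWIPE", 55: "MOBILE", 77: "SUN-ND", 103: "PIM"}

# The workaround ACL as quoted in the thread, comment lines rejoined.
WORKAROUND_ACL = """
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
access-list 101 permit ip any any
"""


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO any any' lines into ordered rules.
    Comment lines starting with '!' and blank lines are skipped; anything the
    toy parser does not understand raises instead of silently matching."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if (len(parts) != 6 or parts[0] != "access-list"
                or parts[2] not in ("permit", "deny")
                or parts[4] != "any" or parts[5] != "any"):
            raise ValueError(f"unsupported ACL line: {line}")
        field = parts[3]
        if field in PROTO_KEYWORDS:
            proto = PROTO_KEYWORDS[field]
        elif field.isdigit() and int(field) <= 255:
            proto = int(field)      # a bare number is an IP protocol number, not a port
        else:
            raise ValueError(f"bad protocol field {field!r} in: {line}")
        rules.append({"action": parts[2], "proto": proto, "line": line})
    return rules


def evaluate(rules, proto):
    """Return (action, matched_line) for a packet carrying IP protocol `proto`.
    Entries are tried in order; a list with no matching entry denies."""
    for r in rules:
        if r["proto"] is None or r["proto"] == proto:
            return r["action"], r["line"]
    return "deny", "implicit deny at end of list"


def classify_traffic(rules):
    """Evaluate constructed sample packets and return {label: action}.
    Ports appear only in the labels: no entry in this ACL names a port,
    so only the IP protocol number decides the outcome."""
    samples = {                                   # constructed sample traffic
        "DNS query, UDP (17) to port 53": 17,
        "DNS zone transfer, TCP (6) to port 53": 6,
        "IP protocol 53 (SWIPE)": 53,
        "IP protocol 103 (PIM)": 103,
    }
    return {label: evaluate(rules, p)[0] for label, p in samples.items()}


if __name__ == "__main__":
    acl = parse_acl(WORKAROUND_ACL)
    for label, action in classify_traffic(acl).items():
        print(f"{action:6}  {label}")
```

Running it shows both DNS samples permitted by the final `permit ip any any` and the protocol 53 and 103 samples denied by the first and fourth entries. A packet with a protocol number that matches none of the entries in a list without the final permit hits the implicit deny, which is why the quoted comments insist on keeping a permit at the end.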


