Security Incidents mailing list archives

mal-formed IP packet and CVX Nortel


From: Philippe PATUREL <phpaturel () INFONIE FR>
Date: Tue, 16 Jan 2001 09:54:13 +0100

Hi Marc,

I received a copy of your email mentioning a bug in CVX code. We experience exactly the same trouble with raw IP
packets lacking layer 4 TCP and having HTTP content as IP payload. It appears as if packets used (now well known) TCP
ports 18245 and 21536, which translate into "GET HTTP ..." if converted to hex and ASCII.

Current versions:
CVX>  Vinfo
Image     Version  Bld# BldDate    Time     Machine     User      Brd  Branch
fepmd     3.6.2    3054 10/26/2000 21:36:23 BUILD03     Build     scc  p362  

We've opened a ticket at Nortel and the last release of code they provided solved some issues but not this one. As an 
ISP we also are a good customer for Nortel. I hope we can solve this issue quickly, since we have many complaints and 
notifications from web security managers.

Regards,
Philippe Paturel
Network manager at Infosources FRANCE


Approved-By: ah () SECURITYFOCUS COM
Delivered-To: incidents () lists securityfocus com
Delivered-To: INCIDENTS () SECURITYFOCUS COM
Date:         Fri, 12 Jan 2001 09:48:27 -0600
Reply-To: marc <marc () ZOUNDS NET>
Sender: Incidents Mailing List <INCIDENTS () SECURITYFOCUS COM>
From: marc <marc () ZOUNDS NET>
Subject:      Pls send captures.  Re: CVX? Re: Scans of 21536
X-To:         Mike Blomgren <mike.blomgren () ccnox com>
To: INCIDENTS () SECURITYFOCUS COM

I was contacted off-list by people also seeing similar symptoms, but
we still haven't solved the issue. However my strongest bet is that the
problem lies within the RAS box the users dial into, presumably a Nortel
CVX.

Anyone have good 'connection' with Nortel?

        I am working with my ops team to investigate this issue.  We have
good Nortel connections, as we are a big customer.  Could anyone with
packet captures or traces of this problem please send them to
me?  Especially if they involve splitrock.net.

Thanks in advance,

marc

import sigfile

Jean-Francois Zwobada
Cellule Securite - Fluxus
Phone : +33.1.70.95.10.10 - Fax : +33.1.70.95.10.00
37, rue du Colonel Pierre Avia - 75015 PARIS
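
Added example (not part of the original messages): a Python check that flags IPv4 packets marked as TCP whose payload is HTTP request text with no TCP header, and shows why "GET " decodes as source port 18245 and destination port 21536. The function names, addresses and sample packets are constructed for illustration, and matching methods other than GET is a generalization beyond the case reported in this thread.

```python
import struct

# HTTP request-line prefixes; their first four bytes get misread as TCP ports.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")

def build_ipv4(payload, proto=6, src="192.0.2.10", dst="198.51.100.20"):
    """Build a constructed IPv4 packet (checksum left at 0) for the demo."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload

def classify(packet):
    """Return (src_port, dst_port, verdict) for an IPv4 packet marked as TCP,
    or None if the packet is not IPv4/TCP or is too short to carry ports."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 4:
        return None
    l4 = packet[ihl:]
    # A sensor or firewall reads the first four payload bytes as the two ports.
    sport, dport = struct.unpack("!HH", l4[:4])
    if l4.startswith(HTTP_METHODS):
        return sport, dport, "http-as-tcp-header"
    # A real TCP header is at least 20 bytes with a data offset of >= 5 words.
    if len(l4) < 20 or (l4[12] >> 4) < 5:
        return sport, dport, "truncated-or-bad-tcp"
    return sport, dport, "plausible-tcp"

# Constructed samples: HTTP text directly after the IP header, and a normal SYN.
MALFORMED = build_ipv4(b"GET /index.html HTTP/1.0\r\n\r\n")
NORMAL = build_ipv4(struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02,
                                8192, 0, 0))

if __name__ == "__main__":
    for name, pkt in (("malformed", MALFORMED), ("normal", NORMAL)):
        print(name, classify(pkt))
```

Run over a capture, the "http-as-tcp-header" verdict separates these packets from genuine scans of port 21536 in firewall or IDS logs.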

