Re: Cisco Vulnerability Testing Results

[Jason Frisvold <friz () corp ptd net>]

Just a quick credit email..  :)

I wanna make sure credit is given to the 2 guys who helped with this
testing..  Keith Pachulski and Chrus Kruslicky .. both from PTD..

:)

On Fri, 2003-07-18 at 11:34, Jason Frisvold wrote:
> Ok, update to my testing :
>
> On Fri, 2003-07-18 at 10:48, Jason Frisvold wrote:
> > Hi all,
> >
> >     First post..  I hope this is ok ...
> >
> >     We tested the Cisco vulnerability and I wanted to share our results
> > with you ...
> <SNIP>
> > Testing scenario is this : 
> >
> > Linux Machine (10.0.0.2/24)
> > Cisco 2514 
> >    Ethernet0 (10.0.0.1/24) is in from the attacker 
> >    Ethernet1 (192.168.0.1/24) is output to the 2501 
> > Cisco 2501 
> >    Ethernet0 (192.168.0.2/24) is in from the 2514 
> <SNIP>
>
> Firstly, HPing (www.hping.org) can craft the packets required for this
> attack very simply...  I won't post the exact command string, but it's
> not that hard to figure out...  And with HPing, you can easily take down
> an interface in under a second.
>
> Now, on to ACL testing...
>
> 3 ACL tests just to make sure we had everything correct ...  We first
> tried the any any ACL that Cisco recommends :
>
> access-list 101 deny 53 any any
> access-list 101 deny 55 any any
> access-list 101 deny 77 any any
> access-list 101 deny 103 any any
> access-list 101 permit ip any any
>
> This produced expected results.  When placed on the interface, it
> prevented the router from being attacked.
>
> Next, we tried an ACL with just the interface IP in it :
>
> access-list 101 deny 53 any host 10.0.0.1
> access-list 101 deny 55 any host 10.0.0.1
> access-list 101 deny 77 any host 10.0.0.1
> access-list 101 deny 103 any host 10.0.0.1
> access-list 101 permit ip any any
>
> We applied this to the Ethernet0 interface on the 2514.  Attacks to that
> IP were prevented as expected.
>
> Attacks through to the 2501 were not blocked, again as expected.
>
> And finally, attacks to the ethernet1 interface on the 2514, which
> passes through the ethernet0 interface, still caused the ethernet0
> interface to be attacked.
>
> And the last test was an ACL containing all of the IP's on the router:
>
> access-list 101 deny 53 any host 10.0.0.1
> access-list 101 deny 55 any host 10.0.0.1
> access-list 101 deny 77 any host 10.0.0.1
> access-list 101 deny 103 any host 10.0.0.1
> access-list 101 deny 53 any host 192.168.0.1
> access-list 101 deny 55 any host 192.168.0.1
> access-list 101 deny 77 any host 192.168.0.1
> access-list 101 deny 103 any host 192.168.0.1
> access-list 101 permit ip any any
>
> This blocked all attacks on the 2514 while still allowing attacks
> through to the 2501..  This is as expected.
>
> Also, another note.  Loopback interfaces, while not vulnerable
> themselves, make it much easier to completely take out routers..  (We're
> assuming that the device is still vulnerable)  If the attacker has the
> loopback of the router, they can run an attack at that interface.  Every
> input interface will be attacked in succession.  As each interface goes
> down and the traffic re-routed, the next interface will fall under
> attack.
>
> Just be sure to add the loopback IP as part of the ACL ...  :)
-- 
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz () corp ptd net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world."
      -- Albert Einstein [1879-1955]

Attachment: signature.asc
Description: This is a digitally signed message part