[Snort-sigs] SID: 2190

Keith Pachulski keithp at ...2...
Mon Jul 21 05:39:15 EDT 2003

As the payload can be changed on the fly, and is not actually required for successful exploitation, this will only match on the shadowchode code.

-----Original Message-----
From: Iván Mota Alberca [mailto:ivan.mota at ...1690...]
Sent: Friday, July 18, 2003 12:40 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] SID: 2190

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"CISCO IOS DOS Attempt Proto 55"; ip_proto:55; dsize:26<>256; content:"|0001 0203 0405 0607 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819|"; reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml; sid:2190; classtype:denial-of-service; rev:1;)

Cisco routers and switches running Cisco IOS® software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets with specific protocol fields sent directly to the device may cause the input interface to stop processing traffic once the input queue is full. No authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not affected.

A device receiving these specifically crafted IPv4 packets will force the inbound interface to stop processing traffic. The device may stop processing packets destined to the router, including routing protocol packets and ARP packets. No alarms will be triggered, nor will the router reload to correct itself. This issue can affect all Cisco devices running Cisco IOS software. This vulnerability may be exercised repeatedly resulting in loss of availability until a workaround has been applied or the device has been upgraded to a fixed version of code. 

Detailed Information:
Cisco routers are configured to process and accept Internet Protocol version 4 (IPv4) packets by default. A rare, specially crafted sequence of IPv4 packets with protocol type 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND), or 103 (Protocol Independent Multicast - PIM) which is handled by the processor on a Cisco IOS device may force the device to incorrectly flag the input queue on an interface as full, which will cause the router to stop processing inbound traffic on that interface. This can cause routing protocols to drop due to dead timers. 

Affected Systems:
This issue affects all Cisco devices running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets. Cisco devices which do not run Cisco IOS software are not affected. Devices which run only Internet Protocol version 6 (IPv6) are not affected.
Attack Scenarios:
Anyone able to craft a special packet meeting the appropriate conditions will be able to hang any unpatched device running Cisco IOS.
Ease of Attack:

False Positives:
Not known
False Negatives:
Not known
Corrective Action:
Cisco recommends that all IOS devices which process IPv4 packets be configured to block traffic directed to the router from any unauthorized source with the use of Access Control Lists (ACLs). This can be done at multiple locations, and it is recommended that you review all methods and use the combination which fits your network best. Legitimate traffic is defined as management protocols such as telnet, snmp or ssh, and configured routing protocols from explicitly allowed peers. All other traffic destined to the device should be blocked at the input interface. Traffic entering the network should also be carefully evaluated and filtered at the network edge if destined to an infrastructure device. Although network service providers must often allow unknown traffic to transit their network, it is not necessary to allow that same traffic destined to their network infrastructure. Several white papers have been written to assist in deploying these recommended security best practices.
ivan.mota at ...1691... <http://www.securityxperts.es>

Additional References:

Iván Mota Alberca <ivan.mota at ...1690...>
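A worked detector for the rule above and for the broader condition described in the advisory text, written as an added example for this thread; it is not code from either message, from the Snort rule set, or from Cisco. It assumes raw IPv4 packets with no link-layer header, a constructed set of infrastructure addresses (INFRA_ADDRS), and treats the rule's dsize:26<>256 as exclusive bounds (the Snort 2 semantics of the time; adjust the comparison if your engine treats the range as inclusive). All sample packets are built inline and are not captures; they illustrate Keith's point that the content-bound rule only fires on the one known payload, while the advisory's condition is simply one of four protocol numbers addressed to the device itself.

```python
import struct
from dataclasses import dataclass

# IPv4 protocol numbers named in cisco-sa-20030717-blocked.
AFFECTED_PROTOS = {53: "SWIPE", 55: "IP Mobility", 77: "Sun ND", 103: "PIM"}

# The 26-byte content string carried by SID 2190: 0x00 0x01 ... 0x19.
SID2190_CONTENT = bytes(range(0x1A))

# Constructed for this example: addresses of our own routers, i.e. the
# $HOME_NET hosts that the advisory is about. Assumed inventory, not real.
INFRA_ADDRS = {"192.0.2.1", "192.0.2.2"}


@dataclass
class IPv4Packet:
    src: str
    dst: str
    proto: int
    ttl: int
    payload: bytes  # what Snort's dsize measures: bytes after the IP header


def _dotted(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def parse_ipv4(raw: bytes) -> IPv4Packet:
    """Parse a raw IPv4 packet (no link-layer header).

    Honours IHL so IP options are not counted as payload, and trims to the
    header's total length so trailing frame padding does not inflate dsize.
    """
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(raw) < total_len:
        raise ValueError("inconsistent IHL / total length")
    return IPv4Packet(_dotted(src), _dotted(dst), proto, ttl, raw[ihl:total_len])


def matches_sid2190(pkt: IPv4Packet) -> bool:
    """SID 2190 as posted: ip_proto:55; dsize:26<>256; content:|00 01 .. 19|.

    The range is applied as exclusive bounds (assumed Snort 2 semantics), so a
    payload of exactly 26 bytes does not fire.
    """
    return (pkt.proto == 55
            and 26 < len(pkt.payload) < 256
            and SID2190_CONTENT in pkt.payload)


def hits_affected_proto(pkt: IPv4Packet, infra_addrs=INFRA_ADDRS) -> bool:
    """Broader check: any of the four affected protocols addressed to one of
    our own devices, whatever the payload. This is what the content-bound
    rule cannot see once the payload is changed."""
    return pkt.proto in AFFECTED_PROTOS and pkt.dst in infra_addrs


def classify(raw: bytes, infra_addrs=INFRA_ADDRS) -> str:
    """Return 'sid2190', 'affected-proto' or 'none' for one raw packet."""
    pkt = parse_ipv4(raw)
    if matches_sid2190(pkt):
        return "sid2190"
    if hits_affected_proto(pkt, infra_addrs):
        return "affected-proto"
    return "none"


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 1) -> bytes:
    """Assemble a minimal IPv4 packet for the samples below (header checksum
    left zero; nothing here is sent on the wire)."""
    def to_bytes(addr: str) -> bytes:
        return bytes(int(x) for x in addr.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, to_bytes(src), to_bytes(dst))
    return hdr + payload


ATTACKER, ROUTER, SERVER = "203.0.113.7", "192.0.2.1", "192.0.2.50"

# Constructed samples, not captures.
SAMPLES = {
    # payload as the rule expects: pattern plus padding, 36 bytes
    "shadowchode-like": build_ipv4(ATTACKER, ROUTER, 55, SID2190_CONTENT + b"\x00" * 10),
    # same protocol, payload changed on the fly: rule is blind, broader check fires
    "proto55-other": build_ipv4(ATTACKER, ROUTER, 55, b"\x41" * 40),
    # one of the other three protocols: SID 2190 does not cover it at all
    "proto53-pattern": build_ipv4(ATTACKER, ROUTER, 53, SID2190_CONTENT + b"\x00" * 10),
    # exactly 26 bytes of payload: outside the exclusive dsize range
    "exact-26": build_ipv4(ATTACKER, ROUTER, 55, SID2190_CONTENT),
    # ordinary TCP to the router: not in scope of either check
    "tcp-to-router": build_ipv4(ATTACKER, ROUTER, 6, b"\x00" * 20),
    # affected protocol but aimed at a host, not an infrastructure address
    "pim-to-host": build_ipv4(ATTACKER, SERVER, 103, b"\x00" * 40),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18s} -> {classify(raw)}")
```

Running the block prints one verdict per sample: only the first fires SID 2190, the next three are caught only by the protocol-to-infrastructure check, and the last two are quiet. If you deploy the broader check as a Snort rule, the equivalent is one `ip_proto` rule per protocol number with the router addresses as the destination, which is also the shape of the ACL-based workaround in the advisory.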
