
List:       vulnwatch
Subject:    Re: [VulnWatch] Cisco CSS 11000 Series DoS
From:       Mike Caudill <mcaudill () cisco ! com>
Date:       2003-08-08 17:53:27

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



This is to acknowledge your postings regarding a Denial of Service 
vulnerability in the Cisco CSS 11000 platforms located at:

Vulnwatch list:
http://lists.insecure.org/lists/vulnwatch/2003/Jul-Sep/0073.html

BUGTRAQ:
http://www.securityfocus.com/archive/1/332284/2003-08-05/2003-08-11/0

The Cisco PSIRT is investigating the issue further.  Once we have verified 
details surrounding this problem, we will post a response to both forums 
with more information regarding fixed software versions and applicable 
workarounds which can be used to mitigate the problem.

Thanks.

- -Mike-

> ###############################################################
> ID: S21SEC-025-en
> Title: Cisco CSS 11000 Series DoS
> Date: 04/07/2003
> Status: Solution available
> Scope: Interruption of service, high CPU load.
> Platforms: All/Chassis CS800.
> Author: ecruz, egarcia, jandre
> Location: http://www.s21sec.com/en/avisos/s21sec-025-en.txt
> Release: External
> ###############################################################
>
> 				S 2 1 S E C
>
> 			   http://www.s21sec.com
>
>                    Cisco CSS 11000 Series Denial of service
>
> Description of vulnerability
> ----------------------------
>
> A heavy storm of TCP SYN packets directed to the circuit address of the
> CSS can cause DoS on it, high CPU load or even sudden reboots.
>
> The issue is known by Cisco as the ONDM Ping failure (CSCdz00787). On the
> CS800 chassis the system controller module (SCM) sends ONDM (online
> diagnostics monitor) pings to each SFP card in order to see if they are
> alive; if the SCM doesn't get a response in about 30 seconds the SCM will
> reboot the CS800 and there will be no core.
>
> By attacking the circuit IP address of the CSS with SYN packets the traffic
> is sent up to the SCM over the internal MADLAN ethernet interface. If this
> internal interface becomes overloaded the ONDM ping request and response
> traffic can be dropped leading this to an internal DoS since no internal
> communications are available.
>
> Any attacker could do this externally with a few sessions of NMAP and a
> cable/ADSL internet connection.
>
> Affected Versions and platforms
> -------------------------------
>
> This vulnerability affects the models 11800, 11150 and 11050 with chassis
> CS800.
>
> Solution
> --------
>
> Upgrade to software release WebNS 5.00.110s or above.
> http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_release_note09186a008014ee04.html
>
> ACLs to protect the circuit address are recommended.
>
> Additional information
> ----------------------
>
> These vulnerabilities have been found and researched by:
>
>  Eduardo Cruz		   ecruz@s21sec.com
>  Emilin Garcia		 egarcia@s21sec.com
>  Jordi Andre		  jandre@s21sec.com
>
> You can find the last version of this warning in:
>
>         http://www.s21sec.com/en/avisos/s21sec-025-en.txt
>
> And other S21SEC warnings in http://www.s21sec.com/en/avisos/

- -- 
- ----------------------------------------------------------------------------
|      ||        ||       | Mike Caudill              | mcaudill@cisco.com |
|      ||        ||       | PSIRT Incident Manager    | 919.392.2855       |
|     ||||      ||||      | DSS PGP: 0xEBBD5271       | 919.522.4931 (cell)|
| ..:||||||:..:||||||:..  | RSA PGP: 0xF482F607       ---------------------|
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt                  |
- ----------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBPzPjjYpjyUnrvVJxEQJmGACgya7O22vVuve9xyTLcR0K+W7xGK8AnisN
ZxRCBS4Ku21eGv0snlEm3MZj
=0NCw
-----END PGP SIGNATURE-----
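
The following detection sketch is an added example, not part of the original message or of the S21SEC advisory: it scans per-second flow summaries for bare-SYN storms aimed at a CSS circuit address and marks any storm that lasts at least the roughly 30-second ONDM window the advisory describes. The record format, the circuit IP, the threshold and all function names are assumptions made for illustration, and the sample records are constructed.

```python
from collections import defaultdict

ONDM_TIMEOUT_S = 30        # "about 30 seconds", from the advisory
CIRCUIT_IP = "192.0.2.10"  # constructed address (documentation range)
SYN_PPS_THRESHOLD = 500    # assumed alert threshold; tune to your baseline


def syn_rate_per_second(records, circuit_ip=CIRCUIT_IP):
    """Sum bare-SYN packets per second addressed to the circuit IP."""
    rate = defaultdict(int)
    for line in records:
        ts, dst, flags, pkts = line.split()
        # Count SYN without ACK only; SYN-ACK/ACK are replies or open flows.
        if dst == circuit_ip and flags == "S":
            rate[int(ts)] += int(pkts)
    return rate


def _summarise(run, rate):
    """(start, end, peak_pps, reboot_risk) for one run of hot seconds."""
    duration = run[-1] - run[0] + 1
    return (run[0], run[-1], max(rate[s] for s in run), duration >= ONDM_TIMEOUT_S)


def find_syn_storms(records, threshold=SYN_PPS_THRESHOLD, circuit_ip=CIRCUIT_IP):
    """Find runs of consecutive seconds with SYN rate at or above threshold."""
    rate = syn_rate_per_second(records, circuit_ip)
    storms, run = [], []
    for sec in sorted(rate):
        hot = rate[sec] >= threshold
        if hot and run and sec == run[-1] + 1:
            run.append(sec)      # storm continues
            continue
        if run:
            storms.append(_summarise(run, rate))
        run = [sec] if hot else []
    if run:
        storms.append(_summarise(run, rate))
    return storms


def sample_records():
    """Constructed flow summaries, one per line: 'epoch dst flags packets'."""
    recs = [f"{1000 + i} {CIRCUIT_IP} S 20" for i in range(5)]            # baseline
    recs += [f"{1010 + i} {CIRCUIT_IP} S 900" for i in range(8)]          # short burst
    recs += [f"{1100 + i} {CIRCUIT_IP} S {4000 + i}" for i in range(40)]  # sustained
    recs += [f"{1100 + i} 192.0.2.50 S 9000" for i in range(40)]          # other host
    recs += [f"{1100 + i} {CIRCUIT_IP} SA 9000" for i in range(40)]       # SYN-ACK
    return recs
```

The `reboot_risk` flag is a heuristic based only on storm duration; it does not measure load on the internal interface.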