Cisco IOS EIGRP Neighbor Announcement ARP Storm Denial of Service Vulnerability

Source: Internet
Author: User

Affected Systems:

Cisco IOS 12.4

Cisco IOS 12.3

Cisco IOS 12.2

Cisco IOS 12.1

Cisco IOS 12.0

Cisco IOS 11.3

Description: BugTraq ID 6443


Cisco IOS (Internetwork Operating System) is the operating system that runs on Cisco routers and switches.


Forged EIGRP neighbor announcements (hello packets) can trigger an ARP storm on every Cisco router attached to the network segment. A remote attacker can exploit this to deny service, consuming router CPU and link bandwidth.


EIGRP routers discover neighbors automatically: a router announces its presence by sending hello packets to the EIGRP multicast address (224.0.0.10) on every interface on which EIGRP is enabled. When two routers discover each other they exchange their current topology information, and to do so each must first resolve the other's MAC address.


If an attacker floods the segment with EIGRP hellos whose source IP addresses are random but lie within the subnet configured on the receiving interface, every Cisco router that receives them attempts to contact the sender. The source address must fall within the router's configured subnet for the hello to be accepted.


The vulnerability is in how IOS handles this contact attempt: the router sends ARP requests for the sender's MAC address again and again, and the requests do not stop until the neighbor's hold time expires. The hold time is supplied by the sender in the hello itself; the field is 16 bits wide, so it can be set as high as 65535 seconds, just over 18 hours.


Many hellos with nonexistent source addresses therefore leave the router continuously ARPing for hosts that never answer, consuming a large amount of CPU time and bandwidth and resulting in denial of service.


Because hellos are multicast and are processed by every EIGRP router on the segment, a single forged packet affects all of them, which amplifies the attack. IOS versions earlier than 12.0 also accept unicast EIGRP neighbor announcements, so on those versions the attack can be launched across the Internet rather than only from the local segment.


<* Source: FX (fx@phenoelit.de)

Paul Oxman (poxman@cisco.com)

Andrew A. Vladimirov (mlists@arhont.com)

Link: http://marc.theaimsgroup.com/?l=bugtraq&m=104032222927499&w=2

http://marc.theaimsgroup.com/?l=bugtraq&m=113503313712315&w=2

http://marc.theaimsgroup.com/?l=bugtraq&m=113510954613

*>

Suggestion:
Workaround:


Until a fixed release can be installed, NSFOCUS recommends the following measures to reduce the threat:


* Enable EIGRP MD5 neighbor authentication, so that hellos that do not carry a valid keyed MD5 digest are discarded before any neighbor processing takes place. See the EIGRP configuration guide:


Http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt1/1ceigrp.htm#xtocid18


* If EIGRP neighbors are configured as unicast (neighbor statements), an inbound interface ACL can block hellos from any host other than the known neighbor. This does not protect against multicast hellos, which are addressed to 224.0.0.10 rather than to the router's own address. In the following example the EIGRP neighbor is 10.0.0.2, the local router's interface address is 10.0.0.1, and the interface name is an example; the final permit keeps the ACL from dropping all other traffic:


Router# configure terminal

Router(config)# access-list 111 permit eigrp host 10.0.0.2 host 10.0.0.1

Router(config)# access-list 111 deny eigrp any host 10.0.0.1

Router(config)# access-list 111 permit ip any any

Router(config)# interface FastEthernet0/0

Router(config-if)# ip access-group 111 in
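The following configuration is added here as an illustration of the MD5 authentication measure above; it is not part of the original advisory or of Cisco's own text. It also makes interfaces on which no EIGRP neighbor is expected passive, so the router neither sends hellos nor forms adjacencies there. The autonomous-system number 100, the key-chain name, the key string, the network statement and the interface names are assumptions.

```ios
! EIGRP MD5 neighbor authentication (AS 100, key chain name, key string
! and interface names are placeholders for this example)
key chain EIGRP-KEYS
 key 1
  key-string s3cr3t-eigrp-key
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
! No hellos and no adjacencies on interfaces that should have no EIGRP neighbor
router eigrp 100
 network 10.0.0.0 0.0.0.255
 passive-interface default
 no passive-interface FastEthernet0/0
```

Every router on the segment must be configured with the same key before adjacencies re-form, so apply the change on all neighbors in one maintenance window and confirm with `show ip eigrp neighbors` that the expected neighbors are back.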


Vendor patch:


Cisco

At the time of writing the vendor had not released a patch or upgrade. Users of the affected software are advised to monitor the vendor's advisory page for the latest version:


Http://www.cisco.com/warp/public/707/advisory.html
