EXAMPLES OF SPECIFIC DOS ATTACKS AGAINST CATALYST SWITCHES AND OTHER CISCO NETWORKING DEVICES

Of course, device-specific DoS attacks are not restricted to IOS routers. A variety of hosts, ranging from Catalyst switches to Aironet wireless access points and even the mighty PIX firewalls, have these flaws. Many of these attacks can be launched using Cisco Global Exploiter; some require nothing more than a Telnet client to execute. In fact, while we were writing this chapter we discovered such an attack ourselves, this time against a PIX 515E firewall in our testing lab.

Cisco Catalyst Memory Leak DoS Vulnerability

Attack

Popularity:   6
Simplicity:   8
Impact:       8
Risk Rating:  7

The Telnet server that runs on the Catalyst firmware (CatOS) for remote administration contains a memory leak that can result in a DoS. The flaw is a programming error in the code that closes a Telnet session: a memory resource allocated when the session starts is not freed when the session ends. After a large number of sessions, most of the system memory is held by the Telnet service and the switch stops responding. An attacker can abuse this flaw to deny legitimate users access to the device, and the affected switch then has to be manually restarted to resume operation.

Proof-of-concept code to test this vulnerability has been released as part of the CGE Perl toolkit described previously (vulnerability number 11). At the end of the day, all it takes to cause the crash is to open, and close, many Telnet connections to the unlucky switch.

Cisco Catalyst Memory Leak DoS Countermeasure

Countermeasure 

Cisco has released an advisory to address this issue. Consult the Cisco Systems web site for instructions on updating your CatOS firmware to resolve it; the list of affected switches and the necessary CatOS upgrades is available at http://www.securityfocus.com/bid/2072/solution . It is also highly advisable to use access control lists (ACLs) and proper virtual LAN (VLAN) separation, employing VLAN access lists, so that Cisco management services, such as Telnet, Secure Shell (SSH), and the web management interface, are reachable only by legitimate users and IP addresses.
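As an added illustration (not configuration from the book), the following CatOS fragment uses the switch's own IP permit list to limit Telnet and SSH to an administration subnet and a single jump host. The addresses are placeholders, and the keywords assume a CatOS 6.x/7.x train that supports per-service permit lists, so confirm them against the command reference for your release. Enter the permit entries before enabling enforcement, otherwise you can lock yourself out of the session you are typing in.

```text
set ip permit 10.10.100.0 255.255.255.0 telnet
set ip permit 10.10.100.10 ssh
set ip permit enable telnet
set ip permit enable ssh
show ip permit
```

This does not fix the leak itself (only the firmware upgrade does), but it shrinks the set of hosts that can open the sessions needed to trigger it, and `show ip permit` lets you verify the list before you trust it.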

Incorrect TCP Checksum Attack Disrupting Communication Through a PIX Firewall

Attack

Popularity:   N/A
Simplicity:   8
Impact:       4
Risk Rating:  6

When a host is located on the trusted side of the network behind the PIX firewall, it is possible to prevent a legitimate TCP connection from being established through the PIX to a host on the other side of the firewall. To execute such an attack, an attacker sends a specially crafted TCP packet with a deliberately incorrect TCP checksum through the PIX, pretending that it originated from the legitimate host. The attacker needs to supply both the source and destination IP addresses and the client-side source port of the connection; once such a packet is received by the PIX, the firewall blocks the attacked connection. The downtime is around 2 minutes, 4 seconds, after which a new connection can be established again. The attack does not affect connections that are already established through the PIX.

Since the attacker does not know which client-side source port a new connection will use, disrupting communication between two hosts completely would take a lot of packets; we therefore assume that the attacker's aim is to prevent communication to a specific service on the remote host, such as SSH, SMTP, or TCP syslog. In our tests, it took around 15 seconds to generate and send 65,535 packets, one for each possible client source port. The attack was successfully tested against a PIX 515E firewall with 64MB of RAM performing NAT on the external interface.

A sample Perl script, Pixdos.pl , that was used to generate the packets is available at the book's companion web site.

It might be worthwhile to investigate the effect of sending packets with an incorrect IP checksum instead; that way, you may be able to disable all communication between two hosts through a PIX firewall.
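To make the mechanism concrete, here is an added Python example (not the book's Pixdos.pl, which is not reproduced on this page) that builds an IPv4/TCP segment, computes the TCP checksum over the pseudo-header as RFC 793 specifies, and verifies the checksum of packets it is handed, which is exactly the test a forged segment of the kind described above fails. A sensor in front of the firewall that recomputes checksums this way can flag the attack traffic; addresses, ports and the packets themselves are constructed inline, not captured.

```python
"""TCP checksum computation and verification over raw IPv4 packets.

Added example, not code from the book; the PIX attack above depends on a
segment whose TCP checksum is deliberately wrong, which a sensor in front of
the firewall can detect by recomputing the checksum. Addresses, ports and
the packets themselves are constructed inline (not captures).
"""
import struct

IPPROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words (odd byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto, TCP length)
    followed by the TCP header and payload. `segment` must carry a zeroed
    checksum field (bytes 16-17)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def parse_ipv4_tcp(packet: bytes):
    """Split a raw IPv4 packet into (src_ip, dst_ip, tcp_segment); raises on non-TCP."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_TCP:
        raise ValueError("not a TCP packet")
    return packet[12:16], packet[16:20], packet[ihl:total_len]


def stored_tcp_checksum(packet: bytes) -> int:
    """The checksum value the sender put in the TCP header."""
    _, _, seg = parse_ipv4_tcp(packet)
    return struct.unpack("!H", seg[16:18])[0]


def tcp_checksum_ok(packet: bytes) -> bool:
    """True when the TCP checksum in `packet` matches a fresh computation."""
    src_ip, dst_ip, seg = parse_ipv4_tcp(packet)
    zeroed = seg[:16] + b"\x00\x00" + seg[18:]
    return tcp_checksum(src_ip, dst_ip, zeroed) == stored_tcp_checksum(packet)


def build_ipv4_tcp(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int,
                   payload: bytes = b"", bad_checksum: bool = False) -> bytes:
    """Construct a minimal IPv4+TCP packet. The IP header checksum is left at zero
    because only the TCP checksum matters for this example; bad_checksum=True
    flips the low bit of the correct TCP checksum, as a forged segment would."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # sport, dport, seq, ack, data offset (5 words) << 4, flags, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    csum = tcp_checksum(src, dst, tcp)
    if bad_checksum:
        csum ^= 0x0001
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0, src, dst)
    return ip + tcp


def classify(packets):
    """Return a list of (index, 'ok' | 'BAD TCP checksum') for a batch of raw packets."""
    return [(i, "ok" if tcp_checksum_ok(p) else "BAD TCP checksum") for i, p in enumerate(packets)]


if __name__ == "__main__":
    SYN = 0x02
    good = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 1, 2, SYN)
    forged = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 1, 2, SYN, bad_checksum=True)
    for idx, verdict in classify([good, forged]):
        print(f"packet {idx}: {verdict}")
```

Note that the checksum covers the pseudo-header, so a segment whose source address is spoofed but whose checksum was computed for a different address pair also fails verification; a stateful device that dropped bad-checksum segments before consulting its connection table would not be tricked by the packets described above.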

Cisco Broadband OS TCP/IP Stack DoS Vulnerability

Attack

Popularity:   7
Simplicity:   8
Impact:       7
Risk Rating:  7

Cisco Systems has released a variety of broadband router devices to capture a share of the vast broadband equipment market from Motorola, Netgear, and other big players that provide affordable appliances to home and small office users. A vulnerability has been identified in the popular Cisco 600 series routers running Cisco Broadband Operating System (CBOS) software that crashes the device when a large volume of traffic traverses it. Cisco has confirmed that the small routers from the 605 to the 678 are vulnerable to this flaw. Using any network tool that generates a large amount of traffic, such as ping , hping2 , or rain , an attacker can deny service to legitimate users. Attackers can also bring down these small routers with large Dynamic Host Configuration Protocol (DHCP) packets (which can be sent using Yersinia in DHCP mode) or with large Telnet packets, generated by Cisco Global Exploiter (attack number 1).

Cisco Broadband OS TCP/IP Stack DoS Countermeasures

Countermeasure 

This vulnerability has been assigned Cisco Bug ID CSCdx36121. More details about this issue can be found at http://www.cisco.com/en/US/products/products_security_advisory09186a0080094e6f.shtml . The advisory also describes broadband router crashes caused by large DHCP and Telnet packets. If your network uses these devices, you are advised to upgrade the firmware, since no reliable workarounds are available other than filtering out all DHCP packets (not advisable if the router's address is assigned dynamically) and disabling Telnet access.

Cisco Aironet AP1x00 Malformed HTTP GET DoS Vulnerability

Attack

Popularity:   5
Simplicity:   6
Impact:       8
Risk Rating:  6

A flaw has been found in the popular IOS-based Cisco Aironet AP 1x00 series wireless access points. It is possible to cause an IOS-based Cisco Aironet Access Point to crash and reboot if the HTTP server feature is used for administrative purposes. The web management interface is enabled by default for easy and convenient installation and setup of the device. An attacker can abuse this vulnerability by sending a specially crafted, malformed HTTP request to the device, causing a reboot or a DoS condition. No prior authentication with the device is required. Taking into account the number of unsecured wireless access points (APs) we've encountered in the wild, a script kiddie could abuse many misconfigured vulnerable Cisco APs for fun or profit. IOS releases on AP1x00 series devices up to and including 12.2(8)JA are reported to be vulnerable; check the Cisco advisory for the first fixed release.

To determine whether your AP is vulnerable to this attack, Telnet to the device and execute the following:

 arhontus> sh ver
 Cisco Internetwork Operating System Software
 IOS (tm) C1100 Software (C1100-K9W7-M), Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
                                                 ^^^^^^^^^
 TAC Support: http://www.cisco.com/tac
 Copyright (c) 1986-2003 by cisco Systems, Inc.

In this example, the device is vulnerable, and shows version 12.2(8)JA of the IOS firmware.

Cisco Aironet AP1x00 Malformed HTTP GET DoS Countermeasures

Countermeasure 

A few possible solutions are available to mitigate this issue, the first being an upgrade of the IOS firmware to the latest available version. The second is to use access lists so that only legitimate users, such as system administrators and managers, can reach the web management interface. To do that, define the list first and then bind it to the HTTP server:

 arhontus(config)# access-list 10 permit host <IP ADDRESS OF ADMIN>
 arhontus(config)# ip http access-class 10

Repeat the access-list command for every IP address that is allowed to manage the device; the implicit deny at the end of the list blocks everyone else. Defining the list before applying it avoids a window in which the HTTP server is bound to a list that does not yet exist.

Alternatively, if the HTTP service is not required for day-to-day management, you are advised to disable it in the following manner:

 arhontus(config)# no ip http server 

Cisco Catalyst Nonstandard TCP Flags Remote DoS Vulnerability

Attack

Popularity:   5
Simplicity:   5
Impact:       8
Risk Rating:  6

After receiving a series of malformed connection attempts to any of its TCP services (HTTP, Telnet, SSH), the switch enters a DoS condition in which it no longer answers those services for any client. It has been confirmed that as few as eight sequential connection attempts with nonstandard flags are required to crash a service. The flaw is present in every TCP-based service on an affected Catalyst switch. Network toolkits such as hping2 and rain are fully capable of carrying out this attack. Just bombard the switch with TCP packets carrying bizarre flag combinations; even a standard Nmap Xmas scan ( -sX ) might do. The Cisco advisory states that this vulnerability does not affect traffic passing through the switch or any console-based service.
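Because the trigger is a short run of segments with flag combinations no legitimate client ever sends, the attack is easy to spot on a span port or in flow data. The following added Python example (not code from the book) classifies flag combinations as standard or nonstandard and raises an alert when one source sends a run of nonstandard segments to a switch; the records are constructed inline rather than captured, and the threshold of eight is the figure quoted in the text. The classifier is general (it also catches NULL, FIN and SYN+FIN probes, not only the Xmas combination), which goes slightly beyond the specific case above.

```python
"""Detect bursts of TCP segments with nonstandard flag combinations.

Added example, not code from the book: the Catalyst flaw above is triggered
by a short run of connection attempts whose flags no real client sends
(Nmap's Xmas probe is FIN+PSH+URG). The segment records are constructed
inline, not captured; the threshold of 8 is the figure quoted in the text.
"""
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG))


def flag_string(flags: int) -> str:
    names = [name for name, bit in FLAG_NAMES if flags & bit]
    return "+".join(names) if names else "NULL"


def flags_from_tcp_header(header: bytes) -> int:
    """The six classic flag bits from byte 13 of a TCP header (ECN bits ignored)."""
    return header[13] & 0x3F


def is_nonstandard(flags: int) -> bool:
    """True for combinations that never occur in a legitimate TCP exchange."""
    flags &= 0x3F
    if flags == 0:                              # NULL scan
        return True
    if flags & SYN and flags & (FIN | RST):     # SYN+FIN, SYN+RST
        return True
    if flags & (FIN | PSH | URG) and not flags & (ACK | SYN):
        return True                             # FIN/PSH/URG with no ACK: Xmas and FIN probes
    return False


class FlagBurstDetector:
    """Counts consecutive nonstandard segments per (src, dst) pair and reports
    the first time a run reaches `threshold`; a normal segment resets the run."""

    def __init__(self, threshold: int = 8):
        self.threshold = threshold
        self.runs = defaultdict(int)

    def observe(self, src: str, dst: str, dport: int, flags: int):
        key = (src, dst)
        if not is_nonstandard(flags):
            self.runs[key] = 0
            return None
        self.runs[key] += 1
        if self.runs[key] == self.threshold:
            return (src, dst, dport, self.runs[key], flag_string(flags))
        return None

    def feed(self, segments):
        """segments: iterable of (src, dst, dport, flags). Returns the alerts raised."""
        alerts = []
        for seg in segments:
            alert = self.observe(*seg)
            if alert is not None:
                alerts.append(alert)
        return alerts


XMAS = FIN | PSH | URG

# Constructed sample: seven Xmas probes, one normal SYN (which resets the run),
# then eight more Xmas probes from the same source, plus a benign SSH client.
SAMPLE_SEGMENTS = (
    [("10.0.0.66", "10.0.0.1", 23, XMAS)] * 7
    + [("10.0.0.66", "10.0.0.1", 23, SYN)]
    + [("10.0.0.66", "10.0.0.1", 23, XMAS)] * 8
    + [("10.0.0.7", "10.0.0.1", 22, SYN), ("10.0.0.7", "10.0.0.1", 22, PSH | ACK)]
)


def run_sample():
    return FlagBurstDetector(threshold=8).feed(SAMPLE_SEGMENTS)


if __name__ == "__main__":
    for src, dst, dport, count, flags in run_sample():
        print(f"ALERT {src} -> {dst}:{dport} {count} consecutive {flags} segments")
```

In practice you would key the counter on the management addresses of your switches as destinations and feed it from a sniffer or from flow records; a threshold below eight gives earlier warning at the cost of alerting on ordinary port scans, which against a switch exposing Telnet and HTTP is rarely a false positive worth suppressing.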

Cisco Catalyst Nonstandard TCP Flags Remote DoS Countermeasure

Countermeasure 

As previously stated, it is good security practice to disable the network device management services or restrict access to those services to legitimate users only. Cisco Systems advises that you upgrade the firmware. Refer to Cisco Bug ID CSCdw52219 for more information on how to perform the upgrade. More information can be obtained from http://www.cisco.com/warp/public/707/cisco-sa-20030709-swtcp.shtml.



Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions
ISBN: 0072259175
Year: 2005