-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-17 Exploit available for for the Cisco IOS Interface
Blocked Vulnerabilities

   Original release date: July 18, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * All  Cisco  devices  running  Cisco IOS software and configured to
       process Internet Protocol version 4 (IPv4) packets

Overview

   An exploit has been posted publicly for the vulnerability described in
   VU#411332, which was announced in

   http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

I. Description

          An exploit has been posted publicly for VU#411332. This exploit
          allows  an  attacker  to  interrupt  the  normal operation of a
          vulnerable  device. We believe it is likely that intruders will
          begin using this or other exploits to cause service outages.

          If  you  believe  you have been the victim of intruder activity
          related  to this vulnerability, we encourage you to report that
          activity  to  your local incident response team, if any, and to
          the  CERT  Coordination  Center. Relevant artifacts or activity
          can  be  sent to cert@cert.org with "CERT#24229" in the subject
          line.  If  you are not able to communicate via electronic mail,
          contact  CERT/CC by phone at the number listed at the bottom of
          this document.

          Many  large  service providers have already taken action or are
          in  the  midst  of  upgrading. However, if you have not already
          taken  action, we strongly encourage you to review the advisory
          provided  by  Cisco  and  take  action  in accordance with your
          site's  maintenance  and  change management procedures. Cisco's
          advisory can be found at

    http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

          The  CERT/CC  will  continue  to provide information about this
          vulnerability through VU#411332.

          Any  information  regarding  intruder  activity related to this
          vulnerability  will  be  posted to the CERT/CC Currect Activity
          page, available at

     http://www.cert.org/current/

II. Impact

          By  sending specially crafted IPv4 packets to an interface on a
          vulnerable  device,  an  intruder  can cause the device to stop
          processing  packets  destined  to  that interface. Quoting from
          Cisco's advisory:

     A  device  receiving  these  specifically crafted IPv4 packets will
     force  the inbound interface to stop processing traffic. The device
     may  stop  processing  packets  destined  to  the router, including
     routing  protocol  packets  and  ARP  packets.  No  alarms  will be
     triggered, nor will the router reload to correct itself. This issue
     can  affect  all  Cisco  devices  running  Cisco IOS software. This
     vulnerability  may  be  exercised  repeatedly  resulting in loss of
     availability  until a workaround has been applied or the device has
     been upgraded to a fixed version of code.

III. Solution

Apply a patch from Cisco

          Upgrade as described in Cisco's Advisory.

Restrict access

          Until  a  patch  can  be  applied,  you  can mitigate the risks
          presented  by  this  vulnerability  by  judicious use of access
          control  lists  (ACLs). The correct use of ACLs depends on your
          network topology. Additionally, ACLs may degrade performance on
          some  systems.  We  recommend  reviewing  the  following before
          applying ACLs:

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml#workarounds
http://www.cisco.com/warp/public/707/racl.html
http://www.cisco.com/warp/public/707/iacl.html
            __________________________________________________________

          The CERT Coordination Center thanks Cisco Systems for notifying
          us  about  this  problem  and  for helping us to construct this
          advisory.
            __________________________________________________________

          Authors: Shawn Hernan and Martin Lindner
          _______________________________________________________________

          This document is available from:
          http://www.cert.org/advisories/CA-2003-17.html
          _______________________________________________________________

CERT/CC Contact Information

        Email: cert@cert.org
                Phone: +1 412-268-7090 (24-hour hotline)
                Fax: +1 412-268-6989
                Postal address:
                CERT Coordination Center
                Software Engineering Institute
                Carnegie Mellon University
                Pittsburgh PA 15213-3890
                U.S.A.

          CERT/CC  personnel  answer the hotline 08:00-17:00 EST(GMT-5) /
          EDT(GMT-4)   Monday  through  Friday;  they  are  on  call  for
          emergencies  during  other  hours,  on  U.S.  holidays,  and on
          weekends.

Using encryption

          We  strongly  urge you to encrypt sensitive information sent by
          email. Our public PGP key is available from

        http://www.cert.org/CERT_PGP.key

          If you prefer to use DES, please call the CERT hotline for more
          information.

Getting security information

          CERT  publications and other security information are available
          from our web site

        http://www.cert.org/

          To  subscribe  to  the  CERT  mailing  list  for advisories and
          bulletins,  send email to majordomo@cert.org. Please include in
          the body of your message
          subscribe cert-advisory

          *  "CERT"  and "CERT Coordination Center" are registered in the
          U.S. Patent and Trademark Office.
          _______________________________________________________________

          NO WARRANTY
          Any  material  furnished  by Carnegie Mellon University and the
          Software  Engineering  Institute  is  furnished  on  an "as is"
          basis.  Carnegie  Mellon  University makes no warranties of any
          kind,  either  expressed or implied as to any matter including,
          but  not  limited  to,  warranty  of  fitness  for a particular
          purpose  or  merchantability,  exclusivity  or results obtained
          from  use  of the material. Carnegie Mellon University does not
          make  any  warranty  of  any  kind with respect to freedom from
          patent, trademark, or copyright infringement.
            __________________________________________________________

          Conditions for use, disclaimers, and sponsorship information

          Copyright 2003 Carnegie Mellon University.

          Revision History

July 18, 2003:  Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPxgDAGjtSoHZUTs5AQEY6AQA0hYldKCx/AR+SnYaZG5zJ6lHQp4zL9hs
NasNnBnRLW/xqslHBfnjt73pl47cEbZwgVb6B+jjngWHKKRJ2HN8NDijDxkmFvWw
QIOflS1neDMTbpuFwbT/KFBUMOR3eXYumlLCa8m2NbxCxt3aaBBZeXrOxGoUEp3L
nIbMK+mHKxY=
=0maj
-----END PGP SIGNATURE-----