
Deadly pings for Cisco routers and switches

From a story at H Security: Deadly pings for Cisco routers and switches – News – The H Security: News and features

The command "show np 2 stats" can be used to determine whether the problem has previously occurred. If it has, the error message “ERROR: np_logger_query request for FP Stats failed” is returned. The vendor does not suggest a workaround, but has made updated versions of the FWSM software available in which the problem does not occur.

Notice in the comments:

Ok, this is just plain inaccurate.

I’m not sure who read the Cisco advisory because they did a pretty bad job at the interpretation:

1) First off, this isn’t a bug that “disables Cisco routers and switches”. This is specifically about the FIREWALL MODULE that can be installed on a 6500-switch or a 7600-series router. Just because the module is installed on the switch/router does not mean that the entire platform is affected/disabled. Please read up on modular switches/routers to understand what that means.

2) The vendor DOES suggest a workaround (albeit not to be carried out on the FWSM itself); it may not be the most elegant, but the workaround is to filter ICMP packets before they get to the FWSM. The edge router would be the most suitable candidate for that and applying this filter would prevent the malicious ICMP traffic in question from reaching the vulnerable FWSM.

See also:

[Editor] And now an update: 9 September – It seems there is a problem, and now a fix:

Cisco TCP stack vulnerable to DoS attacks – News – The H Security: News and features

9 September 2009, 12:52

Cisco TCP stack vulnerable to DoS attacks

Cisco has released a software update to fix a DoS vulnerability in a number of its products. An attacker can manipulate the state of an open TCP connection so that it never times out and remains connected indefinitely. According to Cisco, such connections hang in the FINWAIT1 state.

If an attacker can achieve this with a large number of connections, they will consume sufficient resources to prevent further connections to the system being established. A reboot is required to resolve the problem. Crashes may also occur.
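The resource exhaustion described above shows up on the victim as a pile of TCP sockets parked in FIN-WAIT-1 that never drain. The following is an added example, not code from the H Security article or from Cisco: it parses `ss -tan` style socket listings (the column layout is assumed from the Linux `ss` tool; the sample lines are constructed) and flags any peer holding an unusually large number of FIN-WAIT-1 connections. The threshold is an assumed tuning value, and the per-peer grouping is only one heuristic, since an attacker spread across many source addresses would not cluster this way.

```python
"""Flag peers holding many TCP connections stuck in FIN-WAIT-1.

Added example for the Sockstress-style exhaustion described in the article.
Input format assumed: lines like those printed by `ss -tan` on Linux
(State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port).
"""
from collections import Counter

# Constructed sample output; 203.0.113.5 holds four half-closed connections.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      192.0.2.10:443       198.51.100.7:51234
FIN-WAIT-1 0      1      192.0.2.10:443       203.0.113.5:40001
FIN-WAIT-1 0      1      192.0.2.10:443       203.0.113.5:40002
FIN-WAIT-1 0      1      192.0.2.10:443       203.0.113.5:40003
FIN-WAIT-1 0      1      192.0.2.10:443       203.0.113.5:40004
FIN-WAIT-1 0      1      192.0.2.10:443       198.51.100.7:51235
TIME-WAIT  0      0      192.0.2.10:443       198.51.100.9:51300
"""


def parse_ss(text):
    """Yield (state, local, peer) tuples from ss -tan style output, skipping the header line."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or truncated line
        yield fields[0], fields[3], fields[4]


def peer_ip(addr):
    """Strip the port from host:port; also handles bracketed IPv6 like [2001:db8::1]:443."""
    host, _, _ = addr.rpartition(":")
    return host.strip("[]")


def fin_wait1_by_peer(text):
    """Count FIN-WAIT-1 connections per peer IP address."""
    counts = Counter()
    for state, _local, peer in parse_ss(text):
        if state == "FIN-WAIT-1":
            counts[peer_ip(peer)] += 1
    return counts


def suspicious_peers(text, threshold=3):
    """Return (peer, count) pairs for peers holding at least `threshold` FIN-WAIT-1
    sockets, highest count first. `threshold` is an assumed tuning value: a well-behaved
    client rarely holds more than one connection in this state at a time."""
    counts = fin_wait1_by_peer(text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in suspicious_peers(SAMPLE_SS_OUTPUT):
        print(f"{ip} holds {n} connections in FIN-WAIT-1")
```

On a live host the same functions can be fed the output of `ss -tan` directly; the state name is the only column the check relies on, so the parser tolerates extra whitespace in the other fields.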

Cisco IOS, IOS-XE, CatOS, ASA, PIX, NX-OS and Linksys products are all affected. Precise details of which systems are affected and which are not, can be found in the vendor’s own security advisory.

The problem is not new, but has been smouldering in the TCP stacks of a number of vendors for a while and is actually a bug in the TCP protocol itself. The problem was first reported by Robert E. Lee and Jack C. Louis from Outpost24 back in October. They used a special tool to demonstrate that a low bandwidth internet connection was able to knock a broadband server off the web. Vendors have been scrabbling around for a solution ever since.

Yesterday, Microsoft too released a patch to fix this problem. Check Point, Juniper and other vendors have also now reacted. The Finnish CERT has now finally released details of the problem and of the Sockstress tool that was used to test the issue and distributed to vendors.
