[unisog] Cisco vulnerability

John Kristoff jtk at depaul.edu
Thu Jul 17 18:51:12 GMT 2003


On Thu, 17 Jul 2003 13:58:01 -0400 (EDT)
Anderson Johnston <andy at umbc.edu> wrote:

> Like what is it?  Applying the workaround to every router and switch
> on our campus isn't something we can do real fast.  Any other
> approaches?  Is there something we can filter on?

There are some workarounds near the end of that advisory.  The page you
listed is currently the most authoritative source of info.  There are
some guesses floating around of what the specifics are, but since this
appears to have been a problem found internally by cisco they are
withholding further details at this time.

You can shield traffic destined to the router through the use of input
interface filters.  This may be difficult to manage on a significantly
sized network actually, but for example (caution, not tested and I'm not
sure this is the best way to do it):

interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group eth0-shield-in in

ip access-list extended eth0-shield-in
 remark Shield router from unwanted traffic destined to it
 permit udp host <snmp-manager> host 192.0.2.1 eq 161
 ! copy above statement with additional router IPs as destination
 deny udp any host 192.0.2.1 eq 161
 ! copy above statement with additional router IPs as destination
 ! do the same for other things to router (e.g. telnet, ssh, bgp)
 ! ...
 ! extended ACLs end with an implicit deny, so traffic passing
 ! through the router must be explicitly permitted at the end
 permit ip any any

It might actually be easier to just upgrade, given that the above would
probably be a fairly momentous task for many to widely deploy.

John
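The per-router, per-service statements in the shield ACL above have to be copied by hand for every router address, which is the management burden the post mentions. The following Python script is an added example (not from the original post or from Cisco) that generates the same ACL plus the interface stanza from lists of router addresses and permitted management hosts; the addresses and the set of services are constructed sample values, and the service ports are the standard ones for SNMP, SSH and telnet.

```python
from ipaddress import ip_address

# Constructed sample data (placeholders, not real hosts): the router addresses
# to shield and the management hosts allowed to reach each service.
ROUTER_IPS = ["192.0.2.1", "192.0.2.2"]
SNMP_MANAGERS = ["198.51.100.10"]
SSH_HOSTS = ["198.51.100.10", "198.51.100.11"]

# (protocol, port, allowed source hosts) for each service the router offers.
# An empty source list means the service is blocked from everywhere.
SERVICES = [
    ("udp", 161, SNMP_MANAGERS),  # SNMP
    ("tcp", 22, SSH_HOSTS),       # SSH
    ("tcp", 23, []),              # telnet: nobody should reach it
]


def shield_acl(name, router_ips, services):
    """Return the lines of an extended ACL that permits only the listed
    management hosts to reach each service on each router address and
    denies everyone else, while still passing transit traffic."""
    for addr in router_ips:
        ip_address(addr)  # raises ValueError on a typo before it reaches a router
    lines = [f"ip access-list extended {name}",
             " remark Shield router from unwanted traffic destined to it"]
    for proto, port, sources in services:
        for dst in router_ips:
            for src in sources:
                ip_address(src)
                lines.append(f" permit {proto} host {src} host {dst} eq {port}")
            lines.append(f" deny {proto} any host {dst} eq {port}")
    # Extended ACLs end with an implicit deny; without this line the filter
    # would also drop traffic merely passing through the router.
    lines.append(" permit ip any any")
    return lines


def interface_config(ifname, addr, mask, acl_name):
    """Return the interface stanza that applies the ACL inbound."""
    return [f"interface {ifname}",
            f" ip address {addr} {mask}",
            f" ip access-group {acl_name} in"]


if __name__ == "__main__":
    acl = "eth0-shield-in"
    print("\n".join(interface_config("Ethernet0", "192.0.2.1",
                                     "255.255.255.0", acl)))
    print()
    print("\n".join(shield_acl(acl, ROUTER_IPS, SERVICES)))
```

Review the generated output before pasting it into a router; the script only checks that addresses parse, not that the service list matches what each router actually runs.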
