[unisog] Cisco vulnerability

Anderson Johnston andy at umbc.edu
Thu Jul 17 20:00:11 GMT 2003


Thanks to all who replied.  I will pass this on to our network folks.
Addendum: Networks now has the go-ahead to start rolling upgrades.

					Thanks again,
						- Andy

On Thu, 17 Jul 2003, John Kristoff wrote:

> On Thu, 17 Jul 2003 13:58:01 -0400 (EDT)
> Anderson Johnston <andy at umbc.edu> wrote:
>
> > Like what is it?  Applying the workaround to every router and switch
> > on our campus isn't something we can do real fast.  Any other
> > approaches?  Is there something we can filter on?
>
> There are some workarounds near the end of that advisory.  The page you
> listed is currently the most authoritative source of info.  There are
> some guesses floating around of what the specifics are, but since this
> appears to have been a problem found internally by cisco they are
> withholding further details at this time.
>
> You can shield traffic destined to the router through the use of input
> interface filters.  This may be difficult to manage on a significantly
> sized network actually, but for example (caution, not tested and I'm not
> sure this is the best way to do it):
>
> interface Ethernet0
>  ip address 192.0.2.1 255.255.255.0
>  ip access-group eth0-shield-in in
>
> ip access-list extended eth0-shield-in
>  remark Shield router from unwanted traffic destined to it
>  permit udp host <snmp-manager> host 192.0.2.1 eq 161
>  ! copy above statement with additional router IPs as destination
>  deny udp any host 192.0.2.1 eq 161
>  ! copy above statement with additional router IPs as destination
>  ! do the same for other things to router (e.g. telnet, ssh, bgp)
>  ! ...
>  ! transit traffic through the interface must still be allowed; without
>  ! this line the implicit deny at the end of the ACL would drop it
>  permit ip any any
>
> It might actually be easier to just upgrade, given that the above would
> probably be a fairly monumental task for many to widely deploy.
>
> John
>

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
------------------------------------------------------------------------------
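The "copy above statement with additional router IPs" chore in John's sketch is what makes the shield hard to manage at campus scale. The script below is an added example, not code from the thread or from Cisco: it generates the per-interface extended ACL from a list of the router's own addresses and the hosts allowed to reach each management service, always ending with the `permit ip any any` that transit traffic needs, and includes a small first-match evaluator so the result can be checked for mistakes (a forgotten trailing permit, a management host that the deny line would cut off) before it is pasted into a router. The router and host addresses are constructed documentation-range values, the service list and ACL name are assumptions, and the evaluator only understands the `host`/`any` and `eq` line shapes this generator emits.

```python
"""Generate and sanity-check an IOS 'shield' ACL for traffic destined to a router.

Added example for the unisog thread above; the ACL name, service list and
all addresses are assumptions/constructed values, not from the original post.
"""
from dataclasses import dataclass, field

# Services that terminate on the router itself.  Protocol/port are the standard
# assignments; the keys are just labels used by this script.
SERVICES = {
    "snmp":   ("udp", 161),
    "telnet": ("tcp", 23),
    "ssh":    ("tcp", 22),
    "bgp":    ("tcp", 179),
}


@dataclass
class ShieldSpec:
    acl_name: str
    router_ips: list                          # this router's addresses on the interface
    allowed: dict = field(default_factory=dict)  # service label -> list of permitted source hosts


def build_shield_acl(spec: ShieldSpec) -> list:
    """Return the extended named ACL as a list of IOS config lines."""
    lines = [f"ip access-list extended {spec.acl_name}",
             " remark Shield router from unwanted traffic destined to it"]
    for svc, (proto, port) in SERVICES.items():
        # Permit the known sources for this service, then deny everyone else.
        for src in spec.allowed.get(svc, []):
            for rip in spec.router_ips:
                lines.append(f" permit {proto} host {src} host {rip} eq {port}")
        for rip in spec.router_ips:
            lines.append(f" deny {proto} any host {rip} eq {port}")
    # Every IOS ACL ends in an implicit deny; without this line the shield
    # would also drop all transit traffic entering the interface.
    lines.append(" permit ip any any")
    return lines


def build_interface_stanza(ifname: str, spec: ShieldSpec) -> list:
    """Apply the ACL inbound on the given interface."""
    return [f"interface {ifname}", f" ip access-group {spec.acl_name} in"]


def render(ifname: str, spec: ShieldSpec) -> str:
    return "\n".join(build_shield_acl(spec) + build_interface_stanza(ifname, spec)) + "\n"


def evaluate(acl_lines: list, proto: str, src: str, dst: str, dport: int) -> str:
    """First-match evaluation of a generated ACL; returns 'permit' or 'deny'.

    Only the line shapes build_shield_acl emits are understood:
    <permit|deny> <proto|ip> <any|host A> <any|host B> [eq PORT]
    """
    for line in acl_lines:
        parts = line.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue                      # 'ip access-list ...' header or remark
        action, aproto = parts[0], parts[1]
        if aproto != "ip" and aproto != proto:
            continue
        i = 2
        if parts[i] == "any":             # source
            i += 1
        else:
            if parts[i + 1] != src:
                continue
            i += 2
        if parts[i] == "any":             # destination
            i += 1
        else:
            if parts[i + 1] != dst:
                continue
            i += 2
        if i < len(parts) and parts[i] == "eq" and int(parts[i + 1]) != dport:
            continue
        return action
    return "deny"                         # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    # Constructed example: one router address, one SNMP manager, one BGP peer.
    spec = ShieldSpec("eth0-shield-in", ["192.0.2.1"],
                      {"snmp": ["192.0.2.50"], "bgp": ["192.0.2.2"]})
    print(render("Ethernet0", spec))
    acl = build_shield_acl(spec)
    print("snmp from manager :", evaluate(acl, "udp", "192.0.2.50", "192.0.2.1", 161))
    print("snmp from stranger:", evaluate(acl, "udp", "198.51.100.9", "192.0.2.1", 161))
    print("transit http      :", evaluate(acl, "tcp", "198.51.100.9", "203.0.113.7", 80))
```

The evaluator is deliberately minimal; it exists to catch ordering and implicit-deny mistakes in what the generator emits, not to model IOS ACL semantics in general (no wildcard masks, no `established`, no port ranges). Adding `log` to the deny lines would show who is probing the routers, but on a busy interface that logging costs CPU, which is the wrong trade while a denial-of-service advisory is open.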
