Re: Three possible DoS attacks against some IOS versions.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This email is in response to the BugTraq posting at
http://online.securityfocus.com/archive/1/276270/2002-06-08/2002-06-14/2

Cisco is currently working on Cisco Bug Id CSCdx82139 to ensure that 
HSRP validates the destination IP address of packets received, before 
processing them. This will be integrated in all new releases of IOS.

In the interim the steps documented by Shane at
http://online.securityfocus.com/archive/1/276347/2002-06-08/2002-06-14/2
could be used as best practice.

On Saturday June 8 2002 02:21, Felix Lindner wrote:
> Sharad Ahlawat wrote:
> > an excerpt from RFC 2281 - Cisco HSRP
> >
> > 7. Security Considerations
>
> [SNIP]
>
> >  It is difficult to subvert the protocol from outside the
> >  LAN as most routers will not forward packets addressed to the
> >  all-routers multicast address (224.0.0.2).
>
> This does not prevent remote attacks because Cisco devices do not
> validate the destination address of a HSRP packet. Unicast packets
> are accepted, which can be tested using the hsrp tool at
> http://www.phenoelit.de/irpas/
>
> Regards
> /F

- -- 
Sharad Ahlawat.
Product Security Incident Response Team (PSIRT) Incident Manager
http://www.cisco.com/go/psirt
Phone:+1 (408) 527-6087 (Land line and Mobile)
DH/DSS key Id: 0xC12A996C
Fingerprint: 9A93 2A20 43E5 7F01 2954  C427 1A81 A898 C12A 996C
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9BuoEGoGomMEqmWwRAgVdAJ4jb3rvk+ha+a55JJvGmNVwHO6GZQCfUypa
/7CfuGKx+P3w2zo7gv/2v4E=
=B1E/
-----END PGP SIGNATURE-----
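The fix the message describes, HSRP validating the destination IP address of a received packet before processing it, is small enough to show in code. The following is an added example written for this archive page; it is not Cisco's code and not from the IRPAS tool. It assumes the packet layouts of RFC 791 (IPv4), RFC 768 (UDP) and RFC 2281 section 5.1 (HSRP on UDP port 1985), constructs two sample Hello datagrams in memory with zeroed checksums, and runs a receive-path check over them with and without the destination-address validation, so the pre-fix behaviour discussed in the thread sits next to the fixed one. The helper names and the verdict strings are choices made here, not anything from IOS.

```python
"""Added example (not from the original e-mail, Cisco or IRPAS): a minimal
IPv4/UDP parser plus an HSRP receive-path check that enforces the
destination address validation described for CSCdx82139."""
import ipaddress
import struct

HSRP_UDP_PORT = 1985                                  # RFC 2281 section 5
HSRP_ALL_ROUTERS = ipaddress.IPv4Address("224.0.0.2")  # RFC 2281 multicast destination
IPPROTO_UDP = 17


def build_ipv4_udp(src, dst, sport, dport, payload, ttl=1):
    """Assemble a constructed IPv4+UDP datagram; checksums are left at zero
    because these packets are only parsed in memory, never sent."""
    udp_len = 8 + len(payload)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + udp_len, 0, 0, ttl, IPPROTO_UDP, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return ip_hdr + udp_hdr + payload


def build_hsrp_hello(group=1, priority=100, virtual_ip="10.0.0.1"):
    """RFC 2281 5.1 packet: version 0, Hello (op 0), state Active (16),
    hellotime 3, holdtime 10, default clear-text auth string "cisco"."""
    return struct.pack("!BBBBBBBB8s4s", 0, 0, 16, 3, 10, priority, group, 0,
                       b"cisco".ljust(8, b"\0"),
                       ipaddress.IPv4Address(virtual_ip).packed)


def parse_ipv4_udp(packet):
    """Return the header fields the HSRP check needs, or None if not UDP."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != IPPROTO_UDP:
        return None
    if len(packet) < ihl + 8:
        raise ValueError("truncated UDP header")
    sport, dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    return {
        "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
        "ttl": ttl, "sport": sport, "dport": dport,
        "payload": packet[ihl + 8:ihl + udp_len],
    }


def hsrp_receive_check(packet, validate_destination=True):
    """Decide whether an HSRP process should act on this datagram.

    validate_destination=False models the pre-fix behaviour the thread
    describes (any destination address accepted); True models the fix.
    Returns a short verdict string so a caller can log or count it."""
    hdr = parse_ipv4_udp(packet)
    if hdr is None or hdr["dport"] != HSRP_UDP_PORT:
        return "not-hsrp"
    if len(hdr["payload"]) < 20:
        return "drop:short-hsrp"
    # The check at issue in the thread: HSRP is defined to arrive on the
    # all-routers multicast group, so a unicast destination is rejected.
    if validate_destination and hdr["dst"] != HSRP_ALL_ROUTERS:
        return "drop:unicast-destination"
    # Secondary indicator only: RFC 2281 sends HSRP with TTL 1, but a
    # crafted packet can arrive with TTL 1 too, so this never replaces
    # the destination check above.
    if hdr["ttl"] != 1:
        return "drop:ttl"
    _version, opcode, state = hdr["payload"][:3]
    return f"accept:op{opcode}-state{state}"


# Constructed sample datagrams (not captured traffic).
MULTICAST_HELLO = build_ipv4_udp("10.0.0.2", "224.0.0.2",
                                 HSRP_UDP_PORT, HSRP_UDP_PORT, build_hsrp_hello())
UNICAST_HELLO = build_ipv4_udp("192.0.2.9", "10.0.0.2",
                               HSRP_UDP_PORT, HSRP_UDP_PORT, build_hsrp_hello())

if __name__ == "__main__":
    for name, pkt in (("multicast", MULTICAST_HELLO), ("unicast", UNICAST_HELLO)):
        print(f"{name:9} pre-fix: {hsrp_receive_check(pkt, validate_destination=False)}"
              f"  fixed: {hsrp_receive_check(pkt)}")
```

The same destination test, applied to UDP/1985 traffic seen on a monitoring port, is also a usable detection rule while routers are still on the interim workaround: HSRP with a unicast destination address is not something a legitimate peer sends.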
