-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is to acknowledge your postings regarding a Denial of Service vulnerability in the Cisco CSS 11000 platforms located at: Vulnwatch list: http://lists.insecure.org/lists/vulnwatch/2003/Jul-Sep/0073.html BUGTRAQ: http://www.securityfocus.com/archive/1/332284/2003-08-05/2003-08-11/0 The Cisco PSIRT is investigating the issue further. Once we have verified details surrounding this problem, we will post a response to both forums with more information regarding fixed software versions and applicable workarounds which can be used to mitigate the problem. Thanks. - -Mike- > ############################################################### > ID: S21SEC-025-en > Title: Cisco CSS 11000 Series DoS > Date: 04/07/2003 > Status: Solution available > Scope: Interruption of service, high CPU load. > Platforms: All/Chassis CS800. > Author: ecruz, egarcia, jandre > Location: http://www.s21sec.com/en/avisos/s21sec-025-en.txt > Release: External > ############################################################### > > S 2 1 S E C > > http://www.s21sec.com > > Cisco CSS 11000 Series Denial of service > > Description of vulnerability > ---------------------------- > > A heavy storm of TCP SYN packets directed to the circuit address of the > CSS > can cause DoS on it, high cpu load or even sudden reboots. > > The issue is known by cisco as the ONDM Ping failure (CSCdz00787). On the > CS800 chassis the > system controller module (SCM) sends ONDM (online diagnostics monitor) > pings to each SFP card > in order to see if they are alive, if the SCM doesn't get a response in > about 30 seconds the > SCM will reboot the CS800 and there will be no core. > > By attacking the circuit IP address of the CSS with SYN packets the > traffic is sent up to the SCM > over the internal MADLAN ethernet interface. If this internal interface > becomes overloaded > the ONDM ping request and response traffic can be dropped leading this to > an internal DoS > since no internal comunications are available. > > Any attacker could do this externally with a few sessions of NMAP and a > cable/ADSL internet > connection. > > Affected Versions and platforms > ------------------------------- > > This vulnerability affects the models 11800, 11150 and 11050 with chassis > CS800. > > Solution > -------- > > Upgrade to software release WebNS 5.00.110s or above. > http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_release_note0918 > 6a008014ee04.html > > AcL's to protect the circuit address are recomended. > > Additional information > ---------------------- > > These vulnerabilities have been found and researched by: > > Eduardo Cruz ecruz@s21sec.com > Emilin Garcia egarcia@s21sec.com > Jordi Andre jandre@s21sec.com > > You can find the last version of this warning in: > > http://www.s21sec.com/en/avisos/s21sec-025-en.txt > > And other S21SEC warnings in http://www.s21sec.com/en/avisos/ - -- - ---------------------------------------------------------------------------- | || || | Mike Caudill | mcaudill@cisco.com | | || || | PSIRT Incident Manager | 919.392.2855 | | |||| |||| | DSS PGP: 0xEBBD5271 | 919.522.4931 (cell)| | ..:||||||:..:||||||:.. | RSA PGP: 0xF482F607 ---------------------| | C i s c o S y s t e m s | http://www.cisco.com/go/psirt | - ---------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.2 iQA/AwUBPzPjG4pjyUnrvVJxEQJNOwCfR7b6rjXNpcAmbgXue5pk6t6+PDEAoO4n vZpl/lFWudgREMq98AwDGbFq =DY/N -----END PGP SIGNATURE-----
