SANS ISC: InfoSec Handlers Diary Blog

cisco crypt lib vulnerability

Published: 2007-05-23
Last Updated: 2007-05-24 14:46:45 UTC
by donald smith (Version: 1)
What appears to be a fairly far-reaching ASN.1 DoS vulnerability in Cisco products was recently announced.
It is in a third-party crypto library that appears to have been used in lots of different Cisco products.
This affects SSH, SSL, EAP-TLS, SIP-TLS, TIDP, IPSEC, CAPF and TAPI on several different platforms depending on usage and OS.
It appears the vulnerable services/protocols may be enabled by default in some instances.
After a discussion with an informed source, Cisco IOS less than 12.3(2)T is not vulnerable unless a crypto map has been applied to the interface.

All the text in italics is quoted from the Cisco advisory available here:

Affected Products
  • Cisco IOS
  • Cisco IOS XR
  • Cisco PIX and ASA Security Appliances (only 7.x releases are affected)
  • Cisco Firewall Service Module (FWSM), all releases prior 2.3(5) and 3.1(6) are affected
  • Cisco Unified CallManager

Affected protocols in Cisco IOS
In Cisco IOS two features rely on ISAKMP - IPSec and Group Domain of Interpretation (GDOI).

Prior to IOS version 12.3(2)T, IKE was enabled by default, with no crypto configuration needed for the IOS device to process IKE messages.

12.2SXD versions of Cisco IOS have IKE enabled by default. To ensure that IKE processing is disabled, enter the global configuration command no crypto isakmp enable.

As of IOS version 12.3(2)T (which includes all 12.4-based versions), crypto configuration is required to enable IKE message processing.
In order for an IOS device to be vulnerable, a crypto map must be explicitly configured and applied to an interface.

Affected protocols in Cisco IOS XR

  • Internet Security Association and Key Management Protocol (ISAKMP)
  • In some IOS XR releases the Secure Socket Layer (SSL) may also be affected
  • Secure Shell (SSH)

Affected protocols in Cisco Firewall Service Module (FWSM)

  • Internet Security Association and Key Management Protocol (ISAKMP)

Affected protocols in Cisco Unified CallManager
  • Certificate Authority Proxy Function (CAPF)
  • Cisco TAPI Service Provider (Cisco Unified CallManager TSP)

See the advisory for mitigations, fixed software and a complete list of which products are vulnerable.
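
The IOS conditions quoted above (IKE on by default before 12.3(2)T and in 12.2SXD unless disabled, a crypto map applied to an interface required from 12.3(2)T on) can be checked against a saved running-config. The following Python is an added example, not code from this diary or from Cisco. It assumes a simplified version comparison (only a plain T train on 12.3, or any later major.minor, counts as 12.3(2)T or later; everything else is treated as default-on), and the sample configs are constructed.

```python
import re

# Constructed sample configs (not from the advisory or any real device).
SAMPLE_APPLIED = """\
crypto map VPN 10 ipsec-isakmp
!
interface FastEthernet0/0
 crypto map VPN
!
"""
SAMPLE_DEFINED_ONLY = """\
crypto map VPN 10 ipsec-isakmp
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
!
"""
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)[a-z]?\)([A-Z]*)")

def needs_crypto_config(version):
    """True if the release is 12.3(2)T or later (simplified train logic, an assumption)."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised IOS version: {version!r}")
    major, minor, build = (int(m.group(i)) for i in (1, 2, 3))
    if (major, minor) > (12, 3):
        return True
    return (major, minor) == (12, 3) and m.group(4) == "T" and build >= 2

def interfaces_with_crypto_map(config):
    """Return the interfaces that have a crypto map applied (not merely defined)."""
    found, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif not line.startswith(" "):
            current = None  # left the interface stanza
        elif current and re.match(r"\s+crypto map \S+", line):
            found.append(current)
    return found

def processes_ike(version, config):
    """Apply the quoted exposure conditions to one device's version and config."""
    if needs_crypto_config(version):
        return bool(interfaces_with_crypto_map(config))
    # Older releases and 12.2SXD: IKE is on unless explicitly disabled.
    return not re.search(r"^no crypto isakmp enable\s*$", config, re.M)
```

A True result only means the device processes IKE messages; whether it runs an affected release still has to be checked against the advisory's fixed-software list.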

Auscert day 3 update

Published: 2007-05-23
Last Updated: 2007-05-23 13:03:21 UTC
by Mark Hofman (Version: 1)
Well, the last day of the main conference has passed at Auscert and those of us not staying behind for the tutorials are winging our way back home. Quite a number of delicate heads this morning after the gala dinner last night, but the day forged on.

Keynote - Web 2.0 - Securing the Brave New World
The keynote today was Mary Ann Davidson (Oracle Corporation). Mary Ann discussed a number of the challenges facing us in the Web 2.0 world, where perimeters fade, more and more data is available, there is more to defend and the “need to share trumps the need to know”. She also discussed some of the social aspects regarding the information that is readily available to people, both within organisations as well as on the internet, and the need for stronger control over who has access to this information (at least within the organisation).

  • Know thy Enemy: deconstructing a multi-billion message spam attack & the criminals behind it - Patrick Peterson (Ironport Systems) gave an interesting presentation on the world behind spam and how it works. Patrick went into some of the specifics of how the spam is delivered, changed and again delivered. How some pieces of spam change every 15 minutes or so and how the domains associated with them are registered and used.
  • The Cyber Criminal Economy - Stas Filshtinskiy (ANZ) gave an insight into the cyber criminal economy, which in turn explained why certain things happen in our environment.
  • Large Scale Flow Collection and Analysis - Mike Newton’s (Stanford University) presentation gave us information on how the university uses Argus to collect and analyse large amounts of data at the university. The information was used for multiple purposes which included identifying compromised hosts, but also to identify the firewall rules required within their infrastructure.
  • Traditional IDS should be dead - Richard Bejtlich (TaoSecurity). Richard’s presentation went into some of the shortcomings of Intrusion Detection Systems. Essentially, providing an alert regarding an event is not enough. To identify if there is really an issue, the information has to be correlated, ideally from sources other than the one providing the alerts.
Those are pretty much all the sessions I was able to attend today. This was my first Auscert event and I enjoyed it, caught up with some old friends, made some new ones. On to the next one.


Microsoft Advisories

Published: 2007-05-23
Last Updated: 2007-05-23 01:40:47 UTC
by Mark Hofman (Version: 1)
Microsoft has just released two security advisories.
The first actually states that it does not address a security vulnerability; it provides a fix for Windows Installer. The second one is a conversion tool for Office 2003 to convert documents to the new XML format used by Office 2007 and a file block utility. The details are in the respective advisory. There is also an entry on the MSRC blog with more information on MOICE.