Bugtraq mailing list archives
Re: Cisco HSRP Weakness/DoS
From: "Steven M. Bellovin" <smb () RESEARCH ATT COM>
Date: Thu, 3 May 2001 22:53:01 -0400
In message <200105031757.TAA05508 () ns wcd se>, bashis writes:
> Hi
>
> I was playing with Cisco's HSRP (Hot Standby Routing Protocol), and there is a (major) weakness in that protocol that allows any host in a LAN segment to make a HSRP DoS.
>
> Short (very) explanation of HSRP: HSRP uses UDP on port 1985 to multicast address 224.0.0.2, and the authentication is in clear text. (default: cisco)
>
> I include a small program that sends out a fake HSRP packet when it hears a legal HSRP packet, as a "proof of concept" code...
>
> Vendor was notified about this 14 April 2001, and their response was to use HSRP with IPSec.
> http://www.cisco.com/networkers/nw00/pres/2402.pdf
Their response was precisely correct. Given the evils that can be done with ARP-spoofing, this sort of misbehavior by someone already on the LAN can't easily be prevented.

More generally, have a look at RFC 2338, on VRRP -- the Virtual Router Redundancy Protocol. VRRP is the standards-track replacement for HSRP. The Security Considerations section explains when to use each type of authentication, up to and including IPsec.

Cisco's real mistake is in having a common default authentication word -- not because it's a security failure, but because it can no longer fulfill its function of guarding against configuration errors.

--Steve Bellovin, http://www.research.att.com/~smb
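The two points the thread makes about HSRP -- that the authentication word travels in clear text with a well-known default, and that any LAN host can contend for the Active role -- are both visible to a passive observer of the hello traffic. The following Python is an added example written for this archive page, not code from the post, from Cisco, or from the RFC; it assumes the HSRP v1 message layout from RFC 2281 (a fixed 20 bytes: version, op code, state, hellotime, holdtime, priority, group, reserved, 8-byte authentication data, virtual IP), which the post itself does not spell out, and the sample "captures" are constructed inline rather than taken from a real network. It parses the messages and reports the default auth word and any second source claiming Active for a group, which is the condition a defender would alert on.

```python
"""Parse HSRP v1 hellos (RFC 2281 layout) and flag the weaknesses discussed in
the thread: the clear-text default authentication word and a second host
contending for the Active role in a group. Defensive/monitoring use only."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

HSRP_UDP_PORT = 1985             # from the post
HSRP_MCAST_GROUP = "224.0.0.2"   # from the post
DEFAULT_AUTH = b"cisco"          # default auth word named in the post

# Op code and state values as defined in RFC 2281 (assumed, not from the post).
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


@dataclass
class HsrpMessage:
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: bytes        # the 8-byte field is sent in the clear, so it is readable here
    virtual_ip: str


def parse_hsrp_v1(payload: bytes) -> HsrpMessage:
    """Decode the fixed 20-byte HSRP v1 message carried in the UDP payload."""
    if len(payload) < 20:
        raise ValueError("HSRP v1 message is 20 bytes, got %d" % len(payload))
    version, op, state, hello, hold, prio, group, _reserved = struct.unpack("!8B", payload[:8])
    if version != 0:  # RFC 2281 uses version 0 for HSRP v1
        raise ValueError("not an HSRP v1 message (version %d)" % version)
    auth = payload[8:16]
    vip = ".".join(str(b) for b in payload[16:20])
    return HsrpMessage(OPCODES.get(op, "Unknown(%d)" % op),
                       STATES.get(state, "Unknown(%d)" % state),
                       hello, hold, prio, group, auth, vip)


def audit_hsrp(captures: List[Tuple[str, bytes]]) -> List[str]:
    """Run defensive checks over (source_ip, udp_payload) pairs observed on the LAN."""
    findings: List[str] = []
    active_by_group: Dict[int, Tuple[str, int]] = {}   # group -> (source, priority)
    for src, payload in captures:
        msg = parse_hsrp_v1(payload)
        word = msg.auth.rstrip(b"\x00")
        if word == DEFAULT_AUTH:
            findings.append("group %d: %s uses default auth word 'cisco'" % (msg.group, src))
        if msg.state == "Active":
            known = active_by_group.get(msg.group)
            if known is None:
                active_by_group[msg.group] = (src, msg.priority)
            elif known[0] != src:
                # A second source claiming Active for the same group is exactly the
                # contention an on-LAN host can cause; surface it for investigation.
                findings.append(
                    "group %d: second Active claimant %s (prio %d) while %s (prio %d) is Active"
                    % (msg.group, src, msg.priority, known[0], known[1]))
    return findings


def _sample(state: int, prio: int, group: int, auth: bytes, vip: str) -> bytes:
    """Constructed sample HSRP v1 hello for exercising the parser; not a real capture."""
    auth_field = auth.ljust(8, b"\x00")[:8]
    return (struct.pack("!8B", 0, 0, state, 3, 10, prio, group, 0)
            + auth_field + bytes(int(o) for o in vip.split(".")))


# Constructed scenario: two routers sharing group 1 with the default auth word,
# then an unexpected third host announcing itself Active at priority 255.
SAMPLE_CAPTURES = [
    ("192.0.2.1", _sample(16, 100, 1, b"cisco", "192.0.2.254")),   # legitimate Active router
    ("192.0.2.2", _sample(8, 90, 1, b"cisco", "192.0.2.254")),     # legitimate Standby router
    ("192.0.2.77", _sample(16, 255, 1, b"cisco", "192.0.2.254")),  # unexpected Active claimant
]

if __name__ == "__main__":
    for line in audit_hsrp(SAMPLE_CAPTURES):
        print(line)
```

In a real deployment the `(source_ip, payload)` pairs would come from a capture filter on UDP port 1985 to 224.0.0.2; the sample list stands in for that. Note that the check can only tell you that contention happened, not who is legitimate, which is why the thread's advice (a non-default authentication word to catch misconfiguration, IPsec or VRRP's stronger authentication against hostile hosts) remains the actual fix.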
Current thread:
- Cisco HSRP Weakness/DoS bashis (May 03)
- <Possible follow-ups>
- Re: Cisco HSRP Weakness/DoS Steven M. Bellovin (May 03)
- Re: Cisco HSRP Weakness/DoS bashis (May 05)
- Re: Cisco HSRP Weakness/DoS Damir Rajnovic (May 16)