Bugtraq mailing list archives
Re: Cisco CSS 11000 Series DoS
From: Mike Caudill <mcaudill () cisco com>
Date: Fri, 8 Aug 2003 13:51:40 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is to acknowledge your postings regarding a Denial of Service vulnerability in the Cisco CSS 11000 platforms located at:

Vulnwatch list: http://lists.insecure.org/lists/vulnwatch/2003/Jul-Sep/0073.html
BUGTRAQ: http://www.securityfocus.com/archive/1/332284/2003-08-05/2003-08-11/0

The Cisco PSIRT is investigating the issue further. Once we have verified details surrounding this problem, we will post a response to both forums with more information regarding fixed software versions and applicable workarounds which can be used to mitigate the problem.

Thanks.

- -Mike-

###############################################################
ID: S21SEC-025-en
Title: Cisco CSS 11000 Series DoS
Date: 04/07/2003
Status: Solution available
Scope: Interruption of service, high CPU load.
Platforms: All/Chassis CS800.
Author: ecruz, egarcia, jandre
Location: http://www.s21sec.com/en/avisos/s21sec-025-en.txt
Release: External
###############################################################

S 2 1 S E C

http://www.s21sec.com

Cisco CSS 11000 Series Denial of service

Description of vulnerability
----------------------------

A heavy storm of TCP SYN packets directed to the circuit address of the CSS can cause DoS on it, high CPU load or even sudden reboots.

The issue is known by Cisco as the ONDM Ping failure (CSCdz00787). On the CS800 chassis the system controller module (SCM) sends ONDM (online diagnostics monitor) pings to each SFP card in order to see if they are alive; if the SCM doesn't get a response in about 30 seconds the SCM will reboot the CS800 and there will be no core.

By attacking the circuit IP address of the CSS with SYN packets the traffic is sent up to the SCM over the internal MADLAN ethernet interface. If this internal interface becomes overloaded the ONDM ping request and response traffic can be dropped leading this to an internal DoS since no internal communications are available.

Any attacker could do this externally with a few sessions of NMAP and a cable/ADSL internet connection.

Affected Versions and platforms
-------------------------------

This vulnerability affects the models 11800, 11150 and 11050 with chassis CS800.

Solution
--------

Upgrade to software release WebNS 5.00.110s or above.

http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_release_note09186a008014ee04.html

ACLs to protect the circuit address are recommended.

Additional information
----------------------

These vulnerabilities have been found and researched by:

Eduardo Cruz ecruz () s21sec com
Emilin Garcia egarcia () s21sec com
Jordi Andre jandre () s21sec com

You can find the last version of this warning in:

http://www.s21sec.com/en/avisos/s21sec-025-en.txt

And other S21SEC warnings in http://www.s21sec.com/en/avisos/

- --
- ----------------------------------------------------------------------------
| || || | Mike Caudill | mcaudill () cisco com |
| || || | PSIRT Incident Manager | 919.392.2855 |
| |||| |||| | DSS PGP: 0xEBBD5271 | 919.522.4931 (cell)|
| ..:||||||:..:||||||:.. | RSA PGP: 0xF482F607 ---------------------|
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt |
- ----------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBPzPjG4pjyUnrvVJxEQJNOwCfR7b6rjXNpcAmbgXue5pk6t6+PDEAoO4n
vZpl/lFWudgREMq98AwDGbFq
=DY/N
-----END PGP SIGNATURE-----
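
A defender-side check for the condition the quoted advisory describes, added here as an example that is not part of either post or of Cisco's or S21SEC's material: it counts bare-SYN packets addressed to the circuit address in a sliding 30-second window (the ONDM timeout the advisory cites) and raises one alert each time the count crosses a threshold. The log format, the addresses and the threshold are constructed assumptions.

```python
from collections import deque

# Assumptions (not from the advisory): log format, addresses and threshold.
CIRCUIT_IP = "192.0.2.10"   # placeholder circuit address (documentation range)
WINDOW_S = 30               # advisory: SCM reboots after ~30 s without ONDM replies
SYN_THRESHOLD = 200         # constructed value; tune to the device's own baseline


def parse(line):
    """Parse 'epoch src dst dport flags' (constructed format) into typed fields."""
    ts, src, dst, dport, flags = line.split()
    return float(ts), src, dst, int(dport), flags


def syn_alerts(lines, circuit_ip=CIRCUIT_IP, window=WINDOW_S, threshold=SYN_THRESHOLD):
    """Return one alert per excursion of bare SYNs to circuit_ip above threshold."""
    recent = deque()        # (ts, src, dport) of SYNs still inside the window
    alerts, alerting = [], False
    for line in lines:
        ts, src, dst, dport, flags = parse(line)
        if dst != circuit_ip or flags != "S":
            continue        # only SYN-only packets aimed at the circuit address
        recent.append((ts, src, dport))
        while recent and recent[0][0] <= ts - window:
            recent.popleft()
        over = len(recent) > threshold
        if over and not alerting:   # report the crossing, not every packet after it
            alerts.append({"at": ts, "syns": len(recent),
                           "sources": len({s for _, s, _ in recent}),
                           "ports": len({p for _, _, p in recent})})
        alerting = over
    return alerts


def sample_log():
    """Constructed sample: sparse baseline SYNs, then a burst across many ports."""
    lines = [f"{t}.0 198.51.100.7 {CIRCUIT_IP} 23 S" for t in range(0, 60, 10)]
    lines += [f"{100 + i * 0.05:.2f} 203.0.113.{i % 3 + 1} {CIRCUIT_IP} {1 + i} S"
              for i in range(400)]
    lines.append("125.0 198.51.100.7 192.0.2.99 80 S")  # other destination, ignored
    return lines


if __name__ == "__main__":
    for alert in syn_alerts(sample_log()):
        print(alert)
```

A high `ports` count alongside the SYN count matches the port-scan style traffic the advisory mentions; the same counter can drive an ACL review for the circuit address.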