ID

VAR-200212-0835


CVE

CVE-2002-2208


TITLE

Cisco IOS EIGRP neighbor announcement ARP storm denial of service vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200212-280

DESCRIPTION

Extended Interior Gateway Routing Protocol (EIGRP), as implemented in Cisco IOS 11.3 through 12.2 and other products, allows remote attackers to cause a denial of service (flood) by sending a large number of spoofed EIGRP neighbor announcements, which results in an ARP storm on the local network.

Internet Operating System (IOS) is the firmware developed and maintained by Cisco for Cisco routers. A system sending spoofed EIGRP announcements may cause a denial of service to all routers and systems on a given network segment. Because the attempt to discover routers is not properly limited, a neighbor announcement received by the routers on a segment results in an address resolution protocol (ARP) storm that fills the network's capacity while the routers try to contact the announcing neighbor. Router resources such as CPU also become bound while the router tries to reach the announcing neighbor. It should be noted that this vulnerability can also be exploited on systems that accept EIGRP announcements via unicast. Remote attackers can use it to deny service to routers and consume all available bandwidth.

EIGRP relies on automatic discovery of neighbor routers for route discovery. An EIGRP router announces its existence by multicasting on enabled interfaces. When two routers discover each other they exchange their current topology information, and each side must also obtain the other's MAC address. If EIGRP neighbor advertisements with random source IP addresses are flooded at a router or across the whole network, every receiving Cisco router tries to contact the sender, provided the sender's IP address lies within a subnet configured on the router. The flaw in Cisco IOS is that, while contacting the sender, the router keeps requesting the sender's MAC address with no timeout; the requests stop only when the EIGRP neighbor hold time expires, and that value is supplied by the sender and can be as long as 18 hours. Multiple neighbor advertisements with non-existent source IP addresses therefore drive up the router's CPU utilization and consume a large amount of bandwidth, resulting in a denial of service. Announcements sent via IP multicast have a stronger effect. Cisco IOS versions lower than 12.0 also accept EIGRP neighbor advertisements in unicast mode, so they can be attacked across the Internet.

Arhont Ltd. - Information Security
Arhont Advisory by: Arhont Ltd
Advisory: Unauthenticated EIGRP DoS
Class: design bug
Version: EIGRP version 1.2
Model Specific: Other versions might have the same bug

DETAILS:

We have used our custom EIGRP packet generator written in Perl to evaluate the security of the EIGRP routing protocol. In the initial generator testing stage we have successfully reproduced the known DoS against EIGRP discovered by FX and described at http://www.securityfocus.com/bid/6443. This attack is canned in the generator using the --hellodos flag. The testing network was completely brought down due to the ARP storm.

Moving further, we have discovered a novel selective single peer-directed DoS attack employing the EIGRP "Goodbye Message". A goodbye message is sent when an EIGRP routing process is shutting down to tell the neighbors about the impending topology change to speed up the convergence. This feature is supported in Cisco IOS Releases later than 12.3(2), 12.3(3)B, and 12.3(2)T.

A spoofed "goodbye message" can be sent to a peer claiming that its neighbor is down, thus breaking the neighborhood:

    arhontus #/eigrp.pl --ipgoodbye 192.168.66.202 --as 65534 --source 192.168.66.191

    469573: Aug 16 2005 03:08:11.773 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.111 (Ethernet0/0) is up: new adjacency
    c2611#sh ip eigrp neigh
    IP-EIGRP neighbors for process 65534
    H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
    2   192.168.66.111          Et0/0         13 00:01:08    1  5000  1  0
    0   192.168.30.191          Se0/0         12 00:05:06    1  4500  0  198
    1   192.168.66.191          Et0/0         13 00:05:14  201  1206  0  199
    469574: Aug 16 2005 03:09:31.299 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.111 (Ethernet0/0) is down: retry limit exceeded
    c2611#
    469575: Aug 16 2005 03:09:32.818 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.111 (Ethernet0/0) is up: new adjacency
    c2611#
    469576: Aug 16 2005 03:09:56.277 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
    c2611#
    469577: Aug 16 2005 03:09:59.283 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
    469578: Aug 16 2005 03:09:59.868 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is up: new adjacency
    c2611#
    469579: Aug 16 2005 03:10:02.288 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
    c2611#
    469580: Aug 16 2005 03:10:04.676 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is up: new adjacency
    469581: Aug 16 2005 03:10:05.289 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
    c2611#
    469582: Aug 16 2005 03:10:08.290 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
    c2611#sh ip eigrp neigh
    IP-EIGRP neighbors for process 65534
    H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
    0   192.168.30.191          Se0/0         14 00:09:50    1  4500  0  286

This selective neighborhood breaking can be used for other purposes than DoS. Re-initiating the EIGRP handshake helps a sniffing attacker to find information about the EIGRP routing domain topology. Possessing such information, a skilled attacker can selectively break the neighborhood to redirect traffic the way he wants. Of course, on an unprotected EIGRP domain there is a much simpler way of traffic redirection, which is either directly injecting the routes using our packet generator or establishing a fake neighbourhood and supplying metric parameters to the legitimate peers, which would lead DUAL to favor the fake neighbor.

Risk Factor: Medium
Workarounds: Always use EIGRP MD5-based authentication.
Communication History: sent to PSIRT on 10/10/05

*According to the Arhont Ltd. policy, all of the found vulnerabilities and security issues will be reported to the manufacturer at least 7 days before releasing them to the public domains (such as CERT and BUGTRAQ). If you would like to get more information about this issue, please do not hesitate to contact Arhont team.*

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
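Both behaviours described above, the spoofed-announcement flood that triggers the ARP storm and the spoofed goodbye that repeatedly tears down one adjacency, leave a trail in the router's %DUAL-5-NBRCHANGE syslog messages. The following is an added example, not part of the advisory or of any Cisco tooling: it parses those messages and applies two simple detections from a defender's side. The sample input is copied from the c2611 console output quoted in the advisory; the 60-second window and the threshold of three down events are assumptions chosen for the illustration, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: the %DUAL-5-NBRCHANGE lines from the advisory's console output above
# (prompts and "sh ip eigrp neigh" tables omitted; the parser ignores such lines anyway).
SAMPLE_LOG = """\
469573: Aug 16 2005 03:08:11.773 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.111 (Ethernet0/0) is up: new adjacency
469574: Aug 16 2005 03:09:31.299 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.111 (Ethernet0/0) is down: retry limit exceeded
469575: Aug 16 2005 03:09:32.818 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.111 (Ethernet0/0) is up: new adjacency
469576: Aug 16 2005 03:09:56.277 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
469577: Aug 16 2005 03:09:59.283 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
469578: Aug 16 2005 03:09:59.868 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is up: new adjacency
469579: Aug 16 2005 03:10:02.288 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
469580: Aug 16 2005 03:10:04.676 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is up: new adjacency
469581: Aug 16 2005 03:10:05.289 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
469582: Aug 16 2005 03:10:08.290 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
"""

# Matches the IOS message layout seen above: optional sequence number, timestamp with
# milliseconds and zone, then the DUAL neighbor-change body.
NBRCHANGE = re.compile(
    r"^(?:\d+: )?(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d+) \w+: "
    r"%DUAL-5-NBRCHANGE: IP-EIGRP\(\d+\) (?P<asn>\d+): "
    r"Neighbor (?P<nbr>\d+\.\d+\.\d+\.\d+) \((?P<intf>[^)]+)\) "
    r"is (?P<state>up|down): (?P<reason>.+)$"
)


def parse_events(text):
    """Return neighbor-change events sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = NBRCHANGE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S.%f"),
            "asn": int(m["asn"]),
            "neighbor": m["nbr"],
            "interface": m["intf"],
            "state": m["state"],
            "reason": m["reason"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def flapping_neighbors(events, window_seconds=60, threshold=3):
    """Neighbors whose adjacency went down at least `threshold` times inside any
    `window_seconds` window (the goodbye-message pattern). Returns
    {neighbor: (max_downs_in_window, sorted list of distinct down reasons)}."""
    downs = defaultdict(list)
    for e in events:
        if e["state"] == "down":
            downs[e["neighbor"]].append(e)
    window = timedelta(seconds=window_seconds)
    result = {}
    for nbr, evs in downs.items():
        best, start = 0, 0
        for end in range(len(evs)):          # sliding window over down events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            result[nbr] = (best, sorted({e["reason"] for e in evs}))
    return result


def peak_new_adjacencies(events, window_seconds=60):
    """Per interface, the largest number of distinct neighbor addresses that formed a
    new adjacency inside one window. A flood of spoofed announcements (the ARP-storm
    variant) shows up as this number climbing far above the real neighbor count."""
    ups = defaultdict(list)
    for e in events:
        if e["state"] == "up":
            ups[e["interface"]].append(e)
    window = timedelta(seconds=window_seconds)
    peaks = {}
    for intf, evs in ups.items():
        peak = 0
        for i, first in enumerate(evs):
            seen = {x["neighbor"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            peak = max(peak, len(seen))
        peaks[intf] = peak
    return peaks


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("flapping:", flapping_neighbors(evs))
    print("peak distinct new adjacencies per interface:", peak_new_adjacencies(evs))
```

On the advisory's own output the flap detector reports 192.168.66.191 with five "Peer goodbye received" downs in well under a minute, while 192.168.66.111 (one "retry limit exceeded") stays below the threshold; the adjacency counter reports only two distinct neighbors on Ethernet0/0, which is what a healthy segment looks like. The two functions are independent so either can be wired into a syslog pipeline on its own; both only confirm that something is wrong, and the fix the advisory names, MD5 authentication on every EIGRP interface, is what stops the spoofed packets from being accepted in the first place.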

Trust: 1.35

sources: NVD: CVE-2002-2208 // BID: 6443 // VULHUB: VHN-6591 // PACKETSTORM: 42576

AFFECTED PRODUCTS

vendor: cisco // model: ios // scope: eq // version: 11.3

Trust: 1.9

vendor: cisco // model: ios // scope: eq // version: 12.2

Trust: 1.3

vendor: cisco // model: ios // scope: eq // version: 12.1

Trust: 1.3

vendor: cisco // model: ios // scope: eq // version: 12.0

Trust: 1.3

vendor: extended interior gateway routing protocol // model: extended interior gateway routing protocol // scope: eq // version: 1.2

Trust: 1.0

sources: BID: 6443 // CNNVD: CNNVD-200212-280 // NVD: CVE-2002-2208

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2002-2208
value: HIGH

Trust: 1.0

CNNVD: CNNVD-200212-280
value: HIGH

Trust: 0.6

VULHUB: VHN-6591
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2002-2208
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-6591
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-6591 // CNNVD: CNNVD-200212-280 // NVD: CVE-2002-2208

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2002-2208

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200212-280

TYPE

Design Error

Trust: 0.9

sources: BID: 6443 // CNNVD: CNNVD-200212-280

EXTERNAL IDS

db: BID // id: 6443

Trust: 2.1

db: SECUNIA // id: 7766

Trust: 1.7

db: OSVDB // id: 18055

Trust: 1.7

db: SECTRACK // id: 1005840

Trust: 1.7

db: NVD // id: CVE-2002-2208

Trust: 1.7

db: CNNVD // id: CNNVD-200212-280

Trust: 0.7

db: FULLDISC // id: 20051220 RE: AUTHENTICATED EIGRP DOS / INFORMATION LEAK

Trust: 0.6

db: FULLDISC // id: 20051219 UNAUTHENTICATED EIGRP DOS

Trust: 0.6

db: NSFOCUS // id: 4066

Trust: 0.6

db: XF // id: 10903

Trust: 0.6

db: CISCO // id: 20021220 CISCO'S RESPONSE TO THE EIGRP ISSUE

Trust: 0.6

db: BUGTRAQ // id: 20021219 RE: CISCO IOS EIGRP NETWORK DOS

Trust: 0.6

db: BUGTRAQ // id: 20051220 RE: UNAUTHENTICATED EIGRP DOS

Trust: 0.6

db: BUGTRAQ // id: 20021219 CISCO IOS EIGRP NETWORK DOS

Trust: 0.6

db: VULHUB // id: VHN-6591

Trust: 0.1

db: PACKETSTORM // id: 42576

Trust: 0.1

sources: VULHUB: VHN-6591 // BID: 6443 // PACKETSTORM: 42576 // CNNVD: CNNVD-200212-280 // NVD: CVE-2002-2208

REFERENCES

url:http://www.securityfocus.com/bid/6443

Trust: 1.7

url:http://www.securityfocus.com/archive/1/304034

Trust: 1.7

url:http://www.securityfocus.com/archive/1/304044

Trust: 1.7

url:http://www.cisco.com/en/us/tech/tk365/technologies_security_notice09186a008011c5e1.html

Trust: 1.7

url:http://www.cisco.com/warp/public/707/eigrp_issue.pdf

Trust: 1.7

url:http://lists.grok.org.uk/pipermail/full-disclosure/2005-december/040330.html

Trust: 1.7

url:http://www.osvdb.org/18055

Trust: 1.7

url:http://securitytracker.com/id?1005840

Trust: 1.7

url:http://secunia.com/advisories/7766

Trust: 1.7

url:http://www.securityfocus.com/archive/1/419898/100/0/threaded

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/10903

Trust: 1.1

url:http://marc.info/?l=full-disclosure&m=113504451523186&w=2

Trust: 1.0

url:http://xforce.iss.net/xforce/xfdb/10903

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/419898/100/0/threaded

Trust: 0.6

url:http://marc.theaimsgroup.com/?l=full-disclosure&m=113504451523186&w=2

Trust: 0.6

url:http://www.nsfocus.net/vulndb/4066

Trust: 0.6

url:/archive/1/419830

Trust: 0.3

url:/archive/1/304034

Trust: 0.3

url:/archive/1/304044

Trust: 0.3

url:http://marc.info/?l=full-disclosure&m=113504451523186&w=2

Trust: 0.1

url:http://www.securityfocus.com/bid/6443

Trust: 0.1

url:http://secunia.com/

Trust: 0.1

url:http://lists.grok.org.uk/full-disclosure-charter.html

Trust: 0.1

sources: VULHUB: VHN-6591 // BID: 6443 // PACKETSTORM: 42576 // CNNVD: CNNVD-200212-280 // NVD: CVE-2002-2208

CREDITS

FX <fx@phenoelit.de> // Paul Oxman <poxman@cisco.com> // Andrew A. Vladimirov <mlists@arhont.com>

Trust: 0.6

sources: CNNVD: CNNVD-200212-280

SOURCES

db: VULHUB // id: VHN-6591
db: BID // id: 6443
db: PACKETSTORM // id: 42576
db: CNNVD // id: CNNVD-200212-280
db: NVD // id: CVE-2002-2208

LAST UPDATE DATE

2024-08-14T14:48:13.970000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-6591 // date: 2018-10-19T00:00:00
db: BID // id: 6443 // date: 2002-12-19T00:00:00
db: CNNVD // id: CNNVD-200212-280 // date: 2006-05-01T00:00:00
db: NVD // id: CVE-2002-2208 // date: 2018-10-19T15:29:11.337

SOURCES RELEASE DATE

db: VULHUB // id: VHN-6591 // date: 2002-12-31T00:00:00
db: BID // id: 6443 // date: 2002-12-19T00:00:00
db: PACKETSTORM // id: 42576 // date: 2005-12-28T04:59:14
db: CNNVD // id: CNNVD-200212-280 // date: 2002-12-31T00:00:00
db: NVD // id: CVE-2002-2208 // date: 2002-12-31T05:00:00