Cisco: Malicious ICMP messages could cause denial of service

By Bill Brenner, News Writer 13 Apr 2005 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

A publicly available document on how to use how the Internet Control Message Protocol (ICMP) to launch denial-of-service attacks has prompted Cisco Systems to issue an advisory outlining a variety of vulnerable products.

"A document that describes how the ICMP could be used to perform a number of denial-of-service attacks against the Transmission Control Protocol [TCP] has been made publicly available," the San Jose, Calif.-based networking giant said in the advisory. "This document has been published through the Internet Engineering Task Force Internet Draft process, and is entitled 'ICMP Attacks Against TCP.'"

Cisco said three types of attacks can occur:

• Those using ICMP "hard" error messages;
• Those using ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery [PMTUD] attacks; and
• Those using ICMP "source quench" messages.

"Successful exploitation of attacks using crafted ICMP 'hard' error messages may

Read more on Cisco Cisco patches multiple IOS flaws Cisco makes case for self-defending networks

result in connections being dropped," Cisco said. "Successful exploitation of attacks based on 'fragmentation needed and DF bit set' [or PMTUD attacks] and ICMP 'source quench' error messages may result in connections being throttled to very low throughput."

While throughput is low, Cisco warned that "the output buffer of a sending host could overflow or packets could be dropped or be unnecessarily fragmented, which may affect applications and communication efficiency. Accordingly, crafted ICMP packets could interfere with network protocols, such as the Border Gateway Protocol, Label Distribution Protocol [LDP] and Data-Link Switching [DLSw]."

The company added that a PMTUD attack could push the CPU into overdrive and that extra memory on the receiving host could be eaten up because the CPU "will spend time and memory buffers to reassemble the incoming fragmented packets."

The advisory outlines free software available to fix the vulnerabilities in Cisco's products. It also outlines a list of workarounds for IT shops that can't immediately upgrade their systems.

Vulnerable Cisco products include:

• Internetwork Operating Software [IOS]
• IOS XR
• IP Phones
• PIX Security Appliance
• Catalyst 6608 and 6624
• Cisco 11000 and 11500
• Cisco GSS
• MDS 9000
• VPN 5000 Concentrator
• Some ONS products

Digg This!     StumbleUpon     Del.icio.us

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary