Cisco Support Community

New Member

TCP state manipulation vulnerabilities in IOS

Hello,

With the recent news about TCP state manipulation, I have found out I have an older Internet-facing router that is vulnerable to attack.

It's a c2621 running:

IOS (tm) C2600 Software (C2600-IS4-M), Version 12.3(26), RELEASE SOFTWARE (fc2)

The router only has 16 MB of flash and 64 MB of main (RAM) memory.

The patched IOSs all require 32 MB of flash memory and 128 MB of RAM.

What can I do today to work around this obvious problem?

Thanks,

Pedro

3 REPLIES
Hall of Fame Super Silver

Re: TCP state manipulation vulnerabilities in IOS

Pedro

I am not sure that there is any attractive answer for your situation. It looks like, if you want to get code that fixes the problem (generally the preferred solution), you would have to upgrade the hardware.

As I understand the description of the problem, to execute the attack the bad guy must complete the three-way handshake with the router. So probably your best workaround is to control very tightly what is allowed to establish a TCP connection to the router. I would start with the access list on the public-facing interface (you do have an access list on that interface?). Make sure that connections to the router on TCP-based services are denied, or if they need to be allowed, make sure that you restrict the addresses that are allowed to make the connection. After you have controlled TCP access from outside, you might want to make a similar effort to control access from inside.

HTH

Rick

New Member

Re: TCP state manipulation vulnerabilities in IOS

The only thing this router does is DNS. It answers queries (UDP) and does zone transfers (TCP) with certain allowed hosts. Everything else is blocked.

I think I am looking ok.

Thoughts?

Hall of Fame Super Silver

Re: TCP state manipulation vulnerabilities in IOS

Pedro

If everything else is blocked and if you are controlling who can do zone transfers, then I believe that you are ok.

HTH

Rick
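The workaround discussed in this thread, written out as an inbound access list. This is an added example, not configuration posted by either participant. The ACL name, the interface and all addresses (documentation ranges) are placeholders, and it assumes the router carries no transit traffic and opens no sessions of its own that need return traffic through this interface.

```cisco
! Added example. Placeholders (assumptions, not from the thread):
!   192.0.2.1       router's public address
!   198.51.100.10   allowed zone-transfer peer
!   198.51.100.11   allowed zone-transfer peer
!   FastEthernet0/0 public-facing interface
!
ip access-list extended OUTSIDE-IN
 remark DNS queries (UDP/53) are answered for any source
 permit udp any host 192.0.2.1 eq domain
 remark Zone transfers (TCP/53) only from the allowed hosts
 permit tcp host 198.51.100.10 host 192.0.2.1 eq domain
 permit tcp host 198.51.100.11 host 192.0.2.1 eq domain
 remark No other source may complete a TCP handshake with the router
 deny tcp any host 192.0.2.1 log
 remark Everything else is blocked, as described in the thread
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in
!
! Check the per-entry match counters after applying:
!   show access-lists OUTSIDE-IN
```

Matches on the `deny tcp` entry show who is trying to open TCP connections to the router from outside the allowed set. The same pattern, applied inbound on the inside interface, covers the internal side mentioned in the first reply.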
