Revised April 24, 2008
February 10, 2003
THIS FIELD NOTICE HAS BEEN EXPIRED AND IS NO LONGER MAINTAINED OR UPDATED BY CISCO.
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE, WARRANTY OR SUPPORT. USE OF THE INFORMATION ON THIS FIELD NOTICE OR MATERIALS LINKED FROM THIS FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
All Cisco IOS® Software
This issue is not specific to any Cisco IOS software release or device configuration. The device is only vulnerable if IP routing is disabled. The IP routing is enabled by default and must be explicitly disabled if required.
If a router has IP routing disabled it will accept bogus ICMP redirect packets and modify its routing table accordingly. With IP routing is disabled the router will act as a Host and it will comply with the Host Requirements given in the RFC1122. If IP routing is enabled (which it is by default) ICMP redirect packets are received and recognized but ignored. The router will not update its routing table with the information present in the redirect packets.
This vulnerability was reported to Cisco by Ofir Arkin with at @stake (currently The Sys-Security Group, email@example.com).
By sending bogus ICMP redirect packets a malicious user can either disrupt or intercept communication from a router.
The disruption can be accomplished by advertising that a default gateway is an unused IP address from the local subnet. That will effectively prevent the router from sending any packets to any destination that is outside the local subnet.
Another possibility is to advertise a gateway that is on the completely different subnet. If there is a device that will proxy ARP request for this bogus gateway, all victim's traffic destined outside of the local subnet may be forwarded to the bogus gateway, which would cause the victim's traffic to leak out of the local subnet to a device of attacker's choosing. If there is no device that will proxy ARP requests for a bogus gateway then the scenario collapses to the first scenario where traffic is simply blocked.
The last possibility is that malicious user inserts a default gateway whose IP address is the address of the attacker's machine itself. That way a malicious user will be able to receive all victim's traffic host that is destined outside of the local subnet. That traffic can subsequently be recorded or manipulated at the attackers' will. The traffic can even be forwarded to the correct gateway so that the victim will be unable to notice what is going on. That a malicious user could participate as a default gateway and intercept and record legitimate traffic is normal operation, and is based on availability principles, and is not dependent on the vulnerability of accepting llegitimate ICMP messages.
The workaround is to prevent the router from acting upon ICMP redirect packets. This can be accomplished in the following manner:
Router(config)#no ip icmp redirect
The preferred way would be to upgrade to the fixed Cisco IOS software release. The first fixed releases are 12.2(13.03)B, 12.2(12.05)T, 12.2(12.05)S, 12.2(12.05), 12.2(12.02)S, and 12.2(12.02)T. These releases are fixed as of the time this notice was written. For the most current list of the fixed releases consult the DDTS CSCdx92043.
To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.