COMMAND
SmartSwitch Router
SYSTEMS AFFECTED
Cabletron SmartSwitch Router 8000 Firmware v2.x
PROBLEM
The following is based on a BindView Security Advisory. Cabletron's
SSR is a Layers 2-4 routing and switching device with one of the
fastest switching architectures in the industry. Attackers can
cause the SSR to stop handling any network traffic. BindView has
confirmed the vulnerability only in the SSR 8000 running firmware
revision 2.x. Due to the nature of the problem, other equipment
may be vulnerable, including other manufacturers' products. A
malicious attacker can cause the SSR to stop functioning for as
long as the attacker can continue feeding packets to the device.
Cabletron indicates that the bottleneck appears to occur in the
ARP handling mechanism of the SSR. The SSR appears to only be
capable of handling ~200 ARP requests per second. Thus, by
initiating network traffic to more than this critical number of IP
addresses, an attacker can cause the router to stop functioning
while the ARP handler is flooded. In extreme cases, with input
rates only available on the local network, it may be possible to
corrupt the SSR's configuration with a sustained flood of new IP
addresses. The danger in this problem arises from the fact that
many perimeter defenses (firewalls) permit ICMP through, which
means that remote, anonymous attackers may be able to crash the
SSR.
SOLUTION
Upgrade your SSR firmware to version 3.x:
http://www.cabletron.com/download/download.cgi?lib=ssr
Note that perimeter firewalls that don't let some ICMP through
are broken (if anyone from certain large search/net companies
beginning with A and Y is listening....). With return ICMP "must
fragment" messages blocked, the host isn't properly accessible (in
many cases not accessible at all) over lower-MTU paths like
secure tunnels, groups of machines behind low-MTU PPP links, etc.
A perimeter firewall can (and probably should) do stateful
checking of the ICMPs, perhaps with rate limiting too.
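
For sites that cannot upgrade immediately, the ARP bottleneck described under PROBLEM can be watched for from flow records. The following is an added example, not part of the BindView advisory or Cabletron's code: it counts, per second, how many previously unseen destination addresses inbound traffic touches and flags any second above the ~200/s figure. The record format, the function names and the sample data are assumptions, and ARP cache expiry is not modelled.

```python
from collections import Counter, defaultdict

ARP_LIMIT = 200  # approximate ARP requests/second the advisory gives for the SSR


def arp_pressure(records, limit=ARP_LIMIT, cached=()):
    """Return [(second, new_destinations, top_source)] for seconds over limit.

    records: iterable of (timestamp, src_ip, dst_ip) for packets routed toward
    directly attached subnets. Each destination not seen before is assumed to
    cost the router one ARP request; `cached` lists addresses already resolved.
    """
    seen = set(cached)
    new_per_sec = defaultdict(Counter)  # second -> Counter(source -> new dsts)
    for ts, src, dst in sorted(records):
        if dst not in seen:
            seen.add(dst)
            new_per_sec[int(ts)][src] += 1
    alerts = []
    for sec in sorted(new_per_sec):
        total = sum(new_per_sec[sec].values())
        if total > limit:
            top_source = new_per_sec[sec].most_common(1)[0][0]
            alerts.append((sec, total, top_source))
    return alerts


def sample_records():
    """Constructed flow records (private and documentation address ranges)."""
    recs = []
    # Seconds 0-4: ordinary traffic, three clients talking to the same 20 hosts.
    for sec in range(5):
        for i in range(20):
            recs.append((sec + i / 100, f"198.51.100.{i % 3 + 1}", f"10.0.0.{i + 1}"))
    # Second 5: a single source touches 300 addresses never seen before.
    for i in range(300):
        dst = f"10.0.{1 + i // 250}.{i % 250 + 1}"
        recs.append((5 + i / 1000, "203.0.113.9", dst))
    return recs


if __name__ == "__main__":
    for sec, count, src in arp_pressure(sample_records()):
        print(f"t={sec}s: {count} new destinations (> {ARP_LIMIT}/s), top source {src}")
```

An alert names the source responsible for most of the new destinations in that second, which is the address a perimeter rate limit would be applied to.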