COMMAND

    SmartSwitch Router

SYSTEMS AFFECTED

    Cabletron SmartSwitch Router 8000 Firmware v2.x

PROBLEM

    Following is  based on  BindView Security  Advisory.   Cabletron's
    SSR is a Layers 2-4 routing  and switching device with one of  the
    fastest switching  architectures in  the industry.   Attackers can
    cause the SSR to stop handling any network traffic.  Bindview only
    confirms  the  vulnerability  in  the  SSR  8000  running firmware
    revision 2.x.  Due to  the nature of the problem,  other equipment
    may be  vulnerable, including  other manufacturers'  products.   A
    malicious attacker can  cause the SSR  to stop functioning  for as
    long as the attacker can continue feeding packets to the device.

    Cabletron indicates that  the bottleneck appears  to occur in  the
    ARP handling mechanism  of the SSR.   The SSR appears  to only  be
    capable  of  handling  ~200  ARP  requests  per  second.  Thus, by
    initiating network traffic to more than this critical number of IP
    addresses, an attacker  can cause the  router to stop  functioning
    while the ARP  handler is flooded.   In extreme cases,  with input
    rates only available on the  local network, it may be  possible to
    corrupt the SSR's configuration with  a sustained flood of new  IP
    addresses.  The danger in  this problem arises from the  fact that
    many  perimeter  defenses  (firewalls)  permit ICMP through, which
    means that remote,  anonymous attackers may  be able to  crash the
    SSR.

SOLUTION

    Upgrade your SSR firmware to version 3.x:

        http://www.cabletron.com/download/download.cgi?lib=ssr

    Note that  perimiter firewalls  that don't  let some  ICMP through
    are  broken  (If  anyone  from  certain large search/net companies
    beginning with A and Y  are listening....). With return ICMP  must
    fragment messages  blocked the  host isnt  properly accessible (in
    many  cases  not  accessible  at  all)  over  lower MTU paths like
    secure tunnels, groups of machines  behind low mtu ppp links  etc.
    A  perimiter  firewall  can  (and  probably  should)  do  stateful
    checking of the ICMPs perhaps with rate limiting too.