( Appending my earlier email to this thread for ref.) Srini,
An attacker would not need to craft or have mention of (the vulnerable Cisco IOS code) 'version 12.3' into the PPTP packet. Also, if there is non-Cisco deployment for PPTP, you don't even have to worry about adding signature to IPS/IDS as this vulnerability affects only Cisco IOS. Thanks Aditya Mukadam On Mon, Jul 7, 2008 at 9:39 PM, Srinivasa Addepalli <[EMAIL PROTECTED]> wrote: > You are right that these kinds of DoS attacks are difficult to detect > at Network IDS/IPS level due to the problems you mentioned - false > positives and false negatives. > > I suggest that you consider "version" of cisco routers in your rules > to avoid false positives in deployment scnearios where CISCO routers > are not used. > > Thanks > Srini > ====================================================== --------- Forwarded message ---------- From: Secure Scorp <[EMAIL PROTECTED]> Date: Sat, Jul 5, 2008 at 1:19 PM Subject: Re: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS) To: Ravi Chunduru <[EMAIL PROTECTED]> Cc: Focus IDS <[email protected]> This vulnerablity as described by Cisco occurs when the PPTP session is terminated. Please note it states 'terminated'. If terminates means log off then it means that a legitimate active connective has logged off etc. For this vulnerablity to be exploited the user should be a legitimate user.I think it is difficult to write a signature for such legitimate users.Even if we write any signatures, we are bound to get false positives as you correctly mentioned. There is no possible work around in the Cisco configuration as well. I don't think so that anyone can carry out DoS to exploit this vulnerablity.If we still want to write some signatures then we should write it for TCP 1723 and GRE (protocol 47) with higher rate OR only on TCP 1723 as it is the connection channel. Cisco has released a software to address this issue. The best and fastest way to go about this vulnerablity is to patch the router than spending resources on writing signatures which are bound to give false positives. Note: PPTP initiates/terminates the connections on TCP 1723 and the data is sent using/encapsulating GRE (protocol 47). Thanks, Aditya.Govind.Mukadam ====================================================== > On Fri, Jul 4, 2008 at 9:03 AM, Ravi Chunduru > <[EMAIL PROTECTED]> wrote: >> >> Please see these links for more information on vulnerability: >> >> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1151 >> http://www.cisco.com/en/US/products/products_security_advisory09186a0080969862.shtml >> >> According to this vulnerability report, PPTP process in CISCO routers >> leak memory upon every PPTP termination. Eventually memory is used up >> and no other PPTP connections are entertained. >> >> How does one go about writing signatures for detecting exploits >> targeting this vulnerability? >> Only possibility I can think of, based on capabilities of signature >> language, is to check for the rate at which these PPTP connections are >> made. If it checks for higher rate, there could be false negatives >> where attacker makes the connections at very slow rate. If it checks >> for lower rate, then there is possibility of false positives. What is >> the right way of writing signatures? >> >> >> thanks >> Ravi >> >> ------------------------------------------------------------------------ >> Test Your IDS >> >> Is your IDS deployed correctly? >> Find out quickly and easily by testing it >> with real-world attacks from CORE IMPACT. >> Go to >> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw >> to learn more. >> ------------------------------------------------------------------------ >> > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it > with real-world attacks from CORE IMPACT. > Go to > http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw > to learn more. > ------------------------------------------------------------------------ > > ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
