Vigil@nce: Cisco IPS, denial of service via jumbo Ethernet
June 2008 by Vigil@nce
SYNTHESIS
An attacker can send a jumbo Ethernet frame in order to stop Cisco
IPS in inline mode.
Gravity: 2/4
Consequences: denial of service of service
Provenance: LAN
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 18/06/2008
Identifier: VIGILANCE-VUL-7902
IMPACTED PRODUCTS
– Cisco IPS [confidential versions]
DESCRIPTION
The Cisco IPS product can be installed:
– in inline mode (cut mode)
– in promiscuous mode (capture)
– in hybrid mode (both)
When Cisco IPS is in inline mode, and has Ethernet Gigabit
interfaces, an attacker can send a malicious jumbo Ethernet frame
in order to stop the IPS (kernel panic).
A network attacker can thus block the flow of data, except for
4260 and 4270 platforms which have the "hardware bypass" feature
(data flows but it is not analyzed).
CHARACTERISTICS
Identifiers: 107191, BID-29791, cisco-sa-20080618-ips, CSCso64762,
CVE-2008-2060, VIGILANCE-VUL-7902