AN EMERGING ISSUE WITH:

THREE DoS VULNERABILITIES IN CISCO 600 SERIES DSL ROUTERS


SEVERITY:
Medium

DATE:
May 24, 2002


SUMMARY:

A post to Bugtraq late on May 23 described three Denial of Service
(DoS) vulnerabilities in Cisco Broadband Operating System (CBOS) for
Cisco 600 series routers. A remote hacker could exploit these
vulnerabilities to disrupt your Internet connection. There is no
direct impact on WatchGuard products. DSL customers using Cisco 600
series routers should update their CBOS software or apply Cisco's
workarounds as soon as possible.


EXPOSURE:

Cisco 600 series routers are popular among residential and business
DSL users. These routers run the Cisco Broadband Operating System
(CBOS).

A security advisory <http://www.cisco.com/warp/public/707/CBOS-DoS.shtml>
from Cisco describes three new DoS vulnerabilities found
in CBOS version 2.4.4 and earlier. All three of these DoS
vulnerabilities are due to the router's inability to handle large
packets.

By sending a large packet to the DHCP or Telnet port of your 600
series router, or by sending many large packets to any port on your
router, a remote hacker can lock up the router. This prevents all
Internet traffic until you reboot the router.


SOLUTION PATH:

Cisco's release of CBOS version 2.4.5 fixes these issues. You can
download CBOS version 2.4.5 from the "Service and Support" section
of Cisco's Web page <http://www.cisco.com>. See the "Obtaining Fixed
Software" section of their advisory for details.
<http://www.cisco.com/warp/public/707/CBOS-DoS.shtml>

Cisco also provides workarounds for these vulnerabilities in the
"Workarounds" section of their advisory.
<http://www.cisco.com/warp/public/707/CBOS-DoS.shtml>