1. Introduction
Source Routed Packet Weakness affects network devices that accept loose source routed IP packets. This feature, originally intended for testing, can be exploited to bypass IP filtering rules and potentially compromise systems. It is most commonly found on Cisco networking equipment but may exist in other implementations handling IP traffic. A successful exploit could impact confidentiality, integrity, or availability depending on the broader network configuration.
2. Technical Explanation
The vulnerability occurs because the host processes loose source routed packets without sufficient validation. An attacker can craft malicious packets that manipulate routing information to redirect traffic or bypass security checks. Exploitation requires the target system to be configured to accept these packets, which is often a default setting for testing purposes.
- Root cause: The host does not properly filter or validate loose source routed IP packets.
- Exploit mechanism: An attacker sends crafted IP packets with manipulated routing headers to bypass filtering and potentially redirect traffic. For example, an attacker could attempt to spoof the source address of a packet to gain access to internal networks.
- Scope: Cisco devices are commonly affected, but other network equipment handling IP traffic may also be vulnerable.
3. Detection and Assessment
To confirm vulnerability, check if your system accepts loose source routed packets. A thorough method involves packet capture analysis during a test attempt.
- Quick checks: Use the `ping` command with the `-R` option to send a source-routed packet. If the ping succeeds, the host likely accepts these packets.
- Scanning: Nessus plugin ID 10853 can detect this vulnerability on Cisco devices as an example.
- Logs and evidence: Examine network traffic captures for IP packets with the ‘SR’ flag set in the IP header.
ping -R 4. Solution / Remediation Steps
The recommended solution is to drop source routed packets on affected hosts or upstream network devices like routers and firewalls. This prevents attackers from exploiting the weakness.
4.1 Preparation
- Ensure you have console access or another reliable method to revert changes if needed. A roll back plan involves restoring the previous configuration.
- Changes should be made during a scheduled maintenance window with appropriate approvals from network administrators.
4.2 Implementation
- Step 1: Configure your firewall or router to drop all incoming packets with the source route option set.
- Step 2: If possible, disable processing of loose source routed packets on the host itself through its operating system configuration.
4.3 Config or Code Example
Before
! No specific source route filtering configuredAfter
ip access-list extended NO_SOURCE_ROUTE
deny ip any any source-route
permit ip any any
interface GigabitEthernet0/0
ip access-group NO_SOURCE_ROUTE in 4.4 Security Practices Relevant to This Vulnerability
Practices like least privilege and input validation are relevant here. Least privilege limits the impact of a successful exploit, while input validation prevents malicious packets from being processed.
- Practice 1: Implement least privilege principles by restricting network access based on need.
4.5 Automation (Optional)
# Example Ansible snippet for Cisco IOS devices
- name: Block Source Route Packets
cisco.ios.ios_config:
lines:
- ip access-list extended NO_SOURCE_ROUTE
- deny ip any any source-route
- permit ip any any
parents: interface GigabitEthernet0/0
become: yes 5. Verification / Validation
Confirm the fix by attempting to send a source routed packet and verifying it is blocked. A smoke test should ensure normal network connectivity remains unaffected.
- Post-fix check: Run `ping -R
` again. The ping should now fail, indicating packets are being dropped. - Re-test: Repeat the initial detection method (packet capture) to confirm no source routed packets are accepted.
- Smoke test: Verify basic network connectivity by pinging other internal hosts or accessing essential services.
ping -R # Should fail after remediation 6. Preventive Measures and Monitoring
Update security baselines to include source route packet filtering as a standard configuration item. Consider adding checks in your CI/CD pipeline to prevent the reintroduction of this vulnerability.
- Baselines: Include source route packet filtering in network device hardening standards like CIS benchmarks.
7. Risks, Side Effects, and Roll Back
Blocking source routed packets should not impact normal network traffic. However, it may affect specific applications or services that rely on this feature for testing purposes. A roll back involves removing the filtering rules from your firewall or router configuration.
- Risk or side effect 1: Potential disruption of legacy testing tools relying on source routing.
- Roll back: Remove the access list and any related configurations to re-enable source route packet processing.
8. References and Resources
- Vendor advisory or bulletin: http://www.faqs.org/faqs/cisco-networking-faq/section-23.html