Cisco Information for VU#228186

Hot Standby Router Protocol (HSRP) uses weak authentication



Vendor Statement

We can confirm that the described vulnerability is present in HSRP
and, at the present time, there is no workaround for it. Customers
may consider using an HSRP and IPsec combination as described in However, this
solution does not scale well.

Cisco is deliberating the use of the IP Authentication Header for HSRP
and VRRP (Virtual Router Redundancy Protocol, RFC 2338) in future
releases of IOS.

However, there are some other factors that must be considered in
this context:

- this vulnerability can be exploited only from the local segment
(not over the Internet);
- the same effect, denial of service, can be produced by using ARP,
which cannot be protected in any way.

The last issue is especially important since it may cause a false
sense of security if a user is using a hardened version of the protocol
(whichever protocol). Even by using VRRP with the ESP+AH option, an
attacker can still disrupt the network by using ARP.
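As an added defensive illustration (not part of Cisco's statement or of this advisory): a passive monitor that decodes HSRPv1 hello packets, whose 20-byte layout follows RFC 2281, and flags hellos on the local segment that carry an unexpected authentication string or come from an address that is not one of the configured HSRP routers. The router addresses, the authentication string and the sample packets are constructed for the example.

```python
import struct
from collections import namedtuple

# HSRPv1 packet layout (RFC 2281): version, opcode, state, hellotime,
# holdtime, priority, group, reserved, 8-byte auth data, 4-byte virtual IP.
HSRP_FMT = "!8B8s4s"
HSRP_LEN = struct.calcsize(HSRP_FMT)  # 20 bytes
OPCODE_HELLO = 0
Hello = namedtuple("Hello", "src_ip state priority group auth virtual_ip")

def parse_hello(src_ip, payload):
    """Decode one HSRPv1 UDP/1985 payload; None unless it is a well-formed hello."""
    if len(payload) < HSRP_LEN:
        return None
    ver, op, state, _hello, _hold, prio, group, _rsv, auth, vip = struct.unpack(HSRP_FMT, payload[:HSRP_LEN])
    if ver != 0 or op != OPCODE_HELLO:
        return None
    return Hello(src_ip, state, prio, group, auth.rstrip(b"\x00"), ".".join(map(str, vip)))

def check_hello(h, expected_auth, known_routers):
    """Findings for a hello that does not match the segment's configured HSRP peers."""
    findings = []
    if h.auth != expected_auth:
        findings.append(f"group {h.group}: auth string mismatch from {h.src_ip}")
    if h.src_ip not in known_routers:
        findings.append(f"group {h.group}: unexpected speaker {h.src_ip} claiming priority {h.priority}")
    return findings

def build_hello(state, priority, group, auth, vip):
    """Constructed sample packet (not a capture); hellotime 3 s, holdtime 10 s."""
    return struct.pack(HSRP_FMT, 0, OPCODE_HELLO, state, 3, 10, priority, group, 0,
                       auth.ljust(8, b"\x00"), bytes(int(o) for o in vip.split(".")))

KNOWN = {"10.0.0.2", "10.0.0.3"}  # configured HSRP routers on this segment (constructed)
EXPECTED_AUTH = b"s3cr3tky"       # configured HSRP auth string (constructed)
SAMPLES = [  # (source IP, payload): normal active router, unknown host at priority 255, wrong auth
    ("10.0.0.2", build_hello(16, 100, 1, b"s3cr3tky", "10.0.0.1")),
    ("10.0.0.99", build_hello(16, 255, 1, b"s3cr3tky", "10.0.0.1")),
    ("10.0.0.3", build_hello(8, 90, 1, b"cisco", "10.0.0.1")),
]

def run_monitor(samples=SAMPLES):
    """Run every sample through the parser and checks; returns the alert strings."""
    alerts = []
    for src, payload in samples:
        h = parse_hello(src, payload)
        if h is not None:
            alerts.extend(check_hello(h, EXPECTED_AUTH, KNOWN))
    return alerts
```

In a real deployment the samples would come from a capture of UDP port 1985 on the segment; the checks themselves do not change.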

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.