Cisco Information for VU#228186
Hot Standby Router Protocol (HSRP) uses weak authentication
Vendor Information
- Date Notified:
- Statement Date:
- Date Updated: 13 Dec 2001
We can confirm that the described vulnerability is present in HSRP
and, at present, there is no workaround for it. Customers may
consider using a combination of HSRP and IPsec as described in
http://www.cisco.com/networkers/nw00/pres/2402.pdf. However, this
solution does not scale well.
Cisco is deliberating the use of the IP authentication header for HSRP
and VRRP (Virtual Router Redundancy Protocol, RFC 2338) in future
releases of IOS.
However, there are some other factors that must be considered in
- this vulnerability can be exploited only from the local segment
(not over the Internet),
- the same effect, denial of service, can be produced by using ARP,
which cannot be protected in any way.
The last issue is especially important since it may cause a false
sense of security if the user is running a hardened version of the
protocol (whichever protocol). Even when using VRRP with the ESP+AH
option, an attacker can still disrupt the network by using ARP.
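The weakness Cisco's statement confirms can be shown directly on the wire. The following is an added example, not part of Cisco's statement or of this CERT/CC note: it decodes HSRP v1 packets using the fixed 20-byte layout from RFC 2281, shows that the 8-byte authentication string travels in cleartext and is readable by any host on the segment, and then audits constructed sample traffic for the higher-priority Hello or spoofed Resign that the local-segment denial of service relies on. The IP addresses, the sample records and the audit function are assumptions made for illustration.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# HSRP v1 packet layout (RFC 2281). The packet rides in UDP port 1985 to
# 224.0.0.2. Fields, in order: version(1) opcode(1) state(1) hellotime(1)
# holdtime(1) priority(1) group(1) reserved(1) authentication data(8)
# virtual IP(4); 20 bytes total. The authentication data is a cleartext
# string (default "cisco"): anyone on the segment can read and reuse it.
HSRP_FMT = "!BBBBBBBB8s4s"
HSRP_LEN = struct.calcsize(HSRP_FMT)  # 20
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


@dataclass
class HsrpPacket:
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: str        # recovered directly from the wire, no key needed
    virtual_ip: str


def build_hsrp(opcode, state, priority, group, auth, vip, hellotime=3, holdtime=10):
    """Encode an HSRP v1 packet; used here only to construct sample traffic."""
    if len(auth) > 8:
        raise ValueError("HSRP v1 authentication data is at most 8 bytes")
    return struct.pack(HSRP_FMT, 0, opcode, state, hellotime, holdtime, priority,
                       group, 0, auth.ljust(8, b"\x00"), IPv4Address(vip).packed)


def parse_hsrp(payload):
    """Decode the fixed 20-byte HSRP v1 header from a UDP payload."""
    if len(payload) < HSRP_LEN:
        raise ValueError(f"HSRP payload too short: {len(payload)} bytes")
    ver, op, st, hello, hold, prio, grp, _rsv, auth, vip = struct.unpack(HSRP_FMT, payload[:HSRP_LEN])
    if ver != 0:
        raise ValueError(f"not HSRP v1 (version field {ver})")
    return HsrpPacket(OPCODES.get(op, f"opcode{op}"), STATES.get(st, f"state{st}"),
                      hello, hold, prio, grp,
                      auth.rstrip(b"\x00").decode("ascii", errors="replace"),
                      str(IPv4Address(vip)))


def recover_auth_strings(records):
    """Return every authentication string visible in the captured records."""
    return {parse_hsrp(payload).auth for _src, payload in records}


def audit_hsrp(records, known_routers, active_priority):
    """
    records: (source IPv4, UDP payload) pairs as a sniffer on the segment sees them.
    known_routers: addresses of the legitimate HSRP routers for the group (assumed).
    active_priority: priority of the legitimate active router (assumed).
    Flags packets from any other host that would disrupt the group: a Hello or
    Coup advertising a higher priority than the real active router (takeover of
    the virtual IP) or a Resign (forces an unnecessary failover).
    """
    findings = []
    for src, payload in records:
        pkt = parse_hsrp(payload)
        if src in known_routers:
            continue
        if pkt.opcode in ("Hello", "Coup") and pkt.priority > active_priority:
            findings.append(f"{src}: {pkt.opcode} for group {pkt.group} claims priority "
                            f"{pkt.priority} > {active_priority} using auth {pkt.auth!r}; "
                            f"would take over virtual IP {pkt.virtual_ip}")
        elif pkt.opcode == "Resign":
            findings.append(f"{src}: Resign for group {pkt.group} from a non-router host")
        else:
            findings.append(f"{src}: unexpected HSRP {pkt.opcode} from a non-router host")
    return findings


def sample_records():
    """Constructed sample traffic for one HSRP group (not a real capture)."""
    vip = "192.0.2.254"
    return [
        ("192.0.2.1", build_hsrp(0, 16, 100, 1, b"cisco", vip)),   # real active router
        ("192.0.2.2", build_hsrp(0, 8, 90, 1, b"cisco", vip)),     # real standby router
        ("192.0.2.66", build_hsrp(0, 16, 255, 1, b"cisco", vip)),  # rogue host reusing the sniffed string
        ("192.0.2.67", build_hsrp(2, 16, 100, 1, b"cisco", vip)),  # rogue Resign
    ]


if __name__ == "__main__":
    recs = sample_records()
    print("authentication strings visible on the wire:", recover_auth_strings(recs))
    for line in audit_hsrp(recs, {"192.0.2.1", "192.0.2.2"}, active_priority=100):
        print(line)
```

The audit only catches the HSRP side of the problem. As the statement notes, a host on the same segment can reach the same outcome with ARP, which this decoder does not see; the check is a visibility aid for the local-segment threat, not a substitute for the authenticated transport Cisco describes as future work.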
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.