Cisco Affected

Updated:  December 13, 2001

Status

Affected

Vendor Statement

We can confirm that the described vulnerability is present in HSRP and, at the present time, there is no workaround for it. Customers may consider using the HSRP and IPsec combination as described in http://www.cisco.com/networkers/nw00/pres/2402.pdf. However, this solution does not scale well. Cisco is deliberating usage of the IP Authentication Header for HSRP and VRRP (Virtual Router Redundancy Protocol, RFC 2338) in future releases of IOS. However, there are some other factors that must be considered in this context:

- this vulnerability can be exploited only from the local segment (not over the Internet),
- the same effect, denial of service, can be produced by using ARP, which cannot be protected in any way.

The last issue is especially important since it may cause a false sense of security if the user is using a hardened version of the protocol (whichever protocol). Even by using VRRP and the ESP+AH option, an attacker can still disrupt the network by using ARP.
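The vendor statement's closing point is that a hardened redundancy protocol does not stop an attacker on the same segment from taking over the gateway address with ARP. That cannot be prevented at the protocol level, but it can be detected. The following is an added example, not Cisco's or the CERT/CC's code: a small monitor that inspects ARP frames seen on the segment and flags any frame that binds the HSRP virtual IP to a MAC other than the HSRPv1 virtual MAC (00:00:0c:07:ac:<group>). The monitor design, the gateway address 192.0.2.1, the group number and the ARP records are all assumptions constructed for illustration; a real deployment would feed it frames from a SPAN port or a capture library.

```python
"""
Detect ARP-based takeover of an HSRP virtual gateway address.

Added example (not vendor or CERT/CC code). Assumes a monitor on the local
segment that sees ARP traffic and knows the HSRP virtual IP and group.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# HSRPv1 virtual MAC: 00:00:0c:07:ac:XX, where XX is the standby group number.
HSRP_VMAC_PREFIX = "00:00:0c:07:ac:"

ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpRecord:
    ts: float          # seconds since capture start
    opcode: int        # 1 = request, 2 = reply
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass(frozen=True)
class Alert:
    ts: float
    reason: str
    sender_mac: str


def is_hsrp_vmac(mac: str, group: Optional[int] = None) -> bool:
    """True if mac is an HSRPv1 virtual MAC (optionally for a specific group)."""
    mac = mac.lower()
    if not mac.startswith(HSRP_VMAC_PREFIX):
        return False
    if group is None:
        return True
    return mac == f"{HSRP_VMAC_PREFIX}{group:02x}"


def detect_gateway_arp_takeover(
    records: Iterable[ArpRecord], gateway_ip: str, group: Optional[int] = None
) -> List[Alert]:
    """Flag every ARP frame that claims gateway_ip from a non-HSRP MAC.

    Any ARP frame whose sender protocol address is the gateway IP causes
    neighbours to update their caches with sender_mac, regardless of whether it
    is a request, a reply, or a gratuitous ARP (target == sender). So all three
    are treated as cache-poisoning attempts when the hardware address is wrong.
    """
    alerts: List[Alert] = []
    for rec in records:
        if rec.sender_ip != gateway_ip:
            continue
        mac = rec.sender_mac.lower()
        if is_hsrp_vmac(mac, group):
            continue  # legitimate active router announcing the virtual address
        if rec.target_ip == gateway_ip:
            kind = "gratuitous ARP"
        elif rec.opcode == ARP_REPLY:
            kind = "ARP reply"
        else:
            kind = "ARP request"
        alerts.append(
            Alert(rec.ts, f"{kind} binds gateway {gateway_ip} to non-HSRP MAC", mac)
        )
    return alerts


# Constructed sample traffic for HSRP group 1 on virtual IP 192.0.2.1 (assumed).
SAMPLE_RECORDS = [
    # Legitimate: active router announces the virtual IP with the virtual MAC.
    ArpRecord(0.0, ARP_REQUEST, "192.0.2.1", "00:00:0C:07:AC:01", "192.0.2.1"),
    # Ordinary host resolving the gateway; not an announcement of the gateway IP.
    ArpRecord(1.5, ARP_REQUEST, "192.0.2.50", "aa:bb:cc:dd:ee:01", "192.0.2.1"),
    # Rogue host: gratuitous ARP claiming the gateway IP with its own MAC.
    ArpRecord(2.0, ARP_REQUEST, "192.0.2.1", "00:11:22:33:44:55", "192.0.2.1"),
    # Rogue host: unsolicited reply pushing the same binding to a victim.
    ArpRecord(2.1, ARP_REPLY, "192.0.2.1", "00:11:22:33:44:55", "192.0.2.50"),
]


if __name__ == "__main__":
    for alert in detect_gateway_arp_takeover(SAMPLE_RECORDS, "192.0.2.1", group=1):
        print(f"t={alert.ts:.1f}s  {alert.reason} ({alert.sender_mac})")
```

The monitor only observes; it cannot stop the cache poisoning, which is the vendor's point. On the two rogue frames above it raises two alerts and stays silent on the legitimate announcement and on the ordinary host's lookup. VRRP uses a different virtual MAC prefix, so the check would need adjusting for the VRRP case the statement also mentions.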

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.