
    [guru] Cisco security updates


    DATE: Tue, 31 Mar 2009 12:44:40 +0200
    The Cisco Session Border Controller (SBC) modules of Cisco 7600
    series routers can be DoSed if an attacker sends suitably crafted
    data to port 2000/tcp.
    
    The Cisco IP Phone Personal Address Book (PAB) Synchronizer feature
    of Cisco Unified Communications Manager (formerly CallManager) lets
    users synchronize their address book with their Windows system. The
    implementation is flawed: after the HTTPS authentication the device
    returns to the user the login credentials for the directory server,
    with which the user can also change their privileges there. In
    certain installations this flaw can go even further, because in
    those cases operating system accounts are also stored in the
    directory, so the attacker can access those as well.
    
    Cisco IOS-based devices can be DoSed with TCP packets if the Cisco
    Tunneling Control Protocol (cTCP) feature of the Easy VPN server is
    enabled.
    
    Cisco IOS-based devices with the Mobile IPv6 and Mobile IP NAT
    Traversal features can be DoSed; as a result of the attack the
    affected interface is unable to process packets and the device has
    to be restarted.
    
    The scp server interface of Cisco IOS devices does not properly
    check users' access rights; when CLI views are configured, files
    (e.g. the device configuration) that would otherwise not be
    permitted can also be written/read.
    
    Several modules of Cisco IOS devices can also be DoSed, provided the
    attacker has managed to establish a TCP connection and send a
    suitably crafted packet.
    
    The Cisco IOS WebVPN (or SSLVPN) server can be DoSed: a suitably
    crafted HTTPS packet DoSes the unit, and the SSLVPN session handling
    contains a memory leak.
    
    
    --- Begin Message ---
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Cisco Security Advisory: Cisco 7600 Series Router Session Border
                             Controller Denial of Service Vulnerability
    
    Document ID: 109483
    
    Advisory ID: cisco-sa-20090304-sbc
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090304-sbc.shtml
    
    Revision 1.0
    
    For Public Release 2009 March 4 1600 UTC (GMT)
    
    ---------------------------------------------------------------------
    
    Summary
    =======
    
    A denial of service (DoS) vulnerability exists in the Cisco Session
    Border Controller (SBC) for the Cisco 7600 series routers. Cisco has
    released free software updates that address this vulnerability.
    Workarounds that mitigate this vulnerability are available.
    
    This advisory is posted at 
    http://www.cisco.com/warp/public/707/cisco-sa-20090304-sbc.shtml
    
    Affected Products
    =================
    
    Vulnerable Products
    +------------------
    
    All Cisco ACE-based SBC modules running software versions prior to
    3.0(2) are affected.
    
    To determine the version of the Cisco SBC software running on a
    system, log in to the device and issue the show version command to
    display the system banner.
    
        card_A/Admin# show version
          system image file: [LCP] disk0:c76-sbck9-mzg.3.0.1_AS3_0_00.bin
        <output truncated>
    
    
    Cisco SBC software version 3.0.1 is running in the device used in
    this example.
    
    Products Confirmed Not Vulnerable
    +--------------------------------
    
    The Cisco XR 12000 Series SBC is not vulnerable. Additionally, the
    Cisco ACE Module, Cisco ACE 4710 Application Control Engine, Cisco
    ACE XML Gateway, Cisco ACE Web Application Firewall, and the Cisco
    ACE GSS (Global Site Selector) 4400 Series are not affected by this
    vulnerability. No other Cisco products are currently known to be
    affected by this vulnerability.
    
    Details
    =======
    
    The Session Border Controller (SBC) enables direct IP-to-IP
    interconnect between multiple administrative domains for
    session-based services providing protocol interworking, security, and
    admission control and management. The SBC is a multimedia device that
    sits on the border of a network and controls call admission to that
    network. A vulnerability exists in the Cisco SBC where an
    unauthenticated attacker may cause the Cisco SBC card to reload by
    sending crafted TCP packets over port 2000. Repeated exploitation
    could result in a sustained DoS condition.
    
    Note: Only the Cisco SBC module reloads after successful
    exploitation. The Cisco 7600 series router does not reload and it is
    not affected by this vulnerability.
    
    Note: TCP port 2000 is typically used by Skinny Call Control Protocol
    (SCCP) applications. However, the Cisco SBC module uses TCP port 2000
    for high availability (redundancy) communication, but does not use
    the SCCP for this purpose.
    
    This vulnerability is documented in Cisco Bug ID CSCsq18958
    (registered customers only) and has been assigned the Common
    Vulnerabilities and Exposures (CVE) ID CVE-2009-0619.
    
    Vulnerability Scoring Details
    =============================
    
    Cisco has provided scores for the vulnerability in this advisory
    based on the Common Vulnerability Scoring System (CVSS). The CVSS
    scoring in this Security Advisory is done in accordance with CVSS
    version 2.0.
    
    CVSS is a standards-based scoring method that conveys vulnerability
    severity and helps determine urgency and priority of response.
    
    Cisco has provided a base and temporal score. Customers can then
    compute environmental scores to assist in determining the impact of
    the vulnerability in individual networks.
    
    Cisco has provided an FAQ to answer additional questions regarding
    CVSS at
    
    http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
    
    Cisco has also provided a CVSS calculator to help compute the
    environmental impact for individual networks at
    
    http://intellishield.cisco.com/security/alertmanager/cvss
    
    CVSS Base Score - 7.8
    
    Access Vector           - Network
    Access Complexity       - Low
    Authentication          - None
    Confidentiality Impact  - None
    Integrity Impact        - None
    Availability Impact     - Complete
    
    CVSS Temporal Score - 6.4
    
    Exploitability          - Functional
    Remediation Level       - Official-Fix
    Report Confidence       - Confirmed
    
    Impact
    ======
    
    Successful exploitation of the vulnerability may cause a reload of
    the affected device. Repeated exploitation could result in a
    sustained DoS condition.
    
    Software Versions and Fixes
    ===========================
    
    This vulnerability has been corrected in Cisco SBC software release
    3.0(2).
    
    Cisco SBC software can be downloaded from:
    
    http://www.cisco.com/pcgi-bin/tablebuild.pl/sbc-7600-crypto
    
    When considering software upgrades, also consult 
    http://www.cisco.com/go/psirt and any subsequent advisories to 
    determine exposure and a complete upgrade solution.
    
    In all cases, customers should exercise caution to be certain the
    devices to be upgraded contain sufficient memory and that current
    hardware and software configurations will continue to be supported
    properly by the new release. If the information is not clear, contact
    the Cisco Technical Assistance Center (TAC) or your contracted
    maintenance provider for assistance.
    
    Workarounds
    ===========
    
    As a workaround, configure an access control list (ACL) in the
    signaling / media VLAN on the Route Processor (RP). The following
    examples show how VLAN 140 is configured as the signaling / media
    VLAN. A separate VLAN (VLAN 77) is configured as Fault Tolerance
    (FT). An ACL is added to the signaling/media VLAN on the RP filtering
    all TCP port 2000 packets to the alias IP address.
    
    Cisco SBC configuration
    
        interface vlan 140
          ip address 10.140.1.90 255.255.255.0
          alias 10.140.1.100 255.255.255.0
          peer ip address 10.140.1.8 255.255.255.0
        !
        ft interface vlan 77
          ip address 192.168.1.1 255.255.255.0
          peer ip address 192.168.1. 255.255.255.0
    
    
    RP Configuration
    
        !- ACL blocking all TCP port 2000 traffic to the 10.140.1.0 internal network
        !
        access-list 100 deny   tcp any host 10.140.1.100 eq 2000
        access-list 100 permit ip any any
        !
        interface Vlan140
         ip address 10.140.1.1 255.255.255.0
        !- ACL is applied to the VLAN interface to egress traffic
         ip access-group 100 out
        !
    
    The alias command under VLAN 140 is configured with an IP address
    that floats between active and standby modules when using high
    availability. Only TCP port 2000 traffic destined to this IP address
    may trigger this vulnerability. An access control list (ACL) is
    configured to deny TCP port 2000 destined to the alias IP address
    (10.140.1.100). The ACL is applied egress in the RP.
    
    Note: TCP port 2000 is used by Skinny Call Control Protocol (SCCP)
    applications; however, in this case it is used by the SBC for
    internal communications. The previous ACL only blocks TCP port 2000
    traffic to the alias IP address. TCP port 2000 is not used by the
    alias IP address. This ACL should not cause any collateral damage.
    
    Additional mitigations that can be deployed on Cisco devices within
    the network are available in the Cisco Applied Intelligence companion
    document for this Advisory:
    
    http://www.cisco.com/warp/public/707/cisco-amb-20090304-sbc.shtml
    
    Obtaining Fixed Software
    ========================
    
    Cisco has released free software updates that address this
    vulnerability. Prior to deploying software, customers should consult
    their maintenance provider or check the software for feature set
    compatibility and known issues specific to their environment.
    
    Customers may only install and expect support for the feature sets
    they have purchased. By installing, downloading, accessing or
    otherwise using such software upgrades, customers agree to be bound
    by the terms of Cisco's software license terms found at 
    http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
    or as otherwise set forth at Cisco.com Downloads at 
    http://www.cisco.com/public/sw-center/sw-usingswc.shtml
    
    Do not contact psirt@cisco.com or security-alert@cisco.com for
    software upgrades.
    
    Customers with Service Contracts
    +-------------------------------
    
    Customers with contracts should obtain upgraded software through
    their regular update channels. For most customers, this means that
    upgrades should be obtained through the Software Center on Cisco's
    worldwide website at http://www.cisco.com.
    
    Customers using Third Party Support Organizations
    +------------------------------------------------
    
    Customers whose Cisco products are provided or maintained through
    prior or existing agreements with third-party support organizations,
    such as Cisco Partners, authorized resellers, or service providers
    should contact that support organization for guidance and assistance
    with the appropriate course of action in regards to this advisory.
    
    The effectiveness of any workaround or fix is dependent on specific
    customer situations, such as product mix, network topology, traffic
    behavior, and organizational mission. Due to the variety of affected
    products and releases, customers should consult with their service
    provider or support organization to ensure any applied workaround or
    fix is the most appropriate for use in the intended network before it
    is deployed.
    
    Customers without Service Contracts
    +----------------------------------
    
    Customers who purchase direct from Cisco but do not hold a Cisco
    service contract, and customers who purchase through third-party
    vendors but are unsuccessful in obtaining fixed software through
    their point of sale should acquire upgrades by contacting the Cisco
    Technical Assistance Center (TAC). TAC contacts are as follows.
    
      * +1 800 553 2447 (toll free from within North America)
      * +1 408 526 7209 (toll call from anywhere in the world)
      * e-mail: tac@cisco.com
    
    Customers should have their product serial number available and be
    prepared to give the URL of this notice as evidence of entitlement to
    a free upgrade. Free upgrades for non-contract customers must be
    requested through the TAC.
    
    Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html 
    for additional TAC contact information, including localized telephone
    numbers, and instructions and e-mail addresses for use in various 
    languages.
    
    Exploitation and Public Announcements
    =====================================
    
    The Cisco PSIRT is not aware of any public announcements or malicious
    use of the vulnerability described in this advisory.
    
    This vulnerability was found during internal testing.
    
    Status of this Notice: FINAL
    ============================
    
    THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
    KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
    MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
    INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
    AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
    DOCUMENT AT ANY TIME.
    
    A stand-alone copy or paraphrase of the text of this document that
    omits the distribution URL in the following section is an
    uncontrolled copy, and may lack important information or contain
    factual errors.
    
    Distribution
    ============
     
    This advisory is posted on Cisco's worldwide website at:
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090304-sbc.shtml
    
    In addition to worldwide web posting, a text version of this notice
    is clear-signed with the Cisco PSIRT PGP key and is posted to the
    following e-mail and Usenet news recipients.
    
      * cust-security-announce@cisco.com
      * first-bulletins@lists.first.org
      * bugtraq@securityfocus.com
      * vulnwatch@vulnwatch.org
      * cisco@spot.colorado.edu
      * cisco-nsp@puck.nether.net
      * full-disclosure@lists.grok.org.uk
      * comp.dcom.sys.cisco@newsgate.cisco.com
    
    Future updates of this advisory, if any, will be placed on Cisco's
    worldwide website, but may or may not be actively announced on
    mailing lists or newsgroups. Users concerned about this problem are
    encouraged to check the above URL for any updates.
    
    Revision History
    ================
    
    +-------------------------------------------------------+
    | Revision 1.0 | 2009-March-04 | Initial public release |
    +-------------------------------------------------------+
    
    Cisco Security Procedures
    =========================
    
    Complete information on reporting security vulnerabilities in Cisco
    products, obtaining assistance with security incidents, and
    registering to receive security information from Cisco, is available
    on Cisco's worldwide website at 
    http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
    This includes instructions for press inquiries regarding Cisco 
    security notices. All Cisco security advisories are available at 
    http://www.cisco.com/go/psirt

    --- End Message ---
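
The RP workaround in advisory cisco-sa-20090304-sbc above can be checked mechanically. The Python below is an added example, not part of the original mail or of Cisco's advisory: it reads the alias address from an SBC configuration and confirms that the outbound ACL on the matching RP VLAN interface denies TCP port 2000 to it before any permit. Function names and sample configurations (adapted from the advisory's example) are constructed for illustration, and only extended ACL entries with source `any` are understood.

```python
import re

# Entry forms understood: "access-list N deny|permit ip|tcp any any|host A [eq P]".
ACE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(deny|permit)\s+(ip|tcp)\s+any\s+"
    r"(?:any|host\s+(\d+\.\d+\.\d+\.\d+))(?:\s+eq\s+(\d+))?\s*$")
IFACE_RE = re.compile(r"^interface\s+vlan\s*(\d+)\s*$", re.I)
ALIAS_RE = re.compile(r"^alias\s+(\d+\.\d+\.\d+\.\d+)\s")
GROUP_RE = re.compile(r"^ip\s+access-group\s+(\d+)\s+out\s*$")
HA_PORT = 2000  # TCP port the advisory says the SBC uses for HA traffic


def vlan_blocks(cfg):
    """Map VLAN id -> sub-commands of its 'interface vlan N' block."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                      # blank or comment: no mode change
        if not raw[0].isspace():          # top-level command starts a new mode
            m = IFACE_RE.match(line)
            current = blocks.setdefault(int(m.group(1)), []) if m else None
        elif current is not None:
            current.append(line)
    return blocks


def parse_acls(cfg):
    """Return ({acl: [(action, dst_host_or_None, port_or_None)]}, unparsed lines)."""
    acls, unparsed = {}, []
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line.startswith("access-list"):
            continue
        m = ACE_RE.match(line)
        if not m:
            unparsed.append(line)         # never guess at forms we cannot model
            continue
        acl, action, _proto, host, port = m.groups()
        acls.setdefault(int(acl), []).append(
            (action, host, int(port) if port else None))
    return acls, unparsed


def first_match(entries, dst, port):
    """Action of the first entry matching a TCP packet to dst:port."""
    for action, host, eq in entries:
        if host not in (None, dst) or (eq is not None and eq != port):
            continue
        return action
    return "deny"                         # implicit deny at the end of an ACL


def audit_workaround(sbc_cfg, rp_cfg):
    """Return findings; an empty list means every alias address is covered."""
    acls, unparsed = parse_acls(rp_cfg)
    findings = [f"unrecognised ACL entry, review by hand: {u}" for u in unparsed]
    rp_ifaces = vlan_blocks(rp_cfg)
    for vlan, cmds in sorted(vlan_blocks(sbc_cfg).items()):
        aliases = [m.group(1) for m in map(ALIAS_RE.match, cmds) if m]
        applied = [int(m.group(1))
                   for m in map(GROUP_RE.match, rp_ifaces.get(vlan, [])) if m]
        for alias in aliases:
            if not applied:
                findings.append(f"Vlan{vlan}: no outbound access-group on the RP")
            elif applied[0] not in acls:
                findings.append(f"Vlan{vlan}: ACL {applied[0]} is not defined")
            elif first_match(acls[applied[0]], alias, HA_PORT) != "deny":
                findings.append(f"Vlan{vlan}: ACL {applied[0]} permits "
                                f"tcp/{HA_PORT} to alias {alias}")
            # Probe one neighbouring port to catch an ACL that blocks too much.
            elif first_match(acls[applied[0]], alias, HA_PORT + 1) == "deny":
                findings.append(f"Vlan{vlan}: ACL {applied[0]} also blocks "
                                f"other traffic to alias {alias}")
    return findings


# Constructed sample input, adapted from the advisory's example configuration.
SBC_CFG = """\
interface vlan 140
  ip address 10.140.1.90 255.255.255.0
  alias 10.140.1.100 255.255.255.0
  peer ip address 10.140.1.8 255.255.255.0
!
ft interface vlan 77
  ip address 192.168.1.1 255.255.255.0
"""
RP_GOOD = """\
access-list 100 deny   tcp any host 10.140.1.100 eq 2000
access-list 100 permit ip any any
!
interface Vlan140
 ip address 10.140.1.1 255.255.255.0
!- ACL is applied to the VLAN interface to egress traffic
 ip access-group 100 out
!
"""
# Same entries in the wrong order: the permit shadows the deny.
RP_SHADOWED = """\
access-list 100 permit ip any any
access-list 100 deny   tcp any host 10.140.1.100 eq 2000
interface Vlan140
 ip access-group 100 out
"""
RP_INBOUND = RP_GOOD.replace("100 out", "100 in")  # applied in the wrong direction

if __name__ == "__main__":
    for name in ("RP_GOOD", "RP_SHADOWED", "RP_INBOUND"):
        print(name, audit_workaround(SBC_CFG, globals()[name]) or "OK")
```
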
    --- Begin Message ---
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Cisco Security Advisory: Cisco Unified Communications Manager IP
    Phone Personal Address Book Synchronizer Privilege Escalation
    Vulnerability
    
    Advisory ID: cisco-sa-20090311-cucmpab
    
    Revision 1.0
    
    For Public Release 2009 March 11 1600 UTC (GMT)
    
    +---------------------------------------------------------------------
    
    Summary
    =======
    
    Cisco Unified Communications Manager, formerly CallManager, contains
    a privilege escalation vulnerability in the IP Phone Personal Address
    Book (PAB) Synchronizer feature that may allow an attacker to gain
    complete administrative access to a vulnerable Cisco Unified
    Communications Manager system. If Cisco Unified Communications
    Manager is integrated with an external directory service, it may be
    possible for an attacker to leverage the privilege escalation
    vulnerability to gain access to additional systems configured to use
    the directory service for authentication.
    
    Cisco has released free software updates that address this
    vulnerability. Workarounds that mitigate this vulnerability are
    available.
    
    This advisory is posted at:
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090311-cucmpab.shtml
    
    Affected Products
    =================
    
    Vulnerable Products
    +------------------
    
    The following products are vulnerable:
    
      * Cisco Unified CallManager 4.1 versions
      * Cisco Unified Communications Manager 4.2 versions prior to 4.2(3)SR4b
      * Cisco Unified Communications Manager 4.3 versions prior to 4.3(2)SR1b
      * Cisco Unified Communications Manager 5.x versions prior to 5.1(3e)
      * Cisco Unified Communications Manager 6.x versions prior to 6.1(3)
      * Cisco Unified Communications Manager 7.0 versions prior to 7.0(2)
    
    Administrators of systems that are running Cisco Unified
    Communications Manager software version 4.x can determine the
    software version by navigating to Help > About Cisco Unified
    CallManager and selecting the Details button via the Cisco Unified
    Communications Manager administration interface.
    
    Administrators of systems that are running Cisco Unified
    Communications Manager software versions 5.x, 6.x, and 7.x can
    determine the software version by viewing the main page of the Cisco
    Unified Communications Manager administration interface. The software
    version can also be determined by running the command show version
    active via the command line interface (CLI).
    
    Products Confirmed Not Vulnerable
    +--------------------------------
    
    Cisco Unified Communications Manager Express is not affected by this
    vulnerability. No other Cisco products are currently known to be
    affected by this vulnerability.
    
    Details
    =======
    
    The Cisco IP Phone Personal Address Book (PAB) Synchronizer feature
    of Cisco Unified Communications Manager allows users to keep their
    Cisco Unified Communications Manager address book synchronized with
    their Microsoft Windows address book. The IP Phone PAB Synchronizer
    feature contains a privilege escalation vulnerability that may allow
    an attacker to obtain complete administrative access to a vulnerable
    Cisco Unified Communications Manager system. After an IP Phone PAB
    Synchronizer client successfully authenticates to a Cisco Unified
    Communications Manager device over a HTTPS connection, the Cisco
    Unified Communications Manager returns credentials for a user account
    that is used to manage the Cisco Unified Communications Manager
    directory service. If an attacker is able to intercept the
    credentials, they can perform unauthorized modifications to the Cisco
    Unified Communications Manager configuration and extend their
    privileges. The IP Phone PAB Synchronizer client has been redesigned
    to allow address book synchronization without requiring the directory
    service credentials. This vulnerability does not allow an attacker to
    gain access to the underlying platform operating system of any Cisco
    Unified Communications Manager system.
    
    Cisco Unified Communications Manager 4.x
    +---------------------------------------
    
    Cisco Unified Communications Manager software version 4.x by default
    stores user information using an internal Lightweight Directory
    Access Protocol (LDAP) server called DC Directory. After an IP Phone
    PAB Synchronizer client successfully authenticates, the Cisco Unified
    Communications Manager returns credentials for the DC Directory user
    that will be used by the client to synchronize a user's address book.
    Depending on how a Cisco Unified Communications Manager is
    configured, an attacker may obtain different privilege levels using
    the intercepted credentials.
    
    By default, Cisco Unified Communications Manager software version 4.x
    administrator accounts are created as part of an underlying Microsoft
    Windows operating system. Cisco Unified Communications Manager is
    commonly deployed using the Multi-Level Administration (MLA) feature
    to ease the integration of Cisco Unified Communications Manager into
    enterprise environments. If MLA is enabled, Cisco Unified
    Communications Manager stores administrator accounts in the Cisco
    Unified Communications Manager DC Directory service. If an attacker
    obtains the DC Directory credentials and MLA is enabled, the attacker
    can add an existing account to the Cisco Unified Communications
    Manager super-user group. The attacker can then access the Cisco
    Unified Communications Manager management interface with complete
    administrative access. If MLA is not enabled, the attacker cannot
    escalate their privileges; however, they can modify any user settings
    in the directory.
    
    The Cisco Unified Communications Manager 4.x IP Phone PAB
    Synchronizer client uses an unencrypted LDAP connection to perform
    address book synchronization. The DC Directory credentials are passed
    in the clear over the network and are vulnerable to being sniffed by
    an attacker. If using the DC Directory internal LDAP server, the IP
    Phone PAB Synchronizer client communicates to Cisco Unified
    Communications Manager on TCP ports 8404 and 8405.
    
    Cisco Unified Communications Manager 5.x, 6.x, 7.x
    +-------------------------------------------------
    
    Cisco Unified Communications Manager software versions 5.x, 6.x, and
    7.x store user information as a part of the internal Cisco Unified
    Communications Manager configuration database. The IP Phone PAB
    Synchronizer client uses the AXL application programming interface
    (API) to perform address book synchronization. After a client
    successfully authenticates, the Cisco Unified Communications Manager
    returns credentials for a database user account named TabSyncSysUser
    that will be used by the client to synchronize a user's address
    book. The TabSyncSysUser account has full read and write privileges
    to the Cisco Unified Communications Manager configuration database.
    Using the TabSyncSysUser credentials via the AXL API, an attacker can
    modify any parameter in the database including creating new
    administrator accounts.
    
    Directory Service Integration
    +----------------------------
    
    Cisco Unified Communications Manager software versions 4.x, 5.x, 6.x,
    and 7.x can be integrated with Microsoft Active Directory and several
    non-Microsoft LDAP servers to perform user authentication. In order
    to function properly, the integration process requires that
    appropriate user credentials for the directory service are provided
    to Cisco Unified Communications Manager. If an attacker intercepts or
    sniffs the directory service credentials returned by a Cisco Unified
    Communications Manager responding to an IP Phone PAB Synchronizer
    client, the attacker may be able to leverage the credentials to gain
    access to additional systems configured to use the directory service
    for authentication.
    
    Administrators should ensure that any directory service credentials
    used for the Cisco Unified Communications Manager integration process
    are configured to follow the principle of least privilege. The
    credentials should be configured with only the privileges necessary
    to access the directory service data needed for the integration
    process to function properly. The use of overly privileged
    administrator accounts is discouraged. Please see the Workarounds
    section for more information on performing the integration of Cisco
    Unified Communications Manager with AD using the least privilege
    concept.
    
    This vulnerability is documented in Cisco Bug IDs CSCso76587 and
    CSCso78528 and has been assigned Common Vulnerabilities and Exposures
    (CVE) identifier CVE-2009-0632.
    
    Vulnerability Scoring Details
    =============================
    
    Cisco has provided scores for the vulnerability in this advisory
    based on the Common Vulnerability Scoring System (CVSS). The CVSS
    scoring in this Security Advisory is done in accordance with CVSS
    version 2.0.
    
    CVSS is a standards-based scoring method that conveys vulnerability
    severity and helps determine urgency and priority of response.
    
    Cisco has provided a base and temporal score. Customers can then
    compute environmental scores to assist in determining the impact of
    the vulnerability in individual networks.
    
    Cisco has provided an FAQ to answer additional questions regarding
    CVSS at:
    
    http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
    
    Cisco has also provided a CVSS calculator to help compute the
    environmental impact for individual networks at:
    
    http://intellishield.cisco.com/security/alertmanager/cvss
    
    CSCso76587 - Directory Manager password sent in clear from client
    
    CVSS Base Score - 9
    
    Access Vector           - Network
    Access Complexity       - Low
    Authentication          - Single
    Confidentiality Impact  - Complete
    Integrity Impact        - Complete
    Availability Impact     - Complete
    
    CVSS Temporal Score - 7.4
    
    Exploitability          - Functional
    Remediation Level       - Official-Fix
    Report Confidence       - Confirmed
    
    CSCso78528 - TabSyncSysUser (axl user) password sent in clear from client
    
    CVSS Base Score - 9
    
    Access Vector           - Network
    Access Complexity       - Low
    Authentication          - Single
    Confidentiality Impact  - Complete
    Integrity Impact        - Complete
    Availability Impact     - Complete
    
    CVSS Temporal Score - 7.4
    
    Exploitability          - Functional
    Remediation Level       - Official-Fix
    Report Confidence       - Confirmed
    
    Impact
    ======
    
    Successful exploitation of this vulnerability may allow an attacker
    to intercept user credentials that allow the attacker to escalate
    their privilege level and obtain complete administrative access to a
    vulnerable Cisco Unified Communications Manager system. If integrated
    with an external directory service, the intercepted user credentials
    may allow an attacker to gain access to additional systems configured
    to use the directory service for authentication.
    
    Software Versions and Fixes
    ===========================
    
    When considering software upgrades, also consult
    http://www.cisco.com/go/psirt and any subsequent advisories to
    determine exposure and a complete upgrade solution.
    
    In all cases, customers should exercise caution to be certain the
    devices to be upgraded contain sufficient memory and that current
    hardware and software configurations will continue to be supported
    properly by the new release. If the information is not clear, contact
    the Cisco Technical Assistance Center (TAC) or your contracted
    maintenance provider for assistance.
    
    Cisco Unified Communications Manager software version 4.2(3)SR4b
    contains the fix for this vulnerability. Administrators of Cisco
    Unified CallManager software version 4.1 systems are encouraged to
    upgrade to Cisco Unified Communications Manager software version
    4.2(3)SR4b in order to obtain fixed software. Version 4.2(3)SR4b can be
    downloaded at the following link:
    
    http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=280264388&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20CallManager%20Version%204.2&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N
    
    Cisco Unified Communications Manager software version 4.3(2)SR1b
    contains the fix for this vulnerability. Version 4.3(2)SR1b can be
    downloaded at the following link:
    
    http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=280771554&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%204.3&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N
    
    Cisco Unified Communications Manager software version 5.1(3e)
    contains the fix for this vulnerability. Version 5.1(3e) can be
    downloaded at the following link:
    
    http://tools.cisco.com/support/downloads/go/ReleaseType.x?optPlat=null&isPlatform=Y&mdfid=280735907&sftType=Unified%20Communications%20Manager%20Updates&treeName=Voice%20and%20Unified%20Communications&modelName=Cisco%20Unified%20Communications%20Manager%20Version%205.1&mdfLevel=Software%20Version/Option&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N
    
    Cisco Unified Communications Manager software version 6.1(3) contains
    the fix for this vulnerability. Version 6.1(3) can be downloaded at
    the following link:
    
    http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=281023410&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%206.1&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N
    
    Cisco Unified Communications Manager software version 7.0(2) contains
    the fix for this vulnerability. Version 7.0(2) can be downloaded at
    the following link:
    
    http://tools.cisco.com/support/downloads/go/ReleaseType.x?optPlat=&isPlatform=Y&mdfid=281941895&sftType=Unified+Communications+Manager+Updates&treeName=Voice+and+Unified+Communications&modelName=Cisco+Unified+Communications+Manager+Version+7.0&mdfLevel=Software%20Version/Option&treeMdfId=278875240&modifmdfid=null&imname=&hybrid=Y&imst=N
    
    Workarounds
    ===========
    
    It is possible to mitigate against this vulnerability using the
    following workarounds.
    
    Cisco Unified Communications Manager 4.x
    +---------------------------------------
    
    It is possible to mitigate this vulnerability by moving the ASP
    script that IP Phone Personal Address Book (PAB) Synchronizer
    clients interact with to a directory location that is not accessible
    to the Cisco Unified Communications Manager web server. The system
    drive where the ASP script resides depends on how Cisco Unified
    Communications Manager was installed. Employing this workaround will
    prevent address book synchronization; however, the PAB application
    will continue to function. The ASP script can be moved using the
    following command:
    
        C:\> move c:\CiscoWebs\User\LDAPDetails.asp c:\temp
    
    It is also possible to mitigate this vulnerability by implementing
    filtering on screening devices or using the Windows firewall.
    Administrators are advised to permit access to TCP ports 8404 and
    8405 only from trusted networks.
    
    Cisco Unified Communications Manager 5.x, 6.x, 7.x
    +-------------------------------------------------
    
    It is possible to mitigate this vulnerability by restricting the
    permissions of the TabSyncSysUser database user account. In the Cisco
    Unified Communications Manager Administration interface, navigate to 
    User Management > Application User and search for the TabSyncSysUser
    account. Remove all groups from the account and change the password.
    Employing this workaround will prevent address book synchronization;
    however, the PAB application will continue to function.
    
    Active Directory Integration
    +---------------------------
    
    To improve the security of Cisco Unified Communications Manager
    integration with Active Directory (AD), Cisco has produced a
    whitepaper that provides a detailed explanation of how to perform
    Cisco Unified Communications Manager integration with AD using the
    least-privileged principle. The whitepaper can be downloaded here:
    
    http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a0080a83435.shtml
    
    Additional mitigation techniques that can be deployed on Cisco
    devices within the network are available in the Cisco Applied
    Mitigation Bulletin companion document for this advisory:
    
    http://www.cisco.com/warp/public/707/cisco-amb-20090311-cucmpab.shtml
    
    Obtaining Fixed Software
    ========================
    
    Cisco has released free software updates that address these
    vulnerabilities. Prior to deploying software, customers should
    consult their maintenance provider or check the software for feature
    set compatibility and known issues specific to their environment.
    
    Customers may only install and expect support for the feature sets
    they have purchased. By installing, downloading, accessing or
    otherwise using such software upgrades, customers agree to be bound
    by the terms of Cisco's software license terms found at
    http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
    or as otherwise set forth at Cisco.com Downloads at
    http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
    
    Do not contact psirt@cisco.com or security-alert@cisco.com for
    software upgrades.
    
    Customers with Service Contracts
    +-------------------------------
    
    Customers with contracts should obtain upgraded software through
    their regular update channels. For most customers, this means that
    upgrades should be obtained through the Software Center on Cisco's
    worldwide website at http://www.cisco.com.
    
    Customers using Third Party Support Organizations
    +------------------------------------------------
    
    Customers whose Cisco products are provided or maintained through
    prior or existing agreements with third-party support organizations,
    such as Cisco Partners, authorized resellers, or service providers
    should contact that support organization for guidance and assistance
    with the appropriate course of action in regards to this advisory.
    
    The effectiveness of any workaround or fix is dependent on specific
    customer situations, such as product mix, network topology, traffic
    behavior, and organizational mission. Due to the variety of affected
    products and releases, customers should consult with their service
    provider or support organization to ensure any applied workaround or
    fix is the most appropriate for use in the intended network before it
    is deployed.
    
    Customers without Service Contracts
    +----------------------------------
    
    Customers who purchase direct from Cisco but do not hold a Cisco
    service contract, and customers who purchase through third-party
    vendors but are unsuccessful in obtaining fixed software through
    their point of sale should acquire upgrades by contacting the Cisco
    Technical Assistance Center (TAC). TAC contacts are as follows.
    
      * +1 800 553 2447 (toll free from within North America)
      * +1 408 526 7209 (toll call from anywhere in the world)
      * e-mail: tac@cisco.com
    
    Customers should have their product serial number available and be
    prepared to give the URL of this notice as evidence of entitlement to
    a free upgrade. Free upgrades for non-contract customers must be
    requested through the TAC.
    
    Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
    for additional TAC contact information, including localized
    telephone numbers, and instructions and e-mail addresses for use in
    various languages.
    
    Exploitation and Public Announcements
    =====================================
    
    The Cisco PSIRT is not aware of any public announcements or malicious
    use of the vulnerability described in this advisory.
    
    The vulnerability in Cisco Unified Communications Manager 4.x
    software versions was reported to Cisco by Olivier Grosjeanne of
    Dimension Data France. The vulnerability in Cisco Unified
    Communications Manager 5.x, 6.x and 7.x software versions was
    reported by Oliver Dewdney of LBI.
    
    Status of this Notice: FINAL
    ============================
    
    THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
    KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
    MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
    INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
    AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
    DOCUMENT AT ANY TIME.
    
    A stand-alone copy or Paraphrase of the text of this document that
    omits the distribution URL in the following section is an
    uncontrolled copy, and may lack important information or contain
    factual errors.
    
    Distribution
    ============
    
    This advisory is posted on Cisco's worldwide website at:
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090311-cucmpab.shtml
    
    In addition to worldwide web posting, a text version of this notice
    is clear-signed with the Cisco PSIRT PGP key and is posted to the
    following e-mail and Usenet news recipients.
    
      * cust-security-announce@cisco.com
      * first-bulletins@lists.first.org
      * bugtraq@securityfocus.com
      * vulnwatch@vulnwatch.org
      * cisco@spot.colorado.edu
      * cisco-nsp@puck.nether.net
      * full-disclosure@lists.grok.org.uk
      * comp.dcom.sys.cisco@newsgate.cisco.com
    
    Future updates of this advisory, if any, will be placed on Cisco's
    worldwide website, but may or may not be actively announced on
    mailing lists or newsgroups. Users concerned about this problem are
    encouraged to check the above URL for any updates.
    
    Revision History
    ================
    
    +--------------------------------------------------------+
    | Revision 1.0 | 2009-March-11 | Initial public release. |
    +--------------------------------------------------------+
    
    Cisco Security Procedures
    =========================
    
    Complete information on reporting security vulnerabilities in Cisco
    products, obtaining assistance with security incidents, and
    registering to receive security information from Cisco, is available
    on Cisco's worldwide website at:
    
    http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
    
    This includes instructions for press inquiries regarding Cisco security notices.
    All Cisco security advisories are available at:
    
    http://www.cisco.com/go/psirt
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.5 (SunOS)
    
    iD8DBQFJt9DF86n/Gc8U/uARAtjqAJ9eE9ETbc4lyUJV8GrCEmiaJeS1NACdExbB
    dLmiSiaPCdGHpVKTKvZj78k=
    =C3h7
    -----END PGP SIGNATURE-----
    
    
    
    

    --- End Message ---
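The filtering workaround in the Cisco Unified Communications Manager PAB advisory above (permit TCP ports 8404 and 8405 only from trusted networks) can be checked mechanically. The following is an added example, not part of the Cisco advisory: it assumes the screening device is a Cisco IOS router with an extended ACL, handles only a small subset of ACE syntax, and uses constructed addresses, ACL lines and function names.

```python
import ipaddress

PAB_PORTS = (8404, 8405)  # TCP ports named in the advisory's 4.x workaround
ANY = ipaddress.ip_network("0.0.0.0/0")

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>'."""
    word = tokens.pop(0)
    if word == "any":
        return ANY
    if word == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # ipaddress accepts a host mask after the slash; non-contiguous
    # wildcards raise ValueError and are out of scope for this example.
    return ipaddress.ip_network(f"{word}/{wildcard}", strict=False)

def parse_ace(line):
    """Parse '{permit|deny} {tcp|ip} <src> <dst> [eq <port>]' (assumed subset)."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto not in ("tcp", "ip"):
        raise ValueError(f"unsupported ACE: {line!r}")
    src, dst = _take_addr(tokens), _take_addr(tokens)
    port = None
    if tokens:
        if proto != "tcp" or len(tokens) != 2 or tokens[0] != "eq":
            raise ValueError(f"unsupported ACE: {line!r}")
        port = int(tokens[1])
    return action, src, dst, port

def _subtract(nets, cut):
    """Parts of the networks in `nets` that are not covered by `cut`."""
    out = []
    for net in nets:
        if not net.overlaps(cut):
            out.append(net)
        elif not net.subnet_of(cut):          # cut lies strictly inside net
            out.extend(net.address_exclude(cut))
    return out

def _intersect(nets, other):
    """Parts of the networks in `nets` that are covered by `other`."""
    out = []
    for net in nets:
        if net.subnet_of(other):
            out.append(net)
        elif other.subnet_of(net):
            out.append(other)
    return out

def untrusted_exposure(acl_lines, server, trusted):
    """Return {port: [source networks outside `trusted` that the ACL permits]}."""
    server_net = ipaddress.ip_network(server + "/32")
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    aces = [parse_ace(line) for line in acl_lines]
    findings = {}
    for port in PAB_PORTS:
        remaining = [ANY]            # sources no earlier ACE has matched yet
        exposed = []
        for action, src, dst, ace_port in aces:
            if not server_net.subnet_of(dst) or ace_port not in (None, port):
                continue             # ACE does not apply to this server/port
            hit = _intersect(remaining, src)   # first match wins
            if action == "permit":
                for t in trusted_nets:
                    hit = _subtract(hit, t)
                exposed.extend(hit)
            remaining = _subtract(remaining, src)
        # whatever is left falls through to the implicit "deny ip any any"
        findings[port] = list(ipaddress.collapse_addresses(exposed))
    return findings

# Constructed sample data (documentation/private address ranges).
SERVER = "192.0.2.10"
TRUSTED = ["10.1.0.0/16"]
WEAK_ACL = [
    "permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.10 eq 8404",
    "permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.10 eq 8405",
    "permit ip 172.16.0.0 0.0.255.255 any",   # broad rule shadows the denies
    "deny tcp any host 192.0.2.10 eq 8404",
    "deny tcp any host 192.0.2.10 eq 8405",
    "permit ip any any",
]
HARDENED_ACL = [
    "permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.10 eq 8404",
    "permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.10 eq 8405",
    "deny tcp any host 192.0.2.10 eq 8404",
    "deny tcp any host 192.0.2.10 eq 8405",
    "permit ip 172.16.0.0 0.0.255.255 any",   # now evaluated after the denies
    "permit ip any any",
]

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        for port, nets in untrusted_exposure(acl, SERVER, TRUSTED).items():
            print(name, port, [str(n) for n in nets] or "only trusted sources")
```

An empty list for both ports means the ACL, as written, admits only the trusted networks to the synchronizer ports.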
    --- Begin Message ---
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Cisco Security Advisory: Cisco IOS cTCP Denial of Service
    Vulnerability
    
    Advisory ID: cisco-sa-20090325-ctcp
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
    
    Revision 1.0
    
    For Public Release 2009 March 25 1600 UTC (GMT)
    
    - ---------------------------------------------------------------------
    
    Summary
    =======
    
    A series of TCP packets may cause a denial of service (DoS) condition
    on Cisco IOS devices that are configured as Easy VPN servers with the
    Cisco Tunneling Control Protocol (cTCP) encapsulation feature. Cisco
    has released free software updates that address this vulnerability.
    No workarounds are available; however, the IPSec NAT traversal
    (NAT-T) feature can be used as an alternative.
    
    This advisory is posted at 
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
    
    Note: The March 25, 2009, Cisco IOS Security Advisory bundled
    publication includes eight Security Advisories. All of the advisories
    address vulnerabilities in Cisco IOS Software. Each advisory lists
    the releases that correct the vulnerability or vulnerabilities in the
    advisory. The following table lists releases that correct all Cisco
    IOS Software vulnerabilities that have been published in Cisco
    Security Advisories on March 25, 2009, or earlier.
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml
    
    Individual publication links are listed below:
    
      * Cisco IOS cTCP Denial of Service Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
    
      * Cisco IOS Software Multiple Features IP Sockets Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
    
      * Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
    
      * Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
    
      * Cisco IOS Software Session Initiation Protocol Denial of Service
        Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
    
      * Cisco IOS Software Multiple Features Crafted TCP Sequence
        Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
    
      * Cisco IOS Software Multiple Features Crafted UDP Packet
        Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
    
      * Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
    
    Affected Products
    =================
    
    Vulnerable Products
    +------------------
    
    Cisco IOS devices running versions 12.4(9)T or later and configured
    for Cisco Tunneling Control Protocol (cTCP) encapsulation for EZVPN
    server are vulnerable.
    
    Note: The cTCP encapsulation feature was introduced in Cisco IOS
    version 12.4(9)T. The cTCP encapsulation feature is disabled by
    default. Cisco IOS devices configured for EZVPN client are not
    affected by this vulnerability. Only devices configured as EZVPN
    servers are vulnerable.
    
    To configure the cTCP encapsulation feature for Easy VPN, use the
    crypto ctcp command in global configuration mode. You can optionally
    specify the port number that the device will listen to with the
    crypto ctcp port <port> command. Up to ten numbers can be configured
    and the port value can be from 1 through 65535. If the port keyword
    is not configured, the default port number is 10000. In the following
    example, the Cisco IOS device is configured to listen for cTCP
    messages on port 10000.
    
        crypto ctcp port 10000
    
    Note: The port keyword is configured only on the Cisco IOS device
    acting as an EZVPN server.
    
    To determine the version of the Cisco IOS software running on a Cisco
    product, log in to the device and issue the show version command to
    display the system banner. Cisco IOS software will identify itself as
    "Internetwork Operating System Software" or simply "IOS". On the next
    line of output, the image name will be displayed between parentheses,
    followed by "Version" and the IOS release name. Other Cisco devices
    will not have the show version command or will give different output.
    
    The following example identifies a Cisco product running Cisco IOS
    Software release 12.3(26) with an installed image name of C2500-IS-L:
    
            Router#show version
            Cisco Internetwork Operating System Software
            IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
            Technical Support: http://www.cisco.com/techsupport
            Copyright (c) 1986-2008 by cisco Systems, Inc.
            Compiled Mon 17-Mar-08 14:39 by dchih
    
          <output truncated>
    
    
    The next example shows a product running Cisco IOS Software release
    12.4(20)T with an image name of C1841-ADVENTERPRISEK9-M:
    
            Router#show version
            Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
            Technical Support: http://www.cisco.com/techsupport
            Copyright (c) 1986-2008 by Cisco Systems, Inc.
            Compiled Thu 10-Jul-08 20:25 by prod_rel_team
    
          <output truncated>
    
    Additional information on the Cisco IOS release naming conventions
    can be found on the document entitled "White Paper: Cisco IOS
    Reference Guide", which is available at 
    http://www.cisco.com/warp/public/620/1.html
    
    Products Confirmed Not Vulnerable
    +--------------------------------
    
    Cisco IOS devices that are not configured for cTCP are not affected
    by this vulnerability. The Cisco ASA and Cisco VPN 3000 series
    concentrators are not vulnerable. Cisco IOS devices configured as
    EZVPN clients are not affected by this vulnerability. The Cisco VPN
    Client is not vulnerable. Cisco IOS-XR and Cisco IOS-XE software are
    not affected by this vulnerability. No other Cisco products are
    currently known to be affected by this vulnerability.
    
    Details
    =======
    
    The Cisco Tunneling Control Protocol (cTCP) feature is used by Easy
    VPN remote devices operating in an environment in which standard IPSec
    does not function transparently without modification to existing
    firewall rules. The cTCP traffic is actually TCP traffic. Cisco IOS
    cTCP packets are Internet Key Exchange (IKE) or Encapsulating
    Security Payload (ESP) packets that are being transmitted over TCP.
    
    A vulnerability exists where a series of TCP packets may cause a
    Cisco IOS device that is configured as an Easy VPN server with the
    cTCP encapsulation feature to run out of memory. This vulnerability
    is documented in Cisco Bug IDs CSCsr16693 and CSCsu21828; and has 
    been assigned the Common Vulnerabilities and Exposures (CVE) 
    identifier CVE-2009-0635.
    
    Vulnerability Scoring Details
    =============================
    
    Cisco has provided scores for the vulnerability in this advisory
    based on the Common Vulnerability Scoring System (CVSS). The CVSS
    scoring in this Security Advisory is done in accordance with CVSS
    version 2.0.
    
    CVSS is a standards-based scoring method that conveys vulnerability
    severity and helps determine urgency and priority of response.
    
    Cisco has provided a base and temporal score. Customers can then
    compute environmental scores to assist in determining the impact of
    the vulnerability in individual networks.
    
    Cisco has provided an FAQ to answer additional questions regarding
    CVSS at
    
    http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
    
    Cisco has also provided a CVSS calculator to help compute the
    environmental impact for individual networks at
    
    http://intellishield.cisco.com/security/alertmanager/cvss.
    
    CSCsr16693 - cTCP server may crash when processing a series of TCP
                 packets
    
    CVSS Base Score - 7.8
    
     Access Vector           - Network
     Access Complexity       - Low
     Authentication          - None
     Confidentiality Impact  - None
     Integrity Impact        - None
     Availability Impact     - Complete
    
    CVSS Temporal Score - 6.4
    
     Exploitability          - Functional
     Remediation Level       - Official-Fix
     Report Confidence       - Confirmed
    
    CSCsu21828 - Cisco IOS Device may crash with cTCP enabled
    
    CVSS Base Score - 7.8
    
     Access Vector           - Network
     Access Complexity       - Low
     Authentication          - None
     Confidentiality Impact  - None
     Integrity Impact        - None
     Availability Impact     - Complete
    
    CVSS Temporal Score - 6.4
    
     Exploitability          - Functional
     Remediation Level       - Official-Fix
     Report Confidence       - Confirmed
    
    Impact
    ======
    
    Successful exploitation of this vulnerability may cause the affected
    device to run out of memory. Repeated exploitation will result in a
    denial of service (DoS) condition.
    
    Software Versions and Fixes
    ===========================
    
    When considering software upgrades, also consult 
    http://www.cisco.com/go/psirt and any subsequent advisories to 
    determine exposure and a complete upgrade solution.
    
    In all cases, customers should exercise caution to be certain the
    devices to be upgraded contain sufficient memory and that current
    hardware and software configurations will continue to be supported
    properly by the new release. If the information is not clear, contact
    the Cisco Technical Assistance Center (TAC) or your contracted
    maintenance provider for assistance.
    
    Each row of the Cisco IOS software table (below) names a Cisco IOS
    release train. If a given release train is vulnerable, then the
    earliest possible releases that contain the fix (along with the
    anticipated date of availability for each, if applicable) are listed
    in the "First Fixed Release" column of the table. The "Recommended
    Release" column indicates the releases which have fixes for all the
    published vulnerabilities at the time of this Advisory. A device
    running a release in the given train that is earlier than the release
    in a specific column (less than the First Fixed Release) is known to
    be vulnerable. Cisco recommends upgrading to a release equal to or
    later than the release in the "Recommended Releases" column of the
    table.
    
    +-------------------------------------------------------------------+
    |   Major Release   |       Availability of Repaired Releases       |
    |-------------------+-----------------------------------------------|
    | Affected          |                       |                       |
    | 12.0-Based        | First Fixed Release   | Recommended Release   |
    | Releases          |                       |                       |
    |-------------------------------------------------------------------|
    | There are no affected 12.0 based releases                         |
    |-------------------------------------------------------------------|
    | Affected          |                       |                       |
    | 12.1-Based        | First Fixed Release   | Recommended Release   |
    | Releases          |                       |                       |
    |-------------------------------------------------------------------|
    | There are no affected 12.1 based releases                         |
    |-------------------------------------------------------------------|
    | Affected          |                       |                       |
    | 12.2-Based        | First Fixed Release   | Recommended Release   |
    | Releases          |                       |                       |
    |-------------------------------------------------------------------|
    | There are no affected 12.2 based releases                         |
    |-------------------------------------------------------------------|
    | Affected          |                       |                       |
    | 12.3-Based        | First Fixed Release   | Recommended Release   |
    | Releases          |                       |                       |
    |-------------------------------------------------------------------|
    | There are no affected 12.3 based releases                         |
    |-------------------------------------------------------------------|
    | Affected          |                       |                       |
    | 12.4-Based        | First Fixed Release   | Recommended Release   |
    | Releases          |                       |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4              | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4JA            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4JDA           | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4JK            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4JL            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4JMA           | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4JMB           | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4JX            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4MD            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4MR            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4SW            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    |                   | 12.4(20)T2            | 12.4(22)T1            |
    | 12.4T             |                       |                       |
    |                   | 12.4(15)T9; Available | 12.4(15)T9; Available |
    |                   | on 29-APR-2009        | on 29-APR-2009        |
    |-------------------+-----------------------+-----------------------|
    | 12.4XA            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XB            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XC            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XD            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XE            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XF            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XG            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XJ            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XK            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XL            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XM            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XN            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XP            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XQ            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XR            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XT            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XV            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XW            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XY            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4XZ            | 12.4(15)XZ2           | 12.4(15)XZ2           |
    |-------------------+-----------------------+-----------------------|
    | 12.4YA            | 12.4(20)YA2           | 12.4(20)YA3           |
    |-------------------+-----------------------+-----------------------|
    | 12.4YB            | Not Vulnerable        |                       |
    |-------------------+-----------------------+-----------------------|
    | 12.4YD            | Not Vulnerable        |                       |
    +-------------------------------------------------------------------+
    
    Workarounds
    ===========
    
    No workarounds are available.
    
    As an alternative, the IPSec NAT traversal (NAT-T) feature can be
    used. The IPSec NAT-T feature introduces support for IP Security
    (IPSec) traffic to travel through Network Address Translation (NAT)
    or Port Address Translation (PAT) points in the network by addressing
    many known incompatibilities between NAT and IPSec.
    
    Note: The NAT-T feature was introduced in Cisco IOS version
    12.2(13)T.
    
    NAT Traversal is a feature that is auto detected by VPN devices.
    There are no configuration steps for a router running Cisco IOS
    Release 12.2(13)T and later. If both VPN devices are NAT-T capable,
    NAT Traversal is auto-detected and auto-negotiated.
    
    Note: When you enable NAT-T, the Cisco IOS device automatically opens
    UDP port 4500 on all IPSec enabled interfaces.
    
    Caution: Be aware that you may need to enable IPSec over UDP on Cisco
    VPN software clients to support NAT-T. Additionally, you may need to
    change firewall rules to allow UDP port 500 for Internet Key Exchange
    (IKE) and UDP port 4500 for NAT-T.
    
    For more information about NAT-T, refer to the white paper at:
    
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ipsec_nat_transp.html
    
    Additional mitigations that can be deployed on Cisco devices within
    the network are available in the Cisco Applied Mitigation Bulletin
    companion document for this advisory, which is available at the
    following link:
    
    http://www.cisco.com/warp/public/707/cisco-amb-20090325-ctcp.shtml
    
    Obtaining Fixed Software
    ========================
    
    Cisco has released free software updates that address this
    vulnerability. Prior to deploying software, customers should consult
    their maintenance provider or check the software for feature set
    compatibility and known issues specific to their environment.
    
    Customers may only install and expect support for the feature sets
    they have purchased. By installing, downloading, accessing or
    otherwise using such software upgrades, customers agree to be bound
    by the terms of Cisco's software license terms found at 
    http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
    or as otherwise set forth at Cisco.com Downloads at 
    http://www.cisco.com/public/sw-center/sw-usingswc.shtml
    
    Do not contact psirt@cisco.com or security-alert@cisco.com for
    software upgrades.
    
    Customers with Service Contracts
    +-------------------------------
    
    Customers with contracts should obtain upgraded software through
    their regular update channels. For most customers, this means that
    upgrades should be obtained through the Software Center on Cisco's
    worldwide website at http://www.cisco.com.
    
    Customers using Third Party Support Organizations
    +------------------------------------------------
    
    Customers whose Cisco products are provided or maintained through
    prior or existing agreements with third-party support organizations,
    such as Cisco Partners, authorized resellers, or service providers
    should contact that support organization for guidance and assistance
    with the appropriate course of action in regards to this advisory.
    
    The effectiveness of any workaround or fix is dependent on specific
    customer situations, such as product mix, network topology, traffic
    behavior, and organizational mission. Due to the variety of affected
    products and releases, customers should consult with their service
    provider or support organization to ensure any applied workaround or
    fix is the most appropriate for use in the intended network before it
    is deployed.
    
    Customers without Service Contracts
    +----------------------------------
    
    Customers who purchase direct from Cisco but do not hold a Cisco
    service contract, and customers who purchase through third-party
    vendors but are unsuccessful in obtaining fixed software through
    their point of sale should acquire upgrades by contacting the Cisco
    Technical Assistance Center (TAC). TAC contacts are as follows.
    
      * +1 800 553 2447 (toll free from within North America)
      * +1 408 526 7209 (toll call from anywhere in the world)
      * e-mail: tac@cisco.com
    
    Customers should have their product serial number available and be
    prepared to give the URL of this notice as evidence of entitlement to
    a free upgrade. Free upgrades for non-contract customers must be
    requested through the TAC.
    
    Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
    for additional TAC contact information, including localized 
    telephone numbers, and instructions and e-mail addresses for use in
    various languages.
    
    Exploitation and Public Announcements
    =====================================
    
    The Cisco PSIRT is not aware of any public announcements or malicious
    use of the vulnerability described in this advisory.
    
    This vulnerability was found during the resolution of a technical
    support service request.
    
    Status of this Notice: FINAL
    ============================
    
    THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
    KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
    MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
    INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
    AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
    DOCUMENT AT ANY TIME.
    
    A stand-alone copy or paraphrase of the text of this document that
    omits the distribution URL in the following section is an
    uncontrolled copy, and may lack important information or contain
    factual errors.
    
    Distribution
    ============
    
    This advisory is posted on Cisco's worldwide website at:
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
    
    In addition to worldwide web posting, a text version of this notice
    is clear-signed with the Cisco PSIRT PGP key and is posted to the
    following e-mail and Usenet news recipients.
    
      * cust-security-announce@cisco.com
      * first-bulletins@lists.first.org
      * bugtraq@securityfocus.com
      * vulnwatch@vulnwatch.org
      * cisco@spot.colorado.edu
      * cisco-nsp@puck.nether.net
      * full-disclosure@lists.grok.org.uk
      * comp.dcom.sys.cisco@newsgate.cisco.com
    
    Future updates of this advisory, if any, will be placed on Cisco's
    worldwide website, but may or may not be actively announced on
    mailing lists or newsgroups. Users concerned about this problem are
    encouraged to check the above URL for any updates.
    
    Revision History
    ================
    
    +---------------------------------------+
    | Revision |               | Initial    |
    | 1.0      | 2009-March-25 | public     |
    |          |               | release.   |
    +---------------------------------------+
    
    Cisco Security Procedures
    =========================
    
    Complete information on reporting security vulnerabilities in Cisco
    products, obtaining assistance with security incidents, and
    registering to receive security information from Cisco, is available
    on Cisco's worldwide website at 
    http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
    This includes instructions for press inquiries regarding Cisco 
    security notices. All Cisco security advisories are available at 
    http://www.cisco.com/go/psirt
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.8 (Darwin)
    
    iEYEARECAAYFAknKUaYACgkQ86n/Gc8U/uBSWwCbBgAQRNBNdft9MYK8bC1MP/Z4
    4D8AnA7qaiFqAdeWWbS+p4K601XNoo4S
    =Rvhp
    -----END PGP SIGNATURE-----
    
    
    
    

    --- End Message ---
    --- Begin Message ---
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Cisco Security Advisory: Cisco IOS Software Mobile IP and Mobile IPv6
    Vulnerabilities
    
    Advisory ID: cisco-sa-20090325-mobileip
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
    
    Revision 1.0
    
    For Public Release 2009 March 25 1600 UTC (GMT)
    
    - ---------------------------------------------------------------------
    
    Summary
    =======
    
    Devices that are running Cisco IOS Software and configured for Mobile
    IP Network Address Translation (NAT) Traversal feature or Mobile IPv6
    are vulnerable to a denial of service (DoS) attack that may result in
    a blocked interface.
    
    Cisco has released free software updates that address these
    vulnerabilities.
    
    This advisory is posted at the following link 
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
    
    Note: The March 25, 2009, Cisco IOS Security Advisory bundled
    publication includes eight Security Advisories. All of the advisories
    address vulnerabilities in Cisco IOS Software. Each advisory lists
    the releases that correct the vulnerability or vulnerabilities in the
    advisory. The following table lists releases that correct all Cisco
    IOS Software vulnerabilities that have been published in Cisco
    Security Advisories on March 25, 2009, or earlier.
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml
    
    Individual publication links are listed below:
    
      * Cisco IOS cTCP Denial of Service Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
    
      * Cisco IOS Software Multiple Features IP Sockets Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
    
      * Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
    
      * Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
    
      * Cisco IOS Software Session Initiation Protocol Denial of Service
        Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
    
      * Cisco IOS Software Multiple Features Crafted TCP Sequence
        Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
    
      * Cisco IOS Software Multiple Features Crafted UDP Packet
        Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
    
      * Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
    
    Affected Products
    =================
    
    Devices that are running an affected version of Cisco IOS Software
    and configured for Mobile IP NAT Traversal feature or Mobile IPv6 are
    vulnerable.
    
    Vulnerable Products
    +------------------
    
    Devices running Cisco IOS Software and configured for Mobile IP NAT
    Traversal feature will have a line similar to the following in the
    output of the show running-config command:
    
        ip mobile home-agent nat traversal [...]
    
    or
    
        ip mobile foreign-agent nat traversal [...]
    
    or
    
        ip mobile router-service collocated registration nat traversal [...]
    
    Devices running Cisco IOS Software and configured for Mobile IPv6
    will have a line similar to the following in the output of the show
    running-config command:
    
        ipv6 mobile home-agent
    
    To determine the Cisco IOS Software release that is running on a
    Cisco product, administrators can log in to the device and issue the
    show version command to display the system banner. The system banner
    confirms that the device is running Cisco IOS Software by displaying
    text similar to "Cisco Internetwork Operating System Software" or
    "Cisco IOS Software." The image name displays in parentheses,
    followed by "Version" and the Cisco IOS Software release name. Other
    Cisco devices do not have the show version command or may provide
    different output.
    
    The following example identifies a Cisco product that is running
    Cisco IOS Software Release 12.3(26) with an installed image name of
    C2500-IS-L:
    
            Router#show version
            Cisco Internetwork Operating System Software
            IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
            Technical Support: http://www.cisco.com/techsupport
            Copyright (c) 1986-2008 by cisco Systems, Inc.
            Compiled Mon 17-Mar-08 14:39 by dchih
            !--- output truncated
    
    
    The following example identifies a Cisco product that is running
    Cisco IOS Software Release 12.4(20)T with an installed image name of
    C1841-ADVENTERPRISEK9-M:
    
            Router#show version
            Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
            Technical Support: http://www.cisco.com/techsupport
            Copyright (c) 1986-2008 by Cisco Systems, Inc.
            Compiled Thu 10-Jul-08 20:25 by prod_rel_team
            !--- output truncated
    
    
    Additional information about Cisco IOS Software release naming
    conventions is available in "White Paper: Cisco IOS Reference Guide"
    at the following link: http://www.cisco.com/warp/public/620/1.html
    
    Products Confirmed Not Vulnerable
    +--------------------------------
    
    Cisco IOS XR is not affected by these vulnerabilities.
    
    Cisco IOS XE is not affected by these vulnerabilities.
    
    No other Cisco products are currently known to be affected by these
    vulnerabilities.
    
    Details
    =======
    
    Mobile IP is part of both IPv4 and IPv6 standards. Mobile IP allows a
    host device to be identified by a single IP address even though the
    device may move its physical point of attachment from one network to
    another. Regardless of movement between different networks,
    connectivity at the different points is achieved seamlessly without
    user intervention. Roaming from a wired network to a wireless or
    wide-area network is also possible.
    
    More information on Mobile IPv6 can be found at the following link:
    http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-mobile.html
    
    The Mobile IP Support NAT Traversal feature is documented in RFC
    3519. It introduces an alternative method for tunneling Mobile IP
    data traffic. New extensions in the Mobile IP registration request
    and reply messages have been added for establishing User Datagram
    Protocol (UDP) tunneling. This feature allows mobile devices in
    collocated mode that use a private IP address (RFC 1918) or foreign
    agents (FAs) that use a private IP address for the care-of address
    (CoA) to establish a tunnel and traverse a NAT-enabled router with
    mobile node (MN) data traffic from the home agent (HA).
    
    More information on Mobile IP NAT Traversal feature can be found at
    the following link: 
    http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gtnatmip.html
    
    Devices that are running an affected version of Cisco IOS Software
    and configured for Mobile IPv6 or Mobile IP NAT Traversal feature are
    affected by a DoS vulnerability. A successful exploitation of this
    vulnerability could cause an interface to stop processing traffic
    until the system is restarted. Offending packets need to be destined
    to the router for a successful exploit.
    
    These vulnerabilities are documented in the Cisco Bug IDs CSCsm97220 
    and CSCso05337 and have been assigned Common Vulnerabilities and 
    Exposures (CVE) IDs CVE-2009-0633 and CVE-2009-0634.
    
    Vulnerability Scoring Details
    =============================
    
    Cisco has provided scores for the vulnerabilities in this advisory
    based on the Common Vulnerability Scoring System (CVSS). The CVSS
    scoring in this Security Advisory is done in accordance with CVSS
    version 2.0.
    
    CVSS is a standards-based scoring method that conveys vulnerability
    severity and helps determine urgency and priority of response.
    
    Cisco has provided a base and temporal score. Customers can then
    compute environmental scores to assist in determining the impact of
    the vulnerability in individual networks.
    
    Cisco has provided an FAQ to answer additional questions regarding
    CVSS at
    
    http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
    
    Cisco has also provided a CVSS calculator to help compute the
    environmental impact for individual networks at
    
    http://intellishield.cisco.com/security/alertmanager/cvss
    
    CSCsm97220 - Input queue wedged by MIPv6 packets
    
    CVSS Base Score - 7.8
    
     Access Vector           - Network
     Access Complexity       - Low
     Authentication          - None
     Confidentiality Impact  - None
     Integrity Impact        - None
     Availability Impact     - Complete
    
    CVSS Temporal Score - 6.4
    
     Exploitability          - Functional
     Remediation Level       - Official-Fix
     Report Confidence       - Confirmed
    
    CSCso05337 - HA: Input queue wedged by ICMP packet
    
    CVSS Base Score - 7.1
    
     Access Vector           - Network
     Access Complexity       - Medium
     Authentication          - None
     Confidentiality Impact  - None
     Integrity Impact        - None
     Availability Impact     - Complete
    
    CVSS Temporal Score - 5.9
    
     Exploitability          - Functional
     Remediation Level       - Official-Fix
     Report Confidence       - Confirmed
    
    Impact
    ======
    
    Successful exploitation of the vulnerability may cause an interface
    to stop processing traffic, resulting in a DoS condition.
    
    Software Versions and Fixes
    ===========================
    
    When considering software upgrades, also consult 
    http://www.cisco.com/go/psirt and any subsequent advisories to 
    determine exposure and a complete upgrade solution.
    
    In all cases, customers should exercise caution to be certain the
    devices to be upgraded contain sufficient memory and that current
    hardware and software configurations will continue to be supported
    properly by the new release. If the information is not clear, contact
    the Cisco Technical Assistance Center (TAC) or your contracted
    maintenance provider for assistance.
    
    Each row of the Cisco IOS software table (below) names a Cisco IOS
    release train. If a given release train is vulnerable, then the
    earliest possible releases that contain the fix (along with the
    anticipated date of availability for each, if applicable) are listed
    in the "First Fixed Release" column of the table. The "Recommended
    Release" column indicates the releases which have fixes for all the
    published vulnerabilities at the time of this Advisory. A device
    running a release in the given train that is earlier than the release
    in a specific column (less than the First Fixed Release) is known to
    be vulnerable. Cisco recommends upgrading to a release equal to or
    later than the release in the "Recommended Releases" column of the
    table.
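
The checks described under "Vulnerable Products" (feature lines in show running-config, release name from the show version banner) and the "earlier than First Fixed Release" rule above can be combined into one triage script. This is an added example, not part of Cisco's advisory: the function names, status strings and the device output marked as constructed are assumptions, and FIRST_FIXED copies only rows of the table below that list a single fixed release.

```python
import re
from typing import NamedTuple, Optional

# Indicator lines quoted by the advisory for `show running-config`.
# Assumption: other keywords may sit between the agent keyword and
# "nat traversal", so the pattern tolerates them on the same line.
FEATURES = {
    "Mobile IP NAT Traversal": re.compile(
        r"^\s*ip mobile (?:home-agent|foreign-agent|"
        r"router-service collocated registration)\b.*\bnat traversal\b",
        re.MULTILINE),
    "Mobile IPv6": re.compile(r"^\s*ipv6 mobile home-agent\b", re.MULTILINE),
}

# Single-entry "First Fixed Release" rows copied from the advisory table.
# Trains that list several fixed releases (for example 12.4T) are not
# encoded here and fall through to manual review.
FIRST_FIXED = {
    "12.3YM": "12.3(14)YM13",
    "12.4MR": "12.4(19)MR",
    "12.4XL": "12.4(15)XL4",
    "12.4XQ": "12.4(15)XQ2",
}

IOS_MARKERS = ("Cisco IOS Software",
               "Cisco Internetwork Operating System Software")
BANNER = re.compile(r"\(([A-Za-z0-9_-]+)\), Version ([^,\s]+)")
RELEASE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]*)\)([A-Z]*)(\d*)$")


class Release(NamedTuple):
    train: str    # e.g. "12.4XL"; mainline releases give "12.4"
    order: tuple  # (maintenance number, letter, rebuild) within the train


def enabled_features(running_config: str) -> list:
    """Names of the affected features that appear in the configuration."""
    return [n for n, pat in FEATURES.items() if pat.search(running_config)]


def parse_banner(show_version: str) -> Optional[tuple]:
    """Return (image name, release) or None if this is not an IOS banner."""
    if not any(marker in show_version for marker in IOS_MARKERS):
        return None
    m = BANNER.search(show_version)
    return (m.group(1), m.group(2)) if m else None


def parse_release(version: str) -> Optional[Release]:
    """Split a release such as 12.3(14)YM13 into its train and ordering."""
    m = RELEASE.match(version)
    if not m:
        return None
    major, minor, maint, letter, train, rebuild = m.groups()
    return Release(f"{major}.{minor}{train}",
                   (int(maint), letter, int(rebuild or 0)))


def triage(running_config: str, show_version: str) -> str:
    """Classify one device from its two command outputs."""
    if not enabled_features(running_config):
        return "not exposed: feature not configured"
    banner = parse_banner(show_version)
    release = parse_release(banner[1]) if banner else None
    if release is None:
        return "manual review: release not recognised"
    fixed = FIRST_FIXED.get(release.train)
    if fixed is None:
        return "manual review: consult advisory table"
    if release.order < parse_release(fixed).order:
        return "vulnerable: earlier than " + fixed
    return "fixed: at or later than " + fixed


# Constructed sample device output (not taken from a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
ipv6 mobile home-agent
"""
SAMPLE_VERSION = ("Cisco IOS Software, EXAMPLE Software (EXAMPLE-IMAGE-M), "
                  "Version 12.4(15)XL3, RELEASE SOFTWARE (fc1)")

if __name__ == "__main__":
    print(enabled_features(SAMPLE_CONFIG))
    print(parse_banner(SAMPLE_VERSION))
    print(triage(SAMPLE_CONFIG, SAMPLE_VERSION))
```

A "manual review" result means the train has several fixed releases or is not encoded in FIRST_FIXED, so the row in the table has to be read directly.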
    
    +-------------------------------------------------------------------+
    |   Major    |          Availability of Repaired Releases           |
    |  Release   |                                                      |
    |------------+------------------------------------------------------|
    | Affected   |                                      | Recommended   |
    | 12.0-Based | First Fixed Release                  | Release       |
    | Releases   |                                      |               |
    |-------------------------------------------------------------------|
    | There are no affected 12.0 based releases                         |
    |-------------------------------------------------------------------|
    | Affected   |                                      | Recommended   |
    | 12.1-Based | First Fixed Release                  | Release       |
    | Releases   |                                      |               |
    |-------------------------------------------------------------------|
    | There are no affected 12.1 based releases                         |
    |-------------------------------------------------------------------|
    | Affected   |                                      | Recommended   |
    | 12.2-Based | First Fixed Release                  | Release       |
    | Releases   |                                      |               |
    |-------------------------------------------------------------------|
    | There are no affected 12.2 based releases                         |
    |-------------------------------------------------------------------|
    | Affected   |                                      | Recommended   |
    | 12.3-Based | First Fixed Release                  | Release       |
    | Releases   |                                      |               |
    |------------+--------------------------------------+---------------|
    | 12.3       | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3B      | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3BC     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3BW     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3EU     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3JA     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3JEA    | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3JEB    | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3JEC    | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3JK     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3JL     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3JX     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.3T      | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    | 12.3TPC    | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3VA     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XA     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XB     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XC     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XD     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XE     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XF     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XG     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XI     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XJ     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XK     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XL     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XQ     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XR     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XS     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XU     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XW     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XX     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XY     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XZ     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3YA     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3YD     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3YF     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3YG     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3YH     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3YI     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3YJ     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    |            | Releases prior to 12.3(11)YK3 are    | 12.4(22)T1    |
    |            | vulnerable, release 12.3(11)YK3 and  |               |
    | 12.3YK     | later are not vulnerable; first      | 12.4(15)T9;   |
    |            | fixed in 12.4T                       | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    | 12.3YM     | 12.3(14)YM13                         | 12.3(14)YM13  |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.3YQ     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.3YS     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.3YT     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.3YU     | Vulnerable; migrate to 12.4T         | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    |            | Releases prior to 12.3(14)YX10 are   |               |
    | 12.3YX     | vulnerable, release 12.3(14)YX10 and | 12.3(14)YX14  |
    |            | later are not vulnerable;            |               |
    |------------+--------------------------------------+---------------|
    | 12.3YZ     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3ZA     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | Affected   |                                      | Recommended   |
    | 12.4-Based | First Fixed Release                  | Release       |
    | Releases   |                                      |               |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(18e)     |
    |            | 12.4(18e)                            |               |
    | 12.4       |                                      | 12.4(23a);    |
    |            | 12.4(23a); Available on 30-APR-2009  | Available on  |
    |            |                                      | 30-APR-2009   |
    |------------+--------------------------------------+---------------|
    | 12.4JA     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4JDA    | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4JK     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4JL     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4JMA    | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4JMB    | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4JX     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4MD     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4MR     | 12.4(19)MR                           | 12.4(19)MR2   |
    |------------+--------------------------------------+---------------|
    | 12.4SW     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    |            | 12.4(20)T                            | 12.4(22)T1    |
    |            |                                      |               |
    | 12.4T      | 12.4(15)T8                           | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            | 12.4(15)T9; Available on 29-APR-2009 | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.4XA     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    |            | 12.4(15)T8                           | 12.4(22)T1    |
    |            |                                      |               |
    | 12.4XB     | 12.4(20)T                            | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            | 12.4(15)T9; Available on 29-APR-2009 | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.4XC     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    |            | 12.4(4)XD12; Available on            | 12.4(4)XD12;  |
    | 12.4XD     | 27-MAR-2009                          | Available on  |
    |            |                                      | 27-MAR-2009   |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.4XE     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.4XF     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    | 12.4XG     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.4XJ     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    | 12.4XK     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4XL     | 12.4(15)XL4                          | 12.4(15)XL4   |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.4XM     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    | 12.4XN     | Vulnerable; contact TAC              |               |
    |------------+--------------------------------------+---------------|
    | 12.4XP     | Vulnerable; contact TAC              |               |
    |------------+--------------------------------------+---------------|
    | 12.4XQ     | 12.4(15)XQ2                          | 12.4(15)XQ2   |
    |------------+--------------------------------------+---------------|
    | 12.4XR     | 12.4(15)XR4                          | 12.4(22)T1    |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.4XT     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    | 12.4XV     | Vulnerable; contact TAC              |               |
    |------------+--------------------------------------+---------------|
    | 12.4XW     | 12.4(11)XW10                         | 12.4(11)XW10  |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.4XY     | 12.4(15)XY4                          | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    | 12.4XZ     | 12.4(15)XZ1                          | 12.4(15)XZ2   |
    |------------+--------------------------------------+---------------|
    | 12.4YA     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4YB     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4YD     | Not Vulnerable                       |               |
    +-------------------------------------------------------------------+
    
    Workarounds
    ===========
    
    The following mitigation and identification methods have been
    identified for these vulnerabilities:
    
    Infrastructure Access Control Lists
    +----------------------------------
    
    Although it is often difficult to block traffic that transits a
    network, it is possible to identify traffic that should never be
    allowed to target infrastructure devices and block that traffic at
    the border of networks. Infrastructure Access Control Lists (iACLs)
    are a network security best practice and should be considered as a
    long-term addition to good network security as well as a workaround
    for these specific vulnerabilities. The iACL example below should be
    included as part of the deployed infrastructure access-list which
    will protect all devices with IP addresses in the infrastructure IP
    address range:
    
    IPv4 example:
    
    
        !--- Anti-spoofing entries are shown here.
    
        !--- Deny special-use address sources.
        !--- Refer to RFC 3330 for additional special use addresses.
    
        access-list 110 deny ip host 0.0.0.0 any
        access-list 110 deny ip 127.0.0.0 0.255.255.255 any
        access-list 110 deny ip 192.0.2.0 0.0.0.255 any
        access-list 110 deny ip 224.0.0.0 31.255.255.255 any
    
        !--- Filter RFC 1918 space.
    
        access-list 110 deny ip 10.0.0.0 0.255.255.255 any
        access-list 110 deny ip 172.16.0.0 0.15.255.255 any
        access-list 110 deny ip 192.168.0.0 0.0.255.255 any
    
        !--- Deny your space as source from entering your AS.
        !--- Deploy only at the AS edge.
    
        access-list 110 deny ip YOUR_CIDR_BLOCK any
    
        !--- Permit BGP.
    
        access-list 110 permit tcp host bgp_peer host router_ip eq bgp
        access-list 110 permit tcp host bgp_peer eq bgp host router_ip
    
        !--- Deny access to internal infrastructure addresses.
    
        access-list 110 deny ip any INTERNAL_INFRASTRUCTURE_ADDRESSES
    
        !--- Permit transit traffic.
    
        access-list 110 permit ip any any
    
    IPv6 example:
    
    
        !--- Configure the access-list.
    
        ipv6 access-list iacl
    
        !--- Deny your space as source from entering your AS.
        !--- Deploy only at the AS edge.
    
        deny ipv6 YOUR_CIDR_BLOCK_IPV6 any
    
        !--- Permit multiprotocol BGP.
    
        permit tcp host bgp_peer_ipv6 host router_ipv6 eq bgp
        permit tcp host bgp_peer_ipv6 eq bgp host router_ipv6
    
        !--- Deny access to internal infrastructure addresses.
    
        deny ipv6 any INTERNAL_INFRASTRUCTURE_ADDRESSES_IPV6
    
        !--- Permit transit traffic.
    
        permit ipv6 any any
    
    The white paper entitled "Protecting Your Core: Infrastructure
    Protection Access Control Lists" presents guidelines and recommended
    deployment techniques for infrastructure protection access lists.
    This white paper can be obtained at the following link:
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
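
    The first-match behaviour of the IPv4 iACL above can be checked
    offline before it is deployed. The following Python evaluator is an
    added example, not part of the Cisco advisory. The placeholder values
    are constructed from RFC 5737 documentation prefixes, and the model
    covers only the entry forms used in the IPv4 example (any, host,
    address plus wildcard, eq port), not the full IOS ACL feature set.

```python
import ipaddress
from collections import namedtuple

# Constructed values for the advisory's placeholders (RFC 5737 documentation
# prefixes). 192.0.2.0/24 is not used because the iACL itself denies it.
SUBST = {
    "YOUR_CIDR_BLOCK": "198.51.100.0 0.0.0.255",
    "INTERNAL_INFRASTRUCTURE_ADDRESSES": "198.51.100.0 0.0.0.15",
    "bgp_peer": "203.0.113.1",
    "router_ip": "198.51.100.1",
}

# Entries of the advisory's IPv4 example, in the same order, comments omitted.
IACL = """\
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip YOUR_CIDR_BLOCK any
access-list 110 permit tcp host bgp_peer host router_ip eq bgp
access-list 110 permit tcp host bgp_peer eq bgp host router_ip
access-list 110 deny ip any INTERNAL_INFRASTRUCTURE_ADDRESSES
access-list 110 permit ip any any
"""

PORTS = {"bgp": 179}
Rule = namedtuple("Rule", "text action proto src sport dst dport")


def take_addr(tok):
    """Consume one address spec ('any', 'host A', 'A WILDCARD') from tok."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))


def take_port(tok):
    """Consume an optional 'eq PORT' qualifier; return the port or None."""
    if tok and tok[0] == "eq":
        name = tok[1]
        del tok[:2]
        return PORTS[name] if name in PORTS else int(name)
    return None


def parse_acl(text, subst):
    """Parse 'access-list N action proto src [eq p] dst [eq p]' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        # Replace placeholder tokens, which may expand to 'address wildcard'.
        tok = [t for word in line.split() for t in subst.get(word, word).split()]
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, sport = take_addr(rest), take_port(rest)
        dst, dport = take_addr(rest), take_port(rest)
        rules.append(Rule(line, action, proto, src, sport, dst, dport))
    return rules


def hit(spec, addr):
    """Wildcard match: bits set in the wildcard are 'don't care' bits."""
    base, wildcard = spec
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """Return (action, matching entry) for one packet; the first match wins."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if not (hit(r.src, s) and hit(r.dst, d)):
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.text
    return "deny", "implicit deny"


if __name__ == "__main__":
    acl = parse_acl(IACL, SUBST)
    samples = [  # constructed packets: (label, proto, src, dst, sport, dport)
        ("BGP from configured peer", "tcp", "203.0.113.1", "198.51.100.1", 40000, 179),
        ("SSH from peer to router", "tcp", "203.0.113.1", "198.51.100.1", 40000, 22),
        ("transit to a customer host", "tcp", "203.0.113.50", "198.51.100.200", 40000, 443),
        ("own space spoofed as source", "udp", "198.51.100.77", "198.51.100.200", 5000, 5000),
    ]
    for label, *pkt in samples:
        action, entry = evaluate(acl, *pkt)
        print(f"{label:30} {action:6} <- {entry}")
```

    Moving the infrastructure deny entry above the two BGP permit entries
    makes the same evaluator deny the BGP session, which is why the
    advisory lists the permits first.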
    
    Cisco IOS Embedded Event Manager
    +-------------------------------
    
    It is possible to detect blocked interface queues with a Cisco IOS
    Embedded Event Manager (EEM) policy. EEM provides event detection and
    reaction capabilities on a Cisco IOS device. EEM can alert
    administrators of blocked interfaces with email, a syslog message, or
    a Simple Network Management Protocol (SNMP) trap.
    
    A sample EEM policy that uses syslog to alert administrators of
    blocked interfaces is available at Cisco Beyond, an online community
    dedicated to EEM. A sample script is available at the following link:
    
    http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=981
    
    More information about EEM is available from Cisco.com at the
    following link: 
    http://www.cisco.com/en/US/products/ps6815/products_ios_protocol_group_home.html
    
    Obtaining Fixed Software
    ========================
    
    Cisco has released free software updates that address these
    vulnerabilities. Prior to deploying software, customers should
    consult their maintenance provider or check the software for feature
    set compatibility and known issues specific to their environment.
    
    Customers may only install and expect support for the feature sets
    they have purchased. By installing, downloading, accessing or
    otherwise using such software upgrades, customers agree to be bound
    by the terms of Cisco's software license terms found at 
    http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
    or as otherwise set forth at Cisco.com Downloads at 
    http://www.cisco.com/public/sw-center/sw-usingswc.shtml
    
    Do not contact psirt@cisco.com or security-alert@cisco.com for
    software upgrades.
    
    Customers with Service Contracts
    +-------------------------------
    
    Customers with contracts should obtain upgraded software through
    their regular update channels. For most customers, this means that
    upgrades should be obtained through the Software Center on Cisco's
    worldwide website at http://www.cisco.com
    
    Customers using Third Party Support Organizations
    +------------------------------------------------
    
    Customers whose Cisco products are provided or maintained through
    prior or existing agreements with third-party support organizations,
    such as Cisco Partners, authorized resellers, or service providers
    should contact that support organization for guidance and assistance
    with the appropriate course of action with regard to this advisory.
    
    The effectiveness of any workaround or fix is dependent on specific
    customer situations, such as product mix, network topology, traffic
    behavior, and organizational mission. Due to the variety of affected
    products and releases, customers should consult with their service
    provider or support organization to ensure any applied workaround or
    fix is the most appropriate for use in the intended network before it
    is deployed.
    
    Customers without Service Contracts
    +----------------------------------
    
    Customers who purchase direct from Cisco but do not hold a Cisco
    service contract, and customers who purchase through third-party
    vendors but are unsuccessful in obtaining fixed software through
    their point of sale should acquire upgrades by contacting the Cisco
    Technical Assistance Center (TAC). TAC contacts are as follows.
    
      * +1 800 553 2447 (toll free from within North America)
      * +1 408 526 7209 (toll call from anywhere in the world)
      * e-mail: tac@cisco.com
    
    Customers should have their product serial number available and be
    prepared to give the URL of this notice as evidence of entitlement to
    a free upgrade. Free upgrades for non-contract customers must be
    requested through the TAC.
    
    Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
    for additional TAC contact information, including localized telephone
    numbers, and instructions and e-mail addresses for use in various 
    languages.
    
    Exploitation and Public Announcements
    =====================================
    
    The Cisco PSIRT is not aware of any public announcements or malicious
    use of the vulnerability described in this advisory.
    
    This vulnerability was reported to Cisco by a customer.
    
    Status of this Notice: FINAL
    ============================
    
    THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
    KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
    MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
    INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
    AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
    DOCUMENT AT ANY TIME.
    
    A stand-alone copy or paraphrase of the text of this document that
    omits the distribution URL in the following section is an
    uncontrolled copy, and may lack important information or contain
    factual errors.
    
    Distribution
    ============
    
    This advisory is posted on Cisco's worldwide website at:
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
    
    In addition to worldwide web posting, a text version of this notice
    is clear-signed with the Cisco PSIRT PGP key and is posted to the
    following e-mail and Usenet news recipients.
    
      * cust-security-announce@cisco.com
      * first-bulletins@lists.first.org
      * bugtraq@securityfocus.com
      * vulnwatch@vulnwatch.org
      * cisco@spot.colorado.edu
      * cisco-nsp@puck.nether.net
      * full-disclosure@lists.grok.org.uk
      * comp.dcom.sys.cisco@newsgate.cisco.com
    
    Future updates of this advisory, if any, will be placed on Cisco's
    worldwide website, but may or may not be actively announced on
    mailing lists or newsgroups. Users concerned about this problem are
    encouraged to check the above URL for any updates.
    
    Revision History
    ================
    
    +---------------------------------------+
    | Revision |             | Initial      |
    | 1.0      | 2009-Mar-25 | public       |
    |          |             | release      |
    +---------------------------------------+
    
    Cisco Security Procedures
    =========================
    
    Complete information on reporting security vulnerabilities in Cisco
    products, obtaining assistance with security incidents, and
    registering to receive security information from Cisco, is available
    on Cisco's worldwide website at 
    http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
    This includes instructions for press inquiries regarding Cisco 
    security notices. All Cisco security advisories are available at 
    http://www.cisco.com/go/psirt
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.8 (Darwin)
    
    iEYEARECAAYFAknKUa8ACgkQ86n/Gc8U/uBD0ACfYblb5Nscx1zIWMLeihiaZAe7
    TtsAoIGgf8/ubiolVwSDmu/tCTgH8skm
    =YxAj
    -----END PGP SIGNATURE-----
    
    
    
    

    --- End Message ---
    --- Begin Message ---
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Cisco Security Advisory: Cisco IOS Software Secure Copy Privilege
    Escalation Vulnerability
    
    Advisory ID: cisco-sa-20090325-scp
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
    
    Revision 1.0
    
    For Public Release 2009 March 25 1600 UTC (GMT)
    
    - ---------------------------------------------------------------------
    
    Summary
    =======
    
    The server side of the Secure Copy (SCP) implementation in Cisco IOS
    software contains a vulnerability that could allow authenticated
    users with an attached command-line interface (CLI) view to transfer
    files to and from a Cisco IOS device that is configured to be an SCP
    server, regardless of what users are authorized to do, per the CLI
    view configuration. This vulnerability could allow valid users to
    retrieve or write to any file on the device's file system, including
    the device's saved configuration and Cisco IOS image files, even if
    the CLI view attached to the user does not allow it. This
    configuration file may include passwords or other sensitive
    information.
    
    The Cisco IOS SCP server is an optional service that is disabled by
    default. CLI views are a fundamental component of the Cisco IOS
    Role-Based CLI Access feature, which is also disabled by default.
    Devices that are not specifically configured to enable the Cisco IOS
    SCP server, or that are configured to use it but do not use
    role-based CLI access, are not affected by this vulnerability.
    
    This vulnerability does not apply to the Cisco IOS SCP client
    feature.
    
    Cisco has released free software updates that address this
    vulnerability.
    
    There are no workarounds available for this vulnerability apart from
    disabling either the SCP server or the CLI view feature if these
    services are not required by administrators.
    
    This advisory is posted at the following link: 
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
    
    Note: The March 25, 2009, Cisco IOS Security Advisory bundled
    publication includes eight Security Advisories. All of the advisories
    address vulnerabilities in Cisco IOS Software. Each advisory lists
    the releases that correct the vulnerability or vulnerabilities in the
    advisory. The following table lists releases that correct all Cisco
    IOS Software vulnerabilities that have been published in Cisco
    Security Advisories on March 25, 2009, or earlier.
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml
    
    Individual publication links are listed below:
    
      * Cisco IOS cTCP Denial of Service Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
    
      * Cisco IOS Software Multiple Features IP Sockets Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
    
      * Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
    
      * Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
    
      * Cisco IOS Software Session Initiation Protocol Denial of Service
        Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
    
      * Cisco IOS Software Multiple Features Crafted TCP Sequence
        Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
    
      * Cisco IOS Software Multiple Features Crafted UDP Packet
        Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
    
      * Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
    
    Affected Products
    =================
    
    Vulnerable Products
    +------------------
    
    Cisco devices running an affected Cisco IOS software release,
    configured to offer SCP server functionality, and configured to use
    role-based CLI access are affected by this issue.
    
    A device running a vulnerable Cisco IOS software release is affected
    if its configuration is similar to the following:
    
        parser view <view name>
         <Definition of the CLI view>
        !
        username <user ID> view <view name> secret <some secret>
        !
        ip scp server enable
    
    In the above configuration snippet, the parser view command defines a
    view that specifies what commands users in that view can execute. The
    username command defines a local user and attaches, via the view
    keyword, the previously defined view to the user. And finally, the ip
    scp server enable command enables the Cisco IOS SCP server.
    
    The absence of the username command does not guarantee that the
    device's configuration is not affected by this vulnerability because
    the name of a CLI view can be supplied by means of an Authentication,
    Authorization, and Accounting (AAA) server by using the cli-view-name
    attribute.
    
    Note: The CLI view attached to a user can be supplied by a AAA
    server. When inspecting a device's configuration to determine if it
    is affected by this vulnerability, it is better to check if the SCP
    service is enabled (ip scp server enable command) and whether there
    are any CLI views defined (parser view command).
    
    The Cisco IOS SCP server and role-based CLI access features are
    disabled by default.
    
    The SCP server functionality is only available on encryption-capable
    images. Encryption-capable images are those that contain either a
    "k8" or "k9" in the image name, for example, "C7200-ADVSECURITYK9-M".
    Devices that do not run encryption-capable images are not vulnerable.
    If a device is running an encryption-capable image, the presence in
    the configuration of the ip scp server enable command, the existence
    of CLI views (parser view command), and whether there are users
    (local or remote) attached to these views will determine if the
    device is affected.
    
    To determine the Cisco IOS Software release that is running on a
    Cisco product, administrators can log in to the device and issue the
    show version command to display the system banner. The system banner
    confirms that the device is running Cisco IOS Software by displaying
    text similar to "Cisco Internetwork Operating System Software" or
    "Cisco IOS Software." The image name displays in parentheses,
    followed by "Version" and the Cisco IOS Software release name. Other
    Cisco devices do not have the show version command or may provide
    different output.
    
    The following example identifies a Cisco product that is running
    Cisco IOS Software Release 12.3(26) with an installed image name of
    C2500-IS-L:
    
        Router#show version
        Cisco Internetwork Operating System Software
        IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2008 by cisco Systems, Inc.
        Compiled Mon 17-Mar-08 14:39 by dchih
    
        !--- output truncated
    
    
    The following example identifies a Cisco product that is running
    Cisco IOS Software Release 12.4(20)T with an installed image name of
    C1841-ADVENTERPRISEK9-M:
    
        Router#show version
        Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2008 by Cisco Systems, Inc.
        Compiled Thu 10-Jul-08 20:25 by prod_rel_team
    
        !--- output truncated
    
    
    Additional information about Cisco IOS Software release naming
    conventions is available in "White Paper: Cisco IOS Reference Guide"
    at the following link: http://www.cisco.com/warp/public/620/1.html
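
    The image and configuration checks described in this section can be
    run against saved show version and running-configuration output. The
    following Python is an added example, not part of the Cisco advisory.
    The sample configuration, user name and view name are constructed, and
    the release is reported but not compared against the fixed-release
    table.

```python
import re

# 'show version' banner: image name in parentheses, then "Version <release>".
BANNER_RE = re.compile(r"\(([A-Za-z0-9_.-]+)\), Version ([^,\s]+)")

# Banner lines as shown in the advisory's two examples.
SHOW_VERSION_K9 = (
    "Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), "
    "Version 12.4(20)T, RELEASE SOFTWARE (fc3)\n"
)
SHOW_VERSION_NOCRYPTO = (
    "Cisco Internetwork Operating System Software\n"
    "IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)\n"
)

# Constructed running-config fragment in the shape the advisory describes.
CONFIG_LOCAL_VIEW = """\
aaa new-model
!
parser view monitor
 secret 5 PLACEHOLDER
 commands exec include show version
!
username noc view monitor secret 5 PLACEHOLDER
!
ip scp server enable
"""


def parse_show_version(text):
    """Return (image_name, release), or (None, None) if no IOS banner is found."""
    m = BANNER_RE.search(text)
    return (m.group(1), m.group(2)) if m else (None, None)


def audit(show_version, running_config):
    """Apply the advisory's criteria: encryption-capable image, SCP server
    enabled, CLI views defined. Local 'username ... view' lines are reported,
    but their absence does not clear the device, because a AAA server can
    attach a view with the cli-view-name attribute."""
    image, release = parse_show_version(show_version)
    # Encryption-capable images carry "k8" or "k9" in the image name.
    crypto = None if image is None else bool(re.search(r"k[89]", image, re.I))
    lines = running_config.splitlines()
    # Exact match in column 0, so 'no ip scp server enable' does not count.
    scp = any(l.rstrip() == "ip scp server enable" for l in lines)
    views = [m.group(1) for l in lines if (m := re.match(r"parser view (\S+)", l))]
    view_users = {m.group(1): m.group(2) for l in lines
                  if (m := re.match(r"username (\S+) (?:.* )?view (\S+)", l))}

    if crypto is False:
        affected, reason = False, "image is not encryption-capable (no k8/k9 in name)"
    elif not scp:
        affected, reason = False, "SCP server is not enabled"
    elif not views:
        affected, reason = False, "no CLI views are defined"
    elif view_users:
        affected, reason = True, "SCP server enabled and local users attached to views"
    else:
        affected, reason = True, ("SCP server enabled and views defined; a AAA "
                                  "server may attach them via cli-view-name")
    return {"image": image, "release": release, "scp_server": scp,
            "views": views, "view_users": view_users,
            "config_affected": affected, "reason": reason}


if __name__ == "__main__":
    for banner in (SHOW_VERSION_K9, SHOW_VERSION_NOCRYPTO):
        result = audit(banner, CONFIG_LOCAL_VIEW)
        print(result["image"], result["release"],
              "affected configuration" if result["config_affected"] else "not affected",
              "-", result["reason"])
```

    A result of config_affected means the configuration matches the
    affected pattern; the running release still has to be checked against
    the First Fixed Release column for its train.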
    
    Cisco IOS XE Software is also affected by this vulnerability.
    
    Products Confirmed Not Vulnerable
    +--------------------------------
    
    Cisco devices that do not run Cisco IOS software are not affected.
    
    Cisco IOS devices that do not have the SCP server feature enabled, or
    that make use of the feature but do not have the role-based CLI
    feature enabled, are not affected.
    
    Cisco IOS XR Software is not affected.
    
    No other Cisco products are currently known to be affected by this
    vulnerability.
    
    Details
    =======
    
    SCP is a protocol similar to the Remote Copy (RCP) protocol, which
    allows the transfer of files between systems. The main difference
    between SCP and RCP is that in SCP, all aspects of the file transfer
    session, including authentication, occur in encrypted form, which
    makes SCP a more secure alternative than RCP. SCP relies on the
    Secure Shell (SSH) protocol, which uses TCP port 22 by default.
    
    The Role-Based CLI Access feature allows the network administrator to
    define "views". Views are sets of operational commands and
    configuration capabilities that provide selective or partial access
    to Cisco IOS software EXEC and configuration (Config) mode commands.
    Views restrict user access to Cisco IOS command-line interface (CLI)
    and configuration information; that is, a view can define what
    commands are accepted and what configuration information is visible.
    For more information about the Role-Based CLI Access feature,
    reference 
    http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
    
    The server side of the SCP implementation in Cisco IOS software
    contains a vulnerability that allows authenticated users with an
    attached command-line interface (CLI) view to transfer files to and
    from a Cisco IOS device that is configured to be an SCP server,
    regardless of what users are authorized to do, per the CLI view
    configuration. This vulnerability could allow authenticated users to
    retrieve or write to any file on the device's file system, including
    the device's saved configuration and Cisco IOS image files. This
    configuration file may include passwords or other sensitive
    information.
    
    In the affected configuration presented in the Affected Products
    section, users confined to a CLI view can elevate their privileges by
    using SCP to write to the device's configuration. Note that a view
    can be attached to a user when defining the user in the local
    database (via the username <user name> view ... command), or by
    passing the attribute cli-view-name from an AAA server.
    
    This vulnerability does not allow for authentication bypass; login
    credentials are verified and access is only granted if a valid
    username and password are provided. This vulnerability may cause
    authorization to be bypassed.
    
    This vulnerability is documented in the Cisco Bug ID CSCsv38166 
    and has been assigned Common Vulnerabilities and Exposures (CVE) ID
    CVE-2009-0637.
    
    Vulnerability Scoring Details
    =============================
    
    Cisco has provided scores for the vulnerabilities in this advisory
    based on the Common Vulnerability Scoring System (CVSS). The CVSS
    scoring in this Security Advisory is done in accordance with CVSS
    version 2.0.
    
    CVSS is a standards-based scoring method that conveys vulnerability
    severity and helps determine urgency and priority of response.
    
    Cisco has provided a base and temporal score. Customers can then
    compute environmental scores to assist in determining the impact of
    the vulnerability in individual networks.
    
    Cisco has provided an FAQ to answer additional questions regarding
    CVSS at
    
    http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
    
    Cisco has also provided a CVSS calculator to help compute the
    environmental impact for individual networks at
    
    http://intellishield.cisco.com/security/alertmanager/cvss
    
    CSCsv38166 - SCP + views (role-based CLI) allows privilege escalation
    
    CVSS Base Score - 9.0
    
     Access Vector           - Network
     Access Complexity       - Low
     Authentication          - Single
     Confidentiality Impact  - Complete
     Integrity Impact        - Complete
     Availability Impact     - Complete
    
    CVSS Temporal Score - 7.4
    
     Exploitability          - Functional
     Remediation Level       - Official-Fix
     Report Confidence       - Confirmed
    
    Impact
    ======
    
    Successful exploitation of the vulnerability described in this
    advisory may allow valid but unauthorized users to retrieve or write
    to any file on the device's file system, including the device's saved
    configuration and Cisco IOS image files. This configuration file may
    include passwords or other sensitive information.
    
    Software Versions and Fixes
    ===========================
    
    When considering software upgrades, also consult 
    http://www.cisco.com/go/psirt and any subsequent advisories to 
    determine exposure and a complete upgrade solution.
    
    In all cases, customers should exercise caution to be certain the
    devices to be upgraded contain sufficient memory and that current
    hardware and software configurations will continue to be supported
    properly by the new release. If the information is not clear, contact
    the Cisco Technical Assistance Center (TAC) or your contracted
    maintenance provider for assistance.
    
    Each row of the Cisco IOS software table (below) names a Cisco IOS
    release train. If a given release train is vulnerable, then the
    earliest possible releases that contain the fix (along with the
    anticipated date of availability for each, if applicable) are listed
    in the "First Fixed Release" column of the table. The "Recommended
    Release" column indicates the releases which have fixes for all the
    published vulnerabilities at the time of this Advisory. A device
    running a release in the given train that is earlier than the release
    in a specific column (less than the First Fixed Release) is known to
    be vulnerable. Cisco recommends upgrading to a release equal to or
    later than the release in the "Recommended Release" column of the
    table.
    
    +-------------------------------------------------------------------+
    |   Major    |          Availability of Repaired Releases           |
    |  Release   |                                                      |
    |------------+------------------------------------------------------|
    | Affected   |                                    | Recommended     |
    | 12.0-Based | First Fixed Release                | Release         |
    | Releases   |                                    |                 |
    |-------------------------------------------------------------------|
    | There are no affected 12.0 based releases                         |
    |-------------------------------------------------------------------|
    | Affected   |                                    | Recommended     |
    | 12.1-Based | First Fixed Release                | Release         |
    | Releases   |                                    |                 |
    |-------------------------------------------------------------------|
    | There are no affected 12.1 based releases                         |
    |-------------------------------------------------------------------|
    | Affected   |                                    | Recommended     |
    | 12.2-Based | First Fixed Release                | Release         |
    | Releases   |                                    |                 |
    |------------+------------------------------------+-----------------|
    | 12.2       | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2B      | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2BC     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2BW     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2BX     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2BY     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2BZ     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2CX     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2CY     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2CZ     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2DA     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2DD     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2DX     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2EW     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2EWA    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2EX     | Vulnerable; migrate to any release | 12.2(44)SE6     |
    |            | in 12.2SEG                         |                 |
    |------------+------------------------------------+-----------------|
    | 12.2EY     | Vulnerable; first fixed in 12.2SE  | 12.2(44)SE6     |
    |------------+------------------------------------+-----------------|
    | 12.2EZ     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2FX     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2FY     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2FZ     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.2(33)SRC4;   |
    | 12.2IRA    | Vulnerable; first fixed in 12.2SRC | Available on    |
    |            |                                    | 18-MAY-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.2(33)SRC4;   |
    | 12.2IRB    | Vulnerable; first fixed in 12.2SRC | Available on    |
    |            |                                    | 18-MAY-2009     |
    |------------+------------------------------------+-----------------|
    | 12.2IXA    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2IXB    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2IXC    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2IXD    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2IXE    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2IXF    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2IXG    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2JA     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2JK     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2MB     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2MC     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2S      | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SB     | 12.2(33)SB4                        | 12.2(33)SB4     |
    |------------+------------------------------------+-----------------|
    | 12.2SBC    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SCA    | Vulnerable; first fixed in 12.2SCB | 12.2(33)SCB1    |
    |------------+------------------------------------+-----------------|
    | 12.2SCB    | 12.2(33)SCB1                       | 12.2(33)SCB1    |
    |------------+------------------------------------+-----------------|
    |            | 12.2(50)SE                         |                 |
    | 12.2SE     |                                    | 12.2(44)SE6     |
    |            | 12.2(44)SE6                        |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SEA    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SEB    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SEC    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SED    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SEE    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SEF    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SEG    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    |            | 12.2(52)SG; Available on           | 12.2(52)SG;     |
    | 12.2SG     | 15-MAY-2009                        | Available on    |
    |            |                                    | 15-MAY-2009     |
    |------------+------------------------------------+-----------------|
    | 12.2SGA    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SL     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SM     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SO     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SQ     | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SRA    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.2(33)SRC4;   |
    |            |                                    | Available on    |
    |            |                                    | 18-MAY-2009     |
    | 12.2SRB    | Vulnerable; first fixed in 12.2SRC |                 |
    |            |                                    | 12.2(33)SRB5a;  |
    |            |                                    | Available on    |
    |            |                                    | 3-April-2009    |
    |------------+------------------------------------+-----------------|
    |            | 12.2(33)SRC4; Available on         | 12.2(33)SRC4;   |
    | 12.2SRC    | 18-MAY-2009                        | Available on    |
    |            |                                    | 18-MAY-2009     |
    |------------+------------------------------------+-----------------|
    | 12.2SRD    | 12.2(33)SRD1                       | 12.2(33)SRD1    |
    |------------+------------------------------------+-----------------|
    | 12.2STE    | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SU     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SV     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SVA    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SVC    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SVD    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SVE    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SW     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SX     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SXA    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SXB    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SXD    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SXE    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SXF    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SXH    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SXI    | 12.2(33)SXI1                       | 12.2(33)SXI1    |
    |------------+------------------------------------+-----------------|
    | 12.2SY     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2SZ     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2T      | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2TPC    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XA     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XB     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XC     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XD     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XE     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XF     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XG     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XH     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XI     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XJ     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XK     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XL     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XM     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.2(33)SB4     |
    |            |                                    |                 |
    |            |                                    | 12.2(33)SRD1    |
    | 12.2XN     | Vulnerable; first fixed in 12.2SRC |                 |
    |            |                                    | 12.2(33)SRC4;   |
    |            |                                    | Available on    |
    |            |                                    | 18-MAY-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.2(33)SRD1    |
    |            |                                    |                 |
    | 12.2XNA    | Vulnerable; first fixed in 12.2SRD | 12.2(33)SRC4;   |
    |            |                                    | Available on    |
    |            |                                    | 18-MAY-2009     |
    |------------+------------------------------------+-----------------|
    | 12.2XNB    | 12.2(33)XNB3                       | 12.2(33)XNB3    |
    |------------+------------------------------------+-----------------|
    | 12.2XNC    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XO     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XQ     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XR     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XS     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XT     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XU     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XV     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2XW     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YA     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YB     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YC     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YD     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YE     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YF     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YG     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YH     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YJ     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YK     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YL     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YM     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YN     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YO     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YP     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YQ     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YR     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YS     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YT     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YU     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YV     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YW     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YX     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YY     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2YZ     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2ZA     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2ZB     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2ZC     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2ZD     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2ZE     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2ZF     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2ZG     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2ZH     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2ZJ     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2ZL     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2ZP     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2ZU     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2ZX     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2ZY     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.2ZYA    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | Affected   |                                    | Recommended     |
    | 12.3-Based | First Fixed Release                | Release         |
    | Releases   |                                    |                 |
    |------------+------------------------------------+-----------------|
    | 12.3       | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.3B      | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.3BC     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.3BW     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.3EU     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.3JA     | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    | 12.3JEA    | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    | 12.3JEB    | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    | 12.3JEC    | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3JK     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    | 12.3JL     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.3JX     | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3T      | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    | 12.3TPC    | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.3VA     | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    | 12.3XA     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.3XB     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.3XC     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.3XD     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.3XE     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.3XF     | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3XG     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    | 12.3XI     | Vulnerable; first fixed in 12.2SB  | 12.2(33)SB4     |
    |------------+------------------------------------+-----------------|
    | 12.3XJ     | Vulnerable; first fixed in 12.3YX  | 12.3(14)YX14    |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3XK     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3XL     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3XQ     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(18e)       |
    |            |                                    |                 |
    | 12.3XR     | Vulnerable; first fixed in 12.4    | 12.4(23a);      |
    |            |                                    | Available on    |
    |            |                                    | 30-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3XS     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3XU     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    | 12.3XW     | Vulnerable; first fixed in 12.3YX  | 12.3(14)YX14    |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3XX     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3XY     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    | 12.3XZ     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3YA     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3YD     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    | 12.3YF     | Vulnerable; first fixed in 12.3YX  | 12.3(14)YX14    |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3YG     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3YH     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3YI     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3YJ     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3YK     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    | 12.3YM     | 12.3(14)YM13                       | 12.3(14)YM13    |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3YQ     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3YS     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3YT     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3YU     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    | 12.3YX     | 12.3(14)YX14                       | 12.3(14)YX14    |
    |------------+------------------------------------+-----------------|
    | 12.3YZ     | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.3ZA     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    | Affected   |                                    | Recommended     |
    | 12.4-Based | First Fixed Release                | Release         |
    | Releases   |                                    |                 |
    |------------+------------------------------------+-----------------|
    |            | 12.4(18e)                          | 12.4(18e)       |
    |            |                                    |                 |
    | 12.4       | 12.4(23a); Available on            | 12.4(23a);      |
    |            | 30-APR-2009                        | Available on    |
    |            |                                    | 30-APR-2009     |
    |------------+------------------------------------+-----------------|
    | 12.4JA     | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    | 12.4JDA    | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    | 12.4JK     | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    | 12.4JL     | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    | 12.4JMA    | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    | 12.4JMB    | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    | 12.4JX     | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    | 12.4MD     | 12.4(11)MD7                        | 12.4(11)MD7     |
    |------------+------------------------------------+-----------------|
    | 12.4MR     | 12.4(19)MR2                        | 12.4(19)MR2     |
    |------------+------------------------------------+-----------------|
    | 12.4SW     | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    |            | 12.4(24)T                          |                 |
    |            |                                    | 12.4(22)T1      |
    |            | 12.4(20)T2                         |                 |
    | 12.4T      |                                    | 12.4(15)T9;     |
    |            | 12.4(22)T1                         | Available on    |
    |            |                                    | 29-APR-2009     |
    |            | 12.4(15)T9; Available on           |                 |
    |            | 29-APR-2009                        |                 |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.4XA     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.4XB     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.4XC     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            | 12.4(4)XD12; Available on          | 12.4(4)XD12;    |
    | 12.4XD     | 27-MAR-2009                        | Available on    |
    |            |                                    | 27-MAR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.4XE     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.4XF     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            | 12.4(20)T2                         |                 |
    | 12.4XG     |                                    | 12.4(15)T9;     |
    |            | 12.4(22)T1                         | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.4XJ     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.4XK     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            | Releases prior to 12.4(15)XL4 are  |                 |
    | 12.4XL     | vulnerable, release 12.4(15)XL4    | 12.4(15)XL4     |
    |            | and later are not vulnerable;      |                 |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.4XM     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    | 12.4XN     | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    | 12.4XP     | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    | 12.4XQ     | 12.4(15)XQ2                        | 12.4(15)XQ2     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.4XR     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.4XT     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    | 12.4XV     | Vulnerable; contact TAC            |                 |
    |------------+------------------------------------+-----------------|
    | 12.4XW     | 12.4(11)XW10                       | 12.4(11)XW10    |
    |------------+------------------------------------+-----------------|
    |            |                                    | 12.4(22)T1      |
    |            |                                    |                 |
    | 12.4XY     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
    |            |                                    | Available on    |
    |            |                                    | 29-APR-2009     |
    |------------+------------------------------------+-----------------|
    | 12.4XZ     | 12.4(15)XZ2                        | 12.4(15)XZ2     |
    |------------+------------------------------------+-----------------|
    | 12.4YA     | 12.4(20)YA2                        | 12.4(20)YA3     |
    |------------+------------------------------------+-----------------|
    | 12.4YB     | Not Vulnerable                     |                 |
    |------------+------------------------------------+-----------------|
    | 12.4YD     | Not Vulnerable                     |                 |
    +-------------------------------------------------------------------+
    
    Workarounds
    ===========
    
    If the Cisco IOS SCP server functionality is not needed then the
    vulnerability described in this document can be mitigated by
    disabling the SCP server or the CLI view feature. The SCP server can
    be disabled by executing the following command in global
    configuration mode:
    
        no ip scp server enable
    
    If the SCP server cannot be disabled due to operational concerns,
    then no workarounds exist. The risk posed by this vulnerability can
    be mitigated by following the best practices detailed in "Cisco Guide
    to Harden Cisco IOS Devices" at 
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
    Please refer to the Obtaining Fixed Software section of this advisory
    for appropriate solutions to resolve this vulnerability.
    
    Due to the nature of this vulnerability, networking best practices
    like access control lists (ACLs) and Control Plane Policing (CoPP)
    that restrict access to a device to certain IP addresses or
    subnetworks may not be effective. If access is already granted to a
    specific IP address or subnetwork, a user with low privileges will be
    able to establish an SCP session with the device, which would allow
    the user to exploit this vulnerability.
    
    Obtaining Fixed Software
    ========================
    
    Cisco has released free software updates that address these
    vulnerabilities. Prior to deploying software, customers should
    consult their maintenance provider or check the software for feature
    set compatibility and known issues specific to their environment.
    
    Customers may only install and expect support for the feature sets
    they have purchased. By installing, downloading, accessing or
    otherwise using such software upgrades, customers agree to be bound
    by the terms of Cisco's software license terms found at 
    http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as
    otherwise set forth at Cisco.com Downloads at 
    http://www.cisco.com/public/sw-center/sw-usingswc.shtml
    
    Do not contact psirt@cisco.com or security-alert@cisco.com for
    software upgrades.
    
    Customers with Service Contracts
    +-------------------------------
    
    Customers with contracts should obtain upgraded software through
    their regular update channels. For most customers, this means that
    upgrades should be obtained through the Software Center on Cisco's
    worldwide website at http://www.cisco.com
    
    Customers using Third Party Support Organizations
    +------------------------------------------------
    
    Customers whose Cisco products are provided or maintained through
    prior or existing agreements with third-party support organizations,
    such as Cisco Partners, authorized resellers, or service providers,
    should contact that support organization for guidance and assistance
    with the appropriate course of action in regard to this advisory.
    
    The effectiveness of any workaround or fix is dependent on specific
    customer situations, such as product mix, network topology, traffic
    behavior, and organizational mission. Due to the variety of affected
    products and releases, customers should consult with their service
    provider or support organization to ensure any applied workaround or
    fix is the most appropriate for use in the intended network before it
    is deployed.
    
    Customers without Service Contracts
    +----------------------------------
    
    Customers who purchase direct from Cisco but do not hold a Cisco
    service contract, and customers who purchase through third-party
    vendors but are unsuccessful in obtaining fixed software through
    their point of sale should acquire upgrades by contacting the Cisco
    Technical Assistance Center (TAC). TAC contacts are as follows.
    
      * +1 800 553 2447 (toll free from within North America)
      * +1 408 526 7209 (toll call from anywhere in the world)
      * e-mail: tac@cisco.com
    
    Customers should have their product serial number available and be
    prepared to give the URL of this notice as evidence of entitlement to
    a free upgrade. Free upgrades for non-contract customers must be
    requested through the TAC.
    
    Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
    for additional TAC contact information, including localized telephone 
    numbers, and instructions and e-mail addresses for use in various 
    languages.
    
    Exploitation and Public Announcements
    =====================================
    
    The Cisco PSIRT is not aware of any public announcements or malicious
    use of the vulnerability described in this advisory.
    
    This vulnerability was reported to Cisco by Kevin Graham. Cisco would
    like to thank Mr. Graham for reporting this vulnerability and working
    with us towards coordinated disclosure of the vulnerability.
    
    Status of this Notice: FINAL
    ============================
    
    THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
    KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
    MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
    INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
    AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
    DOCUMENT AT ANY TIME.
    
    A stand-alone copy or paraphrase of the text of this document that
    omits the distribution URL in the following section is an
    uncontrolled copy, and may lack important information or contain
    factual errors.
    
    Distribution
    ============
    
    This advisory is posted on Cisco's worldwide website at:
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
    
    In addition to worldwide web posting, a text version of this notice
    is clear-signed with the Cisco PSIRT PGP key and is posted to the
    following e-mail and Usenet news recipients.
    
      * cust-security-announce@cisco.com
      * first-bulletins@lists.first.org
      * bugtraq@securityfocus.com
      * vulnwatch@vulnwatch.org
      * cisco@spot.colorado.edu
      * cisco-nsp@puck.nether.net
      * full-disclosure@lists.grok.org.uk
      * comp.dcom.sys.cisco@newsgate.cisco.com
    
    Future updates of this advisory, if any, will be placed on Cisco's
    worldwide website, but may or may not be actively announced on
    mailing lists or newsgroups. Users concerned about this problem are
    encouraged to check the above URL for any updates.
    
    Revision History
    ================
    
    +-------------------------------------------------------+
    | Revision 1.0 | 2009-March-25 | Initial public release |
    +-------------------------------------------------------+
    
    Cisco Security Procedures
    =========================
    
    Complete information on reporting security vulnerabilities in Cisco
    products, obtaining assistance with security incidents, and
    registering to receive security information from Cisco, is available
    on Cisco's worldwide website at 
    http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
    This includes instructions for press inquiries regarding Cisco 
    security notices. All Cisco security advisories are available at 
    http://www.cisco.com/go/psirt
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.8 (Darwin)
    
    iEYEARECAAYFAknKUbQACgkQ86n/Gc8U/uBoggCdGbEAh9pGrV/ApbhENou5MF4M
    vTIAn03h9J//T0V6BZBxwwS2hKs/JIXi
    =JGEE
    -----END PGP SIGNATURE-----
    
    
    
    

    --- End Message ---
    --- Begin Message ---
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Cisco Security Advisory: Cisco IOS Software Multiple Features Crafted
    TCP Sequence Vulnerability
    
    Advisory ID: cisco-sa-20090325-tcp
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
    
    Revision 1.0
    
    For Public Release 2009 March 25 1600 UTC (GMT)
    
    - ---------------------------------------------------------------------
    
    Summary
    =======
    
    Cisco IOS Software contains a vulnerability in multiple features
    that could allow an attacker to cause a denial of service (DoS)
    condition on the affected device. A sequence of specially crafted TCP
    packets can cause the vulnerable device to reload.
    
    Cisco has released free software updates that address this
    vulnerability.
    
    Several mitigation strategies are outlined in the workarounds section
    of this advisory.
    
    This advisory is posted at 
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
    
    Note: The March 25, 2009, Cisco IOS Security Advisory bundled
    publication includes eight Security Advisories. All of the advisories
    address vulnerabilities in Cisco IOS Software. Each advisory lists
    the releases that correct the vulnerability or vulnerabilities in the
    advisory. The following table lists releases that correct all Cisco
    IOS Software vulnerabilities that have been published in Cisco
    Security Advisories on March 25, 2009, or earlier.
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml
    
    Individual publication links are listed below:
    
      * Cisco IOS cTCP Denial of Service Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
    
      * Cisco IOS Software Multiple Features IP Sockets Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
    
      * Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
    
      * Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
    
      * Cisco IOS Software Session Initiation Protocol Denial of Service
        Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
    
      * Cisco IOS Software Multiple Features Crafted TCP Sequence
        Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
    
      * Cisco IOS Software Multiple Features Crafted UDP Packet
        Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
    
      * Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
    
    Affected Products
    =================
    
    Vulnerable Products
    +------------------
    
    Devices running affected versions of Cisco IOS Software and Cisco IOS
    XE Software are affected when configured to use any of the following
    features within Cisco IOS:
    
      * Airline Product Set (ALPS)
      * Serial Tunnel Code (STUN) and Block Serial Tunnel Code (BSTUN)
      * Native Client Interface Architecture support (NCIA)
      * Data-link switching (DLSw)
      * Remote Source-Route Bridging (RSRB)
      * Point to Point Tunneling Protocol (PPTP)
      * X.25 for Record Boundary Preservation (RBP)
      * X.25 over TCP (XOT)
      * X.25 Routing
    
    Information on how to determine whether an affected feature is
    enabled on a device is provided in the Details section of this
    advisory.
    
    To determine the Cisco IOS Software release that is running on a
    Cisco product, administrators can log in to the device and issue the
    "show version" command to display the system banner. The system
    banner confirms that the device is running Cisco IOS Software by
    displaying text similar to "Cisco Internetwork Operating System
    Software" or "Cisco IOS Software." The image name displays in
    parentheses, followed by "Version" and the Cisco IOS Software release
    name. Other Cisco devices do not have the "show version" command or
    may provide different output.
    
    The following example identifies a Cisco product that is running
    Cisco IOS Software Release 12.3(26) with an installed image name of
    C2500-IS-L:
    
        Router#show version
        Cisco Internetwork Operating System Software
        IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2008 by cisco Systems, Inc.
        Compiled Mon 17-Mar-08 14:39 by dchih
    
        <output truncated>
    
    The following example shows a product that is running Cisco IOS
    Software Release 12.4(20)T with an image name of
    C1841-ADVENTERPRISEK9-M:
    
        Router#show version
        Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2008 by Cisco Systems, Inc.
        Compiled Thu 10-Jul-08 20:25 by prod_rel_team
    
        <output truncated>
    
    Additional information about Cisco IOS Software release naming
    conventions is available in "White Paper: Cisco IOS Reference Guide"
    at the following link: http://www.cisco.com/warp/public/620/1.html .
    
    Products Confirmed Not Vulnerable
    +--------------------------------
    
    The following product and feature have been confirmed not vulnerable:
    
      * Cisco IOS XR Software
      * BGP is not affected
    
    No other Cisco products or features configured within Cisco IOS
    Software are currently known to be affected by this vulnerability.
    
    Details
    =======
    
    Completion of the 3-way handshake to the associated TCP port
    number(s) of any of the features outlined below is required in order
    for the vulnerability to be successfully exploited.
    
    Airline Product Set (ALPS)
    +-------------------------
    
    Devices configured for ALPS are vulnerable. The default TCP listening
    ports for ALPS are 350 and 10000. The following example shows a
    vulnerable ALPS configuration:
    
        alps local-peer <ip address>
    
    Further information about ALPS is available in "Cisco IOS Bridging
    and IBM Networking Configuration Guide, Release 12.2 - Configuring
    the Airline Product Set" at the following link
    http://www.cisco.com/en/US/docs/ios/12_2/ibm/configuration/guide/bcfalps_ps1835_TSD_Products_Configuration_Guide_Chapter.html
    
    Serial Tunnel Code (STUN) and Block Serial Tunneling (BSTUN)
    +-----------------------------------------------------------
    
    Devices configured for either STUN or BSTUN are vulnerable. The
    default listening TCP ports for STUN are 1990, 1991, 1992 and 1994.
    The default listening TCP ports for BSTUN are 1963, 1976, 1977, 1978
    and 1979. The following example shows a vulnerable STUN configuration:
    
        interface serial 0/0/0
        encapsulation stun
    
    The following example shows a vulnerable BSTUN configuration:
    
        interface serial 0/0/0
        encapsulation bstun
    
    Further information about STUN and BSTUN is available in "Cisco IOS
    Bridging and IBM Networking Configuration Guide, Release 12.2 -
    Configuring Serial Tunnel and Block Serial Tunnel" at the following
    link 
    http://www.cisco.com/en/US/docs/ios/12_2/ibm/configuration/guide/bcfstun_ps1835_TSD_Products_Configuration_Guide_Chapter.html
    
    Native Client Interface Architecture support (NCIA)
    +--------------------------------------------------
    
    Devices configured for NCIA are vulnerable, because of the underlying
    transport they will use. The default listening TCP ports will be
    dependent on the protocol used with NCIA, such as RSRB or DLSw. The
    following example shows a vulnerable configuration:
    
        ncia server 1 10.66.91.138 0000.1111.2222 2222.2222.2222 1
    
    Further information about NCIA is available in "Cisco IOS Bridging
    and IBM Networking Configuration Guide, Release 12.4 - Configuring
    NCIA Client/Server" at the following link 
    http://www.cisco.com/en/US/docs/ios/bridging/configuration/guide/br_ncia_client_svr_ps6350_TSD_Products_Configuration_Guide_Chapter.html
    
    Data-link switching (DLSw)
    +-------------------------
    
    Devices configured for DLSw are vulnerable. The default listening TCP
    ports for DLSw are 2065, 2067, 1981, 1982 and 1983. The following
    example shows a vulnerable configuration:
    
        dlsw local-peer peer-id <ip address>
    
    Devices configured with either FST Encapsulation or Direct
    Encapsulation are still vulnerable as the affected TCP ports are
    opened by the "dlsw local-peer peer-id ip address" command.
    
    Further information about DLSw is available in "Cisco IOS Bridging
    and IBM Networking Configuration Guide, Release 12.4 - Configuring
    Data-Link Switching Plus" at the following link 
    http://www.cisco.com/en/US/docs/ios/bridging/configuration/guide/br_dlsw_plus_ps6350_TSD_Products_Configuration_Guide_Chapter.html
    
    Remote Source-Route Bridging (RSRB)
    +----------------------------------
    
    Devices configured for RSRB Using IP Encapsulation over a TCP
    connection are vulnerable. The default listening TCP ports for RSRB
    are 1996, 1987, 1988 and 1989. The following example shows a
    vulnerable configuration:
    
        source-bridge ring-group 10
        source-bridge remote-peer 10 tcp <ip address>
    
    Devices configured with either RSRB Using Direct Encapsulation or
    RSRB Using IP Encapsulation over an FST Connection are not affected.
    
    Further information about RSRB is available in "Cisco IOS Bridging
    and IBM Networking Configuration Guide, Release 12.2 - Configuring
    Remote Source-Route Bridging" at the following link 
    http://www.cisco.com/en/US/docs/ios/12_2/ibm/configuration/guide/bcfrsrb_ps1835_TSD_Products_Configuration_Guide_Chapter.html
    
    Point to Point Tunneling Protocol (PPTP)
    +---------------------------------------
    
    Devices configured for PPTP are vulnerable. The default listening TCP
    port for PPTP is 1723. The following examples show vulnerable
    configurations:
    
        vpdn enable
        !
        vpdn-group pptp
        ! Default PPTP VPDN group
         accept-dialin
          protocol pptp
          virtual-template 1
    
    Or
    
        vpdn enable
        !
        vpdn-group L2_Tunneling
        ! Default L2TP VPDN group
        ! Default PPTP VPDN group
         accept-dialin
          protocol any
          virtual-template 1
    
    Further information about PPTP is available in "Cisco IOS VPDN
    Configuration Guide, Release 12.4 - Configuring Client-Initiated
    Dial-In VPDN Tunneling" at the following link 
    http://www.cisco.com/en/US/docs/ios/vpdn/configuration/guide/client_init_dial-in_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1105140
    
    X.25 Record Boundary Preservation (RBP)
    +--------------------------------------
    
    Devices configured for RBP are vulnerable. The listening TCP port is
    configured with the "local port port_number" CLI command, as shown in
    the examples below, which show vulnerable configurations. The first
    leverages switched virtual circuits (SVC):
    
        interface Serial1/0
           x25 map rbp 1111 local port <port_number>
    
    The second example leverages a permanent virtual circuit (PVC):
    
        interface Serial1/0
           x25 map pvc <pvc_number> rbp local port <port_number>
    
    Further information about RBP is available in "Cisco IOS Wide-Area
    Networking Configuration Guide, Release 12.4 - X.25 Record Boundary
    Preservation for Data Communications Networks" at the following link
    http://www.cisco.com/en/US/docs/ios/wan/configuration/guide/wan_x25_rbp_dcn_ps6350_TSD_Products_Configuration_Guide_Chapter.html
    
    X.25 over TCP (XOT)
    +------------------
    
    Devices configured for XOT are vulnerable. The default listening TCP
    port for XOT is 1998. The following example shows a vulnerable
    configuration.
    
        xot access-group 1
    
        and a corresponding access-list 1.
    
    Further information about XOT is available in "Cisco IOS Wide-Area
    Networking Configuration Guide, Release 12.4 - X.25 over TCP
    Profiles" at the following link 
    http://www.cisco.com/en/US/docs/ios/wan/configuration/guide/wan_x25otcp_pro_ps6350_TSD_Products_Configuration_Guide_Chapter.html
    
    X25 Routing
    +----------
    
    Devices configured with X25 are vulnerable. The default listening TCP
    port for X25 Routing is 1998. The following example shows a
    vulnerable configuration.
    
        x25 routing
    
    Further information about X25 is available in "Cisco IOS Wide-Area
    Networking Configuration Guide, Release 12.4 - Configuring X.25 and
    LAPB" at the following link 
    http://www.cisco.com/en/US/docs/ios/wan/configuration/guide/wan_cfg_x25_lapb_ps6350_TSD_Products_Configuration_Guide_Chapter.html
    
    This vulnerability is documented in the following Cisco Bug ID:
    CSCsr29468 and has been assigned the Common Vulnerabilities and 
    Exposures (CVE) identifier CVE-2009-0629.
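
The configuration patterns listed above for RSRB, PPTP, RBP, XOT and X25 Routing can be checked mechanically against a saved running-config. The following is an added example, not part of the Cisco advisory: the sample configuration, the function names and the rule that a vpdn-group only counts when "vpdn enable" is present are assumptions, and it covers only the features described in this part of the advisory.

```python
import re

RSRB_PORTS = (1996, 1987, 1988, 1989)   # default RSRB-over-TCP listeners per the advisory

# Constructed sample running-config (not from the advisory); 192.0.2.0/24 is a
# documentation range and 9999 is an arbitrary RBP "local port".
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
source-bridge ring-group 10
source-bridge remote-peer 10 tcp 192.0.2.10
source-bridge remote-peer 10 fst 192.0.2.11
!
vpdn enable
!
vpdn-group L2_Tunneling
 accept-dialin
  protocol any
  virtual-template 1
!
vpdn-group l2tp-only
 accept-dialin
  protocol l2tp
  virtual-template 2
!
interface Serial1/0
 x25 map rbp 1111 local port 9999
!
xot access-group 1
x25 routing
access-list 1 permit 192.0.2.0 0.0.0.255
"""


def blocks(config):
    """Group a config into (top-level command, [indented sub-commands])."""
    out = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blanks and '!' comments never end a block
        if raw[0].isspace() and out:
            out[-1][1].append(raw.strip())
        else:
            out.append((raw.strip(), []))
    return out


def audit(config):
    """Return (feature, listening TCP ports, matching config line) per exposure."""
    parsed = blocks(config)
    # Assumption: a vpdn-group only accepts tunnels when "vpdn enable" is present.
    vpdn_enabled = any(head == "vpdn enable" for head, _ in parsed)
    findings = []
    for head, subs in parsed:
        if re.match(r"source-bridge remote-peer \d+ tcp \S+", head):
            # FST and direct encapsulation peers are not affected, so only "tcp" matches.
            findings.append(("RSRB", RSRB_PORTS, head))
        elif head.startswith("vpdn-group ") and vpdn_enabled:
            dialin = "accept-dialin" in subs
            if dialin and any(re.fullmatch(r"protocol (pptp|any)", s) for s in subs):
                findings.append(("PPTP", (1723,), head))
        elif re.match(r"xot access-group \d+", head):
            findings.append(("XOT", (1998,), head))
        elif re.match(r"x25 routing\b", head):
            findings.append(("X25 routing", (1998,), head))
        for sub in subs:
            # RBP has no default port: report the configured "local port" value.
            m = re.match(r"x25 map (?:pvc \d+ )?rbp\b.*?\blocal port (\d+)", sub)
            if m:
                findings.append(("RBP", (int(m.group(1)),), f"{head}: {sub}"))
    return findings


def exposed_ports(findings):
    """Sorted, de-duplicated TCP ports the flagged features listen on."""
    return sorted({port for _, ports, _ in findings for port in ports})


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for feature, ports, line in results:
        port_list = ",".join(str(p) for p in ports)
        print(f"{feature:12} tcp/{port_list:20} {line}")
    print("ports:", exposed_ports(results))
```
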
    
    Vulnerability Scoring Details
    =============================
    
    Cisco has provided scores for the vulnerability in this advisory
    based on the Common Vulnerability Scoring System (CVSS). The CVSS
    scoring in this Security Advisory is done in accordance with CVSS
    version 2.0.
    
    CVSS is a standards-based scoring method that conveys vulnerability
    severity and helps determine urgency and priority of response.
    
    Cisco has provided a base and temporal score. Customers can then
    compute environmental scores to assist in determining the impact of
    the vulnerability in individual networks.
    
    Cisco has provided an FAQ to answer additional questions regarding
    CVSS at
    
    http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
    
    Cisco has also provided a CVSS calculator to help compute the
    environmental impact for individual networks at
    
    http://intellishield.cisco.com/security/alertmanager/cvss
    
    CSCsr29468: Cisco IOS Software Multiple Features Crafted TCP Sequence
                Vulnerability
    
    CVSS Base Score - 7.8
    
     Access Vector           - Network
     Access Complexity       - Low
     Authentication          - None
     Confidentiality Impact  - None
     Integrity Impact        - None
     Availability Impact     - Complete
    
    CVSS Temporal Score - 6.4
    
     Exploitability          - Functional
     Remediation Level       - Official-Fix
     Report Confidence       - Confirmed
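
The base and temporal scores above follow from the listed metrics under the CVSS version 2.0 equations, and the same equations give the environmental score the advisory leaves to customers. The following is an added example, not part of the Cisco advisory: the weights are those of the CVSS 2.0 specification, while the function names and the sample environment are assumptions.

```python
from decimal import Decimal as D, ROUND_HALF_UP

# Metric weights from the CVSS version 2.0 specification.
AV = {"Local": D("0.395"), "Adjacent Network": D("0.646"), "Network": D("1.0")}
AC = {"High": D("0.35"), "Medium": D("0.61"), "Low": D("0.71")}
AU = {"Multiple": D("0.45"), "Single": D("0.56"), "None": D("0.704")}
CIA = {"None": D("0"), "Partial": D("0.275"), "Complete": D("0.660")}
EXPLOITABILITY = {"Unproven": D("0.85"), "Proof-of-Concept": D("0.9"),
                  "Functional": D("0.95"), "High": D("1.0"), "Not Defined": D("1.0")}
REMEDIATION = {"Official-Fix": D("0.87"), "Temporary-Fix": D("0.90"),
               "Workaround": D("0.95"), "Unavailable": D("1.0"), "Not Defined": D("1.0")}
CONFIDENCE = {"Unconfirmed": D("0.90"), "Uncorroborated": D("0.95"),
              "Confirmed": D("1.0"), "Not Defined": D("1.0")}
REQUIREMENT = {"Low": D("0.5"), "Medium": D("1.0"), "High": D("1.51"),
               "Not Defined": D("1.0")}
COLLATERAL = {"None": D("0"), "Low": D("0.1"), "Low-Medium": D("0.3"),
              "Medium-High": D("0.4"), "High": D("0.5"), "Not Defined": D("0")}
DISTRIBUTION = {"None": D("0"), "Low": D("0.25"), "Medium": D("0.75"),
                "High": D("1.0"), "Not Defined": D("1.0")}

# Metrics exactly as listed in the advisory for CSCsr29468.
BASE = {"AV": "Network", "AC": "Low", "Au": "None",
        "C": "None", "I": "None", "A": "Complete"}
TEMPORAL = {"E": "Functional", "RL": "Official-Fix", "RC": "Confirmed"}

# Constructed environment (an assumption, not from the advisory): a lab router
# with a Low availability requirement, Low-Medium collateral damage potential,
# and a Medium share of the network running the affected features.
SAMPLE_ENV = {"AR": "Low", "CDP": "Low-Medium", "TD": "Medium"}


def round1(value):
    """round_to_1_decimal from the specification, rounding halves up."""
    return value.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def base_score(m, env=None):
    """Base score; with env, the adjusted base score using CR/IR/AR requirements."""
    env = env or {}
    conf = CIA[m["C"]] * REQUIREMENT[env.get("CR", "Not Defined")]
    integ = CIA[m["I"]] * REQUIREMENT[env.get("IR", "Not Defined")]
    avail = CIA[m["A"]] * REQUIREMENT[env.get("AR", "Not Defined")]
    impact = min(D("10"), D("10.41") * (1 - (1 - conf) * (1 - integ) * (1 - avail)))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = D("0") if impact == 0 else D("1.176")
    return round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f_impact)


def temporal_score(base, t):
    """Temporal score from a (possibly adjusted) base score."""
    return round1(base * EXPLOITABILITY[t["E"]] * REMEDIATION[t["RL"]] * CONFIDENCE[t["RC"]])


def environmental_score(m, t, env):
    """Environmental score: adjusted temporal, then collateral damage and distribution."""
    adjusted_temporal = temporal_score(base_score(m, env), t)
    cdp = COLLATERAL[env.get("CDP", "Not Defined")]
    td = DISTRIBUTION[env.get("TD", "Not Defined")]
    return round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)


if __name__ == "__main__":
    base = base_score(BASE)
    print("base         ", base)
    print("temporal     ", temporal_score(base, TEMPORAL))
    print("environmental", environmental_score(BASE, TEMPORAL, SAMPLE_ENV))
```
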
    
    Impact
    ======
    
    Successful exploitation of this vulnerability will cause the device
    to reload. Repeated attempts to exploit this vulnerability could
    result in a sustained DoS condition.
    
    Software Versions and Fixes
    ===========================
    
    When considering software upgrades, also consult 
    http://www.cisco.com/go/psirt and any subsequent advisories to 
    determine exposure and a complete upgrade solution.
    
    In all cases, customers should exercise caution to be certain the
    devices to be upgraded contain sufficient memory and that current
    hardware and software configurations will continue to be supported
    properly by the new release. If the information is not clear, contact
    the Cisco Technical Assistance Center (TAC) or your contracted
    maintenance provider for assistance.
    
    Each row of the Cisco IOS software table (below) names a Cisco IOS
    release train. If a given release train is vulnerable, then the
    earliest possible releases that contain the fix (along with the
    anticipated date of availability for each, if applicable) are listed
    in the "First Fixed Release" column of the table. The "Recommended
    Release" column indicates the releases which have fixes for all the
    published vulnerabilities at the time of this Advisory. A device
    running a release in the given train that is earlier than the release
    in a specific column (less than the First Fixed Release) is known to
    be vulnerable. Cisco recommends upgrading to a release equal to or
    later than the release in the "Recommended Release" column of the
    table.
    
    +-------------------------------------------------------------------+
    |   Major    |          Availability of Repaired Releases           |
    |  Release   |                                                      |
    |------------+------------------------------------------------------|
    | Affected   |                             |                        |
    | 12.0-Based | First Fixed Release         | Recommended Release    |
    | Releases   |                             |                        |
    |-------------------------------------------------------------------|
    | There are no affected 12.0 based releases                         |
    |-------------------------------------------------------------------|
    | Affected   |                             |                        |
    | 12.1-Based | First Fixed Release         | Recommended Release    |
    | Releases   |                             |                        |
    |-------------------------------------------------------------------|
    | There are no affected 12.1 based releases                         |
    |-------------------------------------------------------------------|
    | Affected   |                             |                        |
    | 12.2-Based | First Fixed Release         | Recommended Release    |
    | Releases   |                             |                        |
    |------------+-----------------------------+------------------------|
    | 12.2       | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2B      | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2BC     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2BW     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2BX     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2BY     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2BZ     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2CX     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2CY     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2CZ     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2DA     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2DD     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2DX     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2EW     | Vulnerable; first fixed in  | 12.2(31)SGA9           |
    |            | 12.2SG                      |                        |
    |------------+-----------------------------+------------------------|
    | 12.2EWA    | Vulnerable; first fixed in  | 12.2(31)SGA9           |
    |            | 12.2SG                      |                        |
    |------------+-----------------------------+------------------------|
    |            | Releases prior to 12.2(44)  |                        |
    |            | EX are vulnerable, release  |                        |
    | 12.2EX     | 12.2(44)EX and later are    | 12.2(44)SE6            |
    |            | not vulnerable; first fixed |                        |
    |            | in 12.2SE                   |                        |
    |------------+-----------------------------+------------------------|
    | 12.2EY     | 12.2(44)EY                  | 12.2(44)SE6            |
    |------------+-----------------------------+------------------------|
    | 12.2EZ     | Vulnerable; first fixed in  | 12.2(44)SE6            |
    |            | 12.2SE                      |                        |
    |------------+-----------------------------+------------------------|
    | 12.2FX     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2FY     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2FZ     | Vulnerable; first fixed in  | 12.2(44)SE6            |
    |            | 12.2SE                      |                        |
    |------------+-----------------------------+------------------------|
    |            | Vulnerable; first fixed in  | 12.2(33)SRC4;          |
    | 12.2IRA    | 12.2SRC                     | Available on           |
    |            |                             | 18-MAY-2009            |
    |------------+-----------------------------+------------------------|
    |            | Vulnerable; first fixed in  | 12.2(33)SRC4;          |
    | 12.2IRB    | 12.2SRC                     | Available on           |
    |            |                             | 18-MAY-2009            |
    |------------+-----------------------------+------------------------|
    | 12.2IXA    | Vulnerable; migrate to any  | 12.2(18)IXH; Available |
    |            | release in 12.2IXH          | on 31-MAR-2009         |
    |------------+-----------------------------+------------------------|
    | 12.2IXB    | Vulnerable; migrate to any  | 12.2(18)IXH; Available |
    |            | release in 12.2IXH          | on 31-MAR-2009         |
    |------------+-----------------------------+------------------------|
    | 12.2IXC    | Vulnerable; migrate to any  | 12.2(18)IXH; Available |
    |            | release in 12.2IXH          | on 31-MAR-2009         |
    |------------+-----------------------------+------------------------|
    | 12.2IXD    | Vulnerable; migrate to any  | 12.2(18)IXH; Available |
    |            | release in 12.2IXH          | on 31-MAR-2009         |
    |------------+-----------------------------+------------------------|
    | 12.2IXE    | Vulnerable; migrate to any  | 12.2(18)IXH; Available |
    |            | release in 12.2IXH          | on 31-MAR-2009         |
    |------------+-----------------------------+------------------------|
    | 12.2IXF    | Vulnerable; migrate to any  | 12.2(18)IXH; Available |
    |            | release in 12.2IXH          | on 31-MAR-2009         |
    |------------+-----------------------------+------------------------|
    | 12.2IXG    | Vulnerable; migrate to any  | 12.2(18)IXH; Available |
    |            | release in 12.2IXH          | on 31-MAR-2009         |
    |------------+-----------------------------+------------------------|
    | 12.2JA     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2JK     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2MB     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2MC     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2S      | Vulnerable; first fixed in  | 12.2(33)SB4            |
    |            | 12.2SB                      |                        |
    |------------+-----------------------------+------------------------|
    |            | 12.2(33)SB3                 |                        |
    |            |                             |                        |
    | 12.2SB     | 12.2(28)SB13                | 12.2(33)SB4            |
    |            |                             |                        |
    |            | 12.2(31)SB14                |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SBC    | Vulnerable; first fixed in  | 12.2(33)SB4            |
    |            | 12.2SB                      |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SCA    | Vulnerable; first fixed in  | 12.2(33)SCB1           |
    |            | 12.2SCB                     |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SCB    | 12.2(33)SCB1                | 12.2(33)SCB1           |
    |------------+-----------------------------+------------------------|
    |            | 12.2(46)SE2                 |                        |
    |            |                             |                        |
    | 12.2SE     | 12.2(50)SE                  | 12.2(44)SE6            |
    |            |                             |                        |
    |            | 12.2(44)SE5                 |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SEA    | Vulnerable; first fixed in  | 12.2(44)SE6            |
    |            | 12.2SE                      |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SEB    | Vulnerable; first fixed in  | 12.2(44)SE6            |
    |            | 12.2SE                      |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SEC    | Vulnerable; first fixed in  | 12.2(44)SE6            |
    |            | 12.2SE                      |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SED    | Vulnerable; first fixed in  | 12.2(44)SE6            |
    |            | 12.2SE                      |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SEE    | Vulnerable; first fixed in  | 12.2(44)SE6            |
    |            | 12.2SE                      |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SEF    | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    |            | Releases prior to 12.2(25)  |                        |
    |            | SEG4 are vulnerable,        |                        |
    | 12.2SEG    | release 12.2(25)SEG4 and    | 12.2(44)SE6            |
    |            | later are not vulnerable;   |                        |
    |            | first fixed in 12.2SE       |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SG     | 12.2(50)SG                  | 12.2(52)SG; Available  |
    |            |                             | on 15-MAY-2009         |
    |------------+-----------------------------+------------------------|
    | 12.2SGA    | 12.2(31)SGA9                | 12.2(31)SGA9           |
    |------------+-----------------------------+------------------------|
    | 12.2SL     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SM     | Vulnerable; contact TAC     |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SO     | Vulnerable; contact TAC     |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SQ     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    |            | Vulnerable; first fixed in  | 12.2(33)SRC4;          |
    | 12.2SRA    | 12.2SRC                     | Available on           |
    |            |                             | 18-MAY-2009            |
    |------------+-----------------------------+------------------------|
    |            |                             | 12.2(33)SRB5a;         |
    |            |                             | Available on           |
    | 12.2SRB    | Vulnerable; first fixed in  | 3-April-2009 12.2(33)  |
    |            | 12.2SRC                     | SRC4; Available on     |
    |            |                             | 18-MAY-2009 12.2(33)   |
    |            |                             | SRD1                   |
    |------------+-----------------------------+------------------------|
    |            |                             | 12.2(33)SRC4;          |
    | 12.2SRC    | 12.2(33)SRC3                | Available on           |
    |            |                             | 18-MAY-2009 12.2(33)   |
    |            |                             | SRD1                   |
    |------------+-----------------------------+------------------------|
    | 12.2SRD    | 12.2(33)SRD1                | 12.2(33)SRD1           |
    |------------+-----------------------------+------------------------|
    | 12.2STE    | Vulnerable; contact TAC     |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SU     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SV     | Vulnerable; contact TAC     |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SVA    | Vulnerable; contact TAC     |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SVC    | Vulnerable; contact TAC     |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SVD    | Vulnerable; contact TAC     |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SVE    | Vulnerable; contact TAC     |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SW     | Vulnerable; migrate to any  |                        |
    |            | release in 12.4SW           |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SX     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SXA    | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SXB    | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SXD    | Vulnerable; first fixed in  | 12.2(18)SXF16          |
    |            | 12.2SXF                     |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SXE    | Vulnerable; first fixed in  | 12.2(18)SXF16          |
    |            | 12.2SXF                     |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SXF    | 12.2(18)SXF16               | 12.2(18)SXF16          |
    |------------+-----------------------------+------------------------|
    |            | 12.2(33)SXH5; Available on  | 12.2(33)SXH5;          |
    | 12.2SXH    | 20-APR-2009                 | Available on           |
    |            |                             | 20-APR-2009            |
    |------------+-----------------------------+------------------------|
    | 12.2SXI    | 12.2(33)SXI1                | 12.2(33)SXI1           |
    |------------+-----------------------------+------------------------|
    | 12.2SY     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2SZ     | Vulnerable; first fixed in  | 12.2(33)SB4            |
    |            | 12.2SB                      |                        |
    |------------+-----------------------------+------------------------|
    | 12.2T      | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2TPC    | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XA     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XB     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XC     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XD     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XE     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XF     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XG     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XH     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XI     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XJ     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XK     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XL     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XM     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    |            | Vulnerable; first fixed in  | 12.2(33)SB4            |
    | 12.2XN     | 12.2SRC                     |                        |
    |            |                             | 12.2(33)SRD1           |
    |------------+-----------------------------+------------------------|
    | 12.2XNA    | Vulnerable; first fixed in  | 12.2(33)SRD1           |
    |            | 12.2SRD                     |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XNB    | 12.2(33)XNB1                | 12.2(33)XNB3           |
    |------------+-----------------------------+------------------------|
    | 12.2XNC    | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XO     | 12.2(46)XO                  | 12.2(46)XO             |
    |------------+-----------------------------+------------------------|
    | 12.2XQ     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XR     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XS     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XT     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XU     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XV     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2XW     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YA     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YB     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YC     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YD     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YE     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YF     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YG     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YH     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YJ     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YK     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YL     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YM     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YN     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YO     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YP     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YQ     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YR     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YS     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YT     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YU     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YV     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YW     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YX     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YY     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2YZ     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2ZA     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2ZB     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2ZC     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2ZD     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2ZE     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2ZF     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2ZG     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2ZH     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2ZJ     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2ZL     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.2ZP     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    |            | Vulnerable; first fixed in  | 12.2(33)SXH5;          |
    | 12.2ZU     | 12.2SXH                     | Available on           |
    |            |                             | 20-APR-2009            |
    |------------+-----------------------------+------------------------|
    | 12.2ZX     | Vulnerable; first fixed in  | 12.2(33)SB4            |
    |            | 12.2SB                      |                        |
    |------------+-----------------------------+------------------------|
    | 12.2ZY     | Vulnerable; contact TAC     |                        |
    |------------+-----------------------------+------------------------|
    | 12.2ZYA    | 12.2(18)ZYA1                | 12.2(18)ZYA1           |
    |------------+-----------------------------+------------------------|
    | Affected   |                             |                        |
    | 12.3-Based | First Fixed Release         | Recommended Release    |
    | Releases   |                             |                        |
    |-------------------------------------------------------------------|
    | There are no affected 12.3 based releases                         |
    |-------------------------------------------------------------------|
    | Affected   |                             |                        |
    | 12.4-Based | First Fixed Release         | Recommended Release    |
    | Releases   |                             |                        |
    |------------+-----------------------------+------------------------|
    | 12.4       | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4JA     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4JDA    | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4JK     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4JL     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4JMA    | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4JMB    | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4JX     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    |            | 12.4(15)MD2                 |                        |
    |            |                             |                        |
    | 12.4MD     | Releases prior to 12.4(11)  | 12.4(11)MD7            |
    |            | MD6 are not vulnerable,     |                        |
    |            | releases 12.4(15)MD and     |                        |
    |            | later are vulnerable.       |                        |
    |------------+-----------------------------+------------------------|
    |            | 12.4(19)MR1                 |                        |
    |            |                             |                        |
    | 12.4MR     | Releases prior to 12.4(16)  | 12.4(19)MR2            |
    |            | MR2 are not vulnerable,     |                        |
    |            | releases 12.4(19)MR and     |                        |
    |            | later are vulnerable        |                        |
    |------------+-----------------------------+------------------------|
    | 12.4SW     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    |            | 12.4(22)T                   |                        |
    |            |                             | 12.4(22)T1             |
    | 12.4T      | 12.4(20)T2                  |                        |
    |            |                             | 12.4(15)T9; Available  |
    |            | Releases prior to 12.4(20)T | on 29-APR-2009         |
    |            | are NOT vulnerable          |                        |
    |------------+-----------------------------+------------------------|
    | 12.4XA     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4XB     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4XC     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4XD     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4XE     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4XF     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4XG     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4XJ     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4XK     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4XL     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4XM     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4XN     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4XP     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4XQ     | 12.4(15)XQ2                 | 12.4(15)XQ2            |
    |------------+-----------------------------+------------------------|
    |            |                             | 12.4(22)T1             |
    | 12.4XR     | 12.4(15)XR4                 |                        |
    |            |                             | 12.4(15)T9; Available  |
    |            |                             | on 29-APR-2009         |
    |------------+-----------------------------+------------------------|
    | 12.4XT     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4XV     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4XW     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    |            |                             | 12.4(22)T1             |
    | 12.4XY     | 12.4(15)XY4                 |                        |
    |            |                             | 12.4(15)T9; Available  |
    |            |                             | on 29-APR-2009         |
    |------------+-----------------------------+------------------------|
    | 12.4XZ     | 12.4(15)XZ2                 | 12.4(15)XZ2            |
    |------------+-----------------------------+------------------------|
    | 12.4YA     | 12.4(20)YA2                 | 12.4(20)YA3            |
    |------------+-----------------------------+------------------------|
    | 12.4YB     | Not Vulnerable              |                        |
    |------------+-----------------------------+------------------------|
    | 12.4YD     | Not Vulnerable              |                        |
    +-------------------------------------------------------------------+
    
    Workarounds
    ===========
    
    The following mitigations have been identified for this
    vulnerability, which may help protect an infrastructure until an
    upgrade to a fixed version of Cisco IOS software can be scheduled:
    
    Infrastructure Access Control Lists
    +----------------------------------
    
    Although it is often difficult to block traffic that transits a
    network, it is possible to identify traffic that should never be
    allowed to target infrastructure devices and block that traffic at
    the border of networks. Infrastructure Access Control Lists (iACLs)
    are a network security best practice and should be considered as a
    long-term addition to good network security as well as a workaround
    for these specific vulnerabilities. The iACL example below should be
    included as part of the deployed infrastructure access-list which
    will protect all devices with IP addresses in the infrastructure IP
    address range:
    
    
        !---
        !--- Only sections pertaining to features enabled on the device
        !--- need be configured.
        !---
        !--- Feature: ALPS
        !---
    
        access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
            INFRASTRUCTURE_ADDRESSES WILDCARD eq 350
        access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
            INFRASTRUCTURE_ADDRESSES WILDCARD eq 10000
    
        !---
        !--- Deny ALPS TCP traffic from all other sources destined
        !--- to infrastructure addresses.
        !---
    
        access-list 150 deny tcp any
             INFRASTRUCTURE_ADDRESSES WILDCARD eq 350
        access-list 150 deny tcp any
             INFRASTRUCTURE_ADDRESSES WILDCARD eq 10000
    
        !---
        !--- Feature: STUN
        !---
    
        access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
             INFRASTRUCTURE_ADDRESSES WILDCARD eq 1994
        access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
             INFRASTRUCTURE_ADDRESSES WILDCARD range 1990 1992
    
        !---
        !--- Deny STUN TCP traffic from all other sources destined
        !--- to infrastructure addresses.
        !---
    
        access-list 150 deny tcp any
            INFRASTRUCTURE_ADDRESSES WILDCARD eq 1994
        access-list 150 deny tcp any
            INFRASTRUCTURE_ADDRESSES WILDCARD range 1990 1992
    
        !---
        !--- Feature: BSTUN
        !---
    
        access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
             INFRASTRUCTURE_ADDRESSES WILDCARD eq 1963
        access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
             INFRASTRUCTURE_ADDRESSES WILDCARD range 1976 1979
    
        !---
        !--- Deny BSTUN TCP traffic from all other sources destined
        !--- to infrastructure addresses.
        !---
    
        access-list 150 deny tcp any
             INFRASTRUCTURE_ADDRESSES WILDCARD eq 1963
        access-list 150 deny tcp any
             INFRASTRUCTURE_ADDRESSES WILDCARD range 1976 1979
    
        !---
        !--- Feature: NCIA
        !---
    
        !---
        !--- Leverage the underlying protocols, DLSw, RSRB, etc.
        !---
    
        !---
        !--- Feature: DLSW
        !---
    
        access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
             INFRASTRUCTURE_ADDRESSES WILDCARD eq 2065
        access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
             INFRASTRUCTURE_ADDRESSES WILDCARD eq 2067
        access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
             INFRASTRUCTURE_ADDRESSES WILDCARD range 1981 1983
    
        !---
        !--- Deny DLSW TCP traffic from all other sources destined
        !--- to infrastructure addresses.
        !---
    
        access-list 150 deny tcp any
             INFRASTRUCTURE_ADDRESSES WILDCARD eq 2065
        access-list 150 deny tcp any
             INFRASTRUCTURE_ADDRESSES WILDCARD eq 2067
        access-list 150 deny tcp any
             INFRASTRUCTURE_ADDRESSES WILDCARD range 1981 1983
    
        !---
        !--- Feature: RSRB
        !---
    
        access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
             INFRASTRUCTURE_ADDRESSES WILDCARD range 1987 1989
        access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
             INFRASTRUCTURE_ADDRESSES WILDCARD eq 1996
    
        !---
        !--- Deny RSRB TCP traffic from all other sources destined
        !--- to infrastructure addresses.
        !---
    
        access-list 150 deny tcp any
             INFRASTRUCTURE_ADDRESSES WILDCARD range 1987 1989
        access-list 150 deny tcp any
             INFRASTRUCTURE_ADDRESSES WILDCARD eq 1996
    
        !---
        !--- Feature: PPTP
        !---
    
        access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
             INFRASTRUCTURE_ADDRESSES WILDCARD eq 1723
    
        !---
        !--- Deny PPTP TCP traffic from all other sources destined
        !--- to infrastructure addresses.
        !---
    
        access-list 150 deny tcp any
             INFRASTRUCTURE_ADDRESSES WILDCARD eq 1723
    
        !---
        !--- Feature: RBP
        !---
        !--- RBP will listen for TCP connections on the configured port
        !--- as per "local port <port_number>". The following example
        !--- uses port 1055
        !---
    
        access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
             INFRASTRUCTURE_ADDRESSES WILDCARD eq 1055
    
        !---
        !--- Deny RBP traffic from all other sources destined
        !--- to infrastructure addresses.
        !---
    
        access-list 150 deny tcp any
             INFRASTRUCTURE_ADDRESSES WILDCARD eq 1055
    
        !---
        !--- Feature: XOT and X.25 Routing
        !---
    
        access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
             INFRASTRUCTURE_ADDRESSES WILDCARD eq 1998
    
        !---
        !--- Deny XOT and X25 TCP traffic from all other sources 
        !--- destined to infrastructure addresses.
        !---
    
        access-list 150 deny tcp any
             INFRASTRUCTURE_ADDRESSES WILDCARD eq 1998
    
        !---
        !--- Permit/deny all other Layer 3 and Layer 4 traffic in
        !--- accordance with existing security policies and
        !--- configurations. Permit all other traffic to transit the
        !--- device.
        !---
    
        access-list 150 permit ip any any
    
        !---
        !--- Apply access-list to all interfaces (only one example
        !--- shown)
        !---
    
        interface serial 2/0
         ip access-group 150 in
    
    The white paper entitled "Protecting Your Core: Infrastructure
    Protection Access Control Lists" presents guidelines and recommended
    deployment techniques for infrastructure protection access lists.
    This white paper can be obtained at the following link: 
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
    
    Receive ACLs (rACL)
    +------------------
    
    For distributed platforms, Receive ACLs may be an option starting in
    Cisco IOS Software Versions 12.0(21)S2 for the 12000 (GSR), 12.0(24)S
    for the 7500, and 12.0(31)S for the 10720. The Receive ACL protects
    the device from harmful traffic before the traffic can impact the
    route processor. A Receive ACL is designed to protect only the device
    on which it is configured. On the 12000, 7500, and 10720, transit
    traffic is never affected by a receive ACL. Because of this, the
    destination IP address "any" used in the example ACL entries below
    refers only to the router's own physical or virtual IP addresses.
    Receive ACLs are considered a network security best practice, and
    should be considered as a long-term addition to good network
    security, as well as a workaround for this specific vulnerability.
    The white paper entitled "Protecting Your Core: Infrastructure
    Protection Access Control Lists" presents guidelines and recommended
    deployment techniques for infrastructure protection access lists.
    This white paper can be obtained at the following link 
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a0a5e.shtml
    
    The following is the receive path ACL written to permit this type of
    traffic from trusted hosts:
    
    
        !---
        !--- Only sections pertaining to features enabled on the device
        !--- need be configured.
        !---
    
        !---
        !--- Permit ALPS traffic from trusted hosts allowed to the RP.
        !--- 
    
        access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
             any eq 350
        access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
            any eq 10000
    
        !---
        !--- Deny ALPS traffic from all other sources to the RP.
        !--- 
    
        access-list 150 deny tcp any any eq 350
        access-list 150 deny tcp any any eq 10000
    
        !---
        !--- Permit STUN traffic from trusted hosts allowed to the RP.
        !--- 
    
        access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
             any eq 1994
        access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
             any range 1990 1992
    
        !---
        !--- Deny STUN traffic from all other sources to the RP.
        !--- 
    
        access-list 150 deny tcp any any eq 1994
        access-list 150 deny tcp any any range 1990 1992
    
        !---
        !--- Permit BSTUN traffic from trusted hosts allowed to the RP.
        !--- 
    
        access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
             any eq 1963
        access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
             any range 1976 1979
    
        !---
        !--- Deny BSTUN traffic from all other sources to the RP.
        !--- 
    
        access-list 150 deny tcp any any eq 1963
        access-list 150 deny tcp any any range 1976 1979
    
        !---
        !--- Permit DLSw from trusted hosts allowed to the RP.
        !--- 
    
        access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
             any eq 2065
        access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
             any eq 2067
        access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
             any range 1981 1983
    
        !---
        !--- Deny DLSw traffic from all other sources to the RP.
        !--- 
    
        access-list 150 deny tcp any any eq 2065
        access-list 150 deny tcp any any eq 2067
        access-list 150 deny tcp any any range 1981 1983
    
        !---
        !--- Permit RSRB traffic from trusted hosts allowed to the RP.
        !---
    
        access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
             any eq 1996
        access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
             any range 1987 1989
    
        !---
        !--- Deny RSRB traffic from all other sources to the RP.
        !---
    
        access-list 150 deny tcp any any eq 1996
        access-list 150 deny tcp any any range 1987 1989
    
        !--- 
        !--- Permit PPTP traffic from trusted hosts allowed to the RP.
        !--- 
    
        access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
             any eq 1723
    
        !---
        !--- Deny PPTP traffic from all other sources to the RP.
        !--- 
    
        access-list 150 deny tcp any any eq 1723
    
        !---
        !--- Permit RBP traffic from trusted hosts allowed to the RP.
        !--- RBP will listen for TCP connections on the configured port
        !--- as per "local port <port_number>".  The following example
        !--- uses port 1055
        !---
    
        access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
             any eq 1055
    
        !---
        !--- Deny RBP traffic from all other sources to the RP.
        !---
    
        access-list 150 deny tcp any any eq 1055
    
        !---
        !--- Permit XOT and X.25 Routing traffic from trusted hosts allowed 
        !--- to the RP.
        !---
    
        access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
             any eq 1998
    
        !---
        !--- Deny XOT and X.25 Routing traffic from all other sources to 
        !---  the RP.
        !---
    
        access-list 150 deny tcp any any eq 1998
    
        !--- Permit all other traffic to the RP
        !--- according to security policy and configurations.
    
        access-list 150 permit ip any any
    
        !--- Apply this access list to the 'receive' path.
    
        ip receive access-list 150
    
    Control Plane Policing
    +---------------------
    
    Control Plane Policing (CoPP) can be used to block TCP traffic for
    the affected features from reaching the device. Cisco IOS software
    releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the
    CoPP feature. CoPP can be configured on a device to protect the
    management and control planes and minimize the risk and effectiveness
    of direct infrastructure attacks by explicitly permitting only
    authorized traffic that is sent to infrastructure devices in
    accordance with existing security policies and configurations. The
    CoPP example below should be included as part of the deployed CoPP
    that will protect all devices with IP addresses in the infrastructure
    IP address range.
    
    
        !---
        !--- Only sections pertaining to features enabled on the device
        !--- need be configured.
        !---
        !--- Feature: ALPS
        !---
    
        access-list 150 deny tcp TRUSTED_HOSTS WILDCARD any eq 350
        access-list 150 deny tcp TRUSTED_HOSTS WILDCARD any eq 10000
    
        !---
        !--- Permit ALPS traffic sent to all IP addresses
        !--- configured on all interfaces of the affected device so
        !--- that it will be policed and dropped by the CoPP feature
        !---
    
        access-list 150 permit tcp any any eq 350
        access-list 150 permit tcp any any eq 10000
    
        !---
        !--- Feature: STUN
        !---
    
        access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
             any eq 1994
        access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
             any range 1990 1992
    
        !---
        !--- Permit STUN traffic sent to all IP addresses
        !--- configured on all interfaces of the affected device so 
        !--- that it will be policed and dropped by the CoPP feature
        !---
    
        access-list 150 permit tcp any any eq 1994
        access-list 150 permit tcp any any range 1990 1992
    
        !---
        !--- Feature: BSTUN
        !---
    
        access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
             any eq 1963
        access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
             any range 1976 1979
    
        !---
        !--- Permit BSTUN traffic sent to all IP addresses
        !--- configured on all interfaces of the affected device so
        !--- that it will be policed and dropped by the CoPP feature
        !---
    
        access-list 150 permit tcp any any eq 1963
        access-list 150 permit tcp any any range 1976 1979
    
        !---
        !--- Feature: NCIA
        !---
        !--- Leverage the underlying protocols, DLSw, RSRB, etc.
        !---
    
        !---
        !--- Feature: DLSW
        !---
    
        access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
             any eq 2065
        access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
             any eq 2067
        access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
             any range 1981 1983
    
        !---
        !--- Permit DLSW traffic sent to all IP addresses
        !--- configured on all interfaces of the affected device so 
        !--- that it will be policed and dropped by the CoPP feature
        !---
    
        access-list 150 permit tcp any any eq 2065
        access-list 150 permit tcp any any eq 2067
        access-list 150 permit tcp any any range 1981 1983
    
        !---
        !--- Feature: RSRB
        !---
    
        access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
             any range 1987 1989
        access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
             any eq 1996
    
        !---
        !--- Permit RSRB traffic sent to all IP addresses
        !--- configured on all interfaces of the affected device so 
        !--- that it will be policed and dropped by the CoPP feature
        !---
    
        access-list 150 permit tcp any any range 1987 1989
        access-list 150 permit tcp any any eq 1996
    
        !---
        !--- Feature: PPTP
        !---
    
        access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
             any eq 1723
    
        !---
        !--- Permit PPTP traffic sent to all IP addresses
        !--- configured on all interfaces of the affected device so 
        !--- that it will be policed and dropped by the CoPP feature
        !---
    
        access-list 150 permit tcp any any eq 1723
    
        !---
        !--- Feature: RBP
        !---
        !--- RBP will listen for TCP connections on the configured port
        !--- as per "local port <port_number>".  The following example
        !--- uses port 1055
    
        access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
             any eq 1055
    
        !---
        !--- Permit RBP traffic sent to all IP addresses
        !--- configured on all interfaces of the affected device so 
        !--- that it will be policed and dropped by the CoPP feature
        !---
    
        access-list 150 permit tcp any any eq 1055
    
        !---
        !--- Feature: XOT and X.25 Routing
        !---
    
        access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
             any eq 1998
    
        !---
        !--- Permit XOT and X25 traffic sent to all IP addresses
        !--- configured on all interfaces of the affected device so 
        !--- that it will be policed and dropped by the CoPP feature
        !---
    
        access-list 150 permit tcp any any eq 1998
    
        !---
        !--- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and
        !--- Layer 4 traffic in accordance with existing security policies
        !--- and configurations for traffic that is authorized to be sent
        !--- to infrastructure devices.
        !--- Create a Class-Map for traffic to be policed by
        !--- the CoPP feature
        !---
    
        class-map match-all drop-tcp-class
         match access-group 150
    
        !---
        !--- Create a Policy-Map that will be applied to the
        !--- Control-Plane of the device.
        !---
    
        policy-map drop-tcp-traffic
         class drop-tcp-class
          drop
    
        !---
        !--- Apply the Policy-Map to the 
        !--- Control-Plane of the device
        !---
    
        control-plane
         service-policy input drop-tcp-traffic
    
    In the above CoPP example, the access control list entries (ACEs)
    that match the potential exploit packets with the "permit" action
    result in these packets being discarded by the policy-map "drop"
    function, while packets that match the "deny" action (not shown) are
    not affected by the policy-map drop function. Please note that the
    policy-map syntax is different in the 12.2S and 12.0S Cisco IOS
    trains:
    
        policy-map drop-tcp-traffic
          class drop-tcp-class
            police 32000 1500 1500 conform-action drop exceed-action drop
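
    The first-match logic behind the iACL and CoPP examples above, as an
    added Python model that is not part of the Cisco advisory. It uses
    only the DLSw entries; 192.0.2.0/24 for TRUSTED_HOSTS and
    198.51.100.0/24 for INFRASTRUCTURE_ADDRESSES are constructed
    placeholder values, and all function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)  # a wildcard with every bit set matches all addresses


@dataclass
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "tcp" or "ip"
    src: Tuple[int, int]      # (address, wildcard mask)
    dst: Tuple[int, int]
    ports: Optional[range]    # destination ports, None = any port


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _take_addr(tok: List[str]) -> Tuple[int, int]:
    """Consume 'any' or 'ADDRESS WILDCARD' from the front of tok."""
    if tok and tok[0] == "any":
        del tok[0]
        return ANY
    if len(tok) < 2:
        raise ValueError("address and wildcard expected")
    spec = (_ip(tok[0]), _ip(tok[1]))
    del tok[:2]
    return spec


def parse_ace(line: str) -> Ace:
    """Parse the subset of extended ACE syntax used in the advisory."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError(f"not an extended ACE: {line!r}")
    action, proto, rest = tok[2], tok[3], tok[4:]
    if action not in ("permit", "deny") or proto not in ("tcp", "ip"):
        raise ValueError(f"unsupported ACE: {line!r}")
    src, dst = _take_addr(rest), _take_addr(rest)
    ports = None
    if rest[:1] == ["eq"] and len(rest) == 2 and rest[1].isdigit():
        ports = range(int(rest[1]), int(rest[1]) + 1)
    elif (rest[:1] == ["range"] and len(rest) == 3
          and rest[1].isdigit() and rest[2].isdigit()):
        ports = range(int(rest[1]), int(rest[2]) + 1)
    elif rest:
        # Anything else after the addresses is rejected, not guessed at.
        raise ValueError(f"malformed port clause: {' '.join(rest)!r}")
    return Ace(action, proto, src, dst, ports)


def parse_acl(text: str) -> List[Ace]:
    lines = (l.strip() for l in text.splitlines())
    return [parse_ace(l) for l in lines if l and not l.startswith("!")]


def _match(addr: int, spec: Tuple[int, int]) -> bool:
    base, wild = spec
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0


def acl_action(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching ACE wins; an ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (_match(s, ace.src) and _match(d, ace.dst)):
            continue
        if ace.ports is not None and dport not in ace.ports:
            continue
        return ace.action
    return "deny"


def iacl_verdict(acl, proto, src, dst, dport) -> str:
    """Interface ACL: permit forwards the packet, deny drops it."""
    return "forward" if acl_action(acl, proto, src, dst, dport) == "permit" else "drop"


def copp_verdict(acl, proto, src, dst, dport) -> str:
    """CoPP: permit puts the packet in the class whose policy action is
    drop; deny (explicit or implicit) leaves it outside that class."""
    return "drop" if acl_action(acl, proto, src, dst, dport) == "permit" else "to-RP"


T, I = "192.0.2.0 0.0.0.255", "198.51.100.0 0.0.0.255"  # constructed values
IACL = f"""
! constructed sample: DLSw section of the iACL, placeholders filled in
access-list 150 permit tcp {T} {I} eq 2065
access-list 150 permit tcp {T} {I} eq 2067
access-list 150 permit tcp {T} {I} range 1981 1983
access-list 150 deny tcp any {I} eq 2065
access-list 150 deny tcp any {I} eq 2067
access-list 150 deny tcp any {I} range 1981 1983
access-list 150 permit ip any any
"""
COPP = f"""
! constructed sample: DLSw section of the CoPP ACL, placeholders filled in
access-list 150 deny tcp {T} any eq 2065
access-list 150 deny tcp {T} any eq 2067
access-list 150 deny tcp {T} any range 1981 1983
access-list 150 permit tcp any any eq 2065
access-list 150 permit tcp any any eq 2067
access-list 150 permit tcp any any range 1981 1983
"""
# Mistake to avoid: carrying the iACL's catch-all entry into the CoPP ACL.
COPP_WITH_CATCH_ALL = COPP + "access-list 150 permit ip any any\n"
```

    Because every "permit" in the CoPP ACL means "drop at the control
    plane", a trailing "permit ip any any" there discards all traffic to
    the route processor except the explicitly denied trusted flows.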
    
    Additional information on the configuration and use of the CoPP
    feature can be found in the documents "Control Plane Policing
    Implementation Best Practices" and "Cisco IOS Software Releases 12.2S
    - Control Plane Policing" at the following links:
    http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
    and
    http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html
    
    Additional mitigations that can be deployed on Cisco devices within
    the network are available in the "Cisco Applied Mitigation Bulletin"
    companion document for this advisory, at the following link 
    http://www.cisco.com/warp/public/707/cisco-amb-20090325-tcp-and-ip.shtml
    
    Obtaining Fixed Software
    ========================
    
    Cisco has released free software updates that address these
    vulnerabilities. Prior to deploying software, customers should
    consult their maintenance provider or check the software for feature
    set compatibility and known issues specific to their environment.
    
    Customers may only install and expect support for the feature sets
    they have purchased. By installing, downloading, accessing or
    otherwise using such software upgrades, customers agree to be bound
    by the terms of Cisco's software license terms found at 
    http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
    or as otherwise set forth at Cisco.com Downloads at 
    http://www.cisco.com/public/sw-center/sw-usingswc.shtml 
    
    Do not contact psirt@cisco.com or security-alert@cisco.com for
    software upgrades.
    
    Customers with Service Contracts
    +-------------------------------
    
    Customers with contracts should obtain upgraded software through
    their regular update channels. For most customers, this means that
    upgrades should be obtained through the Software Center on Cisco's
    worldwide website at http://www.cisco.com
    
    Customers using Third Party Support Organizations
    +------------------------------------------------
    
    Customers whose Cisco products are provided or maintained through
    prior or existing agreements with third-party support organizations,
    such as Cisco Partners, authorized resellers, or service providers
    should contact that support organization for guidance and assistance
    with the appropriate course of action in regards to this advisory.
    
    The effectiveness of any workaround or fix is dependent on specific
    customer situations, such as product mix, network topology, traffic
    behavior, and organizational mission. Due to the variety of affected
    products and releases, customers should consult with their service
    provider or support organization to ensure any applied workaround or
    fix is the most appropriate for use in the intended network before it
    is deployed.
    
    Customers without Service Contracts
    +----------------------------------
    
    Customers who purchase direct from Cisco but do not hold a Cisco
    service contract, and customers who purchase through third-party
    vendors but are unsuccessful in obtaining fixed software through
    their point of sale should acquire upgrades by contacting the Cisco
    Technical Assistance Center (TAC). TAC contacts are as follows.
    
      * +1 800 553 2447 (toll free from within North America)
      * +1 408 526 7209 (toll call from anywhere in the world)
      * e-mail: tac@cisco.com
    
    Customers should have their product serial number available and be
    prepared to give the URL of this notice as evidence of entitlement to
    a free upgrade. Free upgrades for non-contract customers must be
    requested through the TAC.
    
    Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
    for additional TAC contact information, including localized telephone
    numbers, and instructions and e-mail addresses for use in various 
    languages.
    
    Exploitation and Public Announcements
    =====================================
    
    The Cisco PSIRT is not aware of any public announcements or malicious
    use of the vulnerability described in this advisory.
    
    This vulnerability was found by Cisco internal testing.
    
    Status of this Notice: FINAL
    ============================
    
    THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
    KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
    MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
    INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
    AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
    DOCUMENT AT ANY TIME.
    
    A stand-alone copy or paraphrase of the text of this document that
    omits the distribution URL in the following section is an
    uncontrolled copy, and may lack important information or contain
    factual errors.
    
    Distribution
    ============
    
    This advisory is posted on Cisco's worldwide website at:
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
    
    In addition to worldwide web posting, a text version of this notice
    is clear-signed with the Cisco PSIRT PGP key and is posted to the
    following e-mail and Usenet news recipients.
    
      * cust-security-announce@cisco.com
      * first-bulletins@lists.first.org
      * bugtraq@securityfocus.com
      * vulnwatch@vulnwatch.org
      * cisco@spot.colorado.edu
      * cisco-nsp@puck.nether.net
      * full-disclosure@lists.grok.org.uk
      * comp.dcom.sys.cisco@newsgate.cisco.com
    
    Future updates of this advisory, if any, will be placed on Cisco's
    worldwide website, but may or may not be actively announced on
    mailing lists or newsgroups. Users concerned about this problem are
    encouraged to check the above URL for any updates.
    
    Revision History
    ================
    
    +---------------------------------------+
    | Revision |               | Initial    |
    | 1.0      | 2009-March-25 | public     |
    |          |               | release    |
    +---------------------------------------+
    
    Cisco Security Procedures
    =========================
    
    Complete information on reporting security vulnerabilities in Cisco
    products, obtaining assistance with security incidents, and
    registering to receive security information from Cisco, is available
    on Cisco's worldwide website at 
    http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
    This includes instructions for press inquiries regarding Cisco 
    security notices. All Cisco security advisories are available at 
    http://www.cisco.com/go/psirt
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.8 (Darwin)
    
    iEYEARECAAYFAknKUb8ACgkQ86n/Gc8U/uCp1gCfS6aMv74rf1bDoby1JcGRFsN3
    hpYAn1Oqp7nQxPwBrtptF3WM42HgGdIk
    =NVYK
    -----END PGP SIGNATURE-----
    
    
    
    

    --- End Message ---
    --- Begin Message ---
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Cisco Security Advisory: Cisco IOS Software WebVPN and SSLVPN
    Vulnerabilities
    
    Advisory ID: cisco-sa-20090325-webvpn
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
    
    Revision 1.0
    
    For Public Release 2009 March 25 1600 UTC (GMT)
    
    - ---------------------------------------------------------------------
    
    Summary
    =======
    
    Cisco IOS software contains two vulnerabilities within the Cisco IOS
    WebVPN or Cisco IOS SSLVPN feature (SSLVPN) that can be remotely
    exploited without authentication to cause a denial of service
    condition. Both vulnerabilities affect both Cisco IOS WebVPN and
    Cisco IOS SSLVPN features:
    
     1. Crafted HTTPS packet will crash device.
     2. SSLVPN sessions cause a memory leak in the device.
    
    Cisco has released free software updates that address these
    vulnerabilities.
    
    There are no workarounds that mitigate these vulnerabilities.
    
    This advisory is posted at the following link: 
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
    
    Note: The March 25, 2009, Cisco IOS Security Advisory bundled
    publication includes eight Security Advisories. All of the advisories
    address vulnerabilities in Cisco IOS Software. Each advisory lists
    the releases that correct the vulnerability or vulnerabilities in the
    advisory. The following table lists releases that correct all Cisco
    IOS Software vulnerabilities that have been published in Cisco
    Security Advisories on March 25, 2009, or earlier.
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml
    
    Individual publication links are listed below:
    
      * Cisco IOS cTCP Denial of Service Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
    
      * Cisco IOS Software Multiple Features IP Sockets Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
    
      * Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
    
      * Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
    
      * Cisco IOS Software Session Initiation Protocol Denial of Service
        Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
    
      * Cisco IOS Software Multiple Features Crafted TCP Sequence
        Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
    
      * Cisco IOS Software Multiple Features Crafted UDP Packet
        Vulnerability
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
    
      * Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
    
    Affected Products
    =================
    
    Vulnerable Products
    +------------------
    
    Devices running affected versions of Cisco IOS software are affected
    if configured with SSLVPN.
    
    To determine the Cisco IOS Software release that is running on a
    Cisco product, administrators can log in to the device and issue the
    "show version" command to display the system banner. The system
    banner confirms that the device is running Cisco IOS Software by
    displaying text similar to "Cisco Internetwork Operating System
    Software" or "Cisco IOS Software." The image name displays in
    parentheses, followed by "Version" and the Cisco IOS Software release
    name. Other Cisco devices do not have the "show version" command or
    may provide different output.
    
    The following example identifies a Cisco product that is running
    Cisco IOS Software Release 12.3(26) with an installed image name of
    C2500-IS-L:
    
        Router#show version
        Cisco Internetwork Operating System Software
        IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2008 by cisco Systems, Inc.
        Compiled Mon 17-Mar-08 14:39 by dchih
    
        <output truncated>
    
    The following example shows a product that is running Cisco IOS
    Software release 12.4(20)T with an image name of
    C1841-ADVENTERPRISEK9-M:
    
        Router#show version
        Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2008 by Cisco Systems, Inc.
        Compiled Thu 10-Jul-08 20:25 by prod_rel_team
    
        <output truncated>
    
    Additional information about Cisco IOS Software release naming
    conventions is available in "White Paper: Cisco IOS Reference Guide"
    at the following link: http://www.cisco.com/warp/public/620/1.html
    
    To determine that SSLVPN is enabled on your device, log in to the
    device and issue the command-line interface (CLI) command "show
    running-config | include webvpn". If the device returns any output
    this means that SSLVPN is configured on the device and the device may
    be vulnerable. Vulnerable configurations vary depending on whether
    the device is supporting Cisco IOS WebVPN (introduced in Release
    12.3(14)T) or Cisco IOS SSLVPNs (introduced in Release 12.4(6)T). The
    following methods describe how to confirm if the device is
    vulnerable:
    
    If the output from "show running-config | include webvpn" contains
    "webvpn enable" then the device is configured with the original Cisco
    IOS WebVPN. The only way to confirm the device is vulnerable is to
    examine the output of "show running-config" to confirm that webvpn is
    enabled via the command "webvpn enable" and that a "ssl trustpoint"
    has been configured. The following example shows a vulnerable device
    configured with Cisco IOS WebVPN:
    
        webvpn enable
        !
        webvpn
         ssl trustpoint TP-self-signed-29742012
    
    If the output from "show running-config | include webvpn" contains
    "webvpn gateway <word>" then the device is supporting the Cisco IOS
    SSLVPN feature. A device is vulnerable if it has the "inservice"
    command in at least one of the "webvpn gateway" sections. The
    following example shows a vulnerable device configured with Cisco IOS
    SSLVPN:
    
        Router# show running | section webvpn
        webvpn gateway Gateway
         ip address 10.1.1.1 port 443
         ssl trustpoint Gateway-TP
         inservice
         !
        Router#
    
    A device that supports the Cisco IOS SSLVPN is not vulnerable if it
    has no "webvpn gateway" sections configured, or if every configured
    "webvpn gateway" section contains the "no inservice" command.
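
    The two configuration checks described above can be run offline
    against a saved "show running-config". This is an added example, not
    Cisco's code; the function name, result keys and sample configurations
    are assumptions constructed for illustration.

```python
# Added example: audit a saved "show running-config" against the advisory's
# SSLVPN exposure criteria. All sample configurations below are constructed.

def audit_sslvpn(running_config):
    """Return which of the advisory's two vulnerable configurations apply."""
    legacy_enable = False      # global "webvpn enable" (original IOS WebVPN)
    legacy_trustpoint = False  # "ssl trustpoint" under the bare "webvpn" section
    gateways = {}              # gateway name -> True when "inservice"
    section = None             # section that owns the current sub-commands

    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        top_level = not line[0].isspace()
        if top_level:
            section = None     # any column-0 line ends the previous section
        words = line.split()
        if words == ["!"]:
            continue
        if top_level:
            if words[:2] == ["webvpn", "enable"]:
                legacy_enable = True
            elif words == ["webvpn"]:
                section = ("legacy", None)
            elif words[:2] == ["webvpn", "gateway"] and len(words) >= 3:
                section = ("gateway", words[2])
                gateways.setdefault(words[2], False)
            # Other sections (e.g. "webvpn context ...") are ignored on
            # purpose: an "inservice" there does not put a gateway in service.
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "legacy" and words[:2] == ["ssl", "trustpoint"]:
            legacy_trustpoint = True
        elif kind == "gateway" and words == ["inservice"]:
            gateways[name] = True
        elif kind == "gateway" and words == ["no", "inservice"]:
            gateways[name] = False

    in_service = sorted(n for n, up in gateways.items() if up)
    legacy = legacy_enable and legacy_trustpoint
    return {
        "legacy_webvpn": legacy,            # "webvpn enable" + "ssl trustpoint"
        "gateways_in_service": in_service,  # "webvpn gateway" with "inservice"
        "exposed": legacy or bool(in_service),
    }


# Constructed sample: one gateway in service, one not, plus a context whose
# own "inservice" must not be counted as a gateway being in service.
SAMPLE_SSLVPN = """
webvpn gateway Gateway
 ip address 10.1.1.1 port 443
 ssl trustpoint Gateway-TP
 inservice
 !
webvpn gateway Spare
 ip address 10.1.1.2 port 443
 no inservice
!
webvpn context Portal
 gateway Spare
 inservice
!
"""

# Constructed sample modelled on the advisory's original WebVPN example.
SAMPLE_LEGACY = """
webvpn enable
!
webvpn
 ssl trustpoint TP-self-signed-29742012
"""

# Constructed sample: SSLVPN configured but every gateway is out of service.
SAMPLE_OUT_OF_SERVICE = """
webvpn gateway Gateway
 ip address 10.1.1.1 port 443
 ssl trustpoint Gateway-TP
 no inservice
!
"""

if __name__ == "__main__":
    for label, cfg in (("sslvpn", SAMPLE_SSLVPN), ("legacy", SAMPLE_LEGACY),
                       ("out-of-service", SAMPLE_OUT_OF_SERVICE)):
        print(label, audit_sslvpn(cfg))
```

    A result of "exposed" only means the configuration matches the
    criteria above; the device must also be running an affected release.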
    
    Products Confirmed Not Vulnerable
    +--------------------------------
    
    The following products are not affected by this vulnerability:
    
      * Cisco ASA 5500 Series Adaptive Security Appliances
      * Cisco IOS XR Software
      * Cisco IOS XE Software
    
    No other Cisco products are currently known to be affected by these
    vulnerabilities.
    
    Details
    =======
    
    The Cisco SSLVPN feature provides remote access to enterprise sites
    by users from anywhere on the Internet. The SSLVPN provides users
    with secure access to specific enterprise applications, such as
    e-mail and web browsing, without requiring them to have VPN client
    software installed on their end-user devices.
    
    The WebVPN Enhancements feature (Cisco IOS SSLVPN), released in Cisco
    IOS Release 12.4(6)T, obsoletes the commands and configurations
    originally put forward in Cisco IOS WebVPN.
    
    Further information about Cisco IOS WebVPN is available in the "Cisco
    IOS Software Release 12.3T WebVPN feature guide" at the following
    link: 
    http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/g_sslvpn.html
    
    Further information about Cisco IOS SSLVPN is available in the "Cisco
    IOS Software Release 12.4T SSLVPN feature guide" at the following
    link: http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htwebvpn.html
    
    Details regarding these two vulnerabilities in Cisco IOS devices that
    are running affected versions of system software are:
    
    Crafted HTTPS packet will crash device
    +--------------------------------------
    
    A device configured for SSLVPN may reload or hang when it receives a
    specially crafted HTTPS packet. Successful exploitation requires
    completion of the TCP three-way handshake to the TCP port of the
    SSLVPN feature; authentication is not required. The default TCP
    port number for SSLVPN is 443.
    
    This vulnerability is documented in Cisco bug ID CSCsk62253 
    and Common Vulnerabilities and Exposures (CVE) identifier 
    CVE-2009-0626 has been assigned to this vulnerability.
    
    SSLVPN sessions cause a memory leak in the device
    +------------------------------------------------
    
    A device configured for SSLVPN may leak transmission control blocks
    (TCBs) when processing an abnormally disconnected SSL session.
    Continued exploitation may deplete the device's memory resources
    and crash the device. Authentication is not required to exploit
    this vulnerability.
    
    The memory leak can be detected by running the command "show tcp
    brief", as in the following example:
    
        Router#show tcp brief
        TCB       Local Address      Foreign Address     (state)
        468BBDC0  192.168.0.22.443   192.168.0.33.19794   CLOSEWAIT
        482D4730  192.168.0.22.443   192.168.0.33.22092   CLOSEWAIT
        482779A4  192.168.0.22.443   192.168.0.33.16978   CLOSEWAIT
        4693DEBC  192.168.0.22.443   192.168.0.33.21580   CLOSEWAIT
        482D3418  192.168.0.22.443   192.168.0.33.17244   CLOSEWAIT
        482B8ACC  192.168.0.22.443   192.168.0.33.16564   CLOSEWAIT
        46954EB0  192.168.0.22.443   192.168.0.33.19532   CLOSEWAIT
        468BA9B8  192.168.0.22.443   192.168.0.33.15781   CLOSEWAIT
        482908C4  192.168.0.22.443   192.168.0.33.19275   CLOSEWAIT
        4829D66C  192.168.0.22.443   192.168.0.33.19314   CLOSEWAIT
        468A2D94  192.168.0.22.443   192.168.0.33.14736   CLOSEWAIT
        4688F590  192.168.0.22.443   192.168.0.33.18786   CLOSEWAIT
        4693CBA4  192.168.0.22.443   192.168.0.33.12176   CLOSEWAIT
        4829ABC4  192.168.0.22.443   192.168.0.33.39629   CLOSEWAIT
        4691206C  192.168.0.22.443   192.168.0.33.17818   CLOSEWAIT
        46868224  192.168.0.22.443   192.168.0.33.16774   CLOSEWAIT
        4832BFAC  192.168.0.22.443   192.168.0.33.39883   CLOSEWAIT
        482D10CC  192.168.0.22.443   192.168.0.33.13677   CLOSEWAIT
        4829B120  192.168.0.22.443   192.168.0.33.20870   CLOSEWAIT
        482862FC  192.168.0.22.443   192.168.0.33.17035   CLOSEWAIT
        482EC13C  192.168.0.22.443   192.168.0.33.16053   CLOSEWAIT
        482901D8  192.168.0.22.443   192.168.0.33.16200   CLOSEWAIT
    
    In the output above, those Transmission Control Blocks (TCBs) in the
    state CLOSEWAIT will not go away and represent memory leaks. Please
    note that only TCP connections with a local TCP port of 443 (the
    well-known port for HTTPS) are relevant.
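
    Because the leaked TCBs "will not go away", comparing two captures of
    "show tcp brief" separates them from connections that are merely in
    the middle of closing. This is an added example, not Cisco's code; the
    function names and both snapshots are constructed, and the interval
    between captures is left to the operator.

```python
# Added example: find CLOSEWAIT TCBs on the SSLVPN port that persist across
# two "show tcp brief" captures. Both snapshots below are constructed.
import re

# TCB address, local addr.port, foreign addr.port, state
TCB_LINE = re.compile(
    r"^\s*([0-9A-Fa-f]{6,16})\s+(\S+)\.(\d+)\s+(\S+)\.(\d+)\s+(\S+)\s*$"
)


def closewait_tcbs(output, port=443):
    """Map TCB address -> foreign endpoint for CLOSEWAIT entries on `port`."""
    found = {}
    for line in output.splitlines():
        m = TCB_LINE.match(line)
        if not m:
            continue  # prompt, header, or a listener shown as "*.*"
        tcb, _laddr, lport, faddr, fport, state = m.groups()
        if int(lport) == port and state == "CLOSEWAIT":
            found[tcb.upper()] = f"{faddr}.{fport}"
    return found


def persistent_closewait(earlier, later, port=443):
    """TCBs that are CLOSEWAIT on `port` with the same peer in both captures."""
    before = closewait_tcbs(earlier, port)
    after = closewait_tcbs(later, port)
    return sorted(t for t, peer in after.items() if before.get(t) == peer)


def leak_report(earlier, later, port=443):
    """Summarise growth and persistence between two captures."""
    return {
        "closewait_before": len(closewait_tcbs(earlier, port)),
        "closewait_after": len(closewait_tcbs(later, port)),
        "persistent": persistent_closewait(earlier, later, port),
    }


# Constructed capture taken first.
SNAPSHOT_T0 = """
Router#show tcp brief
TCB       Local Address      Foreign Address     (state)
4A000010  192.168.0.22.443   192.168.0.33.20001   CLOSEWAIT
4A000020  192.168.0.22.443   192.168.0.33.20002   CLOSEWAIT
4A000030  192.168.0.22.443   192.168.0.44.20003   ESTAB
4A000040  192.168.0.22.22    192.168.0.55.20004   CLOSEWAIT
"""

# Constructed capture taken later on the same device.
SNAPSHOT_T1 = """
Router#show tcp brief
TCB       Local Address      Foreign Address     (state)
4A000010  192.168.0.22.443   192.168.0.33.20001   CLOSEWAIT
4A000020  192.168.0.22.443   192.168.0.33.20002   CLOSEWAIT
4A000030  192.168.0.22.443   192.168.0.44.20003   CLOSEWAIT
4A000040  192.168.0.22.22    192.168.0.55.20004   CLOSEWAIT
4A000050  192.168.0.22.443   192.168.0.33.20005   CLOSEWAIT
"""

if __name__ == "__main__":
    print(leak_report(SNAPSHOT_T0, SNAPSHOT_T1))
```

    Entries on other local ports (port 22 in the constructed data) are
    ignored, and a TCB that only entered CLOSEWAIT in the second capture
    is counted but not yet reported as persistent.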
    
    This vulnerability is documented in Cisco bug ID CSCsw24700 
    and Common Vulnerabilities and Exposures (CVE) identifier 
    CVE-2009-0628 has been assigned to this vulnerability.
    
    Vulnerability Scoring Details
    =============================
    
    Cisco has provided scores for the vulnerabilities in this advisory
    based on the Common Vulnerability Scoring System (CVSS). The CVSS
    scoring in this Security Advisory is done in accordance with CVSS
    version 2.0.
    
    CVSS is a standards-based scoring method that conveys vulnerability
    severity and helps determine urgency and priority of response.
    
    Cisco has provided a base and temporal score. Customers can then
    compute environmental scores to assist in determining the impact of
    the vulnerability in individual networks.
    
    Cisco has provided an FAQ to answer additional questions regarding
    CVSS at
    
    http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
    
    Cisco has also provided a CVSS calculator to help compute the
    environmental impact for individual networks at
    
    http://intellishield.cisco.com/security/alertmanager/cvss 
    
    CSCsk62253 - Crafted HTTPS packet will crash device.
    
    CVSS Base Score - 7.8
    
     Access Vector           - Network
     Access Complexity       - Low
     Authentication          - None
     Confidentiality Impact  - None
     Integrity Impact        - None
     Availability Impact     - Complete
    
    CVSS Temporal Score - 6.4
    
     Exploitability          - Functional
     Remediation Level       - Official-Fix
     Report Confidence       - Confirmed
    
    
    CSCsw24700 - SSLVPN sessions cause a memory leak in the device.
    
    CVSS Base Score - 7.8
    
     Access Vector           - Network
     Access Complexity       - Low
     Authentication          - None
     Confidentiality Impact  - None
     Integrity Impact        - None
     Availability Impact     - Complete
    
    CVSS Temporal Score - 6.4
    
     Exploitability          - Functional
     Remediation Level       - Official-Fix
     Report Confidence       - Confirmed
    
    Impact
    ======
    
    Successful exploitation of either of the two vulnerabilities may result
    in the device crashing, not accepting any new SSLVPN sessions or a
    memory leak. Repeated exploitation may result in an extended denial
    of service (DoS) condition.
    
    Software Versions and Fixes
    ===========================
    
    When considering software upgrades, also consult 
    http://www.cisco.com/go/psirt and any subsequent advisories to 
    determine exposure and a complete upgrade solution.
    
    In all cases, customers should exercise caution to be certain the
    devices to be upgraded contain sufficient memory and that current
    hardware and software configurations will continue to be supported
    properly by the new release. If the information is not clear, contact
    the Cisco Technical Assistance Center (TAC) or your contracted
    maintenance provider for assistance.
    
    Each row of the Cisco IOS software table (below) names a Cisco IOS
    release train. If a given release train is vulnerable, then the
    earliest possible releases that contain the fix (along with the
    anticipated date of availability for each, if applicable) are listed
    in the "First Fixed Release" column of the table. The "Recommended
    Release" column indicates the releases which have fixes for all the
    published vulnerabilities at the time of this Advisory. A device
    running a release in the given train that is earlier than the release
    in a specific column (less than the First Fixed Release) is known to
    be vulnerable. Cisco recommends upgrading to a release equal to or
    later than the release in the "Recommended Release" column of the
    table.
    
    +-------------------------------------------------------------------+
    |   Major    |          Availability of Repaired Releases           |
    |  Release   |                                                      |
    |------------+------------------------------------------------------|
    | Affected   |                                      | Recommended   |
    | 12.0-Based | First Fixed Release                  | Release       |
    | Releases   |                                      |               |
    |-------------------------------------------------------------------|
    | There are no affected 12.0 based releases                         |
    |-------------------------------------------------------------------|
    | Affected   |                                      | Recommended   |
    | 12.1-Based | First Fixed Release                  | Release       |
    | Releases   |                                      |               |
    |-------------------------------------------------------------------|
    | There are no affected 12.1 based releases                         |
    |-------------------------------------------------------------------|
    | Affected   |                                      | Recommended   |
    | 12.2-Based | First Fixed Release                  | Release       |
    | Releases   |                                      |               |
    |-------------------------------------------------------------------|
    | There are no affected 12.2 based releases                         |
    |-------------------------------------------------------------------|
    | Affected   |                                      | Recommended   |
    | 12.3-Based | First Fixed Release                  | Release       |
    | Releases   |                                      |               |
    |------------+--------------------------------------+---------------|
    | 12.3       | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3B      | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3BC     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3BW     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3EU     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3JA     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3JEA    | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3JEB    | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3JEC    | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3JK     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3JL     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3JX     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.3T      | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    | 12.3TPC    | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3VA     | Vulnerable; contact TAC              |               |
    |------------+--------------------------------------+---------------|
    | 12.3XA     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XB     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XC     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XD     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XE     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XF     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XG     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XI     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XJ     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XK     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XL     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XQ     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XR     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XS     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XU     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XW     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XX     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XY     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3XZ     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3YA     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3YD     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3YF     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3YG     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3YH     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3YI     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3YJ     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    |            | Releases prior to 12.3(11)YK3 are    | 12.4(22)T1    |
    |            | vulnerable, release 12.3(11)YK3 and  |               |
    | 12.3YK     | later are not vulnerable; first      | 12.4(15)T9;   |
    |            | fixed in 12.4T                       | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    | 12.3YM     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.3YQ     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.3YS     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.3YT     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.3YU     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    | 12.3YX     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3YZ     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.3ZA     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | Affected   |                                      | Recommended   |
    | 12.4-Based | First Fixed Release                  | Release       |
    | Releases   |                                      |               |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(18e)     |
    |            | 12.4(18e)                            |               |
    | 12.4       |                                      | 12.4(23a);    |
    |            | 12.4(23a); Available on 30-APR-2009  | Available on  |
    |            |                                      | 30-APR-2009   |
    |------------+--------------------------------------+---------------|
    | 12.4JA     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4JDA    | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4JK     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4JL     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4JMA    | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4JMB    | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4JX     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4MD     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4MR     | 12.4(16)MR                           | 12.4(19)MR2   |
    |------------+--------------------------------------+---------------|
    | 12.4SW     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    |            | 12.4(15)T7                           | 12.4(22)T1    |
    |            |                                      |               |
    | 12.4T      | 12.4(20)T                            | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            | 12.4(15)T9; Available on 29-APR-2009 | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.4XA     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.4XB     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.4XC     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    |            | 12.4(4)XD12; Available on            | 12.4(4)XD12;  |
    | 12.4XD     | 27-MAR-2009                          | Available on  |
    |            |                                      | 27-MAR-2009   |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.4XE     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    | 12.4XF     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4XG     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.4XJ     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    | 12.4XK     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4XL     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4XM     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4XN     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4XP     | Vulnerable; contact TAC              |               |
    |------------+--------------------------------------+---------------|
    | 12.4XQ     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4XR     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    |            |                                      | 12.4(22)T1    |
    |            |                                      |               |
    | 12.4XT     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
    |            |                                      | Available on  |
    |            |                                      | 29-APR-2009   |
    |------------+--------------------------------------+---------------|
    | 12.4XV     | Vulnerable; contact TAC              |               |
    |------------+--------------------------------------+---------------|
    | 12.4XW     | 12.4(11)XW10                         | 12.4(11)XW10  |
    |------------+--------------------------------------+---------------|
    | 12.4XY     | 12.4(15)XY4                          | 12.4(22)T1    |
    |------------+--------------------------------------+---------------|
    | 12.4XZ     | 12.4(15)XZ1                          | 12.4(15)XZ2   |
    |------------+--------------------------------------+---------------|
    | 12.4YA     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4YB     | Not Vulnerable                       |               |
    |------------+--------------------------------------+---------------|
    | 12.4YD     | Not Vulnerable                       |               |
    +-------------------------------------------------------------------+
    
    Workarounds
    ===========
    
    There are no workarounds for the vulnerabilities described in this
    advisory.
    
    Obtaining Fixed Software
    ========================
    
    Cisco has released free software updates that address these
    vulnerabilities. Prior to deploying software, customers should
    consult their maintenance provider or check the software for feature
    set compatibility and known issues specific to their environment.
    
    Customers may only install and expect support for the feature sets
    they have purchased. By installing, downloading, accessing or
    otherwise using such software upgrades, customers agree to be bound
    by the terms of Cisco's software license terms found at 
    http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
    or as otherwise set forth at Cisco.com Downloads at 
    http://www.cisco.com/public/sw-center/sw-usingswc.shtml
    
    Do not contact psirt@cisco.com or security-alert@cisco.com for
    software upgrades.
    
    Customers with Service Contracts
    +-------------------------------
    
    Customers with contracts should obtain upgraded software through
    their regular update channels. For most customers, this means that
    upgrades should be obtained through the Software Center on Cisco's
    worldwide website at http://www.cisco.com
    
    Customers using Third Party Support Organizations
    +------------------------------------------------
    
    Customers whose Cisco products are provided or maintained through
    prior or existing agreements with third-party support organizations,
    such as Cisco Partners, authorized resellers, or service providers
    should contact that support organization for guidance and assistance
    with the appropriate course of action in regards to this advisory.
    
    The effectiveness of any workaround or fix is dependent on specific
    customer situations, such as product mix, network topology, traffic
    behavior, and organizational mission. Due to the variety of affected
    products and releases, customers should consult with their service
    provider or support organization to ensure any applied workaround or
    fix is the most appropriate for use in the intended network before it
    is deployed.
    
    Customers without Service Contracts
    +----------------------------------
    
    Customers who purchase direct from Cisco but do not hold a Cisco
    service contract, and customers who purchase through third-party
    vendors but are unsuccessful in obtaining fixed software through
    their point of sale should acquire upgrades by contacting the Cisco
    Technical Assistance Center (TAC). TAC contacts are as follows.
    
      * +1 800 553 2447 (toll free from within North America)
      * +1 408 526 7209 (toll call from anywhere in the world)
      * e-mail: tac@cisco.com
    
    Customers should have their product serial number available and be
    prepared to give the URL of this notice as evidence of entitlement to
    a free upgrade. Free upgrades for non-contract customers must be
    requested through the TAC.
    
    Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
    for additional TAC contact information, including localized telephone
    numbers, and instructions and e-mail addresses for use in various
    languages.
    
    Exploitation and Public Announcements
    =====================================
    
    The Cisco PSIRT is not aware of any public announcements or malicious
    use of the vulnerabilities described in this advisory.
    
    These vulnerabilities were discovered when handling customer support
    calls.
    
    Status of this Notice: FINAL
    ============================
    
    THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
    KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
    MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
    INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
    AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
    DOCUMENT AT ANY TIME.
    
    A stand-alone copy or paraphrase of the text of this document that
    omits the distribution URL in the following section is an
    uncontrolled copy, and may lack important information or contain
    factual errors.
    
    Distribution
    ============
    
    This advisory is posted on Cisco's worldwide website at:
    
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
    
    In addition to worldwide web posting, a text version of this notice
    is clear-signed with the Cisco PSIRT PGP key and is posted to the
    following e-mail and Usenet news recipients.
    
      * cust-security-announce@cisco.com
      * first-teams@first.org
      * bugtraq@securityfocus.com
      * vulnwatch@vulnwatch.org
      * cisco@spot.colorado.edu
      * cisco-nsp@puck.nether.net
      * full-disclosure@lists.grok.org.uk
      * comp.dcom.sys.cisco@newsgate.cisco.com
    
    Future updates of this advisory, if any, will be placed on Cisco's
    worldwide website, but may or may not be actively announced on
    mailing lists or newsgroups. Users concerned about this problem are
    encouraged to check the above URL for any updates.
    
    Revision History
    ================
    
    +---------------------------------------+
    | Revision |               | Initial    |
    | 1.0      | 2009-March-25 | public     |
    |          |               | release.   |
    +---------------------------------------+
    
    Cisco Security Procedures
    =========================
    
    Complete information on reporting security vulnerabilities in Cisco
    products, obtaining assistance with security incidents, and
    registering to receive security information from Cisco, is available
    on Cisco's worldwide website at 
    http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
    This includes instructions for press inquiries regarding Cisco 
    security notices. All Cisco security advisories are available at 
    http://www.cisco.com/go/psirt
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.8 (Darwin)
    
    iEYEARECAAYFAknKUdcACgkQ86n/Gc8U/uALXwCgmcIGTSzRIHpHRbVVmMNqPFT4
    +CIAn27HdwwpkhVDgEIWTMsIX6NE4BgR
    =+f8D
    -----END PGP SIGNATURE-----
    
    
    
    

    --- End Message ---
