-----BEGIN PGP SIGNED MESSAGE-----
- --------------------------------------------------------------------------
--------
UNIRAS (UK Govt CERT) Briefing Notice - 23/02 dated 30.01.02 Time: 09:32
UNIRAS is part of NISCC(National Infrastructure Security Co-ordination
Centre)
- --------------------------------------------------------------------------
--------
UNIRAS material is also available from its website at www.uniras.gov.uk
and
Information about NISCC is available from www.niscc.gov.uk
- --------------------------------------------------------------------------
--------
Title
=====
Cisco CatOS Telnet Buffer Vulnerability
Detail
======
- -----BEGIN PGP SIGNED MESSAGE-----
Cisco Security Advisory: Cisco CatOS Telnet Buffer Vulnerability
================================================================
Revision 1.0
For Public Release 2002 January 29 at 1500 UTC
- - ------------------------------------------------------------------------
-------
Summary
- - -------
Some Cisco Catalyst switches, running certain CatOS based software releases,
have a vulnerability wherein a buffer overflow in the telnet option handling
can cause the telnet daemon to crash and result in a switch reload. This
vulnerability can be exploited to initiate a denial of service (DoS) attack.
This vulnerability is documented as Cisco bug ID CSCdw19195. There are
workarounds available to mitigate the vulnerability.
This advisory will be posted at http://www.cisco.com/warp/public/707/
catos-telrcv-vuln-pub.shtml .
Affected Products
- - -----------------
Cisco's various Catalyst family of switches run CatOS-based releases or
IOS-based releases. IOS-based releases are not vulnerable.
The following Cisco Catalyst Switches are vulnerable :
* Catalyst 6000 series
* Catalyst 5000 series
* Catalyst 4000 series
* Catalyst 2948G
* Catalyst 2900
For the switches above, the following CatOS based switch software revisions
are
vulnerable.
+---------------------------------------------------------------------------
--+
| | Release 4 | Release 5 | Release 6 | Release 7
|
| | code base | code base | code base | code base
|
|---------------+---------------+---------------+--------------+------------
--|
| Catalyst 6000 | Not | earlier than | earlier than | earlier
than |
| series | Applicable | 5.5(13) | 6.3(4) | 7.1(2)
|
|---------------+---------------+---------------+--------------+------------
--|
| Catalyst 5000 | earlier than | earlier than | earlier than | Not
|
| series | 4.5(13a) | 5.5(13) | 6.3(4) | Applicable
|
|---------------+---------------+---------------+--------------+------------
--|
| Catalyst 4000 | All releases | earlier than | earlier than | earlier
than |
| series | | 5.5(13) | 6.3(4) | 7.1(2)
|
+---------------------------------------------------------------------------
--+
To determine your software revision, type show version at the command line
prompt.
Not Affected Products
- - ---------------------
The following Cisco Catalyst Switches are not vulnerable :
* Catalyst 8500 series
* Catalyst 4800 series
* Catalyst 4200 series
* Catalyst 3900 series
* Catalyst 3550 series
* Catalyst 3500 XL series
* Catalyst 4840G
* Catalyst 4908G-l3
* Catalyst 2948G-l3
* Catalyst 2950
* Catalyst 2900 XL
* Catalyst 2900 LRE XL
* Catalyst 2820
* Catalyst 1900
No other Cisco product is currently known to be affected by this
vulnerability.
Details
- - -------
Some Cisco Catalyst switches, running certain CatOS-based software releases,
have a vulnerability wherein a buffer overflow in the telnet option handling
can cause the telnet daemon to crash and result in a switch reload. This
vulnerability can be exploited to initiate a denial of service (DoS) attack.
Once the switch has reloaded, it is still vulnerable and the attack can be
repeated as long as the switch is IP reachable on port 23 and has not been
upgraded to a fixed version of CatOS switch software.
This vulnerability is documented as Cisco bug ID CSCdw19195, which requires
a
CCO account to view and can be viewed after 2002 January 30 at 1500 UTC.
Impact
- - ------
This vulnerability can be exploited to produce a denial of service (DoS)
attack. When the vulnerability is exploited it can cause the Cisco Catalyst
switch to crash and reload.
Software Versions and Fixes
- - ---------------------------
This vulnerability has been fixed in the following switch software revisions
and the fix will be carried forward in all future releases.
+---------------------------------------------------------------------------
----+
| | Release 4 | Release 5 | Release 6 | Release
7 |
| | code base | code base | code base | code
base |
|---------------+---------------+---------------+---------------+-----------
----|
| Catalyst 6000 | Not | 5.5(13) and | 6.3(4) and | 7.1(2)
and |
| series | Applicable | later | later | later
|
|---------------+---------------+---------------+---------------+-----------
----|
| Catalyst 5000 | 4.5(13a) | 5.5(13) and | 6.3(4) and | Not
|
| series | | later | later |
Applicable |
|---------------+---------------+---------------+---------------+-----------
----|
| Catalyst 4000 | Not Available | 5.5(13) and | 6.3(4) and | 7.1(2)
and |
| series | | later | later | later
|
+---------------------------------------------------------------------------
----+
All previous releases must upgrade to the above releases. CatOS switch
software
release 4.5(13a) for the Catalyst 5000 series is expected on CCO by 2002
February 4. CatOS switch software release 7.1(2) is expected on CCO by 2002
February 4.
Software upgrade can be performed via the console interface. Please refer to
software release notes for instructions.
Obtaining Fixed Software
- - ------------------------
Cisco is offering free software upgrades to remedy this vulnerability for
all
affected customers. Customers with service contracts may upgrade to any
software release containing the feature sets they have purchased.
Customers with contracts should obtain upgraded software through their
regular
update channels. For most customers, this means that upgrades should be
obtained through the Software Center on Cisco's Worldwide Web site at
http://
www.cisco.com .
Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with the upgrade, which should be free
of
charge.
Customers who purchased directly from Cisco but who do not hold a Cisco
service
contract, and customers who purchase through third party vendors but are
unsuccessful at obtaining fixed software through their point of sale, should
get their upgrades by contacting the Cisco Technical Assistance Center
(TAC).
TAC contacts are as follows:
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: [EMAIL PROTECTED]
See http://www.cisco.com/warp/public/687/Directory.shtml for additional TAC
contact information, including instructions and e-mail addresses for use in
various languages.
Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades for
non
contract customers must be requested through the TAC.
Please do not contact either "[EMAIL PROTECTED]" or "[EMAIL PROTECTED]"
for software upgrades.
Workarounds
- - -----------
The following workarounds can be implemented.
* If ssh is available in the code base use ssh instead of Telnet and
disable
Telnet.
For instructions how to do this please refer http://www.cisco.com/warp/
public/707/ssh_cat_switches.html
* Apply Access Control Lists (ACLs) on routers / switches / firewalls in
front of the vulnerable switches such that traffic destined for the
Telnet
port 23 on the vulnerable switches is only allowed from the network
management subnets.
For an example see http://www.cisco.com/univercd/cc/td/doc/product/lan/
cat6000/sw_5_4/msfc/acc_list.htm
Exploitation and Public Announcements
- - -------------------------------------
This vulnerability has been exploited to initiate Denial of Service (DoS)
attacks.
This vulnerability was reported by TESO and is detailed at
http://www.cert.org/
advisories/CA-2001-21.html
Status of This Notice: Final
- - ----------------------------
This is a final notice. Although Cisco cannot guarantee the accuracy of all
statements in this notice, all of the facts have been checked to the best of
our ability. Cisco does not anticipate issuing updated versions of this
notice
unless there is some material change in the facts. Should there be a
significant change in the facts, Cisco may update this notice.
A standalone copy or paraphrase of the text of this security advisory that
omits the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
- - ------------
This notice will be posted on Cisco's Worldwide Web site at http://
www.cisco.com/warp/public/707/catos-telrcv-vuln-pub.shtml .
In addition to Worldwide Web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail
and Usenet news recipients:
* [EMAIL PROTECTED]
* [EMAIL PROTECTED]
* [EMAIL PROTECTED]
* [EMAIL PROTECTED] (includes CERT/CC)
* [EMAIL PROTECTED]
* [EMAIL PROTECTED]
* comp.dcom.sys.cisco
* Various internal Cisco mailing lists
Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web
server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.
Revision History
- - ----------------
+---------------------------------------------------------------------------
--+
| Revision 1.0 | 2002-Jan-29 | For Public Release 2002 January 29 at 1500
UTC |
+---------------------------------------------------------------------------
--+
Cisco Security Procedures
- - -------------------------
Complete information on reporting security vulnerabilities in Cisco
products,
obtaining assistance with security incidents, and registering to receive
security information from Cisco, is available on Cisco's Worldwide Web site
at
http://www.cisco.com/go/psirt . This includes instructions for press
inquiries
regarding Cisco security notices.
- - ------------------------------------------------------------------------
-------
This notice is copyright 2002 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including
all
date and version information.
- - ------------------------------------------------------------------------
-------
- -----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Signed by Sharad Ahlawat, Cisco Systems PSIRT
iQEVAwUBPFa4iw/VLJ+budTTAQGkywf9GkyUO77MFWJHqhGR+ZtNpk63NAzK4ath
TGE/GyRJlht4YXvP4sTuKgRmsBkefXRoFttN0T8G1HytxTfFP75THbh5kk2kRFYo
R4qcxM6QExs1FbJwx42MOjmD5Cyds8pdZ8ZSGdVTDe96k/0D+BNiN1oe672x1hkM
6Nrt1wnyRzKj7ZfF7NRnlN7DsR4gAPIIP0yLiP2KLJheqDnZNThANng97i9YP1Mz
gve9jAwZtiKij6mv0LDG/Jkk/NUl5VijxfuoRFM4ZvAEn8hFYDLnvPJUVb+CvKpt
3AJ3/J+MBS8EAKTM98sGr5ywp7/cQfXWZsoJAYgHbGtEs3Qy6xbK+w==
=1bxQ
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------
--------
For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:
[EMAIL PROTECTED]
Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686
- --------------------------------------------------------------------------
--------
UNIRAS wishes to acknowledge the contributions of CISCO Systems PSIRT for
the
information contained in this briefing.
- --------------------------------------------------------------------------
--------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the
vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical
site
to ensure that you receive the most current information concerning that
problem.
Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.
Neither UNIRAS or NISCC shall also accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they
shall
not be liable for any loss or damage whatsoever, arising from or in
connection
with the usage of information contained within this notice.
UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to
prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- --------------------------------------------------------------------------
--------
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use
iQCVAwUBPFe984pao72zK539AQF8JwP+IG957P0OLRBlKuCUx6K+YViGLHtYn+EI
h/iKR/RT4YVH0tck+jBPtkit88Qn+cXD5QDm5TeqPP3P/8FyYJZW6z6sqdPXRQbf
JJSQFt8XJBdVLAu1GsS1SFiF47p91G8FK1RVX68GIxCJy90jx1qbyddq1gqXU5lp
RvdoDN+TSE0=
=Mwes
-----END PGP SIGNATURE-----
IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=33682&t=33682
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
