That is why the world should use Linksys. On Wed, Mar 4, 2009 at 11:30 AM, Cisco Systems Product Security Incident Response Team <ps...@cisco.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Cisco Security Advisory: Cisco 7600 Series Router Session Border > Controller Denial of Service Vulnerability > > Document ID: 109483 > > Advisory ID: cisco-sa-20090304-sbc > > http://www.cisco.com/warp/public/707/cisco-sa-20090304-sbc.shtml > > Revision 1.0 > > For Public Release 2009 March 4 1600 UTC (GMT) > > - --------------------------------------------------------------------- > > Summary > ======= > > A denial of service (DoS) vulnerability exists in the Cisco Session > Border Controller (SBC) for the Cisco 7600 series routers. Cisco has > released free software updates that address this vulnerability. > Workarounds that mitigate this vulnerability are available. > > This advisory is posted at > http://www.cisco.com/warp/public/707/cisco-sa-20090304-sbc.shtml > > Affected Products > ================= > > Vulnerable Products > +------------------ > > All Cisco ACE-based SBC modules running software versions prior to > 3.0(2) are affected. > > To determine the version of the Cisco SBC software running on a > system, log in to the device and issue the show version command to > display the system banner. > > card_A/Admin# show version > system image file: [LCP] disk0:c76-sbck9-mzg.3.0.1_AS3_0_00.bin > <output truncated> > > > Cisco SBC software version 3.0.1 is running in the device used in > this example. > > Products Confirmed Not Vulnerable > +-------------------------------- > > The Cisco XR 12000 Series SBC is not vulnerable. Additionally, the > Cisco ACE Module, Cisco ACE 4710 Application Control Engine, Cisco > ACE XML Gateway, Cisco ACE Web Application Firewall, and the Cisco > ACE GSS (Global Site Selector) 4400 Series are not affected by this > vulnerability. No other Cisco products are currently known to be > affected by this vulnerability. > > Details > ======= > > The Session Border Controller (SBC) enables direct IP-to-IP > interconnect between multiple administrative domains for > session-based services providing protocol interworking, security, and > admission control and management. The SBC is a multimedia device that > sits on the border of a network and controls call admission to that > network. A vulnerability exists in the Cisco SBC where an > unauthenticated attacker may cause the Cisco SBC card to reload by > sending crafted TCP packets over port 2000. Repeated exploitation > could result in a sustained DoS condition. > > Note: Only the Cisco SBC module reloads after successful > exploitation. The Cisco 7600 series router does not reload and it is > not affected by this vulnerability. > > Note: TCP port 2000 is typically used by Skinny Call Control Protocol > (SCCP) applications. However, the Cisco SBC module uses TCP port 2000 > for high availability (redundancy) communication, but does not use > the SCCP for this purpose. > > This vulnerability is documented in Cisco Bug IDs CSCsq18958 ( > registered customers only) ; and has been assigned the Common > Vulnerability and Exposures (CVE) IDs CVE-2009-0619. > > Vulnerability Scoring Details > ============================= > > Cisco has provided scores for the vulnerability in this advisory > based on the Common Vulnerability Scoring System (CVSS). The CVSS > scoring in this Security Advisory is done in accordance with CVSS > version 2.0. > > CVSS is a standards-based scoring method that conveys vulnerability > severity and helps determine urgency and priority of response. > > Cisco has provided a base and temporal score. Customers can then > compute environmental scores to assist in determining the impact of > the vulnerability in individual networks. > > Cisco has provided an FAQ to answer additional questions regarding > CVSS at > > http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html > > Cisco has also provided a CVSS calculator to help compute the > environmental impact for individual networks at > > http://intellishield.cisco.com/security/alertmanager/cvss > > CVSS Base Score - 7.8 > > Access Vector - Network > Access Complexity - Low > Authentication - None > Confidentiality Impact - None > Integrity Impact - None > Availability Impact - Complete > > CVSS Temporal Score - 6.4 > > Exploitability - Functional > Remediation Level - Official-Fix > Report Confidence - Confirmed > > Impact > ====== > > Successful exploitation of the vulnerability may cause a reload of > the affected device. Repeated exploitation could result in a > sustained DoS condition. > > Software Versions and Fixes > =========================== > > This vulnerability has been corrected in Cisco SBC software release > 3.0(2). > > Cisco SBC software can be downloaded from: > > http://www.cisco.com/pcgi-bin/tablebuild.pl/sbc-7600-crypto > > When considering software upgrades, also consult > http://www.cisco.com/go/psirt and any subsequent advisories to > determine exposure and a complete upgrade solution. > > In all cases, customers should exercise caution to be certain the > devices to be upgraded contain sufficient memory and that current > hardware and software configurations will continue to be supported > properly by the new release. If the information is not clear, contact > the Cisco Technical Assistance Center (TAC) or your contracted > maintenance provider for assistance. > > Workarounds > =========== > > As a workaround, configure an access control list (ACL) in the > signaling / media VLAN on the Route Processor (RP). The following > examples show how VLAN 140 is configured as the signaling / media > VLAN. A separate VLAN (VLAN 77) is configured as Fault Tolerance > (FT). An ACL is added to the signaling/media VLAN on the RP filtering > all TCP port 2000 packets to the alias IP address. > > Cisco SBC configuration > > interface vlan 140 > ip address 10.140.1.90 255.255.255.0 > alias 10.140.1.100 255.255.255.0 > peer ip address 10.140.1.8 255.255.255.0 > ! > ft interface vlan 77 > ip address 192.168.1.1 255.255.255.0 > peer ip address 192.168.1. 255.255.255.0 > > > RP Configuration > > !- ACL blocking all TCP port 2000 traffic to the 10.140.1.0 internal > network > ! > access-list 100 deny tcp any host 10.140.1.100 eq 2000 > access-list 100 permit ip any any > ! > interface Vlan140 > ip address 10.140.1.1 255.255.255.0 > !- ACL is applied to the VLAN interface to egress traffic > ip access-group 100 out > ! > > The alias command under VLAN 140 is configured with an IP address > that floats between active and standby modules when using high > availability. Only TCP port 2000 traffic destined to this IP address > may trigger this vulnerability. An access control list (ACL) is > configured to deny TCP port 2000 destined to the alias IP address > (10.140.1.100). The ACL is applied egress in the RP. > > Note: TCP port 2000 is used by Skinny Call Control Protocol (SCCP) > applications; however, in this case it is used by the SBC for > internal communications. The previous ACL only blocks TCP port 2000 > traffic to the alias IP address. TCP port 2000 is not used by the > alias IP address. This ACL should not cause any collateral damage. > > Additional mitigations that can be deployed on Cisco devices within > the network are available in the Cisco Applied Intelligence companion > document for this Advisory: > > http://www.cisco.com/warp/public/707/cisco-amb-20090304-sbc.shtml > > Obtaining Fixed Software > ======================== > > Cisco has released free software updates that address this > vulnerability. Prior to deploying software, customers should consult > their maintenance provider or check the software for feature set > compatibility and known issues specific to their environment. > > Customers may only install and expect support for the feature sets > they have purchased. By installing, downloading, accessing or > otherwise using such software upgrades, customers agree to be bound > by the terms of Cisco's software license terms found at > > http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html > or as otherwise set forth at Cisco.com Downloads at > http://www.cisco.com/public/sw-center/sw-usingswc.shtml > > Do not contact ps...@cisco.com or security-al...@cisco.com for > software upgrades. > > Customers with Service Contracts > +------------------------------- > > Customers with contracts should obtain upgraded software through > their regular update channels. For most customers, this means that > upgrades should be obtained through the Software Center on Cisco's > worldwide website at http://www.cisco.com. > > Customers using Third Party Support Organizations > +------------------------------------------------ > > Customers whose Cisco products are provided or maintained through > prior or existing agreements with third-party support organizations, > such as Cisco Partners, authorized resellers, or service providers > should contact that support organization for guidance and assistance > with the appropriate course of action in regards to this advisory. > > The effectiveness of any workaround or fix is dependent on specific > customer situations, such as product mix, network topology, traffic > behavior, and organizational mission. Due to the variety of affected > products and releases, customers should consult with their service > provider or support organization to ensure any applied workaround or > fix is the most appropriate for use in the intended network before it > is deployed. > > Customers without Service Contracts > +---------------------------------- > > Customers who purchase direct from Cisco but do not hold a Cisco > service contract, and customers who purchase through third-party > vendors but are unsuccessful in obtaining fixed software through > their point of sale should acquire upgrades by contacting the Cisco > Technical Assistance Center (TAC). TAC contacts are as follows. > > * +1 800 553 2447 (toll free from within North America) > * +1 408 526 7209 (toll call from anywhere in the world) > * e-mail: t...@cisco.com > > Customers should have their product serial number available and be > prepared to give the URL of this notice as evidence of entitlement to > a free upgrade. Free upgrades for non-contract customers must be > requested through the TAC. > > Refer to > http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html > for additional TAC contact information, including localized telephone > numbers, and instructions and e-mail addresses for use in various > languages. > > Exploitation and Public Announcements > ===================================== > > The Cisco PSIRT is not aware of any public announcements or malicious > use of the vulnerability described in this advisory. > > This vulnerability was found during internal testing. > > Status of this Notice: FINAL > ============================ > > THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY > KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF > MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE > INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS > AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS > DOCUMENT AT ANY TIME. > > A stand-alone copy or Paraphrase of the text of this document that > omits the distribution URL in the following section is an > uncontrolled copy, and may lack important information or contain > factual errors. > > Distribution > ============ > > This advisory is posted on Cisco's worldwide website at : > > http://www.cisco.com/warp/public/707/cisco-sa-20090304-sbc.shtml > > In addition to worldwide web posting, a text version of this notice > is clear-signed with the Cisco PSIRT PGP key and is posted to the > following e-mail and Usenet news recipients. > > * cust-security-annou...@cisco.com > * first-bullet...@lists.first.org > * bugt...@securityfocus.com > * vulnwa...@vulnwatch.org > * ci...@spot.colorado.edu > * cisco-...@puck.nether.net > * full-disclosure@lists.grok.org.uk > * comp.dcom.sys.ci...@newsgate.cisco.com > > Future updates of this advisory, if any, will be placed on Cisco's > worldwide website, but may or may not be actively announced on > mailing lists or newsgroups. Users concerned about this problem are > encouraged to check the above URL for any updates. > > Revision History > ================ > > +---------------------------------------+ > | Revision | | Initial | > | 1.0 | 2009-March-04 | public | > | | | release | > +---------------------------------------+ > > Cisco Security Procedures > ========================= > > Complete information on reporting security vulnerabilities in Cisco > products, obtaining assistance with security incidents, and > registering to receive security information from Cisco, is available > on Cisco's worldwide website at > > http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html > This includes instructions for press inquiries regarding Cisco > security notices. All Cisco security advisories are available at > http://www.cisco.com/go/psirt > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.8 (Darwin) > > iEYEARECAAYFAkmurgEACgkQ86n/Gc8U/uBrwwCfbQxCcSz4S4X3UpH4Mccg0Df1 > KMoAn11BqKmRhw5mUuJOl3D/RrVxVrc7 > =m2di > -----END PGP SIGNATURE----- > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/