FYI. Mark.
---------- Forwarded Message ---------- Subject: Cisco Security Response: Cisco IOS GRE decapsulation vulnerability Date: Thursday 07 September 2006 04:00 From: Cisco Systems Product Security Incident Response Team <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Response: Cisco IOS GRE decapsulation vulnerability =============================================================== ====== Response ID: cisco-sr-20060906-gre.shtml http://www.cisco.com/warp/public/707/cisco-sr-20060906-gre.shtml Revision 1.0 ============ For Public Release 2006 September 06 2300 UTC (GMT) +--------------------------------------------------------------- ----- Contents ======== Cisco Response Additional Information Revision History Cisco Security Procedures +--------------------------------------------------------------- ----- Cisco Response ============== This is a Cisco response to an advisory published by FX of Phenoelit posted as of September 06, 2006 at http://www.securityfocus.com/archive/1/445322/30/0/threaded, and entitled "Cisco Systems IOS GRE decapsulation fault". This issue is being tracked by the following Cisco bug IDs: * CSCuk27655 -- GRE: make implementation RFC 2784 and RFC 2890 compliant * CSCea22552 -- GRE: implementation of Reserved0 field not RFC2784 compliant * CSCei62762 -- GRE: IP GRE Tunnel with Routing Present Bit not dropped We would like to thank FX from Phenoelit for reporting this issue to Cisco. We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports. Additional Information ====================== Generic Routing Encapsulation (GRE) is a generic packet encapsulation protocol. GRE is documented in RFC1701 and RFC2784. Vulnerable Products +------------------ * Cisco IOS 12.0, 12.1 and 12.2 based trains * All devices running affected versions of Cisco IOS software and configured with GRE IP or GRE IP multipoint tunnels. Products not affected by this vulnerability +------------------------------------------ * Cisco IOS 12.3 and 12.4. * Cisco IOS 12.0S release train, with a revision later than 12.0(23)S, with CEF enabled (Default behaviour) In RFC1701, the GRE Header field (described in RFC2784 as Reserved0) contains a number of flag bits which RFC2784 deprecates. In particular, the Routing Present and Strict Source Route bits along with Routing Information fields have been deprecated. All versions of Cisco IOS software that support RFC2784 will not be affected by this vulnerability, as any packet where any of the bits 1-5 are non-zero will be discarded. Cisco IOS versions that contain ANY of the following three fixes are RFC2784 compliant and are not affected by this vulnerability: * CSCuk27655 -- GRE: make implementation RFC 2784 and RFC 2890 compliant * CSCea22552 -- GRE: implementation of Reserved0 field not RFC2784 compliant * CSCei62762 -- GRE: IP GRE Tunnel with Routing Present Bit not dropped Vulnerability Impact Overview +---------------------------- Upon receiving a specially crafted GRE packet, depending on the data within a specific packet memory location, the GRE code will decapsulate a packet using the contents of referenced memory buffers. With "debug tunnel" enabled, output similar as shown below will be produced: GRE decapsulated IP 0.3.74.0->0.0.1.30 (len=65407, ttl=39) GRE decapsulated IP 176.94.8.0->0.0.0.0 (len=64904, ttl=0) GRE decapsulated IP 0.15.31.193->176.94.8.0 (len=64894, ttl=237) GRE decapsulated IP 128.42.131.220->128.0.3.74 (len=64884, ttl=128) Only if the referenced memory buffers data decapsulates to a valid IPv4 packet, will this packet be forwarded. Invalid IPv4 packets will be dropped at the router. This potentially could be used to bypass ACLs on the router. Workarounds and Mitigations =========================== The following workaround is applicable to 12.0S based trains only: * Cisco Express Forwarding (CEF) If running Cisco IOS 12.0S release train, with a revision later than 12.0(23)S, with CEF enabled will mitigate this vulnerability. CEF is enabled by default for 12.0S releases. To check the status of CEF on the router issue the CLI command "sh ip cef" or "sh ip cef interface". Refer to: http://www.ciscosystems.ro/univercd/cc/td/doc/product/ software/ios122/122cgcr/fswtch_c/swprt1/xcfcefc.htm for further information on CEF. The following mitigations may be applied to vulnerable Cisco IOS versions: * Anti-spoofing mechanisms of the tunnel source and destination end points. Refer to: http://www.cisco.com/warp/public/707/21.html#sec_ip and http://www.ietf.org/rfc/rfc2827.txt for further further information on deploying anti-spoofing mechanisms. * Encrypt the GRE tunnel with IPSec: Refer to: http://www.cisco.com/univercd/cc/td/doc/product/ software/ios123/123tcr/123tir/int_t1gt.htm#wp1161892 for further information. THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. Revision History ================ +-----------------------------------------------------------+ | Revision 1.0 | 2006-September-06 | Initial public release | +-----------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerabil ity_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (SunOS) iD8DBQFE/3PL8NUAbBmDaxQRArOHAKCFaAwM4yWiw4xGXbfE2adwf0m8nQCeJi+6 7hEEEtfbzPOzVa7btUCXXLM= =qYim -----END PGP SIGNATURE----- -------------------------------------------------------
pgp6BT7bhI24B.pgp
Description: PGP signature
_______________________________________________ LUG mailing list [email protected] http://kym.net/mailman/listinfo/lug %LUG is generously hosted by INFOCOM http://www.infocom.co.ug/ The above comments and data are owned by whoever posted them (including attachments if any). The List's Host is not responsible for them in any way. ---------------------------------------
