[Full-Disclosure] Cisco Security Advisory: ACNS Denial of Service and Default Admin Password Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: ACNS Denial of Service and Default Admin Password Vulnerabilities

Revision 1.0

For Public Release 2005 February 24 1600 UTC (GMT)

Contents
========

Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

Summary
=======

Devices running Cisco Application and Content Networking System (ACNS) software may be vulnerable to Denial of Service (DoS) attacks and may contain a default password for the administrative account. Devices running ACNS software may be vulnerable to the DoS attacks while configured as a transparent proxy server, forward proxy server, or reverse proxy server.

Cisco has made free software available to address the DoS vulnerabilities for all affected customers. The administrative account default password does not require a software upgrade and can be changed by a configuration command for all affected customers. There are workarounds available to mitigate the effects of two of the vulnerabilities.

The vulnerabilities are documented as the following Cisco Bug IDs:

  * CSCef27476
  * CSCef30460
  * CSCeg49648
  * CSCeg23731
  * CSCef30743

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050224-acnsdos.shtml.
Affected Products
=================

Vulnerable Products
-------------------

  +-------------+--------------------------------+
  | DDTS Bug ID | Vulnerable ACNS Versions       |
  +-------------+--------------------------------+
  | CSCef27476  | 5.0 prior to release 5.0.17.6  |
  |             | 5.1 prior to release 5.1.11.6  |
  +-------------+--------------------------------+
  | CSCef30460  | All 4.X releases               |
  |             | All 5.0 releases               |
  |             | 5.1 prior to release 5.1.11.6  |
  +-------------+--------------------------------+
  | CSCeg49648  | All 5.1 releases               |
  +-------------+--------------------------------+
  | CSCeg23731  | All 5.0 releases               |
  |             | 5.1 prior to release 5.1.13.7  |
  |             | 5.2 prior to release 5.2.3.9   |
  +-------------+--------------------------------+
  | CSCef30743  | All 4.X releases               |
  |             | All 5.0 releases               |
  |             | All 5.1 releases               |
  |             | All 5.2 releases               |
  +-------------+--------------------------------+

The hardware models that support ACNS are:

  * Cisco 500 Series Content Engines
  * Cisco 7300 Series Content Engines
  * Cisco Content Routers 4400 series
  * Cisco Content Distribution Manager 4600 series
  * Cisco Content Engine Module for Cisco 2600, 2800, 3600, 3700, and 3800 series Integrated Service Routers

To determine the ACNS software running on a supported device, log in to the device and issue the show version command to display the system banner. Cisco ACNS Software will identify itself as Application and Content Networking System Software (ACNS). Below the copyright information the ACNS release and build information is displayed. The following example identifies a Cisco device running ACNS software release 5.1.5.2:

  Application and Content Networking System Software (ACNS)
  Copyright 1999-2003 by Cisco Systems, Inc.
  Application and Content Networking System Software Release 5.1.5 (build b2 Mar 30 2004)

To match the release and build information from the device with the software release information in this advisory and available on CCO, append the build code to the release and replace the lowercase 'b' with a dot (example: 5.1.5b2 becomes 5.1.5.2).

Products Confirmed Not Vulnerable
---------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

ACNS software provides web application acceleration and caching services.
Cisco ACNS software combines the technologies of demand-pull caching, pre-positioning, and live and on-demand streaming to accelerate delivery of web applications, object files, live events, and video. Bandwidth-intensive content objects, such as Java applets, Flash animations, Shockwave programs, and other file formats can be managed and scheduled for distribution to Content Engines during off-peak hours. Cisco ACNS software may be vulnerable to four DoS attacks and may contain a default password for the administrative account. Devices running ACNS software may be vulnerable to the DoS attacks while configured
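The release-matching rule in the Affected Products section (append the build code, turn the 'b' into a dot, then compare against the per-bug table) is easy to get wrong by hand when checking a fleet of Content Engines, so here it is as an added Python example. This is not Cisco's code; the banner text and the version thresholds are copied from the advisory above, the classification logic and the sample banner used for the demonstration are this example's own.

```python
"""Normalise an ACNS 'show version' banner into the advisory's dotted form
and look the result up in the per-bug affected-version table.

Added example, not Cisco's code.  Banner format and thresholds come from
the advisory; everything else is this script's own reading of the table.
"""
import re

# Normalisation described in the advisory:
# "Release 5.1.5 (build b2 ...)" -> "5.1.5b2" -> "5.1.5.2"
_BANNER_RE = re.compile(
    r"Software Release (?P<rel>\d+(?:\.\d+)+)\s*\(build b(?P<build>\d+)")


def normalise_banner(banner: str) -> str:
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("no ACNS release/build line found in banner")
    return f"{m.group('rel')}.{m.group('build')}"


def ver(s: str) -> tuple:
    """'5.1.11.6' -> (5, 1, 11, 6); tuple comparison orders releases."""
    return tuple(int(x) for x in s.split("."))


# Affected-version table from the advisory.  Each row is
# (train prefix, first fixed release or None).  None means the table lists
# every release of that train as vulnerable with no fixed build.
AFFECTED = {
    "CSCef27476": [("5.0", "5.0.17.6"), ("5.1", "5.1.11.6")],
    "CSCef30460": [("4", None), ("5.0", None), ("5.1", "5.1.11.6")],
    "CSCeg49648": [("5.1", None)],
    "CSCeg23731": [("5.0", None), ("5.1", "5.1.13.7"), ("5.2", "5.2.3.9")],
    "CSCef30743": [("4", None), ("5.0", None), ("5.1", None), ("5.2", None)],
}


def in_train(release: str, train: str) -> bool:
    # "4" covers any 4.X release; "5.1" covers 5.1.*
    return release == train or release.startswith(train + ".")


def affected_bugs(release: str) -> list:
    """Bug IDs whose table row covers this normalised release."""
    hits = []
    for bug, rows in AFFECTED.items():
        for train, fixed in rows:
            if not in_train(release, train):
                continue
            if fixed is None or ver(release) < ver(fixed):
                hits.append(bug)
                break
    return hits


# The banner quoted in the advisory.
SAMPLE_BANNER = """\
Application and Content Networking System Software (ACNS)
Copyright 1999-2003 by Cisco Systems, Inc.
Application and Content Networking System Software Release 5.1.5 (build b2 Mar 30 2004)
"""

if __name__ == "__main__":
    rel = normalise_banner(SAMPLE_BANNER)
    print(rel, affected_bugs(rel))
```

Note that the table only says which releases are listed as vulnerable; a release that clears every threshold still needs the default administrative password changed, since that fix is a configuration change rather than a software version.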
[Full-Disclosure] Cisco Security Advisory: Default SNMP Community Strings in Cisco IP/VC Products
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Default SNMP Community Strings in Cisco IP/VC Products

Revision 1.0

For Public Release 2005 February 02 16:00 UTC (GMT)

Summary
=======

Hard-coded Simple Network Management Protocol (SNMP) community strings are present in Cisco IP/VC Videoconferencing System models 3510, 3520, 3525 and 3530. Any user who has access to the vulnerable devices and knows the community strings can obtain total control of the device.

Cisco strongly recommends that all users deploy the mitigation measures outlined in the Workarounds section.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20050202-ipvc.shtml.

Affected Products
=================

Vulnerable Products
-------------------

The following products are known to be vulnerable:

  * Cisco IPVC-3510-MCU
  * Cisco IPVC-3520-GW-2B
  * Cisco IPVC-3520-GW-4B
  * Cisco IPVC-3520-GW-2V
  * Cisco IPVC-3520-GW-4V
  * Cisco IPVC-3520-GW-2B2V
  * Cisco IPVC-3525-GW-1P
  * Cisco IPVC-3530-VTA

Products Confirmed Not Vulnerable
---------------------------------

The following products are known not to be vulnerable:

  * Cisco IPVC-3511-MCU
  * Cisco IPVC-3511-MCU-E
  * Cisco IPVC-3521-GW-4B
  * Cisco IPVC-3526-GW-1P
  * Cisco IPVC-3540-EMP
  * Cisco IPVC-3540-EMP3
  * Cisco IPVC-3540-MCU03A
  * Cisco IPVC-3540-MCU06A
  * Cisco IPVC-3540-MCU10A
  * Cisco IPVC-3540-GW2P
  * Cisco IPVC-3540-GW4S

No other Cisco products are currently known to be affected by this vulnerability. In particular, video-enabled Cisco IP video telephones are not affected.

Details
=======

Affected products contain hard-coded SNMP community strings. SNMP is used for managing and monitoring an IP/VC device, and community strings are the equivalent of a password. All models listed as affected are vulnerable regardless of the software release they are running.

There is no Cisco bug ID associated with this issue.

Impact
======

A user with knowledge of the community strings can gain full control of the device.
Such a user can, among other things, create new services, terminate or affect existing sessions, and redirect traffic to a different destination.

Software Versions and Fixes
===========================

Cisco will not provide fixed software for this vulnerability. Customers are strongly advised to deploy the mitigation measures described in the Workarounds section.

Obtaining Fixed Software
========================

There is no fixed software for this issue. All customers are strongly advised to deploy the mitigation measures. Additionally, customers who are considering replacing the affected models can contact their Cisco sales representative.

If you need assistance with the implementation of the workarounds, or have questions on the workarounds, please contact the Cisco Technical Assistance Center (TAC).

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: [EMAIL PROTECTED]

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Workarounds
===========

The only mitigation for this vulnerability is to disable SNMP traffic at the switch port that is connected to the affected device. If that cannot be done, the SNMP traffic to the IP/VC device should be blocked at the nearest possible point. In order for the mitigation to be successful, all possible paths to the device must be protected. This can be done by blocking traffic on UDP (User Datagram Protocol) ports 161 and 162.
Port 161 is used for inbound/outbound read/write SNMP access and port 162 is used for outbound SNMP traps. Blocking these ports disables all configuration of, and traps to/from, the device. When configuration changes are required on the affected IP/VC device, access to ports 161 and 162 from the trusted hosts should be temporarily enabled and the IPVC Configuration Utility used; the block should be restored once the change is complete.

The effectiveness of any workaround is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround is the most appropriate for use in the intended network before it is deployed.

Exploitation and Public Announcements
=====================================
[Full-Disclosure] Cisco Security Advisory: Multiple Crafted IPv6 Packets Cause Reload
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Crafted IPv6 Packets Cause Reload

Revision 1.0

For Public Release 2005 January 26 1600 UTC (GMT)

Contents
========

Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

Summary
=======

Cisco Internetwork Operating System (IOS) Software is vulnerable to a Denial of Service (DoS) attack from crafted IPv6 packets when the device has been configured to process IPv6 traffic. This vulnerability requires multiple crafted packets to be sent to the device, which may result in a reload upon successful exploitation.

Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects.

This issue is tracked by CERT/CC VU#472582.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml.

Affected Products
=================

Vulnerable Products
-------------------

Only Cisco devices running IOS and configured for IPv6 are affected. A router will display all IPv6-enabled interfaces with the show ipv6 interface command. Empty output or an error message will be displayed if IPv6 is disabled or unsupported on the system; in this case the system is not vulnerable. Sample output of the show ipv6 interface command is shown below for a system configured for IPv6.
  Router#show ipv6 interface
  Serial1/0 is up, line protocol is up
    IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:D200
    Global unicast address(es):
      2001:1:33::3, subnet is 2001:1:33::/64 [TENTATIVE]
    Joined group address(es):
      FF02::1
      FF02::1:FF00:3
      FF02::1:FF00:D200
    MTU is 1500 bytes
    ICMP error messages limited to one every 100 milliseconds
    ICMP redirects are enabled
    ND DAD is enabled, number of DAD attempts: 1
    ND reachable time is 3 milliseconds
  Router#

A router that has IPv6 enabled on a physical or logical interface is vulnerable to this issue even if ipv6 unicast-routing is globally disabled. The show ipv6 interface command can be used to determine whether IPv6 is enabled on any interface.

Products Confirmed Not Vulnerable
---------------------------------

  * Products that are not running Cisco IOS are not affected.
  * Products running any version of Cisco IOS that do not have IPv6-configured interfaces are not vulnerable.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

IPv6 is the Internet Protocol Version 6, designed by the Internet Engineering Task Force (IETF) to replace the current version of the Internet Protocol, IP Version 4 (IPv4).

A vulnerability exists in the processing of IPv6 packets that can be exploited to cause the reload of a system. Crafted packets received on logical interfaces (that is, tunnels, including 6to4 tunnels) as well as physical interfaces can trigger this vulnerability. Multiple crafted IPv6 packets need to be sent to exploit this vulnerability. Such crafted packets can be sent remotely.

This issue is documented in Cisco bug ID CSCed40933 (registered customers only).

Impact
======

Successful exploitation of this vulnerability results in a reload of the device. Repeated exploitation could result in a sustained DoS attack.
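The exposure test above is "does any interface show IPv6 as enabled", deliberately ignoring the global ipv6 unicast-routing setting. The following added Python example applies that test to captured show ipv6 interface output. It is not Cisco's code: the first sample is the output quoted in the advisory, and the second sample (an image that rejects the command with an "% Invalid input" marker, the form the MPLS advisory below shows for an unsupported command) is constructed for the example.

```python
"""Decide from 'show ipv6 interface' output whether a router has IPv6 enabled
on any interface, which is the advisory's affected/not-affected test.

Added example, not Cisco's code.  The first sample is from the advisory; the
second is constructed to show the 'error message' case the advisory calls
not vulnerable.
"""
import re

_HEADER_RE = re.compile(
    r"^(?P<ifname>\S+) is (?P<link>up|down|administratively down),"
    r" line protocol is (?P<proto>up|down)\s*$")
_ENABLED_RE = re.compile(r"^\s+IPv6 is enabled, link-local address is (?P<ll>\S+)")
_GLOBAL_RE = re.compile(r"^\s+(?P<addr>[0-9A-Fa-f:]+), subnet is (?P<subnet>\S+)")


def parse_ipv6_interfaces(output: str) -> dict:
    """Map each IPv6-enabled interface to its link-local and global addresses.

    Interfaces without an 'IPv6 is enabled' line are not included; an error
    banner ('% Invalid input ...') or empty output yields an empty dict."""
    result = {}
    current = None
    for line in output.splitlines():
        if line.startswith("Router#"):          # echoed prompt / command line
            continue
        m = _HEADER_RE.match(line)
        if m:
            current = m.group("ifname")
            continue
        if current is None:
            continue
        m = _ENABLED_RE.match(line)
        if m:
            result[current] = {"link_local": m.group("ll"), "global": []}
            continue
        m = _GLOBAL_RE.match(line)
        if m and current in result:
            result[current]["global"].append(m.group("addr"))
    return result


def ipv6_enabled_anywhere(output: str) -> bool:
    """True when at least one interface is IPv6-enabled.  The global
    'ipv6 unicast-routing' setting is not consulted: per the advisory a
    device is affected with it disabled."""
    return bool(parse_ipv6_interfaces(output))


# Sample output from the advisory.
ADVISORY_SAMPLE = """\
Router#show ipv6 interface
Serial1/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:D200
  Global unicast address(es):
    2001:1:33::3, subnet is 2001:1:33::/64 [TENTATIVE]
  Joined group address(es):
    FF02::1
    FF02::1:FF00:3
    FF02::1:FF00:D200
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 3 milliseconds
Router#
"""

# Constructed: an image that does not support the command at all.
NO_IPV6_SAMPLE = """\
Router#show ipv6 interface
                ^
% Invalid input detected at '^' marker.
Router#
"""

if __name__ == "__main__":
    print(parse_ipv6_interfaces(ADVISORY_SAMPLE))
    print(ipv6_enabled_anywhere(ADVISORY_SAMPLE), ipv6_enabled_anywhere(NO_IPV6_SAMPLE))
```

The parser keys on the "IPv6 is enabled" line rather than on the presence of a global address, because a tunnel or physical interface with only a link-local address is still IPv6-enabled and, per the advisory, still exposed.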
Software Versions and Fixes
===========================

  +------------+-----------------------------------------------------------+
  | Major      | Availability of Repaired Releases                         |
  | Release    |                                                           |
  +------------+-----------------+---------------+-------------------------+
  | Affected   |                 |               |                         |
  | 12.0-Based | Rebuild         | Interim       | Maintenance             |
  | Release    |                 |               |                         |
  +------------+-----------------+---------------+-------------------------+
  |            | 12.0(23)S and   |               |                         |
  |            | before are not  |               |                         |
  |            | vulnerable.     |               |                         |
  |            +-----------------+---------------+-------------------------+
  |            | 12.0(24)S6      |               |                         |
  |            +-----------------+---------------+-------------------------+
  | 12.0S      | 12.0(25)S3      |               |                         |
  |            +-----------------+---------------+-------------------------+
  |            | 12.0(26)S2      |               |                         |
  |            +-----------------+---------------+-------------------------+
  |            | 12.0(27)S1      |               |                         |
  |            +-----------------+---------------+-------------------------+
  |            |                 |               | 12.0(28)S               |
[Full-Disclosure] Cisco Security Advisory: Crafted Packet Causes Reload on Cisco Routers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Crafted Packet Causes Reload on Cisco Routers

Revision 1.0

For Public Release 2005 January 26 1600 (GMT)

Contents
========

Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

Summary
=======

Cisco routers running Internetwork Operating System (IOS) software that supports Multi Protocol Label Switching (MPLS) are vulnerable to a Denial of Service (DoS) attack on MPLS-disabled interfaces. A system that supports MPLS is vulnerable even if that system is not configured for MPLS. The vulnerability is only present in Cisco IOS release trains based on 12.1T, 12.2, 12.2T, 12.3 and 12.3T. Releases based on 12.1 mainline, 12.1E and all releases prior to 12.1 are not vulnerable.

Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects.

This issue is tracked by CERT/CC VU#583638.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml.

Affected Products
=================

Vulnerable Products
-------------------

Only the following products, running a vulnerable version of IOS that supports MPLS, are affected.

  * 2600 and 2800 series routers
  * 3600, 3700 and 3800 series routers
  * 4500 and 4700 series routers
  * 5300, 5350 and 5400 series Access Servers

Products that are not listed above are not affected.

MPLS is not supported in IP and IP Plus feature sets. Therefore, products running an IOS version with an IP or IP Plus feature set are not vulnerable.

An attack can only be launched at systems that are not configured for MPLS Traffic Engineering, and only on the interfaces where MPLS is not enabled. MPLS-enabled interfaces can be determined by the show mpls interfaces command. An unaffected system where MPLS is not supported will give output similar to the following.
  Router#show mpls interfaces
                ^
  % Invalid input detected at '^' marker.

  Router#

MPLS can be enabled in different ways on a router. In the output below, a router is shown that has MPLS enabled for IP on interface Ethernet0/0.

  Router#show mpls interfaces
  Interface              IP            Tunnel   Operational
  Ethernet0/0            Yes (tdp)     No       Yes
  Router#

When MPLS for IP is enabled on an interface, the router is immune to attacks coming from that interface but vulnerable to attacks coming from other interfaces. Enabling MPLS for IP on all interfaces of the router will make the router immune to attacks coming from any interface. An interface that has MPLS for IP enabled will have the mpls ip or tag-switching ip command in the interface configuration.

MPLS Traffic Engineering (TE) provides better protection against this vulnerability. If MPLS TE is enabled globally, the router will be immune to attacks coming from any interface. A router that has MPLS TE enabled will have the mpls traffic-eng tunnels command in the show running-config output.

Products Confirmed Not Vulnerable
---------------------------------

  * Products that are not running Cisco IOS are not vulnerable.
  * Products running Cisco IOS versions 12.0 and earlier and 12.1 mainline are not vulnerable.
  * Products that are not mentioned in the Affected Products section are not vulnerable (including but not limited to Cisco 7200, 7500, 12000 series and Catalyst systems).

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Multi Protocol Label Switching (MPLS) is a vendor-independent protocol that integrates layer-2 (as defined in the Open System Interconnection Reference Model) information into layer-3. More information on MPLS can be found at http://www.cisco.com/warp/public/732/Tech/mpls.

A vulnerability exists in the processing of an MPLS packet that is received on an interface where MPLS is disabled. A router that is configured for MPLS Traffic Engineering is immune to attacks coming from any interface.
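The protection rules above (global MPLS TE covers every interface; otherwise only interfaces with MPLS for IP enabled are covered, and every other interface is an entry point for a crafted packet) are straightforward to turn into an audit of a router's own state. The added Python example below does that from show mpls interfaces output and the running configuration. It is not Cisco's code: the single-interface show mpls interfaces output is modelled on the advisory's, and the three-interface running configuration is constructed for the example.

```python
"""Classify a router's exposure to the MPLS-disabled-interface issue from
'show mpls interfaces' output plus the running configuration.

Added example, not Cisco's code.  Decision rules are those the advisory
states: 'mpls traffic-eng tunnels' protects every interface; otherwise each
interface with MPLS for IP enabled is protected and the rest are exposed.
Sample data is constructed (the show output follows the advisory's).
"""
import re

_INTF_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>Yes(?: \(\w+\))?|No)\s+"
    r"(?P<tunnel>Yes|No)\s+(?P<oper>Yes|No)\s*$")


def parse_mpls_interfaces(output: str) -> dict:
    """Interfaces listed by 'show mpls interfaces' -> whether MPLS for IP
    is enabled on them ('Yes (tdp)' / 'Yes (ldp)' count as enabled)."""
    enabled = {}
    for line in output.splitlines():
        m = _INTF_LINE.match(line)
        if m:
            enabled[m.group("name")] = m.group("ip").startswith("Yes")
    return enabled


def config_interfaces(running_config: str) -> list:
    """All interface stanzas in the running config, in order."""
    return re.findall(r"^interface (\S+)", running_config, re.MULTILINE)


def mpls_te_global(running_config: str) -> bool:
    return re.search(r"^mpls traffic-eng tunnels\s*$", running_config,
                     re.MULTILINE) is not None


def exposed_interfaces(show_mpls: str, running_config: str) -> list:
    """Interfaces from which a crafted packet can reach the vulnerable code
    path.  An empty list means the configuration already protects the box."""
    if mpls_te_global(running_config):
        return []
    protected = {n for n, on in parse_mpls_interfaces(show_mpls).items() if on}
    return [i for i in config_interfaces(running_config) if i not in protected]


# --- constructed sample data ---------------------------------------------
SHOW_MPLS = """\
Router#show mpls interfaces
Interface              IP            Tunnel   Operational
Ethernet0/0            Yes (tdp)     No       Yes
Router#
"""

RUNNING_CONFIG = """\
!
interface Ethernet0/0
 ip address 192.0.2.1 255.255.255.0
 mpls ip
!
interface Ethernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface Serial1/0
 ip address 203.0.113.1 255.255.255.252
!
"""

if __name__ == "__main__":
    print(exposed_interfaces(SHOW_MPLS, RUNNING_CONFIG))
    print(exposed_interfaces(SHOW_MPLS, "mpls traffic-eng tunnels\n" + RUNNING_CONFIG))
```

Because the advisory says the crafted packet can only be sent from the local segment, the list returned is also the list of segments whose neighbours must be trusted until the fixed image is installed.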
A Cisco device receiving a crafted packet on an MPLS-disabled interface will reset and may take several minutes to become fully functional. This vulnerability may be exploited repeatedly, resulting in an extended DoS attack.

This issue is documented in bug IDs CSCeb56909 (registered customers only) and CSCec86420 (registered customers only).

Such crafted packets can only be sent from the local network segment.

Impact
======

Successful exploitation of this vulnerability could result in a reload of the device. Repeated exploitation could result in a sustained DoS attack.

Software Versions and Fixes
===========================
[Full-Disclosure] Cisco Security Advisory: Cisco IOS Misformed BGP Packet Causes Reload
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Misformed BGP Packet Causes Reload

Revision 1.0

For Public Release 2005 January 26 1600 UTC (GMT)

Contents
========

Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

Summary
=======

A Cisco device running IOS® and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. Only devices with the command bgp log-neighbor-changes configured are vulnerable.

The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet.

Cisco has made free software available to address this problem.

This issue is tracked by CERT/CC VU#689326.

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml.

Affected Products
=================

Vulnerable Products
-------------------

This vulnerability is present in any unfixed version of Cisco IOS, from the beginning of support for the BGP protocol, including versions 9.x, 10.x, 11.x and 12.x. This issue affects all Cisco devices configured for BGP routing and running the bgp log-neighbor-changes command, which is on by default starting with releases 12.0(22)S, 12.0(11)ST, 12.1(10)E, 12.1(10) and later software.

A router which is running the BGP process will have both a line in the configuration defining the AS number and the command bgp log-neighbor-changes, which can be seen by issuing the command show running-config:

  router bgp <AS number>
   bgp log-neighbor-changes

To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner.
Cisco IOS software will identify itself as Internetwork Operating System Software or simply IOS®. On the next line of output, the image name will be displayed between parentheses, followed by Version and the IOS release name. Other Cisco devices will not have the show version command or will give different output.

The following example identifies a Cisco product running IOS release 12.0(3) with an installed image name of C2500-IS-L:

  Cisco Internetwork Operating System Software
  IOS (TM) 2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE

The release train label is 12.0.

The next example shows a product running IOS release 12.0(2a)T1 with an image name of C2600-JS-MZ:

  Cisco Internetwork Operating System Software
  IOS (tm) C2600 Software (C2600-JS-MZ), Version 12.0(2a)T1, RELEASE SOFTWARE (fc1)

Additional information about Cisco IOS release naming can be found at http://www.cisco.com/warp/public/620/1.html.

Products Confirmed Not Vulnerable
---------------------------------

Products confirmed not to be vulnerable include devices that do not run Cisco IOS, such as the Cisco Guard, products that cannot participate in BGP, and products that cannot be configured for BGP. No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The Border Gateway Protocol (BGP) is a routing protocol defined by RFC 1771 and designed to manage IP routing in large networks.

An affected Cisco device running a vulnerable version of Cisco IOS software with the BGP protocol enabled will reload if a malformed BGP packet is already queued on the interface when a BGP neighbor change is logged. The device is not vulnerable unless the command 'bgp log-neighbor-changes' is configured. Malformed packets may not come from malicious sources; a valid peering device, such as another BGP-speaking router which produces the specific malformed packet in error, may trigger this behavior.
BGP runs over the Transmission Control Protocol (TCP), a reliable transport protocol which requires a valid three-way handshake before any further messages will be accepted. The Cisco IOS implementation of BGP requires the explicit definition of a neighbor before a connection can be established, and traffic must appear to come from that neighbor. These implementation details make it very difficult to maliciously send a BGP packet to a Cisco IOS device from an unauthorized source.

This bug may also be triggered by other means which are not considered remotely exploitable. The use of the commands 'show ip bgp neighbors' or 'debug ip bgp neighbor updates' can cause a router to reload if the router has previously queued a malformed packet. If there are no queued malformed packets, issuing
[Full-Disclosure] Cisco Security Advisory: Vulnerability in Cisco IOS Embedded Call Processing Solutions
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Vulnerability in Cisco IOS Embedded Call Processing Solutions

Revision 1.0

For Public Release 2005 January 19 1500 UTC

Contents
========

Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

Summary
=======

Cisco Internetwork Operating System (IOS®) Software release trains 12.1YD, 12.2T, 12.3 and 12.3T, when configured for the Cisco IOS Telephony Service (ITS), Cisco CallManager Express (CME) or Survivable Remote Site Telephony (SRST), may contain a vulnerability in processing certain malformed control protocol messages. A successful exploitation of this vulnerability may cause a reload of the device and could be exploited repeatedly to produce a Denial of Service (DoS).

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20050119-itscme.shtml

Cisco has made free software upgrades available to address this vulnerability for all affected customers. There are workarounds available to mitigate the effects of the vulnerability.

This vulnerability is documented by Cisco bug ID CSCee08584.

Affected Products
=================

Vulnerable Products
-------------------

This issue affects all Cisco devices running any unfixed version of Cisco IOS code that supports, and is configured for, ITS, CME or SRST.

A Cisco device running ITS or CME will have the following line in the configuration:

  telephony-service

A Cisco device running SRST will have the following line in the configuration:

  call-manager-fallback

To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS Software will identify itself as Internetwork Operating System Software or simply IOS.
On the next line of output, the image name will be displayed between parentheses, followed by Version and the IOS release name. Other Cisco devices will not have the show version command or will give different output.

The following example identifies a Cisco product running IOS release 12.0(3) with an installed image name of C2500-IS-L:

  Cisco Internetwork Operating System Software
  IOS (TM) 2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE

The release train label is 12.0.

The next example shows a product running IOS release 12.3(6) with an image name of C2600-JS-MZ:

  Cisco Internetwork Operating System Software
  IOS (tm) C2600 Software (C2600-JS-MZ), Version 12.3(6), RELEASE SOFTWARE (fc1)

Additional information about Cisco IOS release naming can be found at http://www.cisco.com/warp/public/620/1.html.

Products Confirmed Not Vulnerable
---------------------------------

ITS, CME and SRST are IOS-only features. Devices that do not run IOS are not vulnerable.

Details
=======

More information about Cisco's IOS Telephony Service (ITS) and Cisco CallManager Express (CME) can be found here: http://www.cisco.com/en/US/products/sw/voicesw/ps4625/index.html

More information on Cisco's Survivable Remote Site Telephony (SRST) can be found here: http://www.cisco.com/en/US/products/sw/voicesw/ps2169/index.html

ITS, CME and SRST are features that allow a Cisco device running IOS to control IP Phones using the Skinny Call Control Protocol (SCCP). SCCP is the Cisco CallManager native signaling protocol. Certain malformed packets sent to the SCCP port on an IOS device configured for ITS, CME or SRST may cause the target device to reload.

This issue is documented in Cisco bug ID CSCee08584.

The following commands can be used to determine if ITS or CME are running.
A device that does not have ITS or CME enabled will display:

  Router#show telephony-service
  telephony-service is not enabled

A device that has ITS or CME enabled will show something similar to:

  Router#show telephony-service
  CONFIG (Version=3.0)
  =====================
  Cisco CallManager Express
  ip source-address 192.168.1.1 port 2000
  max-ephones 2
  max-dn 2
  max-conferences 8
  max-redirect 5
  time-format 12
  date-format mm-dd-yy
  keepalive 30
  timeout interdigit 10
  timeout busy 10
  timeout ringing 180
  edit DN through Web:  disabled.
  edit TIME through web:  disabled.
  Log (table parameters):
[Full-Disclosure] Cisco Security Advisory: Crafted Timed Attack Evades Cisco Security Agent Protections
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Crafted Timed Attack Evades Cisco Security Agent Protections

Document ID: 63326

Revision 1.0: FINAL

For Public Release 2004 November 11 1600 UTC (GMT)

Contents
========

Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

Summary
=======

Cisco Security Agent (CSA) provides threat protection for server and desktop computing systems, also known as endpoints. It identifies and prevents malicious behavior, thereby eliminating known and unknown security risks.

A vulnerability exists in which a properly timed buffer overflow attack may evade the protections offered by CSA. The system under attack must contain an unpatched underlying vulnerability in system software that CSA is configured to protect. Another prerequisite for the attack is that a user must be interactively logged in during the attack.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-2004-csa.shtml

Cisco is making patches available for CSA version 4.0 free of charge to correct the problem.

Affected Products
=================

The following products are affected:

  * Cisco Security Agent versions up to and excluding 4.0.3 build 728
  * Cisco Security Agent 3.x versions
  * Okena Stormwatch 3.x versions

Determining the Version of the CSA client
-----------------------------------------

To determine which version of CSA is running on client machines, right-click on the CSA icon in the task bar. On the pop-up menu, selecting About... will display the version number of the agent.
Determining the Version on the CSA Management Console
-----------------------------------------------------

To determine which version of CSA you are running, log on to the Management Console for Cisco Security Agent on your CiscoWorks server:

  http://ciscoworks-hostname:1741/

Select the Security Agents tab under

  * VPN/Security Management Solution
    + Management Center
      o Security Agents

This will launch the Management Center for Cisco Security Agents. Within the browser window, locate the tab in the center marked Help and click on the sub-item labeled About. The version of the Cisco Security Agents should show up in a pop-up window containing text similar to:

  Management Center for Cisco Security Agents V4.0-1 build 540

Details
=======

CSA versions prior to 4.0.3.728 contain a vulnerability in the buffer overflow handling code allowing for the evasion of the protections offered by CSA. The evasion is timing dependent: the second of two closely spaced overflow attacks is not processed by CSA.

In a vulnerable release a buffer overflow will trigger the Overflow heuristic, generating a query to the user. This query has a countdown timer of 5 minutes, after which the default action of Terminate is taken in the event that the user does not make a selection. A second or subsequent buffer overflow attack that is received during this countdown period will not be trapped by CSA. The result is that a sequence of two buffer overflow attacks in quick succession can result in the second bypassing CSA protection. If the attack is targeted at a vulnerable unpatched system process, privileged access may result.

Agents prior to 4.0.3.728 are not affected if a user is not logged in or if the hidden GUI option is in effect. Under these circumstances the agent knows that there is no user to respond to a query message. Because of this, the agent immediately takes the default action to terminate the process, thus preventing the opportunity to evade the protection provided by CSA.

This has been documented in Cisco Bug ID CSCef96160.
Impact
======

The integrity of the system which CSA is protecting may be compromised via privileged access, which may be gained if patches for underlying system software vulnerabilities have not been applied.

Software Versions and Fixes
===========================

Environments in which CSA is being used should ensure that they are running version 4.0.3.728 or later with a minimum of the default desktop or default server policy enabled.

Obtaining Fixed Software
========================

Customers with Service Contracts
--------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com/.

Customers using Third-party Support
-----------------------------------
[Full-Disclosure] Cisco Security Advisory: Cisco IOS DHCP Blocked Interface Denial-of-Service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS DHCP Blocked Interface Denial-of-Service

Revision 1.0

For Public Release 2004 November 10 1700 UTC (GMT)

Contents
========

Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

Summary
=======

Cisco IOS devices running branches of Cisco IOS version 12.2S that have the Dynamic Host Configuration Protocol (DHCP) server or relay agent enabled, even if not configured, are vulnerable to a denial of service where the input queue becomes blocked when receiving specifically crafted DHCP packets.

Cisco is providing free fixed software to address this issue. There are also workarounds to mitigate this vulnerability.

This issue was introduced by the fix included in CSCdx46180 and is being tracked by Cisco Bug ID CSCee50294 (registered customers only).

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20041110-dhcp.shtml.

Affected Products
=================

This vulnerability was introduced by the fix for CSCdx46180, and was integrated in Cisco IOS 12.2(14)SZ and 12.2(18)S. The following Cisco products running Cisco IOS version 12.2(14)SZ, or a variant of Cisco IOS 12.2(18)S (as listed in the following section) and higher, are affected by this vulnerability.
* Cisco 7200, 7300, 7500 platforms
* Cisco 2650, 2651, 2650XM, 2651XM Multiservice platform
* Cisco ONS15530, ONS15540
* Cisco Catalyst 4000, Sup2plus, Sup3, Sup4 and Sup5 modules
* Cisco Catalyst 4500, Sup2Plus TS
* Cisco Catalyst 4948, 2970, 3560, and 3750
* Cisco Catalyst 6000, Sup2/MSFC2 and Sup720/MSFC3
* Cisco 7600 Sup2/MSFC2 and Sup720/MSFC3

Vulnerable Products
-------------------
This issue affects only Cisco devices running affected Cisco IOS versions 12.2(18)EW, 12.2(18)EWA, 12.2(14)SZ, 12.2(18)S, 12.2(18)SE, 12.2(18)SV, 12.2(18)SW and higher that do not have the configuration command "no service dhcp". It is not necessary for the DHCP server or relay agent to be configured in order for this vulnerability to be present and exploited; "service dhcp" is enabled by default in IOS and is the only setting necessary (in addition to interface addresses) for exploitation of this vulnerability. This includes routers as well as switches and line cards which run Cisco IOS software. Cisco devices which do not run Cisco IOS software are not affected. Cisco devices running affected Cisco IOS software with the command "no service dhcp" enabled are not affected.

To determine the software running on a Cisco product, log in to the device and issue the "show version" command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS". On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the "show version" command or will give different output.

The following example identifies a Cisco product running IOS release 12.0(3) with an installed image name of C2500-IS-L:

    Cisco Internetwork Operating System Software
    IOS (TM) 2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE

The release train label is 12.0.
The next example shows a product running Cisco IOS release 12.0(2a)T1 with an image name of C2600-JS-MZ:

    Cisco Internetwork Operating System Software
    IOS (tm) C2600 Software (C2600-JS-MZ), Version 12.0(2a)T1, RELEASE SOFTWARE (fc1)

Additional information about Cisco IOS release naming can be found at http://www.cisco.com/warp/public/620/1.html.

Products Confirmed Not Vulnerable
---------------------------------
Cisco devices running affected Cisco IOS software with the command "no service dhcp" enabled are not affected. Cisco products that run any versions of IOS not listed in the Software Versions and Fixes table below are not affected. Cisco products that do not run Cisco IOS software and are not affected by this vulnerability include, but are not limited to:

* 700 series dialup routers (750, 760, and 770 series) are not affected.
* WAN switching products such as the IGX, BPX and MGX lines are not affected.
* No host-based software is affected.
* The Cisco PIX Firewall is not affected.
* The Cisco LocalDirector is not affected.
* The Cisco Content Engine and ACNS are not affected.
* The Catalyst 2901/2902, 2948G, 2980G, 4000, 5000, and 6000 switches running CatOS.
* Cisco Network Registrar is not affected.
* Cisco VPN 3000 series is not affected.
* Cisco IOS-XR
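The advisory's identification procedure (parse the "show version" banner, then compare release train, maintenance number and the "service dhcp" setting against the affected list) lends itself to an inventory check. The following Go program is an added example, not Cisco's code: it parses the two banner formats quoted above plus a constructed banner for a hypothetical 12.2(18)S device, and classifies the device for this advisory. The minimum maintenance numbers come from the "Vulnerable Products" list; because the fixed-release table is not part of this excerpt, a device at or above the listed release is reported as "affected" even if it might run a later fixed build, so treat the result as a candidate list for manual confirmation.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample banners. The first two are the advisory's own
// "show version" examples; the third is a hypothetical device on a
// release the advisory lists as affected.
const (
	bannerA = "Cisco Internetwork Operating System Software\nIOS (TM) 2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE"
	bannerB = "Cisco Internetwork Operating System Software\nIOS (tm) C2600 Software (C2600-JS-MZ), Version 12.0(2a)T1, RELEASE SOFTWARE (fc1)"
	bannerC = "Cisco Internetwork Operating System Software\nIOS (tm) 7200 Software (C7200-JS-MZ), Version 12.2(18)S, RELEASE SOFTWARE (fc1)"
)

// IOSVersion holds the fields the advisory tells you to read off the banner.
type IOSVersion struct {
	Image                     string
	Major, Minor, Maintenance int
	Train                     string // letters after the maintenance number, e.g. "S", "SE", "T"
}

// Image name in parentheses, then "Version major.minor(maint[letter])TRAIN".
var versionRe = regexp.MustCompile(`Software \(([^)]+)\), Version (\d+)\.(\d+)\((\d+)[a-z]?\)([A-Z]*)`)

// affectedFirst gives, for each 12.2 train named in the advisory, the first
// maintenance release that carries the CSCdx46180 change (12.2(14)SZ, 12.2(18)S
// and its variants).
var affectedFirst = map[string]int{"EW": 18, "EWA": 18, "SZ": 14, "S": 18, "SE": 18, "SV": 18, "SW": 18}

// ParseShowVersion extracts image and release from a "show version" banner.
// Devices that are not running IOS produce no match and return false.
func ParseShowVersion(banner string) (IOSVersion, bool) {
	m := versionRe.FindStringSubmatch(banner)
	if m == nil {
		return IOSVersion{}, false
	}
	major, _ := strconv.Atoi(m[2])
	minor, _ := strconv.Atoi(m[3])
	maint, _ := strconv.Atoi(m[4])
	return IOSVersion{Image: m[1], Major: major, Minor: minor, Maintenance: maint, Train: m[5]}, true
}

// DHCPExposure classifies one device for CSCee50294 from its banner and its
// running configuration: "unrecognized-banner", "unaffected-release",
// "mitigated" (the "no service dhcp" workaround is present) or "affected".
func DHCPExposure(banner, runningConfig string) string {
	v, ok := ParseShowVersion(banner)
	if !ok {
		return "unrecognized-banner"
	}
	first, listed := affectedFirst[v.Train]
	if v.Major != 12 || v.Minor != 2 || !listed || v.Maintenance < first {
		return "unaffected-release"
	}
	for _, line := range strings.Split(runningConfig, "\n") {
		if strings.TrimSpace(line) == "no service dhcp" {
			return "mitigated"
		}
	}
	return "affected"
}

func main() {
	// Constructed configuration fragments for the three sample devices.
	for name, dev := range map[string][2]string{
		"A": {bannerA, "hostname r1\nservice dhcp\n"},
		"B": {bannerB, "hostname r2\n"},
		"C": {bannerC, "hostname r3\nno service dhcp\n"},
	} {
		v, _ := ParseShowVersion(dev[0])
		fmt.Printf("%s image=%s %d.%d(%d)%s -> %s\n", name, v.Image, v.Major, v.Minor, v.Maintenance, v.Train, DHCPExposure(dev[0], dev[1]))
	}
}
```

The regular expression deliberately tolerates the rebuild letter inside the parentheses (the "a" in 12.0(2a)) and ignores anything after the train letters (the "1" in T1), because the advisory keys the affected range on train and maintenance number only.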
[Full-Disclosure] Cisco Security Advisory: Vulnerability in Cisco Secure Access Control Server EAP-TLS Authentication
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Vulnerability in Cisco Secure Access Control Server EAP-TLS Authentication
Revision 1.0
For Public Release 2004 November 2 1500 UTC (GMT)

Contents: Summary, Affected Products, Details, Impact, Software Versions and Fixes, Obtaining Fixed Software, Workarounds, Exploitation and Public Announcements, Status of This Notice: FINAL, Distribution, Revision History, Cisco Security Procedures

Summary
=======
A Cisco Secure Access Control Server (ACS) that is configured to use Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) to authenticate users to the network will allow access to any user that uses a cryptographically correct certificate as long as the user name is valid. Cryptographically correct means that the certificate is in the appropriate format and contains valid fields. The certificate can be expired, or come from an untrusted Certificate Authority (CA), and still be cryptographically correct.

Only version 3.3.1 of the Cisco Secure ACS for Windows and Cisco Secure ACS Solution Engine is affected by this vulnerability. Cisco has made free software available to address this problem.

This vulnerability has no effect, that is, user authentication is not impacted, if EAP-TLS is configured in the Cisco Secure ACS with binary comparison of user certificates as the only comparison method and if the user entry in Lightweight Directory Access Protocol/Active Directory (LDAP/AD) contains only valid certificates.

No exploitations of this vulnerability have been reported.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20041102-acs-eap-tls.shtml.

Affected Products
=================
Vulnerable Products
-------------------
Only version 3.3.1 of the Cisco Secure ACS for Windows and Cisco Secure ACS Solution Engine is affected by the vulnerability described in this document. To determine your Cisco Secure ACS software version you can log into the Cisco Secure ACS.
The first screen that is presented after a successful login will show the version number in the following format: "CiscoSecure ACS Release 3.3(1) Build 16". ACS versions may also be displayed as 003.003(001.16), where 16 is the build number referenced on the ACS Administration Graphical User Interface (GUI).

Products Confirmed Not Vulnerable
---------------------------------
Cisco Secure ACS for Unix and versions of Cisco Secure ACS for Windows and Cisco Secure ACS Solution Engine prior to, and later than, 3.3.1 are not affected by this vulnerability. Version 3.3.1 is the first version in the 3.3.x series and version 3.3.2 is the first one that is not affected by this vulnerability. No other Cisco products are currently known to be affected by this vulnerability.

Details
=======
Cisco Secure Access Control Server provides centralized authentication, authorization, and accounting (AAA) services to network devices that function as AAA clients, such as network access servers, PIX firewalls, routers and switches. With Cisco Secure ACS, network administrators can quickly administer accounts and globally change levels of service offerings for entire groups of users.

EAP is a general protocol for authentication that supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, public key authentication and smart cards. TLS is a protocol that provides privacy and data integrity between client/server applications communicating over an unsecure network such as the Internet. EAP and TLS are both IETF RFC standards. The EAP protocol carries initial authentication information, specifically EAPOL (the encapsulation of EAP over LANs as established by IEEE 802.1X). TLS uses certificates both for user authentication and for dynamic ephemeral session key generation. The EAP-TLS authentication protocol uses the certificates of Cisco Secure ACS and of the end-user client, enforcing mutual authentication of the client and of Cisco Secure ACS.
More detailed information on EAP, TLS, and EAP-TLS can be found in the following IETF RFCs: RFC 2284 (PPP Extensible Authentication Protocol), RFC 2246 (The TLS Protocol), and RFC 2716 (PPP EAP TLS Authentication Protocol).

The vulnerability described in this document affects user authentication in the following way: when the EAP-TLS protocol is enabled in version 3.3.1 of Cisco Secure ACS for Windows or Cisco Secure ACS Solution Engine, and network devices and services are configured to authenticate users via the ACS, access will be granted to any user that uses a certificate that is cryptographically correct as long as the user name is valid, regardless of whether the certificate is from a trusted Certificate Authority or whether the certificate has expired.
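The distinction the advisory draws between a "cryptographically correct" certificate and a valid one is the whole defect: a well-formed, correctly signed certificate must still chain to a trusted CA, be inside its validity period, carry a client-authentication key usage, and be bound to the user name being asserted. The Go program below is an added example (not Cisco's code and not an ACS implementation) that builds a trusted CA, an untrusted CA and four constructed client certificates with the standard library, then runs the checks a correct EAP-TLS authenticator applies. The user name "alice", the CA names and the subject-to-user-name binding via the certificate's Common Name are assumptions for the demonstration; real deployments bind through the directory entry or a binary compare, as the advisory's workaround describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical user name the supplicant claims (not from the advisory).
const demoUser = "alice"

// mintCert signs tmpl with signer; parent == tmpl yields a self-signed CA.
func mintCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA creates a constructed self-signed CA valid around "now".
func newCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-72 * time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return mintCert(tmpl, tmpl, &key.PublicKey, key), key
}

// newClientCert issues a client-auth certificate for cn from the given CA.
func newClientCert(cn string, notBefore, notAfter time.Time, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return mintCert(tmpl, ca, &key.PublicKey, caKey)
}

// verifyEAPTLSClient applies the checks an EAP-TLS authenticator must make
// beyond "the certificate parses and its signature verifies": chain to a
// trusted root, validity period at the time of the exchange, client-auth
// extended key usage, and a binding between certificate and user name.
func verifyEAPTLSClient(leaf *x509.Certificate, roots *x509.CertPool, username string, now time.Time) error {
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if leaf.Subject.CommonName != username { // assumed binding rule for the demo
		return errors.New("certificate subject does not match the asserted user name")
	}
	return nil
}

// runScenarios builds the constructed certificates and returns the verdict
// for each: only "valid" should be accepted.
func runScenarios(now time.Time) map[string]error {
	trustedCA, trustedKey := newCA("Constructed Trusted CA", now)
	rogueCA, rogueKey := newCA("Constructed Untrusted CA", now)
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)

	valid := newClientCert(demoUser, now.Add(-time.Hour), now.Add(time.Hour), trustedCA, trustedKey)
	expired := newClientCert(demoUser, now.Add(-48*time.Hour), now.Add(-24*time.Hour), trustedCA, trustedKey)
	untrusted := newClientCert(demoUser, now.Add(-time.Hour), now.Add(time.Hour), rogueCA, rogueKey)
	wrongUser := newClientCert("mallory", now.Add(-time.Hour), now.Add(time.Hour), trustedCA, trustedKey)

	return map[string]error{
		"valid":         verifyEAPTLSClient(valid, roots, demoUser, now),
		"expired":       verifyEAPTLSClient(expired, roots, demoUser, now),
		"untrusted-ca":  verifyEAPTLSClient(untrusted, roots, demoUser, now),
		"name-mismatch": verifyEAPTLSClient(wrongUser, roots, demoUser, now),
	}
}

func main() {
	for name, err := range runScenarios(time.Now()) {
		fmt.Printf("%-14s %v\n", name, err)
	}
}
```

All four certificates are "cryptographically correct" in the advisory's sense, since each parses and carries a signature that verifies against its issuer; only the chain, time and binding checks separate the one that should be accepted from the three that should not.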
[Full-Disclosure] Cisco Security Advisory: Vulnerabilities in Kerberos 5 Implementation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Vulnerabilities in Kerberos 5 Implementation
Revision 1.0
For Public Release 2004 August 31 1830 UTC (GMT)

Contents: Summary, Affected Products, Details, Impact, Software Versions and Fixes, Obtaining Fixed Software, Workarounds, Exploitation and Public Announcements, Status of This Notice: FINAL, Distribution, Revision History, Cisco Security Procedures

Summary
=======
Two vulnerabilities in the Massachusetts Institute of Technology (MIT) Kerberos 5 implementation that affect Cisco VPN 3000 Series Concentrators have been announced by the MIT Kerberos Team. Cisco VPN 3000 Series Concentrators authenticating users against a Kerberos Key Distribution Center (KDC) may be vulnerable to remote code execution and to Denial of Service (DoS) attacks. Cisco has made free software available to address these problems.

Cisco VPN 3000 Series Concentrators not authenticating users against a Kerberos Key Distribution Center (KDC) are not impacted.

No exploitations of these vulnerabilities have been reported.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040831-krb5.shtml.

Affected Products
=================
Vulnerable Products
-------------------
The following products have their Kerberos 5 implementation based on MIT Kerberos code and are affected by these vulnerabilities:

* Cisco VPN 3000 Series Concentrators. All 4.0.x software versions prior to 4.0.5.B and all 4.1.x software versions prior to 4.1.5.B are vulnerable. Versions prior to 4.0.x are not vulnerable since they do not support Kerberos authentication.

Note that vulnerable products are impacted only if they are configured to authenticate users against a Kerberos KDC.
Products Confirmed Not Vulnerable
---------------------------------
The following products have Kerberos 5 support, but their implementation is not based on MIT Kerberos, and therefore they are not affected by the vulnerabilities discussed in this advisory:

* Cisco IOS (Kerberos support available in release 11.2 or later)
* Cisco CatOS

The following products do not have Kerberos 5 support and therefore are not affected by these vulnerabilities:

* Cisco PIX Firewall
* Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series and Cisco 7600 Series routers

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======
Kerberos is a secret-key network authentication protocol developed at the Massachusetts Institute of Technology (MIT) that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication. Kerberos was designed to authenticate requests for network resources. Kerberos, like other secret-key systems, is based on the concept of a trusted third party that performs secure verification of users and services. In the Kerberos protocol, this trusted third party is called the Key Distribution Center (KDC).

The primary use of Kerberos is to verify that users and the network services they use are really who and what they claim to be. To accomplish this, a trusted Kerberos server issues tickets to users. These tickets, which have a limited lifespan, are stored in a user's credential cache and can be used in place of the standard username-and-password authentication mechanism.

The Kerberos credential scheme embodies a concept called single logon. This process requires authenticating a user once, and then allows secure authentication (without encrypting another password) wherever that user's credential is accepted.

Vulnerable Cisco devices using versions of Kerberos based on the MIT implementation to authenticate users are affected by two vulnerabilities.
The first vulnerability consists of a double-free error that can happen under certain error conditions, and that can potentially allow a remote attacker to execute arbitrary code.

The second vulnerability consists of an infinite loop in the Abstract Syntax Notation One (ASN.1) decoder that can be entered upon receipt of an ASN.1 SEQUENCE type with invalid Basic Encoding Rules (BER) encoding. This vulnerability can be exploited by an attacker impersonating a legitimate Kerberos KDC or application server to cause a client program to hang inside an infinite loop, thus creating a Denial of Service condition. This vulnerability can also be exploited to cause a KDC or application server to hang inside an infinite loop.

More information about these MIT Kerberos vulnerabilities is available at http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt and http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt. The information in these links is provided by MIT.

The two vulnerabilities described
[Full-Disclosure] Cisco Security Advisory: Cisco Telnet Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Telnet Denial of Service Vulnerability
Revision 1.0
For Public Release 2004 August 27 1000 UTC

Contents: Summary, Affected Products, Details, Impact, Software Versions and Fixes, Obtaining Fixed Software, Workarounds, Exploitation and Public Announcements, Status of This Notice: INTERIM, Distribution, Revision History, Cisco Security Procedures

Summary
=======
A specifically crafted Transmission Control Protocol (TCP) connection to a telnet or reverse telnet port of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transport Protocol (HTTP) access to the Cisco device. Telnet, reverse telnet, RSH and SSH sessions established prior to exploitation are not affected.

All other device services will operate normally. Services such as packet forwarding, routing protocols and all other communication to and through the device are not affected.

Cisco will make free software available to address this vulnerability. Workarounds, identified below, are available that protect against this vulnerability.

This vulnerability is documented in Cisco bug ID CSCef46191 (registered customers only).

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml.

Affected Products
=================
Vulnerable Products
-------------------
This vulnerability affects all Cisco devices that permit access via telnet or reverse telnet and are running an unfixed version of IOS.

Products Confirmed Not Vulnerable
---------------------------------
Cisco products that do not run IOS are not affected.

Details
=======
Telnet, RSH and SSH are used for remote management of Cisco IOS devices. The SSH protocol is also used for Secure Copy (SCP), which allows an encryption-protected transfer of files to and from Cisco devices. HTTP is also used for management of certain Cisco devices.
IOS versions prior to 12.2(15)T include HTTP server version 1.0, which, if configured, will be unresponsive on a device that is under exploitation. IOS versions after and including 12.2(15)T include HTTP server version 1.1, which is unaffected.

Reverse telnet is a feature that allows you to telnet to a Cisco device and then connect to a third device through an asynchronous serial connection. For more information on reverse telnet, consult the following documents:

http://cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800871ec.html
http://cisco.com/en/US/products/sw/iosswrel/ps1826/products_configuration_guide_chapter09186a00800d9bd8.html

Cisco devices that are operating as a reverse telnet server may have ports open in the ranges of:

* 2001 to 2999
* 3001 to 3099
* 6001 to 6999
* 7001 to 7099

After a specially crafted TCP connection to an IOS device on TCP port 23 or the reverse telnet ports listed above, all subsequent telnet, reverse telnet, RSH (TCP port 514), SSH, SCP (SSH and SCP use TCP port 22), and in some cases HTTP (TCP port 80) connections to the device experiencing exploitation will be unsuccessful. Any telnet, reverse telnet, RSH, SSH, SCP and HTTP sessions that are already established with the device will continue to function properly.

In Cisco IOS, telnet, reverse telnet, RSH, SSH, SCP and some HTTP sessions are handled by a virtual terminal (VTY). Each telnet, reverse telnet, RSH, SSH and SCP session consumes a VTY. After successful exploitation, the Cisco device can no longer accept any subsequent VTY connections.

Though it is not possible to establish new telnet, reverse telnet, RSH, SSH, SCP or HTTP connections to the device after a successful exploitation, the device is only vulnerable on TCP port 23 and the reverse telnet ports listed above. A successful exploitation of this vulnerability requires a complete 3-way TCP handshake, which makes it very difficult to spoof the source IP address.
Only remote access services that use VTYs are affected. This includes telnet, reverse telnet, RSH, SSH, SCP and version 1.0 of the HTTP server. Other device services including, but not limited to, routing protocols, TACACS/RADIUS, Voice over IP (VoIP) and packet forwarding are not affected.

This vulnerability is addressed by Cisco bug ID:

* CSCef46191 (registered customers only)

To determine the software running on a Cisco product, log in to the device and issue the "show version" command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS (R)". On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices
[Full-Disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Secure Access Control Server
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Secure Access Control Server
Revision 1.1
Last Updated 2004 August 25 1630 UTC (GMT)
For Public Release 2004 August 25 1600 UTC (GMT)

Contents: Summary, Affected Products, Details, Impact, Software Versions and Fixes, Obtaining Fixed Software, Workarounds, Exploitation and Public Announcements, Status of This Notice: FINAL, Distribution, Revision History, Cisco Security Procedures

Summary
=======
Cisco Secure Access Control Server for Windows (ACS Windows) and Cisco Secure Access Control Server Solution Engine (ACS Solution Engine) provide authentication, authorization, and accounting (AAA) services to network devices such as a network access server, Cisco PIX and a router. This advisory documents multiple Denial of Service (DoS) and authentication related vulnerabilities for the ACS Windows and the ACS Solution Engine servers.

The vulnerabilities are documented as these Cisco bug IDs:

* CSCeb60017
* CSCec66913
* CSCec90317
* CSCed81716
* CSCef05950

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20040825-acs.shtml.

Affected Products
=================
Vulnerable Products
-------------------
* Versions 3.2(3) and earlier are vulnerable to CSCef05950 and CSCed81716.
* Version 3.2(2) build 15 is vulnerable to CSCeb60017.
* Version 3.2 is vulnerable to CSCec90317 and CSCec66913.
* CSCed81716 is only applicable to the ACS Solution Engine.

Successfully authenticate to your ACS box to determine your software revision. After you perform the authentication, the first screen displays the current ACS version in this format: "CiscoSecure ACS Release 3.2(3) Build 11". ACS versions may also be displayed as 003.002(003.011), where 011 is the build number referenced on the ACS graphical user interface (GUI).

Products Confirmed Not Vulnerable
---------------------------------
Cisco Secure ACS for UNIX is not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities.
Details
=======
The Cisco Secure ACS products provide a centralized identity networking solution and simplified user management experience across all Cisco devices and security management applications. The products help to ensure enforcement of assigned policies: they allow network administrators to control who can log into the network, per-user privileges in the network, security auditing and billing information, and command-level access controls.

* CSCeb60017 and CSCec66913 -- Cisco Secure ACS provides a Web-based management interface, termed CSAdmin, which listens on TCP port 2002. When flooded with TCP connections, the ACS Windows and ACS Solution Engine stop responding to any new TCP connections destined for port 2002. Additionally, services on the ACS that process authentication related requests may become unstable and stop responding, which hampers the ability of ACS to process any authentication related requests. A reboot of the device is required to restore these services.

* CSCec90317 -- Cisco Secure ACS, when configured for Light Extensible Authentication Protocol (LEAP) RADIUS Proxy, forwards LEAP authentication requests to a secondary RADIUS server. The ACS device with LEAP RADIUS proxy configured may crash when LEAP authentication requests are being processed. A reboot is required to bring the device back to an operational state.

* CSCed81716 -- Cisco Secure ACS can communicate with external databases and authenticate users against those databases. One of the external databases that ACS supports is Novell Directory Services (NDS). If an anonymous bind in NDS is allowed, and if the ACS Solution Engine is authenticating NDS users with NDS as the external database and not Generic LDAP, then users are able to authenticate with blank passwords against that NDS database. However, wrong passwords and incorrect usernames are properly rejected.
* CSCef05950 -- Once a user successfully authenticates to the ACS GUI on TCP port 2002, a separate TCP connection is created between the browser and the ACS administration Web service, with a random destination port. If an attacker spoofs the IP address of the user computer and accesses the ACS GUI on this random port, then the attacker may be able to connect to the ACS GUI, bypassing authentication. Authentication to the ACS server may also be bypassed if the attacker is behind the same PAT device as the ACS user and accesses the ACS GUI on this random port.

Impact
======
* CSCeb60017, CSCec66913, and CSCec90317 -- These vulnerabilities may cause a crash impacting the availability of services on the ACS
[Full-Disclosure] Cisco Security Advisory: Cisco IOS Malformed OSPF Packet Causes Reload
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Malformed OSPF Packet Causes Reload
Revision 1.0
For Public Release 2004 August 18 15:00 UTC (GMT)

Contents: Summary, Affected Products, Details, Impact, Software Versions and Fixes, Obtaining Fixed Software, Workarounds, Exploitation and Public Announcements, Status of This Notice: FINAL, Distribution, Revision History, Cisco Security Procedures

Summary
=======
A Cisco device running Internetwork Operating System (IOS) and enabled for the Open Shortest Path First (OSPF) protocol is vulnerable to a Denial of Service (DoS) attack from a malformed OSPF packet. The OSPF protocol is not enabled by default.

The vulnerability is only present in Cisco IOS release trains based on 12.0S, 12.2, and 12.3. Releases based on the 12.0 and 12.1 mainlines, and all Cisco IOS images prior to 12.0, are not affected.

Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040818-ospf.shtml.

Affected Products
=================
Vulnerable Products
-------------------
This vulnerability was introduced by a code change that was committed to the 12.0S, 12.2, and 12.3 based release trains, causing these trains to be vulnerable. All Cisco devices running a vulnerable release train and running an OSPF process are vulnerable. Some release trains that are not vulnerable are explicitly listed below for clarification. The release trains that are not mentioned below are not vulnerable.
    +------------------------------+-----------------------+
    | Release Train                | Vulnerable Versions   |
    +------------------------------+-----------------------+
    | 10.x based releases          | Not vulnerable        |
    | 11.x based releases          | Not vulnerable        |
    | 12.0 based releases (except  | Not vulnerable        |
    |   for 12.0.S based releases) |                       |
    | 12.1 based releases          | Not vulnerable        |
    | 12.0.S                       | 12.0(22)S and later   |
    | 12.0.SX                      | 12.0(23)SX and later  |
    | 12.0.SY                      | 12.0(22)SY and later  |
    | 12.0.SZ                      | 12.0(23)SZ and later  |
    | 12.2 mainline                | Not vulnerable        |
    | 12.2.B                       | 12.2(15)B and later   |
    | 12.2.BC                      | 12.2(15)BC and later  |
    | 12.2.BX                      | 12.2(15)BX and later  |
    | 12.2.BZ                      | 12.2(15)BZ and later  |
    | 12.2.CX                      | 12.2(15)CX and later  |
    | 12.2.EW                      | 12.2(18)EW and later  |
    | 12.2.MC                      | 12.2(15)MC1 and later |
    | 12.2.S                       | 12.2(18)S and later   |
    | 12.2.SE                      | 12.2(18)SE and later  |
    | 12.2.SV                      | 12.2(18)SV and later  |
    | 12.2.SW                      | 12.2(18)SW and later  |
    | 12.2.SZ                      | 12.2(14)SZ and later  |
[Full-Disclosure] Cisco Security Advisory: Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Malformed Packet Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Malformed Packet Vulnerabilities
Revision 1.0
For Public Release 2004 July 21 at 1600 UTC (GMT)

Contents: Summary, Affected Products, Details, Impact, Software Versions and Fixes, Obtaining Fixed Software, Workarounds, Exploitation and Public Announcements, Status of This Notice: FINAL, Distribution, Revision History, Cisco Security Procedures

Summary
=======
Cisco has fixed multiple malformed packet vulnerabilities in the TCP/IP stacks of the Cisco ONS 15327 Edge Optical Transport Platform, the Cisco ONS 15454 Optical Transport Platform, the Cisco ONS 15454 SDH Multiplexer Platform, and the Cisco ONS 15600 Multiservice Switching Platform.

These vulnerabilities are documented as the following Cisco bug IDs:

* CSCed06531 (IP)
* CSCed86946 (ICMP)
* CSCec88426/CSCec88508/CSCed85088/CSCeb07263/CSCec21429 (TCP)
* CSCec59739/CSCed02439/CSCed22547 (Last-ACK)
* CSCec88402/CSCed31918/CSCed83309/CSCec85982/CSCec21435/CSCee03697 (UDP)
* CSCea16455/CSCea37089/CSCea37185 (SNMP)
* CSCee27329 (passwd)

There are workarounds available to mitigate the exposure to these vulnerabilities in the Workarounds section of this advisory. Cisco is providing fixed software, and recommends that customers upgrade to it.

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20040721-ons.shtml.
Affected Products
=================
Vulnerable Products
-------------------
* CSCed06531 (IP)

    +------------------+---------------------+
    | Product          | Affected Releases   |
    +------------------+---------------------+
    | 15327            | 4.6(0) and 4.6(1)   |
    |                  | 4.1(0) to 4.1(3)    |
    |                  | 4.0(0) to 4.0(2)    |
    |                  | 3.x(x) and earlier  |
    +------------------+---------------------+
    | 15454, 15454 SDH | 4.6(0) and 4.6(1)   |
    |                  | 4.5(x)              |
    |                  | 4.1(0) to 4.1(3)    |
    |                  | 4.0(0) to 4.0(2)    |
    |                  | 3.x(x)              |
    |                  | earlier than 2.3(5) |
    +------------------+---------------------+
    | 15600            | Not Affected        |
    +------------------+---------------------+

* CSCed86946 (ICMP)

    +------------------+---------------------+
    | Product          | Affected Releases   |
    +------------------+---------------------+
    | 15327            | 4.6(0) and 4.6(1)   |
    |                  | 4.1(0) to 4.1(3)    |
    |                  | 4.0(0) to 4.0(2)    |
    |                  | 3.x(x) and earlier  |
    +------------------+---------------------+
    | 15454, 15454 SDH | 4.6(0) and 4.6(1)   |
    |                  | 4.5(x)              |
    |                  | 4.1(0) to 4.1(3)    |
    |                  | 4.0(0) to 4.0(2)    |
    |                  | 3.x(x)              |
    |                  | earlier than 2.3(5) |
    +------------------+---------------------+
    | 15600            | Not Affected        |
    +------------------+---------------------+

* CSCec88426/CSCec88508/CSCed85088/CSCeb07263/CSCec21429 (TCP)

    +------------------+---------------------+
    | Product          | Affected Releases   |
    +------------------+---------------------+
    | 15327            | 4.6(0) and 4.6(1)   |
    |                  | 4.1(0) to 4.1(3)    |
    |                  | 4.0(0) to 4.0(2)    |
    |                  | 3.x(x) and earlier  |
    +------------------+---------------------+
    | 15454, 15454 SDH | 4.6(0) and 4.6(1)   |
    |                  | 4.5(x)              |
    |                  | 4.1(0) to 4.1(3)    |
    |                  | 4.0(0) to 4.0(2)    |
    |                  | 3.x(x)              |
    |                  | earlier than 2.3(5) |
    +------------------+---------------------+
    | 15600            | 1.x(x)              |
    +------------------+---------------------+

* CSCec59739/CSCed02439/CSCed22547 (Last-ACK)

    +------------------+---------------------+
    | Product          | Affected Releases   |
    +------------------+---------------------+
    | 15327            | 4.6(0) and 4.6(1)   |
    |                  | 4.1(0) to 4.1(3)    |
    |                  | 4.0(0) to 4.0(2)    |
    |                  | 3.x(x) and earlier  |
    +------------------+---------------------+
    |                  | 4.6(0) and 4.6(1)   |
    |                  | 4.5(x)              |
[Full-Disclosure] Cisco Security Advisory: Cisco Collaboration Server Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Collaboration Server Vulnerability
Revision 1.0
For Public Release 2004 June 30 1600 UTC (GMT)

Contents: Summary, Affected Products, Details, Impact, Software Versions and Fixes, Obtaining Fixed Software, Workarounds, Exploitation and Public Announcements, Status of This Notice: FINAL, Distribution, Revision History, Cisco Security Procedures

Summary
=======
Cisco Collaboration Server (CCS) versions earlier than 5.0 ship with ServletExec versions that are vulnerable to attack where unauthorized users can upload any file and gain administrative privileges. The workaround is documented in the Workarounds section below. Cisco has provided an automated script to remove this vulnerability from the CCS 4.x versions.

This advisory is posted on Cisco's worldwide website at http://www.cisco.com/warp/public/707/cisco-sa-20040630-CCS.shtml.

Affected Products
=================
Vulnerable Products
-------------------
CCS using an unpatched ServletExec version earlier than 3.0E is vulnerable.

* CCS 4.x ships with ServletExec 3.0, which is vulnerable until patched. CCS 4.0 customers can patch the software with an automated script or upgrade to CCS 5.x.
* CCS 3.x ships with ServletExec 2.2, which is vulnerable until patched. An automated script is not available for CCS 3.0. Customers can patch the software by following the manual instructions in the Workarounds section, upgrade to CCS 4.x and patch the software with an automated script, or upgrade to CCS 5.x.

Products Confirmed Not Vulnerable
---------------------------------
CCS 5.x ships with ServletExec 4.1 and is not vulnerable.

Details
=======
Cisco Collaboration Server utilizes the ServletExec subcomponent provided by New Atlanta for Microsoft Windows 2000 and Windows NT. ServletExec versions prior to SE 3.0E allow an attacker to upload files to the Web server and invoke them. Cisco bug ID CSCed49648.
Users should either upgrade to CCS 5.x, which ships with ServletExec 4.1, download the automated script for CCS 4.x, or follow the manual instructions in the Workarounds section. Patching ServletExec either with the automated script or manual instructions removes the UploadServlet from the ServletExec30.jar file but does not alter the version number.

The best way to test if the CCS is vulnerable is to attempt to load the http://ccsservername/servlet/UploadServlet URL when CCS is up and running. If this attempt results in a NullPointerException, the vulnerability is present. If this results in a Page Not Found error, then the CCS is not vulnerable.

Customers can continue to obtain and apply the most current patches for ServletExec by following the instructions on the New Atlanta website: http://www.newatlanta.com/biz/c/products/servletexec/self_help/faq/detail?faqId=195

Additionally, customers are encouraged to go to the following Cisco web page for tips on increasing security on their CCS: http://www.cisco.com/application/pdf/en/us/guest/products/ps1001/c1067/ccmigration_09186a008020f9b4.pdf (refer to page 38 for ServletExec notes and to page 71 for notes on the Collaboration Option).

Cisco Collaboration Server (CCS) has been sold as a standalone product or as part of the Cisco Web Collaboration Option, where it is integrated with the Cisco Intelligent Contact Management (ICM) software. A user can determine their version level by loading http://<ccs server>/version, where <ccs server> is the hostname or IP address.

Impact
======
Cisco Collaboration Server (CCS) versions earlier than 5.0 ship with ServletExec versions that are vulnerable to attack where unauthorized users can upload any file and gain administrative privileges.
* CSCed49648

Software Versions and Fixes
===========================
Cisco Collaboration Server 4.x users can patch the software with an automated script available at http://www.cisco.com/cgi-bin/tablebuild.pl/ccs40, or patch the software by following the manual instructions in the Workarounds section, or upgrade to CCS 5.x.

Cisco Collaboration Server 3.x users can patch the software by following the manual instructions in the Workarounds section, or upgrade to CCS 4.x and patch the software with an automated script, or upgrade to CCS 5.x.

Obtaining Fixed Software
========================
As the fix for this vulnerability is a default configuration change, and a workaround is available, a software upgrade is not required to address this vulnerability. However, if you have a service contract and wish to upgrade to unaffected code, you may obtain upgraded software through your regular update channels once that software is available. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's Worldwide Web site
[Full-Disclosure] Cisco Security Advisory: Cisco IOS Malformed BGP packet causes reload
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: Cisco IOS Malformed BGP Packet Causes Reload Revision 1.0 Last Updated June 16 15:00 UTC (GMT) For Public Release 2004 June 16 15:00 UTC (GMT) - --- Please provide your feedback on this document. - --- Contents Summary Affected Products Details Impact Software Versions and Fixes Obtaining Fixed Software Workarounds Exploitation and Public Announcements Status of This Notice: FINAL Distribution Revision History Cisco Security Procedures - ---

Summary === A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. Cisco has made free software available to address this problem. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.

Affected Products = Vulnerable Products This issue affects all Cisco devices running any unfixed version of Cisco IOS code and configured for BGP routing. A router which is running the BGP process will have a line in the config defining the AS number, which can be seen by issuing the command show running-config:

    router bgp <AS number>

This vulnerability is present in any unfixed version of IOS, from the beginning of support for the BGP protocol, including versions 9.x, 10.x, 11.x and 12.x. To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as Internetwork Operating System Software or simply IOS (R). On the next line of output, the image name will be displayed between parentheses, followed by Version and the IOS release name.
Other Cisco devices will not have the show version command or will give different output. The following example identifies a Cisco product running IOS release 12.0(3) with an installed image name of C2500-IS-L:

    Cisco Internetwork Operating System Software
    IOS (TM) 2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE

The release train label is 12.0. The next example shows a product running IOS release 12.0(2a)T1 with an image name of C2600-JS-MZ:

    Cisco Internetwork Operating System Software
    IOS (tm) C2600 Software (C2600-JS-MZ), Version 12.0(2a)T1, RELEASE SOFTWARE (fc1)

Additional information about Cisco IOS release naming can be found at http://www.cisco.com/warp/public/620/1.html.

Products Confirmed Not Vulnerable Products confirmed not to be vulnerable include devices which cannot participate in BGP or cannot be configured for BGP.

Details === The Border Gateway Protocol (BGP) is a routing protocol defined by RFC 1771, and designed to manage IP routing in large networks. An affected Cisco device running a vulnerable version of Cisco IOS software and enabling the BGP protocol will reload when a malformed BGP packet is received. BGP runs over TCP, a reliable transport protocol which requires a valid three way handshake before any further messages will be accepted. The Cisco IOS implementation of BGP requires the explicit definition of a neighbor before a connection can be established, and traffic must appear to come from that neighbor. These implementation details make it very difficult to send a BGP packet to a Cisco IOS device from an unauthorized source. A Cisco device receiving an invalid BGP packet will reset and may take several minutes to become fully functional. This vulnerability may be exploited repeatedly resulting in an extended DoS attack. This issue is documented in bug IDs CSCdu53656 and CSCea28131.

Impact == Successful exploitation of this vulnerability results in a reload of the device.
Repeated exploitation could result in a sustained DoS attack. Software Versions and Fixes === Note: Many of the releases in this table were fixed prior to the release of other IOS advisories. Read the table carefully to determine if your IOS release contains these fixes. Most fixed releases for the TCP and SNMP advisories such as http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml and http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml contained the fixes for this BGP advisory. Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is
[Full-Disclosure] Cisco Security Advisory: Cisco CatOS Telnet, HTTP and SSH Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: Cisco CatOS Telnet, HTTP and SSH Vulnerability Revision 1.0 For Public Release 2004 June 9 at 1600 UTC (GMT) -- Contents Summary Affected Products Details Impact Software Versions and Fixes Obtaining Fixed Software Workarounds Exploitation and Public Announcements Status of This Notice: FINAL Distribution Revision History Cisco Security Procedures --

Summary Cisco CatOS is susceptible to a TCP-ACK Denial of Service (DoS) attack on the Telnet, HTTP and SSH service. If exploited, the vulnerability causes the Cisco CatOS running device to stop functioning and reload. This vulnerability is documented as Cisco bug IDs CSCec42751, CSCed45576, and CSCed48590. There are techniques available to mitigate the potential effects of this vulnerability in the workaround section of this advisory. Cisco is providing fixed software, and recommends that customers upgrade to it. This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20040609-catos.shtml.

Affected Products Vulnerable Products

Hardware
* Catalyst 6000 series
* Catalyst 5000 series
* Catalyst 4500 series
* Catalyst 4000 series
* Catalyst 2948G, 2980G, 2980G-A, 4912G - use Catalyst 4000 series code base
* Catalyst 2901, 2902, 2926[T,F,GS,GL], 2948 - use Catalyst 5000 series code base

Software
    CatOS Release Train    Affected Releases
    8.xGLX                 earlier than 8.3(2)GLX
    8.x                    earlier than 8.2(2)
    7.x                    earlier than 7.6(6)
    6.x                    earlier than 6.4(9)
    5.x and earlier        earlier than 5.5(20)

Products Confirmed Not Vulnerable The following Catalyst switches do not run Cisco CatOS.
* Catalyst 8500 series
* Catalyst 4800 series
* Catalyst 4200 series
* Catalyst 4840G
* Catalyst 4908G-L3
* Catalyst 4224 Access Gateway Switch
* Catalyst 3750
* Catalyst 3750 Metro
* Catalyst 3560
* Catalyst 3550
* Catalyst 3500 XL
* Catalyst 2948G-L3
* Catalyst 2970
* Catalyst 2955
* Catalyst 2950
* Catalyst 2950 LRE
* Catalyst 2940
* Catalyst 2900 XL
* Catalyst 2900 LRE XL
* Catalyst 2820
* Catalyst 1900

Cisco IOS is not vulnerable to this issue. No other Cisco products are currently known to be affected by this vulnerability. To determine your software revision, type show version at the command line prompt of the network device.

Details A TCP-ACK DoS attack is conducted by not sending the regular final ACK required for a 3-way TCP handshake to complete, and instead sending an invalid response to move the connection to an invalid TCP state. This attack can be initiated from a remote spoofed source. This vulnerability is currently known to be exploitable only if you have the Telnet, HTTP or SSH service configured on a device which is running Cisco CatOS.

CatOS release 5.4 was the first CatOS release which incorporated the HTTP feature. Software releases that contain a cv in the image filename support the HTTP feature. The HTTP server is disabled by default. It is typically enabled to allow web based management of the switch using CiscoView. To disable the HTTP server on the switch type:

    set ip http server disable

CatOS K9 (crypto) release 6.1 was the first CatOS release which incorporated the SSH feature. The SSH server is disabled by default. To verify whether SSH has been configured on the switch type show crypto key. If this shows you the RSA key then SSH has been configured and enabled on the switch. To remove the crypto key type clear crypto key RSA; this disables the SSH server on the switch.

To check whether the HTTP or SSH services are enabled one can also do the following. For HTTP, try to connect to the default HTTP port, TCP 80, using Telnet:

    telnet ip_address_of_device 80

If the session connects, the service is enabled and accessible. Similarly, for SSH try to connect to the SSH port, TCP 22. The Internetworking Terms and Cisco Systems Acronyms online guides can be found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/. This vulnerability is documented in the Cisco Bug Toolkit as Bug IDs CSCec42751 (registered customers only) , CSCed45576
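The port check just described, scripted, as an added example (it is not part of the advisory and not Cisco tooling): a TCP connect is attempted to the Telnet, HTTP and SSH ports of a device and each service is reported as reachable if the handshake completes, which is the condition the advisory uses for "enabled and accessible". The service/port table, the loopback listener used for an offline run and the helper names are assumptions; a switch running a service on a non-default port needs the table adjusted.

```python
"""Probe a device for the Telnet, HTTP and SSH listeners named in the CatOS
advisory.  Added example, not Cisco's code: it reproduces the
'telnet ip_address_of_device 80' check with one socket connect per port."""
import socket

# Default ports of the three services the advisory covers (assumption: the
# device has not been configured to run them on other ports).
SERVICE_PORTS = {"telnet": 23, "http": 80, "ssh": 22}


def probe_tcp(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes, else False.

    A completed handshake is exactly the advisory's test: the service is
    'enabled and accessible'.  Refused, filtered and timed-out connects
    all count as not reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_services(host, ports=SERVICE_PORTS, timeout=3.0):
    """Map each service name to whether its port accepted a connection."""
    return {name: probe_tcp(host, port, timeout) for name, port in ports.items()}


def exposed_services(host, ports=SERVICE_PORTS, timeout=3.0):
    """Sorted names of the services that answered, i.e. the listeners the
    TCP-ACK DoS in the advisory can be aimed at."""
    return sorted(n for n, up in check_services(host, ports, timeout).items() if up)


# Helpers for an offline demonstration (constructed, not real devices): a
# loopback listener standing in for an enabled service, and a port that
# nothing listens on.
def local_listener():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)  # the kernel completes handshakes without accept()
    return srv, srv.getsockname()[1]


def unused_local_port():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = local_listener()
    demo = {"fake-http": port, "closed": unused_local_port()}
    print(check_services("127.0.0.1", demo, timeout=1.0))
    srv.close()
```

Run it against a real switch as `check_services("10.0.0.5")` (hostname assumed); a True for a service you did not intend to expose is the finding, and after `set ip http server disable` or `clear crypto key RSA` the corresponding entry should flip to False.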
[Full-Disclosure] Cisco Security Advisory: TCP Vulnerabilities in Multiple Non-IOS-Based Cisco Products
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: TCP Vulnerabilities in Multiple Non-IOS Cisco Products Revision 1.0 For Public Release 2004 April 20 21:00 UTC (GMT) - - Summary === A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer), and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, the attack vector does not directly compromise data integrity or confidentiality. All Cisco products which contain a TCP stack are susceptible to this vulnerability. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml, and it describes this vulnerability as it applies to Cisco products that do not run Cisco IOS® software. A companion advisory that describes this vulnerability for products that run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml. Affected Products = Products which contain a TCP stack are susceptible to this vulnerability. All Cisco products and models are affected. The severity of the exposure depends upon the protocols and applications that utilize TCP. 
The nonexhaustive list of vulnerable non-IOS based Cisco products is as follows: * Access Registrar * BPX, IGX, MGX WAN switches, and the Service Expansion Shelf * BR340, WGB340, AP340, AP350, BR350 Cisco/Aironet wireless products * Cache Engine 505 and 570 * CallManager * Catalyst 1200, 1900, 28xx, 29xx, 3000, 3900, 4000, 5000, 6000 * Cisco 8110 Broadband Network Termination Unit * Cisco Element Management Framework * Cisco Info Center * Cisco Intelligent Contact Management * Cisco MDS 9000 * Cisco ONS 15190/15194 IP Transport Concentrator * Cisco ONS 15327 Metro Edge Optical Transport Platform * Cisco ONS 15454 Optical Transport Platform * Cisco ONS 15531/15532 T31 OMDS Metro WDM System * Cisco ONS 15800/15801/15808 Dense Wave Division Multiplexing Platform * Cisco ONS 15830 T30 Optical Amplification System * Cisco ONS 15831/15832 T31 DWDM System * Cisco ONS 15863 T31 Submarine WDM System * Content Router 4430 and Content Delivery Manager 4630 and 4650 * Cisco Secure Intrusion Detection System (NetRanger) appliance and IDS Module * Cisco Secure PIX firewall * Cisco ws-x6608 and ws-x6624 IP Telephony Modules * CiscoWorks Windows * Content Engine 507, 560, 590, and 7320 * CSS11000 (Arrowpoint) Content Services Switch * Hosting Solution Engine * User Registration Tool VLAN Policy Server * Cisco FastHub 300 and 400 * CR-4430-B * Device Fault Manager * Internet CDN Content Engine 590 and 7320, Content Distribution Manager 4670, and Content Router 4450 * IP Phone (all models including ATA and VG248) * IP/TV * LightStream 1010 * LightStream 100 ATM Switches * LocalDirector * ME1100 series * MicroHub 1500,MicroSwitch 1538/1548 * Voice Manager * RTM * SN5400 series storage routers * Switch Probe * Unity Server * VG248 Analog Phone Gateway * Traffic Director * WAN Manager Products Confirmed Not Vulnerable = The following products are not vulnerable: * Cisco VPN 3000 Series Concentrators * Cisco Firewall Services Module for Cisco Catalyst 6500 Series and Cisco 7600 Series 
(FWSM) Details == TCP is the transport layer protocol designed to provide connection-oriented reliable delivery of a data stream. To accomplish this, TCP uses a mixture of flags to indicate state and sequence numbers to identify the order in which the packets are to be reassembled. TCP also provides a number, called an acknowledgement number, that is used to indicate the sequence number of the next packet expected. The packets are reassembled by the receiving TCP implementation only if their sequence numbers fall within a range of the acknowledgement number (called a window). The acknowledgement number is not used in a packet with the reset (RST) flag set because a reset does not expect a packet in return. The full specification of the TCP protocol can be found at
[Full-Disclosure] Cisco Security Advisory: Vulnerabilities in SNMP Message Processing
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: Vulnerabilities in SNMP Message Processing Revision 1.0 INTERIM For Public Release 2004 April 20 UTC 2100 - --- Contents Summary Affected Products Details Impact Software Versions and Fixes Obtaining Fixed Software Workarounds Exploitation and Public Announcements Status of This Notice: INTERIM Distribution Revision History Cisco Security Procedures - --- Summary === Cisco Internetwork Operating System (IOS) Software releases trains 12.0S, 12.1E, 12.2, 12.2S, 12.3, 12.3B and 12.3T may contain a vulnerability in processing SNMP requests which, if exploited, could cause the device to reload. The vulnerability is only present in certain IOS releases on Cisco routers and switches. This behavior was introduced via a code change and is resolved with CSCed68575. This vulnerability can be remotely triggered. A successful exploitation of this vulnerability may cause a reload of the device and could be exploited repeatedly to produce a Denial of Service (DoS). This advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml Affected Products = This vulnerability was introduced by a code change for CSCeb22276. This change was committed to the following releases, causing these releases to be vulnerable. Note: The list below is not comprehensive; it is provided to help quickly identify some commonly used releases. Please see the Software Versions and Fixes section of this advisory for the complete IOS upgrade table. 
* 12.0(23)S4, 12.0(23)S5
* 12.0(24)S4, 12.0(24)S5
* 12.0(26)S1
* 12.0(27)S
* 12.0(27)SV, 12.0(27)SV1
* 12.1(20)E, 12.1(20)E1, 12.1(20)E2
* 12.1(20)EA1
* 12.1(20)EW, 12.1(20)EW1
* 12.1(20)EC, 12.1(20)EC1
* 12.2(12g), 12.2(12h)
* 12.2(20)S, 12.2(20)S1
* 12.2(21), 12.2(21a)
* 12.2(23)
* 12.3(2)XC1, 12.3(2)XC2
* 12.3(5), 12.3(5a), 12.3(5b)
* 12.3(6)
* 12.3(4)T, 12.3(4)T1, 12.3(4)T2, 12.3(4)T3
* 12.3(5a)B
* 12.3(4)XD, 12.3(4)XD1

To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as Internetwork Operating System Software or simply IOS. On the next line of output, the image name will be displayed between parentheses, followed by Version and the IOS release name. Other Cisco devices will not have the show version command or will give different output. The following example identifies a Cisco product running IOS release 12.0(3) with an installed image name of C2500-IS-L:

    Cisco Internetwork Operating System Software
    IOS (TM) 2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE

The release train label is 12.0. The next example shows a product running IOS release 12.0(2a)T1 with an image name of C2600-JS-MZ:

    Cisco Internetwork Operating System Software
    IOS (tm) C2600 Software (C2600-JS-MZ), Version 12.0(2a)T1, RELEASE SOFTWARE (fc1)

Additional information about Cisco IOS release naming can be found at http://www.cisco.com/warp/public/620/1.html.

Details === The Simple Network Management Protocol (SNMP) defines a standard mechanism for remote management and monitoring of devices in an Internet Protocol (IP) network. A device or host that supports SNMP is an SNMP entity. There are two classes of SNMP entities: SNMP managers that request information and receive unsolicited messages and SNMP agents that respond to requests and send unsolicited messages.
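The show version banners quoted in this advisory and in the BGP advisory above share one format, so here is a single added example (not Cisco tooling) serving both passages: it parses such a banner into image name and release, splits the release into train and rebuild fields, and checks it against this advisory's list of releases carrying the CSCeb22276 change. The regular expressions and function names are assumptions; the two sample banners and the release list are copied from the advisories, and, as the advisory says, the list is not comprehensive, so a miss means only "not on the short list".

```python
"""Parse Cisco 'show version' banners and check the release against the
SNMP advisory's list of vulnerable IOS releases.  Added example, not Cisco
tooling: the regular expressions and helper names are assumptions; the
sample banners and the release list are the advisories' own text."""
import re

# Second banner line, e.g.
#   IOS (TM) 2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE
BANNER_RE = re.compile(r"Software \(([^)]+)\), Version (\S+),")

# Release string, e.g. 12.0(2a)T1 -> major 12, minor 0, maintenance 2,
# rebuild letter 'a', train letters 'T', train rebuild 1.
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]*)\)([A-Z]*)(\d*)$")

# Releases the advisory lists as carrying the CSCeb22276 change.  The
# advisory calls this list non-comprehensive; its upgrade table governs.
LISTED_TEXT = """
12.0(23)S4, 12.0(23)S5 12.0(24)S4, 12.0(24)S5 12.0(26)S1 12.0(27)S
12.0(27)SV, 12.0(27)SV1 12.1(20)E, 12.1(20)E1, 12.1(20)E2 12.1(20)EA1
12.1(20)EW, 12.1(20)EW1 12.1(20)EC, 12.1(20)EC1 12.2(12g), 12.2(12h)
12.2(20)S, 12.2(20)S1 12.2(21), 12.2(21a) 12.2(23) 12.3(2)XC1, 12.3(2)XC2
12.3(5), 12.3(5a), 12.3(5b) 12.3(6) 12.3(4)T, 12.3(4)T1, 12.3(4)T2, 12.3(4)T3
12.3(5a)B 12.3(4)XD, 12.3(4)XD1
"""
VULNERABLE = frozenset(re.findall(r"\d+\.\d+\(\d+[a-z]*\)[A-Z]*\d*", LISTED_TEXT))


def parse_banner(text):
    """Return (image_name, release) from a show version banner, or None if
    the text does not look like an IOS banner."""
    m = BANNER_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


def parse_release(release):
    """Split an IOS release into fields.  'base' is the 12.0-style label the
    advisory calls the release train; 'train' appends the train letters."""
    m = RELEASE_RE.match(release)
    if not m:
        raise ValueError("unrecognised IOS release: %r" % release)
    major, minor, maint, rebuild, letters, train_rebuild = m.groups()
    return {
        "base": "%s.%s" % (major, minor),
        "train": "%s.%s%s" % (major, minor, letters),
        "maintenance": int(maint),
        "rebuild": rebuild,
        "train_rebuild": int(train_rebuild) if train_rebuild else 0,
    }


def is_listed_vulnerable(release, listed=VULNERABLE):
    """True if the release is on the advisory's short list.  False means
    'not on that list', not 'fixed'."""
    return release in listed


def check_banner(text):
    """One-call triage of a captured banner: parsed fields plus the flag."""
    parsed = parse_banner(text)
    if parsed is None:
        return None
    image, release = parsed
    info = parse_release(release)
    info.update(image=image, release=release, listed=is_listed_vulnerable(release))
    return info


if __name__ == "__main__":
    banner = ("Cisco Internetwork Operating System Software\n"
              "IOS (tm) C2600 Software (C2600-JS-MZ), Version 12.0(2a)T1, "
              "RELEASE SOFTWARE (fc1)")
    print(check_banner(banner))
```

Feed it the output of show version collected from each router; anything with listed=True needs the CSCed68575 fix, and for everything else the release still has to be looked up in the advisory's full upgrade table by its train.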
SNMP entities that support SNMP proxy functions combine the functions of both SNMP manager and SNMP agent. There are two classes of SNMP operations: solicited operations such as 'get' or 'set', with which the SNMP manager requests or changes the value of a managed object on an SNMP agent; and unsolicited operations such as 'trap' or 'inform' messages, with which the SNMP agent provides an unsolicited notification or alarm message to the SNMP manager. The 'inform' operation is essentially an acknowledged 'trap'. All SNMP operations are transported over the User Datagram Protocol (UDP). Solicited operations are sent by the SNMP manager to UDP destination port 161 on the agent. Unsolicited operations are sent by the SNMP agent to UDP destination port 162. In IOS, the acknowledgement sent by the SNMP manager to an SNMP agent in reply to an 'inform' operation is sent to a randomly chosen high port that is chosen when the SNMP process is started. As IOS implements both an SNMP agent and SNMP proxy functionality, the SNMP process in IOS starts listening for SNMP operations on UDP ports 161, 162 and the random UDP port at the time it is initialized; a port-based filter that only covers 161 and 162 therefore does not cover every listener the process opens. The SNMP process is started either at the time the device boots, or when SNMP
[Full-Disclosure] Cisco Security Notice: Cisco IPsec VPN Implementation Group Password Usage Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Notice: Cisco IPsec VPN Implementation Group Password Usage Vulnerability Revision 1.0 For Public Release 2004 April 15 1600 UTC (GMT) -- Contents Summary Details Workarounds Status of This Notice: INTERIM Revision History Cisco Security Procedures Related Information -- Summary This Security Notice is being released due to the new information received by Cisco PSIRT regarding the Cisco IPsec VPN implementation, Group Password Usage Vulnerability. This is also a follow-up to an email thread that appeared on the Bugtraq mailing list in December 2003 which can be found at http://www.securityfocus.com/archive/1/347351. This notice will be posted at http://www.cisco.com/warp/public/707/cisco-sn-20040415-grppass.shtml. Details Proof of Concept code now exists for: * Recovering the Group Password - The Group Password used by the Cisco Internet Protocol Security (IPsec) virtual private network (VPN) client is scrambled on the hard drive, but unscrambled in memory. This password can now be recovered on both the Linux and Microsoft Windows platform implementations of the Cisco IPsec VPN client. This vulnerability is documented in the Cisco Bug Toolkit as Bug ID CSCed41329 (registered customers only) . * The Linux implementation vulnerability was reported by Karl Gaissmaier, University of Ulm, Germany. * The Microsoft Windows implementation vulnerability was reported by Jonas Eriksson and Nicholas Kathmann. * Man In The Middle (MITM) attack to emulate a VPN head end server for stealing valid user names and passwords or hijacking connections using a previously recovered Group Password - This vulnerability exists whenever Group Passwords are used as the pre-shared key during Internet Key Exchange (IKE) Phase 1 in the XAUTH protocol. The user name and password in XAUTH are transmitted over the network only encrypted by the Phase 1 IKE security association (SA) which in this case are derived from the Group Password. 
Anyone in possession of the Group Password will have the ability to either hijack a connection from a valid user, or pose as a VPN head end for stealing user names and passwords. In the e-mail thread on Bugtraq, it was mentioned that Cisco may be looking at implementing Challenge/Response Authentication of Cryptographic Keys (CRACK) as an alternative to XAUTH. This information was incorrect and Cisco does not plan to implement the CRACK authentication method. Cisco is working on implementing IKEv2 with an estimated release date in the fourth quarter of the calendar year 2005. For the Cisco VPN 3000 Concentrator, Cisco VPN Client (software client) and Cisco VPN 3002 Hardware Client, Cisco is in the process of implementing a feature which is based on the expired IETF draft 'A Hybrid Authentication Mode for IKE' published in August of 2000. Cisco's solution extends the Hybrid Auth model by additionally requiring a group pre-shared key for VPN group identification. The group pre-shared key will be used solely to associate users with their appropriate VPN groups, followed by the XAUTH exchange that will then authenticate the user. The MITM attack described in this document will no longer be possible because of the additional digital signature that binds the keying material to the Cisco VPN 3000 Concentrator's digital certificate. This feature is estimated to ship in the third quarter of the calendar year 2004. Hybrid Authentication mode is a two stage process that allows the asymmetric use of digital certificates between the client and the head end server. The first stage is used to authenticate the head end server to the client and is based on the IKE Phase 1 exchange, wherein the client verifies the authenticity of the head end server's certificate. The second stage authenticates the client to the head end server and is based on a Transaction Exchange (IKECFG) using the mechanism described in the XAUTH protocol. Pre-shared keys are not used for authentication.
Workarounds No workarounds exist for the vulnerabilities documented in this Notice. To avoid potential exploitation of these vulnerabilities Cisco PSIRT recommends that customers deploy Public Key Infrastructure (PKI) and carefully evaluate the risks of deploying Group Password based authentication schemes. Status of This Notice: INTERIM This is an interim notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts
[Full-Disclosure] UPDATE: Cisco Security Notice: Dictionary Attack on Cisco LEAP Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Notice: Dictionary Attack on Cisco LEAP Vulnerability Revision 2.0 Last Updated 2004 April 12 1600 UTC (GMT) For Public Release 2003 August 03 1600 UTC (GMT) -- Contents Summary Details Workarounds Status of This Notice: Final Revision History Cisco Security Procedures Related Information --

Summary Cisco LEAP is a mutual authentication algorithm that supports dynamic derivation of session keys. With Cisco LEAP, mutual authentication relies on a shared secret, the user's logon password, which is known by the client and the network and is used to respond to challenges between the user and the Remote Authentication Dial-In User Service (RADIUS) server. As with most password-based authentication algorithms, Cisco LEAP is vulnerable to dictionary attacks. Cisco has now announced the availability of EAP-Flexible Authentication via Secure Tunneling (EAP-FAST) for users who wish to deploy an 802.1X Extensible Authentication Protocol (EAP) type that does not require digital certificates and is not vulnerable to dictionary attacks. This notice will be posted at http://www.cisco.com/warp/public/707/cisco-sn-20030802-leap.shtml.

Details At DEFCON, on August 3, 2003, a presentation by Joshua Wright explored mechanisms that could make it easier for someone to write a tool to launch an offline dictionary attack on password-based authentications that leverage Microsoft MS-CHAP, such as Cisco LEAP. The source code of the dictionary attack tool called asleap was released on April 6, 2004. During a dictionary attack, variations of candidate passwords are tried against a captured challenge/response exchange to compromise a user's authentication credentials. Most password-based authentication algorithms are vulnerable to dictionary attacks in the absence of a strong password policy. Cisco developed EAP-FAST for users who wish to deploy an 802.1X EAP type that does not require digital certificates and is not vulnerable to dictionary attacks.
Workarounds Creating a strong password policy is the most effective way to mitigate dictionary attacks. This includes using strong passwords and periodically expiring passwords. Cisco recommends that customers review their security policies and incorporate the best practices outlined in the 802.11 Wireless LAN Security White Paper - http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.htm (refer to section 5.2 Cisco LEAP Deployment). Users could migrate to another EAP type like EAP-FAST, PEAP or EAP-TLS whose authentication methods are not susceptible to dictionary attacks.
* EAP-FAST is an authentication protocol that creates a secure tunnel without using certificates.
* PEAP is a hybrid authentication protocol that creates a secured TLS tunnel between the WLAN user and the RADIUS server to authenticate the user to the network. This requires certificate and public key infrastructure (PKI) management on the RADIUS servers, and the WLAN clients must hold the CA certificate needed to validate the server, since a client that skips that validation can be lured to a rogue server that collects the inner credentials.
* EAP-TLS uses pre-issued digital certificates to authenticate a user to the network. This requires certificate and PKI management on both RADIUS servers and WLAN clients.

Status of This Notice: Final This is a final notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice. A stand-alone copy or paraphrase of the text of this security notice that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Revision History
    Revision 2.0    2004-April-12     Announcing EAP-FAST.
    Revision 1.0    2003-August-02    Initial release.

Cisco Security Procedures Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
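The attack class this notice describes, an offline dictionary attack against a captured challenge/response, as an added example: it is not asleap and does not reproduce LEAP's MS-CHAP arithmetic (MD4 and DES are not in the Python standard library), so the response function is an HMAC-SHA256 stand-in with the one property the attack needs, that the response is a deterministic function of the password and the sniffed challenge. It shows why a captured exchange lets an attacker test guesses without ever talking to the RADIUS server, and why the workaround above is a password policy: the same loop that finds a dictionary-style password finds nothing against a long passphrase. The challenge bytes, the word list and the two passwords are constructed for the demonstration.

```python
"""Offline dictionary attack against a captured challenge/response, the
attack class the LEAP notice describes.  Added example: not asleap and not
LEAP's MS-CHAP computation; the response function is an HMAC-SHA256
stand-in so the block runs with the standard library.  All data below is
constructed for the demonstration."""
import hashlib
import hmac


def response(password, challenge):
    """Stand-in for the MS-CHAP response: a keyed function of a digest of
    the password and the challenge.  What the attack relies on is only that
    it is deterministic and its key depends on nothing but the password."""
    key = hashlib.sha256(password.encode("utf-8")).digest()
    return hmac.new(key, challenge, hashlib.sha256).digest()


def candidates(words, suffixes=("", "1", "!", "2003", "2004")):
    """Expand a base word list into the 'variations of passwords' a
    dictionary attack tries: case changes and common suffixes."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                yield base + suffix


def dictionary_attack(challenge, captured, words):
    """Return (password, guesses_tried) if some candidate reproduces the
    captured response, else (None, guesses_tried).  Everything is computed
    from the sniffed exchange; the authentication server never sees a
    guess, so lockout policies on the server do not help."""
    tried = 0
    for guess in candidates(words):
        tried += 1
        if hmac.compare_digest(response(guess, challenge), captured):
            return guess, tried
    return None, tried


# Constructed demonstration data: a sniffed challenge and the responses two
# different users would have produced for it.
CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
WORDS = ["winter", "spring", "summer", "autumn"]
WEAK_RESPONSE = response("Summer2004", CHALLENGE)
STRONG_RESPONSE = response("correct-horse-battery-staple-7Q", CHALLENGE)


if __name__ == "__main__":
    print("weak   :", dictionary_attack(CHALLENGE, WEAK_RESPONSE, WORDS))
    print("strong :", dictionary_attack(CHALLENGE, STRONG_RESPONSE, WORDS))
```

Swapping a real word list into WORDS turns the loop into the same work asleap does, minus the MS-CHAP specifics; the defence is to keep passwords outside any such list, or to move to EAP-FAST, PEAP or EAP-TLS, where the exchange is no longer visible to a passive listener.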
[Full-Disclosure] Cisco Security Advisory: Cisco IPSec VPN Services Module Malformed IKE Packet Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: Cisco IPSec VPN Services Module Malformed IKE Packet Vulnerability Revision 1.0 For Public Release 2004 April 8 at 1600 UTC (GMT) -- Contents Summary Affected Products Details Impact Software Versions and Fixes Obtaining Fixed Software Workarounds Exploitation and Public Announcements Status of This Notice: FINAL Distribution Revision History Cisco Security Procedures --

Summary The Cisco IP Security (IPSec) VPN Services Module (VPNSM) is a high-speed module for the Cisco Catalyst 6500 Series Switch and the Cisco 7600 Series Internet Router that provides infrastructure-integrated IPSec VPN services. A malformed Internet Key Exchange (IKE) packet may cause the Cisco Catalyst 6500 Series Switch or the Cisco 7600 Series Internet Router hardware, with the VPNSM installed, to crash and reload. This vulnerability is documented as Cisco bug ID CSCed30113. There is no workaround available to mitigate the effects of this vulnerability. Cisco is providing fixed software at no charge, and recommends that customers upgrade to it. This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20040408-vpnsm.shtml.

Affected Products Vulnerable Products All Cisco Catalyst 6500 Series Switch and the Cisco 7600 Series Internet Router hardware, with the VPNSM installed, running the following Cisco IOS releases are affected by this vulnerability:

    Release Train    Affected Releases
    12.2SXA          earlier than 12.2(17b)SXA
    12.2SXB          earlier than 12.2(17d)SXB
    12.2SY           earlier than 12.2(14)SY03
    12.2ZA           earlier than 12.2(14)ZA8

Products Confirmed Not Vulnerable Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Internet Router hardware, using the VPNSM and running Cisco IOS release train 12.1E are not affected by this vulnerability. No other Cisco products are currently known to be affected by this vulnerability.
To determine your software revision, type show version at the command line prompt.

Details A malformed IKE packet may cause the Cisco Catalyst 6500 Series Switch or the Cisco 7600 Series Internet Router hardware, with the VPNSM installed, to crash and reload. This vulnerability could be used to conduct a Denial of Service (DoS) attack on the Cisco Catalyst 6500 Series Switch or the Cisco 7600 Series Internet Router hardware platforms that have the VPNSM installed in them. This vulnerability is known to only exist in the modified IKE code which was incorporated in the 12.2SXA, 12.2SXB, 12.2SY, and 12.2ZA Cisco IOS software release trains. More information on the VPNSM is available at http://www.cisco.com/en/US/products/hw/modules/ps2706/products_data_sheet09186a00800c4fe2.html. The Internetworking Terms and Cisco Systems Acronyms online guides can be found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/. This vulnerability is documented in the Cisco Bug Toolkit as Bug ID CSCed30113 (registered customers only) .

Impact This vulnerability could be used to conduct a Denial of Service (DoS) attack on the Cisco Catalyst 6500 Series Switch or the Cisco 7600 Series Internet Router hardware platforms that have the VPNSM installed in them.

Software Versions and Fixes This vulnerability has been fixed in the following Cisco IOS releases for the Cisco Catalyst 6500 Series Switch and the Cisco 7600 Series Internet Router hardware:

    Release Train    Fixed Releases
    12.2SXA          12.2(17b)SXA and later
    12.2SXB          12.2(17d)SXB and later
    12.2SY           12.2(14)SY03 and later
    12.2ZA           12.2(14)ZA8 and later. No software availability date has been determined yet.

Please refer to these documents for more information: * 12.2(17b)SXA Release Notes: http://www.cisco.com/en/US/products/sw/iosswrel/ps5014/prod_bulletin09186a00801df1dd.html * 12.2(17d)SXB Release Notes:
[Full-Disclosure] Cisco Security Advisory: A default Username and Password in WLSE and HSE devices
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: A Default Username and Password in WLSE and HSE Devices Revision 1.0 Last Updated For Public Release 2004 April 07 1600 UTC (GMT) - - Summary === A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled. There is no workaround. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040407-username.shtml. Affected Products = * The affected software releases for WLSE are 2.0, 2.0.2 and 2.5. * The affected software releases for HSE are 1.7, 1.7.1, 1.7.2 and 1.7.3. Details === A hardcoded username and password pair is present in all software releases for all models of WLSE and HSE devices. This vulnerability is documented in the Cisco Bug Toolkit as Bug ID CSCsa11583 (registered customers only) for the WLSE and CSCsa11584 (registered customers only) for the HSE. CiscoWorks WLSE provides centralized management for the Cisco Wireless LAN infrastructure. It unifies the other components in the solution and actively employs them to provide continual Air/RF monitoring, network security, and optimization. The CiscoWorks WLSE also assists network managers by automating and simplifying mass configuration deployment, fault monitoring and alerting. Cisco Hosting Solution Engine is a hardware-based solution to monitor and activate a variety of e-business services in Cisco powered data centers. It provides fault and performance information about the Layer 2-3 hosting infrastructure and Layer 4-7 hosted services. Impact == Any user who logs in using this username has complete control of the device. One can add new users or modify details of the existing users, and change the device's configuration. 
Here are some more concrete examples of possible actions:

* For WLSE this means that an adversary can hide the presence of a rogue Access Point or change the Radio Frequency plan, potentially causing system-wide outages. The first action may cause long term loss of information confidentiality and integrity. The second action can yield Denial-of-Service (DoS).
* For HSE this may lead up to illegal re-directing of a Web site with the ultimate loss of revenue.
* In both cases the device itself may be used as a launching platform for further attacks. Such attacks could be directed at your organization, or towards a third party.

Software Versions and Fixes
===========================

For WLSE, users need to install the WLSE-2.x-CSCsa11583-K9.zip patch. The patch can be downloaded from http://www.cisco.com/cgi-bin/tablebuild.pl/wlan-sol-eng (registered customers only). This patch is applicable to WLSE 1130 software releases 2.0, 2.0.2 and 2.5.

For HSE, users need to install the HSE-1.7.x-CSCsa11584.zip patch. The patch can be downloaded from http://www.cisco.com/cgi-bin/tablebuild.pl/1105-host-sol (registered customers only). This patch is applicable to HSE 1105 for versions 1.7, 1.7.1, 1.7.2, and 1.7.3.

Obtaining Fixed Software
========================

Customers with Service Contracts
--------------------------------

As the fix for this vulnerability is a default configuration change, and a workaround is available, a software upgrade is not required to address this vulnerability. However, if you have a service contract, and wish to upgrade to unaffected code, you may obtain upgraded software through your regular update channels once that software is available. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's Worldwide Web site at http://www.cisco.com.
Customers using Third-party Support Organizations
-------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge.

Customers without Service Contracts
-----------------------------------

Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: [EMAIL PROTECTED]

Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
[Full-Disclosure] Exploit for Multiple Cisco Vulnerabilities Released
Proof-of-concept code has been publicly released that exploits multiple previous vulnerabilities in various Cisco products. The following list of vulnerabilities taken verbatim from the exploit code are affected. Included after each is a URL which may be referenced for more information regarding each vulnerability where Cisco has previously released a security advisory or response to address the issue. Customers should take steps to ensure that they have addressed each of these either via a software upgrade or workarounds in place as appropriate in order to mitigate any risk from this new exploit code.

[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
      CBOS - Improving Resilience to Denial-of-Service Attacks
      http://www.cisco.com/warp/public/707/CBOS-DoS.shtml

[2] - Cisco IOS Router Denial of Service Vulnerability
      Cisco IOS HTTP Server Vulnerability
      http://www.cisco.com/warp/public/707/ioshttpserver-pub.shtml

[3] - Cisco IOS HTTP Auth Vulnerability
      IOS HTTP Authorization Vulnerability
      http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
      IOS HTTP Authorization Vulnerability
      http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
      Cisco Catalyst SSH Protocol Mismatch Vulnerability
      http://www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml

[6] - Cisco 675 Web Administration Denial of Service Vulnerability
      Cisco is currently researching this vulnerability further.
      Mitigation methods have been available for some time such as setting the web server to listen on a different port:
      Code Red Worm - Customer Impact
      http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml#workarounds
      and through bugs resolved in the following advisory where the webserver under Cisco CBOS was enabled by default and listening on port 80 even when the web server was not configured.
      CBOS Web-based Configuration Utility Vulnerability
      http://www.cisco.com/warp/public/707/cisco-cbos-webserver-pub.shtml

[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
      Catalyst 3500 Issue Report: http://www.securityfocus.com/archive/1/141471
      Cisco Response: http://www.securityfocus.com/archive/1/144655

[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
      Cisco IOS HTTP Server Query Vulnerability
      http://www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml

[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
      A Vulnerability in IOS Firewall Feature Set
      http://www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml

This issue regarding the publication of new exploit code was first reported to Cisco by the NCC/Telecom-ISAC who also contributed to the content of this notice.
[Full-Disclosure] Cisco Security Advisory: Cisco OpenSSL Implementation Vulnerability
Cisco Security Advisory: Cisco OpenSSL Implementation Vulnerability

Revision 1.0
For Public Release 2004 March 17 at 1300 UTC (GMT)

Contents: Summary, Affected Products, Details, Impact, Software Versions and Fixes, Obtaining Fixed Software, Workarounds, Exploitation and Public Announcements, Status of This Notice: INTERIM, Distribution, Revision History, Cisco Security Procedures

Summary
=======

A new vulnerability in the OpenSSL implementation for SSL has been announced on March 17, 2004. An affected network device running an SSL server based on an affected OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack.

There are workarounds available to mitigate the effects of this vulnerability on Cisco products in the workaround section of this advisory. Cisco is providing fixed software, and recommends that customers upgrade to it when it is available.

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml.

Affected Products
=================

The following products have their SSL implementation based on the OpenSSL code and are affected by this vulnerability.

* Cisco IOS 12.1(11)E and later in the 12.1E release train. Only crypto images (56i and k2) are vulnerable for the Cisco 7100 and 7200 Series Routers.
* Cisco IOS 12.2SY release train. Only crypto images (k8, k9 and k91) are vulnerable for the Cisco Catalyst 6500 Series and Cisco 7600 Series Routers.
* Cisco PIX Firewall
* Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series and Cisco 7600 Series routers
* Cisco MDS 9000 Series Multilayer Switch
* Cisco Content Service Switch (CSS) 11000 series
* Cisco Global Site Selector (GSS) 4480
* CiscoWorks Common Services (CWCS) version 2.2 and CiscoWorks Common Management Foundation (CMF) version 2.1
* Cisco Access Registrar (CAR)

The following products have their SSL implementation based on the OpenSSL code and are not affected by this vulnerability.
* Cisco Secure Intrusion Detection System (NetRanger) appliance. This includes the IDS-42xx appliances, NM-CIDS and WS-SVS-IDSM2.
* Cisco SN 5428 and SN 5428-2 Storage Router
* Cisco CNS Configuration Engine
* Cisco Network Analysis Modules (NAM) for the Cisco Catalyst 6000 and 6500 Series switches and Cisco 7600 Series routers
* Cisco SIP Proxy Server (SPS)
* CiscoWorks 1105 Hosting Solution Engine (HSE)
* CiscoWorks 1105 Wireless LAN Solution Engine (WLSE)
* Cisco Ethernet Subscriber Solution Engine (ESSE)

The following products, which implement SSL, are not affected by this vulnerability.

* Cisco VPN 3000 Series Concentrators

CatOS does not implement SSL and is not vulnerable.

No other Cisco products are currently known to be affected by this vulnerability. This vulnerability is still being actively investigated across Cisco products and the status of some products has still not been determined.

Details
=======

Secure Sockets Layer (SSL) is a protocol used to encrypt the data transferred over a TCP session. SSL in Cisco products is mainly used by the HyperText Transfer Protocol Secure (HTTPS) web service for which the default TCP port is 443.

The affected products, listed above, are only vulnerable if they have the HTTPS service enabled and the access to the service is not limited to trusted hosts or network management workstations. To check if the HTTPS service is enabled one can do the following:

1. Check the configuration on the device to verify the status of the HTTPS service.
2. Try to connect to the device using a standard web browser that supports SSL using a URL similar to https://ip_address_of_device/.
3. Try and connect to the default HTTPS port, TCP 443, using Telnet: telnet ip_address_of_device 443. If the session connects the service is enabled and accessible.

Testing by the OpenSSL development team has uncovered a null-pointer assignment in the do_change_cipher_spec() function.
A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. This crash on many Cisco products would cause the device to reload. Repeated exploitation of this vulnerability would result in a Denial of Service (DoS) attack on the device.

Another flaw was also discovered in the SSL/TLS handshaking code when using Kerberos ciphersuites. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos
[Full-Disclosure] Cisco Security Advisory: Cisco CSS 11000 Series Content Services Switches Malformed UDP Packet Vulnerability
Cisco Security Advisory: Cisco CSS 11000 Series Content Services Switches Malformed UDP Packet Vulnerability

Revision 1
For Public Release 2004 March 4 at 1700 UTC (GMT)

Contents: Summary, Affected Products, Details, Impact, Software Versions and Fixes, Obtaining Fixed Software, Workarounds, Exploitation and Public Announcements, Status of This Notice: FINAL, Distribution, Revision History, Cisco Security Procedures

Summary
=======

The CSS 11000 Series Content Services Switches are vulnerable to a Denial of Service (DoS) attack caused by malformed UDP packets received over the management port. This vulnerability is documented as Cisco bug ID CSCed45747.

There is no workaround available to mitigate the effects of this vulnerability. Cisco is providing fixed software, and customers are recommended to upgrade to it.

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20040304-css.shtml.

Affected Products
=================

The CSS 11000 Series Content Services Switches (formerly known as Arrowpoint) consist of the CSS 11050, CSS 11150, and CSS 11800 hardware platforms. They run the Cisco WebNS software.

+---------------------+----------------------------+
| WebNS Release Train | Affected Releases          |
+---------------------+----------------------------+
| 5.0(x)              | earlier than 05.0(04.07)S  |
+---------------------+----------------------------+
| 6.10(x)             | earlier than 06.10(02.05)S |
+---------------------+----------------------------+

For clarification, the CSS 11500 Series Content Services Switches consisting of 11501, 11503, and 11506, the Cisco Global Site Selector (GSS) series switches, and the Content Switching Module (CSM) are not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

To determine your hardware model and software revision, type show chassis at the command line prompt.

Details
=======

If malformed UDP packets are sent to UDP port 5002, the default port for app-udp, on the management port of the CSS 11000 Series Content Services Switch running Cisco WebNS release 5.0(x) and 6.10(x) release trains the switch may reload.
This vulnerability exists even when the Network Proximity feature is not configured on the CSS 11000 Series Content Services Switch. Please refer to http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_610/advcggd/proximty.htm for more details on the Network Proximity feature.

Access to the management port of the CSS 11000 Series Content Services Switches is available solely through the physical management interface on the device; access via circuit VLANs is not implemented, and therefore the vulnerability can only be exploited through the management port.

This vulnerability is documented in the Cisco Bug Toolkit (registered customers only) as Bug ID CSCed45747.

Cisco WebNS release 7.10(x), 7.20(x), and 7.30(x) release trains have also had code changes but due to architectural differences they are not affected by this vulnerability.

The Internetworking Terms and Cisco Systems Acronyms online guides can be found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/.

Impact
======

Exploitation of this vulnerability results in a reload of the CSS 11000 Series Content Services Switches. Repeated exploitation of the vulnerability may result in a Denial of Service (DoS) for the CSS 11000 Series Content Services Switches.

Software Versions and Fixes
===========================

+---------------------+-------------------------+
| WebNS Release Train | Fixed Releases          |
+---------------------+-------------------------+
| 5.0(x)              | 05.0(04.07)S and later  |
+---------------------+-------------------------+
| 6.10(x)             | 06.10(02.05)S and later |
+---------------------+-------------------------+

The procedure to upgrade to the fixed software version is detailed at http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_administration_guide_chapter09186a0080176d04.html.

Obtaining Fixed Software
========================

Cisco is offering free software upgrades to address this vulnerability for all affected customers. Customers may only install and expect support for the feature sets they have purchased.
By installing, downloading, accessing or otherwise using such software upgrades, Customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as
[Full-Disclosure] Cisco Security Advisory: Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Vulnerabilities
Cisco Security Advisory: Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Vulnerabilities

Revision 1.0
For Public Release 2004 February 19 1700 UTC (GMT)

Contents: Summary, Affected Products, Details, Impact, Software Versions and Fixes, Obtaining Fixed Software, Workarounds, Exploitation and Public Announcements, Status of This Notice: FINAL, Distribution, Revision History, Cisco Security Procedures

Summary
=======

Multiple vulnerabilities exist in the Cisco ONS 15327 Edge Optical Transport Platform, the Cisco ONS 15454 Optical Transport Platform, the Cisco ONS 15454 SDH Multiplexer Platform, and the Cisco ONS 15600 Multiservice Switching Platform. These vulnerabilities are documented as Cisco bug ID CSCec17308/CSCec19124(tftp), CSCec17406(port 1080), and CSCec66884/CSCec71157(SU access).

There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20040219-ONS.shtml.

Affected Products
=================

* CSCec17308/CSCec19124(tftp)

  +------------------+--------------------------+
  | Product          | Affected Releases        |
  +------------------+--------------------------+
  | 15327            | 4.1(0) to 4.1(2)         |
  |                  | 4.0(x)                   |
  +------------------+--------------------------+
  | 15454, 15454 SDH | 4.5(x)                   |
  |                  | 4.1(0) to 4.1(2)         |
  |                  | 4.0(x)                   |
  +------------------+--------------------------+
  | 15600            | 1.0(x)                   |
  +------------------+--------------------------+

* CSCec17406(port 1080)

  +------------------+--------------------------+
  | Product          | Affected Releases        |
  +------------------+--------------------------+
  | 15327            | 4.1(0)                   |
  |                  | 4.0(0) to 4.0(1)         |
  +------------------+--------------------------+
  | 15454, 15454 SDH | 4.5(x)                   |
  |                  | 4.1(0)                   |
  |                  | 4.0(0) to 4.0(1)         |
  +------------------+--------------------------+
  | 15600            | Not Affected             |
  +------------------+--------------------------+

* CSCec66884/CSCec71157(SU access)

  +------------------+--------------------------+
  | Product          | Affected Releases        |
  +------------------+--------------------------+
  | 15327            | 4.1(0) to 4.1(2)         |
  |                  | 4.0(x)                   |
  +------------------+--------------------------+
  | 15454, 15454 SDH | 4.5(x)                   |
  |                  | 4.1(0) to 4.1(2)         |
  |                  | 4.0(x)                   |
  +------------------+--------------------------+
  | 15600            | 1.x(x) except for 1.1(1) |
  +------------------+--------------------------+

Products not affected by these vulnerabilities include the Cisco ONS 15800 series, ONS 15500 series extended service platform, ONS 15302, ONS 15305, ONS 15200 series metro DWDM systems, and the ONS 15190 series IP transport concentrator.
Cisco ONS 15327 hardware running ONS Release 1.x(x) and 3.x(x) and Cisco ONS 15454 hardware running ONS Releases 2.x(x) and 3.x(x) are not affected by these vulnerabilities.

No other Cisco products are currently known to be affected by these vulnerabilities.

To determine your software revision, view the Help About window on the CTC management software.

Details
=======

The affected Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 hardware is managed through the XTC, TCC+/TCC2, TCCi/TCC2, and TSC control cards respectively. These control cards are usually connected to a network isolated from the Internet and local to the customer's environment. This limits the exposure to the exploitation of the vulnerabilities from the Internet.

* CSCec17308/CSCec19124(tftp)

  The TFTP service on UDP port 69 is enabled by default to allow both GET and PUT commands to be executed without any authentication. Using a TFTP client, it is possible to connect to the optical device and upload or retrieve ONS system files on the current active TCC in the /flash0 or /flash1
[Full-Disclosure] Cisco Security Advisory: Cisco 6000/6500/7600 Crafted Layer 2 Frame Vulnerability
Cisco Security Advisory: Cisco 6000/6500/7600 Crafted Layer 2 Frame Vulnerability

Revision 1.0 - FINAL
For Public Release 2004 February 03 1600 UTC (GMT)

Contents: Summary, Affected Products, Details, Impact, Software Versions and Fixes, Obtaining Fixed Software, Workarounds, Exploitation and Public Announcements, Status of This Notice: FINAL, Distribution, Revision History, Cisco Security Procedures

Summary
=======

A layer 2 frame (as defined in the Open System Interconnection Reference Model) that is encapsulating a layer 3 packet (IP, IPX, etc.) may cause Cisco 6000/6500/7600 series systems with Multilayer Switch Feature Card 2 (MSFC2) that have a FlexWAN or Optical Services Module (OSM) or that run 12.1(8b)E14 to freeze or reset, if the actual length of this frame is inconsistent with the length of the encapsulated layer 3 packet. This vulnerability may be exploited repeatedly causing a denial of service.

This vulnerability has been addressed by the Cisco Bug IDs CSCdy15598 and CSCeb56052.

There is no workaround available. A software upgrade is needed to address the vulnerability.

This advisory will be posted on the Cisco worldwide website at http://www.cisco.com/warp/public/707/cisco-sa-20040203-cat6k.shtml.

Affected Products
=================

Cisco 6000/6500/7600 series systems with MSFC2 and a FlexWAN or OSM module are affected. Cisco 6000/6500/7600 series systems with MSFC2 that are running 12.1(8b)E14 are affected even if they do not have a FlexWAN or OSM module. Cisco 6000/6500/7600 series systems with a Supervisor 720 are not affected by this vulnerability. The affected systems may be running native or hybrid code.

The show module command can be used to determine if there is a FlexWAN or OSM module on the system. A FlexWAN module will have the part number WS-X6182-2PA. The OSM modules will have OSM in the part number.
Refer to http://www.cisco.com/warp/public/473/96.html for more information about determining the type of the MSFC used on the system.

This vulnerability only affects Cisco 6000/6500/7600 series systems with the specified hardware or software configuration. All other systems are not affected by this vulnerability even though they may run affected versions of IOS.

To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as Internetwork Operating System Software or simply IOS®. On the next line of output, the image name will be displayed between parentheses, followed by Version and the IOS release name. Other Cisco devices will not have the show version command or will give different output.

The following example identifies a Cisco product running IOS release 12.1(11b)E1 with an installed image name of C6MSFC2-JSV-M:

Cisco Internetwork Operating System Software
IOS (tm) MSFC2 Software (C6MSFC2-JSV-M), Version 12.1(11b)E1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Details
=======

A layer 2 frame that is encapsulating a protocol independent layer 3 packet (IP, IPX, etc.) may cause Cisco 6000/6500/7600 series systems with an MSFC2 to freeze or reset. The actual length of the layer 2 frame needs to be inconsistent with the length of the encapsulated layer 3 packet.

A layer 3 packet that is routed by the Cisco 6000/6500/7600 series systems may trigger this vulnerability if the packet is encapsulated in a specifically crafted layer 2 frame. Crafted packets must be software switched on the vulnerable systems to trigger this vulnerability. The packets that are switched in hardware will not trigger this vulnerability.

Although such frames can only be sent from the local network segment, there might be some cases where it is possible to trigger this vulnerability remotely.
For remote exploitation, the crafted layer 2 frames need to pass through all the intermediate layer 3 devices between the source and the destination without being clipped. Remote exploitation will not be possible even if only a single layer 3 device on the path from source to destination clips the crafted layer 2 frame. To the best of our knowledge, only Cisco 6000/6500/7600 series will forward such crafted frames without being corrected.

This vulnerability has been addressed by the Cisco Bug IDs CSCdy15598 and CSCeb56052.

* CSCdy15598 - Affects Cisco 6000/6500/7600 series with an MSFC2 and a FlexWAN or OSM module. The systems that do not have a FlexWAN or OSM will not be affected by this bug.
* CSCeb56052 - Affects Cisco 6000/6500/7600 series with an MSFC2 module. Only 12.1(8b)E14 is affected by this bug, other software versions are not affected. The systems without a FlexWAN or OSM will still be affected
[Full-Disclosure] Cisco Security Advisory: Buffer Overrun in Microsoft Windows 2000 Workstation Service (MS03-049)
Cisco Security Advisory: Buffer Overrun in Microsoft Windows 2000 Workstation Service (MS03-049)

Revision 1.0 - FINAL
For Public Release 2004 January 29 18:00 UTC (GMT)

Contents: Summary, Affected Products, Details, Impact, Software Versions and Fixes, Obtaining Fixed Software, Workarounds, Exploitation and Public Announcements, Status of This Notice: FINAL, Distribution, Revision History, Cisco Security Procedures

Summary
=======

This advisory describes a vulnerability that affects Cisco products and applications running on Microsoft Windows 2000. A vulnerability has been discovered that enables an attacker to execute arbitrary code or perform a denial of service (DoS) against the server.

These vulnerabilities were discovered and publicly announced by Microsoft in their Microsoft Security Bulletin MS03-049. More information about the vulnerability can be found at the following URL: http://www.microsoft.com/technet/security/bulletin/MS03-049.asp

All Cisco products and applications that are using unpatched Microsoft Windows 2000 are vulnerable.

This advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20040129-ms03-049.shtml

Affected Products
=================

To determine if a product is vulnerable, review the list below. If the software versions or configuration information are provided, then only those combinations are vulnerable.

This is a list of appliance software which needs patches downloaded from Cisco.
* Cisco CallManager
* Cisco Building Broadband Service Manager (BBSM)
  + BBSM Version 5.2
  + HotSpot 1.0
* Cisco Customer Response Application Server (CRA)
* Cisco Personal Assistant (PA)
* Cisco Conference Connection (CCC)
* Cisco Emergency Responder (CER)
* Cisco IP Call Center Express (IPCC Express)
* Cisco Internet Service Node (ISN)

Other Cisco products which run on a Microsoft based operating system should strongly consider loading the patch from Microsoft at the following URL: http://www.microsoft.com/technet/security/bulletin/MS03-049.asp

This list is not all inclusive. Please refer to Microsoft's bulletin if you think you have an affected Microsoft platform.

* Cisco Unity
* Cisco Building Broadband Service Manager (BBSM) versions 5.1 and prior
* Cisco uOne Enterprise Edition
* Cisco Latitude products
* Cisco Network Registrar (CNR)
* Cisco Internet Service Node (ISN)
* Cisco Intelligent Contact Manager (ICM) (Hosted and Enterprise)
* Cisco IP Contact Center (IPCC) (Express and Enterprise)
* Cisco E-mail Manager (CEM)
* Cisco Collaboration Server (CCS)
* Cisco Dynamic Content Adapter (DCA)
* Cisco Media Blender (CMB)
* TrailHead (Part of the Web Gateway solution)
* Cisco Networking Services for Active Directory (CNS/AD)
* Cisco SN 5400 Series Storage Routers (driver to interface to Windows server)
* CiscoWorks
  + CiscoWorks VPN/Security Management Solution (CWVMS)
  + User Registration Tool
  + Lan Management Solution
  + Routed WAN Management
  + Service Management
  + VPN/Security Management Solution
  + IP Telephony Environment Monitor
  + Small Network Management Solution
  + QoS Policy Manager
  + Voice Manager
* Cisco Transport Manager (CTM)
* Cisco Broadband Troubleshooter (CBT)
* DOCSIS CPE Configurator
* Cisco Secure Applications
  + Cisco Secure Scanner
  + Cisco Secure Policy Manager (CSPM)
  + Access Control Server (ACS)
* Videoconferencing Applications
  + IP/VC 3540 Video Rate Matching Module
  + IP/VC 3540 Application Server
* Cisco IP/TV Server

Details
=======

Default installations of Microsoft Windows 2000 Server automatically enable the Workstation service. This vulnerability is not isolated to Microsoft Windows 2000 Workstation edition. The Microsoft Windows 2000 Workstation service is vulnerable to buffer overflows and denial of service (DoS) attacks. This vulnerability can be exploited to execute arbitrary code on a computer system or to disrupt normal operation of the server.

The vulnerability has been described in more detail at the following URL: http://www.microsoft.com/technet/security/bulletin/MS03-049.asp

Impact
======

According to Microsoft, an attacker could gain System privileges on an affected system, or could cause the Workstation service to fail. For a full list of symptoms and for the most up to date information, please see Microsoft's Bulletin at the following URL:
[Full-Disclosure] Cisco Security Advisory: Voice Product Vulnerabilities on IBM Servers
Cisco Security Advisory: Voice Product Vulnerabilities on IBM Servers

Revision 1.0 - FINAL
For Public Release 2004 January 21 UTC 1700 (GMT)

Contents: Summary, Affected Products, Details, Impact, Software Versions and Fixes, Obtaining Fixed Software, Workarounds, Exploitation and Public Announcements, Status of This Notice: FINAL, Distribution, Revision History, Cisco Security Procedures

Summary
=======

The default installation of Cisco voice products on the IBM platform will install the Director Agent in an unsecure state, leaving the Director services vulnerable to remote administration control and/or Denial of Service attacks. The vulnerabilities can be mitigated by configuration changes and Cisco is providing a repair script that will close the vulnerable ports and put the Director agent in secure state without requiring an upgrade.

This advisory will be available at http://www.cisco.com/warp/public/707/cisco-sa-20040121-voice.shtml.

Affected Products
=================

Cisco voice products running on IBM servers installed with the default configurations are affected if they leave TCP or UDP port 14247 open. To verify this vulnerability, the administrator may open a command window on the server and type netstat -a. If port 14247 is listed, the server is vulnerable to remote administrative control and Denial of Service attacks.

Affected Cisco voice products:

* Cisco CallManager
* Cisco IP Interactive Voice Response (IP IVR)
* Cisco IP Call Center Express (IPCC Express)
* Cisco Personal Assistant (PA)
* Cisco Emergency Responder (CER)
* Cisco Conference Connection (CCC)
* Cisco Internet Service Node (ISN)

running on an IBM with an affected OS version.
Affected IBM-based server model numbers:

* IBM X330 (8654 or 8674)
* IBM X340
* IBM X342
* IBM X345
* MCS-7815-1000
* MCS-7815I-2.0
* MCS-7835I-2.4
* MCS-7835I-3.0

Affected OS Versions:

* All operating system (OS) versions running on an IBM server prior to OS 2000.2.6, which has not yet been released as of the date of this notice.

Details
=======

The default installations of Cisco voice products on IBM servers will install IBM Director in unsecure state leaving TCP and UDP ports 14247 open. Any Director Server/Console agent can connect over port 14247 to gain administrative level control without requiring authentication. Also, a network security scanner scanning port 14247 can trigger the IBM Director agent process twgipc.exe to use 100% of the CPU until the server is rebooted.

These vulnerabilities are documented in the two Cisco bug IDs:

* CSCed33037 - IBM Director agents default install allows remote access.
* CSCed23357 - IBM servers with Director agent 2.2 or 3.11 are vulnerable to a DoS.

Impact
======

A Cisco voice server with the IBM Director agent in unsecure state is susceptible to administrative level control and Denial of Service attacks. Administrative level control includes the following functionality: shutdown/power off/restart, remote command shell, file transfer, processes/services/device drivers stop and start, network configuration modification (including domain/workgroup membership), Windows 2000 user account creation, and SNMP configuration modification.

In a Denial of Service attack, an attacker can render the Cisco voice server inoperative with CPU utilization spiking to 100%, and the IBM server must be powered off or rebooted in order to regain control of the machine.

Software Versions and Fixes
===========================

The vulnerabilities are specific to Cisco voice products on IBM servers and all vulnerabilities listed in this advisory can be mitigated with the repair script without requiring an upgrade.
The repair script is available at: http://www.cisco.com/cgi-bin/tablebuild.pl/cmva-3des

Obtaining Fixed Software
========================

As the mitigation for the vulnerabilities is a repair script, a software upgrade is not required to address the vulnerabilities. However, if you have a service contract, and wish to upgrade to unaffected code, you may obtain upgraded software through your regular update channels once that software is available. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's Worldwide Web site at http://www.cisco.com.

If you need assistance with the implementation of the workarounds, or have questions on the workarounds, please contact the Cisco Technical Assistance Center (TAC).

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: [EMAIL PROTECTED]

See
[Full-Disclosure] Cisco Security Advisory: Cisco Personal Assistant User Password Bypass Vulnerability
Cisco Security Advisory: Cisco Personal Assistant User Password Bypass Vulnerability

Document ID: 47765
Revision 1.0 FINAL
For Public Release 2004 January 8 17:00 UTC (GMT)

Contents: Summary, Affected Products, Details, Impact, Software Versions and Fixes, Obtaining Fixed Software, Workarounds, Exploitation and Public Announcements, Status of This Notice: FINAL, Distribution, Revision History, Cisco Security Procedures

Summary
=======

Cisco Personal Assistant may permit unauthorized access to user configuration via the web interface. Once access is granted, user preferences and configuration can be manipulated. There is a workaround available and a software upgrade is not required to remove the vulnerability.

This issue is documented in Cisco Bug ID CSCec87825.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040108-pa.shtml

Affected Products
=================

Cisco Personal Assistant versions 1.4(1) and 1.4(2) only are affected. Cisco Personal Assistant versions 1.3(x) and prior are not affected. No other Cisco products are affected by this vulnerability.

To verify the version of Personal Assistant you are running, perform the following steps.

1. Log in to Personal Assistant through the web interface.
2. Browse to Help - About Cisco Personal Assistant.
3. Click the Details button and a window appears with the full version number.

Details
=======

Cisco Personal Assistant is a Microsoft Windows 2000 based application and is part of the AVVID solution. For more information on Personal Assistant, see: http://www.cisco.com/en/US/partner/products/sw/voicesw/ps2026/index.html

This vulnerability is only present if both of the following conditions are met:

* The Personal Assistant administrator has checked the Allow Only Cisco CallManager Users box through System - Miscellaneous Settings.
* The Personal Assistant Corporate Directory settings refer to the same directory service that is used by Cisco CallManager.
If both of the above criteria are met, then password authentication to Personal Assistant user configuration is disabled. This allows anyone to enter a valid User ID with any password and the user will be authorized to make configuration changes to that account. The default setting for Personal Assistant is that the Allow Only Cisco CallManager Users box is unchecked. Users access Personal Assistant by browsing to the address http://x.x.x.x/pauseradmin where x.x.x.x is the IP address or hostname of the Personal Assistant server. This vulnerability does not affect access to Personal Assistant through the telephony interface. Users access the telephony interface by dialing the Personal Assistant extension. Personal Assistant uses the user's CallManager Extension Mobility PIN or the Unity Subscriber Phone Password to authenticate users through the telephony interface. This vulnerability is documented as Cisco bug ID CSCec87825 Impact == This bug permits unauthorized configuration access to users' Personal Assistant settings. This vulnerability does not affect the system configuration of the Personal Assistant application. An attacker can modify the settings of a user, which can include modifying call routing to redirect calls for purposes of impersonation, or forwarding the user's number to a toll number, incurring charges. Software Versions and Fixes === All vulnerabilities listed in this advisory can be removed through configuration of the Personal Assistant server. No software update is required. Obtaining Fixed Software As the fix for this vulnerability is a configuration change, a software upgrade is not required to address this vulnerability. If you need assistance with the implementation of the fix, or have questions regarding the fix, please contact the Cisco Technical Assistance Center (TAC). Cisco TAC contacts are as follows. 
* +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: [EMAIL PROTECTED] See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages. Please do not contact either [EMAIL PROTECTED] or [EMAIL PROTECTED] for software upgrades. Workarounds === This vulnerability can be removed by de-selecting the checkbox Allow Only Cisco CallManager Users on the System - Miscellaneous Settings page of the Personal Assistant Administration site. This workaround will have no effect on the behavior of the Personal Assistant as CallManager and
[Full-Disclosure] Cisco Security Advisory: Cisco PIX Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco PIX Vulnerabilities

Revision 1.0
For Public Release 2003 December 15 at 1600 UTC (GMT)

Contents

  Summary
  Affected Products
  Details
  Impact
  Software Versions and Fixes
  Obtaining Fixed Software
  Workarounds
  Exploitation and Public Announcements
  Status of This Notice: Final
  Distribution
  Revision History
  Cisco Security Procedures

Summary

This advisory documents two vulnerabilities for the Cisco PIX firewall. These vulnerabilities are documented as CSCeb20276 (SNMPv3) and CSCec20244/CSCea28896 (VPNC).

There are workarounds available to mitigate the effects of CSCeb20276 (SNMPv3). No workaround is available for CSCec20244/CSCea28896 (VPNC).

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20031215-pix.shtml.

Affected Products

All Cisco PIX firewall devices running the affected Cisco PIX firewall software, as documented below, are affected by these vulnerabilities.

  * CSCeb20276 (SNMPv3): 6.3.1, 6.2.2 and earlier, 6.1.4 and earlier, 5.x.x and earlier.
  * CSCec20244/CSCea28896 (VPNC): 6.2.3 and earlier. 6.1.x and 5.x.x are not affected; they do not implement the VPNC feature.

The Firewall Services Module (FWSM) is also vulnerable to the SNMPv3 issue; that is documented at http://www.cisco.com/warp/public/707/cisco-sa-20031215-fwsm.shtml.

No other Cisco products are currently known to be affected by these vulnerabilities.

To determine your software revision, type show version at the command line prompt.

Details

  * CSCeb20276 (SNMPv3)

    The Cisco PIX firewall crashes and reloads while processing a received SNMPv3 message when snmp-server host ip_addr is configured on the Cisco PIX firewall. This happens even though the Cisco PIX firewall does not support SNMPv3.

  * CSCec20244/CSCea28896 (VPNC)

    Under certain conditions an established VPNC IPSec tunnel connection is dropped if another IPSec client attempts to initiate an IKE Phase I negotiation to the outside interface of a Cisco PIX firewall configured as a VPN Client. Only a Cisco PIX firewall configured as a VPN Client is affected by this vulnerability.

    A VPNC connection, also referred to as Easy VPN or ezVPN, is created when the Cisco PIX firewall is used as a VPN client to connect to a VPN server. An IKE Phase I negotiation is a step in the establishment of an IPSec session.

    CSCea28896 resolved this issue for the 6.3.x software releases and CSCec20244 resolved this issue for the 6.2(3.100) and later software releases.

The Internetworking Terms and Cisco Systems Acronyms online guides can be found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/.

These vulnerabilities are documented in the Cisco Bug Toolkit as Bug ID CSCeb20276 (SNMPv3) and CSCec20244/CSCea28896 (VPNC). To access this tool, you must be a registered user and you must be logged in.

Impact

  * CSCeb20276 (SNMPv3): This vulnerability can be exploited to initiate a Denial of Service attack on the Cisco PIX firewall.
  * CSCec20244/CSCea28896 (VPNC): This vulnerability can be exploited to initiate a Denial of Service attack on sessions established between a Cisco PIX configured as a VPN Client and a VPN server.

Software Versions and Fixes

  * CSCeb20276 (SNMPv3): 6.3.2 and later, 6.2.3 and later, 6.1.5 and later.
  * CSCec20244/CSCea28896 (VPNC): 6.3.1 and later, 6.2(3.100) and later.

The procedure to upgrade to the fixed software version is detailed at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/index.htm.

Obtaining Fixed Software

Cisco is offering free software upgrades to address these vulnerabilities for all affected customers. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at the Cisco Connection Online Software Center at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com/tacpage/sw-center/ciscosecure/pix.shtml. To access the software download URL, you must be a
[Full-Disclosure] Cisco Security Advisory: Vulnerability in Authentication Library for ACNS
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Vulnerability in Authentication Library for ACNS

Revision 1.0
For Public Release 2003 December 10 16:00 UTC (GMT)

Summary

By entering an overly long password, it may be possible to execute arbitrary code on a vulnerable device. This vulnerability affects all devices and hardware modules that are running ACNS software releases prior to 4.2.11 and 5.0.5. The workaround is to disable the CE GUI server.

This advisory will be available at http://www.cisco.com/warp/public/707/cisco-sa-20031210-ACNS-auth.shtml

Affected Products

All Cisco products running ACNS software versions prior to 4.2.11 or 5.0.5 are affected. The hardware models that support ACNS are:

  * Content Routers 4400 series
  * Content Distribution Manager 4600 series
  * Content Engine 500 and 7300 series
  * Content Engine Module for Cisco Routers 2600, 3600 and 3700 series

ACNS version 5.1 is not affected.

Details

By supplying an overly long password, it is possible to trigger a buffer overflow in the authentication module. This may enable an attacker to execute arbitrary code on the affected device.

This vulnerability is assigned Cisco bug IDs CSCeb25596 and CSCeb27087.

Impact

The impact of the exploitation of this vulnerability can range from a Denial-of-Service to complete control of the device.

Software Versions and Fixes

This vulnerability is fixed in the 4.2.11 and 5.0.5 releases of ACNS.

Obtaining Fixed Software

Cisco is offering free software upgrades to remedy this vulnerability for all affected customers. Customers may only install and expect support for the feature sets they have purchased.

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge.

Customers who purchase direct from Cisco but who do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale, should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). In those cases, customers may only upgrade to a later version of the same release as indicated by the applicable row in the Software Versions and Fixes table. TAC contacts are as follows:

  * +1 800 553 2447 (toll-free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * email: [EMAIL PROTECTED]

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.

Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Please do not contact either [EMAIL PROTECTED] or [EMAIL PROTECTED] for software upgrades.

Workarounds

The workaround is to disable the CE GUI server using the following command:

    no gui-server enable

Exploitation and Public Announcements

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was discovered during internal testing.

Status of This Notice: FINAL

This is a final advisory. Although Cisco cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Cisco will update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution

This notice will be posted on Cisco's worldwide website at http://www.cisco.com/warp/public/707/cisco-sa-20031210-ACNS-auth.shtml.

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients:

  * [EMAIL PROTECTED]
  * [EMAIL PROTECTED] (includes
[Full-Disclosure] Cisco Security Advisory: Unity Vulnerabilities on IBM-based Servers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Unity Vulnerabilities on IBM-based Servers

Revision Numeral 1.0
For Public Release 2003 December 10 17:00 UTC (GMT)

Contents

  Summary
  Affected Products
  Details
  Impact
  Software Versions and Fixes
  Obtaining Fixed Software
  Workarounds
  Exploitation and Public Announcements
  Status of This Notice
  Distribution
  Revision History
  Cisco Security Procedures

Summary

Recent installations of Cisco Unity running on IBM servers contain default user accounts and default IP addresses which should be removed or disabled immediately. Vulnerable systems can be identified by the part number on the installation disk or by following directions in the Workarounds section. Each vulnerability can be verified and removed manually without requiring an upgrade to new software or reinstallation.

This vulnerability only applies to IBM-based Cisco Unity systems installed with specific part numbers on the installation disks. No other platforms running Cisco Unity are vulnerable.

This advisory will be available at http://www.cisco.com/warp/public/707/cisco-sa-20031210-unity.shtml.

Affected Products

IBM-based Cisco Unity servers purchased either as an MCS server or with direct IBM branding and installed with the supplied Cisco Unity Server image disk may be affected. Cisco Unity servers with the unintended local user account bubba, default RAID Manager address, and default DHCP server address are affected. Following directions in the Workarounds section below, the existence of each account or address can be verified.

Part numbers imprinted on the installation disks with a local user account bubba, default RAID Manager address, and DHCP server address:

  80-7111-01 for the UNITY-SVRX255-1A
  80-7112-01 for the UNITY-SVRX255-2A

Part numbers imprinted on the installation disks with default RAID Manager address and DHCP server address (no local user account bubba):

  80-6750-01 for the Unity SVRX232-1A
  80-6765-01 for the UNITY-SVRX232-2A
  80-7108-01 and 80-7108-02 for the UNITY-SVRX205-1A
  80-7109-01 and 80-7109-02 for the UNITY-SVRX345-1A
  80-7110-01 and 80-7110-02 for the UNITY-SVRX345-2A
  80-7002-01 and 80-7003-01 for the UNITY-SVRX255-1A and UNITY-SVRX255-2A
  80-7243-01 for the MCS-7815i-2.0-ECS1
  80-7242-01 for the MCS-7835i-2.4-ECS1
  80-7241-01 for the MCS-7845i-2.4-ECS1
  80-7240-01 for the MCS-7845i-2.4-ECS2
  80-7237-01 plus 80-7239-01 for the MCS-7855i-1.5-ECS1
  80-7236-01 plus 80-7238-01 for the MCS-7855i-1.5-ECS2
  80-7237-01 plus 80-7239-01 for the MCS-7865i-1.5-ECS1
  80-7236-01 plus 80-7238-01 for the MCS-7865i-1.5-ECS2

Details

Local User Account Issue

A local user account bubba with log on locally rights was created during manufacturing testing.

RAID Manager Issue

After installation, if the RAID (Redundant Array of Inexpensive Disks) Management service is configured to start automatically and is not restricted to local-only, the service tries to establish a TCP session with a RAID server address which was used during testing at the manufacturer, and leaves TCP port 34571 open listening for remote contact. The TCP connection attempt is directed to an IP address embedded in the RaidNLst.ser file within the C:\Program Files\RaidMan directory. This is a configuration file which directs how and to whom Notification messages are sent for the RAID Management service (RaidServ.exe).

DHCP Issue

After installation, if the Cisco Unity Server is configured to get an IP address from a DHCP server and no local server exists, it will repeatedly send packets attempting to get an IP address from the DHCP server on the manufacturer's test network. The manufacturer's DHCP server IP address will remain in the registry until a local DHCP server is identified or a static entry is made for a local DHCP server.

Impact

Local User Account Issue

An unplanned local user account with log on locally rights leaves the system open to remote login, which may increase the risk of system compromise and unauthorized administrative access.

RAID Manager Issue

The RAID Management service attempts to connect to a RAID server on the manufacturer's test network and leaves the Cisco Unity Server listening on port 34571 for incoming TCP connections. The Cisco Unity Server is attempting to connect to a RAID server with a routable TCP/IP address that, as of the initial publication of this advisory, does not respond to pings or connection requests on the Internet, but good security practices suggest limiting connection attempts to known servers. No exploits related to port 34571 are known as of the initial publication of this advisory, but good security practices suggest closing all
[Full-Disclosure] Cisco Security Advisory: SNMP trap Reveals WEP Key in Cisco Aironet AP
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: SNMP trap Reveals WEP Key in Cisco Aironet AP

Revision 1.0
For Public Release 2003 December 02 17:00 UTC (GMT)

Summary

Cisco Aironet Access Points (AP) running Cisco IOS software will send any static Wired Equivalent Privacy (WEP) key in cleartext to the Simple Network Management Protocol (SNMP) server if the snmp-server enable traps wlan-wep command is enabled. Affected hardware models are the Cisco Aironet 1100, 1200, and 1400 series. This command is disabled by default. The workaround is to disable this command.

Any dynamically set WEP key will not be disclosed.

Cisco Aironet AP models running the VxWorks operating system are not affected by this vulnerability. No other Cisco product is affected.

This advisory will be available at http://www.cisco.com/warp/public/707/cisco-sa-20031202-SNMP-trap.shtml

Affected Products

Cisco Aironet Access Point 1100, 1200 and 1400 series running Cisco IOS are affected. The Cisco AP 350 running Cisco IOS software is not affected. Access Points running a VxWorks based operating system are not affected.

To determine if you are running Cisco IOS software, type this command on your workstation, replacing 10.0.0.1 with the IP address of your AP.

    host% telnet 10.0.0.1

If you are not presented with a menu in a graphic form but simply with a prompt (e.g., ap1200%), then you may be vulnerable. To further confirm that you are running Cisco IOS software, type the show version command at the prompt. If the result of the command is similar to the example below, then you are running Cisco IOS software.

    ap1200# show version
    Cisco Internetwork Operating System Software
    IOS (tm) C1200 Software (C1200-K9W7-M), Version 12.2(11)JA1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Mon 07-Jul-03 13:48 by ccai
    Image text-base: 0x3000, data-base: 0x004D46F4

If you have determined that Cisco IOS software is being used on the AP, execute the following command.

    ap1200# show running
    .
    .
    .
    snmp-server enable traps tty
    snmp-server enable traps dot11-qos
    snmp-server enable traps wlan-wep

If your configuration contains the line snmp-server enable traps wlan-wep, then you are vulnerable.

Details

If enabled, the snmp-server enable traps wlan-wep command will send static WEP keys in cleartext to the SNMP server every time a key is changed or the AP is rebooted.

This vulnerability is opportunistic, and the following conditions must be met for the vulnerability to be exploited.

  * snmp-server enable traps wlan-wep must be enabled. (It is disabled by default.)
  * An adversary must be able to intercept SNMP packets sent from the AP to the SNMP server.
  * The AP in question must be rebooted or a static WEP key changed.

Under these circumstances, an adversary will be able to intercept all static WEP keys.

Dynamically configured WEP keys are not affected by this vulnerability and they will not be revealed. A WEP key is dynamically configured if you are using one of the Extensible Authentication Protocol (EAP) authentication protocols. The following EAP protocols are currently supported in Cisco APs: LEAP, EAP-TLS, PEAP, EAP-MD5, and EAP-SIM.

This vulnerability is assigned Cisco bug ID CSCec55538.

Impact

By being able to intercept a static WEP key, an attacker can drastically reduce the effort to break WEP encryption. Please note that this is true only for cases in which you are not using one of the EAP protocols but are using only static WEP keys.

Software Versions and Fixes

The vulnerable IOS releases are: 12.2(8)JA, 12.2(11)JA and 12.2(11)JA1. The first fixed release is 12.2(13)JA1.

Obtaining Fixed Software

Cisco is offering free software upgrades to remedy this vulnerability for all affected customers. Customers may only install and expect support for the feature sets they have purchased.

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge.

Customers who purchase direct from Cisco but who do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale, should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). In those cases, customers may only upgrade to a
[Full-Disclosure] Cisco Security Advisory: SSL Implementation Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: SSL Implementation Vulnerabilities

Revision 1.0
For Public Release 2003 September 30 at 2330 GMT

Contents

  Summary
  Affected Products
  Details
  Impact
  Software Versions and Fixes
  Obtaining Fixed Software
  Workarounds
  Exploitation and Public Announcements
  Status of This Notice: INTERIM
  Distribution
  Revision History
  Cisco Security Procedures

Summary

New vulnerabilities in the OpenSSL implementation for SSL have been announced. An affected network device running an SSL server based on the OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack when presented with a malformed certificate by a client. The network device is exposed to this vulnerability even if it is configured not to authenticate certificates from the client.

There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20030930-ssl.shtml.

Affected Products

The following products have their SSL implementation based on the OpenSSL code and may be affected by the OpenSSL vulnerabilities.

  * Cisco IOS 12.1(11)E and later in the 12.1E release train
  * Cisco PIX Firewall
  * Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series and Cisco 7600 Series routers
  * Cisco Network Analysis Modules (NAM) for the Cisco Catalyst 6000 and 6500 Series switches and Cisco 7600 Series routers
  * Cisco Content Service Switch (CSS) 11000 series
  * Cisco Global Site Selector (GSS) 4480
  * Cisco Application Content Networking Software (ACNS)
  * Cisco SN 5428 Storage Router
  * CiscoWorks 1105 Hosting Solution Engine (HSE)
  * CiscoWorks 1105 Wireless LAN Solution Engine (WLSE)
  * CiscoWorks Common Services (CMF)
  * Cisco SIP Proxy Server (SPS)

The following products, which implement SSL, are currently known to be not vulnerable to the OpenSSL vulnerabilities.

  * Cisco VPN 3000 Series Concentrators
  * Cisco Secure Intrusion Detection System (NetRanger) appliance. This includes the IDS-42xx appliances, NM-CIDS and WS-SVS-IDSM2.
  * Cisco Secure Socket Layer (SSL) Services Module for the Cisco Catalyst 6500 Series and Cisco 7600 Series routers
  * Cisco Call Manager

No other Cisco products are currently known to be affected by these vulnerabilities.

Details

An affected network device running an SSL server based on the OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack when presented with a malformed certificate by a client. The network device is exposed to this vulnerability even if it is configured not to authenticate certificates from the client.

More information on these OpenSSL vulnerabilities is available at http://www.openssl.org/news/secadv_20030930.txt.

  * Cisco IOS - All 12.1(11)E and later IOS software releases in the 12.1E release train are affected by the OpenSSL vulnerabilities. The command no ip http secure-server may be used to disable the HTTPS web service on the device.
  * Cisco PIX Firewall - This vulnerability is documented as Bug ID CSCec31274.
  * Cisco Firewall Services Module (FWSM) - This vulnerability is documented as Bug ID CSCec45573.
  * Cisco Network Analysis Modules (NAM) - This vulnerability is documented as Bug ID CSCec45573.
  * Cisco Content Service Switch (CSS) 11000 series - Cisco WebNS versions 6.x and 7.x are vulnerable. WebNS version 5.x is not vulnerable to the OpenSSL vulnerabilities. This vulnerability is documented as Bug IDs CSCec45165 and CSCec45342.
  * Cisco Global Site Selector (GSS) 4480 - This vulnerability is documented as Bug ID CSCec45380.
  * Cisco Application Content Networking Software (ACNS) - This vulnerability is documented as Bug ID CSCec41413.
  * Cisco SN 5428 Storage Router - This vulnerability is documented as Bug ID CSCec44103.
  * CiscoWorks 1105 Hosting Solution Engine (HSE) - This vulnerability is documented as Bug ID CSCec38542.
  * CiscoWorks 1105 Wireless LAN Solution Engine (WLSE) - This vulnerability is documented as Bug ID CSCec38526.
  * CiscoWorks Common Services (CMF) - Both the Solaris and Windows versions of CMF 2.2 and CMF 2.1 are vulnerable. Windows versions of Core 1.0 are also vulnerable. This vulnerability is documented as Bug ID CSCec43722.
  * Cisco SIP Proxy Server (SPS) - This vulnerability is documented as Bug ID CSCec31901.

Impact

An affected network device
[Full-Disclosure] Cisco Security Notice: Nachi Worm Mitigation Recommendations
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Notice: Nachi Worm Mitigation Recommendations

Document ID: 44665
Revision 1.0

Contents

  Summary
  Details
  Detection
    Using IOS with NetFlow Enabled to Detect Infected Hosts
    Using CatOS with Sup2 and MLS to Detect Infected Hosts
    CSIDS Signature
  Symptoms
  Affected Products
  Software Version and Fixes
    Cisco CallManager, Cisco Customer Response Server/Cisco IP Contact Center Express, Cisco Personal Assistant, Cisco Conference Connection, Cisco Emergency Responder
    Cisco Building Broadband Service Manager
    Other Windows-based Cisco Products
  Obtaining Fixed Software
  Workarounds
    Policy Based Routing for IOS
    ACL for IOS
    Cisco 12000
    VACL on the 6500
    Catalyst 3550
    Catalyst 2950
    Catalyst 2900XL and 3500XL
    PIX
  Exploitation and Public Announcements
  Status of This Notice: INTERIM
  Distribution
  Revision History
  Cisco Security Procedures
  Related Information

Summary

Cisco customers are currently experiencing high volumes of network traffic from both internal and external systems due to a new worm that is active on the Internet. Many of the network issues from this worm are caused by high volumes of 92 byte ICMP type 8 (echo request) packets. Symptoms on Cisco devices include, but are not limited to, high CPU and traffic drops on the input interfaces. This document focuses on both mitigation techniques and affected Cisco products that need software supplied by Cisco or operating system patches from Microsoft to patch properly.

The worm has been referenced by the name Nachi. This worm exploits two vulnerabilities previously disclosed by Microsoft, details of which can be found at the following URLs:

  http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
  http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

Details

Details of the worm can be found on Microsoft's web site:
http://www.microsoft.com/technet/security/virus/alerts/nachi.asp

The effects of this worm can be mitigated by blocking the protocols and ports it uses to spread itself, scan for new infections, and propagate the executable code. This document focuses on blocking the spread of the worm, either before or after your internal network is infected.

This worm spreads using valid protocols and ports. Blocking those ports may break existing functionality, such as network monitoring, file sharing, or TFTP. As with all network configurations, Cisco recommends you establish documentation of baseline traffic during normal times, and use that to make decisions about blocking ports or traffic in your network. Block ports with caution to avoid disabling functionality in your network. Brief descriptions of the normal usage of these ports are listed below.

ICMP protocol type 8, also known as an echo request, is used by the widely known ping utility for connectivity testing and network monitoring purposes. Blocking this protocol can prevent the spreading of the worm but may cause some problems in network diagnostics.

TCP port 135 is used for the MS RPC protocol. This port is needed by many RPC based applications that depend on the service, such as the Windows Internet Name Service (WINS), DHCP server, Terminal Services and others. This is one port where the initial vulnerability is exploited, through the MS RPC DCOM vulnerability described in MS03-026, initiating a sequence of events that fully infects a machine. Blocking port 135 can prevent initial infections, but may disable other functionality within your network.

TCP port 80 is used by the HyperText Transport Protocol (HTTP). This port is primarily used by World Wide Web servers (WWW). The Nachi worm attempts to exploit the vulnerability described by MS03-007 to infect a machine. Blocking port 80 can prevent initial infections, but may break web-based applications.

TCP port 707 is used by the worm as a control channel through which commands are passed to download files named svchost.exe and dllhost.exe from an infected server. Blocking port 707 can prevent infections by preventing the ability to pass the commands to the vulnerable target to download the worm binaries.

UDP port 69 is used by the Trivial File Transport Protocol (TFTP), often used to load new software images or configurations to networked devices. A host infected with the Nachi worm opens up this port to transfer the svchost.exe and dllhost.exe files from an infected machine to a newly exploited machine. Blocking this port may prevent the spread of
[Full-Disclosure] Cisco Security Advisory Update: TFTP Long Filename Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PSIRT has updated the advisory about the TFTP Long Filename Vulnerability and added PXM-1 based MGX switches as affected products. Please refer to the advisory at the following URL for more information.

http://www.cisco.com/warp/public/707/ios-tftp-long-filename-pub.shtml

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/O9IJezGozzK2tZARAnFaAKCBxbHeWhhan/qNUfuFebohMNZF1ACgv7eE
5Nk0xqilA2N4y2bSA9i0yR8=
=yTpU
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Cisco Security Advisory: CiscoWorks Application Vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: CiscoWorks Application Vulnerabilities Revision Numeral 1.0: INTERIM = For Public Release 2003 August 13 UTC 1500 - --- Contents Summary Affected Products Details Impact Software Versions and Fixes Obtaining Fixed Software Workarounds Exploitation and Public Announcements Status of This Notice: INTERIM Distribution Revision History Cisco Security Procedures - --- Summary === CiscoWorks Common Management Foundation (CMF), also packaged as part of CiscoWorks CD One, provides an application infrastructure foundation, allowing all CiscoWorks applications to share a common model for data storage, login, user role definitions, access privileges, and security protocols, as well as for navigation and launch management. Two vulnerabilities exist in CiscoWorks CMF versions prior to and including 2.1. The first vulnerability is a privilege escalation vulnerability where a guest user may obtain administrative privileges within the application via a specially crafted URL. The second vulnerability is an ability to run arbitrary commands on the CiscoWorks server due to an error in processing user input. This notice will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20030813-cmf.shtml. Cisco is making patches available for CMF versions 2.0 and 2.1, free of charge, to correct the problem. Affected Products = The following products are affected: * All versions of CiscoWorks CD One (1st through 5th editions) * Resource Manager Essentials (RME) versions 2.0, 2.1, and 2.2 * Cisco Resource Manager (CRM) versions 1.0 and 1.1 CiscoWorks CD One is included as the base for all CiscoWorks management solutions, such as the LAN Management Solution, Routed WAN Management Solution, Small Network Management Solution, and VPN/Security Management Solution. 
To determine the version of the Common Management Foundation which is installed, navigate through the menus within CiscoWorks, starting with the tab on the left titled Server Configuration, and locate the screen titled Applications and Versions under the folder named About the Server. Look for the entry in the table labeled Common Management Foundation and the corresponding version.

Details
=======
The first vulnerability allows a non-privileged user of the CiscoWorks application, including the guest account if enabled, to send a specially crafted URL to the CiscoWorks server and acquire administrative privileges without authentication. Cisco Bug ID CSCdy33916 describes this vulnerability.

The second vulnerability permits an authenticated user of the CiscoWorks application to run arbitrary commands on the CiscoWorks server as casuser, the username under which the application runs. Cisco Bug ID CSCea15281 describes this vulnerability.

Impact
======
* CSCdy33916 - The guest user or a normal user is capable, with a specifically crafted URL, of obtaining administrative privileges within the application, allowing the user to perform tasks it would otherwise not be allowed to do. Examples of such tasks are approval of scheduled changes such as software upgrades; adding and removing devices; adding, removing, and modifying accounts on the server; and viewing device configurations stored in the local archive.

* CSCea15281 - A normal user is capable, with a specifically crafted URL, of running commands remotely on the CiscoWorks server to perform tasks they would otherwise not have access to. An example of such a task is viewing device configurations stored in the local archive.

Software Versions and Fixes
===========================
Both vulnerabilities have been resolved in CiscoWorks Common Services 2.2. Patches for CMF versions 2.0 and 2.1 should be available by the end of August 2003 (date subject to change).
Should the availability date change, Cisco will update this advisory to reflect the new availability date.

Obtaining Fixed Software
========================
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Product Upgrade Tool at http://tools.cisco.com/gct/Upgrade/jsp/index.jsp (registered customers only).

Customers whose Cisco products are provided or maintained through a prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge.

Customers who purchase/license the product directly from Cisco, but who do not hold a Cisco service contract and
[Full-Disclosure] Cisco Security Advisory: HTTP GET Vulnerability in AP1x00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: HTTP GET Vulnerability in AP1x00

Revision 1.0
For Public Release 2003 July 28 16:00 UTC (GMT)

Contents
========
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

Summary
=======
A vulnerability has been reported by an external researcher in the Cisco IOS(R) software release for Cisco Aironet AP1x00 Series Wireless devices. The vulnerability affects only IOS-based Cisco Aironet Wireless products. The VxWorks-based Cisco Aironet Wireless devices are not affected.

This vulnerability can cause the AP1x00 to reload and is documented as Cisco bug ID CSCeb49869 (registered customers only) (also CAN-2003-0511). There are workarounds available to mitigate the effects of this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml.

The external report can be found at http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm. Although it mentions two issues, only one is addressed by this advisory. The other issue, Cisco bug ID CSCdz29724 (registered customers only) (also CAN-2003-0512), is present in all IOS software and is duplicated by the AP1x00-specific Cisco bug ID CSCeb49842 (registered customers only). More details about it can be found at http://www.cisco.com/warp/public/707/cisco-sn-20030724-ios-enum.shtml.
Affected Products
=================
Only the following Cisco IOS-based wireless Access Points are affected:

+-------------------------------------+---------------------------+
| Hardware Model                      | Software Release(s)       |
+-------------------------------------+---------------------------+
| Cisco Aironet Wireless Access Point | 12.2(4)JA, 12.2(4)JA1,    |
| AP1100 series                       | 12.2(8)JA, 12.2(11)JA     |
+-------------------------------------+---------------------------+
| Cisco Aironet Wireless Access Point | 12.2(8)JA, 12.2(11)JA     |
| AP1200 series                       |                           |
+-------------------------------------+---------------------------+
| Cisco Aironet Wireless Bridge       | 12.2(11)JA                |
| AP1400 series                       |                           |
+-------------------------------------+---------------------------+

All previous VxWorks-based software releases for the Cisco Aironet Access Point 1200 are not affected. That includes the following, and earlier, software releases: 11.56, 12.01T1, 12.02T1, 12.03T.

To determine your software release, log on to the Access Point using any available account and execute the following command:

    access-point# show ver
    Cisco Internetwork Operating System Software
    IOS (tm) C1100 Software (C1100-K9W7-M), Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2003 by cisco Systems, Inc.

The Cisco IOS software version is displayed in the second line of the output. In this example it is 12.2(8)JA.

Details
=======
Sending a malformed URL to the Cisco Aironet AP1x00 can cause the device to reload.

Impact
======
Repeated exploitation of this vulnerability can lead to a prolonged Denial-of-Service (DoS) of the AP1x00.

Software Versions and Fixes
===========================
The vulnerability is fixed in the 12.2(11)JA1 version of the software for all Cisco Aironet AP1x00 devices.

Obtaining Fixed Software
========================
Cisco is offering free software upgrades to address these vulnerabilities for all affected customers. Customers may only install and expect support for the feature sets they have purchased.
By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at the Cisco Connection Online Software Center at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Customers with service contracts should contact their regular update channels to obtain the free software upgrade identified via this advisory. For most customers with service contracts, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com/tacpage/sw-center/sw-wireless.shtml. To access the software download URL, you must be a registered user and you must be logged in.

Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers,
[Full-Disclosure] Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet

Revision 1.3
Last Updated 2003 July 17 at 23:00 UTC (GMT)
For Public Release 2003 July 17 at 6:10 UTC (GMT)

Contents
========
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: INTERIM
Distribution
Revision History
Cisco Security Procedures

Summary
=======
Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets with specific protocol fields sent directly to the device may cause the input interface to stop processing traffic once the input queue is full. No authentication is required for the device to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not affected.

A workaround is available. Cisco has made software available, free of charge, to correct the problem.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.

Affected Products
=================
This issue affects all Cisco devices running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets. Cisco devices which do not run Cisco IOS software are not affected. Devices which run only Internet Protocol version 6 (IPv6) are not affected.

Details
=======
Cisco routers are configured to process and accept Internet Protocol version 4 (IPv4) packets by default.
A rare, specially crafted sequence of IPv4 packets with protocol type 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND), or 103 (Protocol Independent Multicast - PIM) which is handled by the processor on a Cisco IOS device may force the device to incorrectly flag the input queue on an interface as full, which causes the router to stop processing inbound traffic on that interface. This can cause routing protocol adjacencies to drop when their dead timers expire.

Interfaces which are explicitly configured to run PIM are not affected by traffic with protocol type 103. An interface with PIM enabled has one of the following three commands in its interface configuration: ip pim dense-mode, ip pim sparse-mode, or ip pim sparse-dense-mode.

On Ethernet interfaces, Address Resolution Protocol (ARP) entries time out after a default time of four hours, after which no traffic can be processed. The device must be rebooted to clear the input queue on the interface, and will not reload without user intervention. The attack may be repeated on all interfaces, leaving the router remotely inaccessible. A workaround is available, and is documented in the Workarounds section.

The following two Cisco vulnerabilities are documented in DDTS:

* CSCea02355 (registered customers only) affects all Cisco routers running Cisco IOS software. This documents the flaw with protocols 53, 55, and 77.

* CSCdz71127 (registered customers only) was introduced by an earlier code revision, and documents an input queue vulnerability to protocol 103 on a device which is not configured for PIM. Any version of software which has the fix for CSCdx02283 (registered customers only) is vulnerable.

Registered customers can find more details using the Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl (registered customers only).

To identify a blocked input interface, use the show interfaces command and look for the Input Queue line.
If the current size (in this case, 76) is larger than the maximum size (75), the input queue is blocked. Use the show buffers command and look for the prot field. Below are two examples:

    Router#show interface ethernet 0/0
    Ethernet0/0 is up, line protocol is up
      Hardware is AmdP2, address is 0050.500e.f1e0 (bia 0050.500e.f1e0)
      Internet address is 172.16.1.9/24
      MTU 1500 bytes, BW 1 Kbit, DLY 1000 usec, rely 255/255, load 1/255
      Encapsulation ARPA, loopback not set, keepalive set (10 sec)
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:41, output 00:00:07, output hang never
      Last clearing of show interface counters 00:07:18
      Input queue: 76/75/1091/0 (size/max/drops/flushes); Total output drops: 0
      !--- The 76/75 shows that this is blocked

    Router#show buffers input-interface serial 0/0
    Buffer information for Small buffer at 0x612EAF3C
      data_area 0x7896E84, refcount 1, next 0x0, flags 0x0
      linktype 7 (IP), enctype 0
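The blocked-queue test above (input queue size greater than its maximum) is easy to apply by eye to one interface and tedious across a fleet. The following is an added example, not part of the Cisco advisory, that parses "show interfaces" output and reports every interface in that state. The sample output is constructed for the example, modelled on the excerpt above; the interface names, the Serial0/0 and Ethernet0/1 entries and their counters are assumptions.

```python
import re

# Constructed "show interfaces" output modelled on the excerpt in the advisory;
# it is not a capture from a real router. Ethernet0/0 reproduces the wedged
# 76/75 queue, Serial0/0 is idle, Ethernet0/1 is full but not over its maximum.
SAMPLE_SHOW_INTERFACES = """\
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0050.500e.f1e0 (bia 0050.500e.f1e0)
  Internet address is 172.16.1.9/24
  Input queue: 76/75/1091/0 (size/max/drops/flushes); Total output drops: 0
Serial0/0 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Ethernet0/1 is up, line protocol is up
  Input queue: 75/75/12/0 (size/max/drops/flushes); Total output drops: 0
"""

# Interface banner lines start in column 0; the per-interface detail lines are
# indented, so the banner regex is anchored to the start of the line.
IFACE_RE = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)")
QUEUE_RE = re.compile(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+) \(size/max/drops/flushes\)")


def parse_input_queues(text):
    """Map each interface name to its (size, max, drops, flushes) tuple."""
    queues = {}
    current = None
    for line in text.splitlines():
        banner = IFACE_RE.match(line)
        if banner:
            current = banner.group(1)
            continue
        queue = QUEUE_RE.search(line)
        if queue and current is not None:
            queues[current] = tuple(int(field) for field in queue.groups())
    return queues


def blocked_interfaces(text):
    """Interfaces whose input queue size exceeds its configured maximum.

    That is the advisory's test for a wedged interface (76/75 in its example).
    A queue that is merely full (75/75) can be ordinary congestion and is not
    reported here; watch it for the drop counter climbing while size never falls.
    """
    return sorted(name for name, (size, limit, _drops, _flushes)
                  in parse_input_queues(text).items() if size > limit)


if __name__ == "__main__":
    for name, (size, limit, drops, flushes) in parse_input_queues(SAMPLE_SHOW_INTERFACES).items():
        print(f"{name:<12} size={size} max={limit} drops={drops} flushes={flushes}")
    print("blocked:", blocked_interfaces(SAMPLE_SHOW_INTERFACES))
```

Feed it the output of "show interfaces" collected over SSH or a console server; an interface reported here while its drop counter keeps rising is the condition the advisory says only a reload clears.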
[Full-Disclosure] Cisco Security Advisory: Cisco Content Service Switch 11000 Series DNS Negative Cache of Information Denial-of-Service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Content Service Switch 11000 Series DNS Negative Cache of Information Denial-of-Service Vulnerability

Revision 1.0
For Public Release 2003 April 30 15:00 (GMT)

Summary
=======
The Cisco Content Service Switch (CSS) 11000 and 11500 series switches respond to certain Domain Name Service (DNS) name server record requests with an error code and no Start of Authority (SOA) records, which can be negatively cached by some DNS name servers, resulting in a potential denial-of-service for a particular domain name hosted by a CSS. To be affected by this vulnerability, CSS devices must be configured for Global Server Load Balancing.

The CERT/CC issued a vulnerability note on this issue (VU#714121).

Cisco is providing repaired software, and customers are urged to upgrade to repaired code. This vulnerability in CSS is documented as Cisco Bug IDs CSCdz62499 and CSCea36989.

This advisory will be available at http://www.cisco.com/warp/public/707/cisco-sa-20030430-dns.shtml.

Affected Products
=================
The CSS 11000 and 11500 series switches (formerly known as Arrowpoint) consist of the CSS 11050, CSS 11150, CSS 11800, 11501, 11503, and 11506 hardware platforms. They run the Cisco WebNS software.

CSS 11000 and 11500 series switches running any WebNS software revision are affected by this vulnerability only if they are configured for Global Server Load Balancing (also known as DNS Load Balancing). To determine if your CSS equipment is configured for Global Server Load Balancing, check the configuration for the dns-server command. If this command is not present, the configuration is not vulnerable to this issue.

No other Cisco product is currently known to be affected by this vulnerability.

Details
=======
Commonly, the name service in use by the Internet, DNS, uses various record types for queries between DNS servers and clients.
The common record types are Address records (A records), Name Server records (NS records), Mail Exchange records (MX records), Start of Authority records (SOA records), and Canonical Name records (CNAME records). Each record or query type has various rules and formats associated with it, including details about what may be cached, what may be trusted by other clients, and so on.

Clients usually send queries to a local server, and that local server may send further queries to other servers on behalf of that client in order to formulate a response for the client. When the local server receives the responses, it caches the information for future use and responds to the client.

The CSS 11000 and 11500 series switches have the ability to act as an authoritative DNS name server and will only respond to DNS A-record requests. If a CSS configured for DNS via the Global Server Load Balancing feature receives a DNS request or query for an unsupported record type, the CSS responds with rcode 4 (not implemented) or rcode 3 (NXDOMAIN), depending on the version of WebNS.

When an NXDOMAIN response code is received, the querying server will typically stop attempting to resolve any other record type for that name. For example, an NXDOMAIN response to a query for some other record type may stop the server from sending an A query, though there may indeed be an A-record in existence. Some resolvers that receive an NXDOMAIN response and support negative caching will not query for A-records for the same name until the negatively cached error response has expired, which can take an extended period of time.

When the DNS query received is for a legitimate host name but an unsupported record type, these negative responses may be cached by various proxies or caching nameservers and will lead to apparent temporary service outages when other clients query the caching nameserver or proxy for the legitimate host name.
Though network services are physically unaffected, end users depend on name resolution, and the lack of correct DNS information can result in effective service outages.

Cisco Bug ID CSCdz62499 was the first fix, which changed the response from rcode 3 to rcode 4. This result code is also negatively cached by some resolvers, so the complete fix is addressed with Cisco Bug ID CSCea36989. The CSS now returns an RFC 2308-compliant NODATA type 3 response, which is an authoritative answer with rcode=NOERROR, answer=0, and no SOA. This response should cause the client to query for the A-record instead of continuing to query for the unsupported record type or using the negatively cached error message or NXDOMAIN answer.

Impact
======
Exploitation of this vulnerability would result in a sporadic or partial denial of service, affecting only the users of the DNS services that cache the negative response information in response to an
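The difference between the three CSS replies is only a few header bits, but it decides whether a caching resolver keeps asking for the A record. The following is an added example, not part of the Cisco advisory or the WebNS code, that builds the wire-format reply for each stage (original rcode 3, the CSCdz62499 rcode 4 fix, the CSCea36989 NODATA fix) and runs them through a toy resolver that negatively caches the way the advisory and RFC 2308 describe. The host name www.example.com, the A answer 192.0.2.10 and the resolver's internals are assumptions made for the example; only header fields are modelled.

```python
import struct

NOERROR, NXDOMAIN, NOTIMP = 0, 3, 4
TYPE_A, TYPE_MX = 1, 15
FLAG_QR, FLAG_AA = 0x8000, 0x0400


def encode_name(name):
    """DNS wire encoding of a host name (length-prefixed labels, zero terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def css_response(query_id, name, qtype, firmware):
    """Reply a GSLB-configured CSS gives, at each stage the advisory describes.

    Only A queries are answered with data. For any other type:
      "original"   -> rcode 3 NXDOMAIN
      "CSCdz62499" -> rcode 4 NOTIMP
      "CSCea36989" -> NODATA: NOERROR, AA set, no answers, no SOA in authority
    The A answer (192.0.2.10, 60 s TTL) is constructed for this example.
    """
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    if qtype == TYPE_A:
        header = struct.pack("!HHHHHH", query_id, FLAG_QR | FLAG_AA | NOERROR, 1, 1, 0, 0)
        answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + bytes([192, 0, 2, 10])
        return header + question + answer
    rcode = {"original": NXDOMAIN, "CSCdz62499": NOTIMP, "CSCea36989": NOERROR}[firmware]
    header = struct.pack("!HHHHHH", query_id, FLAG_QR | FLAG_AA | rcode, 1, 0, 0, 0)
    return header + question


def parse_header(message):
    """Decode the 12-byte DNS header into the fields a caching resolver acts on."""
    qid, flags, _qdcount, ancount, nscount, _arcount = struct.unpack("!HHHHHH", message[:12])
    return {"id": qid, "aa": bool(flags & FLAG_AA), "rcode": flags & 0x000F,
            "ancount": ancount, "nscount": nscount}


class NegativeCachingResolver:
    """Toy caching resolver with the behaviour the advisory warns about.

    NXDOMAIN is cached against the whole name (RFC 2308 section 5: the name does
    not exist, so no type is asked for again until the entry expires). The rcode 4
    reply of the first fix is likewise treated as a cached failure for the name,
    as the advisory says some resolvers do. A NODATA reply without an SOA cannot
    be negatively cached (RFC 2308 section 5), so a later query for a different
    type goes back to the authoritative server.
    """

    def __init__(self, upstream):
        self.upstream = upstream        # callable(query_id, name, qtype) -> wire reply
        self.negative_names = set()
        self.queries_sent = []

    def resolve(self, name, qtype):
        if name in self.negative_names:
            return "negative-cache"
        self.queries_sent.append((name, qtype))
        header = parse_header(self.upstream(len(self.queries_sent), name, qtype))
        if header["rcode"] in (NXDOMAIN, NOTIMP):
            self.negative_names.add(name)
            return "negative"
        if header["rcode"] == NOERROR and header["ancount"] == 0:
            return "nodata"     # nothing to cache: no SOA, so no TTL to cache it under
        return "answer"


def a_lookup_survives_probe(firmware, name="www.example.com"):
    """An MX query for the host, then an A query: does the A query reach the CSS?"""
    resolver = NegativeCachingResolver(lambda qid, n, t: css_response(qid, n, t, firmware))
    resolver.resolve(name, TYPE_MX)
    resolver.resolve(name, TYPE_A)
    return (name, TYPE_A) in resolver.queries_sent


if __name__ == "__main__":
    for fw in ("original", "CSCdz62499", "CSCea36989"):
        print(f"{fw:<11} A lookup after MX probe reaches CSS: {a_lookup_survives_probe(fw)}")
```

A single unsolicited MX (or any non-A) query, from anyone, is enough to poison the resolver for the host in the first two cases; that is why the advisory calls this a denial of service rather than a misconfiguration.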
[Full-Disclosure] Cisco Security Advisory: Cisco Security Advisory: Microsoft SQL Server 2000 Vulnerabilities in Cisco Products - MS02-061
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Microsoft SQL Server 2000 Vulnerabilities in Cisco Products - MS02-061

Revision 1.0 INTERIM
For Public Release 2003 January 26 05:30 GMT

Contents
========
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice
Distribution
Revision History
Cisco Security Procedures

Summary
=======
This advisory describes a vulnerability that affects Cisco products and applications installed on Microsoft operating systems that incorporate Microsoft SQL Server 2000. It is based on the vulnerability of SQL Server 2000, not on a defect in the Cisco product or application.

A number of vulnerabilities have been discovered that enable an attacker to execute arbitrary code or perform a denial of service against the server. These vulnerabilities were discovered and publicly announced by Microsoft in Microsoft Security Bulletins MS02-039, MS02-056, and MS02-061. All Cisco products and applications that use unpatched Microsoft SQL Server 2000 are considered vulnerable.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20030126-ms02-061.shtml.

Affected Products
=================
To determine if a product is vulnerable, review the list below. If software versions or configuration information are provided, then only those combinations are vulnerable.

* Cisco CallManager 3.3(x)
* Cisco Unity 3.x, 4.x
* Cisco Intelligent Contact Management (ICM) 5.0
* Cisco E-Mail Manager (CeM)
* Cisco Building Broadband Service Manager 5.0, 5.1

No other Cisco product is currently known to be affected by this vulnerability.

Details
=======
Implementations of Microsoft SQL Server 2000 are vulnerable to buffer overflows and denial of service attacks.
These vulnerabilities can be exploited to execute arbitrary code on a computer system or to disrupt normal operation of the server. The vulnerabilities are described in more detail at:

http://www.microsoft.com/technet/security/bulletin/MS02-039.asp
http://www.microsoft.com/technet/security/bulletin/MS02-056.asp
http://www.microsoft.com/technet/security/bulletin/MS02-061.asp

Impact
======
According to Microsoft, the vulnerabilities range from an attacker gaining additional privileges on a SQL server to gaining control over the SQL Server. Additionally, the MS SQL Sapphire Worm is known to exploit this same vulnerability, which can result in degraded network performance as the worm attempts to propagate.

Software Versions and Fixes
===========================
Cisco CallManager
Customers running version 3.3(x) should install Cisco's cumulative SQL 2000 Hotfix, SQL2K-MS02-061.exe, from http://www.cisco.com/tacpage/sw-center/telephony/crypto/voice-apps/.

Cisco Unity
Customers should install Microsoft SQL 2000 Service Pack 2 (SP2) and Security Rollup 1 (SRP1), Q323875_SQL2000_SP2_en.EXE. Both are available on the Microsoft website at the following location: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333sd=tech

Cisco Intelligent Contact Management
Customers should install Microsoft SQL 2000 Service Pack 3 (SP3). It is available on the Microsoft website at the following location: http://www.microsoft.com/sql/downloads/2000/sp3.asp

Cisco E-Mail Manager
Customers should install Microsoft SQL 2000 Service Pack 3 (SP3). It is available on the Microsoft website at the following location: http://www.microsoft.com/sql/downloads/2000/sp3.asp

Cisco Building Broadband Service Manager
This section will be updated within 24 hours with more details on patch availability.

Obtaining Fixed Software
========================
Where Cisco provides the operating system bundled with the product, Cisco is offering free software upgrades to address these vulnerabilities for all affected customers.
Customers may only install and expect support for the feature sets they have purchased. Customers with service contracts should contact their regular update channels to obtain any software release containing the feature sets they have purchased. For most customers with service contracts, this means that upgrades should be obtained through the Software Center on Cisco's Worldwide Web site at http://www.cisco.com/tacpage/sw-center/.

Customers whose Cisco products are provided or maintained through a prior or existing agreement with third-party support organizations such as
[Full-Disclosure] Cisco Security Advisory: MS SQL Sapphire Worm Mitigation Recommendations
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: MS SQL Sapphire Worm Mitigation Recommendations

Revision 1.0
For Public Release 2003 January 25 14:00:00 UTC

Contents
========
Summary
Details
Symptoms
Workarounds
Exploitation and Public Announcements
Status of This Notice
Distribution
Revision History
Cisco Security Procedures

Summary
=======
Cisco customers are currently experiencing attacks due to a new worm that has hit the Internet. The signature of this worm appears to be high volumes of UDP traffic to port 1434. Affected customers have been experiencing high volumes of traffic from both internal and external systems. Symptoms on Cisco devices include, but are not limited to, high CPU and traffic drops on the input interfaces.

http://www.eeye.com/html/Research/Flash/AL20030125.html

At the time of this notice there is no definitive analysis of the worm.

Details
=======
UDP ports 1433 and 1434 are used for SQL server traffic. A new worm has been targeting port 1434 and attempting to exploit a buffer overflow vulnerability in Microsoft's SQL server. We have received reports that the worm targets port 1433 as well; however, this is unverified at this time.

Microsoft has issued a security advisory about this issue; the details are here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

For infected servers, MS recommends downloading Service Pack 3 for SqlSvr, located here:
http://www.microsoft.com/sql/downloads/2000/sp3.asp?SD=GNLN=en-usgssnb=1

Symptoms
========
You may see instability in networks due to increased load. The traffic load generated by this DoS is very high.

Workarounds
===========
Thus far the best mitigation is to block inbound and outbound traffic destined to UDP port 1434. Care must be taken in regard to the impact on mission critical services, as 1434/udp and 1433/udp are used by Microsoft SQL Server.
Before blocking traffic to these ports completely, make sure that the possible effects on your network are understood.

Note: These workarounds block both ports 1433 and 1434, although we have received no evidence yet that blocking port 1433 has any effect on the attack. If your network requires traffic to flow on port 1433, leave that portion of the ACL out and monitor your results closely.

VACL on the 6500

To configure:

    set security acl ip WORM deny udp any eq 1434 any
    set security acl ip WORM deny udp any any eq 1434
    set security acl ip WORM deny udp any eq 1433 any
    set security acl ip WORM deny udp any any eq 1433
    set security acl ip WORM permit any
    commit security acl WORM
    set security acl map WORM vlan

Set port to vlan based:

    set port qos mod/port vlan-based

To verify:

    show security acl info all

To remove:

    clear security acl WORM
    commit security acl WORM

ACL for IOS

Note: Log statement removed due to load issues on the router. If you are trying to track source addresses, use NetFlow.

    access-list 115 deny udp any any eq 1433
    access-list 115 deny udp any any eq 1434
    access-list 115 permit ip any any
    int interface
     ip access-group 115 in
     ip access-group 115 out

Exploitation and Public Announcements
=====================================
This issue is being exploited actively and has been discussed in numerous public announcements and messages. References include:

* http://www.cert.org/advisories/CA-2003-04.html
* http://www.eeye.com/html/Research/Flash/AL20030125.html

Status of This Notice: INTERIM
==============================
This is an interim notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability. Cisco anticipates issuing updated versions of this notice when there is material change in the facts.

Distribution
============
This notice will be posted on Cisco's worldwide website at http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml.
In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients:

* [EMAIL PROTECTED]
* [EMAIL PROTECTED]
* [EMAIL PROTECTED]
* [EMAIL PROTECTED] (includes CERT/CC)
* [EMAIL PROTECTED]
* [EMAIL PROTECTED]
* comp.dcom.sys.cisco
* Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's worldwide web site. Users concerned about this problem are encouraged to check the URL given above for any updates.

Revision History
================
+---+ |Revision
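The IOS workaround above drops the log keyword and points at NetFlow for finding sources. The following is an added example, not part of the Cisco advisory, of the step between the two: it takes flow records of the shape NetFlow exports (source, destination, protocol, ports, counters), flags any host fanning UDP/1434 out to many distinct destinations, and renders the matching per-source IOS ACL lines, for sites that cannot afford the blanket deny on 1434. The flow records, the addresses and the threshold of 20 destinations are constructed for the example.

```python
from collections import defaultdict
import random


def build_sample_flows(seed=1434):
    """Constructed flow records (src, dst, proto, sport, dport, packets, bytes).

    They stand in for NetFlow export from a router and are not collector output.
    One infected host sprays UDP/1434 at random targets; one ordinary SQL client
    talks to a single server; one host does DNS.
    """
    rng = random.Random(seed)
    flows = []
    for _ in range(200):
        dst = "{}.{}.{}.{}".format(rng.randrange(1, 224), rng.randrange(256),
                                   rng.randrange(256), rng.randrange(1, 255))
        flows.append(("10.1.2.3", dst, "udp", rng.randrange(1024, 65536), 1434, 1, 400))
    flows.append(("10.1.9.20", "10.1.100.5", "udp", 1057, 1434, 2, 120))
    flows.append(("10.1.9.20", "10.1.100.5", "tcp", 1058, 1433, 40, 6200))
    flows.append(("10.1.9.21", "10.1.100.53", "udp", 2048, 53, 1, 80))
    return flows


def udp1434_scanners(flows, min_targets=20):
    """Sources sending UDP/1434 to at least min_targets distinct destinations.

    A legitimate client resolves one or a few SQL servers; a propagating worm
    hits addresses at random, so distinct-destination count separates the two
    far better than raw packet volume does.
    """
    targets = defaultdict(set)
    for src, dst, proto, _sport, dport, _packets, _bytes in flows:
        if proto == "udp" and dport == 1434:
            targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


def source_block_acl(sources, acl_number=115):
    """IOS extended ACL lines that drop UDP/1434 from the identified sources only.

    This is a narrower alternative to the advisory's blanket deny for networks
    that must keep the SQL resolution port open; the advisory's blanket lines
    remain the stronger mitigation while the worm is spreading.
    """
    lines = ["access-list {} deny udp host {} any eq 1434".format(acl_number, src)
             for src in sources]
    lines.append("access-list {} permit ip any any".format(acl_number))
    return lines


if __name__ == "__main__":
    flows = build_sample_flows()
    scanners = udp1434_scanners(flows)
    print("UDP/1434 scanners:", scanners)
    print("\n".join(source_block_acl(scanners)))
```

Apply the rendered lines with the same "ip access-group 115 in" binding the advisory shows; re-run the detector on fresh flow exports, since an infected host behind the block keeps generating flows that the collector still sees.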
[Full-Disclosure] Cisco Security Advisory: Cisco Security Advisory: SSH Malformed Packet Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: SSH Malformed Packet Vulnerabilities

Revision 1.0: INTERIM
For Public Release 2002 December 19th 23:00 GMT

Contents
========
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice
Distribution
Revision History
Cisco Security Procedures

Summary
=======
Certain Cisco products containing support for the Secure Shell (SSH) server are vulnerable to a Denial of Service (DoS) if the SSH server is enabled on the device. A malformed SSH packet directed at the affected device can cause a reload of the device. No authentication is necessary for the packet to be received by the affected device. The SSH server in Cisco IOS is disabled by default.

Cisco will be making free software available to correct the problem as soon as possible. The malformed packets can be generated using the SSHredder test suite from Rapid7, Inc. Workarounds are available. The Cisco PSIRT is not aware of any malicious exploitation of this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/ssh-packet-suite-vuln.shtml.

Affected Products
=================
Multiple Cisco products which contain support for an SSH server are vulnerable if the SSH server is enabled. Cisco routers and Catalyst switches running the affected versions of IOS shown in the Software Versions and Fixes section below have been confirmed to be vulnerable.
Cisco products which contain SSH server functionality that are confirmed not to be vulnerable include:

* Cisco Catalyst Switches running Cisco CatOS
* Cisco VPN3000 series concentrators
* Cisco PIX Firewall
* Cisco Secure Intrusion Detection System (NetRanger) appliance
* Cisco Secure Intrusion Detection System Catalyst Module
* Cisco SN5400 Series Storage Routers

Details
=======
A suite of crafted packets has been developed to test implementations of the Secure Shell (SSH) protocol. If the SSH server has been enabled, several of the test cases cause a forced reload of the device before the authentication process is called. Each time an SSH connection attempt is made to a Cisco device running IOS with one of the crafted packets, and the SSH server is enabled on the device, the device reboots.

The SSH server feature is available in the following Cisco IOS release trains: 12.0S, 12.0ST, 12.1T, 12.1E, 12.2, 12.2T, 12.2S. All releases which have the SSH server feature are vulnerable when the SSH server is enabled by issuing the command crypto key generate rsa in configuration mode.

All products running vulnerable versions of Cisco IOS except the Cisco 3550 will automatically reload and resume service following the crash. The Cisco 3550 will not reload, and will require manual intervention to resume normal processing.

This Cisco IOS defect is documented in DDTS CSCdz60229.

Impact
======
The vulnerability can be exploited to make an affected product unavailable for several minutes while the device reloads. Once it has resumed normal processing, the device is still vulnerable and can be forced to reload repeatedly.

Software Versions and Fixes
===========================
The SSH server feature is available beginning in the following Cisco IOS releases: 12.0(5)S, 12.0(16)ST, 12.1(1)T, 12.1(5a)E, 12.2(1), 12.2(1)T, 12.2(1)S. All of these versions are vulnerable if the SSH feature is enabled.
Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the First Fixed Release) and the anticipated date of availability for each are listed in the Rebuild, Interim, and Maintenance columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).

When selecting a release, keep in mind the following definitions:

Maintenance
  Most heavily tested, stable, and highly recommended release of a release train in any given row of the table.

Rebuild
  Constructed from the previous maintenance or major release in the same train, it contains the fix for a specific defect. Although it receives less testing, it contains only the minimal changes necessary to repair the vulnerability.

Interim
  Built at regular intervals between
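The advisory says the crash happens while parsing crafted packets before authentication, which is where an SSH server has the least context and must trust nothing in the packet. The following is an added example, not Cisco code and not a reproduction of the SSHredder test cases (the advisory does not describe them or the CSCdz60229 defect): a parser for the RFC 4253 binary packet framing that checks every length field against the bytes actually received before slicing, alongside an encoder that produces well-formed packets. The three malformed test vectors are constructed for the example; the 35000-byte limit is the minimum total packet size RFC 4253 section 6.1 requires implementations to accept, used here as the cap.

```python
import struct

# RFC 4253 section 6: uint32 packet_length | byte padding_length | payload |
# random padding (>= 4 bytes) | MAC. packet_length excludes itself and the MAC.
# Section 6.1: implementations must handle packets up to 35000 bytes total.
MAX_TOTAL_PACKET = 35000
MIN_PADDING = 4


class MalformedPacket(ValueError):
    """Raised for any packet whose length fields are inconsistent."""


def parse_binary_packet(buf, block_size=8):
    """Return (payload, remaining_bytes) or raise MalformedPacket.

    Every length is checked against the bytes actually present before any slice
    is taken, so a hostile packet_length or padding_length is rejected here and
    never reaches the message dispatcher. Unencrypted framing only (no MAC).
    """
    if len(buf) < 5:
        raise MalformedPacket("need at least packet_length and padding_length")
    (packet_length,) = struct.unpack("!I", buf[:4])
    if packet_length < 1 + MIN_PADDING:
        raise MalformedPacket("packet_length {} too small".format(packet_length))
    if 4 + packet_length > MAX_TOTAL_PACKET:
        raise MalformedPacket("packet_length {} exceeds limit".format(packet_length))
    if (4 + packet_length) % block_size:
        raise MalformedPacket("total length not a multiple of the cipher block size")
    if len(buf) < 4 + packet_length:
        raise MalformedPacket("declared length exceeds bytes received")
    padding_length = buf[4]
    if padding_length < MIN_PADDING or padding_length > packet_length - 1:
        raise MalformedPacket("padding_length {} inconsistent".format(padding_length))
    payload_len = packet_length - 1 - padding_length
    payload = buf[5:5 + payload_len]
    return payload, buf[4 + packet_length:]


def build_binary_packet(payload, block_size=8):
    """Encode a payload the way a conforming peer would (unencrypted, no MAC)."""
    padding_length = block_size - ((5 + len(payload)) % block_size)
    if padding_length < MIN_PADDING:
        padding_length += block_size
    packet_length = 1 + len(payload) + padding_length
    return struct.pack("!IB", packet_length, padding_length) + payload + b"\x00" * padding_length


# Constructed test vectors: a well-formed SSH_MSG_IGNORE (message type 2 with an
# empty string) and three packets with deliberately broken length fields.
GOOD = build_binary_packet(b"\x02" + struct.pack("!I", 0))
HUGE_LENGTH = struct.pack("!IB", 0xFFFFFFF8, 4) + b"\x00" * 11
PADDING_OVERRUN = struct.pack("!IB", 12, 200) + b"\x00" * 12
TRUNCATED = struct.pack("!IB", 28, 4) + b"\x00" * 3


def classify(buf):
    """'ok' for a parseable packet, otherwise the reason it was rejected."""
    try:
        parse_binary_packet(buf)
        return "ok"
    except MalformedPacket as exc:
        return "rejected: {}".format(exc)


if __name__ == "__main__":
    for label, vector in (("good", GOOD), ("huge length", HUGE_LENGTH),
                          ("padding overrun", PADDING_OVERRUN), ("truncated", TRUNCATED)):
        print("{:<16} {}".format(label, classify(vector)))
```

The order of the checks matters: the total-size cap is applied before the code asks whether enough bytes have arrived, so a peer cannot make the server buffer gigabytes waiting for a length it will never see.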
[Full-Disclosure] Cisco Security Advisory: Cisco PIX Multiple Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco PIX Multiple Vulnerabilities

Revision 1.0
For Public Release 2002 November 20 at 1600 UTC (GMT)

Contents
========
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice
Distribution
Revision History
Cisco Security Procedures

Summary
=======
The Cisco PIX Firewall provides robust, enterprise-class security services including stateful inspection firewalling, standards-based IP Security (IPsec) Virtual Private Networking (VPN), intrusion protection and much more in cost-effective, easy to deploy solutions.

Two vulnerabilities have been resolved for the PIX firewall, for which fixes are available. These vulnerabilities are documented as Cisco bug IDs CSCdv83490 and CSCdx35823. There are no workarounds available to mitigate the effects of these vulnerabilities.

This advisory will be posted at http://www.cisco.com/warp/public/707/pix-multiple-vuln-pub.shtml.

Affected Products
=================
All PIX Firewall units running the vulnerable releases and using the specific features are affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities.

+-------------------------------------------+-------------------+
| DDTs - Description                        | Affected Release  |
+-------------------------------------------+-------------------+
| CSCdv83490 - While processing initial     | 6.0.3 and earlier |
| contact notify messages the PIX does not  | 6.1.3 and earlier |
| delete duplicate Internet Security        |                   |
| Association and Key Management Protocol   |                   |
| Security Associations (ISAKMP SAs) with   |                   |
| the peer.                                 |                   |
+-------------------------------------------+-------------------+
| CSCdx35823 - Buffer overflow while doing  | 5.2.8 and earlier |
| HTTP traffic authentication using         | 6.0.3 and earlier |
| Terminal Access Controller Access Control | 6.1.3 and earlier |
| System Plus (TACACS+) or Remote           | 6.2.1 and earlier |
| Authentication Dial-In User Service       |                   |
| (RADIUS).                                 |                   |
+-------------------------------------------+-------------------+

To determine your software revision, type show version at the command line prompt.
Details

CSCdv83490

When a user establishes a VPN session upon successful peer and user authentication, the PIX creates an ISAKMP SA associating the user with their IP address. If an attacker is then able to block the logged-in user's connection and establish a connection to the PIX from the same IP address as that user, the attacker will be able to establish a VPN session with the PIX using only peer authentication, provided they already have access to the peer authentication key, also known as the group pre-shared key (PSK) or group password key.

CSCdx35823

A user starting a connection via FTP, Telnet, or over the World Wide Web (HTTP) is prompted for a user name and password. If the user name and password are verified by the designated TACACS+ or RADIUS authentication server, the PIX Firewall unit allows the connection's further traffic to pass through independently of the authentication server, via the PIX Firewall unit's cut-through proxy feature. The PIX may crash and reload due to a buffer overflow vulnerability while processing HTTP traffic requests for authentication using TACACS+ or RADIUS.

The Internetworking Terms and Acronyms online guide can be found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/index.htm. The Cisco Systems Terms and Acronyms online guide can be found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/cisco12.htm.

These vulnerabilities are documented in the Bug Toolkit as Bug IDs CSCdv83490 and CSCdx35823, and can be viewed after 2002 November 21 at 1600 UTC. To access this tool, you must be a registered user and you must be logged in.

Impact

+-------------------------------+-----------------------------+
| DDTs - Description            | Impact                      |
+-------------------------------+-----------------------------+
| CSCdv83490 - While processing | This vulnerability can be   |
| initial contact notify        | exploited to initiate a     |
| messages the PIX does not     | Man-In-The-Middle attack    |
| delete duplicate ISAKMP SAs   | for VPN sessions to the     |
| with the peer.                |                             |
[Full-Disclosure] Cisco Security Advisory: Cisco ONS15454 and Cisco ONS15327 Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco ONS15454 and Cisco ONS15327 Vulnerabilities

Revision 1.0

For Public Release 2002 October 31 at 1600 UTC

Contents: Summary, Affected Products, Details, Impact, Software Versions and Fixes, Obtaining Fixed Software, Workarounds, Exploitation and Public Announcements, Status of This Notice, Distribution, Revision History, Cisco Security Procedures

Summary

Multiple vulnerabilities exist in the Cisco ONS15454 optical transport platform and the Cisco ONS15327 edge optical transport platform. All Cisco ONS software releases earlier than 3.4 are vulnerable. The Cisco ONS15454E is affected only by CSCdx82962.

These vulnerabilities are documented as Cisco bug IDs CSCds52295, CSCdt84146, CSCdv62307, CSCdw15690, CSCdx82962 and CSCdy70756. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory will be posted at http://www.cisco.com/warp/public/707/ons-multiple-vuln-pub.shtml.

Affected Products

All Cisco ONS15454 and ONS15327 hardware running Cisco ONS releases earlier than 3.4 are affected by these vulnerabilities. Hardware not affected includes the Cisco ONS15540 extended service platform, the ONS15800 series, the ONS15200 series metro DWDM systems and the ONS15194 IP transport concentrator. The Cisco ONS15454E is affected only by CSCdx82962. No other Cisco product is currently known to be affected by these vulnerabilities.

To determine your software revision, view the Help/About window in the CTC network management software.

Details

The ONS hardware is managed via the TCC, TCC+, TCCi or XTC control cards, which are usually connected to a network that is isolated from the Internet and local to the customer's environment. This limits the exposure to exploitation of the vulnerabilities from the Internet.
These vulnerabilities are documented as Cisco bug IDs CSCds52295, CSCdt84146, CSCdv62307, CSCdw15690, CSCdx82962 and CSCdy70756, which require a CCO account to view and can be viewed after 2002 November 1 at 1600 UTC.

CSCds52295

It is possible to open an FTP connection to the TCC, TCC+ or XTC using any nonexistent user name and password. In order to exploit this vulnerability a person must be able to establish an FTP connection to the TCC, TCC+ or XTC.

CSCdt84146

User names and passwords are stored in clear text in the running image database of the TCC, TCC+ or XTC. In order to exploit this vulnerability a person needs access to a backup of the image database.

CSCdv62307

The SNMP community string "public" cannot be changed in the Cisco ONS software. In order to exploit this vulnerability a person must be able to establish an SNMP connection to the TCC, TCC+ or XTC.

CSCdw15690

Requesting an invalid CORBA Interoperable Object Reference (IOR) via HTTP may cause the TCC, TCC+ or XTC to reset. In order to exploit this vulnerability a person must be able to establish an HTTP connection to the TCC, TCC+ or XTC.

CSCdx82962

HTTP requests starting with any character other than '/' may cause the TCC, TCC+, TCCi or XTC to reset. In order to exploit this vulnerability a person must be able to establish an HTTP connection to the TCC, TCC+ or XTC.

CSCdy70756

The TCC, TCC+ and XTC have a user name and password that can be used to gain access to the underlying VxWorks operating system, and it is not possible to change or disable this account. In order to exploit this vulnerability a person must be able to establish a Telnet connection to the TCC, TCC+ or XTC.

Impact

CSCds52295

Once an FTP connection has been opened, a person could upload modified configuration files and delete software images from the TCC, TCC+ or XTC.

CSCdt84146

By analyzing an offline database backup of the TCC, TCC+ or XTC, it is possible to extract user name and password pairs.
Using the administrator password, a person can access the TCC, TCC+ or XTC either remotely or locally and gain complete control over the Cisco ONS platform.

CSCdv62307

By using the SNMP read-only community string, a person may gain unauthorized access to information in the SNMP MIBs on the TCC, TCC+ or XTC. User names and passwords cannot be extracted using this method.

CSCdw15690

By requesting an invalid CORBA IOR object via HTTP, a person may cause the TCC, TCC+ or XTC to
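Two of the advisories on this page describe embedded HTTP servers that reset on malformed input: the ONS control cards on a request that does not start with '/' (CSCdx82962), and the CatOS CiscoView image on an overly long query (CSCdy26428, below). The defensive counterpart is strict request-line validation in front of such a server, for example in a management-network reverse proxy or filter. The following is an added example, not Cisco code; the length bound, the allowed method set and the sample request lines are constructed for illustration.

```python
import re

# Added example (not Cisco code): strict validation of one HTTP request line
# in front of an embedded management HTTP server. It turns the two failure
# classes the advisories describe (request-target not beginning with '/',
# overly long request) into explicit reject conditions.

MAX_REQUEST_LINE = 512                 # constructed bound; tune per deployment
ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # constructed allow-list
_TOKEN = re.compile(r"^[A-Z]+$")
_VERSION = re.compile(r"^HTTP/1\.[01]$")


def validate_request_line(line: str):
    """Return (accepted, reason) for one HTTP request line.

    Checks, in order:
      1. total length within MAX_REQUEST_LINE
      2. exactly three single-space-separated fields: method, target, version
      3. method is an uppercase token on the allow-list
      4. target is origin-form (starts with '/') and contains only
         printable ASCII, no whitespace or control characters
      5. version is HTTP/1.0 or HTTP/1.1
    """
    if len(line) > MAX_REQUEST_LINE:
        return False, "request line too long"
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if not _TOKEN.match(method) or method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if not target.startswith("/"):
        return False, "request-target must be origin-form (start with '/')"
    if any(ord(c) < 0x21 or ord(c) > 0x7E for c in target):
        return False, "control, whitespace or non-ASCII character in request-target"
    if not _VERSION.match(version):
        return False, "unsupported HTTP version"
    return True, "ok"


# Constructed sample request lines (not captured traffic).
SAMPLE_LINES = [
    "GET / HTTP/1.0",
    "GET /cgi-bin/status HTTP/1.1",
    "GET index.html HTTP/1.0",
    "GET /" + "A" * 600 + " HTTP/1.0",
    "TRACE / HTTP/1.1",
]


def triage(lines):
    """Return a list of (line, accepted, reason) verdicts, one per input line."""
    return [(line, *validate_request_line(line)) for line in lines]


if __name__ == "__main__":
    for line, accepted, reason in triage(SAMPLE_LINES):
        print(f"{accepted!s:5}  {reason:<60}  {line[:40]!r}")
```

The validator rejects before any parsing of the target, so a filter built on it never hands the protected server a request that the advisories say can reset it; the allow-list and length bound are deliberately conservative because a management interface does not need more.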
[Full-Disclosure] Cisco Security Advisory: Cisco CatOS Embedded HTTP Server Buffer Overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco CatOS Embedded HTTP Server Buffer Overflow

Revision 1.0 FINAL

For Public Release 2002 October 16 17:00 (UTC)

Contents: Summary, Affected Products, Details, Impact, Software Versions and Fixes, Obtaining Fixed Software, Workarounds, Exploitation and Public Announcements, Status of This Notice, Distribution, Revision History, Cisco Security Procedures

Summary

Cisco Catalyst switches running specific versions of Cisco CatOS software are vulnerable to a buffer overflow in an embedded HTTP server. Only CatOS versions from 5.4 up to and including 7.3 that contain "cv" in the image name are affected. If the HTTP server is enabled, a buffer overflow can be remotely exploited that will cause the switch to fail and reload. The vulnerability can be exploited repeatedly and result in a denial of service. Workarounds are available that limit the ability to exploit the vulnerability.

This advisory will be published at http://www.cisco.com/warp/public/707/catos-http-overflow-vuln.shtml.

Affected Products

This vulnerability is only present in Cisco Catalyst switches running Cisco CatOS software versions 5.4 through 7.3 that contain an embedded HTTP server to support CiscoView network management software. The affected software images contain "cv" in the image name, as in cat6000-supcv.5-5-16.bin.

Details

If the HTTP server is enabled on a Cisco Catalyst switch running an affected CiscoView image, an overly long HTTP query received by the embedded HTTP server will cause a buffer overflow and result in a software reset of the switch. Once the switch has recovered and resumed normal processing it is vulnerable again. It remains vulnerable until the HTTP server is disabled, HTTP queries to the switch management port are blocked, or the switch's software has been upgraded to a fixed version. The HTTP server is disabled by default.
It is typically enabled to allow web-based management of the switch using CiscoView. Only a small subset of CatOS images contain this embedded HTTP server.

This vulnerability is documented as DDTS CSCdy26428 - CatOS crash with web server enabled in http_get_token.

Impact

Exploitation of this issue can result in a software-forced reset of the device. Repeated exploitation may lead to a denial of service until the workaround for this vulnerability has been implemented or a fixed version of software has been loaded onto the device.

Software Versions and Fixes

All versions of CatOS software with the embedded HTTP server are vulnerable prior to the fixed versions listed below. Each row of the table describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix and the anticipated date of availability for each are listed in the Rebuild, Interim, and Maintenance columns. A device running any release in the given train that is earlier than the release in a specific column (less than the earliest fixed release) is known to be vulnerable, and it should be upgraded at least to the indicated release or a later version (greater than the earliest fixed release label).

When selecting a release, keep in mind the following definitions:

Maintenance: Most heavily tested and highly recommended release of any label in a given row of the table.

Interim: Built at regular intervals between maintenance releases and receives less testing. Interims should be selected only if there is no other suitable release that addresses the vulnerability, and interim images should be upgraded to the next available maintenance release as soon as possible. Interim releases are not available via manufacturing, and usually they are not available for customer download from CCO without prior arrangement with the Cisco Technical Assistance Center (TAC).
+---------+---------------+---------------+
| Release | Interim       | Maintenance   |
+---------+---------------+---------------+
| 5.x     | 5.5(16.2)     | 5.5(17)       |
+---------+---------------+---------------+
| 6.x     | 6.3(8.3)      | 6.3(9)        |
+---------+---------------+---------------+
| 7.3     | not yet fixed | not yet fixed |
+---------+---------------+---------------+
| 7.4     | 7.4(0.63)     | 7.4(1)        |
+---------+---------------+---------------+

Obtaining
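Inventory checks against a fixed-release table like the one above are easy to get wrong because CatOS versions have a build and an interim sub-build inside the parentheses. The following is an added example, not Cisco code, that parses CatOS version strings and image file names and applies the advisory's rules: a "cv" image, a release from 5.4 through 7.3 (or, following the table's 7.4 row, a 7.4 build earlier than 7.4(0.63)), and anything below the earliest fixed interim release is affected. It assumes the image-name convention shown in the advisory (cat6000-supcv.5-5-16.bin, where 5-5-16 means 5.5(16)) and that a fourth dash-separated number denotes an interim sub-build (5-5-16-2 for 5.5(16.2)); that naming assumption is the author's, not the advisory's.

```python
import re

# Added example (not Cisco code): classify CatOS images against the
# advisory's fixed-release table. Image-name layout is an assumption:
# "<platform><cv?>.<major>-<minor>-<build>[-<sub>].bin".

# Earliest release containing the fix per train (Interim column of the table).
# 7.3 had no fix at publication time; 7.4 builds before 7.4(0.63) are treated
# as affected per the table's 7.4 row.
EARLIEST_FIX = {
    "5.x": (5, 5, 16, 2),
    "6.x": (6, 3, 8, 3),
    "7.3": None,
    "7.4": (7, 4, 0, 63),
}


def parse_catos_version(text):
    """'5.5(16.2)' -> (5, 5, 16, 2); '6.3(9)' -> (6, 3, 9, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)", text.strip())
    if not m:
        raise ValueError(f"not a CatOS version string: {text!r}")
    major, minor, build, sub = m.groups()
    return (int(major), int(minor), int(build), int(sub or 0))


def version_from_image(image_name):
    """'cat6000-supcv.5-5-16.bin' -> (5, 5, 16, 0) (naming assumption above)."""
    m = re.search(r"\.(\d+)-(\d+)-(\d+)(?:-(\d+))?\.bin$", image_name)
    if not m:
        raise ValueError(f"cannot find release in image name: {image_name!r}")
    major, minor, build, sub = m.groups()
    return (int(major), int(minor), int(build), int(sub or 0))


def has_embedded_http_server(image_name):
    """Affected images carry 'cv' (CiscoView) in the name part before the release."""
    return "cv" in image_name.split(".", 1)[0]


def train_of(version):
    """Map a version tuple to a row of the table, or None if outside 5.4..7.4."""
    major, minor = version[0], version[1]
    if major == 5 and minor >= 4:
        return "5.x"
    if major == 6:
        return "6.x"
    if (major, minor) == (7, 3):
        return "7.3"
    if (major, minor) == (7, 4):
        return "7.4"
    return None


def is_affected_version(version):
    """True when the release is in an affected train and below its earliest fix."""
    train = train_of(version)
    if train is None:
        return False
    fix = EARLIEST_FIX[train]
    return fix is None or version < fix


def assess_image(image_name, http_server_enabled=True):
    """Return (exposed, reason) for one switch: image name plus HTTP server state."""
    if not has_embedded_http_server(image_name):
        return False, "image has no embedded HTTP server (no 'cv' in name)"
    version = version_from_image(image_name)
    if not is_affected_version(version):
        return False, f"release {version} is not in the affected set"
    if not http_server_enabled:
        return False, "affected image, but HTTP server disabled (exposed if enabled)"
    return True, f"affected image with HTTP server enabled: upgrade from {version}"


if __name__ == "__main__":
    # Constructed inventory, not real device data.
    for name, http_on in [("cat6000-supcv.5-5-16.bin", True),
                          ("cat6000-supcv.7-3-1.bin", False),
                          ("cat6000-sup.6-3-8.bin", True)]:
        print(name, http_on, assess_image(name, http_on))
```

Note that a disabled HTTP server removes exposure but not the defect: the advisory's workaround and the upgrade are distinct findings, which is why the function reports the "affected but disabled" case separately rather than folding it into "not affected".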
[Full-Disclosure] Cisco Security Advisory: Predefined Restriction Tables Allow Calls to International Operator
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Predefined Restriction Tables Allow Calls to International Operator

Revision 1.0: Final

For Public Release 2002 October 04 15:30 GMT

Contents: Summary, Affected Products, Details, Impact, Software Versions and Fixes, Obtaining Fixed Software, Workarounds, Exploitation and Public Announcements, Status of This Notice, Distribution, Revision History, Cisco Security Procedures

Summary

The predefined restriction tables in Cisco Unity do not block calls to the international operator. The default configuration only blocks North American Numbering Plan (NANP) International Direct Dial (IDD) prefixes, that is, prefixes that start with 9 011. Customers may expect that, since direct-dial international calls are blocked, it is not possible for users to forward calls to international numbers, but the international operator is still permitted under the predefined restriction table.

This subversion can be accomplished by anyone inside or outside a company who is familiar with how to configure Cisco Unity and has access to a valid system username and password, which is further compounded by the common existence of the Example Administrator and Example Subscriber accounts in many installations.

This vulnerability has been documented as CSCdy54570. The following products are identified as affected by this vulnerability:

* Cisco Unity software versions 2.x, 3.x

Unless explicitly stated otherwise, all other Cisco products are not affected. A workaround exists for this vulnerability, which is detailed in the Workarounds section below.

This advisory is available at http://www.cisco.com/warp/public/707/toll-fraud-pub.shtml.

Affected Products

The following products are affected:

* Cisco Unity software versions 2.x, 3.x

Details

The predefined restriction tables in Cisco Unity are for North American dial plans and do not block calls to the international operator.
The default configuration only blocks IDD patterns that start with 9 011. This may pose a problem because subscribers can configure call forwarding in Cisco Unity to point to the international operator (9 00) and then place international calls.

After installing Unity, customers often ignore the Example Administrator and Example Subscriber accounts. These can be exploited by dialing into Cisco Unity, logging into the accounts with the default extension and password, and configuring them to call forward to the international operator or another toll number.

Two other scenarios in which this could happen are:

1. Internal users can set their own Cisco Unity mailboxes to forward to international numbers or toll numbers.

2. External callers could log into a poorly password-protected mailbox (for example, password=1234) and forward to international numbers or toll numbers.

This vulnerability has been documented as CSCdy54570.

Impact

The predefined restriction tables within the Cisco Unity configuration allow direct dialing of the international operator or other toll calls, which may not be desired. Due to the existence of well-known default user accounts, successful exploitation of those default accounts, or of policies allowing weak passwords on accounts, can result in toll fraud which may go unnoticed until the end of a billing cycle.

Software Versions and Fixes

The default configuration of Cisco Unity will be modified to disallow forwarding to the international operator in future versions; however, a software upgrade is not necessary in order to mitigate the vulnerability.

Obtaining Fixed Software

As the fix for this vulnerability is a default configuration change, and a workaround is available, a software upgrade is not required to address this vulnerability. However, if you have a service contract and wish to upgrade to unaffected code, you may obtain upgraded software through your regular update channels once that software is available.
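The gap the advisory describes is easiest to see by evaluating dial strings against the restriction table as a first-match rule list. The following is an added example, not Cisco Unity code: it models a restriction table with a simplified pattern syntax (digits literal, '*' any run of digits, '?' one digit; spaces ignored), shows the predefined table blocking 9 011 but passing 9 00, places the corrected table beside it, and audits a constructed set of mailboxes for forwarding targets the table lets through, leftover Example accounts and weak passwords. The pattern syntax, the weak-password list and every mailbox record are assumptions made for the example.

```python
import re

# Added example (not Cisco Unity code): first-match model of a restriction
# table plus a small mailbox audit. Pattern syntax is an assumption of this
# model: digits match literally, '*' any run of digits, '?' one digit.

# The predefined table as the advisory describes it: only the NANP IDD
# prefix (9 011) is blocked; everything else is permitted.
PREDEFINED_TABLE = [
    ("9011*", True),   # blocked
    ("*", False),      # permitted
]

# Corrected table: also block the international operator (9 00).
HARDENED_TABLE = [
    ("9011*", True),
    ("900*", True),
    ("*", False),
]

INTERNATIONAL_PREFIXES = ("9011", "900")          # IDD and international operator
WEAK_PASSWORDS = {"1234", "12345", "0000", "1111"}  # constructed list


def normalize(dial_string):
    """Keep only digits: '9 011 44' -> '901144'."""
    return re.sub(r"\D", "", dial_string)


def _pattern_to_regex(pattern):
    parts = []
    for ch in pattern.replace(" ", ""):
        if ch == "*":
            parts.append(r"\d*")
        elif ch == "?":
            parts.append(r"\d")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def is_blocked(table, dial_string):
    """First matching rule decides; no match means permitted (model assumption)."""
    digits = normalize(dial_string)
    for pattern, blocked in table:
        if _pattern_to_regex(pattern).fullmatch(digits):
            return blocked
    return False


# Constructed mailbox records, including the Example accounts the advisory
# mentions. Passwords and forwarding targets are made up.
SAMPLE_MAILBOXES = [
    {"name": "Example Administrator", "password": "12345", "forward_to": None},
    {"name": "Example Subscriber", "password": "12345", "forward_to": "9 00"},
    {"name": "jdoe", "password": "1234", "forward_to": "9 011 44 20 7946 0958"},
    {"name": "asmith", "password": "738291", "forward_to": "9 555 0100"},
]


def audit(table, mailboxes):
    """Return (mailbox, finding, detail) tuples for the risks the advisory describes."""
    findings = []
    for mb in mailboxes:
        target = mb["forward_to"]
        if (target and not is_blocked(table, target)
                and normalize(target).startswith(INTERNATIONAL_PREFIXES)):
            findings.append((mb["name"], "international-forwarding", target))
        if mb["name"].startswith("Example "):
            findings.append((mb["name"], "example-account", "remove or disable"))
        if mb["password"] in WEAK_PASSWORDS:
            findings.append((mb["name"], "weak-password", "enforce a stronger password policy"))
    return findings


if __name__ == "__main__":
    for label, table in (("predefined", PREDEFINED_TABLE), ("hardened", HARDENED_TABLE)):
        print(f"--- {label} table ---")
        for name, kind, detail in audit(table, SAMPLE_MAILBOXES):
            print(f"{name:22} {kind:25} {detail}")
```

Against the predefined table the audit reports the Example Subscriber's forward to 9 00 as permitted international forwarding; against the hardened table that finding disappears, while the Example accounts and weak passwords remain, which is the advisory's point that the table change and the account cleanup are separate fixes.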
For most customers, this means that upgrades should be obtained through the Software Center on Cisco's Worldwide Web site at http://www.cisco.com/.

If you need assistance with the implementation of the workarounds, or have questions on the workarounds, please contact the Cisco Technical Assistance Center (TAC). Cisco TAC contacts are as follows:

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: [EMAIL PROTECTED]

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.

Please do