Apr 2, 2012

March 2012: twelve Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published twelve important vulnerability advisories:

  • Cisco IOS Software Reverse SSH Denial of Service Vulnerability
  • Cisco IOS Software RSVP Denial of Service Vulnerability
  • Multiple Vulnerabilities in Cisco IOS Software Traffic Optimization Features
  • Cisco IOS Software Multicast Source Discovery Protocol Vulnerability
  • Cisco IOS Software Network Address Translation Vulnerability
  • Cisco IOS Internet Key Exchange Vulnerability
  • Cisco IOS Software Smart Install Denial of Service Vulnerability
  • Cisco IOS Software Command Authorization Bypass
  • Cisco IOS Software Zone-Based Firewall Vulnerabilities
  • Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module
  • Cisco Firewall Services Module Crafted Protocol Independent Multicast Message Denial of Service Vulnerability
  • Cisco ASA 5500 Series Adaptive Security Appliance Clientless VPN ActiveX Control Remote Code Execution Vulnerability

Cisco IOS Software Reverse SSH Denial of Service Vulnerability
The Secure Shell (SSH) server implementation in Cisco IOS Software and Cisco IOS XE Software contains a denial of service (DoS) vulnerability in the SSH version 2 (SSHv2) feature. An unauthenticated, remote attacker could exploit this vulnerability by attempting a reverse SSH login with a crafted username.  Successful exploitation of this vulnerability could allow an attacker to create a DoS condition by causing the device to reload.  Repeated exploits could create a sustained DoS condition.

Vulnerable Products
Cisco devices that are running affected Cisco IOS Software or Cisco IOS XE Software versions are vulnerable when they have the SSH server enabled and allow SSHv2 logins.  Only SSHv2 is affected.

Details
The SSH server implementation in Cisco IOS Software and Cisco IOS XE Software contains a DoS vulnerability in the SSH version 2 (SSHv2) feature that could allow an unauthenticated remote attacker to cause a device to reload.  An attacker could exploit this vulnerability by attempting a reverse SSH login with a crafted username.  Successful exploitation of this vulnerability could allow an attacker to create a DoS condition by causing the device to reload.  Repeated exploits could create a sustained DoS condition.

Impact
Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to create a DoS condition by causing the device to reload.  Repeated exploits could create a sustained DoS condition.

Link: http://tools.cisco.com/…/cisco-sa-20120328-ssh

Cisco IOS Software RSVP Denial of Service Vulnerability
Cisco IOS Software and Cisco IOS XE Software contain a vulnerability in the RSVP feature when used on a device configured with VPN routing and forwarding (VRF) instances. This vulnerability could allow an unauthenticated, remote attacker to cause an interface wedge, which can lead to loss of connectivity, loss of routing protocol adjacency, and other denial of service (DoS) conditions. This vulnerability could be exploited repeatedly to cause an extended DoS condition.

Vulnerable Products
Only devices with specific configurations are affected. Cisco devices that are running affected Cisco IOS Software or Cisco IOS XE Software versions are vulnerable when they are configured with RSVP and also have one or more VRF interfaces. A device is vulnerable if both of the following criteria are met:

  • At least one VRF is configured without RSVP
  • At least one other interface (physical or virtual), not in the same VRF, is configured with RSVP

Details
A device is vulnerable if it is configured with VRF and none of the interfaces in that VRF have RSVP enabled, but any other interface (physical or virtual) does have RSVP enabled. An attacker with some knowledge of the affected infrastructure could exploit this vulnerability by sending RSVP packets to vulnerable devices. Successful exploitation of the vulnerability could allow an attacker to wedge the receive queue of any RSVP ingress interface.
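The two criteria above can be checked mechanically against a saved running-config. The following script is an added example, not part of the advisory or of Cisco's tooling; it assumes that an interface is placed in a VRF by "ip vrf forwarding <NAME>" (or "vrf forwarding <NAME>") and that any "ip rsvp ..." interface command (such as "ip rsvp bandwidth") enables RSVP on that interface, and it runs against a constructed sample config.

```python
import re
from typing import Dict, List, Set

# Constructed sample running-config (not taken from the advisory). Assumed
# command forms: "ip vrf forwarding <NAME>" places an interface in a VRF and
# any "ip rsvp ..." interface command (e.g. "ip rsvp bandwidth") enables RSVP.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 ip rsvp bandwidth 1000
!
interface GigabitEthernet0/1
 ip vrf forwarding CUST_A
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/2
 ip vrf forwarding CUST_B
 ip address 203.0.113.1 255.255.255.0
 ip rsvp bandwidth 500
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [its indented sub-commands]} from a running-config."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def rsvp_vrf_exposure(config: str) -> Dict[str, List[str]]:
    """Map each VRF with no RSVP-enabled member interface to the RSVP-enabled
    interfaces outside it; a non-empty result means both advisory criteria hold."""
    vrf_members: Dict[str, Set[str]] = {}
    rsvp_ifaces: Set[str] = set()
    for name, cmds in parse_interfaces(config).items():
        for cmd in cmds:
            m = re.match(r"^(?:ip )?vrf forwarding (\S+)", cmd)
            if m:
                vrf_members.setdefault(m.group(1), set()).add(name)
            if cmd.startswith("ip rsvp "):
                rsvp_ifaces.add(name)
    exposure: Dict[str, List[str]] = {}
    for vrf, members in vrf_members.items():
        if not (members & rsvp_ifaces):       # criterion 1: VRF has no RSVP
            others = sorted(rsvp_ifaces - members)
            if others:                        # criterion 2: RSVP elsewhere
                exposure[vrf] = others
    return exposure

if __name__ == "__main__":
    print(rsvp_vrf_exposure(SAMPLE_CONFIG))
```

In the sample, CUST_A has no RSVP interface while RSVP is enabled on the global-table uplink and inside CUST_B, so CUST_A is reported; CUST_B is not, because one of its own interfaces runs RSVP.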

Impact
Successful exploitation of this vulnerability will result in an interface queue wedge, which can lead to loss of connectivity, loss of routing protocol adjacency, and other DoS conditions. This vulnerability could be exploited repeatedly to cause an extended DoS condition.

Link: http://tools.cisco.com/…/cisco-sa-20120328-rsvp

Multiple Vulnerabilities in Cisco IOS Software Traffic Optimization Features
Cisco IOS Software contains a denial of service (DoS) vulnerability in the Wide Area Application Services (WAAS) Express feature that could allow an unauthenticated, remote attacker to cause the router to leak memory or to reload. Cisco IOS Software also contains a DoS vulnerability in the Measurement, Aggregation, and Correlation Engine (MACE) feature that could allow an unauthenticated, remote attacker to cause the router to reload.

Vulnerable Products
Cisco devices that are running Cisco IOS Software are vulnerable when they are configured with the mace enable or waas enable interface configuration commands on one or more interfaces. Additional configuration is required for WAAS Express or MACE to be configured; more details follow.

Details
Cisco IOS Software contains a DoS vulnerability in the WAAS Express feature that could allow an unauthenticated, remote attacker to cause the router to leak memory or to reload.

This vulnerability is documented in Cisco bug ID CSCtt45381 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-1314.

Cisco IOS Software contains a DoS vulnerability in the MACE feature that could allow an unauthenticated, remote attacker to cause the router to reload. This vulnerability is documented in Cisco bug IDs CSCtq64987 and CSCtu57226 and has been assigned CVE ID CVE-2012-1312.

Impact
Successful exploitation of these vulnerabilities could allow an unauthenticated, remote attacker to cause the router to leak memory or to reload. Repeated exploits could allow a sustained DoS condition.

Link: http://tools.cisco.com/…/cisco-sa-20120328-mace

Cisco IOS Software Multicast Source Discovery Protocol Vulnerability
A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition.

Vulnerable Products
The following products are affected by this vulnerability:

  • Cisco IOS Software
  • Cisco IOS XE Software

Details
An MSDP packet containing encapsulated Internet Group Management Protocol (IGMP) data, received from an external MSDP-configured peer router, can cause an affected device to reload. This vulnerability can only be exploited if the router is explicitly joined to the multicast group. The MSDP packet destination address is a unicast address and can be addressed to any IP address on the affected device, including loopback addresses. Transit traffic will not trigger this vulnerability.

Impact
Successful exploitation of this vulnerability may cause the affected device to reload. Repeated exploitation may result in a sustained DoS condition.

Link: http://tools.cisco.com/…/cisco-sa-20120328-msdp

Cisco IOS Software Network Address Translation Vulnerability
The Cisco IOS Software Network Address Translation (NAT) feature contains a denial of service (DoS) vulnerability in the translation of Session Initiation Protocol (SIP) packets.

Vulnerable Products
Cisco devices that are running Cisco IOS Software are vulnerable when they are configured for NAT and contain support for NAT for Session Initiation Protocol.

Details
NAT SIP application level gateway (ALG) translation of SIP packets could cause memory resource exhaustion, leading to a DoS condition in which the vulnerable device reloads.

Impact
Successful exploitation of this vulnerability may cause memory use to grow and not be released until the device is reloaded. This memory consumption could lead to a DoS condition and cause the vulnerable device to become unresponsive or reload.

Link: http://tools.cisco.com/…/cisco-sa-20120328-nat

Cisco IOS Internet Key Exchange Vulnerability
The Cisco IOS Software Internet Key Exchange (IKE) feature contains a denial of service (DoS) vulnerability.

Vulnerable Products
Cisco devices that are running Cisco IOS Software are vulnerable when they are configured to use IKE version 1 (IKEv1).

A number of features use IKEv1, including different Virtual Private Networks (VPN) such as:

  • LAN-to-LAN VPN
  • Remote access VPN (excluding SSLVPN)
  • Dynamic Multipoint VPN (DMVPN)
  • Group Domain of Interpretation (GDOI)

There are two methods to determine if a device is configured for IKE:

  • Determine if IKE ports are open on a running device
  • Determine if IKE features are included in the device configuration

Details
Cisco IOS Software supports IKE for IPv4 and IPv6 communications.  IKE communication can use any of the following UDP ports:

  • UDP port 500
  • UDP port 4500, NAT Traversal (NAT-T)
  • UDP port 848, Group Domain of Interpretation (GDOI)
  • UDP port 4848, GDOI NAT-T

The IKEv1 feature of Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a reload of an affected device.

An attacker could exploit this vulnerability using either IPv4 or IPv6 on any of the listed UDP ports. Spoofing of packets that could exploit this vulnerability is limited because the attacker needs to either receive or have access to the initial response from the vulnerable device.

Impact
Successful exploitation of the vulnerability may cause the vulnerable device to reload.

Link: http://tools.cisco.com/…/cisco-sa-20120328-ike

Cisco IOS Software Smart Install Denial of Service Vulnerability
Cisco IOS Software contains a vulnerability in the Smart Install feature that could allow an unauthenticated, remote attacker to cause a reload of an affected device if the Smart Install feature is enabled. The vulnerability is triggered when an affected device processes a malformed Smart Install message on TCP port 4786.

Vulnerable Products
Devices configured as a Smart Install client or director are affected by this vulnerability. To display Smart Install information, use the show vstack config privileged EXEC command on the Smart Install director or client. The output of the show commands differs depending on whether they are entered on the director or on the client.

Details
A vulnerability exists in the Smart Install feature of Cisco IOS Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device. Smart Install uses a Cisco proprietary protocol that runs over TCP port 4786. To exploit this vulnerability, an attacker needs to establish a TCP session on port 4786 of an affected device that has the Smart Install feature enabled, and then send a malformed Smart Install message.

Impact
Successful exploitation of the vulnerability that is described in this advisory may cause a reload of an affected device. Repeated exploitation could result in a sustained denial of service condition.

Link: http://tools.cisco.com/…/cisco-sa-20120328-smartinstall

Cisco IOS Software Command Authorization Bypass
A vulnerability exists in the Cisco IOS Software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used. This vulnerability requires that the HTTP or HTTPS server is enabled on the Cisco IOS device.

Vulnerable Products
Any device running Cisco IOS Software release after 12.2 that has an HTTP or HTTPS server configured is affected by this vulnerability if AAA authorization is used.

Details
A vulnerability exists that may allow the Cisco IOS command authorization to be bypassed, allowing a remote, authenticated HTTP or HTTPS session to execute any Cisco IOS command that is configured for their authorization level. This vulnerability does not allow unauthenticated access; a valid username and password are required to successfully exploit this vulnerability. Additionally, the vulnerability does not allow a user to execute commands that are not configured for their privilege level.

Impact
Successful exploitation of the vulnerability may allow the Cisco IOS command authorization to be bypassed, allowing a remote, authenticated HTTP or HTTPS session to execute any Cisco IOS command that is configured for its authorization level.

Link: http://tools.cisco.com/…/cisco-sa-20120328-pai

Cisco IOS Software Zone-Based Firewall Vulnerabilities
Cisco IOS Software contains four vulnerabilities related to Cisco IOS Zone-Based Firewall features. These vulnerabilities are as follows:

  • Memory Leak Associated with Crafted IP Packets
  • Memory Leak in HTTP Inspection
  • Memory Leak in H.323 Inspection
  • Memory Leak in SIP Inspection

Vulnerable Products
Cisco IOS devices running vulnerable versions of Cisco IOS Software are affected by four vulnerabilities in the Cisco IOS Zone-Based Firewall. The vulnerabilities are independent of each other. Details to confirm affected configurations are provided below.

Details
The vulnerabilities described in this advisory affect the Zone-Based Firewall feature. The Zone-Based Policy Firewall (also known as Zone-Policy Firewall or ZFW) updates the firewall configuration from the older interface-based model to a more flexible, more easily understood zone-based model. Interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones. Inter-zone policies offer considerable flexibility and granularity, so different inspection policies can be applied to multiple host groups connected to the same router interface.

Impact
Successful exploitation of these vulnerabilities may result in a reload of the affected device. Repeated exploit attempts may result in a sustained denial of service (DoS) attack.

Link: http://tools.cisco.com/…/cisco-sa-20120328-zbfw

Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module
Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) are affected by the following vulnerabilities:

  • Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
  • Cisco ASA Threat Detection Denial of Service Vulnerability
  • Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
  • Protocol Independent Multicast Denial of Service Vulnerability

Vulnerable Products
Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module are affected by multiple vulnerabilities. Affected versions of Cisco ASA Software vary depending on the specific vulnerability. Consult the “Software Versions and Fixes” section of the linked security advisory for more information about the affected versions.

Cisco PIX Security Appliances may be affected by some of the vulnerabilities described in this security advisory. Cisco PIX has reached end of maintenance support. Cisco PIX Security Appliance customers are encouraged to migrate to Cisco ASA 5500 Series Adaptive Security Appliances.

Details

  • Cisco ASA UDP Inspection Engine Denial of Service Vulnerability: The Cisco ASA UDP inspection engine that is used to inspect UDP-based protocols contains a vulnerability that could allow a remote unauthenticated attacker to trigger a reload of the Cisco ASA. The vulnerability is due to improper flow handling by the inspection engine. An attacker could exploit this vulnerability by sending a specially crafted sequence through the affected system.
  • Cisco ASA Threat Detection Denial of Service Vulnerability: The vulnerability is due to improper handling of the internal flaw that is triggered by the shun event. An attacker may exploit this vulnerability by sending IP packets through the affected system in a way that triggers the shun option of the Threat Detection scanning feature.
  • Cisco ASA Syslog Message 305006 Denial of Service Vulnerability: A denial of service vulnerability exists in the implementation of one specific syslog message (message ID 305006) that can cause a reload of the Cisco ASA if this syslog message needs to be generated. An attacker could exploit this vulnerability by sending a sequence of packets that could trigger the generation of the syslog message.
  • Protocol Independent Multicast Denial of Service Vulnerability: A vulnerability exists in the way PIM is implemented that may cause affected devices to reload during the processing of a PIM message when multicast routing is enabled. The vulnerability is due to improper handling of PIM messages. An attacker could exploit this vulnerability by sending a crafted PIM message to the affected system.

Impact
Successful exploitation of any of the vulnerabilities described in this security advisory may allow a remote, unauthenticated attacker to reload the affected system.

Link: http://tools.cisco.com/…/cisco-sa-20120314-asa

Cisco Firewall Services Module Crafted Protocol Independent Multicast Message Denial of Service Vulnerability
The Cisco Catalyst 6500 Series Firewall Services Module (FWSM) contains a Protocol Independent Multicast (PIM) Denial of Service Vulnerability.

Vulnerable Products
The Cisco FWSM is affected by a vulnerability that may cause affected devices to reload during the processing of a PIM message when multicast routing is enabled. Multicast routing is disabled by default; however, when multicast routing is enabled on the Cisco FWSM, PIM is automatically enabled on all interfaces.

Details
A vulnerability exists in the way PIM is implemented that may cause affected devices to reload during the processing of a PIM message when multicast routing is enabled. The vulnerability is due to improper handling of PIM messages. An attacker could exploit this vulnerability by sending a crafted PIM message to the affected system.

Impact
Successful exploitation of the vulnerability may allow a remote, unauthenticated attacker to cause the affected system to reload.

Link: http://tools.cisco.com/…/cisco-sa-20120314-fwsm

Cisco ASA 5500 Series Adaptive Security Appliance Clientless VPN ActiveX Control Remote Code Execution Vulnerability
The affected ActiveX control is distributed to endpoint systems by Cisco ASA.  However, the impact of successful exploitation of this vulnerability is to the endpoint system only and does not compromise Cisco ASA devices.

Vulnerable Products
Cisco ASA 5500 Series Adaptive Security Appliances that are running one of the following versions contain the affected ActiveX component:
Cisco Adaptive Security Appliance Software 7.x: 7.1, 7.2
Cisco Adaptive Security Appliance Software 8.x: 8.0, 8.1, 8.2, 8.3, 8.4, 8.6

Details
When a browser that supports Microsoft ActiveX technology is used to create the Clientless VPN tunnel, the Cisco Port Forwarder ActiveX control may be sent to the endpoint system on which the browser is running.  This control contains an exploitable buffer overflow vulnerability that could allow an unauthenticated, remote attacker who can convince a user to visit a malicious website to execute attacker-controlled arbitrary code on the endpoint device.  The attacker-supplied code would be executed with the privileges of the user who invoked the browser used to visit the attacker-controlled website.  If the user has administrative privileges, a complete compromise may occur.

Impact
Successful exploitation of the vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code on the affected end-user system with the privileges of the user who invoked the web browser.  If the user has administrative privileges, code execution may result in a complete compromise of the affected system.

Link: http://tools.cisco.com/…/cisco-sa-20120314-asaclient