Mar 27, 2009

Mar. 25, 2009?! 8 new Cisco vulnerability advisories!

On March 25, 2009, the Cisco Product Security Incident Response Team (PSIRT) published 8 new vulnerability advisories. Most of them are denial-of-service (DoS) vulnerabilities.


1) Cisco IOS cTCP Denial of Service Vulnerability
A series of TCP packets may cause a denial of service (DoS) condition on Cisco IOS devices that are configured as Easy VPN servers with the Cisco Tunneling Control Protocol (cTCP) encapsulation feature.

Vulnerable Products
Cisco IOS devices running versions 12.4(9)T or later and configured for Cisco Tunneling Control Protocol (cTCP) encapsulation as an Easy VPN (EZVPN) server are vulnerable.

Details
The Cisco Tunneling Control Protocol (cTCP) feature is used by Easy VPN remote devices operating in an environment in which standard IPsec does not function transparently without modification to existing firewall rules. The cTCP traffic is actually TCP traffic: Cisco IOS cTCP packets are Internet Key Exchange (IKE) or Encapsulating Security Payload (ESP) packets that are transmitted over TCP.

A vulnerability exists where a series of TCP packets may cause a Cisco IOS device that is configured as an Easy VPN server with the cTCP encapsulation feature to run out of memory.

Impact
Successful exploitation of this vulnerability may cause the affected device to run out of memory. Repeated exploitation will result in a denial of service (DoS) condition.

Link: http://www.cisco.com/…/products_security_advisory09186a0080a90459.shtml


2) Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that can be exploited remotely to cause a reload of the Cisco IOS device.

Vulnerable Products
Cisco devices running affected Cisco IOS Software versions that process SIP messages are affected. The only requirement for this vulnerability is that the Cisco IOS device process SIP messages as part of configured VoIP functionality. Note that this does not apply to the processing of SIP messages as part of the NAT and firewall feature sets.

Details
SIP is a popular signaling protocol that is used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol has the flexibility to accommodate other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or TLS (TCP port 5061) as the underlying transport protocol.

A denial of service (DoS) vulnerability exists in the SIP implementation in Cisco IOS Software. This vulnerability is triggered by processing a specific and valid SIP message.

Impact
Successful exploitation of the vulnerability described in this document may result in a reload of the device. The issue could be repeatedly exploited to cause an extended DoS condition.

Link: http://www.cisco.com/…/products_security_advisory09186a0080a904c0.shtml


3) Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
The server side of the Secure Copy (SCP) implementation in Cisco IOS software contains a vulnerability that could allow authenticated users with an attached command-line interface (CLI) view to transfer files to and from a Cisco IOS device that is configured to be an SCP server, regardless of what users are authorized to do, per the CLI view configuration. This vulnerability could allow valid users to retrieve or write to any file on the device’s file system, including the device’s saved configuration and Cisco IOS image files, even if the CLI view attached to the user does not allow it. This configuration file may include passwords or other sensitive information.

The Cisco IOS SCP server is an optional service that is disabled by default. CLI views are a fundamental component of the Cisco IOS Role-Based CLI Access feature, which is also disabled by default. Devices that are not specifically configured to enable the Cisco IOS SCP server, or that are configured to use it but do not use role-based CLI access, are not affected by this vulnerability.

This vulnerability does not apply to the Cisco IOS SCP client feature.

Vulnerable Products
Cisco devices running an affected Cisco IOS software release, configured to offer SCP server functionality, and configured to use role-based CLI access are affected by this issue.

Details
SCP is a protocol similar to the Remote Copy (RCP) protocol, which allows the transfer of files between systems. The main difference between SCP and RCP is that in SCP, all aspects of the file transfer session, including authentication, occur in encrypted form, which makes SCP a more secure alternative than RCP. SCP relies on the Secure Shell (SSH) protocol, which uses TCP port 22 by default.

The Role-Based CLI Access feature allows the network administrator to define “views”. Views are sets of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS software EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. For more information about the Role-Based CLI Access feature, reference http://www.cisco.com/…/feature/guide/gtclivws.html.

The server side of the SCP implementation in Cisco IOS software contains a vulnerability that allows authenticated users with an attached command-line interface (CLI) view to transfer files to and from a Cisco IOS device that is configured to be an SCP server, regardless of what those users are authorized to do per the CLI view configuration. This vulnerability could allow authenticated users to retrieve or write to any file on the device’s file system, including the device’s saved configuration and Cisco IOS image files. The configuration file may include passwords or other sensitive information.

In the affected configuration presented in the Affected Products section, users confined to a CLI view can elevate their privileges by using SCP to write to the device’s configuration. Note that a view can be attached to a user when defining the user in the local database (via the username <user name> view … command), or by passing the attribute cli-view-name from an AAA server.

This vulnerability does not allow for authentication bypass; login credentials are still verified, and access is only granted if a valid username and password are provided. What this vulnerability allows is an authorization bypass: the restrictions of the attached CLI view are not enforced for SCP transfers.

Impact
Successful exploitation of the vulnerability described in this advisory may allow valid but unauthorized users to retrieve or write to any file on the device’s file system, including the device’s saved configuration and Cisco IOS image files. This configuration file may include passwords or other sensitive information.

Link: http://www.cisco.com/…/products_security_advisory09186a0080a904c8.shtml


4) Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
Devices that are running Cisco IOS Software and configured for the Mobile IP Network Address Translation (NAT) Traversal feature or for Mobile IPv6 are vulnerable to a denial of service (DoS) attack that may result in a blocked interface.

Vulnerable Products
Devices running Cisco IOS Software and configured for the Mobile IP NAT Traversal feature will have a line similar to one of the following in the output of the show running-config command:

ip mobile home-agent nat traversal […]

or

ip mobile foreign-agent nat traversal […]

or

ip mobile router-service collocated registration nat traversal […]

Devices running Cisco IOS Software and configured for Mobile IPv6 will have a line similar to the following in the output of the show running-config command:

ipv6 mobile home-agent
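The configuration check above is easy to automate across many devices. The following script is an added example (not Cisco's own tooling): it scans the saved text of show running-config for exactly the Mobile IP NAT Traversal and Mobile IPv6 lines the advisory names, treating the advisory's "[…]" as "any further arguments". The sample configuration at the bottom is constructed for the example.

```python
import re

# Configuration lines named in the advisory. Each pattern must match the
# start of a config line; the advisory's "[...]" means further arguments
# may follow, so anything after the prefix is accepted.
MOBILE_IP_NAT_TRAVERSAL = (
    "ip mobile home-agent nat traversal",
    "ip mobile foreign-agent nat traversal",
    "ip mobile router-service collocated registration nat traversal",
)
MOBILE_IPV6 = ("ipv6 mobile home-agent",)


def _matches(line, prefixes):
    """True if a whitespace-normalised config line starts with any prefix."""
    norm = re.sub(r"\s+", " ", line.strip())
    return any(norm == p or norm.startswith(p + " ") for p in prefixes)


def audit_mobile_ip(running_config):
    """Scan 'show running-config' text and return a dict mapping the
    exposed feature ('mobile-ip-nat-traversal', 'mobile-ipv6') to the
    config lines that triggered it, so the operator sees the evidence."""
    findings = {}
    for raw in running_config.splitlines():
        line = raw.strip()
        # Skip separators/comments and explicit 'no ...' negations.
        if not line or line.startswith("!") or line.startswith("no "):
            continue
        if _matches(line, MOBILE_IP_NAT_TRAVERSAL):
            findings.setdefault("mobile-ip-nat-traversal", []).append(line)
        elif _matches(line, MOBILE_IPV6):
            findings.setdefault("mobile-ipv6", []).append(line)
    return findings


# Constructed sample configuration (not captured from a real device).
SAMPLE_CONFIG = """\
!
hostname edge-router
!
ip mobile home-agent nat traversal keepalive 110
ip mobile foreign-agent care-of GigabitEthernet0/0
ipv6 mobile home-agent
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
"""

if __name__ == "__main__":
    for feature, lines in audit_mobile_ip(SAMPLE_CONFIG).items():
        print(f"{feature}: {lines}")
```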

Details
Mobile IP is part of both the IPv4 and IPv6 standards. Mobile IP allows a host device to be identified by a single IP address even though the device may move its physical point of attachment from one network to another. Regardless of movement between different networks, connectivity at the different points is achieved seamlessly without user intervention. Roaming from a wired network to a wireless or wide-area network is also possible.

More information on Mobile IPv6 can be found at the following link: http://www.cisco.com/…/guide/ip6-mobile.html

The Mobile IP Support NAT Traversal feature is documented in RFC 3519. It introduces an alternative method for tunneling Mobile IP data traffic. New extensions in the Mobile IP registration request and reply messages have been added for establishing User Datagram Protocol (UDP) tunneling. This feature allows mobile devices in collocated mode that use a private IP address (RFC 1918), or foreign agents (FAs) that use a private IP address for the care-of address (CoA), to establish a tunnel and traverse a NAT-enabled router with mobile node (MN) data traffic from the home agent (HA).

More information on the Mobile IP NAT Traversal feature can be found at the following link: http://www.cisco.com/…/feature/guide/gtnatmip.html

Devices that are running an affected version of Cisco IOS Software and configured for Mobile IPv6 or the Mobile IP NAT Traversal feature are affected by a DoS vulnerability. Successful exploitation of this vulnerability could cause an interface to stop processing traffic until the system is restarted. Offending packets must be destined to the router itself for a successful exploit; transit traffic does not trigger it.

Impact
Successful exploitation of the vulnerability may cause an interface to stop processing traffic, resulting in a DoS condition.

Link: http://www.cisco.com/…/products_security_advisory09186a0080a9042f.shtml


5) Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
Cisco IOS software contains two vulnerabilities within the Cisco IOS WebVPN or Cisco IOS SSLVPN feature (SSLVPN) that can be remotely exploited without authentication to cause a denial of service condition. Both vulnerabilities affect both Cisco IOS WebVPN and Cisco IOS SSLVPN features:

  • A crafted HTTPS packet will crash the device.
  • SSLVPN sessions cause a memory leak in the device.

Vulnerable Products
Devices running affected versions of Cisco IOS software are affected if configured with SSLVPN.

Details
The Cisco SSLVPN feature provides remote access to enterprise sites by users from anywhere on the Internet. The SSLVPN provides users with secure access to specific enterprise applications, such as e-mail and web browsing, without requiring them to have VPN client software installed on their end-user devices.

The WebVPN Enhancements feature (Cisco IOS SSLVPN), released in Cisco IOS Release 12.4(6)T, obsoletes the commands and configurations originally put forward in Cisco IOS WebVPN.

Impact
Successful exploitation of either of the two vulnerabilities may result in the device crashing, not accepting any new SSLVPN sessions, or leaking memory. Repeated exploitation may result in an extended denial of service (DoS) condition.

Link: http://www.cisco.com/…/products_security_advisory09186a0080a90424.shtml


6) Cisco IOS Software Multiple Features IP Sockets Vulnerability
A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service attack when any of several features of Cisco IOS® Software are enabled. A sequence of specially crafted TCP/IP packets could cause any of the following results:

  • The configured feature may stop accepting new connections or sessions.
  • The memory of the device may be consumed.
  • The device may experience prolonged high CPU utilization.
  • The device may reload.

Vulnerable Products
Devices that are running affected versions of Cisco IOS Software and Cisco IOS XE Software are affected if they are running any of the following features. Details about confirming whether the affected feature is enabled on a device are in the “Details” section of this advisory.

  • Cisco Unified Communications Manager Express
  • SIP Gateway Signaling Support Over Transport Layer Security (TLS) Transport
  • Secure Signaling and Media Encryption
  • Blocks Extensible Exchange Protocol (BEEP)
  • Network Admission Control HTTP Authentication Proxy
  • Per-user URL Redirect for EAPoUDP, Dot1x, and MAC Authentication Bypass
  • Distributed Director with HTTP Redirects
  • DNS (TCP mode only)

Details
For successful exploitation of this vulnerability, the TCP three-way handshake must be completed to the associated TCP port number(s) for any of the features described in this section.

Impact
Successful exploitation of the vulnerability may result in any of the following:

  • The configured feature may stop accepting new connections or sessions.
  • The memory of the device may be consumed.
  • The device may experience prolonged high CPU utilization.
  • The device may reload.

Repeated attempts to exploit this vulnerability could result in a sustained DoS condition.

Link: http://www.cisco.com/…/products_security_advisory09186a0080a904c6.shtml


7) Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability
Cisco IOS® Software contains a vulnerability in multiple features that could allow an attacker to cause a denial of service (DoS) condition on the affected device. A sequence of specially crafted TCP packets can cause the vulnerable device to reload.

Vulnerable Products
Devices running affected versions of Cisco IOS Software and Cisco IOS XE Software are affected when configured to use any of the following features within Cisco IOS:

  • Airline Product Set (ALPS)
  • Serial Tunnel Code (STUN) and Block Serial Tunnel Code (BSTUN)
  • Native Client Interface Architecture support (NCIA)
  • Data-link switching (DLSw)
  • Remote Source-Route Bridging (RSRB)
  • Point to Point Tunneling Protocol (PPTP)
  • X.25 for Record Boundary Preservation (RBP)
  • X.25 over TCP (XOT)
  • X.25 Routing

Details
Completion of the TCP three-way handshake to the associated TCP port number(s) of any of the features listed above is required in order for the vulnerability to be successfully exploited.

Impact
Successful exploitation of this vulnerability will cause the device to reload. Repeated attempts to exploit this vulnerability could result in a sustained DoS condition.

Link: http://www.cisco.com/…/products_security_advisory09186a0080a904cb.shtml


8) Cisco IOS Software Multiple Features Crafted UDP Packet Vulnerability
Several features within Cisco IOS Software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device itself can result in the interface being blocked; transit traffic will not block the interface.

Vulnerable Products
Devices running affected versions of Cisco IOS Software and Cisco IOS XE Software are affected when running any of the following features:

  • IP Service Level Agreements (SLA) Responder
  • Session Initiation Protocol (SIP)
  • H.323 Annex E Call Signaling Transport
  • Media Gateway Control Protocol (MGCP)

Details
A device is vulnerable if any of the features listed above is configured and its associated UDP port is reachable. For each feature, in addition to inspecting the Cisco IOS configuration for vulnerable settings, administrators can also use show commands to determine whether the Cisco IOS device is running processes that handle the UDP service, or whether the device is listening on the affected UDP ports.

Different versions of Cisco IOS Software have different methods of showing the UDP ports on which the device is listening. The “show ip sockets” or “show udp” commands can be used to determine these ports. For each feature, the advisory gives one example using the above commands to show the affected UDP port number.
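As an added example (not from the advisory), the script below parses the socket table printed by show ip sockets / show udp and reports which listening UDP ports belong to the four affected features. It assumes a row layout of "Proto Remote Port Local Port In Out Stat TTY OutputIF" where the local port is the number immediately after the local address (or "--any--"), and it assumes the default port numbers 1967 (IP SLA Responder control), 2517 (H.323 Annex E) and 2427 (MGCP), which are not given on this page; only 5060 for SIP is. The sample output is constructed, not captured from a device.

```python
# Affected features from the advisory, keyed by the UDP port each listens on
# by default. ASSUMPTION: 1967, 2517 and 2427 are this example's values and
# must be confirmed against the advisory; 5060 is stated on the page.
ASSUMED_FEATURE_PORTS = {
    1967: "IP SLA Responder (control port)",
    5060: "Session Initiation Protocol (SIP)",
    2517: "H.323 Annex E Call Signaling Transport",
    2427: "Media Gateway Control Protocol (MGCP)",
}


def _is_address(tok):
    """Local/remote address column: IPv4, IPv6, or the '--any--' wildcard."""
    return tok == "--any--" or "." in tok or ":" in tok


def udp_listeners(socket_table):
    """Parse 'show ip sockets' / 'show udp' text into {local_port: local_addr}
    for every UDP socket (protocol 17, printed as '17' or '17(v6)').
    The port is taken as the token right after the last address-looking
    token, which works whether or not a remote address/port is printed."""
    listeners = {}
    for line in socket_table.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("17"):
            continue  # header, blank line, or a non-UDP (e.g. TCP) row
        addr_idx = max((i for i, t in enumerate(tokens) if _is_address(t)),
                       default=-1)
        if addr_idx < 0 or addr_idx + 1 >= len(tokens):
            continue
        port = tokens[addr_idx + 1]
        if port.isdigit():
            listeners[int(port)] = tokens[addr_idx]
    return listeners


def exposed_features(socket_table, feature_ports=ASSUMED_FEATURE_PORTS):
    """Return [(port, feature name, local address)] for affected features
    that the device is actually listening on, sorted by port."""
    return [(port, feature_ports[port], addr)
            for port, addr in sorted(udp_listeners(socket_table).items())
            if port in feature_ports]


# Constructed sample output in the assumed layout (not from a real device).
SAMPLE_SHOW_IP_SOCKETS = """\
Proto    Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17 0.0.0.0             0 192.0.2.1          67   0   0    1   0
 17 --listen--          192.0.2.1        5060   0   0 1001   0
 17 --listen--          192.0.2.1        2427   0   0 1001   0
 17(v6) --listen--      --any--           161   0   0 1001   0
"""

if __name__ == "__main__":
    for port, feature, addr in exposed_features(SAMPLE_SHOW_IP_SOCKETS):
        print(f"UDP/{port} on {addr}: {feature}")
```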

Successful exploitation of this vulnerability can block an interface on the device. The interface type is not relevant for this vulnerability, so Ethernet-based interfaces, ATM, Serial, POS and other types of interfaces can all be affected. All subinterfaces defined under a main physical interface are affected if the main interface is blocked, and if the attack arrives over a subinterface, the main interface will block. A blocked interface will stop receiving any subsequent packets until it is unblocked. All other interfaces are not affected and will continue receiving and transmitting packets.

Only packets destined for a reachable configured IP address on any interface of the device can exploit this vulnerability. Transit traffic will not exploit this vulnerability.

A symptom of this type of blocked queue is the failure of control-plane protocols such as routing protocols (OSPF, EIGRP, BGP, ISIS, etc.) and MPLS TDP/LDP to properly establish connections over an affected interface. Transit traffic may be affected once protocol timers expire on the affected device.

Impact
Successful exploitation of this vulnerability may cause the inbound interface to become blocked, after which it silently drops any received traffic. A reload of the device is required to restore normal functionality.

Link: http://www.cisco.com/…/products_security_advisory09186a0080a90426.shtml