March 30, 2010

March 2010: seven more new Cisco vulnerabilities

On March 24, 2010, the Cisco Product Security Incident Response Team (PSIRT) published seven important vulnerability advisories:

  • Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities
  • Cisco Security Advisory: Cisco IOS Software H.323 Denial of Service Vulnerabilities
  • Cisco Security Advisory: Cisco IOS Software Multiprotocol Label Switching Packet Vulnerability
  • Cisco Security Advisory: Cisco IOS Software IPsec Vulnerability
  • Cisco Security Advisory: Cisco IOS Software NAT Skinny Call Control Protocol Vulnerability
  • Cisco Security Advisory: Cisco Unified Communications Manager Express Denial of Service Vulnerabilities
  • Cisco Security Advisory: Cisco IOS Software Crafted TCP Packet Denial of Service Vulnerability

Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities
Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS® Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device when SIP operation is enabled. Remote code execution may also be possible. Cisco has released free software updates that address these vulnerabilities. For devices that must run SIP there are no workarounds; however, mitigations are available to limit exposure of the vulnerabilities.

Vulnerable Products
Cisco devices running affected Cisco IOS Software versions that are configured to process SIP messages are affected.

Details
SIP is a popular signaling protocol that is used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol has the flexibility to accommodate other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or TLS (TCP port 5061) as the underlying transport protocol.

Three vulnerabilities exist in the SIP implementation in Cisco IOS Software that may allow a remote attacker to cause a device reload, or execute arbitrary code. These vulnerabilities are triggered when the device running Cisco IOS Software processes malformed SIP messages. In cases where SIP is running over TCP transport, a TCP three-way handshake is necessary to exploit these vulnerabilities.

Impact
Successful exploitation of the vulnerabilities in this advisory may result in a reload of the device. Repeated exploitation could result in a sustained denial of service condition. There is a potential to execute arbitrary code. In the event of successful remote code execution, device integrity could be completely compromised.

Link: http://www.cisco.com/…/security_advisory09186a0080b20f32.shtml

Cisco IOS Software H.323 Denial of Service Vulnerabilities
The H.323 implementation in Cisco IOS Software contains two vulnerabilities that may be exploited remotely to cause a denial of service (DoS) condition on a device that is running a vulnerable version of Cisco IOS Software. Cisco has released free software updates that address these vulnerabilities. There are no workarounds to mitigate these vulnerabilities other than disabling H.323 on the vulnerable device if H.323 is not required.

Vulnerable Products
Cisco devices that are running affected Cisco IOS Software versions that are configured to process H.323 messages are affected by these vulnerabilities. H.323 is not enabled by default.

Details
H.323 is the ITU standard for real-time multimedia communications and conferencing over packet-based (IP) networks. A subset of the H.323 standard is H.225.0, a standard used for call signaling protocols and media stream packetization over IP networks. The H.323 implementation in Cisco IOS Software contains two DoS vulnerabilities. An attacker can exploit these vulnerabilities remotely by sending crafted H.323 packets to the affected device that is running Cisco IOS Software. A TCP three-way handshake is needed to exploit these vulnerabilities. When exploited, the first vulnerability may lead to an interface queue wedge. The second vulnerability may cause a memory leak and, in most cases, the device to reload.

Impact
Successful exploitation of the vulnerabilities described in this advisory may cause the affected device to experience an interface queue wedge or to reload. These vulnerabilities could be exploited repeatedly to cause an extended DoS condition.

Link: http://www.cisco.com/…/security_advisory09186a0080b20ee4.shtml

Cisco IOS Software Multiprotocol Label Switching Packet Vulnerability
A device running Cisco IOS® Software, Cisco IOS XE Software, or Cisco IOS XR Software is vulnerable to a remote denial of service (DoS) condition if it is configured for Multiprotocol Label Switching (MPLS) and has support for Label Distribution Protocol (LDP). A crafted LDP UDP packet can cause an affected device running Cisco IOS Software or Cisco IOS XE Software to reload. On devices running affected versions of Cisco IOS XR Software, such packets can cause the device to restart the mpls_ldp process.
A system is vulnerable if configured with either LDP or Tag Distribution Protocol (TDP).

Vulnerable Products
Several features within Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software require the device to listen for either targeted LDP hello messages or link LDP hello messages. The most reliable way to determine whether the device is configured to listen to LDP hello messages is to log in to the device and perform these actions:

  1. Confirm whether MPLS forwarding is enabled.
  2. Confirm whether the device is listening to LDP hello messages.

Details
MPLS LDP enables peer label switch routers (LSRs) in an MPLS network to exchange label binding information for supporting hop-by-hop forwarding in an MPLS network.
A vulnerability exists in Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software when processing a specially crafted LDP packet. For the device to be vulnerable, it has to be configured to process LDP hello messages, as explained within the Affected Products section of this advisory.
The crafted LDP packet can be received as either a unicast or multicast UDP packet on UDP port 646 on any listening IP address of the device. Transit traffic will not trigger this vulnerability.

Impact
Successful exploitation of this vulnerability on a device running a vulnerable version of Cisco IOS Software or Cisco IOS XE Software will cause the affected device to reload. Exploitation on a router running a vulnerable version of Cisco IOS XR Software will result in a restart of the mpls_ldp process.
The issue could be repeatedly exploited to cause an extended DoS condition.

Link: http://www.cisco.com/…/security_advisory09186a0080b20ee2.shtml

Cisco IOS Software IPsec Vulnerability
A malformed Internet Key Exchange (IKE) packet may cause a device running Cisco IOS Software to reload. Only Cisco 7200 Series and Cisco 7301 routers running Cisco IOS software with a VPN Acceleration Module 2+ (VAM2+) installed are affected.

Vulnerable Products
Only Cisco 7200 Series and Cisco 7301 routers with VPN Acceleration Module 2+ (VAM2+) are affected by this vulnerability.

Details
IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE is a key management protocol standard that is used with the IPsec standard. A vulnerability exists in the Cisco IOS Software implementation of IKE where a malformed packet may cause a device running Cisco IOS Software to reload. Only Cisco 7200 Series and Cisco 7301 routers running Cisco IOS software with a VPN Acceleration Module 2+ (VAM2+) installed are affected.

Impact
Successful exploitation of this vulnerability may cause the affected device to reload. Repeated exploitation will result in a denial of service (DoS) condition.

Link: http://www.cisco.com/…/advisory09186a0080b20ee5.shtml

Cisco IOS Software NAT Skinny Call Control Protocol Vulnerability
Skinny Client Control Protocol (SCCP) crafted messages may cause a Cisco IOS device that is configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to reload.
Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.

Vulnerable Products
This security advisory applies to all Cisco products that run Cisco IOS Software configured for Network Address Translation (NAT) and that support the NAT SCCP Fragmentation Support feature. This feature was first introduced in Cisco IOS Software Release 12.4(6)T.

Details
The Skinny Client Control Protocol (SCCP) enables voice communication between an SCCP client and a Call Manager (CM). Typically, the CM provides service to the SCCP clients on TCP Port 2000 by default. Initially, an SCCP client connects to the CM by establishing a TCP connection; the client will also establish a TCP connection with a secondary CM, if available.
The NAT SCCP Fragmentation Support feature enables the Skinny Application Layer Gateway (ALG) to reassemble skinny control messages. Since this feature was introduced in Cisco IOS version 12.4(6)T, SCCP payloads requiring reassembly and NAT are no longer dropped.
A series of crafted SCCP packets may cause a Cisco IOS router that is running the NAT SCCP Fragmentation Support feature to reload.

Impact
Successful exploitation of this vulnerability may cause the affected device to reload. Repeated exploitation will result in a denial of service (DoS) condition.

Link: http://www.cisco.com/…/security_advisory09186a0080b20ee6.shtml

Cisco Unified Communications Manager Express Denial of Service Vulnerabilities
Devices running Cisco IOS® Software and configured for Cisco Unified Communications Manager Express (CME) or Cisco Unified Survivable Remote Site Telephony (SRST) operation are affected by two denial of service vulnerabilities that may result in a device reload if successfully exploited. The vulnerabilities are triggered when the Cisco IOS device processes specific, malformed Skinny Call Control Protocol (SCCP) messages.

Vulnerable Products
To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to “Cisco Internetwork Operating System Software” or “Cisco IOS Software.” The image name is displayed in parentheses, followed by “Version” and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.
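The banner check described above, as an added example that is not part of the original post or of any Cisco tooling: a small parser that recognizes the Cisco IOS Software banner, extracts the image name and the release components (major, minor, release number, train, rebuild), and only compares releases within the same train, as is needed when checking a feature introduction such as the 12.4(6)T noted for NAT SCCP Fragmentation Support. The sample banners are constructed for the example.

```python
import re

# Constructed sample 'show version' banners, modelled on the format the
# advisory describes: the string "Cisco IOS Software" (older images print
# "Cisco Internetwork Operating System Software"), the image name in
# parentheses, then "Version" followed by the release name.
MODERN_BANNER = (
    "Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), "
    "Version 12.4(15)T7, RELEASE SOFTWARE (fc3)\n"
    "Technical Support: http://www.cisco.com/techsupport\n"
)
LEGACY_BANNER = (
    "Cisco Internetwork Operating System Software\n"
    "IOS (tm) 7200 Software (C7200-IK9S-M), Version 12.2(25)S3, "
    "RELEASE SOFTWARE (fc1)\n"
)
# Constructed non-IOS banner: other Cisco products print different output.
NOT_IOS = "Cisco Adaptive Security Appliance Software Version 8.2(1)\n"

IOS_MARKERS = ("Cisco IOS Software", "Cisco Internetwork Operating System Software")
BANNER_RE = re.compile(r"\((?P<image>[A-Z0-9_-]+)\),\s*Version\s+(?P<version>[^,\s]+)")
# 12.4(15)T7 -> major 12, minor 4, release 15, train T, rebuild 7
RELEASE_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\((?P<release>\d+)[a-z]?\)(?P<train>[A-Z]*)(?P<rebuild>\d*)$"
)

def parse_show_version(text):
    """Return image name and release components, or None when the text does
    not identify Cisco IOS Software or the release name is not recognized."""
    if not any(marker in text for marker in IOS_MARKERS):
        return None
    m = BANNER_RE.search(text)
    if m is None:
        return None
    r = RELEASE_RE.match(m.group("version"))
    if r is None:
        return None
    return {
        "image": m.group("image"),
        "version": m.group("version"),
        "major": int(r.group("major")),
        "minor": int(r.group("minor")),
        "release": int(r.group("release")),
        "train": r.group("train"),          # "" means the mainline train
        "rebuild": int(r.group("rebuild") or 0),
    }

def same_train_at_or_after(parsed, major, minor, release, train):
    """True/False when the image is on the given major.minor and train and at
    or after the given release; None when the trains differ, because release
    numbers are not comparable across trains."""
    if (parsed["major"], parsed["minor"], parsed["train"]) != (major, minor, train):
        return None
    return parsed["release"] >= release
```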

Details
Cisco Unified CME is the call processing component of an enhanced IP telephony solution that is integrated into Cisco IOS Software. Cisco Unified SRST is a critical component of a centralized call-processing architecture in which a Cisco Unified Communications Manager cluster, located at a central site, provides telephony services for all sites of an organization.
The Cisco Unified CME and Cisco Unified SRST features in Cisco IOS Software are affected by two denial of service (DoS) vulnerabilities that may cause a device reload when processing specific, malformed SCCP messages. The malformed SCCP messages can only come from registered phone IP addresses. If the auto-registration feature is enabled (Cisco Unified CME only), an attacker can register its IP address and subsequently send a malformed payload to exploit these vulnerabilities. The auto-registration feature is enabled by default. More information on auto-registration can be found at the following link: http://www.cisco.com/…/reference/cme_a1ht.html#wp1031242
Exploitation of these vulnerabilities requires that a TCP three-way handshake to the SCCP port be completed. By default, the SCCP port is TCP port 2000, but this can be changed with the ip source-address command in telephony service configuration mode.

Impact
Successful exploitation of the vulnerabilities in this advisory may result in a reload of the affected device. Repeated exploitation could result in a sustained denial of service condition.

Link: http://www.cisco.com/…/advisory09186a0080b20f33.shtml

Cisco IOS Software Crafted TCP Packet Denial of Service Vulnerability
Cisco IOS® Software is affected by a denial of service vulnerability that may allow a remote unauthenticated attacker to cause an affected device to reload or hang. The vulnerability may be triggered by a TCP segment containing crafted TCP options that is received during the TCP session establishment phase. In addition to specific, crafted TCP options, the device must have a special configuration to be affected by this vulnerability.

Vulnerable Products
Vulnerable devices are running an affected version of Cisco IOS Software, and are configured for any of the following:

  • A specific TCP window size
  • TCP path MTU discovery (PMTUD)
  • Stateful Network Address Translation (SNAT) with TCP as the transport protocol

Details
Cisco IOS Software is affected by a denial of service vulnerability that may allow a remote unauthenticated attacker to cause a device reload or hang. The vulnerability may only be triggered by a TCP segment received during the TCP session establishment phase. The received TCP segment must contain crafted, not malformed, TCP options. A TCP three-way handshake does not need to be completed to exploit the vulnerability. To be affected by this vulnerability, a device must be configured for any of the following:

  • A specific TCP receive window size
  • PMTUD
  • SNAT with TCP as the transport protocol

Impact
Successful exploitation of the vulnerability may cause the affected device to reload or hang. Repeated exploitation could result in a sustained denial of service condition. In the case of a hang, cycling power to the device may be required to put the device back in service.

Link: http://www.cisco.com/…/advisory09186a0080b20f34.shtml
