Apr 7 2014

March 2014: nine Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published nine important vulnerability advisories:

  • Cisco IOS Software SSL VPN Denial of Service Vulnerability
  • Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
  • Cisco IOS Software Internet Key Exchange Version 2 Denial of Service Vulnerability
  • Cisco IOS Software Crafted IPv6 Packet Denial of Service Vulnerability
  • Cisco 7600 Series Route Switch Processor 720 with 10 Gigabit Ethernet Uplinks Denial of Service Vulnerability
  • Cisco IOS Software Network Address Translation Vulnerabilities
  • Cisco AsyncOS Software Code Execution Vulnerability
  • Cisco Small Business Router Password Disclosure Vulnerability
  • Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Cisco IOS Software SSL VPN Denial of Service Vulnerability
A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

Vulnerable Products
Only devices that have been configured for the WebVPN Enhancements feature (Cisco IOS SSLVPN) are affected by this vulnerability.

Details
The vulnerability is due to a failure to process certain types of HTTP requests. To exploit the vulnerability, an attacker could submit crafted requests designed to consume memory to an affected device. An exploit could allow the attacker to consume and fragment memory on the affected device. This may cause reduced performance, a failure of certain processes, or a restart of the affected device.
A three-way TCP handshake must be completed for each malicious connection to an affected device; however, authentication is not required. The default TCP port number for SSLVPN is 443.

Impact
Successful exploitation of the vulnerability described in this document could allow an unauthenticated remote attacker to cause a DoS condition. This may take the form of either reduced performance of an affected device, a failure to maintain routing protocols, or a restart of the device.

Link: http://tools.cisco.com/…/cisco-sa-20140326-ios-sslvpn

 

Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
A vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device. To exploit this vulnerability, affected devices must be configured to process SIP messages. Limited Cisco IOS Software and Cisco IOS XE Software releases are affected.

Vulnerable Products
Cisco devices are affected when they are running an affected Cisco IOS Software or Cisco IOS XE Software release and are configured to process SIP messages. The following Cisco IOS Software and Cisco IOS XE Software releases are affected by this vulnerability:

  • Cisco IOS Software release 15.3(3)M and 15.3(3)M1
  • Cisco IOS XE Software release 3.10.0S, 3.10.0aS and 3.10.1S1

Details
A vulnerability in the SIP functionality of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a device reload. The vulnerability is due to incorrect processing of specific SIP messages. An attacker could exploit this vulnerability by sending specific SIP messages, which may be considered well formed or crafted, to the SIP gateway. An exploit could allow the attacker to trigger a device reload.

Impact
Successful exploitation of the vulnerability in this advisory may result in a reload of an affected device. Repeated exploitation could result in a sustained denial of service (DoS) condition.

Link: http://tools.cisco.com/…/cisco-sa-20140326-sip

 

Cisco IOS Software Internet Key Exchange Version 2 Denial of Service Vulnerability
The vulnerability is due to how an affected device processes certain malformed IKEv2 packets. An attacker could exploit this vulnerability by sending malformed IKEv2 packets to an affected device to be processed. An exploit could allow the attacker to cause a reload of the affected device that would lead to a DoS condition.

Vulnerable Products
Although only IKEv2 packets can be used to trigger this vulnerability, devices that are running Cisco IOS Software or Cisco IOS XE Software are vulnerable when ISAKMP is enabled.
A device does not need to be configured with any IKEv2-specific features to be vulnerable.

Details
The vulnerability is due to how an affected device processes certain malformed IKEv2 packets. An attacker could exploit this vulnerability by sending malformed IKEv2 packets to an affected device to be processed. An exploit could allow the attacker to cause a reload of the affected device that would lead to a DoS condition. Although IKEv2 is automatically enabled on Cisco IOS Software and Cisco IOS XE Software when ISAKMP is enabled, the vulnerability can be triggered only by sending a malformed IKEv2 packet.

Only IKEv2 packets can trigger this vulnerability. An exploit could cause Cisco IOS Software to reload, leading to a DoS condition.

Impact
Successful exploitation of the vulnerability may cause a reload of the affected device and lead to a DoS condition.

Link: http://tools.cisco.com/…/cisco-sa-20140326-ikev2

 

Cisco IOS Software Crafted IPv6 Packet Denial of Service Vulnerability
A vulnerability in the implementation of the IP version 6 (IPv6) protocol stack in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause I/O memory depletion on an affected device that has IPv6 enabled. The vulnerability is triggered when an affected device processes a malformed IPv6 packet.

Vulnerable Products
A Cisco device that is running an affected Cisco IOS Software or Cisco IOS XE Software release and has IPv6 enabled will show interfaces with assigned IPv6 addresses when the show ipv6 interface brief command is issued.

Details
A vulnerability in the implementation of the IPv6 protocol stack in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause I/O memory depletion on the affected device. The vulnerability is due to incorrect processing of crafted IPv6 packets. An attacker could exploit this vulnerability by sending specially crafted IPv6 packets to the affected device. An exploit could allow the attacker to trigger I/O memory depletion, which causes device instability and could cause the device to reload.

Impact
Successful exploitation of the vulnerability that is described in this advisory may cause the I/O memory of an affected device to be depleted. Memory depletion could cause routing protocols to fail, make the device inaccessible for remote access, and cause a reload of the affected device. Repeated exploitation could result in a sustained denial of service (DoS) condition.

Link: http://tools.cisco.com/…/cisco-sa-20140326-ipv6

 

Cisco 7600 Series Route Switch Processor 720 with 10 Gigabit Ethernet Uplinks Denial of Service Vulnerability
A vulnerability in the Cisco 7600 Series Route Switch Processor 720 with 10 Gigabit Ethernet Uplinks models RSP720-3C-10GE and RSP720-3CXL-10GE could allow an unauthenticated, remote attacker to cause the route processor to reboot or stop forwarding traffic. The vulnerability is due to an issue in the Kailash field-programmable gate array (FPGA) versions prior to 2.6.

Vulnerable Products
This vulnerability affects only the Cisco 7600 Series Route Switch Processor 720 with 10 Gigabit Ethernet Uplinks models RSP720-3C-10GE and RSP720-3CXL-10GE that have onboard Kailash FPGA versions prior to 2.6 and are running a Cisco IOS Software release that does not contain the fix.

Details
A vulnerability in the Cisco 7600 Series Route Switch Processor 720 with 10 Gigabit Ethernet Uplinks models RSP720-3C-10GE and RSP720-3CXL-10GE with a Kailash FPGA version prior to 2.6 could allow an unauthenticated, remote attacker to cause the route switch processor to reboot or stop forwarding traffic.

The vulnerability is due to an issue in the Kailash FPGA versions prior to 2.6. An attacker could exploit this vulnerability by sending crafted IP packets to or through the affected device. An exploit could allow the attacker to cause the route processor to stop forwarding traffic or to reboot.

Impact
Successful exploitation of the vulnerability may cause intermittent traffic disruption or a reboot of the device.

Link: http://tools.cisco.com/…/cisco-sa-20140326-RSP72010GE

 

Cisco IOS Software Network Address Translation Vulnerabilities
The Cisco IOS Software implementation of the Network Address Translation (NAT) feature contains two vulnerabilities when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service condition.

Vulnerable Products
These vulnerabilities affect devices that are running vulnerable versions of Cisco IOS Software and have NAT configured.

Details
The Cisco IOS Software implementation of the Network Address Translation (NAT) feature contains two vulnerabilities when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

Cisco IOS Software NAT DNS Vulnerability: A vulnerability in the Application Layer Gateway (ALG) module of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a reload of the affected device which could lead to a denial of service (DoS) condition. The vulnerability is due to the way certain malformed DNS packets are processed on an affected device when those packets undergo Network Address Translation (NAT). An attacker could exploit this vulnerability by sending malformed DNS packets to be processed and translated by an affected device. An exploit could allow the attacker to cause a reload of the affected device that would lead to a DoS condition.

Cisco IOS Software TCP Input Vulnerability: A vulnerability in the TCP Input module of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a memory leak or a reload of the affected device which could lead to a denial of service (DoS) condition. The vulnerability is due to the way certain sequences of TCP packets are processed on an affected device when those packets undergo Network Address Translation (NAT). An attacker could exploit this vulnerability by sending a specific sequence of TCP packets to be processed by an affected device. An exploit could allow the attacker to cause a memory leak or reload of the affected device that would lead to a DoS condition.

Impact
Successful exploitation of either vulnerability may cause a reload of the affected device that could lead to a DoS condition. Successful exploitation of the Cisco IOS Software TCP Input Vulnerability may also result in a memory leak on the affected device.

Link: http://tools.cisco.com/…/cisco-sa-20140326-nat

 

Cisco AsyncOS Software Code Execution Vulnerability
Cisco AsyncOS Software for Email Security Appliance (ESA) and Cisco Content Security Management Appliance (SMA) contain a vulnerability that could allow an authenticated remote attacker to execute arbitrary code with the privileges of the root user.

Vulnerable Products
To exploit this vulnerability, an attacker would need to enable the FTP service and the Safelist/Blocklist (SLBL) service on the affected system, rely on these services already being enabled, or convince the system administrator to enable them at least temporarily.

Details
A vulnerability in the End User Safelist/Blocklist (SLBL) function of Cisco AsyncOS Software for Cisco Email Security Appliance and Cisco Content Security Management Appliance could allow an authenticated, remote attacker to execute arbitrary code on an affected system.

Impact
Successful exploitation of the vulnerability may cause arbitrary code execution on the affected system with the privileges of the root user.

Link: http://tools.cisco.com/…/cisco-sa-20140319-asyncos

 

Cisco Small Business Router Password Disclosure Vulnerability
A vulnerability in the web management interface of the Cisco RV110W Wireless-N VPN Firewall, the Cisco RV215W Wireless-N VPN Router, and the Cisco CVR100W Wireless-N VPN Router could allow an unauthenticated, remote attacker to gain administrative-level access to the web management interface of the affected device.

Vulnerable Products
The following products are affected by the vulnerability that is described in this advisory:

  • Cisco RV110W Wireless-N VPN Firewall running firmware versions 1.2.0.9 and prior
  • Cisco RV215W Wireless-N VPN Router running firmware versions 1.1.0.5 and prior
  • Cisco CVR100W Wireless-N VPN Router running firmware versions 1.0.1.19 and prior
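
An inventory triage against the firmware thresholds listed above, as an added example (not code from Cisco or from the original post). The "hostname model firmware" line format, the function names and every sample hostname and version are assumptions made for illustration; the comparison is numeric per field, because a plain string comparison would wrongly sort 1.2.0.10 before 1.2.0.9.

```python
import re

# Highest affected firmware per model, from the list above ("and prior" is inclusive).
LAST_AFFECTED = {
    "RV110W": "1.2.0.9",
    "RV215W": "1.1.0.5",
    "CVR100W": "1.0.1.19",
}
LABELS = {True: "affected", False: "above threshold", None: "not listed"}

def parse_version(text):
    """Turn '1.2.0.10' into (1, 2, 0, 10) so fields compare as numbers."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_affected(model, firmware):
    """True/False for a listed model, None when the model is not in the list."""
    last = LAST_AFFECTED.get(model.upper())
    if last is None:
        return None
    have, limit = parse_version(firmware), parse_version(last)
    width = max(len(have), len(limit))
    have += (0,) * (width - len(have))    # pad so 1.0.1.19.0 equals 1.0.1.19
    limit += (0,) * (width - len(limit))
    return have <= limit

def triage(inventory_text):
    """Classify 'hostname model firmware' lines; returns {hostname: status}."""
    results = {}
    for line in inventory_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            host, model, firmware = fields
            verdict = is_affected(model, firmware)
        except ValueError:
            results[fields[0]] = "review"  # wrong field count or odd version string
            continue
        results[host] = LABELS[verdict]
    return results

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """\
branch-01 RV110W 1.2.0.9
branch-02 RV110W 1.2.0.10
branch-03 RV215W 1.1.0.5
branch-04 CVR100W 1.0.1.21
branch-05 RV215W 1.1.0.6-beta
lab-01 RV320 1.1.0.9
"""
if __name__ == "__main__":
    print("\n".join(f"{h:10} {s}" for h, s in triage(SAMPLE).items()))
```

Entries marked "review" have a version string or line layout the parser will not guess at and should be checked by hand.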

Details
A vulnerability in the web management interface of the Cisco RV110W Wireless-N VPN Firewall, the Cisco RV215W Wireless-N VPN Router, and the Cisco CVR100W Wireless-N VPN Router could allow an unauthenticated, remote attacker to gain administrative-level access to the web management interface of the affected device.

The vulnerability is due to improper handling of authentication requests by the web framework. An attacker could exploit this vulnerability by intercepting, modifying and resubmitting an authentication request. Successful exploitation of this vulnerability would give an attacker administrative-level access to the web-based administration interface on the affected device.

Impact
Successful exploitation of the vulnerability may allow an attacker to gain full control of the affected device. An attacker with full administrative access to the device can configure all the settings of the router through the web-based administration user interface.

Link: http://tools.cisco.com/…/cisco-sa-20140305-rpd

 

Multiple Vulnerabilities in Cisco Wireless LAN Controllers
The Cisco Wireless LAN Controller (WLC) product family is affected by the following vulnerabilities:

  • Cisco Wireless LAN Controller Denial of Service Vulnerability
  • Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability
  • Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability
  • Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability
  • Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability
  • Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability

Vulnerable Products
Stand Alone Controllers: 

  • Cisco 500 Series Wireless Express Mobility Controllers
  • Cisco 2000 Series Wireless LAN Controllers
  • Cisco 2100 Series Wireless LAN Controllers
  • Cisco 2500 Series Wireless Controllers
  • Cisco 4100 Series Wireless LAN Controllers
  • Cisco 4400 Series Wireless LAN Controllers
  • Cisco 5500 Series Wireless Controllers
  • Cisco Flex 7500 Series Wireless Controllers
  • Cisco 8500 Series Wireless Controllers
  • Cisco Virtual Wireless Controller

Modular Controllers:

  • Cisco Catalyst 6500 Series/7600 Series Wireless Services Module (Cisco WiSM)
  • Cisco Wireless Services Module version 2 (WiSM2)
  • Cisco NME-AIR-WLC Module for Integrated Services Routers (ISRs)
  • Cisco NM-AIR-WLC Module for Integrated Services Routers (ISRs)
  • Cisco Catalyst 3750G Integrated WLC
  • Cisco Wireless Controller Software for Services-Ready Engine (SRE)

Details
Cisco Wireless LAN Controller Denial of Service Vulnerability: A vulnerability in the WebAuth feature of Cisco Wireless LAN Controllers (WLC) could allow an unauthenticated, remote attacker to cause the device to reload.

Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability: A vulnerability in the Cisco IOS code that is pushed to Cisco Aironet 1260, 2600, 3500, and 3600 Series access points (AP) by a Cisco Wireless LAN Controller (WLC) could allow an unauthenticated, remote attacker to gain unauthorized, privileged access to the affected device.

Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability: A vulnerability in the IGMP processing subsystem of Cisco Wireless LAN Controllers (WLC) could allow an unauthenticated, remote attacker to cause a DoS condition.

Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability: A vulnerability in the multicast listener discovery (MLD) service of a Cisco WLC configured for IPv6 could allow an unauthenticated, remote attacker to cause a denial of service condition.

Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability: A vulnerability in the Cisco WLC could allow an unauthenticated, remote attacker to trigger a critical error, resulting in a DoS condition while the device restarts.

Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability: A vulnerability in the Cisco WLC could allow an unauthenticated, remote attacker to trigger a critical error, resulting in a DoS condition while the device restarts.

Impact
Successful exploitation of the Cisco Wireless LAN Controller Denial of Service Vulnerability, Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability, or Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition.

Successful exploitation of the Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability could allow an unauthenticated, remote attacker to take complete control of an AP that has been associated to an affected Cisco WLC.

Successful exploitation of either of the vulnerabilities identified as Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability could allow an unauthenticated, adjacent attacker to cause an affected device to reload.

Link: http://tools.cisco.com/…/cisco-sa-20140305-wlc
