Oct 11, 2011

September 2011: fifteen Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published fifteen important vulnerability advisories:

  • Cisco IOS Software IP Service Level Agreement Vulnerability
  • Cisco Identity Services Engine Database Default Credentials Vulnerability
  • Cisco IOS Software IPv6 over MPLS Vulnerabilities
  • Cisco IOS Software IPv6 Denial of Service Vulnerability
  • Cisco 10000 Series Denial of Service Vulnerability
  • Cisco IOS Software Smart Install Remote Code Execution Vulnerability
  • Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities
  • Cisco IOS Software IPS and Zone-Based Firewall Vulnerabilities
  • Cisco IOS Software Data-Link Switching Vulnerability
  • Cisco IOS Software Network Address Translation Vulnerabilities
  • Cisco Unified Communications Manager Session Initiation Protocol Memory Leak Vulnerability
  • Jabber Extensible Communications Platform and Cisco Unified Presence XML Denial of Service Vulnerability
  • Cisco Unified Service Monitor and Cisco Unified Operations Manager Remote Code Execution Vulnerabilities
  • CiscoWorks LAN Management Solution Remote Code Execution Vulnerabilities
  • Cisco Nexus 5000 and 3000 Series Switches Access Control List Bypass Vulnerability

Cisco IOS Software IP Service Level Agreement Vulnerability
The Cisco IOS IP Service Level Agreement (IP SLA) feature contains a denial of service (DoS) vulnerability. The vulnerability is triggered when malformed UDP packets are sent to a vulnerable device. The vulnerable UDP port numbers depend on the device configuration: there are no default ports for the vulnerable UDP IP SLA operation or for the UDP responder ports, so the ports in use must be read from the configuration.

Vulnerable Products
Cisco devices that are running Cisco IOS Software are vulnerable when they are configured for IP SLA, either as responders or as originators of vulnerable IP SLA operations.

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to “Cisco Internetwork Operating System Software” or “Cisco IOS Software.” The image name is displayed in parentheses, followed by “Version” and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

Details
IP SLA is an embedded agent in Cisco IOS Software designed to measure and monitor common network performance metrics like jitter, latency (delay), and packet loss.

The vulnerability that is described in this document is triggered by malformed IP SLA packets sent to the vulnerable device and port. A vulnerable device can be an IP SLA responder or the source device of a vulnerable IP SLA operation.

Impact
Successful exploitation of the vulnerability described in this document may result in the reload of a vulnerable device. Repeated exploitation could result in a DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080b95d4c.shtml

Cisco Identity Services Engine Database Default Credentials Vulnerability
Cisco Identity Services Engine (ISE) contains a set of default credentials for its underlying database. A remote attacker could use those credentials to modify the device configuration and settings or gain complete administrative control of the device.

Vulnerable Products
This vulnerability affects all releases of Cisco ISE prior to release 1.0.4.573. This applies to both the hardware appliance and the software-only versions of the product.

Details
The Cisco Identity Services Engine provides an attribute-based access control solution that combines authentication, authorization, and accounting (AAA); posture; profiling; and guest management services on a single platform. Administrators can centrally create and manage access control policies for users and endpoints in a consistent fashion, and gain end-to-end visibility into everything that is connected to the network.

The Cisco ISE contains a set of default credentials for its underlying database. A remote attacker could use those credentials to modify the device configuration and settings or gain complete administrative control of the device.

Impact
Successful exploitation of this vulnerability may allow an attacker to modify the device configuration and settings or gain complete administrative control of the device.

Link: http://www.cisco.com/…/advisory09186a0080b95105.shtml

Cisco IOS Software IPv6 over MPLS Vulnerabilities
Cisco IOS Software is affected by two vulnerabilities that cause a Cisco IOS device to reload when processing IP version 6 (IPv6) packets over a Multiprotocol Label Switching (MPLS) domain. These vulnerabilities are:

  • Crafted IPv6 Packet May Cause MPLS-Configured Device to Reload
  • ICMPv6 Packet May Cause MPLS-Configured Device to Reload

Vulnerable Products
Cisco IOS Software or Cisco IOS XE Software devices (hereafter both referenced as Cisco IOS Software in this document) that are running vulnerable versions of Cisco IOS Software and configured for MPLS are affected by two vulnerabilities related to IPv6 traffic that traverses an MPLS domain. The two vulnerabilities are independent of each other.

Details
The packet handling nodes in an MPLS network are called provider routers (P routers) and provider edge routers (PE routers) and are configured with MPLS. Both P and PE routers are vulnerable to both vulnerabilities disclosed in this advisory.

In networks that have MPLS enabled and could carry MPLS label switched packets with IPv6 payloads, the device may crash when processing MPLS label switched packets with specific IPv6 payloads. Typical deployment scenarios that would be affected by either vulnerability would be Cisco IPv6 Provider Edge Router (6PE) or IPv6 VPN Provider Edge Router (6VPE).

Impact
Successful exploitation of these vulnerabilities may cause the device to reload. Repeated exploitation could result in a sustained denial of service condition.

Link: http://www.cisco.com/…/advisory09186a0080b95d52.shtml

Cisco IOS Software IPv6 Denial of Service Vulnerability
Cisco IOS Software contains a vulnerability in the IP version 6 (IPv6) protocol stack implementation that could allow an unauthenticated, remote attacker to cause a reload of an affected device that has IPv6 enabled. The vulnerability may be triggered when the device processes a malformed IPv6 packet.

Vulnerable Products
Cisco devices that are running an affected version of Cisco IOS Software and configured for IPv6 operation are vulnerable. A device that is running Cisco IOS Software and that has IPv6 enabled will show some interfaces with assigned IPv6 addresses when the show ipv6 interface brief command is executed.

Details
IPv6, which was designed by the Internet Engineering Task Force (IETF), is intended to replace the current version, IP Version 4 (IPv4).

A vulnerability exists when Cisco IOS Software processes IPv6 packets. An attacker could exploit this vulnerability by sending malformed IPv6 packets to physical or logical interfaces that are configured to process IPv6 traffic. Transit traffic cannot trigger this vulnerability. Exploitation could cause an affected system to reload.

Impact
Successful exploitation of the vulnerability that is described in this advisory may cause a reload of an affected device. Repeated exploitation could result in a sustained denial of service condition.

Link: http://www.cisco.com/…/advisory09186a0080b95d59.shtml

Cisco 10000 Series Denial of Service Vulnerability
The Cisco 10000 Series Router is affected by a denial of service (DoS) vulnerability that can allow an attacker to cause a device reload by sending a series of ICMP packets.

Vulnerable Products
Cisco 10000 Series Routers that are running an affected version of Cisco IOS are affected.

Details
The Cisco 10000 Series Router is affected by a denial of service (DoS) vulnerability where an unauthenticated attacker could cause a device reload by sending a series of ICMP packets.

Impact
Successful exploitation of this vulnerability could cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080b95d50.shtml

Cisco IOS Software Smart Install Remote Code Execution Vulnerability
A vulnerability exists in the Smart Install feature of Cisco Catalyst Switches running Cisco IOS Software that could allow an unauthenticated, remote attacker to perform remote code execution on the affected device.

Vulnerable Products
Devices configured as a Smart Install client or director are affected by this vulnerability. To display Smart Install information, use the show vstack config privileged EXEC command on the Smart Install director or client. The outputs of the show commands are different when entered on the director or on the client.

Details
Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches and Cisco Integrated Services Routers. This means that a customer can ship a device to a location, place it in the network and power it on with no configuration required on the device.

A vulnerability exists in the Smart Install feature of Cisco Catalyst Switches running Cisco IOS Software that could allow an unauthenticated, remote attacker to perform remote code execution on the affected device. Smart Install uses TCP port 4786 for communication. An established TCP connection with a completed TCP three-way handshake is needed to be able to trigger this vulnerability.
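The advisory's precondition is reachability: an attacker needs a completed TCP three-way handshake to port 4786. The following script, added here as an example and not Cisco's own tooling, checks a list of hosts for exactly that. A host that accepts the connection is in scope and needs the port filtered or the software upgraded; a successful connect does not by itself prove the running release is affected. The loopback helpers stand in for a real director or client so the check can be exercised offline.

```python
"""Exposure check for the Smart Install service on TCP port 4786.

Added example for this article, not Cisco's tooling. The advisory states
that Smart Install listens on TCP 4786 and that a completed three-way
handshake is required to trigger the bug, so a host that accepts a
connection on that port from the scanner's vantage point is in scope.
"""
import socket
from typing import Dict, Iterable, List, Tuple

SMART_INSTALL_PORT = 4786  # port named in the advisory


def smart_install_reachable(host: str, port: int = SMART_INSTALL_PORT,
                            timeout: float = 2.0) -> bool:
    """Return True when a TCP three-way handshake completes to host:port.

    Any OSError (refused, timed out, unroutable, name lookup failure) means
    the advisory's precondition is not met from this vantage point.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_hosts(hosts: Iterable[str], port: int = SMART_INSTALL_PORT,
               timeout: float = 2.0) -> Dict[str, bool]:
    """Map each host to whether its Smart Install port accepts connections."""
    return {host: smart_install_reachable(host, port, timeout) for host in hosts}


def exposed_hosts(results: Dict[str, bool]) -> List[str]:
    """Hosts that completed the handshake: filter TCP 4786 or upgrade them."""
    return sorted(host for host, reachable in results.items() if reachable)


def loopback_listener() -> Tuple[socket.socket, int]:
    """Test helper (constructed): a listening loopback socket on an ephemeral
    port, standing in for a switch that exposes the Smart Install service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_loopback_port() -> int:
    """Test helper (constructed): an ephemeral loopback port with no listener."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Offline demonstration: one fake 'switch' that listens, one port that does not.
    srv, open_port = loopback_listener()
    closed_port = closed_loopback_port()
    demo = {
        f"127.0.0.1:{open_port}": smart_install_reachable("127.0.0.1", open_port),
        f"127.0.0.1:{closed_port}": smart_install_reachable("127.0.0.1", closed_port),
    }
    srv.close()
    for target, reachable in demo.items():
        print(f"{target}: {'REACHABLE (in scope)' if reachable else 'not reachable'}")
```

Run it against the management addresses of your Catalyst switches from the network segments an attacker could plausibly reach; the `show vstack config` output on each device tells you whether the listening service is a director or a client.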

Impact
Successful exploitation could allow an unauthenticated, remote attacker to perform remote code execution on the affected device.

Link: http://www.cisco.com/…/advisory09186a0080b95d4f.shtml

Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities
Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device or trigger memory leaks that may result in system instabilities. Affected devices would need to be configured to process SIP messages for these vulnerabilities to be exploitable.

Vulnerable Products
Cisco devices are affected when they are running affected Cisco IOS Software and Cisco IOS XE Software versions that are configured to process SIP messages.

Details
SIP is a popular signaling protocol that is used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol has the flexibility to accommodate other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP port 5061) as the underlying transport protocol.

Impact
Successful exploitation of the vulnerabilities in this advisory may result in system instabilities or a reload of an affected device. Repeated exploitation could result in a sustained DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080b95d5a.shtml

Cisco IOS Software IPS and Zone-Based Firewall Vulnerabilities
Cisco IOS Software contains two vulnerabilities related to Cisco IOS Intrusion Prevention System (IPS) and Cisco IOS Zone-Based Firewall features. These vulnerabilities are:

  • Memory leak in Cisco IOS Software
  • Cisco IOS Software Denial of Service when processing specially crafted HTTP packets

Vulnerable Products
Cisco IOS devices running vulnerable versions of Cisco IOS Software are affected by two vulnerabilities in Cisco IOS IPS and Cisco IOS Zone-Based Firewall. The two vulnerabilities are independent of each other.

Details
Firewalls are networking devices that control access to the network assets of an organization. Firewalls are often positioned at the entrance points of networks. Cisco IOS Software provides a set of security features that allow the configuration of a simple or elaborate firewall policy according to particular requirements.

Impact
Successful exploitation of these vulnerabilities may result in:

  • Memory leak in Cisco IOS Software: The device may run out of memory resulting in instability or the device crashing.
  • Cisco IOS Software Denial of Service when processing specially crafted HTTP packets: The device may crash or hang. If the device hangs, it will have to be power cycled to recover. If the device supports and is configured with scheduler isr-watchdog then the device will reset and reload if the vulnerability is exploited.

Link: http://www.cisco.com/…/advisory09186a0080b95d57.shtml

Cisco IOS Software Data-Link Switching Vulnerability
Cisco IOS Software contains a memory leak vulnerability in the Data-Link Switching (DLSw) feature that could result in a device reload when processing crafted IP Protocol 91 packets.

Vulnerable Products
Cisco IOS devices with the DLSw promiscuous feature enabled are affected by the vulnerability described in this advisory. Devices with the DLSw promiscuous feature enabled contain a line in the configuration defining a local DLSw peer with the promiscuous keyword.

Details
DLSw provides a means of transporting IBM Systems Network Architecture (SNA) and network BIOS (NetBIOS) traffic over an IP network. The Cisco implementation of DLSw over Fast Sequence Transport (FST) uses IP Protocol 91. The promiscuous DLSw feature permits the local peer to establish connection with remote peers that are not statically configured.

A Cisco IOS device that is configured for DLSw listens for IP Protocol 91 packets. Depending on the DLSw configuration, UDP port 2067 and one or more TCP ports can also be opened. The vulnerability described in this document can only be exploited via IP Protocol 91 and cannot be exploited using either the UDP or TCP transports.

Impact
Successful exploitation of the vulnerability may result in a memory leak that can lead to a denial of service condition. Memory exhaustion can cause an affected Cisco IOS device to reload or become unresponsive; a power cycle might be required to recover from the condition.

Link: http://www.cisco.com/…/advisory09186a0080b95d4e.shtml

Cisco IOS Software Network Address Translation Vulnerabilities
The Cisco IOS Software network address translation (NAT) feature contains multiple denial of service (DoS) vulnerabilities in the translation of the following protocols:

  • NetMeeting Directory (Lightweight Directory Access Protocol, LDAP)
  • Session Initiation Protocol (Multiple vulnerabilities)
  • H.323 protocol

Vulnerable Products
Cisco devices that are running Cisco IOS Software are vulnerable when they are configured for NAT and contain support for one or more of the following features:

  • NetMeeting Directory NAT (LDAP on TCP port 389)
  • NAT for Session Initiation Protocol (SIP)
  • NAT for H.323

Details

  • NAT for NetMeeting Directory (LDAP) Vulnerability: LDAP is a protocol for querying and modifying data of directory services implemented in IP networks. NAT for NetMeeting Directory, also known as the Internet Locator Service (ILS), translates LDAP packets on TCP port 389. The inspected port is not configurable. This vulnerability is triggered by malformed transit LDAP traffic that needs to be processed by the NAT for NetMeeting Directory feature.
  • Four vulnerabilities in the NAT for SIP feature are described in this document:
    • NAT of SIP over TCP vulnerability: Crafted SIP packets on TCP port 5060 could cause unpredictable results, including the reload of the vulnerable device. Translation of SIP over TCP packets will be disabled by default with the fix for this vulnerability.
    • Provider edge Multiprotocol Label Switching (MPLS) NAT of SIP over UDP packets DoS vulnerability: A malformed SIP packet on UDP port 5060 that transits an MPLS-enabled vulnerable device, and that requires an MPLS label to be imposed on it, might reload the device.
    • NAT of crafted SIP over UDP packets DoS vulnerabilities: There are two DoS vulnerabilities related to similar crafted packets on UDP port 5060 that require SIP translation: the first causes the device to reload, and the second causes a memory leak that could lead to a DoS condition, including reload of the vulnerable device.
  • NAT of H.323 Packets DoS Vulnerability: Transit crafted H.323 packets on TCP port 1720 could cause a reload of the vulnerable device.

Impact
Successful exploitation of these vulnerabilities can cause the device to reload or become unresponsive. For the NAT of SIP over UDP vulnerability that corresponds to Cisco bug CSCtj04672, it is also possible that exploitation can cause a memory leak. Repeated exploitation of the memory leak vulnerability can lead to a DoS condition in which the device reloads or becomes unresponsive. Reloading may occur automatically, or the device may require manual intervention to reload.

Link: http://www.cisco.com/…/advisory09186a0080b95d4d.shtml

Cisco Unified Communications Manager Session Initiation Protocol Memory Leak Vulnerability
Cisco Unified Communications Manager contains a memory leak vulnerability that could be triggered through the processing of malformed Session Initiation Protocol (SIP) messages. Exploitation of this vulnerability could cause an interruption of voice services. Cisco has released free software updates for supported Cisco Unified Communications Manager versions to address the vulnerability. A workaround exists for this SIP vulnerability.

Vulnerable Products
The following products are affected by the vulnerability that is described in this advisory:

  • Cisco Unified Communications Manager 6.x
  • Cisco Unified Communications Manager 7.x
  • Cisco Unified Communications Manager 8.x

Details
Cisco Unified Communications Manager contains a vulnerability that involves the processing of SIP messages. Cisco Unified Communications Manager may leak session control buffers (SCBs) or cause a reload of the affected device when processing a malformed SIP message. Exploitation of the vulnerability may cause a critical process to fail, which could result in the disruption of voice services. All SIP ports (TCP ports 5060 and 5061 and UDP ports 5060 and 5061) are affected.

Impact
Successful exploitation of the vulnerability that is described in this advisory could allow a remote attacker to trigger a device reload that could result in the interruption of voice services. Cisco Unified Communications Manager will restart the affected processes, but repeated attacks may result in a sustained denial of service (DoS) condition.

Link: http://www.cisco.com/…/advisory09186a0080b95d58.shtml

Jabber Extensible Communications Platform and Cisco Unified Presence XML Denial of Service Vulnerability
A denial of service (DoS) vulnerability exists in Jabber Extensible Communications Platform (Jabber XCP) and Cisco Unified Presence. An unauthenticated, remote attacker could exploit this vulnerability by sending malicious XML to an affected server. Successful exploitation of this vulnerability could cause elevated memory and CPU utilization, resulting in memory exhaustion and process crashes. Repeated exploitation could result in a sustained DoS condition.

Vulnerable Products
The following versions of Cisco Unified Presence and Jabber Extensible Communications Platform (Jabber XCP) are affected by the vulnerability in this advisory. JabberNow appliances are also affected if they are running a vulnerable version of Jabber XCP software.

  • Cisco Unified Presence: All versions of Cisco Unified Presence prior to 8.5(4) are affected by the vulnerability in this advisory.
  • Jabber XCP and JabberNow Appliances.

Details
Jabber XCP and Cisco Unified Presence provide an open and extensible platform that facilitates the secure exchange of availability and instant messaging (IM) information.

The XML parsers in Jabber XCP (including JabberNow appliances) and Cisco Unified Presence are vulnerable to the Exponential Entity Expansion attack. This attack is also known as an XML Bomb: an XML document that is well-formed and valid according to the rules of an XML schema, yet causes the parser or the underlying server to hang or crash. The attack is often referred to as the Billion Laughs Attack because many proof-of-concept examples caused XML parsers to expand the string “lol” or “ha” up to a billion times, or until server resources were exhausted.

The attack combines certain properties of XML to create valid but malicious XML using an extreme level of nested substitutions. When an XML parser attempts to expand all the nested entities it quickly exhausts all server resources.

This technique will cause the XML parsers in Cisco Unified Presence and Jabber XCP (including JabberNow appliances) to trigger high CPU and memory usage resulting in process crashes. The attack affects both client-to-server connections as well as server-to-server (federation) links.
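The mechanism described above, as an added example for this article and not code from Jabber XCP or Cisco Unified Presence: the script builds the classic nested-entity document at a safe scale (depth 3, fan-out 10, so one entity reference expands to 1,000 copies of “lol”), shows a parser that honours internal entities expanding all of it, and then shows the defence that fits an XMPP server, which is to refuse any DOCTYPE or entity declaration before the expansion can start. A DTD is never legitimate inside an XMPP stream, so rejecting it outright loses nothing. The sample stanza is constructed for the demonstration.

```python
"""Exponential entity expansion (the 'billion laughs' XML bomb).

Added example for this article, not Jabber XCP or Cisco Unified Presence
code. build_expansion_doc() produces the nested-entity payload at a chosen
scale; naive_parse_text() expands it the way the affected parsers did;
parse_untrusted() refuses any DOCTYPE or entity declaration up front.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD or entity declarations."""


def build_expansion_doc(depth: int, fanout: int, atom: str = "lol") -> str:
    """Return a document whose single &lol<depth>; reference expands to
    fanout**depth copies of `atom`. depth=9, fanout=10 is the original
    billion-laughs payload; keep it small when running this yourself."""
    decls = [f'<!ENTITY lol0 "{atom}">']
    for level in range(1, depth + 1):
        body = "".join(f"&lol{level - 1};" for _ in range(fanout))
        decls.append(f'<!ENTITY lol{level} "{body}">')
    return "<!DOCTYPE lolz [\n" + "\n".join(decls) + f"\n]>\n<lolz>&lol{depth};</lolz>"


def expansion_factor(depth: int, fanout: int) -> int:
    """Copies of the atom produced from one reference: fanout ** depth."""
    return fanout ** depth


def naive_parse_text(doc: str) -> str:
    """A parser that expands internal entities, as the affected products did.
    The output is expansion_factor() copies of the atom from a tiny input."""
    return ET.fromstring(doc).text or ""


def parse_untrusted(doc: str) -> dict:
    """Parse with expat but abort before any entity can be declared or expanded.
    Returns element and character-data counts for a document that passed."""
    parser = xml.parsers.expat.ParserCreate()
    stats = {"elements": 0, "chars": 0}

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} rejected: DTDs are not allowed here")

    def reject_entity(name, *_):
        raise UnsafeXML(f"entity declaration {name!r} rejected")

    def count_element(name, attrs):
        stats["elements"] += 1

    def count_chars(data):
        stats["chars"] += len(data)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = count_element
    parser.CharacterDataHandler = count_chars
    parser.Parse(doc, True)  # a handler exception aborts the parse here
    return stats


def is_rejected(doc: str) -> bool:
    """True when parse_untrusted() refuses the document."""
    try:
        parse_untrusted(doc)
    except UnsafeXML:
        return True
    return False


# Constructed sample stanza of the kind a c2s or s2s link carries.
SAMPLE_STANZA = '<message to="alice@example.net"><body>hi</body></message>'

if __name__ == "__main__":
    bomb = build_expansion_doc(3, 10)
    print(f"input {len(bomb)} bytes -> naive parse yields "
          f"{len(naive_parse_text(bomb))} chars ({expansion_factor(3, 10)} copies)")
    print("bomb rejected by hardened parser:", is_rejected(bomb))
    print("stanza accepted:", parse_untrusted(SAMPLE_STANZA))
```

The point of rejecting at the DOCTYPE rather than capping expansion is that the cost is paid before any work is done: a cap still lets the attacker consume whatever budget the cap allows on every connection, including federation links, while a rejected DOCTYPE costs one handler call.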

Impact
Successful exploitation of this vulnerability could cause elevated memory and CPU utilization, resulting in memory exhaustion and process crashes. Repeated exploitation could result in a sustained DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080b95d47.shtml

Cisco Unified Service Monitor and Cisco Unified Operations Manager Remote Code Execution Vulnerabilities
Two vulnerabilities exist in Cisco Unified Service Monitor and Cisco Unified Operations Manager software that could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers.

Vulnerable Products
All versions of Cisco Unified Service Monitor and Cisco Unified Operations Manager prior to 8.6 are affected.

Details
Cisco Unified Service Monitor and Cisco Unified Operations Manager are products from the Cisco Unified Communications Management Suite. They provide a way to continuously monitor active calls supported by the Cisco Unified Communications System.

Two vulnerabilities exist in Cisco Unified Service Monitor and Cisco Unified Operations Manager software that could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers. These vulnerabilities can be triggered by sending a series of crafted packets to the affected server over TCP port 9002.

Impact
Successful exploitation of these vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers.

Link: http://www.cisco.com/…/advisory09186a0080b9351e.shtml

CiscoWorks LAN Management Solution Remote Code Execution Vulnerabilities
Two vulnerabilities exist in CiscoWorks LAN Management Solution software that could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers.

Vulnerable Products
CiscoWorks LAN Management Solution software releases 3.1, 3.2, and 4.0 are affected by these vulnerabilities.

CiscoWorks LAN Management Solution releases 3.1 and 3.2 are vulnerable only if the Device Fault Management (DFM) component is installed. Release 4.0 is vulnerable regardless of the options selected during installation.

Details
Two vulnerabilities exist in CiscoWorks LAN Management Solution software that could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers.

Impact
Successful exploitation of these vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers.

Link: http://www.cisco.com/…/advisory09186a0080b9351f.shtml

Cisco Nexus 5000 and 3000 Series Switches Access Control List Bypass Vulnerability
A vulnerability exists in Cisco Nexus 5000 and 3000 Series Switches that may allow traffic to bypass deny statements in access control lists (ACLs) that are configured on the device.

Vulnerable Products
All Cisco Nexus 5000 NX-OS Software Releases 5.0(2) and 5.0(3) prior to 5.0(3)N2(1) are affected by this vulnerability. All Cisco Nexus 3000 NX-OS Software Releases prior to 5.0(3)U1(2a) or 5.0(3)U2(1) are affected by this vulnerability.

Details
A vulnerability in Cisco Nexus 5000 and 3000 Series Switches may allow traffic to bypass deny statements in IP, VLAN, or MAC ACLs that are configured on the device. This behavior occurs when an ACL remark is configured before a deny statement in the ACL.
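Because the trigger is a configuration pattern, it can be audited from a saved running-config before anyone upgrades. The script below is an added example for this article, not a Cisco tool: it parses the text of show running-config (NX-OS layout assumed: an ip, ipv6 or mac access-list header followed by indented entries with an optional sequence number) and reports every ACL in which a remark line appears earlier than a deny statement. SAMPLE_CONFIG is constructed for the demonstration.

```python
"""Audit NX-OS ACL configuration for a remark placed before a deny entry.

Added example for this article, not a Cisco tool. Assumes the usual NX-OS
running-config layout: 'ip|ipv6|mac access-list NAME' on its own line,
entries indented beneath it, each optionally prefixed by a sequence number.
"""
import re
from typing import Dict, List, Tuple

ACL_HEADER = re.compile(r"^(ip|ipv6|mac) access-list (\S+)$")
ACL_ENTRY = re.compile(r"^(?:\d+\s+)?(remark|permit|deny)\b")

# Constructed sample: two ACLs with a remark ahead of a deny, one clean ACL.
SAMPLE_CONFIG = """\
hostname n5k-edge-01
ip access-list BLOCK-TELNET
  remark keep the guest block off telnet
  10 deny tcp 10.99.0.0/16 any eq 23
  20 permit ip any any
ip access-list CLEAN
  10 deny tcp any any eq 23
  20 permit ip any any
  remark a remark after the last deny is not the advisory's case
mac access-list LAB-NICS
  10 remark lab hosts must not reach the core
  20 deny 0000.1111.2222 0000.0000.0000 any
  30 permit any any
vlan access-map GUEST 10
  match ip address BLOCK-TELNET
  action forward
"""


def parse_acls(config: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {'<type> <name>': [(kind, line), ...]} for every ACL in the config."""
    acls: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        header = ACL_HEADER.match(line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            acls[current] = []
            continue
        if current is None or not raw.startswith(" "):
            current = None  # a non-indented line ends the ACL block
            continue
        entry = ACL_ENTRY.match(line)
        if entry:
            acls[current].append((entry.group(1), line))
    return acls


def remark_before_deny(acls: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[str]]:
    """ACLs, with the deny lines concerned, where a remark precedes a deny."""
    findings: Dict[str, List[str]] = {}
    for name, entries in acls.items():
        remark_seen = False
        for kind, line in entries:
            if kind == "remark":
                remark_seen = True
            elif kind == "deny" and remark_seen:
                findings.setdefault(name, []).append(line)
    return findings


def audit(config: str) -> Dict[str, List[str]]:
    """Full pass: parse the config and return the affected ACLs."""
    return remark_before_deny(parse_acls(config))


if __name__ == "__main__":
    for acl, denies in audit(SAMPLE_CONFIG).items():
        print(f"{acl}: remark precedes {len(denies)} deny entr{'y' if len(denies) == 1 else 'ies'}")
        for line in denies:
            print(f"    {line}")
```

Any ACL the audit reports should be treated as not enforcing its deny entries on an affected release; moving or removing the remarks is a stopgap until the switch runs a fixed NX-OS release.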

Impact
Successful exploitation of the vulnerability may allow an attacker to access resources that should be protected by the ACL configured in Cisco Nexus 5000 and 3000 Series Switches.

Link: http://www.cisco.com/…/advisory09186a0080b9250c.shtml
