Oct
18
2012

September 2012: eleven Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published eleven important vulnerability advisories:

  • Cisco IOS Software Network Address Translation Vulnerabilities
  • Cisco IOS Software Intrusion Prevention System Denial of Service Vulnerability
  • Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerability
  • Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
  • Cisco IOS Software DHCP Denial of Service Vulnerability
  • Cisco IOS Software Tunneled Traffic Queue Wedge Vulnerability
  • Cisco Catalyst 4500E Series Switch with Cisco Catalyst Supervisor Engine 7L-E Denial of Service Vulnerability
  • Cisco IOS Software DHCP Version 6 Server Denial of Service Vulnerability
  • Cisco IOS Software Malformed Border Gateway Protocol Attribute Vulnerability
  • Cisco Unified Presence and Jabber Extensible Communications Platform Stream Header Denial of Service Vulnerability
  • Cisco ASA-CX and Cisco PRSM Log Retention Denial of Service Vulnerability

Cisco IOS Software Network Address Translation Vulnerabilities
The Cisco IOS Software Network Address Translation (NAT) feature contains two denial of service (DoS) vulnerabilities in the translation of IP packets. The vulnerabilities are caused when packets in transit on the vulnerable device require translation.

Vulnerable Products
Cisco devices that are running Cisco IOS Software are vulnerable when they are configured for NAT. One of the vulnerabilities requires support for NAT for Session Initiation Protocol (SIP) to be present in the release.

There are two methods to determine whether a device is configured for NAT:

  • Determine whether NAT is active on a running device.
  • Determine whether NAT commands are included in the device configuration.

Details

  • Cisco IOS Software NAT for SIP Denial of Service Vulnerability
    The NAT SIP application layer gateway (ALG) feature adds the ability to deploy Cisco IOS NAT between VoIP solutions based on SIP by translating IP addresses that are embedded in the SIP payload of IP packets. Cisco IOS Software contains a vulnerability in the NAT processing of SIP packets. This vulnerability is present when the NAT SIP ALG feature is enabled. NAT SIP ALG is enabled by default, and performs the SIP payload translation of IP packets. NAT SIP translation is done on UDP port 5060 packets by default. The port is configurable using the ip nat service sip udp port global configuration command.
  • Cisco IOS Software NAT Denial of Service Vulnerability
    The IP NAT feature permits interconnection of networks when the IP addresses of packets that are moving between the networks need to be translated to be valid in the destination network. Cisco IOS Software contains a vulnerability in the NAT processing of IP packets. Exploitation of the vulnerability will cause a DoS condition.

Impact
Successful exploitation of the vulnerabilities that are described in this advisory may cause a reload of an affected device. Repeated exploitation could result in a sustained DoS condition.

Link: http://tools.cisco.com/…/cisco-sa-20120926-nat

Cisco IOS Software Intrusion Prevention System Denial of Service Vulnerability
Cisco IOS Software contains a vulnerability in the Intrusion Prevention System (IPS) feature that could allow an unauthenticated, remote attacker to cause a reload of an affected device if specific Cisco IOS IPS configurations exist.

Vulnerable Products
Devices configured with Cisco IOS IPS are affected by this vulnerability under certain Cisco IOS IPS configurations when running a vulnerable version of Cisco IOS Software.

A device will have an affected configuration if both of the following two conditions are true:

  1. Any of the following categories are enabled in the Cisco IOS IPS configuration:
    • diag2 (in configurations)
    • general_os (in os)
    • general_attack (in attack)
    • general_service (in other_services)
    • tcp (in l2/l3/l4_protocol/ip)
    • udp (in l2/l3/l4_protocol/ip)
    • dns (network_services)
    • advanced (in ios_ips)
    • basic (in ios_ips)
    • past_releases (in releases)
  2. If the four IPS signatures 6054:0, 6054:1, 6062:0, 6062:1 are all not compiled.

Details
Cisco IOS Software contains a denial of service vulnerability that could allow an unauthenticated, remote attacker to cause an affected device to reload. An attacker could exploit this vulnerability by sending legitimate DNS packets through a device with an affected Cisco IOS IPS configuration. An exploit could allow the attacker to cause a reload of the affected device.

Impact
Successful exploitation of the vulnerability that is described in this advisory may cause a reload of an affected device. Repeated exploitation could result in a sustained denial of service condition.

Link: http://tools.cisco.com/…/cisco-sa-20120926-ios-ips

Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerability
Cisco Unified Communications Manager contains a vulnerability in its Session Initiation Protocol (SIP) implementation that could allow an unauthenticated, remote attacker to cause a critical service to fail, which could interrupt voice services. Affected devices must be configured to process SIP messages for this vulnerability to be exploitable.

Vulnerable Products
The following Cisco Unified Communications Manager software releases are affected:

  • Cisco Unified Communications Manager 6.x
  • Cisco Unified Communications Manager 7.x
  • Cisco Unified Communications Manager 8.x

Details
A vulnerability exists in the SIP implementation in Cisco Unified Communications Manager that could allow a remote attacker to cause a critical service to fail, which could interrupt voice services. This vulnerability is triggered when an affected device processes a crafted SIP message that contains a valid Session Description Protocol (SDP) message. Only traffic destined to the device can trigger the vulnerability; transit SIP traffic is not an exploit vector.
Note: In cases where SIP is running over TCP transport, a TCP three-way handshake is necessary to exploit this vulnerability.

Impact
Successful exploitation of the vulnerability could allow a remote attacker to cause a critical service to fail, which interrupt voice services. Cisco Unified Communications Manager will restart the affected processes, but repeated attacks may result in a sustained denial of service (DoS) condition.

Link: http://tools.cisco.com/…/cisco-sa-20120926-cucm

Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to cause an affected device to reload. Affected devices must be configured to process SIP messages and for pass-through of Session Description Protocol (SDP) for this vulnerability to be exploitable.

Vulnerable Products
Cisco devices that are running affected Cisco IOS Software or Cisco IOS XE Software versions are vulnerable when they are configured to process SIP messages and when pass-through of Session Description Protocol (SDP) is enabled.

Details
A vulnerability exists in the SIP implementation in Cisco IOS Software and Cisco IOS XE Software that could allow a remote attacker to cause an affected device to reload. This vulnerability is triggered when an affected device processes a crafted SIP message that contains a valid Session Description Protocol (SDP) message. Only traffic destined to the device can trigger the vulnerability; transit SIP traffic is not an exploit vector. SDP pass-through must be enabled, either at the global level, or at the dial-peer level, for a device to be affected by this vulnerability.

Note: In cases where SIP is running over TCP transport, a TCP three-way handshake is necessary to exploit this vulnerability.

Impact
Successful exploitation of the vulnerability could cause an affected device to reload. Repeated exploitation could result in a sustained denial of service (DoS) condition.

Link: http://tools.cisco.com/…/cisco-sa-20120926-sip

Cisco IOS Software DHCP Denial of Service Vulnerability
Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. An attacker could exploit this vulnerability by sending a single DHCP packet to or through an affected device, causing the device to reload.

Vulnerable Products
Cisco devices that are running Cisco IOS Software versions that include the Device Sensor feature are affected by this vulnerability. Devices that have at least one interface with an IP address are affected. To determine whether the Cisco IOS Software release includes the Device Sensor feature, issue the show subsys command.

Details
Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. An attacker could exploit this vulnerability by sending a single DHCP packet to or through an affected device, causing the device to reload. The Device Sensor feature, enabled by default, is vulnerable on devices that have at least one interface with an IP address. The vulnerability is triggered when the Device Sensor feature attempts to process a DHCP packet. In affected releases, valid DHCP packets could trigger this vulnerability.

Impact
Successful exploitation of the vulnerability may cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition.

Link: http://tools.cisco.com/…/cisco-sa-20120926-dhcp

Cisco IOS Software Tunneled Traffic Queue Wedge Vulnerability
Cisco IOS Software contains a queue wedge vulnerability that can be triggered when processing IP tunneled packets. Only Cisco IOS Software running on the Cisco 10000 Series router has been demonstrated to be affected. Successful exploitation of this vulnerability may prevent traffic from transiting the affected interfaces.

Vulnerable Products
Cisco 10000 Series routers running Cisco IOS Software are potentially affected. See the “Details” section below for information on affected versions.

Details
The queue wedge may be triggered when processing ingress IP tunneled packets. The packets that trigger the vulnerability are tunneled IP packets of the following types: GRE/IP, IPIP, and IPv6 in IPv4 packets, for tunnels that terminate at the router. Transit traffic does not cause this vulnerability to be triggered. Successful exploitation of this vulnerability may result in an inability to pass traffic on affected interfaces.

Impact
Successful exploitation of the vulnerability may prevent traffic from transiting the affected interfaces.

Link: http://tools.cisco.com/…/cisco-sa-20120926-c10k-tunnels

Cisco Catalyst 4500E Series Switch with Cisco Catalyst Supervisor Engine 7L-E Denial of Service Vulnerability
The Catalyst 4500E series switch with Supervisor Engine 7L-E contains a denial of service (DoS) vulnerability when processing specially crafted packets that can cause a reload of the device.

Vulnerable Products
The following products are affected by this vulnerability, when running Cisco IOS XE Software Release 03.02.00.XO.15.0(2)XO:

  • Catalyst 4500E series switch with Supervisor Engine 7L-E.

Details
The vulnerability is due to improper processing of malformed network packets. An unauthenticated, remote attacker could exploit this vulnerability by sending specially crafted packets to or through the affected device. An exploit could allow the attacker to reload the affected device supervisor card, resulting in a DoS condition.
When the specially crafted packets are received the device will indicate an error message about an uncorrected error-correcting code (ECC) failure.

Impact
Successful exploitation of the vulnerability may cause the supervisor card on the affected device to reload. Continued exploitation will result in a sustained denial of service attack.

Link: http://tools.cisco.com/…/cisco-sa-20120926-ecc

Cisco IOS Software DHCP Version 6 Server Denial of Service Vulnerability
Cisco IOS Software and Cisco IOS XE Software contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. An attacker could exploit this vulnerability by sending a crafted request to an affected device that has the DHCP version 6 (DHCPv6) server feature enabled, causing a reload.

Vulnerable Products

Cisco devices that are running affected Cisco IOS Software or Cisco IOS XE Software with the DHCPv6 server feature enabled are vulnerable. The DHCPv6 server feature is not enabled by default. Cisco devices that are configured as DHCPv6 clients or relay agents are not affected by this vulnerability. To determine whether a Cisco IOS device or Cisco IOS XE device is configured as a DHCPv6 server, issue the show ipv6 dhcp interface command.

Details
Cisco IOS Software and Cisco IOS XE Software contain a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. An attacker could exploit this vulnerability by sending a crafted request to an affected device that has the DHCPv6 server feature enabled, causing a reload.

The vulnerability is triggered when the affected Cisco IOS device attempts to process a malformed DHCPv6 packet. Valid DHCPv6 packets will not trigger this vulnerability. DHCPv6 packets that the Cisco IOS device forwards (for example, transit DHCPv6 traffic) will not trigger this vulnerability.

Cisco IOS devices that are configured as a DHCP server for IPv4 are not affected by this vulnerability.

Impact

Successful exploitation of the vulnerability may cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition.

Link: http://tools.cisco.com/…/cisco-sa-20120926-dhcpv6

Cisco IOS Software Malformed Border Gateway Protocol Attribute Vulnerability
Cisco IOS Software contains a vulnerability in the Border Gateway Protocol (BGP) routing protocol feature. The vulnerability can be triggered when the router receives a malformed attribute from a peer on an existing BGP session. Successful exploitation of this vulnerability can cause all BGP sessions to reset. Repeated exploitation may result in an inability to route packets to BGP neighbors during reconvergence times.

Vulnerable Products
A Cisco IOS router is potentially vulnerable when it is running an affected version of Cisco IOS Software, BGP routing is enabled on the router, and the router has at least one established BGP neighbor session. For more information on affected versions, see the “Software Versions and Fixes” section below.

Details
The vulnerability may be triggered when the router receives a malformed attribute from a peer on an existing BGP session. At least one BGP neighbor session must be established for a router to be vulnerable. Successful exploitation of this vulnerability may cause all BGP peers to reset. Repeated exploitation may result in an inability to route packets to BGP neighbors during reconvergence times.

Impact
Successful exploitation of the vulnerability may cause all BGP peers to reset. Repeated exploitation may result in an inability to route packets to BGP neighbors during reconvergence times.

Link: http://tools.cisco.com/…/cisco-sa-20120926-bgp

Cisco Unified Presence and Jabber Extensible Communications Platform Stream Header Denial of Service Vulnerability
A denial of service (DoS) vulnerability exists in Cisco Unified Presence and Jabber Extensible Communications Platform (Jabber XCP). An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted Extensible Messaging and Presence Protocol (XMPP) stream header to an affected server. Successful exploitation of this vulnerability could cause the Connection Manager process to crash. Repeated exploitation could result in a sustained DoS condition.

Vulnerable Products
The following versions of Cisco Unified Presence and Jabber Extensible Communications Platform (Jabber XCP) are affected by the vulnerability in this advisory. JabberNow appliances are also affected if they are running a vulnerable version of Jabber XCP software.

All versions of Cisco Unified Presence prior to 8.6(3) are affected by the vulnerability in this advisory.

  • Jabber XCP and JabberNow Appliances
  • All versions of Jabber XCP software prior to 5.3 are affected by the vulnerability in this advisory.

Details
Jabber Extensible Communications Platform, including JabberNow Appliance, contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. XMPP clients initiate communication with an XMPP server by sending a stream header using IP version 4 (IPv4) or IP version 6 (IPv6). The vulnerability is due to the incorrect handling of stream headers. An attacker could exploit this vulnerability by sending a specially crafted XMPP stream header to an affected system. A successful exploit could cause the Connection Manager processes to terminate, resulting in dropped connections for existing clients and preventing new clients from connecting. The Connection Manager processes will restart automatically. However, repeated exploitation could create a sustained DoS condition.

Impact
Successful exploitation of this vulnerability could cause Connection Manager processes to terminate, resulting in dropped connections for existing clients and preventing new clients from connecting. The Connection Manager processes will restart automatically. However, repeated exploitation could result in a sustained DoS condition for all users of the server.

Link: http://tools.cisco.com/…/cisco-sa-20120912-cupxcp

Cisco ASA-CX and Cisco PRSM Log Retention Denial of Service Vulnerability
Cisco ASA-CX Context-Aware Security appliance and Cisco Prime Security Manager (PRSM) contain a denial of service (DoS) vulnerability in versions prior to 9.0.2-103. Successful exploitation of this vulnerability on the Cisco ASA-CX could cause the device to stop processing user traffic and prevent management access to the Cisco ASA-CX. Successful exploitation of this vulnerability on the Cisco PRSM could cause the software to become unresponsive and unavailable.

Vulnerable Products
All versions of Cisco ASA-CX Content-Aware Security and Cisco PRSM software prior to 9.0.2-103 are affected by the vulnerability in this advisory.

Details
An attacker could exploit this vulnerability by sending certain types of IPv4 packets to the management interface of the Cisco ASA-CX or Cisco PRSM. As a result, the log files grow and consume the /var/log partition. Once the /var/log partition is full, the Cisco ASA-CX module or Cisco PRSM will become unresponsive. Successful exploitation on a Cisco ASA-CX device could cause the Cisco ASA-CX to become unresponsive and stop processing user traffic. Successful exploitation on a Cisco PRSM software could cause the Cisco PRSM to become unresponsive.

Impact
Successful exploitation of the vulnerability on the Cisco ASA-CX Context-Aware Security appliance may cause the device to become unresponsive and stop processing user traffic.

Link: http://tools.cisco.com/…/cisco-sa-20120912-asacx

Summary
Article Name
September 2012: eleven Cisco vulnerabilities
Description
September 2012: The Cisco Product Security Incident Response Team (PSIRT) has published eleven important vulnerability advisories.
Author