September 2013: eleven Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published eleven important vulnerability advisories:

  • Cisco IOS Software Queue Wedge Denial of Service Vulnerability
  • Cisco IOS Software Internet Key Exchange Memory Leak Vulnerability
  • Cisco IOS Software Zone-Based Firewall and Content Filtering Vulnerability
  • Cisco IOS Software Resource Reservation Protocol Interface Queue Wedge Vulnerability
  • Cisco IOS Software DHCP Denial of Service Vulnerability
  • Cisco IOS Software Multicast Network Time Protocol Denial of Service Vulnerability
  • Cisco IOS Software Network Address Translation Vulnerabilities
  • Cisco IOS Software IPv6 Virtual Fragmentation Reassembly Denial of Service Vulnerability
  • Cisco Prime Central for Hosted Collaboration Solution Assurance Unauthenticated Username and Password Enumeration Vulnerability
  • Multiple Vulnerabilities in Cisco Prime Data Center Network Manager
  • Multiple Vulnerabilities in the Cisco WebEx Recording Format and Advanced Recording Format Players

Cisco IOS Software Queue Wedge Denial of Service Vulnerability
A vulnerability in the T1/E1 driver queue implementation of Cisco IOS Software could allow an unauthenticated, remote attacker to cause an interface wedge condition, which could lead to loss of connectivity, loss of routing protocol adjacency, and could result in a denial of service (DoS) scenario.

Vulnerable Products
A device is vulnerable if all the following criteria are met:

  • An interface controller configured for T1/E1 channel group is using the affected High-Level Data Link Control 32 (HDLC32) driver.
  • T1/E1 controller clock source is configured for line or internal.

Details
An attacker with some knowledge of the affected infrastructure could exploit this vulnerability by sending a bursty profile of network packets through vulnerable devices. Successful exploitation of the vulnerability could allow an attacker to wedge the transmit queue of an egress interface. Workarounds to mitigate this vulnerability are available.

Impact
Successful exploitation of this vulnerability will result in an interface queue wedge, which can lead to loss of connectivity, loss of routing protocol adjacency, and other DoS scenarios. This vulnerability could be exploited repeatedly to cause an extended DoS condition.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-wedge

Cisco IOS Software Internet Key Exchange Memory Leak Vulnerability
A vulnerability in the Internet Key Exchange (IKE) protocol of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak that could lead to a device reload.

Vulnerable Products
Although only IKEv1 packets can be used to trigger this vulnerability, devices that are running Cisco IOS Software or Cisco IOS XE Software are vulnerable when they are configured to use IKEv1 or IKEv2. Configuring IKEv2 on Cisco IOS Software or Cisco IOS XE Software automatically enables IKEv1.

A number of features use IKEv1, including different types of VPNs such as the following:

  • LAN-to-LAN VPN
  • Remote access VPN (excluding SSLVPN)
  • Dynamic Multipoint VPN (DMVPN)
  • Group Domain of Interpretation (GDOI)

The preferred method to determine whether a device has been configured for IKE is to issue the show ip sockets or show udp EXEC command. If the device has UDP port 500, UDP port 4500, or UDP port 848 open, it is processing IKE packets.
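The check above is easy to automate across a fleet once the `show ip sockets` (or `show udp`) output has been collected. The script below is an added example, not Cisco tooling and not part of the advisory: it parses that table, picks out the local UDP ports the device is listening on, and reports which of the three IKE-related ports (500, 4500 and 848) are open. The sample output is constructed to follow the column layout of `show ip sockets` and is not captured from a real device; the address-column heuristic (local port is the token following the last address-like token) is an assumption made so that rows such as `--listen--` / `--any--` parse the same way as rows with explicit addresses.

```python
"""Flag IKE exposure from Cisco IOS `show ip sockets` / `show udp` output.

Added example for the September 2013 IKE advisory; the page's own check is
"UDP port 500, 4500 or 848 open => the device processes IKE packets".
"""
import re
from typing import Dict, Set

# UDP ports named in the advisory and what normally listens on them.
IKE_UDP_PORTS: Dict[int, str] = {500: "ISAKMP/IKE", 4500: "IKE NAT-T", 848: "GDOI"}

# Constructed sample in the column layout of `show ip sockets`; not a real capture.
SAMPLE_SHOW_IP_SOCKETS = """\
Proto        Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17       0.0.0.0           0  192.0.2.1        500    0   0    11   0
 17       0.0.0.0           0  192.0.2.1       4500    0   0    11   0
 17       0.0.0.0           0  192.0.2.1        123    0   0     1   0
 17   --listen--         --any--               161    0   0  1001   0
  6   --listen--         --any--                22    0   0  1001   0
"""

# IPv4 dotted quad, anything with a colon (IPv6), or the wildcard shown by IOS.
ADDR_RE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]*|--any--)$")


def local_udp_ports(show_output: str) -> Set[int]:
    """Return the set of local UDP ports listed in the socket table.

    Assumption (not from the page): the local port is the numeric token that
    follows the last address-like token on the row, which holds both for
    rows with explicit addresses and for `--listen--`/`--any--` rows.
    """
    ports: Set[int] = set()
    for line in show_output.splitlines():
        tokens = line.split()
        # Protocol number 17 is UDP; this also skips the header and TCP rows.
        if not tokens or tokens[0] != "17":
            continue
        addr_positions = [i for i, tok in enumerate(tokens) if ADDR_RE.match(tok)]
        if not addr_positions:
            continue
        port_idx = addr_positions[-1] + 1
        if port_idx < len(tokens) and tokens[port_idx].isdigit():
            ports.add(int(tokens[port_idx]))
    return ports


def ike_exposure(show_output: str) -> Dict[int, str]:
    """Map each open IKE-related UDP port to its service name (empty if none)."""
    open_ports = local_udp_ports(show_output) & set(IKE_UDP_PORTS)
    return {port: IKE_UDP_PORTS[port] for port in sorted(open_ports)}


if __name__ == "__main__":
    exposed = ike_exposure(SAMPLE_SHOW_IP_SOCKETS)
    if exposed:
        print("Device processes IKE; review cisco-sa-20130925-ike:", exposed)
    else:
        print("No IKE ports open; IKE advisory does not apply to this device.")
```

Feed the function the saved output of one device at a time; a non-empty result means the device is in scope for the IKE advisory regardless of whether the configuration shows IKEv1 or IKEv2, since, as the text notes, configuring IKEv2 enables IKEv1 as well.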

Details
Although IKEv1 is automatically enabled on a Cisco IOS Software and Cisco IOS XE Software when IKEv1 or IKE version 2 (IKEv2) is configured, the vulnerability can be triggered only by sending a malformed IKEv1 packet.

In specific conditions, normal IKEv1 packets can also cause an affected release of Cisco IOS Software to leak memory.

Only IKEv1 is affected by this vulnerability.

An exploit could cause Cisco IOS Software not to release allocated memory, causing a memory leak. A sustained attack may result in a device reload.
An attacker could exploit this vulnerability using either IPv4 or IPv6 on any of the listed UDP ports.

Impact
Successful exploitation of the vulnerability may cause Cisco IOS Software or Cisco IOS XE Software not to release allocated memory, causing a memory leak. A sustained attack may result in a device reload.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-ike

Cisco IOS Software Zone-Based Firewall and Content Filtering Vulnerability
A vulnerability in the Zone-Based Firewall (ZBFW) component of Cisco IOS Software could allow an unauthenticated, remote attacker to cause an affected device to hang or reload.

Vulnerable Products
Cisco devices that are running affected Cisco IOS Software versions are vulnerable when HTTP ALG inspection or Cisco IOS Content Filtering is configured under the ZBFW.

Details
The vulnerability is due to improper processing of specific HTTP packets when the device is configured for content filtering or HTTP application layer gateway inspection. An attacker could exploit this vulnerability by sending specific HTTP packets through an affected device. An exploit could allow the attacker to cause an affected device to hang or reload.
Only transit traffic can trigger this vulnerability; HTTP traffic destined to a vulnerable device cannot trigger this vulnerability.

In devices that meet the vulnerable configuration criteria, valid HTTP packets could trigger this vulnerability. This vulnerability can only be exploited with IPv4 traffic. IPv6 traffic cannot be used to exploit this vulnerability.

Impact
Successful exploitation of the vulnerability may cause the affected device to crash or hang. If the device hangs, it must be power cycled to recover. If the device supports and is configured with scheduler isr-watchdog then the device will reset and reload if the vulnerability is exploited.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-cce

Cisco IOS Software Resource Reservation Protocol Interface Queue Wedge Vulnerability
A vulnerability in the Resource Reservation Protocol (RSVP) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger an interface queue wedge on the affected device.

Vulnerable Products
Only devices with specific configurations are affected. Cisco devices that are running affected Cisco IOS Software or Cisco IOS XE Software versions are vulnerable when they are configured with RSVP and also have one or more virtual routing and forwarding (VRF) interfaces. A device is vulnerable if both of the following criteria are met:

  • At least one VRF instance is configured without RSVP
  • At least one other interface (physical or virtual), not in the same VRF (or in the global table), is configured with RSVP

Details
The vulnerability is due to improper parsing of UDP RSVP packets. An attacker could exploit this vulnerability by sending UDP RSVP packets to the vulnerable device. An exploit could cause Cisco IOS Software and Cisco IOS XE Software to incorrectly process incoming packets, resulting in an interface queue wedge, which can lead to loss of connectivity, loss of routing protocol adjacency, and other DoS conditions.

In devices that meet the vulnerable configuration criteria, valid UDP RSVP packets could trigger this vulnerability. An attacker with knowledge of the infrastructure could craft valid RSVP packets with set conditions to exploit this vulnerability. Recovery from this interface queue wedge requires a reload of the device.

This vulnerability can be exploited with RSVP over UDP over either IPv4 or IPv6 on UDP port 1698. Exploitation over IPv6 affects only Cisco IOS Software releases 15.2(3)T, 15.2(4)M, and later.

Impact
Successful exploitation of this vulnerability will result in an interface queue wedge, which can lead to loss of connectivity, loss of routing protocol adjacency, and other DoS conditions. This vulnerability could be exploited repeatedly to cause an extended DoS condition.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-rsvp

Cisco IOS Software DHCP Denial of Service Vulnerability
A vulnerability in the DHCP implementation of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

Vulnerable Products
Cisco devices that are running affected Cisco IOS Software or Cisco IOS XE Software with the DHCP server or DHCP relay feature enabled are vulnerable. Neither feature is enabled by default. Cisco devices that are configured only as DHCP clients are not affected. To determine whether a Cisco IOS or Cisco IOS XE device is configured as a DHCP server, issue the show ip dhcp pool command; a device acts as a DHCP relay agent when ip helper-address is configured on an interface, so check the running configuration for that command as well.

Details
Cisco IOS Software and Cisco IOS XE Software contain a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. An attacker could exploit this vulnerability by sending a crafted request to an affected device that has the DHCP server or DHCP relay agent feature enabled, causing a reload.

The vulnerability is triggered when the affected Cisco IOS device processes a crafted DHCP packet. Valid DHCP packets do not trigger it. DHCP packets that the device merely routes as transit traffic do not trigger it either, but packets handed to the local DHCP relay agent (for example, client broadcasts arriving on an interface configured with ip helper-address) do.

Impact
Successful exploitation of the vulnerability may cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-dhcp

Cisco IOS Software Multicast Network Time Protocol Denial of Service Vulnerability
A vulnerability in the implementation of the Network Time Protocol (NTP) feature in Cisco IOS Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

Vulnerable Products
A Cisco device that is running an affected Cisco IOS Software release is vulnerable when the following two conditions are met:

  • The device configuration includes any multicast NTP configuration commands
  • The device has at least one MSDP peer configured

Details
The vulnerability is due to the improper handling of multicast NTP packets that are sent to an affected device encapsulated in a Multicast Source Discovery Protocol (MSDP) Source-Active (SA) message from a configured MSDP peer. An attacker could exploit this vulnerability by sending multicast NTP packets to an affected device. Repeated exploitation could result in a sustained DoS condition.

Impact
Successful exploitation of this vulnerability may cause the affected device to reload. Repeated exploitation could result in a sustained DoS condition.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-ntp

Cisco IOS Software Network Address Translation Vulnerabilities
The Cisco IOS Software implementation of the network address translation (NAT) feature contains three vulnerabilities when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

Vulnerable Products
Cisco devices that are running Cisco IOS Software are vulnerable when they are configured for NAT. There are two methods to determine whether a device is configured for NAT:

  • Determine whether NAT is active on a device.
  • Determine whether NAT commands are included in the device configuration.

The preferred method to verify whether NAT is enabled on a Cisco IOS device is to determine whether NAT is active (for example, with the show ip nat statistics EXEC command); looking for ip nat commands in the running configuration (such as ip nat inside, ip nat outside and ip nat inside source) is the secondary method.

Details
Three vulnerabilities exist in the NAT function of Cisco IOS Software. Two of the vulnerabilities are in the translation of DNS packets and one vulnerability is in the translation of Point-to-Point Tunneling Protocol packets. None of the vulnerabilities require a three-way handshake.

  • Cisco IOS Software NAT DNS Vulnerabilities: Two vulnerabilities exist in the NAT of DNS over TCP packets function of Cisco IOS Software that could allow an unauthenticated, remote attacker to reload the affected device. The vulnerabilities are due to improper handling of certain valid DNS TCP streams. An attacker could exploit these vulnerabilities by sending certain DNS packets on TCP port 53. These DNS vulnerabilities cannot be exploited using UDP port 53 packets, nor can they be exploited using IPv6 packets.
  • Cisco IOS Software NAT PPTP Vulnerability: A vulnerability exists in the NAT of PPTP packets of Cisco IOS Software that could allow an unauthenticated, remote attacker to reload the affected device. The vulnerability is due to improper handling of certain valid PPTP packets. An attacker could exploit this vulnerability by sending PPTP packets on TCP port 1723.

Impact
Successful exploitation of the NAT DNS or NAT PPTP vulnerabilities may cause the vulnerable device to reload. Continued exploitation will result in a sustained DoS condition.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-nat

Cisco IOS Software IPv6 Virtual Fragmentation Reassembly Denial of Service Vulnerability
A vulnerability in the implementation of the virtual fragmentation reassembly (VFR) feature for IP version 6 (IPv6) in Cisco IOS Software could allow an unauthenticated, remote attacker to cause an affected device to hang or reload, resulting in a denial of service (DoS) condition.

Vulnerable Products
Cisco devices running an affected Cisco IOS Software release are vulnerable if the IPv6 VFR feature is enabled.
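Most of the IOS advisories above define exposure purely in terms of configuration: RSVP together with a VRF that lacks RSVP, a DHCP server or relay, multicast NTP together with an MSDP peer, any NAT, and IPv6 VFR. The script below is an added example (not Cisco's tooling, and not from the advisories) that applies those criteria to a saved running-config and reports which advisories a device is in scope for. The sample configuration is constructed for the example; the command spellings it looks for (ip vrf / vrf definition, ip vrf forwarding / vrf forwarding, ip rsvp bandwidth, ip dhcp pool, ip helper-address, ntp multicast, ip msdp peer, ip nat ..., ipv6 virtual-reassembly) are standard IOS syntax, but treating a prefix match on them as "feature enabled" is this example's own simplification. The RSVP check implements the two-part rule from the RSVP section literally: a VRF with no RSVP-enabled interface, plus an RSVP-enabled interface outside that VRF (including the global table).

```python
"""Audit a Cisco IOS running-config against the September 2013 PSIRT criteria.

Added example; the IKE check here is the secondary, configuration-based one
(the advisory's preferred check is the show ip sockets / show udp port list).
"""
import re
from typing import Dict, List, Optional

# Constructed sample running-config; not from a real device.
SAMPLE_CONFIG = """\
! constructed sample for the audit example
ip vrf CUST-A
 rd 65000:1
ip vrf CUST-B
 rd 65000:2
ip dhcp pool LAN
 network 10.10.0.0 255.255.255.0
ip msdp peer 192.0.2.9 connect-source Loopback0
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
 ip rsvp bandwidth 1000
 ipv6 virtual-reassembly in
interface GigabitEthernet0/1
 ip vrf forwarding CUST-A
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 ip helper-address 10.20.0.5
 ntp multicast
interface GigabitEthernet0/2
 ip vrf forwarding CUST-B
 ip address 10.30.0.1 255.255.255.0
ip nat inside source list 1 interface GigabitEthernet0/0 overload
"""

VRF_DEF_RE = re.compile(r"(?:ip vrf|vrf definition) (\S+)")
VRF_MEMBER_RE = re.compile(r"(?:ip )?vrf forwarding (\S+)")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [its indented sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        elif not line.startswith(" "):
            current = None          # any other top-level command ends the block
    return interfaces


def global_commands(config: str) -> List[str]:
    """Top-level (unindented) commands, minus comments and blank lines."""
    return [l for l in config.splitlines() if l and not l.startswith((" ", "!"))]


def vrf_of(subcmds: List[str]) -> Optional[str]:
    """VRF an interface belongs to, or None for the global table."""
    for cmd in subcmds:
        m = VRF_MEMBER_RE.match(cmd)
        if m:
            return m.group(1)
    return None


def rsvp_vrf_wedge(config: str) -> bool:
    """RSVP advisory rule: some VRF has no RSVP, and RSVP is enabled elsewhere."""
    vrfs = {m.group(1) for c in global_commands(config) for m in [VRF_DEF_RE.match(c)] if m}
    rsvp_locations: List[Optional[str]] = []      # VRF (or None=global) per RSVP interface
    for subcmds in parse_interfaces(config).values():
        vrf = vrf_of(subcmds)
        if vrf:
            vrfs.add(vrf)
        if any(c.startswith("ip rsvp") for c in subcmds):
            rsvp_locations.append(vrf)
    rsvp_vrfs = {v for v in rsvp_locations if v}
    return any(v not in rsvp_vrfs and any(loc != v for loc in rsvp_locations) for v in vrfs)


def audit(config: str) -> Dict[str, bool]:
    """One flag per advisory whose scope is defined by configuration."""
    g = global_commands(config)
    sub = [c for cmds in parse_interfaces(config).values() for c in cmds]
    return {
        "ike": any(c.startswith(("crypto isakmp", "crypto ikev2")) for c in g),
        "rsvp-vrf-wedge": rsvp_vrf_wedge(config),
        "dhcp-server-or-relay": any(c.startswith("ip dhcp pool") for c in g)
                                or any(c.startswith("ip helper-address") for c in sub),
        "multicast-ntp-msdp": any(c.startswith("ntp multicast") for c in g + sub)
                              and any(c.startswith("ip msdp peer") for c in g),
        "nat": any(c.startswith("ip nat") for c in g + sub),
        "ipv6-vfr": any(c.startswith("ipv6 virtual-reassembly") for c in g + sub),
    }


if __name__ == "__main__":
    for advisory, exposed in audit(SAMPLE_CONFIG).items():
        print(f"{advisory:22s} {'IN SCOPE' if exposed else 'not affected'}")
```

Run it against each device's saved configuration; only devices flagged for a given advisory need the corresponding fixed-release or workaround work, which is usually the first triage step when a batch of eleven advisories lands at once.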

Details
The vulnerability is due to a race condition while accessing the reassembly queue for IPv6 fragments. An attacker could exploit this vulnerability by sending a crafted stream of valid IPv6 fragments. Repeated exploitation may result in a sustained DoS condition.

Impact
Successful exploitation of this vulnerability may cause the affected device to hang or reload, resulting in a DoS condition.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-ipv6vfr

Cisco Prime Central for Hosted Collaboration Solution Assurance Unauthenticated Username and Password Enumeration Vulnerability
A vulnerability in the web framework of Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance could allow an unauthenticated, remote attacker to access sensitive information on the system.

Vulnerable Products
The following products are affected by the vulnerability that is described in this advisory:

  • Cisco Prime Central for HCS Assurance version 1.0.1
  • Cisco Prime Central for HCS Assurance version 1.1

Details
A vulnerability in the web framework of Cisco Prime Central for HCS Assurance could allow an unauthenticated, remote attacker to access sensitive information on the system, including user credentials.
The vulnerability is due to improper user authentication and inadequate session management. An attacker could exploit this vulnerability by submitting a crafted HTTP request to the web user interface.

Impact
Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to access sensitive information on the system, including user credentials.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-pc

Multiple Vulnerabilities in Cisco Prime Data Center Network Manager
Cisco Prime Data Center Network Manager (DCNM) contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to disclose file contents, execute arbitrary commands on the underlying operating system, and read text files on an affected device. Various components of Cisco Prime DCNM are affected. These vulnerabilities can be exploited independently on the same device; however, a release that is affected by one of the vulnerabilities may not be affected by the others.

Vulnerable Products
The vulnerabilities described in this advisory affect all versions of Cisco Prime DCNM prior to 6.2(1).

Details

  • Cisco Prime DCNM Information Disclosure Vulnerability: The Cisco DCNM-SAN Server component of Cisco Prime DCNM contains a vulnerability that could allow an unauthenticated, remote attacker to disclose arbitrary file contents on an affected system.
  • Cisco Prime DCNM Remote Command Execution Vulnerabilities: The Cisco DCNM-SAN Server component of Cisco Prime DCNM contains two vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system that hosts the Cisco Prime DCNM application.
  • Cisco Prime DCNM XML External Entity Injection Vulnerability: Cisco Prime DCNM is affected by a vulnerability which could allow an unauthenticated, remote attacker to access arbitrary text files on the underlying operating system with the privilege of root using an XML external entity injection attack. When processing incoming requests, XML external entity references and injected tags can result in disclosure of information.

Impact

  • Cisco Prime DCNM Remote Command Execution Vulnerabilities: Successful exploitation of the remote command execution vulnerability could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system that hosts the Cisco Prime DCNM application in the context of the System user for Cisco Prime DCNM running on Microsoft Windows, or the root user for Cisco Prime DCNM running on Linux.
  • Cisco Prime DCNM Information Disclosure Vulnerability: Successful exploitation of the information disclosure vulnerability could allow an unauthenticated, remote attacker to disclose arbitrary file contents on an affected system.
  • Cisco Prime DCNM XML External Entity Injection Vulnerability: Successful exploitation of the XML external entity injection vulnerability could allow an unauthenticated, remote attacker to read arbitrary file contents on an affected system.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm

Multiple Vulnerabilities in the Cisco WebEx Recording Format and Advanced Recording Format Players
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players. Exploitation of these vulnerabilities could allow a remote attacker to crash an affected player, and in some cases, could allow a remote attacker to execute arbitrary code on the system of a targeted user.

Vulnerable Products
The vulnerabilities disclosed in this advisory affect the Cisco WebEx WRF Player and the Cisco WebEx ARF Player. The following client builds of Cisco WebEx Business Suite (WBS27 and WBS28), Cisco WebEx 11, and Cisco WebEx Meetings Server are affected by at least one of the vulnerabilities described in this advisory:

  • Cisco WebEx Business Suite (WBS28) client builds prior to T28.8 (28.8)
  • Cisco WebEx Business Suite (WBS27) client builds prior to T27LDSP32EP16 (27.32.16)
  • Cisco WebEx 11 versions prior to 1.2 SP6 (1.2.6.0) with client builds prior to T28.8 (28.8)
  • Cisco WebEx Meetings Server client builds prior to T27L10NSP32_ORION111

Details
The vulnerabilities are:

  • Cisco WebEx ARF Player Memory Corruption Vulnerability
  • Cisco WebEx ARF Player Heap Corruption Vulnerability
  • Cisco WebEx WRF Player Exception Handler Corruption Vulnerability
  • Cisco WebEx WRF Player Stack Buffer Overflow Vulnerability
  • Cisco WebEx WRF Player JPEG DHT Index Memory Corruption Vulnerability

To exploit one of these vulnerabilities, the player applications would need to open a malicious ARF or WRF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using email), or by directing a user to a malicious web page. The vulnerabilities cannot be triggered by users who are attending a WebEx meeting.

Impact
Successful exploitation of the vulnerabilities described in this document could cause player applications to crash and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the player applications.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130904-webex
