The Cisco Product Security Incident Response Team (PSIRT) has published one important vulnerability advisory:
- Cisco Content Services Gateway Vulnerabilities
Cisco Content Services Gateway Vulnerabilities
A service policy bypass vulnerability exists in the Cisco Content Services Gateway – Second Generation (CSG2), which runs on the Cisco Service and Application Module for IP (SAMI). Under certain configurations this vulnerability could allow:
- Customers to access sites that would normally match a billing policy without being charged for that access
- Customers to access sites that would normally be denied based on configured restriction policies
To determine the version of Cisco IOS Software that is running on the Cisco CSG2, issue the “show module” command from Cisco IOS Software on the switch on which the Cisco CSG2 module is installed to identify what modules and sub-modules are installed on the system.
The Cisco Content Services Gateway – Second Generation (CSG2) provides intelligent network capabilities such as flexible policy management and billing based on deep-packet inspection, as well as subscriber and application awareness capabilities that enable mobile operators to quickly and easily offer value-added, differentiated services over their mobile data networks.
The service policy bypass vulnerability affects configurations that allow end users to first access non-accounted or billed sites. After a user accesses a non-accounted site, it is possible to access other sites that are defined by a billing service policy or to access sites that may be blocked by other policies by sending specially crafted HTTP packets. This vulnerability only affects HTTP content traffic. HTTPS and other traffic types are not affected.
Both denial of service vulnerabilities require only a single content service to be active on the Cisco CSG2 and can be exploited via crafted TCP packets. A three-way handshake is not required to exploit either of these vulnerabilities. The vulnerabilities are triggered by TCP traffic that transits the Cisco CSG2.
Successful exploitation of the service policy bypass can allow customers to obtain access to sites that would normally be accounted and billed according to the billing policy without the billing policy being engaged. Additionally, customers could gain access to URLs that are configured in the Cisco CSG2 to be explicitly denied. Successful exploitation of either denial of service vulnerability could result in the Cisco CSG2 reloading or potentially hanging.