Sep. 23, 2009: 11 new critical Cisco vulnerabilities!!

On September 23, 2009, the Cisco Product Security Incident Response Team (PSIRT) published 11 important vulnerability advisories.

Cisco Unified Communications Manager Express Vulnerability
Cisco IOS® devices that are configured for Cisco Unified Communications Manager Express (CME) and the Extension Mobility feature are vulnerable to a buffer overflow vulnerability. Successful exploitation of this vulnerability may result in the execution of arbitrary code or a Denial of Service (DoS) condition on an affected device.

Vulnerable Products
To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to “Cisco Internetwork Operating System Software” or “Cisco IOS Software.” The image name is displayed in parentheses, followed by “Version” and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.
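The banner check described above can be automated when auditing many devices. The following added example (not Cisco's code, and not from the advisory) parses the banner line of "show version" in both styles the advisory mentions and splits the release name into comparable parts; the sample outputs are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample outputs (not from the advisory): the banner line of
# "show version" in the two styles the advisory describes, and a non-IOS banner.
NEW_STYLE = ("Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), "
             "Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\n"
             "Technical Support: http://www.cisco.com/techsupport\n")
OLD_STYLE = ("Cisco Internetwork Operating System Software\n"
             "IOS (tm) C2600 Software (C2600-I-M), Version 12.2(15)T5, "
             "RELEASE SOFTWARE (fc1)\n")
NOT_IOS = "Cisco Nexus Operating System (NX-OS) Software\n"

# Image name in parentheses, then "Version" and the release name, as the
# advisory describes; the optional [Name] tag covers newer IOS banners.
BANNER_RE = re.compile(
    r"^(?:Cisco IOS Software(?: \[[^\]]+\])?,|IOS \(tm\))\s+"
    r"(?P<platform>.+?)\s+\((?P<image>[^)]+)\),\s+Version\s+(?P<release>[^,\s]+)",
    re.MULTILINE,
)
# 12.2(44)SE6 -> major, minor, maintenance, rebuild letter, train, train number, suffix
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)([a-z]?)$")

def parse_show_version(output: str) -> Optional[Dict[str, str]]:
    """Return platform, image and release from the banner, or None when the
    output does not identify itself as Cisco IOS Software at all."""
    if ("Cisco IOS Software" not in output
            and "Cisco Internetwork Operating System Software" not in output):
        return None
    m = BANNER_RE.search(output)
    return None if m is None else m.groupdict()

def split_release(release: str) -> Tuple[int, int, int, str, str, int, str]:
    """Break a release name into comparable parts so it can be checked against
    an advisory's fixed-software table, e.g. 12.4(15)T9 -> (12, 4, 15, '', 'T', 9, '')."""
    m = RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised IOS release name: {release!r}")
    major, minor, maint, rebuild, train, num, suffix = m.groups()
    return (int(major), int(minor), int(maint), rebuild, train, int(num) if num else 0, suffix)
```

A None result means the device is not running classic IOS and must be checked against the relevant advisory for that platform instead.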

Details
A vulnerability in the login section of the Extension Mobility feature may allow an unauthenticated attacker to execute arbitrary code or cause a Denial of Service (DoS) condition. The crafted packets must come from a registered phone IP address, in the form of HTTP requests. If the auto-registration feature is enabled, an attacker can register its own IP address and subsequently send a crafted payload to exploit this vulnerability. The auto-registration feature is enabled by default.

Impact
Successful exploitation of this vulnerability may result in the execution of arbitrary code or a Denial of Service (DoS) condition on an affected device.

Link: http://www.cisco.com/…/advisory09186a0080af8116.shtml

 

Cisco IOS Software Internet Key Exchange Resource Exhaustion Vulnerability
Cisco IOS® devices that are configured for the Internet Key Exchange (IKE) protocol and certificate-based authentication are vulnerable to a resource exhaustion attack. Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 security associations (SAs) and prevent the establishment of new IPsec sessions.

Vulnerable Products
Cisco IOS devices that are configured for IKE and certificate-based authentication are affected.

Details
A vulnerability exists in the IKE implementation of Cisco IOS Software if the certificate-based authentication method is used. Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 SAs, which may prevent new IPsec sessions from being established.

Impact
Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 SAs, which may prevent new IPsec sessions from being established.

Link: http://www.cisco.com/…/advisory09186a0080af8117.shtml

 

Cisco IOS Software Tunnels Vulnerability
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Vulnerable Products
Cisco devices are vulnerable when running an affected version of Cisco IOS Software and configured for Generic Routing Encapsulation (GRE), IPinIP, Generic Packet Tunneling in IPv6 or IPv6 over IP tunnels with Cisco Express Forwarding enabled. The Cisco IOS Point to Point Tunneling Protocol (PPTP) feature creates GRE tunnels that are transparent to the user; therefore, systems configured for PPTP are also vulnerable. The Cisco multicast Virtual Private Network (MVPN) feature also creates GRE tunnels that are transparent to the user; however, MVPN configurations are not vulnerable unless other tunnels are configured explicitly.

Details
A tunnel protocol encapsulates a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link between internetworking devices over an IP network. Cisco Express Forwarding is a Layer 3 IP switching technology. It improves network performance and scalability for networks with high and dynamic traffic patterns.

Impact
Successful exploitation of the vulnerability may result in the reload of an affected system, causing a DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080af8115.shtml

 

Cisco IOS Software Object-group Access Control List Bypass Vulnerability
A vulnerability exists in Cisco IOS® software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature.

Vulnerable Products
Any Cisco device configured with ACLs using the object group feature and running an affected Cisco IOS software version is affected by this vulnerability.

Details
In Cisco IOS Software an object group can contain a single object (such as a single IP address, network, or subnet) or multiple objects (such as a combination of multiple IP addresses, networks, or subnets). In an ACL that is based on an object group, administrators can create a single access control entry (ACE) that uses an object group name instead of creating many ACEs, each of which would require a different IP address. A similar object group, such as a protocol port group, can be extended to limit access to a set of applications for a user group to a server group.
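The only workaround the advisory names is to stop using the Object Groups for ACLs feature, which in practice means rewriting each object-group ACE as the explicit ACEs it stands for. The following added example (not Cisco's code) does that expansion for the subset of the syntax shown above: host and subnet members in a network group, protocol/port members in a service group, and ACEs of the form action, service, source, destination. The sample groups are constructed; real object groups also allow ranges and nested groups, which this does not handle.

```python
from itertools import product

# Constructed sample object groups (not from the advisory), holding the member
# lines exactly as they appear under "object-group network" / "object-group service".
GROUPS = {
    "WEB_SERVERS": ["host 10.1.1.10", "10.1.2.0 255.255.255.0"],  # network group
    "WEB_PORTS": ["tcp eq 80", "tcp eq 443"],                      # service group
}

def _to_ace_addr(member):
    """A network-group member carries a subnet mask; an ACE needs a wildcard mask."""
    if member.startswith("host "):
        return member
    net, mask = member.split()
    return net + " " + ".".join(str(255 - int(o)) for o in mask.split("."))

def _take_addr(t, i, groups):
    """Consume one source/destination spec starting at t[i] and return the list of
    explicit specs it stands for plus the index of the next token. Handles:
    any | host A.B.C.D | A.B.C.D WILDCARD | object-group NAME"""
    if t[i] == "any":
        return ["any"], i + 1
    if t[i] == "object-group":
        return [_to_ace_addr(m) for m in groups[t[i + 1]]], i + 2
    return [t[i] + " " + t[i + 1]], i + 2

def expand_ace(ace, groups=GROUPS):
    """Rewrite one access control entry into the equivalent list of entries that
    reference no object group (one entry per service/source/destination combination)."""
    t = ace.split()
    if t[1] == "object-group":            # a service group in the protocol slot
        services, i = groups[t[2]], 3
    else:
        services, i = [t[1]], 2
    srcs, i = _take_addr(t, i, groups)
    dsts, i = _take_addr(t, i, groups)
    out = []
    for svc, src, dst in product(services, srcs, dsts):
        proto, _, ports = svc.partition(" ")  # "tcp eq 80" -> "tcp", "eq 80"
        out.append(" ".join(x for x in (t[0], proto, src, dst, ports) if x))
    return out
```

The expanded entries are what the original ACE was meant to enforce; the number of resulting lines shows why the feature was attractive in the first place and why a rewrite should be generated rather than typed by hand.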

Impact
Successful exploitation of the vulnerability may allow an attacker to access resources that should be protected by the Cisco IOS device.

Link: http://www.cisco.com/…/advisory09186a0080af8119.shtml

 

Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerability
Cisco Unified Communications Manager, which was formerly Cisco Unified CallManager, contains a denial of service (DoS) vulnerability in the Session Initiation Protocol (SIP) service. An exploit of this vulnerability may cause an interruption in voice services.

Vulnerable Products
The following Cisco Unified Communications Manager versions are affected:

  • Cisco Unified Communications Manager 5.x versions prior to 5.1(3g)
  • Cisco Unified Communications Manager 6.x versions prior to 6.1(4)
  • Cisco Unified Communications Manager 7.0.x versions prior to 7.0(2a)su1
  • Cisco Unified Communications Manager 7.1.x versions prior to 7.1(2)
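Checking an installed release against the list above is error-prone by eye because Cisco's version strings mix numbers, a rebuild letter and a service-update suffix. The following added example (not Cisco's code) encodes the four fixed releases listed above and answers whether a given version is earlier than its train's fix; the version strings it accepts follow the form shown in the list, e.g. 7.0(2a)su1.

```python
import re
from typing import Optional, Tuple

# First fixed release of each affected train, as listed in the advisory summary above.
FIXED_RELEASES = {"5": "5.1(3g)", "6": "6.1(4)", "7.0": "7.0(2a)su1", "7.1": "7.1(2)"}

# major.minor(maintenance[letter])[suN]  e.g. 7.0(2a)su1
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)(?:su(\d+))?$")

def parse_cucm_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '7.0(2a)su1' into (7, 0, 2, 1, 1): the rebuild letter becomes a rank
    ('' -> 0, 'a' -> 1, ...) and a missing service update counts as su0, so plain
    tuple comparison orders releases the way Cisco numbers them."""
    m = VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised CUCM version string: {version!r}")
    major, minor, maint, letter, su = m.groups()
    rank = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(maint), rank, int(su) if su else 0)

def train_of(version: str) -> Optional[str]:
    """Map a version to the train the advisory lists: 5.x, 6.x, 7.0.x or 7.1.x."""
    major, minor, *_ = parse_cucm_version(version)
    if major in (5, 6):
        return str(major)
    if major == 7 and minor in (0, 1):
        return f"7.{minor}"
    return None

def is_affected(version: str) -> Optional[bool]:
    """True when the version is earlier than its train's first fixed release,
    False when it is at or beyond it, None when the train is not listed above."""
    train = train_of(version)
    if train is None:
        return None
    return parse_cucm_version(version) < parse_cucm_version(FIXED_RELEASES[train])
```

A None result only means the train is not in the summary above; the linked advisory's fixed-software table remains the authority for trains and releases not listed here.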

Details
A DoS vulnerability exists in the SIP implementation of the Cisco Unified Communications Manager. This vulnerability could be triggered when Cisco Unified Communications Manager processes crafted SIP messages. An exploit could lead to a reload of the main Cisco Unified Communications Manager process.

Impact
Successful exploitation of the vulnerability that is described in this advisory could result in a reload of the Cisco Unified Communications Manager process, which may result in the interruption of voice services.

Link: http://www.cisco.com/…/advisory09186a0080af8118.shtml

 

Cisco IOS Software H.323 Denial of Service Vulnerability
The H.323 implementation in Cisco IOS® Software contains a vulnerability that can be exploited remotely to cause a device that is running Cisco IOS Software to reload.

Vulnerable Products
Cisco devices that are running affected Cisco IOS Software versions and are configured to process H.323 messages are affected by this vulnerability. H.323 is not enabled by default. To determine whether a Cisco IOS Software device is running H.323 services, use the show process cpu | include 323 command.

Details
The H.323 implementation in Cisco IOS Software contains a vulnerability. An attacker can exploit this vulnerability remotely by sending an H.323 crafted packet to the affected device that is running Cisco IOS Software. A TCP three-way handshake is needed to exploit this vulnerability.

Impact
Successful exploitation of the vulnerability described in this document may cause the affected device to reload. The issue could be exploited repeatedly to cause an extended DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080af811a.shtml

 

Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS® Software that could allow an unauthenticated attacker to cause a denial of service (DoS) condition on an affected device when the Cisco Unified Border Element feature is enabled.

Vulnerable Products
This vulnerability only affects devices running Cisco IOS Software with SIP voice services enabled.

Details
SIP is a popular signaling protocol that is used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol has the flexibility to accommodate other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or TLS (TCP port 5061) as the underlying transport protocol. A DoS vulnerability exists in the SIP implementation in Cisco IOS Software when devices are running a Cisco IOS image that contains the Cisco Unified Border Element feature. This vulnerability is triggered by processing a series of crafted SIP messages.

Impact
Successful exploitation of the vulnerability described in this document may result in a reload of the device. The issue could be repeatedly exploited to cause an extended DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080af811b.shtml

 

Cisco IOS Software Crafted Encryption Packet Denial of Service Vulnerability
Cisco IOS® Software contains a vulnerability that could allow an attacker to cause a Cisco IOS device to reload by remotely sending a crafted encryption packet.

Vulnerable Products
Devices running affected versions of Cisco IOS Software are susceptible if configured with any of the following features:

  • Secure Socket Layer (SSL) Virtual Private Network (VPN)
  • Secure Shell (SSH)
  • Internet Key Exchange (IKE) Encrypted Nonces

Details
A Cisco IOS device that is configured for SSLVPN or SSH may reload when it receives a specially crafted TCP packet on TCP port 443 (SSLVPN) or TCP port 22 (SSH). Completion of the three-way handshake to the associated TCP port number of these features is required for the vulnerability to be successfully exploited; however, authentication is not required. A Cisco IOS device that is configured for IKE encrypted nonces may reload when it receives a specially crafted UDP packet on port 500 or 4500 (if configured for NAT Traversal (NAT-T)).

Impact
Successful exploitation of the vulnerability described in this document may result in a reload of the device. The issue could be repeatedly exploited to cause an extended DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080af811c.shtml

 

Cisco IOS Software Authentication Proxy Vulnerability
Cisco IOS® Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.

Vulnerable Products
Devices running affected versions of Cisco IOS Software and configured with Authentication Proxy for HTTP(S) or Web Authentication or the consent feature are vulnerable.

Details
This vulnerability allows a session to be permitted without first being authenticated by the authentication proxy, or to be permitted without first acknowledging the consent webpage. At least one successfully authenticated session or accepted consent session must exist for the vulnerability to be exposed. When this occurs, the RADIUS or TACACS+ server will show subsequent users as authenticated, all with the same username as the initial connection if performing authentication, regardless of the authentication information provided by the user and whether it was defined on the AAA server, and regardless of whether the password was correct.

Impact
Successful exploitation of the vulnerability may result in an unauthenticated and unauthorized user bypassing the authentication proxy services offered in Cisco IOS Authentication Proxy for HTTP(S) and/or bypassing the consent accept webpage.

Link: http://www.cisco.com/…/advisory09186a0080af8132.shtml

 

Cisco IOS Software Zone-Based Policy Firewall Vulnerability
Cisco IOS® devices that are configured with Cisco IOS Zone-Based Policy Firewall Session Initiation Protocol (SIP) inspection are vulnerable to denial of service (DoS) attacks when processing a specific SIP transit packet. Exploitation of the vulnerability could result in a reload of the affected device.

Vulnerable Products
Only devices that are configured with Cisco IOS Zone-Based Policy Firewall SIP inspection (UDP port 5060, TCP ports 5060, and 5061) are vulnerable. Cisco IOS devices that are configured with legacy Cisco IOS Firewall Support for SIP (context-based access control (CBAC)) are not vulnerable.

Details
Firewalls are networking devices that control access to the network assets of an organization. Firewalls are often positioned at the entrance points into networks. Cisco IOS software provides a set of security features that enable you to configure a simple or elaborate firewall policy, according to your particular requirements. Cisco IOS Software that is configured with Cisco IOS Zone-Based Policy Firewall SIP inspection is vulnerable to a DoS attack when processing a specific SIP transit packet. Exploitation of this vulnerability will result in a reload of the affected device.

Impact
Successful exploitation of the vulnerability may result in a reload of the affected device. Repeated exploit attempts may result in a sustained DoS attack.

Link: http://www.cisco.com/…/advisory09186a0080af8130.shtml

 

Cisco IOS Software Network Time Protocol Packet Vulnerability
Cisco IOS® Software with support for Network Time Protocol version 4 (NTPv4) contains a vulnerability in the processing of specific NTP packets that will result in a reload of the device. This results in a remote denial of service (DoS) condition on the affected device.

Vulnerable Products
Cisco IOS Software devices are vulnerable if they support NTPv4 and are configured for NTP operations. NTP is not enabled in Cisco IOS Software by default.

Details
The Network Time Protocol (NTP) is a protocol designed to time-synchronize a network of machines. NTP runs over UDP, which in turn runs over IP. NTPv3 is documented in RFC 1305. NTPv4 is a significant revision of the NTP standard and is the current development version, but it had not been formalized into an RFC at the time of publication of this advisory. NTPv4 is currently documented in draft-ietf-ntp-ntpv4-proto-11.

Impact
Successful exploitation of the vulnerability may result in a reload of the device. The vulnerability could be repeatedly exploited to cause an extended DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080af8131.shtml
