September 2010: seven Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published seven important vulnerability advisories:

• Cisco IOS Software H.323 Denial of Service Vulnerabilities
• Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities
• Cisco IOS Software Internet Group Management Protocol Denial of Service Vulnerability
• Cisco IOS Software Network Address Translation Vulnerabilities
• Cisco IOS SSL VPN Vulnerability
• Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerabilities
• Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Cisco IOS Software H.323 Denial of Service Vulnerabilities
The H.323 implementation in Cisco IOS Software contains two vulnerabilities that may be exploited remotely to cause a denial of service (DoS) condition on a device that is running a vulnerable version of Cisco IOS Software. Cisco has released free software updates that address these vulnerabilities

Vulnerable Products
Cisco devices that are running affected Cisco IOS Software versions that are configured to process H.323 messages are affected by these vulnerabilities. H.323 is not enabled by default. To determine if the Cisco IOS Software device is running H.323 services, issue the show process cpu | include H323 command.

Details
H.323 is the International Telecommunication Union (ITU) standard for real-time multimedia communications and conferencing over packet-based (IP) networks. A subset of the H.323 standard is H.225.0, a standard that is used for call signaling protocols and media stream packetization over IP networks. The H.323 implementation in Cisco IOS Software contains two DoS vulnerabilities. An attacker can exploit these vulnerabilities remotely by sending crafted H.323 packets to an affected device that is running Cisco IOS Software. A TCP three-way handshake is required to exploit these vulnerabilities.

Impact
Successful exploitation of the vulnerabilities described in this advisory may cause the affected device to reload. Theses vulnerabilities could be exploited repeatedly to cause an extended DoS condition.

Link: http://www.cisco.com/…/products_security_advisory09186a0080b4a300.shtml

Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities
Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS® Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device when SIP operation is enabled. Cisco has released free software updates that address these vulnerabilities

Vulnerable Products
Cisco devices are affected when they are running affected Cisco IOS Software versions that are configured to process SIP messages.

Details
Three vulnerabilities exist in the SIP implementation in Cisco IOS Software that may allow a remote attacker to cause an affected device to reload. These vulnerabilities are triggered when the device running Cisco IOS Software processes crafted SIP messages.

Impact
Successful exploitation of the vulnerabilities in this advisory may result in a reload of the device. Repeated exploitation could result in a sustained denial of service condition.

Link: http://www.cisco.com/…/products_security_advisory09186a0080b4a30f.shtml

Cisco IOS Software Internet Group Management Protocol Denial of Service Vulnerability
A vulnerability in the Internet Group Management Protocol (IGMP) version 3 implementation of Cisco IOS® Software and Cisco IOS XE Software allows a remote unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition. Cisco has released free software updates that address this vulnerability.

Vulnerable Products
The following products are affected by this vulnerability:

• Cisco IOS Software
• Cisco IOS XE Software

Details
A malformed IGMP packet can cause a vulnerable device to reload. This vulnerability can only be exploited if the malformed IGMP packet is received on an interface that has been enabled for IGMP version 3 and Protocol Independent Multicast (PIM). The malformed IGMP packet destination address can be unicast, multicast, or broadcast and can be addressed to any IP address in the vulnerable device, including loopback addresses. To exploit this vulnerability, a malformed packet must be received on a vulnerable interface, but it can be addressed to any IP address on the vulnerable device.

Impact
Successful exploitation of this vulnerability may cause the affected device vulnerable device to reload. Repeated exploitation may result in a sustained DoS condition.

Link: http://www.cisco.com/…/products_security_advisory09186a0080b4a310.shtml

Cisco IOS Software Network Address Translation Vulnerabilities
The Cisco IOS® Software Network Address Translation functionality contains three denial of service (DoS) vulnerabilities. The first vulnerability is in the translation of Session Initiation Protocol (SIP) packets, the second vulnerability in the translation of H.323 packets and the third vulnerability is in the translation of H.225.0 call signaling for H.323 packets.

Vulnerable Products
Cisco devices running Cisco IOS Software that are configured for NAT and that support NAT for SIP, H.323, or H.225.0 call signaling for H.323 packets are affected.

Details
The three vulnerabilities are triggered by transit traffic that needs to be processed by the NAT feature. Each vulnerability is independent of each other.

• NAT for SIP DoS Vulnerability
• NAT for H.323 DoS Vulnerability
• NAT for H.225.0 DoS vulnerability

Impact
Successful exploitation of any of the vulnerabilities described in this document may cause the affected device to reload. Repeated exploitation will result in an extended denial of service (DoS) condition.

Link: http://www.cisco.com/…/products_security_advisory09186a0080b4a311.shtml

Cisco IOS SSL VPN Vulnerability
Cisco IOS® Software contains a vulnerability when the Cisco IOS SSL VPN feature is configured with an HTTP redirect. Exploitation could allow a remote, unauthenticated user to cause a memory leak on the affected devices, that could result in a memory exhaustion condition that may cause device reloads, the inability to service new TCP connections, and other denial of service (DoS) conditions.

Vulnerable Products
Devices running affected versions of Cisco IOS Software are vulnerable if configured with SSL VPN and HTTP port redirection.

Details
A device configured for SSL VPN with HTTP port redirection may leak transmission control blocks (TCBs) when processing an abnormally disconnected SSL session. Continued exploitation may cause the device to deplete memory resources, which could result in device reloads, the inability to service new TCP connections, and other DoS conditions. Authentication is not required to exploit this vulnerability.

Impact
Successful exploitation of the vulnerability may result in a lack of available memory resources on the affected device, which could affect new connections to the device such as SSH and Telnet connections. Depletion of memory resources may also result in failing of routing protocols and other services.

Link: http://www.cisco.com/…/products_security_advisory09186a0080b4a312.shtml

Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerabilities
Cisco Unified Communications Manager contains two denial of service (DoS) vulnerabilities that affect the processing of Session Initiation Protocol (SIP) messages. Exploitation of these vulnerabilities could cause an interruption of voice services.

Vulnerable Products
The following products are affected by the vulnerabilities that are described in this advisory:

• Cisco Unified Communications Manager 6.x
• Cisco Unified Communications Manager 7.x
• Cisco Unified Communications Manager 8.x

Details
Cisco Unified Communications Manager contains two DoS vulnerabilities that involve the processing of SIP messages. Each vulnerability is triggered by a malformed SIP message that could cause a critical process to fail, which could result in the disruption of voice services. All SIP ports (TCP ports 5060 and 5061 and UDP ports 5060 and 5061) are affected.

Impact
Successful exploitation of the vulnerabilities that are described in this advisory could result in the interruption of voice services. Cisco Unified Communications Manager will restart the affected processes, but repeated attacks may result in a sustained DoS Condition.

Link: http://www.cisco.com/…/products_security_advisory09186a0080b4a313.shtml

Multiple Vulnerabilities in Cisco Wireless LAN Controllers
The Cisco Wireless LAN Controller (WLC) product family is affected by these vulnerabilities:

• Two denial of service (DoS) vulnerabilities
• Three privilege escalation vulnerabilities
• Two access control list (ACL) bypass vulnerabilities

Vulnerable Products
These products are each affected by at least one vulnerability covered in this Security Advisory:

• Cisco 2000 Series WLCs
• Cisco 2100 Series WLCs
• Cisco 4100 Series WLCs
• Cisco 4400 Series WLCs
• Cisco 5500 Series WLCs
• Cisco Wireless Services Modules (WiSMs)
• Cisco WLC Modules for Integrated Services Routers (ISRs)
• Cisco Catalyst 3750G Integrated WLCs

Details
Cisco WLCs and Cisco WiSMs are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility. The Cisco WLC family of devices is affected by 2 denial of service vulnerabilities, 3 privilege escalation vulnerabilities, and 2 access control list bypass vulnerabilities. The following are the details about these vulnerabilities.

• IKE Denial of Service Vulnerability: An attacker with the ability to send a malicious IKE packet to an affected Cisco WLC could cause the device to crash and reload. This vulnerability can be exploited from both wired and wireless segments.
• HTTP Denial of Service Vulnerability: An authenticated attacker with the ability to send a series of malicious HTTP packets to an affected Cisco WLC could cause the device to reload. This vulnerability can be exploited from both wired and wireless segments. A TCP three-way handshake is needed in order to exploit this vulnerability.
• Privilege Escalation Vulnerabilities: Three privilege escalation vulnerabilities exist in the Cisco WLCs that could allow an authenticated attacker with read-only privileges to modify the device configuration.
• Access Control List Bypass Vulnerabilities: ACLs can be configured in the Cisco WLCs and applied to data traffic to and from wireless clients or to all traffic that is destined for the controller CPU. After ACLs are defined, they can be applied to the management interface, the access point manager (AP-manager) interface, or any of the dynamic interfaces for client data traffic or to the Network Processing Unit (NPU) interface for traffic to the controller CPU. Two vulnerabilities exist in the Cisco WLCs that could allow an unauthenticated attacker to bypass policies that should be enforced by CPU-based ACLs. No other ACL types are affected by these vulnerabilities.

Impact
Successful exploitation of the DoS vulnerabilities could cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition.
Successful exploitation of the privilege escalation vulnerabilities could allow an authenticated attacker with read-only privileges to modify the device configuration.
Successful exploitation of the ACL bypass vulnerabilities could allow an attacker to bypass policies that should be enforced by CPU-based ACLs.

Link: http://www.cisco.com/…/products_security_advisory09186a0080b466e9.shtml