The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Cisco Security Advisory: Cisco CatOS Telnet Buffer Vulnerability


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Tue, 29 Jan 2002 07:15:57 -0800
From: "PSIRT (Product Security Incident Response Team)" <psirt-support@cisco.com.>
To: [email protected]
Subject: Cisco Security Advisory: Cisco CatOS Telnet Buffer Vulnerability
Cc: [email protected]

-----BEGIN PGP SIGNED MESSAGE-----

Cisco Security Advisory: Cisco CatOS Telnet Buffer Vulnerability

Revision 1.0 For Public Release 2002 January 29 at 1500 UTC - ------------------------------------------------------------------------------- Summary - ------- Some Cisco Catalyst switches, running certain CatOS based software releases, have a vulnerability wherein a buffer overflow in the telnet option handling can cause the telnet daemon to crash and result in a switch reload. This vulnerability can be exploited to initiate a denial of service (DoS) attack. This vulnerability is documented as Cisco bug ID CSCdw19195. There are workarounds available to mitigate the vulnerability. This advisory will be posted at http://www.cisco.com/warp/public/707/ catos-telrcv-vuln-pub.shtml . Affected Products - ----------------- Cisco's various Catalyst family of switches run CatOS-based releases or IOS-based releases. IOS-based releases are not vulnerable. The following Cisco Catalyst Switches are vulnerable : * Catalyst 6000 series * Catalyst 5000 series * Catalyst 4000 series * Catalyst 2948G * Catalyst 2900 For the switches above, the following CatOS based switch software revisions are vulnerable. +-----------------------------------------------------------------------------+ | | Release 4 | Release 5 | Release 6 | Release 7 | | | code base | code base | code base | code base | |---------------+---------------+---------------+--------------+--------------| | Catalyst 6000 | Not | earlier than | earlier than | earlier than | | series | Applicable | 5.5(13) | 6.3(4) | 7.1(2) | |---------------+---------------+---------------+--------------+--------------| | Catalyst 5000 | earlier than | earlier than | earlier than | Not | | series | 4.5(13a) | 5.5(13) | 6.3(4) | Applicable | |---------------+---------------+---------------+--------------+--------------| | Catalyst 4000 | All releases | earlier than | earlier than | earlier than | | series | | 5.5(13) | 6.3(4) | 7.1(2) | +-----------------------------------------------------------------------------+ To determine your software revision, type show version at the command line prompt. Not Affected Products - --------------------- The following Cisco Catalyst Switches are not vulnerable : * Catalyst 8500 series * Catalyst 4800 series * Catalyst 4200 series * Catalyst 3900 series * Catalyst 3550 series * Catalyst 3500 XL series * Catalyst 4840G * Catalyst 4908G-l3 * Catalyst 2948G-l3 * Catalyst 2950 * Catalyst 2900 XL * Catalyst 2900 LRE XL * Catalyst 2820 * Catalyst 1900 No other Cisco product is currently known to be affected by this vulnerability. Details - ------- Some Cisco Catalyst switches, running certain CatOS-based software releases, have a vulnerability wherein a buffer overflow in the telnet option handling can cause the telnet daemon to crash and result in a switch reload. This vulnerability can be exploited to initiate a denial of service (DoS) attack. Once the switch has reloaded, it is still vulnerable and the attack can be repeated as long as the switch is IP reachable on port 23 and has not been upgraded to a fixed version of CatOS switch software. This vulnerability is documented as Cisco bug ID CSCdw19195, which requires a CCO account to view and can be viewed after 2002 January 30 at 1500 UTC. Impact - ------ This vulnerability can be exploited to produce a denial of service (DoS) attack. When the vulnerability is exploited it can cause the Cisco Catalyst switch to crash and reload. Software Versions and Fixes - --------------------------- This vulnerability has been fixed in the following switch software revisions and the fix will be carried forward in all future releases. +-------------------------------------------------------------------------------+ | | Release 4 | Release 5 | Release 6 | Release 7 | | | code base | code base | code base | code base | |---------------+---------------+---------------+---------------+---------------| | Catalyst 6000 | Not | 5.5(13) and | 6.3(4) and | 7.1(2) and | | series | Applicable | later | later | later | |---------------+---------------+---------------+---------------+---------------| | Catalyst 5000 | 4.5(13a) | 5.5(13) and | 6.3(4) and | Not | | series | | later | later | Applicable | |---------------+---------------+---------------+---------------+---------------| | Catalyst 4000 | Not Available | 5.5(13) and | 6.3(4) and | 7.1(2) and | | series | | later | later | later | +-------------------------------------------------------------------------------+ All previous releases must upgrade to the above releases. CatOS switch software release 4.5(13a) for the Catalyst 5000 series is expected on CCO by 2002 February 4. CatOS switch software release 7.1(2) is expected on CCO by 2002 February 4. Software upgrade can be performed via the console interface. Please refer to software release notes for instructions. Obtaining Fixed Software - ------------------------ Cisco is offering free software upgrades to remedy this vulnerability for all affected customers. Customers with service contracts may upgrade to any software release containing the feature sets they have purchased. Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's Worldwide Web site at http:// www.cisco.com . Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge. Customers who purchased directly from Cisco but who do not hold a Cisco service contract, and customers who purchase through third party vendors but are unsuccessful at obtaining fixed software through their point of sale, should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows: * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: [email protected] See http://www.cisco.com/warp/public/687/Directory.shtml for additional TAC contact information, including instructions and e-mail addresses for use in various languages. Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non contract customers must be requested through the TAC. Please do not contact either "[email protected]" or "[email protected]" for software upgrades. Workarounds - ----------- The following workarounds can be implemented. * If ssh is available in the code base use ssh instead of Telnet and disable Telnet. For instructions how to do this please refer http://www.cisco.com/warp/ public/707/ssh_cat_switches.html * Apply Access Control Lists (ACLs) on routers / switches / firewalls in front of the vulnerable switches such that traffic destined for the Telnet port 23 on the vulnerable switches is only allowed from the network management subnets. For an example see http://www.cisco.com/univercd/cc/td/doc/product/lan/ cat6000/sw_5_4/msfc/acc_list.htm Exploitation and Public Announcements - ------------------------------------- This vulnerability has been exploited to initiate Denial of Service (DoS) attacks. This vulnerability was reported by TESO and is detailed at http://www.cert.org/ advisories/CA-2001-21.html Status of This Notice: Final - ---------------------------- This is a final notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice. A standalone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution - ------------ This notice will be posted on Cisco's Worldwide Web site at http:// www.cisco.com/warp/public/707/catos-telrcv-vuln-pub.shtml . In addition to Worldwide Web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients: * [email protected] * [email protected] * [email protected] * [email protected] (includes CERT/CC) * [email protected] * [email protected] * comp.dcom.sys.cisco * Various internal Cisco mailing lists Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History - ---------------- +-----------------------------------------------------------------------------+ | Revision 1.0 | 2002-Jan-29 | For Public Release 2002 January 29 at 1500 UTC | +-----------------------------------------------------------------------------+ Cisco Security Procedures - ------------------------- Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's Worldwide Web site at http://www.cisco.com/go/psirt . This includes instructions for press inquiries regarding Cisco security notices. - ------------------------------------------------------------------------------- This notice is copyright 2002 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information. - ------------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 Comment: Signed by Sharad Ahlawat, Cisco Systems PSIRT iQEVAwUBPFa4iw/VLJ+budTTAQGkywf9GkyUO77MFWJHqhGR+ZtNpk63NAzK4ath TGE/GyRJlht4YXvP4sTuKgRmsBkefXRoFttN0T8G1HytxTfFP75THbh5kk2kRFYo R4qcxM6QExs1FbJwx42MOjmD5Cyds8pdZ8ZSGdVTDe96k/0D+BNiN1oe672x1hkM 6Nrt1wnyRzKj7ZfF7NRnlN7DsR4gAPIIP0yLiP2KLJheqDnZNThANng97i9YP1Mz gve9jAwZtiKij6mv0LDG/Jkk/NUl5VijxfuoRFM4ZvAEn8hFYDLnvPJUVb+CvKpt 3AJ3/J+MBS8EAKTM98sGr5ywp7/cQfXWZsoJAYgHbGtEs3Qy6xbK+w== =1bxQ -----END PGP SIGNATURE-----

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру