[NEWS] Cisco CatOS Telnet, HTTP and SSH Vulnerability


Date: 10 Jun 2004 11:25:20 +0200
From: SecuriTeam <support@securiteam.com>
To: [email protected]
Subject: [NEWS] Cisco CatOS Telnet, HTTP and SSH Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com




  Cisco CatOS Telnet, HTTP and SSH Vulnerability
------------------------------------------------------------------------


SUMMARY

Cisco CatOS is susceptible to a TCP-ACK Denial of Service (DoS) attack on 
the Telnet, HTTP and SSH services. If exploited, the vulnerability causes 
the device running Cisco CatOS to stop functioning and reload.

This vulnerability is documented as Cisco bug IDs CSCec42751, CSCed45576, 
and CSCed48590. Techniques that mitigate the potential effects of this 
vulnerability are described in the Workarounds section of this advisory. 
Cisco is providing fixed software and recommends that customers upgrade 
to it.

DETAILS

Affected Products:

Vulnerable Products

Hardware
 * Catalyst 6000 series
 * Catalyst 5000 series
 * Catalyst 4500 series
 * Catalyst 4000 series
 * Catalyst 2948G, 2980G, 2980G-A, 4912G - use the Catalyst 4000 series code base
 * Catalyst 2901, 2902, 2926[T,F,GS,GL], 2948 - use the Catalyst 5000 series code base

Software

  CatOS Release Train    Affected Releases
  8.xGLX                 earlier than 8.3(2)GLX
  8.x                    earlier than 8.2(2)
  7.x                    earlier than 7.6(6)
  6.x                    earlier than 6.4(9)
  5.x and earlier        earlier than 5.5(20)

Products Confirmed Not Vulnerable:
The following Catalyst switches do not run Cisco CatOS.
 * Catalyst 8500 series
 * Catalyst 4800 series
 * Catalyst 4200 series
 * Catalyst 4840G
 * Catalyst 4908G-l3
 * Catalyst 4224 Access Gateway Switch
 * Catalyst 3750
 * Catalyst 3750 Metro
 * Catalyst 3560
 * Catalyst 3550
 * Catalyst 3500 XL
 * Catalyst 2948G-l3
 * Catalyst 2970
 * Catalyst 2955
 * Catalyst 2950
 * Catalyst 2950 LRE
 * Catalyst 2940
 * Catalyst 2900 XL
 * Catalyst 2900 LRE XL
 * Catalyst 2820
 * Catalyst 1900

Cisco IOS is not vulnerable to this issue.

No other Cisco products are currently known to be affected by this 
vulnerability.

To determine your software revision, type show version at the command line 
prompt of the network device.
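The release table above is easy to misread by hand, because each train has its own fix point. The following Python helper (an added example, not part of the advisory or of any Cisco tool) parses a CatOS release string of the form MAJOR.MINOR(MAINT) with an optional suffix such as GLX, maps it to the advisory's train, and compares it numerically against the fixed release for that train. The format of the "show version" output line it looks for ("Version NmpSW: ...") is an assumption, and the sample output is constructed for this example.

```python
import re
from typing import Optional, Tuple

# Fixed releases for each CatOS train, taken from the advisory's
# "Software" table.  A release is affected when it belongs to the train
# and sorts earlier than the fix.
FIXED_RELEASES = {
    "8.xGLX": "8.3(2)GLX",
    "8.x": "8.2(2)",
    "7.x": "7.6(6)",
    "6.x": "6.4(9)",
    "5.x and earlier": "5.5(20)",
}

# CatOS releases look like MAJOR.MINOR(MAINT) with an optional suffix,
# e.g. "7.6(5)" or "8.3(1)GLX".
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Za-z0-9]*)$")


def parse_release(release: str) -> Tuple[int, int, int, str]:
    """Split a CatOS release string into (major, minor, maintenance, suffix)."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised CatOS release string: {release!r}")
    major, minor, maint, suffix = m.groups()
    return int(major), int(minor), int(maint), suffix.upper()


def train_for(release: str) -> Optional[str]:
    """Map a release to the advisory's train name, or None if not listed."""
    major, _, _, suffix = parse_release(release)
    if major == 8:
        return "8.xGLX" if suffix == "GLX" else "8.x"
    if major in (7, 6):
        return f"{major}.x"
    if major <= 5:
        return "5.x and earlier"
    return None


def classify(release: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for a CatOS release."""
    train = train_for(release)
    if train is None:
        return "not listed"
    have = parse_release(release)[:3]
    need = parse_release(FIXED_RELEASES[train])[:3]
    return "affected" if have < need else "fixed"


# Assumed format of the version line in "show version" output; the sample
# below is constructed for this example, not captured from a real switch.
_SHOW_VERSION_RE = re.compile(r"Version NmpSW:\s*(\S+)")


def release_from_show_version(output: str) -> str:
    """Extract the NmpSW release string from (assumed-format) show version text."""
    m = _SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("no NmpSW version line found in show version output")
    return m.group(1)


SAMPLE_SHOW_VERSION = """\
WS-C6509 Software, Version NmpSW: 7.6(5)
Copyright (c) 1995-2004 by Cisco Systems
"""

if __name__ == "__main__":
    rel = release_from_show_version(SAMPLE_SHOW_VERSION)
    print(rel, classify(rel))
```

Releases from a train the advisory does not list (for example a later major version) are reported as "not listed" rather than "fixed", so that a newer train is not silently assumed safe.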

Details:
A TCP-ACK DoS attack is conducted by not sending the final ACK normally 
required to complete the 3-way TCP handshake and instead sending an 
invalid response that moves the connection into an invalid TCP state. 
This attack can be initiated from a remote, spoofed source.

This vulnerability is currently known to be exploitable only if you have 
the Telnet, HTTP or SSH service configured on a device that is running 
Cisco CatOS.
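From a monitoring standpoint, the pattern the advisory describes is a handshake on the switch's management ports that the switch answers with SYN-ACK but that the client never completes with a plain ACK. The following Python function (an added example, not part of the advisory) applies that heuristic to a list of packet records and reports, per client address, how many such flows were seen, separating flows where some other segment arrived after the SYN-ACK from flows where nothing arrived at all. The packet records, the switch address and the client addresses are all constructed for this example.

```python
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

# Management services named in the advisory: SSH, Telnet, HTTP.
MGMT_PORTS = {22, 23, 80}

# A packet record constructed for this example:
# (timestamp, src_ip, src_port, dst_ip, dst_port, tcp_flags)
# tcp_flags is a string of flag letters, e.g. "S", "SA", "A", "R", "F".
Packet = Tuple[float, str, int, str, int, str]

FlowKey = Tuple[str, int, str, int]  # (client_ip, client_port, switch_ip, switch_port)


def incomplete_handshakes(packets: Iterable[Packet],
                          switch_ips: Set[str],
                          timeout: float = 30.0) -> Dict[str, Dict[str, int]]:
    """Count, per client address, flows to the switch management ports in
    which the switch sent SYN-ACK but no plain ACK completed the handshake:
    either the client's next segment was something else ("invalid_response")
    or nothing arrived within `timeout` seconds of the SYN-ACK
    ("never_completed").  Flows whose SYN-ACK is more recent than `timeout`
    at the end of the capture are still in progress and are not counted."""
    pkts = sorted(packets, key=lambda p: p[0])
    state: Dict[FlowKey, str] = {}
    synack_time: Dict[FlowKey, float] = {}
    last_ts = pkts[-1][0] if pkts else 0.0

    for ts, src, sport, dst, dport, flags in pkts:
        f = set(flags.upper())
        if dst in switch_ips and dport in MGMT_PORTS:
            key: FlowKey = (src, sport, dst, dport)   # client -> switch
            if f == {"S"}:
                state[key] = "SYN_SENT"
            elif state.get(key) == "SYN_RECEIVED":
                # Only a pure ACK completes the handshake; anything else is
                # the "invalid response" case.
                state[key] = "ESTABLISHED" if f == {"A"} else "BAD"
        elif src in switch_ips and sport in MGMT_PORTS:
            key = (dst, dport, src, sport)             # switch -> client, same key
            if f == {"S", "A"} and state.get(key) == "SYN_SENT":
                state[key] = "SYN_RECEIVED"
                synack_time[key] = ts

    report: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"invalid_response": 0, "never_completed": 0})
    for key, st in state.items():
        client = key[0]
        if st == "BAD":
            report[client]["invalid_response"] += 1
        elif st == "SYN_RECEIVED" and last_ts - synack_time[key] >= timeout:
            report[client]["never_completed"] += 1
    return dict(report)


SWITCH = "10.10.1.2"  # constructed switch management address

# Constructed capture: one normal Telnet session from a management
# workstation, then three flows from a single source that never complete.
SAMPLE_PACKETS = [
    (1.0, "10.10.1.50", 40001, SWITCH, 23, "S"),
    (1.1, SWITCH, 23, "10.10.1.50", 40001, "SA"),
    (1.2, "10.10.1.50", 40001, SWITCH, 23, "A"),
    (5.0, "192.0.2.77", 5001, SWITCH, 22, "S"),
    (5.1, SWITCH, 22, "192.0.2.77", 5001, "SA"),   # nothing ever follows
    (6.0, "192.0.2.77", 5002, SWITCH, 23, "S"),
    (6.1, SWITCH, 23, "192.0.2.77", 5002, "SA"),
    (6.2, "192.0.2.77", 5002, SWITCH, 23, "R"),    # reset instead of ACK
    (7.0, "192.0.2.77", 5003, SWITCH, 80, "S"),
    (7.1, SWITCH, 80, "192.0.2.77", 5003, "SA"),
    (7.2, "192.0.2.77", 5003, SWITCH, 80, "F"),    # FIN instead of ACK
    (60.0, "10.10.1.50", 40001, SWITCH, 23, "A"),  # later data on the good session
]

if __name__ == "__main__":
    print(incomplete_handshakes(SAMPLE_PACKETS, {SWITCH}))
```

Because the advisory notes the source can be spoofed, a per-source count is only a triage aid: a high count from one address tells you the management ports are being reached from somewhere they should not be, which is exactly what the ACL and VACL workarounds below are meant to stop.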

CatOS release 5.4 was the first CatOS release that incorporated the HTTP 
feature. Software releases that contain "cv" in the image filename 
support the HTTP feature. The HTTP server is disabled by default. It is 
typically enabled to allow web-based management of the switch using 
CiscoView. To disable the HTTP server on the switch, type "set ip http 
server disable".

CatOS K9 (crypto) release 6.1 was the first CatOS release that 
incorporated the SSH feature. The SSH server is disabled by default. To 
verify whether SSH has been configured on the switch, type "show crypto 
key". If this shows you the RSA key, then SSH has been configured and 
enabled on the switch. To remove the crypto key, type "clear crypto key 
RSA"; this disables the SSH server on the switch.

To check whether the HTTP or SSH services are enabled, one can also do the 
following: for HTTP, try to connect to the default HTTP port, TCP 80, 
using Telnet ("telnet ip_address_of_device 80"). If the session connects, 
the service is enabled and accessible. Similarly, for SSH try to connect 
to the SSH port, TCP 22.

The Internetworking Terms and Cisco Systems Acronyms online guides can be 
found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/.

This vulnerability is documented in the Cisco Bug Toolkit as Bug IDs 
CSCec42751 (registered customers only), CSCed45576 (registered customers 
only), and CSCed48590 (registered customers only). 

Impact:
When exploited, the vulnerability causes the Cisco CatOS running device to 
stop functioning and reload.

Software Versions and Fixes:
A table illustrating which versions are vulnerable and their corresponding 
fixes is available at:
 
http://www.cisco.com/warp/public/707/cisco-sa-20040609-catos.shtml#software

Workarounds:
Implement the best practice of assigning all switch management interfaces 
to a dedicated VLAN, and apply appropriate access controls on routers 
switching between the switch management VLAN and the rest of the 
network. To read more about configuration and management best practices 
for Catalyst 4500/4000, 5500/5000, and 6500/6000 Series Switches running 
CatOS, refer to 
http://www.cisco.com/en/US/partner/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml.

Apply ACLs on routers / switches / firewalls in front of the vulnerable 
switches such that traffic destined for the Telnet TCP port 23, HTTP TCP 
port 80 and SSH TCP port 22 on the vulnerable switches is only allowed 
from the network management workstations. Refer to 
http://www.cisco.com/warp/public/707/iacl.html for examples on how to 
apply access control lists (ACLs) on Cisco routers.

On the Catalyst 6000 series switches, if the VLAN Access Control List 
(VACL) feature is available in the code base, you can use VACLs to allow 
Telnet, HTTP and SSH access to the switch's management interface only from 
the network management workstations; refer to 
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sft_6_1/configgd/acc_list.htm.

Please note that these workarounds will not prevent spoofed IP packets with 
the source IP address set to that of a network management station from 
reaching the switch's management interface. For more information on 
anti-spoofing, refer to 
http://www.cisco.com/warp/public/707/21.html#sec_ip and 
http://www.ietf.org/rfc/rfc2827.txt. 
The Unicast Reverse Path Forwarding (Unicast RPF) feature helps to 
mitigate problems caused by malformed or forged IP source addresses 
passing through a router; refer to 
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfrpf.htm.

IP Permit Lists will not provide any mitigation against this 
vulnerability.

The Cisco PSIRT recommends that affected users upgrade to a fixed software 
version.


ADDITIONAL INFORMATION

The information has been provided by the Cisco Systems Product Security 
Incident Response Team <psirt@cisco.com>.
The original article can be found at: 
http://www.cisco.com/warp/public/707/cisco-sa-20040609-catos.shtml




