From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 19 Jul 2007 14:36:05 +0200
Subject: [NEWS] Cisco Wide Area Application Services (WAAS) Software DoS Vulnerability
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070719122936.37A9757B1@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Cisco Wide Area Application Services (WAAS) Software DoS Vulnerability
SUMMARY
The Cisco Wide Area Application Services (WAAS) software contains a denial
of service (DoS) vulnerability that may cause some devices that run WAAS
software (WAE appliance and NM-WAE-502 module) to stop processing all
types of traffic, including data traffic and management traffic. This
condition may occur if a device running WAAS software is configured for
Edge Services, which utilizes Common Internet File System (CIFS)
optimization and receives a flood of TCP SYN packets on port 139 or 445.
Cisco has made free software available to address this vulnerability for
affected customers. Workarounds are available to mitigate the effects of
this vulnerability.
DETAILS
Affected Products:
Vulnerable Products
The vulnerability described in this document applies to both the WAE
appliance and the NM-WAE-502 network module with Edge Services configured,
which use CIFS optimization. Edge Services and CIFS optimization are
disabled by default. CIFS functionality is only available once Edge
Services are manually configured from the WAAS Central Manager. Only WAAS
software versions 4.0.7 and 4.0.9 are affected by this vulnerability.
In order to determine whether Edge Services are configured and to display
the WAAS software version information, use the WAAS Central Manager GUI.
The show version EXEC command from the CLI will also display the WAAS
software version information.
Determine whether Edge Services are configured and display the WAAS
software version information by following the steps below.
1. Log on to WAAS Central Manager.
2. Select the "Devices" tab.
3. Look under the Services column. "Edge" will denote if Edge Services are
configured.
4. Look under the Software Version column. The software version for each
device is identified.
The example below shows the output of the show version command from a WAE
appliance CLI. In this example, the WAE is running version 4.0.9.
CE-115-16#show version
Cisco Wide Area Application Services Software (WAAS)
Copyright (c) 1999-2007 by Cisco Systems, Inc.
Cisco Wide Area Application Services Software Release 4.0.9 (build b10
Apr 6 2007)
Version: fe611-4.0.9.10
Compiled 15:26:06 Apr 6 2007 by cnbuild
System was restarted on Sat Jun 16 05:03:41 2007.
The system has been up for 33 minutes, 40 seconds.
CE-115-16#
Products Confirmed Not Vulnerable
No other Cisco products or versions of WAAS software that are not
explicitly identified in this advisory are currently known to be affected
by this vulnerability.
WAE appliances and NM-WAE-502 modules that are not configured to provide
Edge Services performing CIFS optimization are not affected. The
NM-WAE-302 is not susceptible to this vulnerability as it cannot be
configured for CIFS optimization.
Details:
The Cisco Wide Area Application Services solution uses a combination of
application acceleration and WAN optimization techniques to mitigate
application and transport latency. WAAS software is utilized on the Wide
Area Application Engine appliance and the Wide Area Application Services
Network Module that are incorporated in the solution.
A DoS vulnerability exists in some versions of WAAS software that may
cause some devices that run WAAS software (WAE appliance and NM-WAE-502
module) to stop processing all types of traffic, including traffic going
through the device (data traffic) and traffic terminating on the device
(management traffic). If the WAAS device has Edge Services, which uses
CIFS optimization configured, and receives a flood of TCP SYN packets on
ports 139 or 445, this vulnerability may be triggered, resulting in a DoS
condition. Ports 139 and 445 are utilized by the CIFS functionality of the
WAAS software. This condition may result from network traffic that is sent
directly to the WAAS platform, or by automated systems such as
hostscanners, portscanners, or network worms.
This vulnerability is documented in Cisco Bug ID
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsi58809>;
CSCsi58809 ( registered customers only)
Impact:
Successful exploitation of the vulnerability described in this document
may allow a remote host to cause a device that is running an affected
version of the WAAS software with Edge Services using CIFS optimization
configured to enter into an unresponsive state. During this unresponsive
state, no services are provided, including management access to the
device. Recovery of the system from this unresponsive state can only be
accomplished by resetting or power cycling the affected device. The
following process can be used to remotely recover the NM-WAE-502.
Remote Recovery of the NM-WAE-502
Log in to the router and issue the following command from IOS CLI to
reboot the NM-WAE-502:
Router# service-module integrated-Service-Engine <slot>/<port> reset
Workarounds:
If the device that is running WAAS software does not need to provide Edge
Services, then disabling Edge Services is a viable workaround. When the
Edge Services are turned off, CIFS clients may not benefit from the
response time reduction that is associated with the operation of the CIFS
cache, preposition and other CIFS latency optimizations. However, other
Layer 4 optimizations will continue to apply according to the application
policy settings.
In order to disable Edge Services, which includes the CIFS accelerator and
CIFS auto discovery features, follow the steps below.
1. Log in to WAAS Central Manager.
2. Select the "Devices" tab.
3. Select the "Devices" category (or "Device Groups" if using multiple
devices in groups).
4. Choose target device or group.
5. Choose "File Services" located in the left column under "Contents."
6. Choose "Edge configuration" located under "File Services."
7. Uncheck "Enable Edge Server."
8. Click Submit.
Transit ACLs (tACL)
Filters that block access to TCP ports 139 and 445 packets should be
deployed at the network edge as part of a transit access list, which will
protect the router where the filter is configured as well as other devices
behind it. Filters should also be deployed in front of vulnerable network
devices so that TCP ports 139 and 445 packets are only allowed from
trusted CIFS Clients to trusted CIFS Servers.
Further information about transit ACLs is available in the white paper
"Transit Access Control Lists: Filtering at Your Edge" at the following
link:
<http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml>; http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Further information about configuring ACLs on the WAAS client is in the
"Creating and Managing IP Access Control Lists for WAAS Devices" chapter
of the WAAS Configuration Guide at the following link:
<http://www.cisco.com/en/US/products/ps6870/products_configuration_guide_chapter09186a00807bb6b9.html>; http://www.cisco.com/en/US/products/ps6870/products_configuration_guide_chapter09186a00807bb6b9.html
Additional mitigations that can be deployed on Cisco devices within the
network are discussed in the Cisco Applied Intelligence companion document
for this advisory available at the following link:
<http://www.cisco.com/warp/public/707/cisco-air-20070718-waas.shtml>;
http://www.cisco.com/warp/public/707/cisco-air-20070718-waas.shtml
ADDITIONAL INFORMATION
The information has been provided by <mailto:psirt@cisco.com.> Cisco
Systems Product Security Incident Response Team.
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20070718-waas.shtml>;
http://www.cisco.com/warp/public/707/cisco-sa-20070718-waas.shtml
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
