[Full-disclosure] Cisco Security Advisory: Vulnerabilities in Cisco IOS Secure Shell Server

From: Cisco Systems Product Security Incident Response Team (psirt_at_cisco.com)
Date: 04/06/05

    To: full-disclosure@lists.grok.org.uk
    Date: Wed, 06 Apr 2005 13:35:54 -0400
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Cisco Security Advisory:
    =======================
    Vulnerabilities in Cisco IOS Secure Shell Server
    ================================================

    Revision 1.0

    For Public Release 2005 April 06 1600 UTC (GMT)

    -------------------------------------------------------------------------

    Contents
    ========

        Summary
        Affected Products
        Details
        Impact
        Software Versions and Fixes
        Obtaining Fixed Software
        Workarounds
        Exploitation and Public Announcements
        Status of This Notice: FINAL
        Distribution
        Revision History
        Cisco Security Procedures

    -------------------------------------------------------------------------

    Summary
    =======

    Certain release trains of Cisco Internetwork Operating System (IOS),
    when configured to use the IOS Secure Shell (SSH) server in combination
    with Terminal Access Controller Access Control System Plus (TACACS+) as
    a means to perform remote management tasks on IOS devices, may contain
    two vulnerabilities that can potentially cause IOS devices to exhaust
    resources and reload. Repeated exploitation of these vulnerabilities
    can result in a Denial of Service (DoS) condition. Use of SSH with
    Remote Authentication Dial In User Service (RADIUS) is not affected by
    these vulnerabilities.

    Cisco has made free software available to address these vulnerabilities
    for all affected customers. There are workarounds available to mitigate
    the effects of the vulnerabilities (see the Workarounds section).

    This advisory will be posted at
    http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml.

    Affected Products
    =================

    Vulnerable Products
    +------------------

    These issues affect any Cisco device running an unfixed version of
    Cisco IOS that supports, and is configured to use, the SSH server
    functionality.

    To determine the software running on a Cisco product, log in to the
    device and issue the show version command to display the system banner.
    Cisco IOS Software will identify itself as "Internetwork Operating
    System Software" or simply "IOS." The image name will be displayed
    between parentheses shortly after this identification (possibly in the
    next line), followed by "Version" and the IOS release name. Other Cisco
    devices will not have the show version command or will give different
    output.

    The following example identifies a Cisco device running IOS release
    12.2(15)T14 (release train label "12.2T") with an installed image name
    of C806-K9OSY6-M:

        Router1>show version
        Cisco Internetwork Operating System Software
        IOS (tm) C806 Software (C806-K9OSY6-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4)
        [...]

    The next example shows a device running IOS release 12.3(10) (release
    train label "12.3 mainline") with an image name of C2600-IK9O3S3-M:

        Router2>show version
        Cisco Internetwork Operating System Software
        IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(10), RELEASE SOFTWARE (fc3)
        [...]

    Additional information about Cisco IOS release naming can be found at
    http://www.cisco.com/warp/public/620/1.html.

    The SSH protocol was introduced in the following IOS release trains:

      * IOS 12.0S (SSH version 1)
      * IOS 12.1T (SSH version 1)
      * IOS 12.2 (SSH version 1)
      * IOS 12.2T (SSH version 1)
      * IOS 12.3T (SSH version 2)

    To determine if the IOS image that your IOS device is running supports
    the server side of the SSH protocol, whether it is enabled (if
    supported), and the SSH protocol version being used (if SSH is
    supported and enabled), use the show ip ssh command in global mode:

        Router>show ip ssh
        SSH Enabled - version 1.5
        Authentication timeout: 120 secs; Authentication retries: 3

    The previous output shows that SSH is enabled on this device and that
    the SSH protocol major version that is being supported is 1. Possible
    values for the SSH protocol version reported by IOS are:

      * 1.5: only SSH protocol version 1 is enabled.
      * 1.99: SSH protocol version 2 with SSH protocol version 1
        compatibility enabled.
      * 2.0: only SSH protocol version 2 is enabled.

    For more information about SSH versions in IOS, please check the
    following URL:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_7/gt_ssh2.htm.

    Note: SSH protocol versions 1 and 2 cannot interoperate, but an SSH
    server usually knows how to handle connections from clients using
    either version of the protocol; in most cases, however, the server has
    to be explicitly configured to do this. The latest revision of protocol
    version 1 is "1.5", which is documented in a now expired Internet
    Engineering Task Force (IETF) draft.

    The show ip ssh command was introduced in IOS release 12.1(1)T. If this
    command is not available then the IOS image in use does not have SSH
    server support and therefore it is not vulnerable to the issues
    discussed in this advisory.

    As you will see in the Details section, the behavior of the
    vulnerabilities described in this document can depend on the version of
    the SSH protocol that the IOS device is using. Therefore, it is
    important to use the show ip ssh command as shown above to obtain this
    information.

    When the show ip ssh command is executed on an image that does not
    support SSH the following output will be generated:

        Router>show ip ssh
                        ^
        % Invalid input detected at '^' marker.

        Router>

    Finally, even if the release and image running on an IOS device support
    SSH, the SSH server may not be enabled. The following example shows the
    output from the show ip ssh command on a device that supports SSH but
    that does not have the SSH server enabled (note the "SSH Disabled"
    message):

        Router>sh ip ssh
        SSH Disabled - version 1.5
        %Please create RSA keys to enable SSH.
        Authentication timeout: 120 secs; Authentication retries: 3
        Router>
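    An added example, not part of the Cisco advisory, that turns the three show ip ssh outputs shown above into a triage result: it applies the advisory's mapping of the reported version string to protocol versions, and its statement in the Details section that bug CSCed65778 requires SSH version 2 while CSCed65285 affects both protocol versions. It assumes the device runs an unfixed release and authenticates against TACACS+; the sample outputs are constructed from the advisory's examples.

```python
"""Classify the IOS SSH server state from `show ip ssh` output.

Added example, not Cisco's code. Handles the three cases the advisory
shows: SSH enabled, SSH disabled (no RSA keys), and the command being
rejected because the image carries no SSH server code at all.
"""
import re

# Version string reported by IOS -> SSH protocol major versions enabled
# (1.5 = v1 only, 1.99 = v2 with v1 compatibility, 2.0 = v2 only).
VERSION_MAP = {
    "1.5": {1},
    "1.99": {1, 2},
    "2.0": {2},
}

_STATE_RE = re.compile(r"^SSH (Enabled|Disabled) - version (\d+\.\d+)", re.M)


def classify_ssh(show_ip_ssh_output: str) -> dict:
    """Return {'supported': bool, 'enabled': bool, 'protocols': set}.

    'supported' is False when IOS rejects the command (no SSH code in the
    image); 'enabled' is False when SSH is supported but not enabled;
    'protocols' is empty unless the SSH server is enabled.
    """
    if "% Invalid input detected" in show_ip_ssh_output:
        return {"supported": False, "enabled": False, "protocols": set()}
    m = _STATE_RE.search(show_ip_ssh_output)
    if m is None:
        raise ValueError("unrecognised show ip ssh output")
    enabled = m.group(1) == "Enabled"
    version = m.group(2)
    if version not in VERSION_MAP:
        raise ValueError(f"unknown SSH version string {version!r}")
    return {
        "supported": True,
        "enabled": enabled,
        "protocols": set(VERSION_MAP[version]) if enabled else set(),
    }


def applicable_bugs(show_ip_ssh_output: str) -> list:
    """Bug IDs from the advisory that can apply, given the protocol
    versions the server speaks. Assumes an unfixed release using TACACS+
    authentication: CSCed65778 needs SSH v2, CSCed65285 affects v1 and v2.
    """
    protocols = classify_ssh(show_ip_ssh_output)["protocols"]
    bugs = []
    if 2 in protocols:
        bugs.append("CSCed65778")
    if protocols:
        bugs.append("CSCed65285")
    return bugs


# Constructed samples mirroring the advisory's three example outputs.
SAMPLE_ENABLED = """Router>show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
"""
SAMPLE_DISABLED = """Router>sh ip ssh
SSH Disabled - version 1.5
%Please create RSA keys to enable SSH.
Authentication timeout: 120 secs; Authentication retries: 3
Router>
"""
SAMPLE_UNSUPPORTED = """Router>show ip ssh
                ^
% Invalid input detected at '^' marker.

Router>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_ENABLED, SAMPLE_DISABLED, SAMPLE_UNSUPPORTED):
        print(classify_ssh(sample), applicable_bugs(sample))
```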

    Products Confirmed Not Vulnerable
    +--------------------------------

    Devices not running IOS, running an IOS train without the SSH server
    functionality, or running an IOS version supporting SSH but without the
    SSH server enabled are not affected.

    See the Affected Products section for a detailed list of IOS release
    trains that implement the SSH functionality. In particular, the
    following IOS release trains do not contain any SSH code:

      * All IOS versions prior to 12.0.
      * IOS 12.0 (mainline - the "S" train is affected.)
      * IOS 12.1 (mainline - the "T" train is affected.)
      * IOS 12.3 (mainline - the "T" train is affected.)

    Cisco IOS XR is not affected.

    No other Cisco products are currently known to be affected by these
    vulnerabilities.

    Details
    =======

    Secure Shell (SSH) is a protocol that provides a secure, remote
    connection to a network device. There are currently two versions of the
    SSH protocol, SSH Version 1 and SSH Version 2, both of which are
    supported by Cisco IOS. The SSH server component of IOS identifies
    itself as version "1.5" if running only version 1 of the protocol, as
    version "2.0" if running only version 2 of the protocol, and as version
    "1.99" if running protocol version 2 with fall-back to protocol version
    1.

    The SSH server feature of IOS enables an SSH client to make a secure,
    encrypted connection to a Cisco IOS device. This connection provides
    functionality that is similar to a telnet connection with the
    difference that all traffic between the server and the client,
    including authentication information, travels encrypted through the
    wires.

    TACACS provides a way to centrally validate users attempting to gain
    access to servers, workstations, routers, switches, access servers, and
    other network devices.

    The two vulnerabilities described in this document can cause denial of
    service (DoS) conditions that affect IOS devices configured to use the
    IOS SSH server feature for remote management.

    The first vulnerability may cause a device to reload when the IOS
    device is configured to act as an SSH version 2 server and any of the
    following events occurs:

      * The device is configured to authenticate users against a TACACS+
        server (via a command like aaa authentication login <group name>
        group tacacs+ local) and the account username includes a domain
        name. Please note that the device is not affected if users are
        being authenticated against a RADIUS server or the local user
        database.
      * A new SSH session is in the authentication phase (the server is
        waiting for a username or password) and another, already logged-in
        user uses the send command.
      * Logging of messages is being directed to an SSH session that is
        already established (through the terminal monitor command) and the
        SSH session to the IOS device terminates while the SSH server is
        still sending data to the client.

    This vulnerability is documented in the Cisco bug ID CSCed65778 -- Crash
    in SSHv2 due to TACACS+ username containing domain name.

    Note: this vulnerability affects SSH protocol version 2. SSH protocol
    version 1 is not affected.

    The second vulnerability consists of a memory leak that happens when an
    IOS device is configured to authenticate SSH users against a TACACS+
    server and the login fails due to an invalid username or password. This
    affects both SSH version 1 and version 2 connections. In the case of
    SSH version 2 connections, the memory leak occurs even after a
    successful login. Please note that the device is not affected if users
    are being authenticated against a RADIUS server or the local user
    database.

    The memory leak can be detected by running the command show tcp brief,
    as in the following example:

        Router#sh tcp brief
        TCB       Local Address           Foreign Address         (state)
        637202B8  10.0.0.19.13294         172.16.112.29.49        ESTAB
        6371C978  10.0.0.19.13233         172.16.112.29.49        ESTAB
        636CB228  10.0.0.19.13041         172.16.112.29.49        CLOSEWAIT
        636B6900  10.0.0.19.12912         172.16.112.29.49        CLOSEWAIT
        63697548  10.0.0.19.12848         172.16.112.29.49        CLOSEWAIT
        63687930  10.0.0.19.12784         172.16.112.29.49        CLOSEWAIT
        635F4A80  10.0.0.19.12659         172.16.112.29.49        CLOSEWAIT

    In the output above, those Transmission Control Blocks (TCBs) in the
    state CLOSEWAIT will not go away and represent memory leaks. Please
    note that only TCP connections with a foreign TCP port of 49 (the
    well-known port for TACACS) are relevant.

    This vulnerability is documented in the Cisco bug ID CSCed65285 -- SSH
    leaks memory and buffers.
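    An added example, not part of the Cisco advisory, that applies the detection rule above to show tcp brief output: it keeps only rows whose foreign port is 49 (TACACS+) and whose state is CLOSEWAIT, counts them per TACACS+ server, and compares two captures so that a CLOSEWAIT entry still being torn down normally is not mistaken for a leaked TCB. The captures are constructed from the advisory's sample output.

```python
"""Spot the TCB leak documented as CSCed65285 in `show tcp brief` output.

Added example, not Cisco's code. Leaked TCBs never leave CLOSEWAIT, so
the set of leaked TCB handles only ever grows between two captures taken
some minutes apart; a CLOSEWAIT entry that later disappears was a normal
connection still being closed.
"""
import re
from collections import Counter

TACACS_PORT = 49  # well-known TACACS+ port; only these rows are relevant

# One data row: TCB handle, local addr.port, foreign addr.port, state.
# The greedy \S+ backtracks to the last dot, splitting address from port.
_ROW_RE = re.compile(
    r"^\s*([0-9A-Fa-f]{8})\s+(\S+)\.(\d+)\s+(\S+)\.(\d+)\s+(\S+)\s*$", re.M
)


def parse_tcp_brief(output: str) -> list:
    """Return one dict per TCB row; the prompt and header lines are skipped."""
    rows = []
    for m in _ROW_RE.finditer(output):
        rows.append({
            "tcb": m.group(1).upper(),
            "local": m.group(2), "lport": int(m.group(3)),
            "foreign": m.group(4), "fport": int(m.group(5)),
            "state": m.group(6),
        })
    return rows


def _stuck_handles(output: str) -> set:
    """TCB handles in CLOSEWAIT whose foreign port is the TACACS+ port."""
    return {r["tcb"] for r in parse_tcp_brief(output)
            if r["fport"] == TACACS_PORT and r["state"] == "CLOSEWAIT"}


def leaked_tacacs_tcbs(output: str) -> Counter:
    """Count CLOSEWAIT TCBs to port 49, keyed by TACACS+ server address."""
    return Counter(
        r["foreign"] for r in parse_tcp_brief(output)
        if r["fport"] == TACACS_PORT and r["state"] == "CLOSEWAIT"
    )


def leak_growing(before: str, after: str) -> bool:
    """True if every stuck TCB from the first capture is still present in
    the second and new ones have appeared: the signature of the leak."""
    old, new = _stuck_handles(before), _stuck_handles(after)
    return old <= new and len(new) > len(old)


# Constructed capture based on the advisory's example output.
CAPTURE_1 = """Router#sh tcp brief
TCB       Local Address           Foreign Address         (state)
637202B8  10.0.0.19.13294         172.16.112.29.49        ESTAB
6371C978  10.0.0.19.13233         172.16.112.29.49        ESTAB
636CB228  10.0.0.19.13041         172.16.112.29.49        CLOSEWAIT
636B6900  10.0.0.19.12912         172.16.112.29.49        CLOSEWAIT
63697548  10.0.0.19.12848         172.16.112.29.49        CLOSEWAIT
"""
# Constructed later capture: the earlier CLOSEWAIT entries persist, two more
# appear, and an unrelated CLOSEWAIT on port 22 must not be counted.
CAPTURE_2 = CAPTURE_1 + """63687930  10.0.0.19.12784         172.16.112.29.49        CLOSEWAIT
635F4A80  10.0.0.19.12659         172.16.112.29.49        CLOSEWAIT
63580000  10.0.0.19.22            192.168.1.7.41022       CLOSEWAIT
"""

if __name__ == "__main__":
    print(leaked_tacacs_tcbs(CAPTURE_1))       # Counter({'172.16.112.29': 3})
    print(leaked_tacacs_tcbs(CAPTURE_2))       # Counter({'172.16.112.29': 5})
    print(leak_growing(CAPTURE_1, CAPTURE_2))  # True
```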

    Impact
    ======

    Successful exploitation of the vulnerability described in Cisco bug ID
    CSCed65778 may result in a reload of the device. Repeated exploitation
    could result in a sustained denial of service condition.

    Successful exploitation of the vulnerability described in Cisco bug ID
    CSCed65285 may result in resource depletion. Repeated exploitation could
    cause a reload of the device, which in turn could result in a sustained
    denial of service condition.

    Software Versions and Fixes
    ===========================

    Each row of the Cisco IOS software table (below) describes a release
    train and the platforms or products for which it is intended. If a
    given release train is vulnerable, then the earliest possible releases
    that contain the fix (the "First Fixed Release") and the anticipated
    date of availability for each are listed in the "Rebuild" and
    "Maintenance" columns. A device running a release in the given train
    that is earlier than the release in a specific column (less than the
    First Fixed Release) is known to be vulnerable. The release should be
    upgraded at least to the indicated release or a later version (greater
    than or equal to the First Fixed Release label).

    For further information on the terms "Rebuild" and "Maintenance" please
    consult the following URL:

    http://www.cisco.com/warp/public/620/1.html

    When considering software upgrades, please also consult
    http://www.cisco.com/en/US/products/products_security_advisories_listing.html
    and any subsequent advisories to determine exposure and a complete
    upgrade solution.

    In all cases, customers should exercise caution to be certain the
    devices to be upgraded contain sufficient memory and that current
    hardware and software configurations will continue to be supported
    properly by the new release. If the information is not clear, contact
    the Cisco Technical Assistance Center ("TAC") for assistance.

    +-------------------------------------------------------------+
    | Major Release        | Availability of Repaired Releases    |
    |----------------------+--------------------------------------|
    | Affected 12.0-Based  | Rebuild                | Maintenance |
    | Release              |                        |             |
    |----------------------+------------------------+-------------|
    |                      | 12.0(26)S5             |             |
    |                      |------------------------+-------------|
    |                      | 12.0(27)S4             |             |
    | 12.0S                |------------------------+-------------|
    |                      | 12.0(28)S2             |             |
    |                      |------------------------+-------------|
    |                      |                        | 12.0(30)S   |
    |----------------------+------------------------+-------------|
    | 12.0SX               |                        | 12.0(30)SX  |
    |----------------------+------------------------+-------------|
    | Affected 12.1-Based  | Rebuild                | Maintenance |
    | Release              |                        |             |
    |----------------------+------------------------+-------------|
    | 12.1AX               | Migrate to 12.2(25)EY  |             |
    |                      | or later               |             |
    |----------------------+------------------------+-------------|
    | 12.1AZ               | Migrate to 12.2(22)EA1 |             |
    |                      | or later               |             |
    |----------------------+--------------------------------------|
    | 12.1DB               | Migrate to 12.3(4)T11 or later       |
    |----------------------+--------------------------------------|
    | 12.1DC               | Migrate to 12.3(4)T11 or later       |
    |----------------------+--------------------------------------|
    | 12.1E                |                        | 12.1(23)E   |
    |----------------------+------------------------+-------------|
    | 12.1EA               | 12.1(22)EA1            |             |
    |----------------------+------------------------+-------------|
    | 12.1EB               |                        | 12.1(23)EB  |
    |----------------------+--------------------------------------|
    | 12.1EC               | Migrate to 12.3(9a)BC2 or later      |
    |----------------------+--------------------------------------|
    | 12.1EU               | Migrate to 12.2(20)EU or later       |
    |----------------------+--------------------------------------|
    | 12.1EW               | Migrate to 12.2(18)EW2 or later      |
    |----------------------+--------------------------------------|
    | 12.1EX               | Migrate to 12.1(23)E or later        |
    |----------------------+--------------------------------------|
    | 12.1T                | Migrate to 12.2(26) or later         |
    |----------------------+--------------------------------------|
    | 12.1XD               | Migrate to 12.2(26) or later         |
    |----------------------+--------------------------------------|
    | 12.1XE               | Migrate to 12.1(23)E or later        |
    |----------------------+--------------------------------------|
    | 12.1XF               | Migrate to 12.2(26) or later         |
    |----------------------+--------------------------------------|
    | 12.1XG               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.1XH               | Migrate to 12.2(26) or later         |
    |----------------------+--------------------------------------|
    | 12.1XI               | Migrate to 12.2(26) or later         |
    |----------------------+--------------------------------------|
    | 12.1XL               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.1XM               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.1XP               | Migrate to 12.2(26) or later         |
    |----------------------+--------------------------------------|
    | 12.1XQ               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.1XR               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.1XT               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.1XU               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.1XV               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.1YA               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.1YB               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.1YC               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.1YD               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.1YE               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.1YF               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.1YH               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.1YI               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | Affected 12.2-Based  | Rebuild                | Maintenance |
    | Release              |                        |             |
    |----------------------+------------------------+-------------|
    | 12.2                 |                        | 12.2(26)    |
    |----------------------+--------------------------------------|
    | 12.2B                | Migrate to 12.3(4)T11 or later       |
    |----------------------+--------------------------------------|
    | 12.2DD               | Migrate to 12.3(4)T11 or later       |
    |----------------------+--------------------------------------|
    | 12.2DX               | Migrate to 12.3(4)T11 or later       |
    |----------------------+--------------------------------------|
    | 12.2EU               |                        | 12.2(20)EU  |
    |----------------------+------------------------+-------------|
    |                      | 12.2(18)EW2            |             |
    | 12.2EW               |------------------------+-------------|
    |                      |                        | 12.2(25)EW  |
    |----------------------+------------------------+-------------|
    | 12.2EWA              |                        | 12.2(20)EWA |
    |----------------------+--------------------------------------|
    | 12.2EX               | Migrate to 12.2(25)SEA or later      |
    |----------------------+--------------------------------------|
    |                      | 12.2(14)S13            |             |
    |                      |------------------------+-------------|
    |                      | 12.2(18)S7             |             |
    |                      |------------------------+-------------|
    | 12.2S                | 12.2(20)S7             |             |
    |                      |--------------------------------------|
    |                      | 12.2(22)S users Migrate to 12.2(25)S |
    |                      | or later                             |
    |                      |--------------------------------------|
    |                      |                        | 12.2(25)S   |
    |----------------------+------------------------+-------------|
    |                      | 12.2(20)SE4            |             |
    | 12.2SE               |------------------------+-------------|
    |                      |                        | 12.2(25)SE  |
    |----------------------+------------------------+-------------|
    | 12.2SEA              |                        | 12.2(25)SEA |
    |----------------------+------------------------+-------------|
    | 12.2SEB              |                        | 12.2(25)SEB |
    |----------------------+--------------------------------------|
    | 12.2SU               | Migrate to 12.3(11)T3 or later       |
    |----------------------+--------------------------------------|
    | 12.2SV               |                        | 12.2(24)SV  |
    |----------------------+--------------------------------------|
    | 12.2SX               | Migrate to 12.2(17d)SXB1 or later    |
    |----------------------+--------------------------------------|
    | 12.2SXA              | Migrate to 12.2(17d)SXB1 or later    |
    |----------------------+--------------------------------------|
    | 12.2SXB              | 12.2(17d)SXB1          |             |
    |----------------------+------------------------+-------------|
    | 12.2SXD              |                        | 12.2(18)SXD |
    |----------------------+--------------------------------------|
    | 12.2SY               | Migrate to 12.2(17d)SXB1 or later    |
    |----------------------+--------------------------------------|
    | 12.2SZ               | Migrate to 12.2(20)S7 or later       |
    |----------------------+--------------------------------------|
    |                      | 12.2(11)T and earlier -- vulnerable  |
    | 12.2T                |                                      |
    |                      | 12.2(13)T and later -- not           |
    |                      | vulnerable                           |
    |----------------------+--------------------------------------|
    | 12.2XA               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.2XC               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.2XF               | Migrate to 12.3(9a)BC2 or later      |
    |----------------------+--------------------------------------|
    | 12.2XN               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.2XS               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.2YE               | Migrate to 12.2S or later            |
    |----------------------+--------------------------------------|
    | 12.2YK               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.2YO               | Migrate to 12.2(17d)SXB1             |
    |----------------------+--------------------------------------|
    | 12.2YX               | Migrate to 12.3(11)T3 or later       |
    |----------------------+--------------------------------------|
    | 12.2YZ               | Migrate to 12.2(20)S7 or later       |
    |----------------------+--------------------------------------|
    | 12.2ZA               | Migrate to 12.2(17d)SXB1 or later    |
    |----------------------+--------------------------------------|
    | Affected 12.3-Based  | Rebuild                | Maintenance |
    | Release              |                        |             |
    |----------------------+------------------------+-------------|
    |                      | 12.3(4)T11             |             |
    |                      |------------------------+-------------|
    | 12.3T                | 12.3(7)T7              |             |
    |                      |------------------------+-------------|
    |                      |                        | 12.3(8)T    |
    |----------------------+--------------------------------------|
    | 12.3XD               | Migrate to 12.3(7)T7 or later        |
    |----------------------+--------------------------------------|
    | 12.3XE               | Migrate to 12.3(8)T or later         |
    |----------------------+--------------------------------------|
    | 12.3XF               | Migrate to 12.3(11)T or later        |
    |----------------------+--------------------------------------|
    | 12.3XG               | Migrate to 12.3(11)T or later        |
    |----------------------+--------------------------------------|
    | 12.3XH               | Migrate to 12.3(11)T or later        |
    |----------------------+------------------------+-------------|
    | 12.3XI               | 12.3(7)XI3             |             |
    |----------------------+--------------------------------------|
    | 12.3XJ               | Migrate to 12.3(8)XW                 |
    |----------------------+--------------------------------------|
    | 12.3XK               | Migrate to 12.3(14)T                 |
    |----------------------+------------------------+-------------|
    | 12.3XL               |                        | 12.3(11)XL  |
    |----------------------+------------------------+-------------|
    | 12.3XM               |                        | 12.3(7)XM   |
    |----------------------+------------------------+-------------|
    | 12.3XQ               | 12.3(4)XQ1             |             |
    |----------------------+------------------------+-------------|
    | 12.3XR               |                        | 12.3(7)XR   |
    |----------------------+------------------------+-------------|
    | 12.3XS               |                        | 12.3(7)XS   |
    |----------------------+------------------------+-------------|
    | 12.3XU               |                        | 12.3(8)XU   |
    |----------------------+------------------------+-------------|
    | 12.3XW               |                        | 12.3(8)XW   |
    |----------------------+------------------------+-------------|
    | 12.3XX               |                        | 12.3(8)XX   |
    |----------------------+------------------------+-------------|
    | 12.3XY               |                        | 12.3(8)XY   |
    |----------------------+------------------------+-------------|
    | 12.3YA               |                        | 12.3(8)YA   |
    |----------------------+------------------------+-------------|
    | 12.3YD               |                        | 12.3(8)YD   |
    |----------------------+------------------------+-------------|
    | 12.3YF               |                        | 12.3(11)YF  |
    |----------------------+------------------------+-------------|
    | 12.3YG               |                        | 12.3(8)YG   |
    |----------------------+------------------------+-------------|
    | 12.3YH               |                        | 12.3(8)YH   |
    |----------------------+------------------------+-------------|
    | 12.3YJ               |                        | 12.3(11)YJ  |
    |----------------------+------------------------+-------------|
    | 12.3YK               |                        | 12.3(11)YK  |
    +-------------------------------------------------------------+

    Obtaining Fixed Software
    ========================

    Customers with Service Contracts
    +-------------------------------

    Customers with contracts should obtain upgraded software through their
    regular update channels. For most customers, this means that upgrades
    should be obtained through the Software Center on Cisco's worldwide
    website at http://www.cisco.com.

    Customers using Third-party Support Organizations
    +------------------------------------------------

    Customers whose Cisco products are provided or maintained through prior
    or existing agreement with third-party support organizations such as
    Cisco Partners, authorized resellers, or service providers should
    contact that support organization for assistance with the upgrade,
    which should be free of charge.

    Customers without Service Contracts
    +----------------------------------

    Customers who purchase direct from Cisco but who do not hold a Cisco
    service contract and customers who purchase through third-party vendors
    but are unsuccessful at obtaining fixed software through their point of
    sale should get their upgrades by contacting the Cisco Technical
    Assistance Center (TAC). TAC contacts are as follows.

      * +1 800 553 2447 (toll free from within North America)
      * +1 408 526 7209 (toll call from anywhere in the world)
      * e-mail: tac@cisco.com

    Please have your product serial number available and give the URL of
    this notice as evidence of your entitlement to a free upgrade. Free
    upgrades for non-contract customers must be requested through the TAC.

    Please do not contact either "psirt@cisco.com" or
    "security-alert@cisco.com" for software upgrades.

    See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
    additional TAC contact information, including special localized
    telephone numbers and instructions and e-mail addresses for use in
    various languages.

    Customers may only install and expect support for the feature sets they
    have purchased. By installing, downloading, accessing or otherwise
    using such software upgrades, customers agree to be bound by the terms
    of Cisco's software license terms found at
    http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set
    forth at Cisco.com Downloads at
    http://www.cisco.com/public/sw-center/sw-usingswc.shtml

    Workarounds
    ===========

    The effectiveness of any workaround is dependent on specific customer
    situations such as product mix, network topology, traffic behavior, and
    organizational mission. Due to the variety of affected products and
    releases, customers should consult with their service provider or
    support organization to ensure any applied workaround is the most
    appropriate for use in the intended network before it is deployed.

    Mitigation Strategies
    +--------------------

    Not all of the mitigation strategies listed will work for all
    customers. Some of the workarounds listed are dependent on which
    versions and feature-sets of IOS you have in your network.

    Configuring a VTY Access Class
    +-----------------------------

    It is possible to limit the exposure of the Cisco device by applying a
    VTY access class to permit only known, trusted hosts to connect to the
    device via SSH.

    For more information on restricting traffic to VTYs, please consult:

    http://cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html#wp1017389.

    The following example permits access to VTYs from the 192.168.1.0/24
    netblock and the single IP address 172.16.1.2 while denying access from
    anywhere else:

        Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
        Router(config)# access-list 1 permit host 172.16.1.2
        Router(config)# line vty 0 4
        Router(config-line)# access-class 1 in

    Different Cisco platforms support different numbers of terminal lines.
    Check your device's configuration to determine the correct number of
    terminal lines for your platform.

    Configuring Access Lists (ACLs)
    +------------------------------

    In addition to configuring a VTY Access Class, it may be desirable to
    block all SSH traffic destined to your network infrastructure.

    Telnet and reverse telnet should be blocked as part of a Transit ACL
    controlling all access to the trusted network. Transit ACLs are
    considered a network security best practice and should be considered as
    a long-term addition to good network security, as well as a workaround
    for this specific vulnerability. The white paper entitled "Transit
    Access Control Lists: Filtering at Your Edge" presents guidelines and
    recommended deployment techniques for transit ACLs:

    http://www.cisco.com/warp/public/707/tacl.html

    Configuring Infrastructure Access Lists (iACLs)
    +----------------------------------------------

    Although it is often difficult to block traffic transiting your
    network, it is possible to identify traffic which should never be
    allowed to target your infrastructure devices and block that traffic at
    the border of your network. Infrastructure ACLs are considered a
    network security best practice and should be considered as a long-term
    addition to good network security as well as a workaround for this
    specific vulnerability. The white paper entitled "Protecting Your Core:
    Infrastructure Protection Access Control Lists" presents guidelines and
    recommended deployment techniques for infrastructure protection ACLs:

    http://www.cisco.com/warp/public/707/iacl.html

    Configuring Receive Access Lists (rACLs)
    +---------------------------------------

    For distributed platforms, rACLs may be an option starting in Cisco IOS
    Software Versions 12.0(21)S2 for the 12000 series GSR and 12.0(24)S for
    the 7500 series. The receive access lists protect the device from
    harmful traffic before the traffic can impact the route processor.
    Receive path ACLs are considered a network security best practice, and
    should be considered as a long-term addition to good network security,
    as well as a workaround for this specific vulnerability. The CPU load
    is distributed to the line card processors and helps mitigate load on
    the main route processor. The white paper entitled "GSR: Receive Access
    Control Lists" will help identify and allow legitimate traffic to your
    device and deny all unwanted packets:

    http://www.cisco.com/warp/public/707/racl.html

    Control Plane Policing
    +---------------------

    The Control Plane Policing (CoPP) feature may be used to mitigate this
    vulnerability, as in the following example:

        ! Do not police SSH traffic from trusted hosts
        access-list 140 deny tcp host <trusted host 1's IP address> any eq 22
        access-list 140 deny tcp host <trusted host 2's IP address> any eq 22
        [...]
        access-list 140 deny tcp host <trusted host N's IP address> any eq 22
        ! Trust an entire network if desired
        access-list 140 deny tcp <trusted network address> <trusted network mask> any eq 22
        ! Police SSH traffic from untrusted hosts
        access-list 140 permit tcp any any eq 22
        ! Do not police any other type of traffic going to the router
        access-list 140 deny ip any any
        !
        class-map match-all ssh-class
          match access-group 140
        !
        policy-map control-plane-policy
          ! Drop all traffic that matches the class "ssh-class"
          class ssh-class
             drop
        !
        control-plane
          service-policy input control-plane-policy

    Note: CoPP is available only in IOS release trains 12.0S, 12.2S and
    12.3T. Additional information on the configuration and use of the CoPP
    feature can be found at the following URL:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a00801afad4.html
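    As an added example (not part of Cisco's advisory), the following Python
    builds the ACL 140 shown above from a list of trusted sources and then
    evaluates it with IOS first-match semantics, which makes the inversion in
    the CoPP class ACL explicit: a "deny" entry exempts a source from policing,
    while "permit" places it in ssh-class, where the policy drops it. The
    addresses are constructed from documentation ranges.

```python
import ipaddress
import re

ACL = 140  # the extended ACL number used in the advisory's CoPP example

def acl_source(cidr: str) -> str:
    """Render an IPv4 CIDR as IOS writes ACL sources: 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"  # hostmask is the IOS wildcard mask

def build_ssh_acl(trusted: list[str]) -> list[str]:
    """ACL 140 as in the advisory: deny = exempt from policing, permit = policed."""
    lines = [f"access-list {ACL} deny tcp {acl_source(t)} any eq 22" for t in trusted]
    lines.append(f"access-list {ACL} permit tcp any any eq 22")
    lines.append(f"access-list {ACL} deny ip any any")
    return lines

_ENTRY = re.compile(
    r"access-list \d+ (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?:host (?P<host>\S+)|(?P<net>\S+) (?P<wc>\S+)|(?P<any>any)) any"
    r"(?: eq (?P<port>\d+))?$"
)

def _source_matches(m: re.Match, src: ipaddress.IPv4Address) -> bool:
    if m.group("any"):
        return True
    if m.group("host"):
        return src == ipaddress.IPv4Address(m.group("host"))
    net = int(ipaddress.IPv4Address(m.group("net")))
    care = ~int(ipaddress.IPv4Address(m.group("wc"))) & 0xFFFFFFFF  # wildcard 0-bits must match
    return (int(src) & care) == (net & care)

def copp_drops(acl: list[str], src: str, proto: str = "tcp", dport: int = 22) -> bool:
    """First-match evaluation: the policy drops a packet only when the ACL *permits* it
    (it then falls into ssh-class); a deny match or the implicit deny means not policed."""
    s = ipaddress.IPv4Address(src)
    for line in acl:
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError(f"unparsed ACL line: {line}")
        if m.group("proto") not in (proto, "ip"):
            continue
        if m.group("port") and int(m.group("port")) != dport:
            continue
        if _source_matches(m, s):
            return m.group("action") == "permit"
    return False
```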

    Exploitation and Public Announcements
    =====================================

    The Cisco PSIRT is not aware of any public announcements or malicious
    use of the vulnerability described in this advisory.

    This vulnerability was discovered by Cisco during internal testing.

    Status of This Notice: FINAL
    ============================

    THIS ADVISORY IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
    KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF
    MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE ADVISORY OR
    MATERIALS LINKED FROM THE ADVISORY IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS NOTICE AT ANY TIME.

    A stand-alone copy or paraphrase of the text of this security advisory
    that omits the distribution URL in the following section is an
    uncontrolled copy, and may lack important information or contain
    factual errors.

    Distribution
    ============

    This advisory will be posted on Cisco's worldwide website at
    http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml.

    In addition to worldwide web posting, a text version of this notice is
    clear-signed with the Cisco PSIRT PGP key and is posted to the
    following e-mail and Usenet news recipients.

      * cust-security-announce@cisco.com
      * first-teams@first.org (includes CERT/CC)
      * bugtraq@securityfocus.com
      * cisco@spot.colorado.edu
      * cisco-nsp@puck.nether.net
      * full-disclosure@lists.grok.org.uk
      * comp.dcom.sys.cisco@newsgate.cisco.com

    Future updates of this advisory, if any, will be placed on Cisco's
    worldwide website, but may or may not be actively announced on mailing
    lists or newsgroups. Users concerned about this problem are encouraged
    to check the above URL for any updates.

    Revision History
    ================

    +-------------------------------------------------------------+
    | Revision 1.0 | 2005-April-06 | Initial Public Release |
    +-------------------------------------------------------------+

    Cisco Security Procedures
    =========================

    Complete information on reporting security vulnerabilities in Cisco
    products, obtaining assistance with security incidents, and registering
    to receive security information from Cisco, is available on Cisco's
    worldwide website at
    http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
    This includes instructions for press inquiries regarding Cisco security
    notices. All Cisco security advisories are available at
    http://www.cisco.com/go/psirt.