[NEWS] Cisco IOS ARP Table Overwrite Vulnerability

From: support@securiteam.com
Date: 11/20/01 

From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Cisco IOS ARP Table Overwrite Vulnerability
Message-Id: <20011120154127.2E92A138BF@mail.der-keiler.de>
Date: Tue, 20 Nov 2001 16:41:27 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Cisco IOS ARP Table Overwrite Vulnerability
------------------------------------------------------------------------

SUMMARY

It is possible to send an Address Resolution Protocol (ARP) packet on a
local broadcast interface (for example: Ethernet, cable, token-ring, FDDI)
which could cause a router or switch running specific versions of Cisco
IOS Software Release or CatOS to stop sending and receiving ARP packets on
the local router interface. This in a short time will cause the router and
local hosts to be unable to send packets to each other. ARP packets
received by the router for the router's own interface address but a
different Media Access Control (MAC) address will overwrite the router's
MAC address in the ARP table with the one from the received ARP packet.
This was demonstrated to attendees of the Black Hat conference and should
be considered to be public knowledge. This attack is only successful
against devices on the segment local to the attacker or attacking host.

This vulnerability is documented in Cisco Bug ID CSCdu81936, and a
workaround is available.

DETAILS

Affected Products:
The following products are affected if they run a software release that
has the defect.
To determine if a Cisco product is running an affected IOS, log in to the
device and issue the command show version. Cisco IOS software will
identify itself as "Internetwork Operating System Software" or "IOS (tm)"
software and will display a version number. Other Cisco devices either
will not have the command show version, or will give different output.
Compare the version number obtained from the router with the versions
presented in the Software Versions and Fixes section below.

Cisco devices that may be running with affected IOS software releases
include:
 * Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000,
1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700,
AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and 12000 series.

 * Most recent versions of the LS1010 ATM switch.
 * The Catalyst 6000.
 * The Catalyst 2900XL LAN switch.
 * The Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches are
affected.
 * The Cisco DistributedDirector.

If you are not running Cisco IOS software, you are not affected by this
vulnerability.
Cisco products that do not run Cisco IOS software and are not affected by
this defect include, but are not limited to:
 * 700 series dialup routers (750, 760, and 770 series) are not affected.
 * WAN switching products in the IGX and BPX lines are not affected.
 * The MGX (formerly known as the AXIS shelf) is not affected.
 * No host-based software is affected.
 * The Cisco PIX Firewall is not affected.
 * The Cisco LocalDirector is not affected.
 * The Cisco Cache Engine is not affected.

Details:
ARP packets, both request and reply, received by the router for the
router's own interface address or global Network Address Translation (NAT)
entries, but a different MAC address will overwrite the router's MAC
address in the router's ARP table with the one in the ARP request or
reply. Cisco IOS router devices will defend the MAC address of an
interface for several attempts, but in an attempt to prevent an ARP storm,
the device will accept the incorrect information into the ARP table, which
causes the interface to stop accepting new ARP entries, and entries will
not be accepted or updated in the ARP table. This behavior has been
repaired to properly defend the interface MAC address, with rate limiting
the response to avoid an ARP storm on the local network. This attack can
only be carried out from the local network. This defect is documented in
Cisco Bug ID CSCdu81936 and is repaired in future versions of Cisco IOS
code. This defect is duplicated by the follow!

Impact:
This issue can cause a Cisco Router to be vulnerable to a
Denial-of-Service attack, once the ARP table entries time out. This defect
does not result in a failure of confidentiality of information stored on
the unit, nor does this defect allow hostile code to be loaded onto a
Cisco device. This defect may cause a Denial-of-Service on the management
functions of a Cisco Switch, but does not affect traffic through the
device.

Software versions and fixes:
For a complete table of software fixes, please refer to:
 
<http://www.cisco.com/warp/public/707/IOS-arp-overwrite-vuln-pub.shtml#software> http://www.cisco.com/warp/public/707/IOS-arp-overwrite-vuln-pub.shtml#software

Obtaining fixed software:
Cisco is offering free software upgrades to remedy this vulnerability for
all affected customers. Customers with service contracts may upgrade to
any software version. Customers without contracts may upgrade only within
a single row of the table above, except that any available fixed software
will be provided to any customer who can use it and for whom the standard
fixed software is not yet available. As always, customers may install only
the feature sets they have purchased.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's Worldwide Web
site at http://www.cisco.com. Customers whose Cisco products are provided
or maintained through prior or existing agreement with third-party support
organizations such as Cisco Partners, authorized resellers, or service
providers should contact that support organization for assistance with the
upgrade, which should be free of charge.

Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
 * +1 800 553 2447 (toll-free from within North America)
 * +1 408 526 7209 (toll call from anywhere in the world)
 * e-mail: tac@cisco.com
Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested
through the TAC. Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

Workarounds:
The workaround for this vulnerability is to enter the router interface MAC
address into the ARP table with a configuration entry, sometimes known as
"hard coding" the ARP table entry.
The syntax for this command for routers and switches running IOS is as
follows:

arp <ip-address> <hardware-address> <type>

The syntax for this command for switches running CatOS is as follows:

set arp [dynamic|permanent|static] <ip_address> <hardware_address>

The caveat to this workaround is identified with defect CSCdv04366, which
will clear all manually entered MAC addresses from the ARP table, when
they are the same as the interface MAC address, when the command "clear
arp" is issued on the router. This workaround does not survive a reboot of
the router, and must be re-written to the configuration after any reload
or reboot.

ADDITIONAL INFORMATION

The information has been provided by <mailto:MTRINGALI@PARTNERS.ORG>
Tringali, Michael J. and <mailto:psirt@cisco.com> Cisco Systems Product
Security Incident Response Team.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages