[NEWS] Security Vulnerability in Cisco's IOS Firewall Feature Set
From: support@securiteam.com Date: 12/03/01
From: support@securiteam.com To: list@securiteam.com Date: Mon, 3 Dec 2001 14:58:01 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Security Vulnerability in Cisco's IOS Firewall Feature Set
------------------------------------------------------------------------
SUMMARY
The IOS Firewall Feature set, also known as Cisco Secure Integrated
Software, or Context Based Access Control, was introduced in IOS version
11.2P.
A vulnerability in the IOS Firewall Feature set permits traffic that
should be denied by the dynamic access control lists.
This vulnerability is documented as Cisco Bug ID CSCdv48261. No other
Cisco product is vulnerable.
There is no workaround.
DETAILS
Affected Products:
Only configurations implementing CBAC are affected. An affected
configuration includes the lines "ip inspect" in your router's
configuration. Here is one example:
ip inspect name rule1 udp
ip inspect name rule1 tcp
!
!
interface FastEthernet0/1
 ip address 1.2.3.4 255.255.255.0
 ip inspect rule1 in
 duplex auto
 speed auto
!
The filename of the router image, available via the show version command,
includes an "o" in the section between the hyphens if the software
includes the IOS Firewall Feature set, as in the following example.
Router>show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IO3-M),
Version 12.1(5)T, RELEASE SOFTWARE (fc1)
(the rest is truncated)
In this example the image file name is c2600-io3-m. Since it has an "o" in
its name, this image can support CBAC. For additional information
regarding Cisco IOS image identifiers consult the document at
http://www.cisco.com/warp/public/620/5.shtml#identifiers. The major
affected Cisco IOS trains are:
* 11.2P
* 11.3T
* 12.0, 12.0T
* 12.1, 12.1T, 12.1E
* 12.2, 12.2T
In addition to these, several Early Deployment (also known as X releases)
are affected. The complete list is given in the Software Versions and
Fixes section of this advisory.
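The two checks described above (an "ip inspect" rule defined and applied in the configuration, and an "o" in the feature-set section of the image name) can be scripted so that a fleet of routers is triaged from saved "show version" and "show running-config" output. The following is an added example, not code from Cisco or from the advisory; the sample outputs are constructed to mirror the advisory's own example, and the image-name rule is the advisory's heuristic (the Cisco software table linked in the Software Versions and Fixes section remains the authoritative answer on whether a specific release needs upgrading).

```python
import re

# Constructed sample "show version" output, modelled on the advisory's example
# (not a capture from a real router).
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IO3-M),
Version 12.1(5)T, RELEASE SOFTWARE (fc1)
"""

# Constructed sample running configuration containing the CBAC lines the advisory names.
SAMPLE_CONFIG = """\
ip inspect name rule1 udp
ip inspect name rule1 tcp
!
interface FastEthernet0/1
 ip address 1.2.3.4 255.255.255.0
 ip inspect rule1 in
 duplex auto
 speed auto
!
"""

# The image name appears as "Software (C2600-IO3-M)" in show version output.
IMAGE_RE = re.compile(r"Software \(([A-Za-z0-9-]+)\)")


def image_name_from_show_version(text):
    """Return the image name from 'show version' output, lower-cased, or None if absent."""
    for line in text.splitlines():
        m = IMAGE_RE.search(line)
        if m:
            return m.group(1).lower()
    return None


def image_supports_cbac(image_name):
    """True if the feature-set section (between the hyphens) contains an 'o',
    which the advisory gives as the marker for the IOS Firewall Feature set.
    The platform (first) and format (last) sections are deliberately ignored."""
    parts = image_name.lower().split("-")
    if len(parts) < 3:          # no feature-set section at all
        return False
    return "o" in "".join(parts[1:-1])


def config_uses_cbac(config_text):
    """True if the configuration both defines an inspection rule and applies it to an interface."""
    lines = config_text.splitlines()
    defines = any(line.strip().startswith("ip inspect name ") for line in lines)
    applies = any(re.match(r"\s*ip inspect \S+ (in|out)\b", line) for line in lines)
    return defines and applies


def cbac_exposure(show_version_text, config_text):
    """Combine both checks: the image can run CBAC and the configuration enables it."""
    name = image_name_from_show_version(show_version_text)
    return name is not None and image_supports_cbac(name) and config_uses_cbac(config_text)


if __name__ == "__main__":
    name = image_name_from_show_version(SAMPLE_SHOW_VERSION)
    print("image:", name, "supports CBAC:", image_supports_cbac(name))
    print("config enables CBAC:", config_uses_cbac(SAMPLE_CONFIG))
    print("exposed (check the Cisco fix table):", cbac_exposure(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG))
```

A router whose image supports CBAC but whose configuration never applies an "ip inspect" rule to an interface is not affected by this bug; the combined check therefore requires both conditions before flagging a device.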
Affected hardware models are:
* Cisco routers in the following series: 800, 820, 950, 1400, 1600, 1700,
2500, 2600, 3600, 4000 Gateway, 4224, 7100, 7200, 7400, 7500, SOHO 70,
ubr900, ICS7750.
* The Catalyst 5000 and 6000 if they are running Cisco IOS software.
No other Cisco products are affected.
Details:
Cisco IOS Firewall is a packet inspection system. It is also a stateful
system; it keeps information about connections that last beyond the
lifetime of a single packet. CBAC is an IP-only feature. A router running
CBAC recognizes Transmission Control Protocol (TCP), User Datagram
Protocol (UDP), and some higher-layer protocols, and examines packet data
beyond the IP headers. If configured, CBAC maintains session information
based on packets examined.
When a session is initiated from the protected network, CBAC creates a
dynamic access list entry allowing return traffic for that session. When
return traffic is inspected against that dynamic access list entry, the
source and destination addresses and ports are checked; however, the IP
protocol type is not. This could allow a packet of a different protocol
type into the protected network.
This vulnerability is documented as Cisco Bug ID CSCdv48261.
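To make the defect concrete, the following added model (not Cisco's implementation, about which the advisory gives no internal detail) represents a dynamic entry as the return-direction 5-tuple of the session that created it and compares return traffic against it two ways: ignoring the protocol, as the advisory describes the affected code doing, and including it, as a corrected check would. The packets and RFC 5737 documentation addresses are constructed for the example. The protocol_mismatches helper is the audit view a defender would want: return traffic admitted by a dynamic entry whose protocol differs from the originating session is the signature of this bug being exercised, and, as the Impact section notes, it is confined to the addresses and ports of a session an inside host opened.

```python
from dataclasses import dataclass

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class DynamicEntry:
    """Simplified dynamic ACL entry CBAC would create for one outbound session,
    stored in the return direction: outside host -> inside host."""
    proto: int
    outside: str
    outside_port: int
    inside: str
    inside_port: int


def open_session(first_packet):
    """An inside host initiates a session; record the return-direction entry."""
    return DynamicEntry(first_packet.proto, first_packet.dst, first_packet.dport,
                        first_packet.src, first_packet.sport)


def return_traffic_allowed(entry, pkt, check_protocol):
    """Match return traffic against the dynamic entry.
    check_protocol=False models the behaviour described in CSCdv48261 (addresses and
    ports compared, protocol ignored); check_protocol=True models the corrected check."""
    addr_port_match = (pkt.src == entry.outside and pkt.sport == entry.outside_port
                       and pkt.dst == entry.inside and pkt.dport == entry.inside_port)
    if not addr_port_match:
        return False
    return pkt.proto == entry.proto if check_protocol else True


def protocol_mismatches(entry, admitted_packets):
    """Audit helper: admitted packets whose protocol differs from the session that
    created the entry. A non-empty result means the protocol gap was exercised."""
    return [p for p in admitted_packets if p.proto != entry.proto]


# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
OUTBOUND = Packet(TCP, "192.0.2.10", 40000, "198.51.100.5", 80)   # inside -> outside
ENTRY = open_session(OUTBOUND)
LEGIT_RETURN = Packet(TCP, "198.51.100.5", 80, "192.0.2.10", 40000)
OTHER_PROTO_RETURN = Packet(UDP, "198.51.100.5", 80, "192.0.2.10", 40000)
UNRELATED = Packet(TCP, "198.51.100.5", 80, "192.0.2.11", 40000)  # different inside host
CANDIDATES = (LEGIT_RETURN, OTHER_PROTO_RETURN, UNRELATED)


def run_demo():
    """Return (packets admitted by the affected check, packets admitted by the corrected check)."""
    vulnerable = [p for p in CANDIDATES if return_traffic_allowed(ENTRY, p, check_protocol=False)]
    fixed = [p for p in CANDIDATES if return_traffic_allowed(ENTRY, p, check_protocol=True)]
    return vulnerable, fixed


if __name__ == "__main__":
    vulnerable, fixed = run_demo()
    print("affected check admits:  ", [(p.proto, p.dst, p.dport) for p in vulnerable])
    print("corrected check admits: ", [(p.proto, p.dst, p.dport) for p in fixed])
    print("protocol mismatches admitted by affected check:",
          [(p.proto, p.dst, p.dport) for p in protocol_mismatches(ENTRY, vulnerable)])
```

Note that the unrelated packet is rejected by both checks: the address and port comparison still holds, which is why the advisory limits the exposure to the single port and host that initiated the session.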
Impact:
By allowing packets of different type into the protected network, the
customer is exposed to a much bigger threat. This vulnerability can be
exploited for reconnaissance purposes, but only for a single port and host
that initiated a session in the first place. Depending on the exact
session parameters, it may be possible to send data to processes that were
supposed to be accessible only from within the trusted network. In the
worst case, it is possible to open an interactive session to a host on the
protected network. In that case, there must be a process running on the
host that is listening to the port for which a hole is opened by CBAC.
Software Versions and Fixes:
Please use the provided table to verify whether your product is
vulnerable, and a fix is available for it:
http://www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml#Software
Obtaining Fixed Software:
Cisco is offering free software upgrades to eliminate this vulnerability
for all affected customers.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's Worldwide Web
site at http://www.cisco.com.
Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with the upgrade, which should be free
of charge.
Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested
through the TAC. Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.
Workarounds:
There is no workaround.
ADDITIONAL INFORMATION
The information has been provided by the Cisco Systems Product Security
Incident Response Team (psirt@cisco.com).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.