[NEWS] CBOS - Improving Resilience to Denial-of-Service Attacks

From: support@securiteam.com
Date: 05/26/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 26 May 2002 08:52:45 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  CBOS - Improving Resilience to Denial-of-Service Attacks
------------------------------------------------------------------------

SUMMARY

Three new vulnerabilities are identified in Cisco Broadband Operating
System (CBOS), an operating system for the Cisco 600 family of routers.
Each vulnerability can cause a Denial of Service (DoS) by freezing the
customer premises equipment (CPE). All three vulnerabilities can be
exploited remotely.

No other Cisco product is vulnerable.

Workarounds are provided for two of the three vulnerabilities. Note that
the workarounds provided may not be applicable in all cases. See the
Workarounds section for further details.

DETAILS

Affected Products:
All Cisco DSL CPE devices from the 600 family running CBOS software up to
and including 2.4.4 release are vulnerable. The complete list of
vulnerable hardware models is: 605, 626, 627, 633, 673, 675, 675e, 676,
677, 677i and 678.

No other Cisco products are affected.

Details:
CSCdw90020
By sending a large packet to the Dynamic Host Configuration Protocol
(DHCP) port, it is possible to freeze the CPE. DHCP service is enabled by
default.

CSCdv50135
By sending a large packet to the Telnet port, it is possible to freeze the
CPE. It is not necessary to be logged in or to authenticate in any way.
Telnet is enabled by default.

CSCdx36121
The TCP/IP stack will consume all memory while processing received
packets. This will happen only if the CPE must process a high number of
overly large packets. These packets must have the CPE as the destination.
After the memory is exhausted, the CPE will lock up and stop forwarding
any further packets.

Impact:
By repeatedly exploiting these vulnerabilities, an attacker can cause a
DoS for an indeterminate period.

Software Versions and Fixes:
All vulnerabilities are fixed in CBOS version 2.4.5.

Obtaining Fixed Software:
Cisco is offering free software upgrades to eliminate this vulnerability
for all affected customers.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's Worldwide Web
site at http://www.cisco.com.

Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with the upgrade, which should be free
of charge.

Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows:

 * +1 800 553 2447 (toll-free from within North America)
 * +1 408 526 7209 (toll call from anywhere in the world)
 * e-mail: tac@cisco.com

Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades
for non-contract customers must be requested through the TAC.

Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

Workaround:
CSCdw90020
The workaround is to filter DHCP requests. This task must be executed
while in enable mode.
To filter DHCP packets use this procedure:

cbos# set filter 0 on allow incoming eth0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol udp srcport 68-68 destport 67-67
cbos# set filter 1 on allow outgoing eth0 1.2.3.4 255.255.255.255 0.0.0.0 0.0.0.0 protocol udp srcport 67-67 destport 68-68

The filter "0" will allow all DHCP requests from your internal network to
the CPE. The filter "1" will allow all DHCP responses from the CPE. In
this example, the eth0 interface of the CPE has the IP address of 1.2.3.4.
You must substitute this address with the IP address of your eth0 port.
This configuration is not the complete workaround since you are still
exposed from your LAN side (behind the eth0 interface).

Note: There is an implicit "deny all" as the last filter so you must
include additional "permit" filters to allow a normal traffic flow. If you
already have filters configured, you should combine this example with the
configured filters and probably change the filter numbers to suit your
configuration. Also, note that this workaround is not applicable if you
must have DHCP enabled on the WAN side.

For information regarding filters, refer to:
http://www.cisco.com/univercd/cc/td/doc/product/dsl_prod/c600s/cbos/cbos240/03chap02.htm#xtocid365615
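
The filter behaviour described above, as an added example that is not part of the Cisco advisory or of CBOS itself: a simplified Python model of the two workaround filters. It assumes filters are evaluated in order with the first match winning and that unmatched packets fall through to the implicit "deny all"; the interface name wan0 and the sample packets are constructed placeholders.

```python
# Added example: simplified model of the workaround filters (not CBOS code).
# Assumptions: first matching filter wins; unmatched packets hit "deny all".
from collections import namedtuple
from ipaddress import ip_address

Filter = namedtuple("Filter", "action direction iface src smask dst dmask proto sport dport")
Packet = namedtuple("Packet", "direction iface src dst proto sport dport")

def parse_filter(line):
    """Parse a 'set filter' line in the form shown in the advisory."""
    t = line.split()
    t = t[t.index("filter") + 1:]            # drop the prompt and 'set filter'
    _num, _state, action, direction, iface, src, smask, dst, dmask = t[:9]
    opts = dict(zip(t[9::2], t[10::2]))      # protocol / srcport / destport
    rng = lambda s: tuple(int(p) for p in s.split("-"))
    return Filter(action, direction, iface, src, smask, dst, dmask,
                  opts["protocol"], rng(opts["srcport"]), rng(opts["destport"]))

def _masked_eq(addr, base, mask):
    a, b, m = (int(ip_address(x)) for x in (addr, base, mask))
    return (a & m) == (b & m)

def decide(filters, p):
    for f in filters:
        if ((f.direction, f.iface, f.proto) == (p.direction, p.iface, p.proto)
                and _masked_eq(p.src, f.src, f.smask)
                and _masked_eq(p.dst, f.dst, f.dmask)
                and f.sport[0] <= p.sport <= f.sport[1]
                and f.dport[0] <= p.dport <= f.dport[1]):
            return f.action
    return "deny"                            # implicit "deny all"

FILTERS = [parse_filter(l) for l in (
    "cbos# set filter 0 on allow incoming eth0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol udp srcport 68-68 destport 67-67",
    "cbos# set filter 1 on allow outgoing eth0 1.2.3.4 255.255.255.255 0.0.0.0 0.0.0.0 protocol udp srcport 67-67 destport 68-68",
)]

# Constructed sample packets; "wan0" is a placeholder interface name.
SAMPLES = {
    "LAN DHCP request":   Packet("incoming", "eth0", "0.0.0.0", "255.255.255.255", "udp", 68, 67),
    "CPE DHCP reply":     Packet("outgoing", "eth0", "1.2.3.4", "255.255.255.255", "udp", 67, 68),
    "WAN packet to DHCP": Packet("incoming", "wan0", "203.0.113.9", "1.2.3.4", "udp", 68, 67),
    "LAN DNS query":      Packet("incoming", "eth0", "10.0.0.5", "198.51.100.53", "udp", 1025, 53),
}

def verdicts():
    return {name: decide(FILTERS, p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, v in verdicts().items():
        print(f"{name:20s} {v}")
```

The last verdict shows the effect of the implicit "deny all": with only these two filters in place, ordinary LAN traffic is dropped along with the WAN-side DHCP packet.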

CSCdv50135
The workaround is to disable Telnet. This task must be executed while in
enable mode.
To disable Telnet use this procedure:

cbos# set telnet disable
cbos# write

CSCdx36121
There is no workaround.

ADDITIONAL INFORMATION

The information has been provided by Cisco Systems Product Security
Incident Response Team <psirt@cisco.com>.
