[NEWS] Cisco Vulnerable to SSH Malformed Packet Vulnerabilities
From: support@securiteam.com
Date: 12/26/02
- Previous message: support@securiteam.com: "[UNIX] Multiple Vulnerabilities in KDE (command shell)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: 26 Dec 2002 23:53:03 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -
Cisco Vulnerable to SSH Malformed Packet Vulnerabilities
------------------------------------------------------------------------
SUMMARY
Certain Cisco products containing support for the Secure Shell (SSH)
server are vulnerable to a Denial of Service (DoS) if the SSH server is
enabled on the device. A malformed SSH packet directed at the affected
device can cause a reload of the device. No authentication is necessary
for the packet to be received by the affected device. The SSH server in
Cisco IOS is disabled by default.
Cisco will be making free software available to correct the problem as
soon as possible.
The malformed packets can be generated using the SSHredder test suite from
Rapid7, Inc. Workarounds are available. The Cisco PSIRT is not aware of
any malicious exploitation of this vulnerability.
DETAILS
Affected Products:
Multiple Cisco products which contain support for an SSH server are
vulnerable if the SSH server is enabled. Cisco routers and Catalyst
switches running the affected versions of Cisco IOS shown in the Software
Version and Fixes section below have been confirmed to be vulnerable.
Cisco products which contain SSH server functionality that are confirmed
not to be vulnerable include:
* Cisco Catalyst Switches running Cisco CatOS
* Cisco VPN3000 series concentrators
* Cisco PIX Firewall
* Cisco Secure Intrusion Detection System (NetRanger) appliance
* Cisco Secure Intrusion Detection System Catalyst Module
* Cisco SN5400 Series Storage Routers
* CiscoWorks 1105 Wireless LAN Solution Engine (WLSE)
* CiscoWorks 1105 Hosting Solution Engine (WLSE)
Details:
A suite of crafted packets has been developed to test implementations of
the Secure Shell (SSH) protocol. If the SSH server has been enabled,
several of the test cases cause a forced reload of the device before the
authentication process is called. Each time an SSH connection attempt is
made to a Cisco device running Cisco IOS with one of the crafted packets,
and the SSH server is enabled on the device, the device reboots.
The SSH server feature is available in the following Cisco IOS release
trains: 12.0S, 12.0ST, 12.1T, 12.1E, 12.2, 12.2T, 12.2S. All releases
which have the SSH server feature are vulnerable when the SSH server is
enabled by issuing the command "crypto key generate rsa" in configuration
mode.
All products running vulnerable versions of Cisco IOS except the Cisco
3550 will automatically reload and resume service following the crash. The
Cisco 3550 will not reload, and will require manual intervention to resume
normal processing.
This Cisco IOS defect is documented in DDTS CSCdz60229.
Impact:
The vulnerability can be exploited to make an affected product unavailable
for several minutes while the device reloads. Once it has resumed normal
processing, the device is still vulnerable and can be forced to reload
repeatedly.
Software Versions and Fixes:
A table listing all the versions being affected, and their available fixes
can be found here:
<http://www.cisco.com/warp/public/707/ssh-packet-suite-vuln.shtml#Software> http://www.cisco.com/warp/public/707/ssh-packet-suite-vuln.shtml#Software
Obtaining Fixed Software:
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at <http://www.cisco.com/tacpage/sw-center/>
http://www.cisco.com/tacpage/sw-center/.
Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with obtaining the free software
upgrade(s).
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows:
* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* email: tac@cisco.com .
See <http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml>
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional
TAC contact information, including special localized telephone numbers and
instructions and e-mail addresses for use in various languages.
Please have your product serial number available and give the URL of this
advisory as evidence of your entitlement to a free upgrade. Free upgrades
for non-contract customers must be requested through the TAC.
Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.
Workarounds:
Workarounds consist of disabling the SSH server, removing SSH as a remote
access method, permitting only trusted hosts to connect to the server, and
blocking SSH traffic to the device completely via external mechanisms.
Caution: The following workaround will have undesirable side effects for
IPSEC sessions that terminate on the device that use RSA key pairs for
device authentication, or that use certificates based on those RSA key
pairs. IPSEC sessions using other authentication methods will not be
affected.
For Cisco IOS the SSH server can be disabled by applying the command
"crypto key zeroize rsa" while in configuration mode. The SSH server is
enabled automatically upon generating an RSA key pair. Zeroing the RSA
keys is the only way to completely disable the SSH server.
Access to the SSH server on Cisco IOS may also be disabled via removing
SSH as a valid transport protocol. This can be done by reapplying the
"transport input" command with 'ssh' removed from the list of permitted
transports on VTY lines while in configuration mode. For example:
line vty 0 4
transport input telnet
end
If SSH server functionality is desired, access to the server can be
restricted to specific source IP addresses or blocked entirely through the
use of Access Control Lists (ACLs) on the VTY lines as shown in the
following URL:
<http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/1219ea1/scg/swacl.htm#xtocid14> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/1219ea1/scg/swacl.htm#xtocid14
More information on configuring ACLs can be found on Cisco's public
website:
<http://www.cisco.com/warp/public/707/confaccesslists.html>
http://www.cisco.com/warp/public/707/confaccesslists.html
An example of a VTY access-list can be found here:
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 deny any
line vty 0 4
access-class 2 in
end
You may also block inbound SSH connections for your device with an
external packet filtering device such as a firewall or a router that
blocks traffic to TCP port 22.
ADDITIONAL INFORMATION
The information has been provided by <mailto:psirt@cisco.com> Cisco
Systems Product Security Incident Response Team.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Next message: support@securiteam.com: "[UNIX] Web server vulnerability in Axis Network Cameras, Video Servers and Network Digital Video Recorders"
- Previous message: support@securiteam.com: "[UNIX] Multiple Vulnerabilities in KDE (command shell)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
