[NEWS] Denial-of-Service of TCP-based Services in CatOS

From: SecuriTeam (support_at_securiteam.com)
Date: 07/15/03

  • Next message: SecuriTeam: "[NT] IE Chromeless Window Vulnerabilities (More Examples)" 
    To: list@securiteam.com
Date: 15 Jul 2003 18:12:58 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security in Canada

    Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
    We welcome ISPs, system integrators and IT systems resellers
    to promote the most advanced vulnerability assessment solutions today.

    Contact us at 416-482-0038 or at canadasales@beyondsecurity.com

    - - - - - - - - -

      Denial-of-Service of TCP-based Services in CatOS
    ------------------------------------------------------------------------

    SUMMARY

    After receiving eight TCP connection attempts using a non-standard TCP
    flags combination, a Catalyst switch will stop responding to further TCP
    connections to that particular service. In order to re-establish
    functionality of that service, the switch must be rebooted. There is no
    workaround. This vulnerability affects only CatOS. No other Cisco products
    are affected.

    DETAILS

    Affected Products:
    The CatOS for the following Catalyst models are affected:
     * Catalyst 4000 Series including models 2948G and 2980G/2980G-A
     * Catalyst 5000 Series including models 2901, 2902 and 2926
     * Catalyst 6000

    No other Cisco products are affected.

    Details:
    After receiving eight connection attempts on any TCP service, the switch
    will stop responding to any further connection attempts to that service.
    These attempts must use a non-standard combination of TCP flags. The
    switch will continue to pass other switched traffic normally and the
    console is not affected. Only the service to which connections were made
    will become unresponsive. Standard TCP services include HTTP, Telnet, and
    SSH.

    Impact:
    By exploiting this vulnerability, an attacker can prevent further use of
    the specified TCP-based service. Depending on the configuration of the
    device, if SSH or Telnet are enabled and exploited, the availability of
    those services could be affected, possibly resulting in a loss of
    management capability using those same services. However, UDP-based
    services such as Simple Network Management Protocol (SNMP) would still be
    available and unaffected.

    Software Versions and Fixes:
    The vulnerability is fixed in the following releases. All previous
    releases are vulnerable and all higher releases, from the ones in the
    table, are fixed. A table listing available software versions and fixes is
    available at:
    <http://www.cisco.com/warp/public/707/cisco-sa-20030709-swtcp.shtml>
    http://www.cisco.com/warp/public/707/cisco-sa-20030709-swtcp.shtml

    Obtaining Fixed Software:
    Cisco is offering free software upgrades to address these vulnerabilities
    for all affected customers. Customers may only install and expect support
    for the feature sets they have purchased. By installing, downloading,
    accessing or otherwise using such software upgrades, Customers agree to be
    bound by the terms of Cisco software license terms found at
    <http://www.cisco.com/public/sw-license-agreement.html>
    http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set
    forth at the Cisco Connection Online Software Center at
    <http://www.cisco.com/public/sw-center/sw-usingswc.shtml>
    http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

    Customers with service contracts should contact their regular update
    channels to obtain the free software upgrade identified via this advisory.
    For most customers with service contracts, this means that upgrades should
    be obtained through the Software Center on the Cisco worldwide website at
    <http://www.cisco.com/tacpage/sw-center/sw-lan.shtml>
    http://www.cisco.com/tacpage/sw-center/sw-lan.shtml. To access the
    software download URL, you must be a registered user and you must be
    logged in.

    Customers whose Cisco products are provided or maintained through prior or
    existing agreement with third-party support organizations such as Cisco
    Partners, authorized resellers, or service providers should contact that
    support organization for assistance with the upgrade, which should be free
    of charge.

    Customers who purchase direct from Cisco but who do not hold a Cisco
    service contract and customers who purchase through third-party vendors
    but are unsuccessful at obtaining fixed software through their point of
    sale should get their upgrades by contacting the Cisco Technical
    Assistance Center (TAC). TAC contacts are as follows.
     * +1 800 553 2447 (toll free from within North America)
     * +1 408 526 7209 (toll call from anywhere in the world)
     * e-mail: tac@cisco.com

    Please have your product serial number available and give the URL of this
    notice as evidence of your entitlement to a free upgrade. Free upgrades
    for non-contract customers must be requested through the TAC.

    Please do not contact either "psirt@cisco.com" or
    "security-alert@cisco.com" for software upgrades.

    Workarounds:
    There is no workaround. In order to continue using an affected TCP
    service, the switch must be rebooted.

    It is possible to mitigate the exposure by configuring VLAN Access Control
    Lists (VACLs) on the switch (where they are supported) that will allow
    only legitimate hosts to connect to the desired services. This must be
    combined with Unicast Reverse Path Forwarding (uRPF), or some other
    anti-spoofing technique, on the network edge to protect against spoofed
    packets from the outside of the network.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:psirt@cisco.com> Cisco
    Systems Product Security Incident Response Team.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] IE Chromeless Window Vulnerabilities (More Examples)"

    Relevant Pages