[NEWS] Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Vulnerabilities
From: SecuriTeam (support_at_securiteam.com)
Date: 02/24/04
To: list@securiteam.com
Date: 24 Feb 2004 11:22:08 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Vulnerabilities
------------------------------------------------------------------------
SUMMARY
Multiple vulnerabilities exist in the Cisco ONS 15327 Edge Optical
Transport Platform, the Cisco ONS 15454 Optical Transport Platform, the
Cisco ONS 15454 SDH Multiplexer Platform, and the Cisco ONS 15600
Multiservice Switching Platform.
These vulnerabilities are documented as Cisco bug ID
CSCec17308/CSCec19124(tftp), CSCec17406(port 1080), and
CSCec66884/CSCec71157(SU access). There are workarounds available to
mitigate the effects of these vulnerabilities.
DETAILS
Affected Products:
CSCec17308/CSCec19124(tftp)
Product - Affected Releases
15327 - 4.1(0) to 4.1(2), 4.0(x)
15454, 15454 SDH - 4.5(x), 4.1(0) to 4.1(2), 4.0(x)
15600 - 1.0(x)
CSCec17406(port 1080)
Product - Affected Releases
15327 - 4.1(0), 4.0(0) to 4.0(1)
15454, 15454 SDH - 4.5(x), 4.1(0), 4.0(0) to 4.0(1)
15600 - Not Affected
CSCec66884/CSCec71157(SU access)
Product - Affected Releases
15327 - 4.1(0) to 4.1(2), 4.0(x)
15454, 15454 SDH - 4.5(x), 4.1(0) to 4.1(2), 4.0(x)
15600 - 1.x(x) except for 1.1(1)
Products not affected by these vulnerabilities include the Cisco ONS 15800
series, ONS 15500 series extended service platform, ONS 15302, ONS 15305,
ONS 15200 series metro DWDM systems, and the ONS 15190 series IP transport
concentrator.
Cisco ONS 15327 hardware running ONS Release 1.x(x) and 3.x(x) and Cisco
ONS 15454 hardware running ONS Releases 2.x(x) and 3.x(x) are not affected
by these vulnerabilities.
No other Cisco products are currently known to be affected by these
vulnerabilities.
To determine your software revision, view the Help > About window on the
CTC management software.
Details:
The affected Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600
hardware is managed through the XTC, TCC+/TCC2, TCCi/TCC2, and TSC control
cards respectively. These control cards are usually connected to a network
isolated from the Internet and local to the customer's environment. This
limits the exposure to the exploitation of the vulnerabilities from the
Internet.
CSCec17308/CSCec19124(tftp)
The TFTP service on UDP port 69 is enabled by default to allow both GET
and PUT commands to be executed without any authentication. Using a TFTP
client, it is possible to connect to the optical device and upload or
retrieve ONS system files on the current active TCC in the /flash0 or
/flash1 directories. It is not possible to upload or retrieve any user
data files.
Cisco bug ID CSCec17308 documents the issue on the Cisco ONS 15327, ONS
15454 and ONS 15454 SDH, and Cisco bug ID CSCec19124 documents the issue
on the Cisco ONS 15600 hardware.
CSCec17406(port 1080)
The Cisco ONS 15327, ONS 15454 and ONS 15454 SDH hardware is susceptible
to an ACK Denial of Service (DoS) attack on TCP port 1080. TCP port 1080
is used by network management applications to communicate with the
controller card. The controller card on the optical device will reset
under such an attack.
An ACK DoS attack is conducted by not sending the final ACK required for a
3-way TCP handshake to complete, and instead sending an invalid response
to move the connection to an invalid TCP state.
The Cisco ONS 15600 Multiservice Switching Platform is not affected by
this vulnerability.
CSCec66884/CSCec71157(SU access)
Telnet access to the underlying VxWorks operating system is, by default,
restricted to superusers only. Due to this vulnerability, a superuser
whose account is locked out, disabled, or suspended is still able to log
in (Telnet) to the VxWorks shell using their previously configured
password.
Cisco bug ID CSCec66884 documents the issue on the Cisco ONS 15327, ONS
15454 and ONS 15454 SDH, and Cisco bug ID CSCec71157 documents the issue
on the Cisco ONS 15600 hardware.
The Internetworking Terms and Cisco Systems Acronyms online guides can be
found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/.
These vulnerabilities are documented in the Cisco Bug Toolkit (registered
customers only) as Cisco bug IDs CSCec17308/CSCec19124(tftp),
CSCec17406(port 1080), and CSCec66884/CSCec71157(SU access). To access
this tool, you must be a registered user and you must be logged in.
Impact:
CSCec17308/CSCec19124(tftp) -- This vulnerability could be exploited to
launch a DoS attack on the optical device if corrupt ONS system files were
to be uploaded to the controller card.
CSCec17406(port 1080) -- This vulnerability could be exploited to launch a
DoS attack on the optical device.
The timing for the data channels traversing the switch is provided by the
control cards.
On the Cisco ONS 15454, ONS 15327, and ONS 15454 SDH hardware, whenever
both the active and standby control cards are rebooting at the same time,
the synchronous data channels traversing the switch drop traffic until the
card reboots. Asynchronous data channels traversing the switch are not
impacted. Manageability functions provided by the network element using
the TCC+/TCC2, XTC, and TCCi/TCC2 control cards are not available until
the control card reboots.
On the Cisco ONS 15600 hardware, whenever both the active and standby
control cards are rebooting at the same time, there is no impact to the
data channels traversing the switch because the TSC does a software reset
which does not impact the timing being provided by the TSC for the data
channels.
Manageability functions provided by the network element through the TSC
control cards are not available until the control card reboots.
CSCec66884/CSCec71157(SU access) -- This vulnerability could be exploited
to gain unauthorized access to the optical device.
Software Versions and Fixes:
CSCec17308/CSCec19124(tftp)
Product - Fixed Releases
15327 - 4.1(3) and later
15454, 15454 SDH - 4.6(1) and later, 4.1(3) and later
15600 - 1.3(0) and later, 1.1(0) and later
CSCec17406(port 1080)
Product - Fixed Releases
15327 - 4.1(1) and later, 4.0(2) and later
15454, 15454 SDH - 4.6(1) and later, 4.1(1) and later, 4.0(2) and later
15600 - Not Affected
CSCec66884/CSCec71157(SU access)
Product - Fixed Releases
15327 - 4.1(3) and later
15454, 15454 SDH - 4.6(1) and later, 4.1(3) and later
15600 - 1.1(1), 5.0 and later (when available)
Cisco ONS Release 4.6(0) is not affected by these vulnerabilities. The
recommended release to upgrade to is Cisco ONS release 4.6(1).
Upgrade procedures can be found as indicated below.
The procedure to upgrade to the fixed software version on the Cisco ONS
15327 hardware is detailed at
http://www.cisco.com/univercd/cc/td/doc/product/ong/15327/327doc41/index.htm.
The procedure to upgrade to the fixed software version on the Cisco ONS
15454 hardware is detailed at
http://www.cisco.com/univercd/cc/td/doc/product/ong/15400/r46docs/index.htm.
The procedure to upgrade to the fixed software version on the Cisco ONS
15600 hardware is detailed at
http://cisco.com/univercd/cc/td/doc/product/ong/15600/index.htm.
Workarounds:
There are mitigation workarounds available for these vulnerabilities. The
Cisco PSIRT recommends that affected users upgrade to a fixed software
version of code.
CSCec17308/CSCec19124(tftp)
Use access control lists on routers and firewalls that are installed in
the network to allow only valid network management workstations to gain
TFTP access to the XTC, TCC+/TCC2, TCCi/TCC2, or TSC control cards.
CSCec17406(port 1080)
Use access control lists on routers and firewalls that are installed in
the network to allow only valid network management workstations to gain
TCP port 1080 access to the XTC, TCC+/TCC2, TCCi/TCC2, or TSC control
cards.
CSCec66884/CSCec71157(SU access)
Use access control lists on routers and firewalls that are installed in
the network to allow only valid network management workstations to gain
login (Telnet) access to the XTC, TCC+/TCC2, TCCi/TCC2, or TSC control
cards.
Refer to http://www.cisco.com/warp/public/707/iacl.html for examples on how to
apply access control lists (ACLs) on Cisco routers.
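To check that the ACL workarounds above are actually in effect, the following added example (not part of the Cisco advisory) audits flow records for traffic that reaches a control card on UDP 69, TCP 1080, or Telnet from a source that is not a management workstation. The record format, the addresses, and Telnet on TCP 23 are assumptions made for illustration.

```python
import ipaddress

# Services the advisory says to restrict, keyed by (protocol, destination port).
# Telnet is assumed to listen on its standard port, TCP 23.
RESTRICTED = {
    ("udp", 69): "CSCec17308/CSCec19124(tftp)",
    ("tcp", 1080): "CSCec17406(port 1080)",
    ("tcp", 23): "CSCec66884/CSCec71157(SU access)",
}

# Constructed addressing (RFC 5737 documentation ranges), not from the advisory.
CONTROL_CARDS = [ipaddress.ip_network("192.0.2.0/28")]
MGMT_STATIONS = [ipaddress.ip_network("198.51.100.10/32"),
                 ipaddress.ip_network("198.51.100.11/32")]

# Constructed flow records: src dst proto dport
SAMPLE_FLOWS = """\
198.51.100.10 192.0.2.5 tcp 1080
203.0.113.77 192.0.2.5 udp 69
203.0.113.77 192.0.2.6 tcp 1080
198.51.100.11 192.0.2.5 tcp 23
203.0.113.80 192.0.2.7 tcp 23
203.0.113.80 192.0.2.7 tcp 443
203.0.113.80 192.0.2.200 udp 69
truncated record
""".splitlines()

def _in_any(addr, networks):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in networks)

def audit_flows(lines):
    """Return (findings, malformed). A finding is a flow to a control card on a
    restricted service from a source that is not a management workstation."""
    findings, malformed = [], []
    for line in lines:
        try:
            src, dst, proto, dport = line.split()
            key = (proto.lower(), int(dport))
            exposed = (key in RESTRICTED and _in_any(dst, CONTROL_CARDS)
                       and not _in_any(src, MGMT_STATIONS))
        except ValueError:
            malformed.append(line)  # keep for review rather than dropping silently
            continue
        if exposed:
            findings.append((src, dst, RESTRICTED[key]))
    return findings, malformed

if __name__ == "__main__":
    for src, dst, bug in audit_flows(SAMPLE_FLOWS)[0]:
        print(f"{src} -> {dst}: reachable service for {bug}")
```

Any finding means an ACL is missing or applied on the wrong path. For TFTP, only the initial request is addressed to UDP port 69, so that is the record to look for.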
ADDITIONAL INFORMATION
The information has been provided by the Cisco Systems Product Security
Incident Response Team (psirt@cisco.com).
The original article can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20040219-ONS.shtml