[NEWS] Cisco CatOS Telnet, HTTP and SSH Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 06/10/04

    To: list@securiteam.com
    Date: 10 Jun 2004 11:25:20 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Cisco CatOS Telnet, HTTP and SSH Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    Cisco CatOS is susceptible to a TCP-ACK Denial of Service (DoS) attack on
    the Telnet, HTTP and SSH services. If exploited, the vulnerability causes
    the device running Cisco CatOS to stop functioning and reload.

    This vulnerability is documented as Cisco bug IDs CSCec42751, CSCed45576,
    and CSCed48590. There are techniques available to mitigate the potential
    effects of this vulnerability in the workaround section of this advisory.
    Cisco is providing fixed software, and recommends that customers upgrade
    to it.

    DETAILS

    Affected Products:

    Vulnerable Products

    Hardware
     * Catalyst 6000 series
     * Catalyst 5000 series
     * Catalyst 4500 series
     * Catalyst 4000 series
     * Catalyst 2948G, 2980G, 2980G-A, 4912G (use the Catalyst 4000 series code base)
     * Catalyst 2901, 2902, 2926[T,F,GS,GL], 2948 (use the Catalyst 5000 series code base)

    Software

    CatOS Release Train    Affected Releases
    8.xGLX                 earlier than 8.3(2)GLX
    8.x                    earlier than 8.2(2)
    7.x                    earlier than 7.6(6)
    6.x                    earlier than 6.4(9)
    5.x and earlier        earlier than 5.5(20)

    Products Confirmed Not Vulnerable:
    The following Catalyst switches do not run Cisco CatOS.
     * Catalyst 8500 series
     * Catalyst 4800 series
     * Catalyst 4200 series
     * Catalyst 4840G
     * Catalyst 4908G-l3
     * Catalyst 4224 Access Gateway Switch
     * Catalyst 3750
     * Catalyst 3750 Metro
     * Catalyst 3560
     * Catalyst 3550
     * Catalyst 3500 XL
     * Catalyst 2948G-l3
     * Catalyst 2970
     * Catalyst 2955
     * Catalyst 2950
     * Catalyst 2950 LRE
     * Catalyst 2940
     * Catalyst 2900 XL
     * Catalyst 2900 LRE XL
     * Catalyst 2820
     * Catalyst 1900

    Cisco IOS is not vulnerable to this issue.

    No other Cisco products are currently known to be affected by this
    vulnerability.

    To determine your software revision, type show version at the command-line
    prompt of the network device.

    Details:
    A TCP-ACK DoS attack consists of withholding the final ACK that would
    complete the TCP 3-way handshake and instead sending an invalid response
    that moves the connection into an invalid TCP state. This attack can be
    initiated from a remote, spoofed source.

    This vulnerability is currently known to be exploitable only if you have
    the Telnet, HTTP or SSH service configured on a device that is running
    Cisco CatOS.

    CatOS release 5.4 was the first CatOS release which incorporated the HTTP
    feature. Software releases that contain a "cv" in the image filename
    support the HTTP feature. The HTTP server is disabled by default. It is
    typically enabled to allow web-based management of the switch using
    CiscoView. To disable the HTTP server on the switch, type set ip http
    server disable.

    CatOS K9 (crypto) release 6.1 was the first CatOS release which
    incorporated the SSH feature. The SSH server is disabled by default. To
    verify whether SSH has been configured on the switch, type show crypto key.
    If this shows you the RSA key, then SSH has been configured and enabled on
    the switch. To remove the crypto key, type clear crypto key rsa; this
    disables the SSH server on the switch.

    To check whether the HTTP or SSH services are enabled, one can also do the
    following. For HTTP, try to connect to the default HTTP port, TCP 80, using
    Telnet: telnet ip_address_of_device 80. If the session connects, the
    service is enabled and accessible. Similarly, for SSH, try to connect to
    the SSH port, TCP 22.

    The Internetworking Terms and Cisco Systems Acronyms online guides can be
    found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/.

    This vulnerability is documented in the Cisco Bug Toolkit as Bug IDs
    CSCec42751 (registered customers only), CSCed45576 (registered customers
    only), and CSCed48590 (registered customers only).

    Impact:
    When exploited, the vulnerability causes the device running Cisco CatOS to
    stop functioning and reload.

    Software Versions and Fixes:
    A table illustrating which versions are vulnerable and their corresponding
    fixes is available at:
    http://www.cisco.com/warp/public/707/cisco-sa-20040609-catos.shtml#software

    Workarounds:
    Implement the best practice of assigning all switch management interfaces
    to a dedicated VLAN and apply appropriate access controls on routers
    switching between the switch management interface VLAN and the rest of the
    network. To read more about best practices for Catalyst 4500/4000,
    5500/5000, and 6500/6000 Series Switches running CatOS configuration and
    management, refer to
    http://www.cisco.com/en/US/partner/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml.

    Apply ACLs on routers / switches / firewalls in front of the vulnerable
    switches such that traffic destined for the Telnet TCP port 23, HTTP TCP
    port 80 and SSH TCP port 22 on the vulnerable switches is only allowed
    from the network management workstations. Refer to
    http://www.cisco.com/warp/public/707/iacl.html for examples on how to
    apply access control lists (ACLs) on Cisco routers.

    On the Catalyst 6000 series switches, if the VLAN Access Control List
    (VACL) feature is available in the code base, you can use VACLs to allow
    Telnet, HTTP and SSH access to the switch's management interface only from
    the network management workstations; refer to
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sft_6_1/configgd/acc_list.htm.

    Please note, these workarounds will not prevent spoofed IP packets with
    the source IP address set to that of the network management station from
    reaching the switch's management interface. For more information on
    anti-spoofing refer to http://www.cisco.com/warp/public/707/21.html#sec_ip
    and http://www.ietf.org/rfc/rfc2827.txt.
    The Unicast Reverse Path Forwarding (Unicast RPF) feature helps to
    mitigate problems that are caused by malformed or forged IP source
    addresses that are passing through a router; refer to
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfrpf.htm.
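    As an added example, not part of the Cisco advisory or the SecuriTeam
    bulletin, the following Cisco IOS configuration implements the ACL
    workaround above on the router that sits between the switch management
    VLAN and the rest of the network, and pairs it with Unicast RPF as the
    anti-spoofing complement the advisory points to. Every address, VLAN
    number and interface name is an assumption: 192.0.2.10 is the network
    management workstation, 192.0.2.100 is the switch's sc0 management address
    inside the management VLAN, Vlan10 is the router's interface into that
    VLAN, and FastEthernet0/0 is the interface toward the rest of the network.

```cisco
! Added example; not from the advisory. All addresses and interfaces are assumed:
!   192.0.2.10      - network management workstation
!   192.0.2.100     - CatOS switch management (sc0) address in the management VLAN
!   Vlan10          - router interface facing the management VLAN
!   FastEthernet0/0 - router interface facing the rest of the network
!
! Only the management workstation may reach Telnet (TCP 23), SSH (TCP 22) and
! HTTP (TCP 80) on the switch. The same ports from any other source are denied
! and logged; all other traffic is left untouched by the final permit.
ip access-list extended MGMT-TO-CATOS
 remark management workstation to the switch's management services
 permit tcp host 192.0.2.10 host 192.0.2.100 eq 22
 permit tcp host 192.0.2.10 host 192.0.2.100 eq 23
 permit tcp host 192.0.2.10 host 192.0.2.100 eq 80
 remark the same services from any other source: drop and log
 deny   tcp any host 192.0.2.100 eq 22 log
 deny   tcp any host 192.0.2.100 eq 23 log
 deny   tcp any host 192.0.2.100 eq 80 log
 remark explicit permit so unrelated traffic to the management VLAN still flows
 permit ip any any
!
! Applied outbound on the management VLAN interface: evaluated for packets the
! router forwards into that VLAN, i.e. everything headed for the switch.
interface Vlan10
 ip access-group MGMT-TO-CATOS out
!
! Anti-spoofing on the untrusted side. Strict Unicast RPF needs CEF and drops
! packets whose source address is not routed back out the same interface, so a
! packet arriving here that claims to be from 192.0.2.10 (which lives behind
! Vlan10) is discarded before the ACL ever sees it.
ip cef
interface FastEthernet0/0
 ip verify unicast reverse-path
```

    The ACL by itself accepts any packet that carries the management station's
    source address, which is exactly the gap the advisory warns about; strict
    Unicast RPF closes it on the interface where a forged source would arrive,
    but is only safe where routing to and from that interface is symmetric. The
    "log" keyword on the deny entries gives the network operations team a
    record of rejected connection attempts against the switch's management
    ports.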

    IP Permit Lists will not provide any mitigation against this
    vulnerability.

    The Cisco PSIRT recommends that affected users upgrade to a fixed software
    version of code.

    ADDITIONAL INFORMATION

    The information has been provided by the Cisco Systems Product Security
    Incident Response Team (psirt@cisco.com).
    The original article can be found at:
    http://www.cisco.com/warp/public/707/cisco-sa-20040609-catos.shtml

