[NEWS] Cisco IOS Firewall Authentication Proxy for FTP and Telnet Sessions Buffer Overflow
From: SecuriTeam (support_at_securiteam.com)
Date: 09/08/05
- Previous message: SecuriTeam: "[NT] IIS 5.1 Source Disclosure Under FAT/FAT32 Volumes Using WebDAV"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 8 Sep 2005 10:04:50 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Cisco IOS Firewall Authentication Proxy for FTP and Telnet Sessions Buffer
Overflow
------------------------------------------------------------------------
SUMMARY
The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions
feature in specific versions of Cisco IOS software is vulnerable to a
remotely-exploitable buffer overflow condition.
Devices that do not support, or are not configured for Firewall
Authentication Proxy for FTP and/or Telnet Services are not affected.
Devices configured with only Authentication Proxy for HTTP and/or HTTPS
are not affected.
Only devices running certain versions of Cisco IOS are affected.
Cisco has made free software available to address this vulnerability.
There are workarounds available to mitigate the effects of the
vulnerability.
DETAILS
Vulnerable Products
Devices that are running the following release trains of Cisco IOS are
affected if Firewall Authentication Proxy for FTP and/or Telnet Sessions
is configured and applied to an active interface.
* 12.2ZH and 12.2ZL based trains
* 12.3 based trains
* 12.3T based trains
* 12.4 based trains
* 12.4T based trains
To determine the software running on a Cisco product, log in to the device
and issue the show version command to display the system banner. Cisco IOS
software will identify itself as "Internetwork Operating System Software"
or simply "IOS." On the next line of output, the image name will be
displayed between parentheses, followed by "Version" and the Cisco IOS
release name. Other Cisco devices will not have the show version command,
or will give different output.
The following example identifies a Cisco 7200 router running Cisco IOS
release 12.3(10a) with an installed image name of C7200-JK8O3S-M.
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-JK8O3S-M), Version 12.3(10a), RELEASE
SOFTWARE (fc2)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Additional information about Cisco IOS release naming can be found at
<http://www.cisco.com/warp/public/620/1.html>
http://www.cisco.com/warp/public/620/1.html.
Refer to the Details section for more information about affected and
unaffected configurations.
Products Confirmed Not Vulnerable
* Products that are not running Cisco IOS are not affected
* Products that are running Cisco IOS versions 12.2 and earlier
(including 12.0S) are not affected. (excluding 12.2ZH and 12.2ZL)
* Products that are running Cisco IOS are not affected unless they are
configured for Firewall Authentication Proxy for FTP and/or Telnet
Sessions.
* Products that are running Cisco IOS XR are not affected.
No other Cisco products are currently known to be affected by this
vulnerability.
Details
The Cisco IOS Firewall Authentication Proxy feature allows network
administrators to apply specific security policies on a per-user basis.
With the Firewall Authentication Proxy for FTP and/or Telnet Sessions
feature, users can log into the network services via FTP and/or Telnet,
and their specific access profiles are automatically retrieved and applied
from a Remote Authentication Dial In User Service (RADIUS), or Terminal
Access Controller Access Control System Plus (TACACS+) authentication
server.
Cisco IOS Software is vulnerable to a Denial of Service (DoS) and
potentially an arbitrary code execution attack when processing the
user authentication credentials from an Authentication Proxy Telnet/FTP
session. To exploit this vulnerability an attacker must first complete a
TCP connection to the IOS device running affected software and receive an
auth-proxy authentication prompt.
This vulnerability is documented in the Cisco Bug Toolkit as Bug ID
CSCsa54608 (registered customers only)
To determine if your device is running Firewall Authentication Proxy for
FTP and/or Telnet Sessions feature, log into the device and issue the show
ip auth-proxy configuration command to display the configuration of
Firewall Authentication Proxy services. The following example identifies
Firewall Authentication Proxy services running for Telnet and FTP under
the proxy rule name proxy_example.
Router#show ip auth-proxy configuration
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication Proxy Watch-list is disabled
Authentication Proxy Rule Configuration
Auth-proxy name proxy_example
ftp list not specified auth-cache-time 60 minutes
telnet list not specified auth-cache-time 60 minutes
The following will be seen if Firewall Authentication Proxy services are
not enabled but supported in your IOS version:
Router#show ip auth-proxy configuration
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication Proxy Watch-list is disabled
Router#
The following will be seen if running a version of IOS that does not
support Firewall Authentication Proxy services:
Router#show ip auth-proxy configuration
^
% Invalid input detected at '^' marker.
Router#
A router that has Firewall Authentication Proxy services assigned to an
interface will have ip auth-proxy command under an interface in the show
running-config output.
The following example identifies Firewall Authentication Proxy services
running under the proxy rule name "proxy_example" applied to the interface
Ethernet 2/1:
Router#show ip auth-proxy configuration
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication Proxy Watch-list is disabled
Authentication Proxy Rule Configuration
Auth-proxy name proxy_example
ftp list not specified auth-cache-time 60 minutes
telnet list not specified auth-cache-time 60 minutes
Router#show running-config
!
!
!
interface Ethernet2/1
ip address 10.1.1.1 255.255.255.0
ip auth-proxy proxy_example
!
!
!
Additional information about Cisco IOS Firewall Authentication Proxy
services refer to:
<http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/iosfw2_1.htm> Cisco IOS Firewall Authentication Proxy.
Additional information about Cisco IOS Firewall Authentication Proxy for
FTP and/or Telnet Sessions refer to:
<http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123_1/ftp_tel.htm> Firewall Authentication Proxy for FTP and Telnet Sessions
Impact
Successful exploitation of the vulnerability on Cisco IOS may result in a
reload of the device or execution of arbitrary code. Repeated exploitation
could result in a sustained DoS attack or execution of arbitrary code on
Cisco IOS devices.
Software Versions and Fixes
The following link provides information on affected versions and their
appropriate patches:
<http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml#software> http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml#software
Workarounds
The effectiveness of any workaround is dependent on specific customer
situations such as product mix, network topology, traffic behavior, and
organizational mission. Due to the variety of affected products and
releases, customers should consult with their service provider or support
organization to ensure any applied workaround is the most appropriate for
use in the intended network before it is deployed.
Disable Cisco IOS Firewall Authentication Proxy feature for Telnet/FTP
sessions
In networks where Cisco IOS Firewall Authentication Proxy feature for
Telnet/FTP sessions is not required but enabled, disabling the feature on
an IOS device will eliminate exposure to this vulnerability. On a router
which is configured for Cisco IOS Firewall Authentication Proxy feature
for Telnet/FTP sessions, this must be done by issuing the command:
"no ip auth-proxy name 'auth-proxy-name' {ftp | telnet}"
Deploy Cisco IOS Firewall Authentication Proxy feature for HTTP/HTTPS
sessions
Configure the device with Cisco IOS Firewall Authentication Proxy feature
for HTTP and/or HTTPS sessions and allow the Telnet and FTP services
within the per-user TACACS+/RADIUS profile. Disable Authentication proxy
for Telnet/FTP sessions to eliminate exposure.
An example of the configuration statements for HTTP session Auth-proxy is:
! Configure auth-proxy for http session authentication
ip auth-proxy name http-proxy http
! Configure the router's web server to service auth-proxy
authentication attempts
ip http server
! Set the HTTP server authentication method to AAA
ip http authentication aaa
Additional auth-proxy and web server configuration settings are available.
For details see:
<http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/iosfw2_1.htm> Cisco IOS Firewall Authentication Proxy
After successful authentication via HTTP/HTTPS, the user can initiate
required FTP or Telnet sessions. The example shown below for Cisco Secure
Windows (TACACS+) server profile Group setting allows FTP and Telnet as
part of access-list entry proxyacl#2=permit tcp any any
priv-lvl=15
proxyacl#1=permit icmp any any
proxyacl#2=permit tcp any any
proxyacl#3=permit udp any any
Mitigations
Not all of the mitigation strategies listed will work for all customers.
Some of the workarounds listed are dependent on which versions and
feature-sets of IOS you have in your network. These mitigation
strategies, may help reduce exposure to this vulnerability. To eliminate
exposure to this vulnerability, customers should apply one of the
workarounds listed above, or upgrade to a fixed release of Cisco IOS.
Access Control Lists (ACLs)
Deploying IP access-lists can mitigate the effects of this vulnerability
by allowing Firewall Authentication Proxy access only from trusted
subnets. This feature must be used in conjunction with interface
access-lists to ensure that IP traffic from un-trusted subnets is dropped
by the router and not forwarded around the auth-proxy feature. Once the IP
access-list is created, it is applied to the Authentication proxy by
adding the keyword "list" followed by the IP access-list name or number.
In the example below the trusted network is 169.160.160.0/24 and the
auth-proxy router interface is 10.66.65.47. Example:
! Permit trusted network 169.160.160.0/24 to access auth-proxy
access-list 105 permit tcp 169.160.160.0 0.0.0.255 any eq telnet
!
! Deny all IP traffic that is not authenticated by auth-proxy
! Note: Management and Control traffic to the router itself would
! need to be allowed in this access-list
access-list 106 deny ip any any
!
! Modify the telnet auth-proxy config to use access-list 105
ip auth-proxy name tel-proxy telnet inactivity-time 60 list 105
!
! Apply interface access-list 106 and auth-proxy test
interface FastEthernet1/0
ip address 10.66.65.47 255.255.255.0
ip access-group 106 in
ip auth-proxy tel-proxy
For further information on creating IP access lists see Protecting Your
Core: Infrastructure Protection Access Control Lists
<http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml> Protecting Your Core: Infrastructure Protection Access Control Lists
and
Transit Access Control Lists: Filtering at Your Edge
<http://www.cisco.com/warp/public/707/tacl.html>
http://www.cisco.com/warp/public/707/tacl.html
Control Plane Policing
The Control Plane Policy (CoPP) feature can be used to mitigate the
effects of this vulnerability by only allowing trusted hosts to attempt
connections through the auth-proxy router.
Care must be taken to ensure that legitimate management connections to the
auth-proxy router itself are not dropped by the CoPP policy.
In the following example trusted management host 169.160.160.1 is allowed
to establish Telnet connections to the auth-proxy router itself. Trusted
network 169.160.160.0/24 is allowed to attempt FTP and Telnet auth-proxy
connections to IP networks and addresses other than the auth-proxy router
itself. All other inbound FTP and Telnet connections attempts are denied.
The auth-proxy router's IP addresses are 172.16.1.1 (Internet Side),
1.1.1.1/24 and 10.66.65.47 (Internal). Telnet/FTP server is 172.168.1.1.
! Do not police Telnet from trusted management host 169.160.160.1
to the auth-proxy
! router
access-list 105 remark ** Do not police telnet from Trusted Hosts
to Auth-Proxy Router **
access-list 105 deny tcp host 169.160.160.1 host 172.16.1.1 eq
telnet
access-list 105 deny tcp host 172.168.1.1 host 1.1.1.1 eq telnet
access-list 105 deny tcp host 172.168.1.1 host 10.66.65.47 eq
telnet
!
! Police all other telnet and ftp connections to the auth-proxy
router
access-list 105 remark ** Police all other telnet/ftp attempts to
Auth-Proxy Router **
access-list 105 permit tcp any host 172.16.1.1 eq telnet
access-list 105 permit tcp any host 1.1.1.1 eq telnet
access-list 105 permit tcp any host 10.66.65.47 eq telnet
access-list 105 permit tcp any host 172.16.1.1 eq ftp
access-list 105 permit tcp any host 1.1.1.1 eq ftp
access-list 105 permit tcp any host 10.66.65.47 eq ftp
!
! Allow telnet and ftp auth-proxy for trusted network
169.160.160.0/24
access-list 105 remark ** Allow Auth-Proxy sessions from trusted
networks **
access-list 105 deny tcp 169.160.160.0 0.0.0.255 any eq telnet
access-list 105 deny tcp 169.160.160.0 0.0.0.255 any eq ftp
!
! Allow telnet and ftp auth-proxy for trusted network back to
169.160.160.0/24
access-list 105 remark ** Allow Auth-Proxy sessions to trusted
networks **
access-list 105 deny tcp host 172.168.1.1 169.160.160.0 0.0.0.255
!
! Allow TACACS+ from ACS server 10.66.79.229
access-list 105 remark ** Ensure we can still communicate with
TACACS+ Server **
access-list 105 deny tcp host 10.66.79.229 gt 1023 host
10.66.65.47 eq 49
access-list 105 deny tcp host 10.66.79.229 eq 49 host 10.66.65.47
gt 1023
!
! Police all TCP based management traffic from un-trusted hosts
! Note: If BGP is configured it would need to be allowed before
this access-list entry
access-list 105 remark ** Drop any other TCP connections **
access-list 105 permit tcp any any
!
! Do not police any other type of traffic going to the router
access-list 105 remark ** Rest do not police **
access-list 105 deny ip any any
!
class-map match-all only-allow-trusted-hosts
match access-group 105
!
policy-map control-plane-policy
! Drop all traffic that matches the class
"only-allow-trusted-hosts"
class only-allow-trusted-hosts
drop
!
control-plane
service-policy input control-plane-policy
Note: CoPP is available only in IOS release trains 12.0S, 12.2S and 12.3T.
Additional information on the configuration and use of the CoPP feature
can be found at the following URL:
<http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper09186a00801afad4.shtml> Control Plane Policing
Transit Access Control Lists
Additional mitigation can be added by Transit Access Control Lists that
filter transit and edge traffic at network ingress points should be
configured so that IP traffic is only allowed from legitimate, trusted IP
addresses. For more information on tACLs, refer to:
<http://www.cisco.com/warp/public/707/tacl.html>
http://www.cisco.com/warp/public/707/tacl.html
ADDITIONAL INFORMATION
The information has been provided by <mailto:psirt@cisco.com> Cisco
Systems Product Security Incident Response Team.
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml>
http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] IIS 5.1 Source Disclosure Under FAT/FAT32 Volumes Using WebDAV"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
