26 March, 2009
Summary:
- These vulnerabilities affect: Many devices running Cisco IOS
- How an attacker exploits them: Multiple vectors of attack; in the most common, the attacker sends specially crafted network packets
- Impact: Various results; these include many Denial of Service (DoS) vulnerabilities and a privilege elevation flaw
- What to do: Administrators who manage Cisco IOS devices should download, test, and deploy the appropriate Cisco updates as soon as possible
Six months ago, Cisco announced plans to implement a twice-yearly patch cycle that would fall on the fourth Wednesday of March and September. Yesterday marked another Cisco biannual patch day, for which they released eight security advisories. All of these advisories cover security vulnerabilities that affect devices running Cisco’s Internetwork Operating System (IOS) software. IOS is the operating system that runs on most Cisco routers and switches.
While Cisco’s IOS advisories differ in technical ways, all but one of them cover vulnerabilities that attackers could exploit in Denial of Service (DoS) attacks. The remaining flaw involves a privilege elevation that a local attacker could exploit to read and write to files on your Cisco device. For a complete list of today’s IOS alerts, check out Cisco’s Bundled Advisory for March 25th. We summarize three of the IOS advisories below:
Cisco Document ID 109323: IOS Secure Copy privilege escalation vulnerability.
The Secure Copy Protocol (SCP) is a network protocol, based on SSH, designed to securely transfer files between two hosts. In short, IOS’s SCP server implementation suffers from a vulnerability that allows authenticated users to transfer files to and from your Cisco device, even if you haven’t authorized that user to have SCP access. A local attacker could exploit this flaw to retrieve or write to any file on your IOS device, including its configuration file, which may contain sensitive information such as passwords. However, in order to exploit this flaw the attacker must have valid credentials on your IOS device, which limits this to primarily an inside threat.
Base CVSS Score: 9.0 (10 being the most severe)
Cisco Document ID 109314: IOS cTCP DoS vulnerabilities.
According to Cisco, the Cisco Tunneling Control Protocol (cTCP) is a proprietary Cisco protocol used by Easy VPN remote devices operating in environments in which standard IPSec does not function transparently without modification to existing firewall rules. Cisco’s implementation of this protocol suffers from a memory exhaustion vulnerability. By sending a series of TCP packets, an attacker could exploit this flaw to exhaust your IOS device’s memory, leading to a DoS condition. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit these vulnerabilities to knock your network offline. However, only administrators who have configured their IOS device with Cisco Tunneling Control Protocol (cTCP) encapsulation for EZVPN server are vulnerable to this flaw.
Base CVSS Score: 7.8
Cisco Document ID 109322: IOS SIP DoS vulnerability.
The Session Initiation Protocol (SIP) is a popular signaling standard used by many Voice over IP (VoIP) products. Unfortunately, IOS’s SIP handling implementation suffers from an unspecified DoS vulnerability. By sending a specially crafted SIP message to your IOS device, an attacker could exploit this vulnerability to reload your IOS device. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit these vulnerabilities to knock your network offline. This vulnerability only affects IOS devices with SIP voice services enabled.
Average CVSS Score: 7.8
The remaining five advisories fix flaws just as severe as the ones described above. For greater detail on all of Cisco’s March vulnerabilities, check out the individual advisories in the References section of this alert, or refer to Cisco’s bundled security advisory for March 2009.
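To triage which devices run the features named in the three advisories above, the following added example (not part of the original alert or Cisco's advisories) scans saved running-configs for the relevant global commands. The command patterns, device names and sample configs are assumptions constructed for illustration.

```python
import re

# Global-config lines this example treats as "feature enabled". The command
# forms are assumptions, not from the alert; verify them against each Cisco
# advisory's "Affected Products" section before relying on the result.
FEATURE_PATTERNS = {
    "109323 (SCP privilege escalation)": re.compile(r"^ip scp server enable\b"),
    "109314 (cTCP DoS)": re.compile(r"^crypto ctcp\b"),
    "109322 (SIP DoS)": re.compile(r"^dial-peer voice\b"),
}


def audit_config(config_text):
    """Return {advisory: [(line_number, line), ...]} for one running-config."""
    hits = {}
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.rstrip()
        # Global commands start in column 0; indented sub-commands, negated
        # ("no ...") lines and "!" comments therefore never match.
        for advisory, pattern in FEATURE_PATTERNS.items():
            if pattern.match(line):
                hits.setdefault(advisory, []).append((number, line))
    return hits


def exposure_report(configs):
    """Map each device name to the sorted advisories its config exposes."""
    return {name: sorted(audit_config(text)) for name, text in configs.items()}


# Constructed sample configs (hypothetical devices, not real output).
SAMPLE_CONFIGS = {
    "edge-rtr-1": "hostname edge-rtr-1\n!\nip ssh version 2\n"
                  "ip scp server enable\n!\ncrypto ctcp port 10000\n",
    "voice-gw-1": "hostname voice-gw-1\nno ip scp server enable\n!\n"
                  "dial-peer voice 100 voip\n session protocol sipv2\n",
    "core-sw-1": "hostname core-sw-1\n! ip scp server enable (disabled)\n",
}

if __name__ == "__main__":
    for device, advisories in exposure_report(SAMPLE_CONFIGS).items():
        print(device, "->", ", ".join(advisories) or "none of the three")
```

A match only shows that the feature is turned on; whether the device is actually vulnerable still depends on its IOS release, as listed in each advisory's fixed-software tables.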
Solution Path:
Cisco has released patches to fix these vulnerabilities. If you use any Cisco device running IOS software, you should immediately consult the “Software Versions and Fixes” and “Obtaining Fixed Software” sections of Cisco’s bundled security advisory for March 2009 to learn which fixes apply to your devices, and how to obtain them. You can also refer to the “Software Versions and Fixes” and “Obtaining Fixed Software” sections of each of the individual alerts linked below.
For All WatchGuard Users:
Since these vulnerabilities can affect your router, which is typically in front of your WatchGuard firewall, the solutions above are your primary recourse.
Status:
Cisco has made fixes available.
References:
- Cisco Bundled March 2009 Security Advisory
- Cisco IOS cTCP Denial of Service Vulnerability
- Cisco IOS Software Multiple Features IP Sockets Vulnerability
- Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
- Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
- Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
- Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability
- Cisco IOS Software Multiple Features Crafted UDP Packet Vulnerability
- Cisco IOS Software WebVPN and SSLVPN Vulnerabilities