[nsp] Cisco Security Advisory: Multiple Vulnerabilities in CBOS

From: Cisco Systems Product Security Incident Response Team (psirt@cisco.com)
Date: Mon Dec 04 2000 - 14:30:00 EST


-----BEGIN PGP SIGNED MESSAGE-----

    
                        Multiple Vulnerabilities in CBOS
                                        
Revision 1.0

   For Public Release 2000 December 04 08:00 (GMT +0800)
      _________________________________________________________________
    
Summary

    Multiple vulnerabilities have been identified and fixed in CBOS, an
    operating system for the Cisco 600 family of routers.
      * Any router in the Cisco 600 family that is configured to allow Web
        access can be locked by sending a specific URL. Web access is
        disabled by default, and it is usually enabled in order to
        facilitate remote configuration. This defect is documented as
        Cisco bug ID CSCdr98772.
      * By sending a stream of TCP SYN packets to the router, it is
        possible to exhaust all available TCP sockets. The consequence is
        that no new TCP sessions addressed to the router will be
        established. The difference between this vulnerability and a SYN
        Denial-of-Service attack is that this one can be accomplished by a
        slow stream of packets (one per second). This defect is documented
        as Cisco bug ID CSCds59206.
      * Invalid login attempts using the Web interface are not logged.
        This defect is documented as Cisco bug ID CSCds19142.
      * It is possible to lock up the router by sending a large ICMP ECHO
        (PING) packet to it. This defect is documented as Cisco bug ID
        CSCds23921.
        
    The following releases of CBOS are vulnerable to all defects: 2.0.1,
    2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7 and
    2.3.8.
    
    These defects will be fixed in the following CBOS releases: 2.3.5.015,
    2.3.7.002, 2.3.9 and 2.4.1. Customers are urged to upgrade to releases
    that are not vulnerable to this defect as shown in detail in the
    section Software Versions and Fixes below.
    
    This advisory is available at the
    http://www.cisco.com/warp/public/707/CBOS-multiple.shtml .
    
Affected Products

    The affected models are: 627, 633, 673, 675, 675E, 677, 677i and 678.
    
    These models are vulnerable if they run any of the following, or
    earlier, CBOS releases: 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a,
    2.3, 2.3.2, 2.3.5, 2.3.7 and 2.3.8.
    
    No other releases of CBOS software are affected by this vulnerability.
    No other Cisco products are affected by this vulnerability.
    
    These defects will be fixed in the following CBOS releases: 2.3.5.015,
    2.3.7.002, 2.3.9 and 2.4.1
    
Details

    CSCdr98772
           The behavior is caused by inadequate URL parsing in CBOS. Each
           URL was expected to terminate with a minimum of a single space
           character (ACSII code 32, decimal). Sending a URL that does not
           terminate with a space causes CBOS to enter an infinite loop.
           It is necessary to power cycle the router to resume operation.
           
           In order to exploit this vulnerability, a router must be
           configured to accept Web connections. Having a Web access
           password configured does not provide protection against this
           vulnerability.
           
           Note:Web access on all Cisco 600 routers is disabled by default
           and must be explicitly enabled.
           
    CSCds59206
           By sending a stream of SYN packets addressed to the router, it
           is possible to exhaust all available TCP sockets within CBOS.
           This is due to the memory leak in CBOS. When a router is set
           into a state where it cannot accept a new connection, it can be
           maintained in this state by a slow stream of SYN packets until
           the router is rebooted. The stream can be as slow as one packet
           per second, so one machine with a 64Kb connection can hold up
           approximately 150 routers.
           
           Note: This does not effect non-TCP traffic. All User Datagram
           Protocol (UDP) and Internet Control Message Protocol (ICMP)
           packets can be handled by a router without any problems. All
           existing and new TCP sessions through the router will not be
           affected.
           
           When an attacking stream is terminated, a router recovers
           itself within a few minutes.
           
    CSCds19142
           Using the Cisco Web Management interface, it is possible to
           keep guessing an access password without those password
           attempts being logged. A password may be either "exec-only" or
           "enable". A user with an "exec-only" password cannot change a
           router configuration.
           
    CSCds23921
           By sending a large (at least 65500 bytes in size) ICMP ECHO
           (PING) packet to the router itself, it is possible to overflow
           an internal variable and cause router lockup. The router is not
           affected by the packets which are routed through it.
           
Impact

    CSCdr98772
           By sending a tailored URL to a router, it is possible to cause
           a Denial-of-Service. Every affected router must be powered off
           and back on in order to restore its normal functionality.
           
    CSCds59206
           It is possible to prevent all TCP access to a router. This
           blocks all attempts at remote router administration.
           
    CSCds19142
           Long term, brute force password guessing can be performed
           without being noticed. When the correct password is guessed, it
           can be used to view or modify router configuration. This may be
           particularly dangerous in installations where multiple routers
           have the same password.
           
    CSCds23921
           It is possible to lock up the router thus causing
           Denial-of-Service. Every affected device must be powered off
           and back on in order to restore its normal functionality.
           
Software Versions and Fixes

    The following table summarizes the CBOS software releases affected by
    the defects described in this notice and scheduled dates on which the
    earliest corresponding fixed releases will be available. Dates are
    tentative and subject to change.
    
+===========+================+==============================================+
| | | |
| Release | Description or | Availability of Repaired Releases* |
| | Platform |==================+===========================+
| | | Patch release** | General Availability (GA) |
+===========+================+==================+===========================+
| All | 627, 633, 673 | 2.3.5.015 | |
| releases | 675, 677, 678 | 2000-DEC-11 | |
+-----------+----------------+------------------+---------------------------+
| 2.3.7.001 | 677i | 2.3.7.002 | |
| | | 2000-DEC-11 | |
+-----------+----------------+------------------+---------------------------+
| All | All platforms | | 2.3.9 |
| releases | | | 2001-JAN |
+-----------+----------------+------------------+---------------------------+
| All | All platforms | | 2.4.1 |
| releases | | | 2000-DEC-11 |
+===========+================+==================+===========================+
| Notes |
+===========================================================================+
|* All dates are estimated and subject to change. |
+---------------------------------------------------------------------------+
|** Patch releases are subjected to less rigorous testing than regular |
| GA releases, and may have serious bugs. |
+===========================================================================+

    
Obtaining Fixed Software

    Cisco is offering free software upgrades to eliminate this
    vulnerability for all affected customers.
    
    Customers with contracts should obtain upgraded software through their
    regular update channels. For most customers, this means that upgrades
    should be obtained through the Software Center on Cisco's Worldwide
    Web site at http://www.cisco.com.
    
    Customers without contracts should get their upgrades by contacting
    the Cisco Technical Assistance Center (TAC). TAC contacts are as
    follows:
      * +1 800 553 2447 (toll-free from within North America)
      * +1 408 526 7209 (toll call from anywhere in the world)
      * e-mail: tac@cisco.com
        
    Give the URL of this notice as evidence of your entitlement to a free
    upgrade. Free upgrades for non-contract customers must be requested
    through the TAC. Please do not contact either "psirt@cisco.com" or
    "security-alert@cisco.com" for software upgrades.
    
Workarounds

    CSCdr98772
           There are two workarounds for this vulnerability. The potential
           for exploitation can be lessened by ensuring that Web access to
           the router is limited to a legitimate IP address.
           
           This can be done by entering the following commands while in
           enable mode:
           
           cbos# set web remote 10.0.0.1
           cbos# set web remote enabled
           
           where 10.0.0.1 is the address of the host with a legitimate
           need for Web access to the router.
           
           Alternatively, disabling the Web access completely will also
           prevent this vulnerability from being exploited. This can be
           done by entering the following command while in enable mode:
           
           cbos# set web remote disable
           
    CSCds59206
           There is no workaround for this vulnerability.
           
    CSCds19142
           The Web Management interface can be disabled by entering the
           following commands in enable mode:
           
           cbos# set web remote disable
           
    CSCds23921
           All incoming ICMP ECHO (PING) packets destined to the router
           itself should be denied. That can be achieved by following
           commands:
           
           cbos# set filter number on deny incoming all 0.0.0.0 0.0.0.0
           <eth0_IP_address> 255.255.255.255 protocol ICMP
           cbos# set filter number+1 on deny incoming all 0.0.0.0 0.0.0.0
           <wan0_IP_address> 255.255.255.255 protocol ICMP
           
           Where number is a free filter number between 0 and 17.
           
Exploitation and Public Announcements

    The vulnerability CSCdr98772 was discovered by several customers. It
    was also discussed at public forums. PSIRT has received reports that
    this vulnerability has been exploited in vivo.
    
    The vulnerability CSCds23921 was discovered by a customer. The other
    two vulnerabilities (CSCds59206 and CSCds19142) were discovered during
    internal testing.
    
    The Cisco Product Security Incident Response Team (PSIRT) is not aware
    of any public announcements of CSCds59206, CSCds19142 and CSCds23921.
    
Status of This Notice: INTERIM

    This is an interim notice. Cisco expects the contents of this report
    to change. The reader is warned that this notice may contain
    inaccurate or incomplete information. Although Cisco cannot guarantee
    the accuracy of all statements in this notice, all of the facts have
    been checked to the best of our ability. Cisco anticipates issuing
    monthly updates of this notice until it reaches final status.
    
Distribution

    This notice will be posted on Cisco's Worldwide Web site at
    http://www.cisco.com/warp/public/707/CBOS-multiple.shtml. In addition
    to Worldwide Web posting, a text version of this notice is
    clear-signed with the Cisco PSIRT PGP key and is posted to the
    following e-mail and Usenet news recipients:
      * cust-security-announce@cisco.com
      * bugtraq@securityfocus.com
      * first-teams@first.org (includes CERT/CC)
      * cisco@spot.colorado.edu
      * comp.dcom.sys.cisco
      * firewalls@lists.gnac.com
      * Various internal Cisco mailing lists
        
    Future updates of this notice, if any, will be placed on Cisco's
    Worldwide Web server, but may or may not be actively announced on
    mailing lists or newsgroups. Users concerned about this problem are
    encouraged to check the URL given above for any updates.
    
Revision History

    Revision 1.0 2000-December-03 21:00 GMT+00 Draft for initial public
    release
    
Cisco Security Procedures

    Complete information on reporting security vulnerabilities in Cisco
    products, obtaining assistance with security incidents, and
    registering to receive security information from Cisco, is available
    on Cisco's Worldwide Web site at
    http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
    includes instructions for press inquiries regarding Cisco security
    notices.

    ----------------------------------------------------------------------
    This notice is Copyright 2000 by Cisco Systems, Inc. This notice may
    be redistributed freely after the release date given at the top of the
    text, provided that redistributed copies are complete and unmodified,
    and include all date and version information.
    ----------------------------------------------------------------------
    

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQEVAwUBOiv9sWiN3BRdFxkbAQF2CAgAhKReLyLJF6V+k0w/+e9w1MGS1ajrikeN
AgpbC3Mw60dgBZojrLkWGuUUTR/Le4mBFJmtLVGt1xTiu2K+TEsGxfXrZWCSffl/
JyQaCk2+8Jh1FMkA91XDCLYs2Bi94sJyrTrKZ7zc9K4rmiGKId85/WFCDsiScOEI
Ss7uZ7UmRNcvZ/dvwnUHEfjKNe770mNNnPo5bfG6eLTvEhCTOvw4ssgWcBpmcdS/
kVjpCViI3uuHBBr0Z6fdqVue6/1GfCPi1kJg8PEhi1K3lShKeQ4Vh8W5WTOa9SYo
YRiCSkruqC0TQu4ZLiX2vWSgoIncEc9YemSlhgGFMdc2sRMmhiSBvg==
=VpM3
-----END PGP SIGNATURE-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 6.5.2

mQENAzhQ8qUCYQEIALshjezuQIzQT3zZrKrQit2HTNarH8iba6HLdN2niIDGW9LN
ShhH0kPdD57EeOAkO2ccNvgY4HvJESgykBS6z86HULeiSVMv89TfQsKOv34cczYm
BeYtcfbgkm4MM/37UjFxUGAIoOxVX/bzya/tegiYPAaTsOcaonxqaOds/kLIR32S
/+3vcV6tu9QiiLwdKAGSN+KkrREP3qTFzKxmus1DKFz5o03yDMtYGplRQ62iae21
I8NbQtVXvARN5bdG5+4KaqI9hsT/tz8dh8OgapdaD6ht0qkY8J2DGIa1xnai4Vbe
hoz7Vozf65LErlbRWBVAn6XBD3qtaI3cFF0XGRsABRG0R0Npc2NvIFN5c3RlbXMg
UHJvZHVjdCBTZWN1cml0eSBJbmNpZGVudCBSZXNwb25zZSBUZWFtIDxwc2lydEBj
aXNjby5jb20+iQEVAwUQOFDypWiN3BRdFxkbAQEVgAf/Qins/ms1PNhD4ucJyGCY
V60wz6hQX5FXCKxewSxPOMOxkbQeiNxqENYldTwH6RZ2eVXYJX0PKZjhUmpQCwg7
aYQUv8GeROxQYlJx/j2FKmQcjIWLHQZImb7FxTFt0rgcCJI+ChGu8U3IqOmyeBmE
44qXxU/IGhJaXj8jIkSUxeKFQtI9JSxsfNiqX8itjeJlYTF8Y1MnTiuhikM3y7JM
sQFzrKSzhzfPcc3RqDAtbwYtvmb+6/9IGkHks2hox5ltJZ5v2c4lbReEpmLweDSf
enojuPPoPug8zRS/xa1uHzSZ3XKQwLWfjwZwGMzTTHOAiMWo6wlbhNnR4LlN/upv
uIkARgQQEQIABgUCOFDzRAAKCRBwkpqcbcMYIVfZAJ4z5xm+IJuj+byK+gNsNY7X
FK4THgCfS0n95c/Gxvu9tOvRFH+uwQh2dgGJAHUDBRA4UPNs3nAfbKMmz4kBAejY
AvoD771l0JZWwf5XmoCWLL0ChzbdFJqTsnd2zG4jGr1J91dkES4YDir4itqyWVRA
VFzalYCYouNPhOJZKLXUphQnAQ7x74cDznEw+MYT9eavbYcSeKkBZNEdjE3vf67x
4fSJAJUDBRA4UP5XwAV6rQ+eJbkBAX2CA/9GPlvk9EWTS54M6uTJCtC/6Bcx7phz
InAUYEX7gjlBmNF7MdIy1UdUsNL2rTdR26peB6VwzT6uXRG+RbhpGVvfHdEmJ2ec
brKaUmFisrVWB7Ho9NOo72xTru7GeJxGHb0xRcsDMCIYfyOCMvbr6lxMMAcD9zx3
nMx4VDJ7RfSStrRQQ2lzY28gU3lzdGVtcyBQcm9kdWN0IFNlY3VyaXR5IEluY2lk
ZW50IFJlc3BvbnNlIFRlYW0gPHNlY3VyaXR5LWFsZXJ0QGNpc2NvLmNvbT6JARUD
BRA4UPL6aI3cFF0XGRsBAdYKCACIhd2yDPXITE2pQzukNo+jxrMeSnqvl4DUoP6f
Ai64KLGYAqo+ZWuyFd1JLT5CtsaWuLXEBvt/9SevI/qbN18c9eSBko3wNcO49C+T
s0uttahHplxMgArqTK8y1u35C7QUz0T9xRLPaKvXYARw3/wFdaPQYehrVWBThbxk
KxJuamT3OT5uB7NgtkHK1nHpxuATj39EnvZSUTWe45ZBVulduGMG7grYRCQJ1jrG
2Ei0FO/adFKZU6DxSygwjWCM9Fdh/dncs00G7tXW8fpfIRmdsVZuYIQ7HPkoiUJF
87Hw+mdkZHiTAhPMuNO9AamZsIF65QcD4vera/zOXwU+MUcaiQBGBBARAgAGBQI4
UPNYAAoJEHCSmpxtwxghi9gAn12vk1AazXrc9GVCdXC5oFpi1TmlAJ9BsHkWwGUr
mLSAE3OE70LjxHHhDokAdQMFEDhQ84DecB9soybPiQEB2NoC/jSF5glFC5jfYjAp
VMiZHgGZDA49lcf/VZDz7ZeJAkOtZZHzlycVAlCukLl0sXfIhgygmWj6WQPPIF2z
COEjVgR625CRbYhrqC0H9ieWYJ3fu7GILoEb200GbSgUZifvq4kAlQMFEDhQ/mvA
BXqtD54luQEBWzAD/31F6aic5ZV/u6HY/ChORildURolK8LfNTwwsmwN32ZcJOUb
gSsU5cafE5XGaWvgVrPVKwAH9DFcviElBK+n7fhw+SRS5x+Ar8tZMKEgP5I9yIZX
DHwNZmFdpmk95xoK4TvCd3iyj23HcaoAGroRtuVrv5UtBG9P+FDMxScgO/cR
=sJ3p
-----END PGP PUBLIC KEY BLOCK-----



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:22 EDT