[nsp] Cisco Security Advisory: Cable Modem Termination System Authentication Bypass

From: Cisco Systems Product Security Incident Response Team (psirt@cisco.com)
Date: Mon Jun 17 2002 - 15:00:00 EDT


-----BEGIN PGP SIGNED MESSAGE-----

Cisco Security Advisory: Cable Modem Termination System Authentication
Bypass

Revision 1.0 Final

For Public Release 2002 June 17 at 19:00 GMT

- ---------------------------------------------------------------------------

Contents

    Summary
    Affected Products
    Details
    Impact
    Software Versions and Fixes
    Obtaining Fixed Software
    Workarounds
    Exploitation and Public Announcements
    Status of This Notice
    Distribution
    Revision History
    Cisco Security Procedures

- ---------------------------------------------------------------------------

Summary
=======

Two issues are described in this security advisory.

The first issue involves cable modems not manufactured by Cisco that allow
a configuration file to be downloaded from an interface that is not
connected to the network of the cable modem's service provider. This
historical behavior allows an unauthorized configuration to be downloaded
to the cable modem. Cisco is providing a feature in its own software that
mitigates this vulnerability. This feature is documented as CSCdx57688.

The second issue concerns a vulnerability in Cisco IOS Software on only
the Cisco uBR7200 series and uBR7100 series Universal Broadband Routers. A
defect, documented as CSCdx72740, allows the creation of a truncated,
invalid configuration file that is improperly accepted as valid by the
affected routers.

Both of these vulnerabilities have been exploited to steal service by
reconfiguring the cable modem to remove bandwidth restrictions. Cisco is
making free software upgrades available to address these issues. The most
current official copy of this document is available at
http://www.cisco.com/warp/public/707/cmts-MD5-bypass-pub.shtml.

Affected Products
=================

Only the Cisco uBR7200 series and uBR7100 series Universal Broadband
Routers are affected.

Note that the Cisco uBR10000 series Universal Broadband Routers are not
affected.

Part of the problem described in detail below is present in products
produced by other manufacturers, but Cisco is providing a fix to mitigate
the vulnerability.

No other Cisco products are affected.

Details
=======

The two issues described in this document affect the proper operation of
cable modem systems. One issue results from historical behavior of cable
modems not manufactured by Cisco. The other issue results from a defect in
Cisco IOS Software running on a cable modem termination system (CMTS) that
allows a cable modem to operate with an invalid configuration.

When a cable modem in a customer premises environment (CPE) initializes, it
obtains a configuration file from the service provider's network using the
Trivial File Transfer Protocol (TFTP) via a coaxial cable connection to the
service provider's network. Historically, cable modems from other,
non-Cisco manufacturers allow the configuration information to be
downloaded via the device's Ethernet interface. By running a TFTP server on
a customer premises computer and setting that computer's IP address equal
to the service provider's TFTP server, a different configuration file can
be downloaded to such a cable modem from the customer premises network.

The industry-standard Data Over Cable Service Interface Specification
(DOCSIS) for cable modem configuration information includes a Message
Integrity Check (MIC) based on a Message Digest 5 (MD5) hash of the
contents of the configuration. MD5 is a one-way (non-invertible) hash?
meaning that the input cannot be recovered from the output?and the output
is considered unique for a specific input. If the MIC is not correct, the
cable modem registration process fails and it will not be allowed to come
on line. Publicly available tools exist to create a DOCSIS-compliant
configuration, including a valid MIC. The cable shared-secret command in
Cisco IOS Software configures a password that is included in the MD5 hash
that produces the MIC; without the password, it is computationally
infeasible to produce the correct matching MIC, and the cable modem is
prevented from registering with the service provider's network.

If the shared secret is configured identically on all of the systems within
a service provider's network and TFTP spoofing is possible as shown above,
then other valid configurations containing different parameters for the
same service provider network can be interchanged and downloaded to a cable
modem. The modem will be allowed to come on line because the shared secret
is the same. In addition, while the MD5 hash is non-invertible, the shared
secret to compute it can be recovered from the CMTS router configuration.
It can be protected by using the "service password-encryption" command in
Cisco IOS Software, but the command uses "mode 7" encryption, which is
considered adequate only for basic protection from casual viewing.

A defect in Cisco IOS Software for the uBR7200 and uBR7100 series Universal
Broadband Routers causes the MD5 test to be skipped if an MIC is not
provided in the DOCSIS configuration file. A DOCSIS configuration can be
modified with a hex editor to truncate the file just before the MIC and
adjust other fields to produce an invalid configuration file that will be
accepted by the cable modem and the CMTS. When the cable modem attempts to
register, a vulnerable CMTS fails to challenge the missing MIC and allows
the cable modem to come on line. Using this vulnerability, the range of
possible configurations is no longer restricted to a small alternative set
for the same service provider; a completely custom configuration can be
generated in which all of the options can be specified. This defect is
documented as CSCdx72740, and details are available to registered users of
the Cisco website.

The Cisco IOS Software configuration command cable tftp-enforce prohibits a
cable modem from registering and coming on line if there is no matching
TFTP traffic through the CMTS preceding the registration attempt. This
feature has been introduced via CSCdx57688 and can be viewed by registered
users of the Cisco website. This new command is available on the uBR10012
router as well as the uBR7200 and uBR7100 series.

Both the cable tftp-enforce command feature and the fix for the MD5
authentication bypass are necessary to properly mitigate these
vulnerabilities, and Cisco is making fixed software available as shown
below.

Some non-Cisco cable modems may be running older versions of software that
save a local copy of the configuration information and use that cached copy
at registration time instead of obtaining the actual file from a TFTP
server. In addition to the possibility that the cable modem is not using
the proper configuration information, the cable modem's user may be
mistakenly accused of attempting theft of service.

Impact
======

These vulnerabilities can be exploited to commit theft of service. For
example, an attacker could obtain a basic level of service from a service
provider and then exploit these vulnerabilities to reconfigure the CPE
cable modem to provide greater upstream and downstream data rates. Thus the
attacker obtains premium service at a basic cost.

Removing limits on bandwidth could result in a denial of service or
degradation of performance for other users of the same cable network
segment.

Software Versions and Fixes
===========================

The Cisco IOS Software table below provides the label of the first release
within a release train that contains the fix for the vulnerability
described in this notice. A release train is assumed to be vulnerable if it
is included below unless it is specifically labeled "Not Vulnerable". Each
row of the table describes a release train and the platforms or products
for which it is intended. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (the "First Fixed Release")
and the anticipated date of availability for each are listed in the
Rebuild, Interim, and Maintenance columns. A device running a release in
the given train that is earlier than the release in a specific column (less
than the First Fixed Release) is known to be vulnerable. The release should
be upgraded at least to the indicated release or a later version (greater
than or equal to the First Fixed Release label). When selecting a release,
keep in mind the following definitions:

    Maintenance
        Most heavily tested, stable, and highly recommended release of a
        release train in any given row of the table.
       
    Rebuild
        Constructed from the previous maintenance or major release in the
        same train, it contains the fix for a specific defect. Although it
        receives less testing, it contains only the minimal changes
        necessary to repair the vulnerability.
       
    Interim
        Built at regular intervals between maintenance releases and
        receives less testing. Interims should be selected only if there is
        no other suitable release that addresses the vulnerability. Interim
        images should be upgraded to the next available maintenance release
        as soon as possible. Interim releases are not available through
        manufacturing, and usually they are not available for customer
        download from CCO without prior arrangement with the Cisco
        Technical Assistance Center (TAC).
       
Please note that the release label shown below may not be the best release
for a specific situation. In all cases, customers should exercise caution
to confirm that the devices to be upgraded contain sufficient memory and
that current hardware and software configurations will continue to be
supported properly by the new software release. If the information is not
clear, contact the Cisco TAC for assistance as shown in Obtaining Fixed
Software.

More information on Cisco IOS software release names and abbreviations is
available at http://www.cisco.com/warp/public/620/1.html.

The fixes will be available at the Software Center located at
http://www.cisco.com/public/sw-center/.

Software installation and upgrade procedures are available at
http://www.cisco.com/warp/public/130/upgrade_index.shtml.

+------------------------------------------------------------------------+
| Train | Image Description | Availability of Fixed Releases* |
| | or Platform | |
|----------------------------+-------------------------------------------|
| 11.x Releases | Rebuild | Interim** | Maintenance |
|----------------------------+-------------------------------------------|
| | Early Deployment | |
| 11.3NA | release for | Vulnerable, no fix available |
| | uBR7200 series | |
|--------+-------------------+-------------------------------------------|
| | Early Deployment | |
| | Technology | |
| 11.3T | release for | Vulnerable, no fix available |
| | multiple | |
| | platforms | |
|--------+-------------------+-------------------------------------------|
| | Early Deployment | |
| 11.3XA | Technology | Vulnerable, obsolete |
| | release for cable | |
| | platforms | |
|----------------------------+-------------------------------------------|
| 12.0 Releases | Rebuild | Interim** | Maintenance |
|----------------------------+-------------------------------------------|
| | General | |
| | Deployment | |
| 12.0 | release for | Vulnerable, no fix available |
| | multiple | |
| | platforms | |
|--------+-------------------+-------------------------------------------|
| | Early Deployment | |
| | release for | |
| 12.0SC | data-over-cable | Vulnerable, no fix available |
| | service | |
| | providers, | |
| | uBR7200 series | |
|--------+-------------------+-------------------------------------------|
| | Early Deployment | |
| | Technology | |
| 12.0T | release for | Vulnerable, no fix available |
| | multiple | |
| | platforms | |
|--------+-------------------+-------------------------------------------|
| | Early Deployment | |
| 12.0XR | Technology | Vulnerable, obsolete |
| | release for cable | |
| | platforms | |
|----------------------------+-------------------------------------------|
| 12.1 Releases | Rebuild | Interim** | Maintenance |
|----------------------------+-------------------------------------------|
| | General | |
| | Deployment | |
| 12.1 | candidate release | Vulnerable, no fix available |
| | for multiple | |
| | platforms | |
|--------+-------------------+-------------------------------------------|
| | Early Deployment | |
| 12.1CX | Technology | Vulnerable, obsolete |
| | release for cable | |
| | platforms | |
|--------+-------------------+-------------------------------------------|
| | Specific | | | |
| | Technology Early | 12.1(11b)EC1 | 12.1(11.5)EC | 12.1(12)EC |
| | Deployment | | | |
|12.1EC |release for |--------------+--------------+-------------|
| | uBR7200 and | | | |
| | uBR10k series | 2002/06/10 | 2002/06/14 | 2002/07/15 |
| | platforms | | | |
|--------+-------------------+-------------------------------------------|
| | Early Deployment | |
| 12.1T | release for | Vulnerable, no fix available |
| | multiple | |
| | platforms | |
|----------------------------+-------------------------------------------|
| 12.2 Releases | Rebuild | Interim** | Maintenance |
|----------------------------+-------------------------------------------|
| | General | |
| | Deployment | |
| 12.2 | candidate release | Vulnerable, no fix available |
| | for multiple | |
| | platforms | |
|--------+-------------------+-------------------------------------------|
| | Specific | | | |
| | Technology Early | | | |
| | Deployment | 12.2(8)BC1b | | 12.2(8)BC2 |
| | release for | | | |
| | uBR7100, uBR7200, | | | |
|12.2BC |and uBR10k series |--------------| |-------------|
| | platforms; NOT | | | |
| | VULNERABLE, but | | | |
| | includes | 2002/06/17 | | 2002/07/15 |
| | tftp-enforce | | | |
| | feature | | | |
|--------+-------------------+-------------------------------------------|
| | Early Deployment | |
| | Technology | |
| 12.2T | release for | Vulnerable, no fix available |
| | multiple | |
| | platforms | |
|--------+-------------------+-------------------------------------------|
| | Early Deployment | |
| 12.2XF | Technology | Vulnerable, obsolete |
| | release for cable | |
| | platforms | |
|------------------------------------------------------------------------|
| Notes |
|------------------------------------------------------------------------|
| * All dates are estimates and subject to change. |
| |
| ** Interim releases are subjected to less rigorous testing than |
| regular maintenance releases, and may have serious bugs. |
+------------------------------------------------------------------------+

Obtaining Fixed Software
========================

Cisco is offering free software upgrades to correct this vulnerability for
all affected customers. Customers with service contracts may upgrade to any
software release containing the feature sets they have purchased. Customers
without contracts may upgrade only within a single row of the table above,
except that any available fixed software release will be provided to any
customer who can use it and for whom the standard fixed software release is
not yet available. Customers may only install and expect support for the
feature sets they have purchased.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on the Cisco worldwide
website at http://www.cisco.com/. Customers whose Cisco products are
provided or maintained through prior or existing agreement with third-party
support organizations such as Cisco Partners, authorized resellers, or
service providers should contact that support organization for assistance
with the upgrade, which should be free of charge.

Customers without contracts should get their upgrades by contacting the
Cisco TAC:

  * +1 800 553 2447 (toll-free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested through
the TAC. Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

Workarounds
===========

There is no workaround for the MD5 bypass vulnerability. Customers are
strongly encouraged to use the cable tftp-enforce command, deploy a
shared-secret scheme and change the secret routinely, and monitor CMTS
routers for evidence of tampering with bandwidth restrictions.

If the service provider has only one service profile, then the cable qos
profile enforce command can be used to prevent cable modems from coming on
line with a configuration containing any other service profile. This
command is effective in all releases where it is supported.

The no cable qos permission modem command prevents a configuration with a
new service profile from being created. This would restrict service theft
to service profiles from known, pre-existing configuration files on the
service provider's TFTP server, assuming the file names could be guessed
and the server could be reached.

Exploitation and Public Announcements
=====================================

These vulnerabilities have been widely discussed in public and instructions
for exploiting them are available on multiple websites. The Cisco PSIRT is
aware of numerous incidents of theft of service by exploiting these
vulnerabilities.

Status of This Notice: FINAL
============================

This is a final notice. Although Cisco cannot guarantee the accuracy of all
statements in this notice, all of the facts have been checked to the best
of our ability. Cisco does not anticipate issuing updated versions of this
notice unless there is some material change in the facts. Should there be a
significant change in the facts, Cisco may update this notice.

A standalone copy or paraphrase of the text of this security advisory that
omits the origin URL in the following section is an uncontrolled copy, and
may lack important information or contain factual errors.

Distribution
============

This notice will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cmts-MD5-bypass-pub.shtml. In
addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients:

  * cust-security-announce@cisco.com
  * bugtraq@securityfocus.com
  * first-teams@first.org (includes CERT/CC)
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * comp.dcom.sys.cisco
  * firewalls@lists.gnac.com
  * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's worldwide
web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.

Revision History
================

+------------------------------------------------------------------------+
|Revision 1.0 |2002/06/17 |Initial public release |
+------------------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's worldwide
website at http://www.cisco.com/warp/public/707/sec_incident_response.shtml.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt/.

- ---------------------------------------------------------------------------

This notice is Copyright 2002 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, and include
all date and version information.

- ---------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQEVAwUBPQ5BkA/VLJ+budTTAQFn+Qf/aVdrPI6Bb6mw/msfTaZON6EgMC9EqJp/
sCAVKVVKNILtkkpa8aromCVmxZEzDZGh22rYLtfk9XGS5fM5EKbBx9sDokNDkgN3
fJbDoV8OsuHFe0bPVj1fZ66EpS4SpxRyXeT7BTXjzsZQIFTPs9fqYwMXgkhVVZnw
I9npUYx25eNIE8MALQPq+/m+b0zSu7Oidj2WWDAvg+9uiNuTjde24J2R15VKFpla
fg3/bIQvpamXDLWBi+tlL7wTcpRdWftpGpxaX6KyLTWhOwdlZUma6aO7hfG66e+G
FqTvMywNunpNnZk+eglTxODQalJXPLZwQg/Cd0rF/TlOZxnEjvr0QQ==
=kvM/
-----END PGP SIGNATURE-----



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:00 EDT