-----BEGIN PGP SIGNED MESSAGE-----
Multiple Vulnerabilities in CBOS
Revision 1.0
For Public Release 2000 December 04 08:00 (GMT +0800)
_________________________________________________________________
Summary
Multiple vulnerabilities have been identified and fixed in CBOS, an
operating system for the Cisco 600 family of routers.
* Any router in the Cisco 600 family that is configured to allow Web
access can be locked by sending a specific URL. Web access is
disabled by default, and it is usually enabled in order to
facilitate remote configuration. This defect is documented as
Cisco bug ID CSCdr98772.
* By sending a stream of TCP SYN packets to the router, it is
possible to exhaust all available TCP sockets. The consequence is
that no new TCP sessions addressed to the router will be
established. The difference between this vulnerability and a SYN
Denial-of-Service attack is that this one can be accomplished by a
slow stream of packets (one per second). This defect is documented
as Cisco bug ID CSCds59206.
* Invalid login attempts using the Web interface are not logged.
This defect is documented as Cisco bug ID CSCds19142.
* It is possible to lock up the router by sending a large ICMP ECHO
(PING) packet to it. This defect is documented as Cisco bug ID
CSCds23921.
The following releases of CBOS are vulnerable to all defects: 2.0.1,
2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7 and
2.3.8.
These defects will be fixed in the following CBOS releases: 2.3.5.015,
2.3.7.002, 2.3.9 and 2.4.1. Customers are urged to upgrade to releases
that are not vulnerable to this defect as shown in detail in the
section Software Versions and Fixes below.
This advisory is available at the
http://www.cisco.com/warp/public/707/CBOS-multiple.shtml .
Affected Products
The affected models are: 627, 633, 673, 675, 675E, 677, 677i and 678.
These models are vulnerable if they run any of the following, or
earlier, CBOS releases: 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a,
2.3, 2.3.2, 2.3.5, 2.3.7 and 2.3.8.
No other releases of CBOS software are affected by this vulnerability.
No other Cisco products are affected by this vulnerability.
These defects will be fixed in the following CBOS releases: 2.3.5.015,
2.3.7.002, 2.3.9 and 2.4.1
Details
CSCdr98772
The behavior is caused by inadequate URL parsing in CBOS. Each
URL was expected to terminate with a minimum of a single space
character (ACSII code 32, decimal). Sending a URL that does not
terminate with a space causes CBOS to enter an infinite loop.
It is necessary to power cycle the router to resume operation.
In order to exploit this vulnerability, a router must be
configured to accept Web connections. Having a Web access
password configured does not provide protection against this
vulnerability.
Note:Web access on all Cisco 600 routers is disabled by default
and must be explicitly enabled.
CSCds59206
By sending a stream of SYN packets addressed to the router, it
is possible to exhaust all available TCP sockets within CBOS.
This is due to the memory leak in CBOS. When a router is set
into a state where it cannot accept a new connection, it can be
maintained in this state by a slow stream of SYN packets until
the router is rebooted. The stream can be as slow as one packet
per second, so one machine with a 64Kb connection can hold up
approximately 150 routers.
Note: This does not effect non-TCP traffic. All User Datagram
Protocol (UDP) and Internet Control Message Protocol (ICMP)
packets can be handled by a router without any problems. All
existing and new TCP sessions through the router will not be
affected.
When an attacking stream is terminated, a router recovers
itself within a few minutes.
CSCds19142
Using the Cisco Web Management interface, it is possible to
keep guessing an access password without those password
attempts being logged. A password may be either "exec-only" or
"enable". A user with an "exec-only" password cannot change a
router configuration.
CSCds23921
By sending a large (at least 65500 bytes in size) ICMP ECHO
(PING) packet to the router itself, it is possible to overflow
an internal variable and cause router lockup. The router is not
affected by the packets which are routed through it.
Impact
CSCdr98772
By sending a tailored URL to a router, it is possible to cause
a Denial-of-Service. Every affected router must be powered off
and back on in order to restore its normal functionality.
CSCds59206
It is possible to prevent all TCP access to a router. This
blocks all attempts at remote router administration.
CSCds19142
Long term, brute force password guessing can be performed
without being noticed. When the correct password is guessed, it
can be used to view or modify router configuration. This may be
particularly dangerous in installations where multiple routers
have the same password.
CSCds23921
It is possible to lock up the router thus causing
Denial-of-Service. Every affected device must be powered off
and back on in order to restore its normal functionality.
Software Versions and Fixes
The following table summarizes the CBOS software releases affected by
the defects described in this notice and scheduled dates on which the
earliest corresponding fixed releases will be available. Dates are
tentative and subject to change.
+===========+================+==============================================+
| | | |
| Release | Description or | Availability of Repaired Releases* |
| | Platform |==================+===========================+
| | | Patch release** | General Availability (GA) |
+===========+================+==================+===========================+
| All | 627, 633, 673 | 2.3.5.015 | |
| releases | 675, 677, 678 | 2000-DEC-11 | |
+-----------+----------------+------------------+---------------------------+
| 2.3.7.001 | 677i | 2.3.7.002 | |
| | | 2000-DEC-11 | |
+-----------+----------------+------------------+---------------------------+
| All | All platforms | | 2.3.9 |
| releases | | | 2001-JAN |
+-----------+----------------+------------------+---------------------------+
| All | All platforms | | 2.4.1 |
| releases | | | 2000-DEC-11 |
+===========+================+==================+===========================+
| Notes |
+===========================================================================+
|* All dates are estimated and subject to change. |
+---------------------------------------------------------------------------+
|** Patch releases are subjected to less rigorous testing than regular |
| GA releases, and may have serious bugs. |
+===========================================================================+
Obtaining Fixed Software
Cisco is offering free software upgrades to eliminate this
vulnerability for all affected customers.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's Worldwide
Web site at http://www.cisco.com.
Customers without contracts should get their upgrades by contacting
the Cisco Technical Assistance Center (TAC). TAC contacts are as
follows:
* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested
through the TAC. Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.
Workarounds
CSCdr98772
There are two workarounds for this vulnerability. The potential
for exploitation can be lessened by ensuring that Web access to
the router is limited to a legitimate IP address.
This can be done by entering the following commands while in
enable mode:
cbos# set web remote 10.0.0.1
cbos# set web remote enabled
where 10.0.0.1 is the address of the host with a legitimate
need for Web access to the router.
Alternatively, disabling the Web access completely will also
prevent this vulnerability from being exploited. This can be
done by entering the following command while in enable mode:
cbos# set web remote disable
CSCds59206
There is no workaround for this vulnerability.
CSCds19142
The Web Management interface can be disabled by entering the
following commands in enable mode:
cbos# set web remote disable
CSCds23921
All incoming ICMP ECHO (PING) packets destined to the router
itself should be denied. That can be achieved by following
commands:
cbos# set filter number on deny incoming all 0.0.0.0 0.0.0.0
<eth0_IP_address> 255.255.255.255 protocol ICMP
cbos# set filter number+1 on deny incoming all 0.0.0.0 0.0.0.0
<wan0_IP_address> 255.255.255.255 protocol ICMP
Where number is a free filter number between 0 and 17.
Exploitation and Public Announcements
The vulnerability CSCdr98772 was discovered by several customers. It
was also discussed at public forums. PSIRT has received reports that
this vulnerability has been exploited in vivo.
The vulnerability CSCds23921 was discovered by a customer. The other
two vulnerabilities (CSCds59206 and CSCds19142) were discovered during
internal testing.
The Cisco Product Security Incident Response Team (PSIRT) is not aware
of any public announcements of CSCds59206, CSCds19142 and CSCds23921.
Status of This Notice: INTERIM
This is an interim notice. Cisco expects the contents of this report
to change. The reader is warned that this notice may contain
inaccurate or incomplete information. Although Cisco cannot guarantee
the accuracy of all statements in this notice, all of the facts have
been checked to the best of our ability. Cisco anticipates issuing
monthly updates of this notice until it reaches final status.
Distribution
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/CBOS-multiple.shtml. In addition
to Worldwide Web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients:
* cust-security-announce@cisco.com
* bugtraq@securityfocus.com
* first-teams@first.org (includes CERT/CC)
* cisco@spot.colorado.edu
* comp.dcom.sys.cisco
* firewalls@lists.gnac.com
* Various internal Cisco mailing lists
Future updates of this notice, if any, will be placed on Cisco's
Worldwide Web server, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the URL given above for any updates.
Revision History
Revision 1.0 2000-December-03 21:00 GMT+00 Draft for initial public
release
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security
notices.
----------------------------------------------------------------------
This notice is Copyright 2000 by Cisco Systems, Inc. This notice may
be redistributed freely after the release date given at the top of the
text, provided that redistributed copies are complete and unmodified,
and include all date and version information.
----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2
iQEVAwUBOiv9sWiN3BRdFxkbAQF2CAgAhKReLyLJF6V+k0w/+e9w1MGS1ajrikeN
AgpbC3Mw60dgBZojrLkWGuUUTR/Le4mBFJmtLVGt1xTiu2K+TEsGxfXrZWCSffl/
JyQaCk2+8Jh1FMkA91XDCLYs2Bi94sJyrTrKZ7zc9K4rmiGKId85/WFCDsiScOEI
Ss7uZ7UmRNcvZ/dvwnUHEfjKNe770mNNnPo5bfG6eLTvEhCTOvw4ssgWcBpmcdS/
kVjpCViI3uuHBBr0Z6fdqVue6/1GfCPi1kJg8PEhi1K3lShKeQ4Vh8W5WTOa9SYo
YRiCSkruqC0TQu4ZLiX2vWSgoIncEc9YemSlhgGFMdc2sRMmhiSBvg==
=VpM3
-----END PGP SIGNATURE-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 6.5.2
mQENAzhQ8qUCYQEIALshjezuQIzQT3zZrKrQit2HTNarH8iba6HLdN2niIDGW9LN
ShhH0kPdD57EeOAkO2ccNvgY4HvJESgykBS6z86HULeiSVMv89TfQsKOv34cczYm
BeYtcfbgkm4MM/37UjFxUGAIoOxVX/bzya/tegiYPAaTsOcaonxqaOds/kLIR32S
/+3vcV6tu9QiiLwdKAGSN+KkrREP3qTFzKxmus1DKFz5o03yDMtYGplRQ62iae21
I8NbQtVXvARN5bdG5+4KaqI9hsT/tz8dh8OgapdaD6ht0qkY8J2DGIa1xnai4Vbe
hoz7Vozf65LErlbRWBVAn6XBD3qtaI3cFF0XGRsABRG0R0Npc2NvIFN5c3RlbXMg
UHJvZHVjdCBTZWN1cml0eSBJbmNpZGVudCBSZXNwb25zZSBUZWFtIDxwc2lydEBj
aXNjby5jb20+iQEVAwUQOFDypWiN3BRdFxkbAQEVgAf/Qins/ms1PNhD4ucJyGCY
V60wz6hQX5FXCKxewSxPOMOxkbQeiNxqENYldTwH6RZ2eVXYJX0PKZjhUmpQCwg7
aYQUv8GeROxQYlJx/j2FKmQcjIWLHQZImb7FxTFt0rgcCJI+ChGu8U3IqOmyeBmE
44qXxU/IGhJaXj8jIkSUxeKFQtI9JSxsfNiqX8itjeJlYTF8Y1MnTiuhikM3y7JM
sQFzrKSzhzfPcc3RqDAtbwYtvmb+6/9IGkHks2hox5ltJZ5v2c4lbReEpmLweDSf
enojuPPoPug8zRS/xa1uHzSZ3XKQwLWfjwZwGMzTTHOAiMWo6wlbhNnR4LlN/upv
uIkARgQQEQIABgUCOFDzRAAKCRBwkpqcbcMYIVfZAJ4z5xm+IJuj+byK+gNsNY7X
FK4THgCfS0n95c/Gxvu9tOvRFH+uwQh2dgGJAHUDBRA4UPNs3nAfbKMmz4kBAejY
AvoD771l0JZWwf5XmoCWLL0ChzbdFJqTsnd2zG4jGr1J91dkES4YDir4itqyWVRA
VFzalYCYouNPhOJZKLXUphQnAQ7x74cDznEw+MYT9eavbYcSeKkBZNEdjE3vf67x
4fSJAJUDBRA4UP5XwAV6rQ+eJbkBAX2CA/9GPlvk9EWTS54M6uTJCtC/6Bcx7phz
InAUYEX7gjlBmNF7MdIy1UdUsNL2rTdR26peB6VwzT6uXRG+RbhpGVvfHdEmJ2ec
brKaUmFisrVWB7Ho9NOo72xTru7GeJxGHb0xRcsDMCIYfyOCMvbr6lxMMAcD9zx3
nMx4VDJ7RfSStrRQQ2lzY28gU3lzdGVtcyBQcm9kdWN0IFNlY3VyaXR5IEluY2lk
ZW50IFJlc3BvbnNlIFRlYW0gPHNlY3VyaXR5LWFsZXJ0QGNpc2NvLmNvbT6JARUD
BRA4UPL6aI3cFF0XGRsBAdYKCACIhd2yDPXITE2pQzukNo+jxrMeSnqvl4DUoP6f
Ai64KLGYAqo+ZWuyFd1JLT5CtsaWuLXEBvt/9SevI/qbN18c9eSBko3wNcO49C+T
s0uttahHplxMgArqTK8y1u35C7QUz0T9xRLPaKvXYARw3/wFdaPQYehrVWBThbxk
KxJuamT3OT5uB7NgtkHK1nHpxuATj39EnvZSUTWe45ZBVulduGMG7grYRCQJ1jrG
2Ei0FO/adFKZU6DxSygwjWCM9Fdh/dncs00G7tXW8fpfIRmdsVZuYIQ7HPkoiUJF
87Hw+mdkZHiTAhPMuNO9AamZsIF65QcD4vera/zOXwU+MUcaiQBGBBARAgAGBQI4
UPNYAAoJEHCSmpxtwxghi9gAn12vk1AazXrc9GVCdXC5oFpi1TmlAJ9BsHkWwGUr
mLSAE3OE70LjxHHhDokAdQMFEDhQ84DecB9soybPiQEB2NoC/jSF5glFC5jfYjAp
VMiZHgGZDA49lcf/VZDz7ZeJAkOtZZHzlycVAlCukLl0sXfIhgygmWj6WQPPIF2z
COEjVgR625CRbYhrqC0H9ieWYJ3fu7GILoEb200GbSgUZifvq4kAlQMFEDhQ/mvA
BXqtD54luQEBWzAD/31F6aic5ZV/u6HY/ChORildURolK8LfNTwwsmwN32ZcJOUb
gSsU5cafE5XGaWvgVrPVKwAH9DFcviElBK+n7fhw+SRS5x+Ar8tZMKEgP5I9yIZX
DHwNZmFdpmk95xoK4TvCd3iyj23HcaoAGroRtuVrv5UtBG9P+FDMxScgO/cR
=sJ3p
-----END PGP PUBLIC KEY BLOCK-----
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:22 EDT