[c-nsp] Cisco Security Advisory: Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability

Cisco Systems Product Security Incident Response Team psirt at cisco.com
Wed Feb 17 11:51:25 EST 2010

Hash: SHA1

Cisco Security Advisory: Cisco Firewall Services Module Skinny Client
Control Protocol Inspection Denial of Service Vulnerability

Advisory ID: cisco-sa-20100217-fwsm


Revision 1.0

For Public Release 2010 February 17 1600 UTC (GMT)



A vulnerability exists in the Cisco Firewall Services Module (FWSM) for
the Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
that may cause the Cisco FWSM to reload after processing a malformed
Skinny Client Control Protocol (SCCP) message. The vulnerability exists
when SCCP inspection is enabled.

Cisco has released free software updates that address this

This advisory is posted at

Affected Products

Vulnerable Products

All non-fixed 4.x versions of Cisco FWSM Software are affected by this
vulnerability if SCCP inspection is enabled. SCCP inspection is enabled
by default.

To check if SCCP inspection is enabled, issue the "show service-policy
| include skinny" command and confirm that the command returns output.
Example output follows:

    fwsm#show service-policy | include skinny
          Inspect: skinny , packet 0, drop 0, reset-drop 0

Alternatively, a device that has SCCP inspection enabled has a
configuration similar to the following:

    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect skinny
    service-policy global_policy global

To determine the version of Cisco FWSM Software that is running, issue
the "show module" command-line interface (CLI) command from Cisco IOS
Software or Cisco Catalyst Operating System Software to identify what
modules and sub modules are installed on the system.

The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1)
installed in slot 2:

    switch>show module
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      1   16  SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
      2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485
      3    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD0932089Z
      4    4  SLB Application Processor Complex      WS-X6066-SLB-APC   SAD093004BD
      5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E

    Mod MAC addresses                       Hw    Fw           Sw           Status
    --- ---------------------------------- ------ ------------ ------------ -------
      1  0009.11e3.ade8 to 0009.11e3.adf7   5.1   6.3(1)       8.5(0.46)RFW Ok
      2  0018.ba41.5092 to 0018.ba41.5099   4.0   7.2(1)       3.2(2)10     Ok
      3  0014.a90c.9956 to 0014.a90c.995d   5.0   7.2(1)       5.1(6)E1     Ok
      4  0014.a90c.66e6 to 0014.a90c.66ed   1.7                4.2(3)       Ok
      5  0013.c42e.7fe0 to 0013.c42e.7fe3   4.4   8.1(3)       12.2(18)SXF1 Ok


After locating the correct slot, issue the "show module <slot number>"
command to identify the software version that is running. Example output

    switch>show module 2
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485

    Mod MAC addresses                       Hw    Fw           Sw           Status
    --- ---------------------------------- ------ ------------ ------------ -------
      2  0018.ba41.5092 to 0018.ba41.5099   4.0   7.2(1)       3.2(2)10     Ok


The preceding example shows that the FWSM is running software version
3.2(2)10 as indicated by the column under "Sw."

Note: Recent versions of Cisco IOS Software will show the software
version of each module in the output from the "show module" command;
therefore, executing the "show module <slot number>" command is not

If a Virtual Switching System (VSS) is used to allow two physical Cisco
Catalyst 6500 Series Switches to operate as a single logical virtual
switch, the "show module switch all" command can display the software
version of all FWSMs that belong to switch 1 and switch 2. The output
from this command will be similar to the output from the "show module
<slot number>" but will include module information for the modules in
each switch in the VSS.

Alternatively, version information can be obtained directly from the
FWSM through the "show version" command. Example output follows:

    FWSM> show version

    FWSM Firewall Version 3.2(2)10


Customers who use the Cisco Adaptive Security Device Manager (ASDM) to
manage their devices can find the version of the software displayed in
the table in the login window or in the upper left corner of the ASDM
window. The version notation is similar to the following example.

    FWSM Version: 3.2(2)10

Products Confirmed Not Vulnerable

The Cisco ASA 5500 Series Adaptive Security Appliances are affected
by the vulnerability in this advisory. A separate Cisco Security
Advisory has been published to disclose this and other
vulnerabilities that affect the Cisco ASA 5500 Series Adaptive
Security Appliances. The advisory is available at:


With the exception of Cisco ASA 5500 Series Adaptive Security
Appliances, no other Cisco products are currently known to be affected
by this vulnerability.


The Cisco FWSM is a high-speed, integrated firewall module for Cisco
Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The FWSM
offers firewall services with stateful packet filtering and deep packet

The Cisco FWSM is affected by a vulnerability that may cause the device
to reload during the processing of a malformed SCCP message when SCCP
inspection is enabled.

This vulnerability is only triggered by transit traffic; traffic that is
destined to the device does not trigger this vulnerability.

This issue is documented in Cisco bug ID CSCtb60485 and has been
assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0151.

Vulnerability Scoring Details

Cisco has provided scores for the vulnerability in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS


Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:


* CSCtb60485 ("Traceback in 'skinny' Thread with Skinny Inspection Enabled")

CVSS Base Score - 7.8
    Access Vector -            Network
    Access Complexity -        Low
    Authentication -           None
    Confidentiality Impact -   None
    Integrity Impact -         None
    Availability Impact -      Complete

CVSS Temporal Score - 6.4
    Exploitability -           Functional
    Remediation Level -        Official-Fix
    Report Confidence -        Confirmed


Successful exploitation of this vulnerability may cause a reload of
the affected device. Repeated exploitation could result in a sustained
denial of service condition.

Software Versions and Fixes

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Each row of the Cisco FWSM Software table below describes a major Cisco
FWSM Software train and the earliest possible release within that train
that contains the fix (the "First Fixed Release") and the anticipated
date of availability (if not currently available) in the "First Fixed
Release" column. A device running a release that is earlier than the
release in a specific column (less than the First Fixed Release) is
known to be vulnerable. The release should be upgraded at least to the
indicated release or a later version (greater than or equal to the First
Fixed Release label).

| Major Release  | First Fixed Release  |
| 3.1            | Not affected         |
| 3.2            | Not affected         |
| 4.0            | 4.0(8)               |

Fixed Cisco FWSM Software can be downloaded from the Software Center on
Cisco.com by visiting http://www.cisco.com/cisco/web/download/index.html
and navigating to "Security > Cisco Catalyst 6500 Series Firewall
Services Module > Firewall Services Module (FWSM) Software".


If SCCP inspection is not required, this vulnerability can be mitigated
by disabling it. Administrators can disable SCCP inspection by issuing
the "no inspect skinny" command in class configuration sub-mode within
the policy map configuration. If SCCP inspection is required, there are
no workarounds.

Obtaining Fixed Software

Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
or as otherwise set forth at Cisco.com Downloads at

Do not contact psirt at cisco.com or security-alert at cisco.com for software

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers using Third Party Support Organizations

Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is

Customers without Service Contracts

Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.

Refer to
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various

Exploitation and Public Announcements

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

This vulnerability was discovered during the resolution of customer
service requests.

Status of this Notice: FINAL


A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.


This advisory is posted on Cisco's worldwide website at:


In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.

  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History

| Revision 1.0 | 2010-February-17 | Initial public release.  |

Cisco Security Procedures

Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at

Copyright 2008-2010 Cisco Systems, Inc. All rights reserved.

Updated: Feb 17, 2010                             Document ID: 111553
Version: GnuPG v1.4.9 (GNU/Linux)


More information about the cisco-nsp mailing list