From ciac@rumpole.llnl.gov Wed Jan 13 18:30:17 1999 From: CIAC Mail User To: ciac-bulletin@rumpole.llnl.gov Date: Tue, 12 Jan 1999 14:00:36 -0800 (PST) Subject: CIAC Bulletin J-023: Cisco IOS Syslog Denial-of-Service Vulnerability [ For Public Release ] -----BEGIN PGP SIGNED MESSAGE----- __________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Cisco IOS Syslog Denial-of-Service Vulnerability January 12, 1999 18:00 GMT Number J-023 ______________________________________________________________________________ PROBLEM: Cisco has identified a vulnerability in certain versions of their IOS software when invalid user datagram protocol (UDP) packets are sent to their "syslog" port (port) 514. PLATFORM: Devices running Cisco IOS software versions 11.3AA, 11.3DB and all 12.0. DAMAGE: If exploited, an attacker may cause the system to crash or hang. SOLUTION: Apply software fixes or workarounds. ______________________________________________________________________________ VULNERABILITY Risk is high. Exploit details involving this vulnerability have ASSESSMENT: been made publicly available. ______________________________________________________________________________ [ Start Cisco Advisory ] Field Notice: Cisco IOS Syslog Crash ================================================================== Revision 1.1 For release 08:00 US/Pacific, Monday, January 11, 1999 For Cisco internal use only until release date Summary ======= Certain versions of Cisco IOS software may crash or hang when they receive invalid user datagram protocol (UDP) packets sent to their "syslog" ports (port 514). At least one commonly-used Internet scanning tool generates packets which can cause such crashes and hangs. This fact has been announced on public Internet mailing lists which are widely read both by security professionals and by security "crackers", and should be considered public information. This vulnerability affects devices running Cisco IOS software version 11.3AA, version 11.3DB, or any 12.0-based version (including 12.0 mainline, 12.0S, 12.0T, and any other regular released version whose number starts with "12.0"). The vulnerability has been corrected in certain special releases, and will be corrected in maintenance and interim releases which will be issued in the future; see the section on "Software Versions and Fixes" for details on which versions are affected, and on which versions are, or will be, fixed. Cisco intends to provide fixes for all affected IOS variants. There is a configuration workaround for this vulnerability. Who is Affected =============== All Cisco devices which are running classic Cisco IOS software with any of the versions listed as affected under "Software Versions and Fixes" are vulnerable to attack. This includes 11.3AA, 11.3DB, and all 12.0 versions, up to the repaired releases listed in the table. No particular configuration is needed to make a Cisco IOS device vulnerable. It is possible to filter out the attack traffic using access lists; see "Workarounds" in this document. However, except at Internet firewalls, the appropriate filters are not common in customer configurations. You should carefully evaluate your configuration before assuming that any filtering you have already configured protects you against this attack. Affected Devices - - -------------- It is impossible to list all Cisco products in this notice; the lists below include only the most commonly used or most asked-about products. If you are unsure whether your device is running classic Cisco IOS software, log into the device and issue the command "show version". Classic Cisco IOS software will identify itself simply as "IOS" or "Internetwork Operating System Software". Other Cisco devices either will not have the "show version" command, or will give different output. Cisco devices that run classic Cisco IOS software include: * Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 8xx, ubr9xx, 1xxx, 25xx, 26xx, 30xx, 36xx, 38xx, 40xx, 45xx, 47xx, AS52xx, AS53xx, AS58xx, 64xx, 70xx, 72xx (including the ubr72xx), 75xx, and 12xxx series. * Most recent versions of the LS1010 ATM switch. * Some versions of the Catalyst 2900XL LAN switch. * The Cisco DistributedDirector. The affected software versions are relatively new, and are not necessarily available on every device listed above. If you are not running classic Cisco IOS software, then you are not affected by this vulnerability. Cisco devices which do not run classic Cisco IOS software, and are not affected by this vulnerability, include the following: * 7xx dialup routers (750, 760, and 770 series) are not affected. * Catalyst 19xx, 28xx, 29xx, 3xxx, and 5xxx LAN switches are not affected, except for some versions of the Catalyst 2900XL. However, optional router modules running Cisco IOS software in switch backplanes, such as the RSM module for the Catalyst 5000 and 5500, are affected. * WAN switching products in the IGX and BPX lines are not affected. * The MGX (formerly known as the AXIS shelf) is not affected. * No host-based software is affected. * The Cisco PIX Firewall is not affected. * The Cisco LocalDirector is not affected. * The Cisco Cache Engine is not affected. Impact ====== Attackers can cause Cisco IOS devices to crash and reload. Furthermore, an attacker can repeat the process at will. By striking continuously, an attacker might be able to completely disable a Cisco IOS device until that device was reconfigured by its administrator. Some Cisco IOS devices have been observed to hang instead of crashing when attacked. These devices do not recover until manually restarted by reset or power cycle. This means that it might be necessary for an administrator to physically visit an attacked device in order to recover from the attack, even if the attacker is no longer actively sending any traffic. Some devices have crashed without providing stack traces; devices crashed using this vulnerability may indicate that they were "restarted by power-on", even when that is not actually the case. Workarounds =========== You can work around this vulnerability by preventing any affected Cisco IOS device from receiving or processing UDP datagrams addressed to its port 514. This can be done either using packet filtering on surrounding devices, or by using input access list filtering on the affected IOS device itself. If you use an input access list, that list should be applied to all interfaces to which attackers may be able to send datagrams. This includes not only physical LAN and WAN interfaces, but virtual subinterfaces of those physical interfaces, as well as virtual interfaces and/or interface templates corresponding to GRE, L2TP, L2F, and other tunnelling protocols. The input access list must block traffic destined for UDP port 514 at any of the Cisco IOS device's own IP addresses, as well as at any broadcast or multicast addresses on which the Cisco IOS device may be listening. It's important to remember to block old-style "all-zeroes" broadcasts as well as new-style "all-ones" broadcasts. It is not necessary to block traffic being forwarded to other hosts; only traffic actually addressed to the Cisco IOS device is of interest. There is no single input access list that will work in all configurations. It is very important that you understand the effect of your access list in your specific configuration before you activate the list. The following example shows a possible access list for a three-interface router, along with the configuration commands needed to apply that access list. The example assumes that there is no need for input filtering other than as a workaround for this vulnerability. ! Deny all multicasts, and all unspecified-net broadcasts, to port 514 access-list 101 deny udp any 224.0.0.0 31.255.255.255 eq 514 ! Deny old-style unspecified-net broadcasts access-list 101 deny udp any host 0.0.0.0 eq 514 ! Deny network-specific broadcasts. This example assumes that all of ! the local interfaces are on the class B network 172.16.0.0, subnetted ! everywhere with mask 255.255.255.0. This will differ from network ! to network. Note that we block both new-style and old-style broadcasts. access-list 101 deny udp any 172.16.0.255 0.0.255.0 eq 514 access-list 101 deny udp any 172.16.0.0 0.0.255.0 eq 514 ! Deny packets sent to the addresses of our own network interfaces. access-list 101 deny udp any host 172.16.1.1 eq 514 access-list 101 deny udp any host 172.16.2.1 eq 514 access-list 101 deny udp any host 172.16.3.3 eq 514 ! Permit all other traffic (default would be to deny) access-list 101 permit ip any any ! Apply the access list to the input side of each interface interface ethernet 0 ip address 172.16.1.1 255.255.255.0 ip access-group 101 in interface ethernet 2 ip address 172.16.2.1 255.255.255.0 ip access-group 101 in interface ethernet 3 ip address 172.16.3.3 255.255.255.0 ip access-group 101 in It can be complicated to list all possible addresses, and especially all possible broadcast addresses, to which attack packets might be sent. If you do not expect to need to forward any legitimate syslog traffic received on an interface, you may wish to simply block all syslog traffic arriving on that interface. Remember that this will affect traffic routed through the Cisco IOS device as well as traffic destined to the device; if the IOS device is expected to forward syslog packets, you will have to do the detailed filtering. Input access lists have an impact on system performance, and should be installed with a degree of caution, especially on systems that are running very near their capacity limits. Software Versions and Fixes =========================== This vulnerability has Cisco bug ID CSCdk77426. Many Cisco software images have been or will be specially reissued to correct this vulnerability. For example, regular released version 12.0(2) is vulnerable, as are interim versions 12.0(2.1) through 12.0(2.3) The first fixed interim version of 12.0 mainline software is 12.0(2.4). However, a special release, 12.0(2a), contains only the fix for this vulnerability, and does not include any of the other bug fixes from later 12.0 interim releases. If you were running 12.0(2), and wanted to upgrade to fix this problem, without taking the risk of instability presented by installing the 12.0(2.4) interim release, you could upgrade to 12.0(2a). 12.0(2a) represents a "code branch" from the 12.0(2) base, which merges back into the 12.0 mainline at 12.0(2.4). In every case, these special releases are one-time spot fixes, and will not be maintained. The upgrade path from, say, 12.0(2a), is to 12.0(3). See the following table for information about affected and repaired software versions. All dates in the table are tentative and subject to change. +----------+-------------+---------------+---------------+-----------------+ | | | Special | First fixed | | | | | one-time spot | interim | First fixed | | Cisco IOS| | fix release; | release** (fix| regular | | Major | Description | most stable | will carry | maintenance | | Release | | immediate | forward into |release (or other| | | | upgrade path | all later |long term upgrade| | | | (see above) | versions) | path) | +----------+-------------+---------------+---------------+-----------------+ | Unaffected releases | +----------+-------------+---------------+---------------+-----------------+ |11.2 and |Unaffected | | | | |earlier, |early | | | | |all |releases (no |Unaffected |Unaffected |Unaffected | |variants |syslog | | | | | |server) | | | | +----------+-------------+---------------+---------------+-----------------+ |11.3, | | | | | |11.3T, | | | | | |11.3DA, |11.3 releases| | | | |11.3MA, |without |Unaffected |Unaffected |Unaffected | |11.3NA, |syslog | | | | |11.3WA, |servers | | | | |11.3(2)XA | | | | | | | | | | | +----------+-------------+---------------+---------------+-----------------+ | 11.3-based releases | +----------+-------------+---------------+---------------+-----------------+ | |11.3 early | | | | |11.3AA |deployment |11.3(7)AA2, |11.3(7.2)AA |11.3(8)AA, | | |for AS58xx |8-JAN-1999* | |15-FEB-1999* | +----------+-------------+---------------+---------------+-----------------+ | |11.3 for | | | | | |Cisco NRP | | | | |11.3DB |routing blade| - | - |11.3(7)DB2, | | |in Cisco 6400| | |18-JAN-1999* | | |xDSL DSLAM | | | | +----------+-------------+---------------+---------------+-----------------+ | 12.0-based releases | +----------+-------------+---------------+---------------+-----------------+ |12.0 |12.0 mainline|12.0(2a), |12.0(2.4) |12.0(3), | | | |8-JAN-1999* | |1-FEB-1999* | +----------+-------------+---------------+---------------+-----------------+ | |12.0 new | | | | |12.0T |technology |12.0(2a)T1, |12.0(2.4)T |12.0(3)T, | | |early |11-JAN-1999* | |15-FEB-1999* | | |deployment | | | | +----------+-------------+---------------+---------------+-----------------+ | |ISP support: | | | | |12.0S |7200, RSP, | - |12.0(2.3)S |12.0(2)S***, | | |GSR | |27-DEC-1998 |18-JAN-1999* | +----------+-------------+---------------+---------------+-----------------+ | |12.0 for | | | | | |Cisco 6400 | | | | | |universal | | | | |12.0DB |access | - | - |12.0(2)DB, | | |concentrator | | |18-JAN-1999* | | |node switch | | | | | |processor | | | | | |(lab use) | | | | +----------+-------------+---------------+---------------+-----------------+ | | |12.0(1)W5(5a) | |12.0(1)W5(6) | | |12.0 for |and | |(platform support| |12.0(1)W |Catalyst 8500|12.0(1a)W5(5b) |12.0(1)W5(5.15)|for Catalyst | | |and LS1010 |(LS1010 | |8540M will be in | | | |platform only) | |12.0(1)W5(7)) | +----------+-------------+---------------+---------------+-----------------+ | |One-time | | | | | |early | | | | | |deployment | | |Unaffected; | | |for CH-OC12 |Unaffected; | |general upgrade | |12.0(0.6) |in Catalyst |one-time |Unaffected |path is via | |W5 |8500 series |release | |12.0(1)W5 | | |switches | | |releases. | | | | | | | | | | | | | +----------+-------------+---------------+---------------+-----------------+ | |Short-life | | | | | |release; | | |Upgrade to | |12.0(1)XA3|merged to |Obsolete |Merged |12.0(2a)T1and/or | | |12.0T at | | |to 12.0(3)T | | |12.0(2)T | | | | +----------+-------------+---------------+---------------+-----------------+ | |Short-life | | | | | |release for | | | | | |Cisco 800 | | | | |12.0(1)XB |series; |12.0(1)XB1 |Merged |Upgrade to | | |merged to | | |12.0(3)T | | |12.0T at | | | | | |12.0(3)T | | | | +----------+-------------+---------------+---------------+-----------------+ | |Short-life | | | | | |release for | | | | | |new features | | | | | |in Cisco | | | | | |2600, Cisco | | | | |12.0(2)XC |3600, |12.0(2)XC1, |Merged |Upgrade to | | |ubr7200, |7-JAN-1999* | |12.0(3)T | | |ubr900 | | | | | |series; | | | | | |merged to | | | | | |12.0T at | | | | | |12.0(3)T | | | | +----------+-------------+---------------+---------------+-----------------+ | |Short-life | | | | | |release for | | | | | |ISDN voice | | | | |12.0(2)XD |features; |12.0(2)XD1, |Merged |Upgrade to | | |merged to |18-JAN-1999* | |12.0(3)T | | |12.0T at | | | | | |12.0(3)T. | | | | +----------+-------------+---------------+---------------+-----------------+ |12.0(1)XE |Short-life |12.0(2)XE, |Merged |Upgrade to | | |release |18-JAN-1999* | |12.0(3)T | +----------+-------------+---------------+---------------+-----------------+ * All projected dates are estimates, and are subject to change ** Interim releases are subjected to less rigorous testing than regular maintenance releases, and may have serious bugs. *** The vulnerability is fixed in 12.0(2)S. The 12.0(2.3)S interim release is available to the field before the 12.0(2)S regular release because of internal process considerations. This entry is not a misprint. Getting Fixed Software - - -------------------- Cisco is offering free software updates to correct this vulnerability for all vulnerable customers, regardless of contract status. Note, however, that because information about this vulnerability has been disseminated by third parties, Cisco has been forced to release this notice before updates are available for all software versions. The projected fix dates in the table above are subject to change, but represent Cisco's best estimate of the dates on which fixes will be available. As with any software change, you should check to make sure that your hardware can support the new software before installing it. The most common problem is inadequate RAM. While this is seldom a problem when upgrading within a major release (say, from 11.2(11)P to 11.2(17)P), it is often an issue when upgrading between major releases (say, from 11.2P to 11.3T). Because fixes will be made available for all affected releases, this vulnerability will rarely, if ever, require an upgrade to a new major release. Cisco recommends very careful planning for any upgrade between major releases. When upgrading between major releases, you must be especially careful to make certain that no known bugs will prevent the new software from working properly in your environment. Further upgrade planning assistance is available on Cisco's Worldwide Web site at http://www.cisco.com. Customers with service contracts should obtain new software through their regular update channels (generally via Cisco's Worldwide Web site). Customers with service contracts may upgrade to any software release, but must, as always, remain within the boundaries of the feature sets they have purchased.. Customers without service contracts may upgrade only to obtain the bug fixes; they are not offered upgrades to versions newer than required to resolve the defects. In general, customers without service contracts will be restricted to upgrading within a single row of the table above, except when no upgrade within the same row is available in a timely manner. Customers without service contracts should get their updates by contacting the Cisco TAC. TAC contacts are as follows: * +1 800 553 2447 (toll-free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * tac@cisco.com Give the URL of this notice as evidence of your entitlement to a free update. Free updates for non-contract customers must be requested through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software updates. Exploitation and Public Announcements ===================================== A third party announced this vulnerability on the "bugtraq@netspace.org" electronic mailing list on December 22, 1998. The third party's announcement included sufficient information to allow any computer-literate person with a moderate interest in security to exploit the vulnerability. On that same day, Cisco sent an informal acknowledgement and a description of the workaround both to the "bugtraq" list and to some other Internet discussion forums, as well as to all Cisco customers who had requested security updates by subscribing to the "cust-security-announce@cisco.com" mailing list. Cisco has seen the information from "bugtraq" reposted on several Worldwide Web sites catering to those interested in computer security. All of the Worldwide Web sites in question, and all of the discussion forums, including the "bugtraq" mailing list, are open to the public, and many of them are widely read by people interested in computer and network security. Customers should assume that any potential attacker is likely to know that this vulnerability exists, and furthermore is likely to know how to exploit the vulnerability. This vulnerability can be exploited using tools available to the public on the Internet; an attacker would not need to write any software to exploit the vulnerability. Minimal skill is required. No special equipment is required. Despite specifically inviting such reports, Cisco has received no actual reports of malicious exploitation of this vulnerability. Status of This Notice ===================== This is a final field notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice. Distribution - - ---------- This notice will be posted on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/770/iossyslog-pub.shtml . In addition to Worldwide Web posting, the initial version of this notice is being sent to the following e-mail and Usenet news recipients: * cust-security-announce@cisco.com * bugtraq@netspace.org * first-teams@first.org (includes CERT/CC) * first-info@first.org * cisco@spot.colorado.edu * comp.dcom.sys.cisco * nanog@merit.edu * Various internal Cisco mailing lists Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL given above for any updates. Revision History - - ---------------- Revision 1.0, First release candidate version. 22:00 US/Pacific, 9-JAN-1999 Revision 1.1, Correct upgrade path for 12.0XE 09:45 US/Pacific, 10-JAN-1999 Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's Worlwide Web site at http://www.cisco.com/warp/public/791/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices. ================================================================== This notice is copyright 1999 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including this copyright notice and all date and version information. ================================================================== [ End Cisco Advisory ] ______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Cisco Systems, Inc. for the information contained in this bulletin. ______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@llnl.gov For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC voice number 925-422-8193 and leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC duty person, and the secondary PIN number, 8550074 is for the CIAC Project Leader. Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov -- they're the same machine) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov -- they're the same machine) Modem access: +1 (925) 423-4753 (28.8K baud) +1 (925) 423-3331 (28.8K baud) CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information; 2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 3. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. Our mailing lists are managed by a public domain software package called Majordomo, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes for list-name: E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov: subscribe list-name e.g., subscribe ciac-bulletin You will receive an acknowledgment email immediately with a confirmation that you will need to mail back to the addresses above, as per the instructions in the email. This is a partial protection to make sure you are really the one who asked to be signed up for the list in question. If you include the word 'help' in the body of an email to the above address, it will also send back an information file on how to subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc. PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) J-013: SGI IRIX autofsd Vulnerability J-014: IBM AIX automountd Vulnerability J-015: HP SharedX Denial-of-Service Vulnerability J-016: Cisco IOS DFS Access List Leakage Vulnerabilities J-017: HP-UX vacation Security Vulnerability J-018: HTML Viruses J-019: Intelligent Peripherals Create Security Risk J-020: SGI IRIX fcagent daemon Vulnerability J-021: Sun Solaris Vulnerabilities ( dtmail, passwd ) J-022: HP-UX Vulnerabilities ( snmp, sendmail, remote network command ) -----BEGIN PGP SIGNATURE----- Version: 4.0 Business Edition iQCVAwUBNpu9B7nzJzdsy3QZAQGMmAQArFYuTXoYulaBa4MlDEDs4XZvw3eG0TNq F2T8vY9XztsjzkyBM7ReMSuBuWPLU91HQptV2y/KCmivjw4nYGFM5agqTgFBKl+v wA0Emq0c8d+rDZXW6bRfxmpC2eiT6we75hDmOJ3FjB78ku6XK8wfZT5H7StKLffT ggrHmXOpb2Y= =VIRe -----END PGP SIGNATURE-----