From xforce@iss.net Thu Mar 25 00:35:56 1999 From: X-Force To: alert@iss.net Cc: X-Force Date: Wed, 24 Mar 1999 10:58:36 -0500 (EST) Subject: ISSalert: ISS Security Advisory: Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet Switches TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net Contact alert-owner@iss.net for help with any problems! --------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- ISS Security Advisory March 24, 1999 Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet Switches Internet Security Systems (ISS) X-Force has discovered several vulnerabilities in Cisco Catalyst Series Ethernet Switches running the Cisco fixed configuration switch software. Cisco Catalyst switches are commonly used in high volume production environments supporting high-end servers and "virtual LAN" configurations. Affected Models: Catalyst 1200, 2900, 5000, and 5500 series switches are affected. The Catalyst 2900XL and Catalyst 2926 are not affected. Vulnerable Software Versions: Catalyst 1200 family supervisor software versions up to and including 4.29 are vulnerable. Catalyst 2900 family supervisor software revisions up to and including 2.1(5) are vulnerable. Catalyst 5000 and 5500 family supervisor software revisions up to and including 2.1(5) are vulnerable. For the 2900, 5000, and 5500 series, minor revisions 2.1(501) and 2.1(502) are also vulnerable. Recommendations: Upgrade your switch to the most recent version of the Catalyst switch software, or any version that is not vulnerable. All affected users are urged to review the "For More Information" section of this advisory. Free fixes are available from Cisco Systems. Service contract customers can download new versions of switch software at: http://www.cisco.com/kobayashi/sw-center/sw-switching.shtml Non-contract customers should contact the Cisco Technical Assistance Center (TAC). TAC contacts are: * +1 800 553 2447 (toll-free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) e-mail: tac@cisco.com An immediate workaround involves removing the IP address from the vulnerable switch hardware. This workaround has the negative effect of disabling remote management of the switch. ISS X-Force recommends that border routers and firewalls are configured to block all traffic to the vulnerable switches from untrusted sources. Description: The Cisco Catalyst 5000 Series Ethernet Switches run fixed configuration switch software. This software operates an undocumented TCP service. Sending a carriage return character to this port causes the switch to immediately reset. An attacker may repeat this action indefinitely, causing a denial of network services. The switch software does not provide any IP filtering options to prevent this type of attack. Credits: These vulnerabilities were primarily researched by Josh Sierles and Chris Stach of the ISS X-Force. ISS appreciates the assistance of the individuals at Cisco Systems. For more information: Cisco's public advisory including detailed fix and support information is located at: http://www.cisco.com/warp/public/770/cat7161-pub.shtml Documentation on Cisco Catalyst switches is available at: http://www.cisco.com/univercd/cc/td/doc/product/lan/index.htm ___________ Copyright (c) 1999 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html, as well as on MIT's PGP key server and PGP.com's key server. X-Force Vulnerability and Threat Database: http://www.iss.net/xforce Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBNvkLHjRfJiV99eG9AQFuHQP/TfumLTSwGdkog2q15aWvV7ilcRBolfmD 2zuM8clvNRRkr2GXKHp1z80IlSI6C1F+3XTPSoBiRXOR7uD2IV0SkFzvr0WC2tMx UmL5k9EUBBGhHtmQUm5UM2JcSnGEHrTR7WWoX7Xac1EThjbQqPrj91MairHhumT0 qJWuMRUvr9Y= =4KdT -----END PGP SIGNATURE-----