Tag Archives: cisco

Biannual Cisco Patch Day: IOS Security Updates Patch Many DoS Flaws

Summary:

  • These vulnerabilities affect: Many devices running Cisco IOS
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets
  • Impact: In the most common case, an attacker can cause your IOS device to reload, and can repeatedly exploit these flaws to cause a Denial of Service (DoS) condition
  • What to do: Administrators who manage Cisco IOS devices should download, test, and deploy the appropriate Cisco updates as soon as possible

Exposure:

Over a year ago, Cisco implemented a twice-yearly patch cycle that falls on the fourth Wednesday of March and September. During today’s biannual patch day, Cisco released nine security advisories that affect devices running Cisco’s Internetwork Operating System (IOS) software. IOS is the operating system that runs on most Cisco routers and switches.

Though Cisco’s nine IOS advisories differ technically, and affect different IOS components, most of them share the same general scope and impact. By sending specially crafted network traffic to (or through) your IOS device, an attacker can exploit most of these issues to cause that device to reload. By repeatedly exploiting these vulnerabilities, an attacker could cause a Denial of Service (DoS) condition on your router or switch.

For a complete list of today’s IOS alerts, check out Cisco’s Security Advisories and Responses page. However, we summarize three of the IOS advisories below to give you a general idea of the impact of these flaws:

Advisory ID cisco-sa-20120328-ssh: Reverse SSH DoS Vulnerability

Cisco’s Secure Shell (SSH) component suffers from a DoS vulnerability involving how it handles reverse SSH connections. By attempting a reverse SSH login using a specially crafted username, an unauthenticated attacker can exploit this flaw to cause your IOS device to reload. By repeatedly exploiting this issue, an attacker could knock your IOS device (such as your gateway router) offline.
Base CVSS Score: 7.8 (10 being the most severe)

Advisory ID cisco-sa-20120328-nat: NAT DoS Vulnerability

Cisco IOS’s Network Address Translation (NAT) component suffers from a vulnerability involving how it handles Session Initiation Protocol (SIP) traffic. By sending specially crafted SIP traffic through your IOS device, an attacker could exploit this vulnerability to exhaust memory on your IOS device, potentially forcing it to reload. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit this vulnerability to knock your network off the Internet.
Average CVSS Score: 7.8

Advisory ID cisco-sa-20120328-ike: IKE DoS Vulnerability

Internet Key Exchange (IKE) is a protocol developed to negotiate the cryptographic attributes needed to build IPSec VPN tunnels. Cisco IOS’s IKE component suffers from an unspecified vulnerability, which an attacker can leverage to force your IOS device to reload. By sending specially crafted IKE traffic to an IOS device, an attacker could repeatedly exploit this flaw to cause a DoS condition.
Base CVSS Score: 7.8

Many of the remaining IOS advisories also fix DoS flaws just as severe as the ones described above. One also fixes a command authorization bypass vulnerability. If you’d like more details on these individual advisories, refer to the links in the References section of this alert.

Solution Path:

Cisco has released patches to fix these vulnerabilities. If you manage a Cisco device running IOS software, you should consult the “Software Versions and Fixes” and “Obtaining Fixed Software” sections in each of Cisco’s advisories to learn which fixes apply to your devices, and how to obtain them. You will find links to each individual advisory in the Reference section below.

For All Users:

Since these vulnerabilities can affect your router, which is typically in front of your firewall, you should apply the Cisco updates as soon as possible.

Status:

Cisco has made fixes available.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Potential Zero Day Cisco IOS DoS Vulnerabilities

According to posts on the Bugtraq mailing list [ 1 / 2 ], Cisco’s popular router and switch operating system — IOS — suffers from two zero day Denial of Service (DoS) vulnerabilities. These advisories come from the penetration test team of NCNIPC (China).

The advisories share minimal technical details about the two supposed flaws. They do say that attackers can trigger one DoS with a UDP packet flood and the other with SNMP packets sent to improper ports. In either case, the attack can put your IOS devices in a non-responsive state, requiring a reboot. By carrying out this sort of attack against your gateway router, an attacker can fairly easily knock you offline.

Cisco has since replied to these vulnerability allegations, saying they are researching the situations. However, they did not confirm or deny the DoS flaws, nor have they had time to release patches. Until they do, you can mitigate the risk of one of the flaws by disabling SNMP on your IOS device.

We’ll let you know more as soon as Cisco shares more complete details about these flaws. In the meantime, keep your eyes out for UDP floods. — Corey Nachreiner, CISSP
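As an added example (not code from the original alert or from Cisco), the following Python script audits saved IOS running-config output for the mitigation the post recommends: it reports whether the SNMP agent is still enabled, which community strings are configured, and the IOS commands that turn the agent off. The hostname, community strings and addresses in the sample config are constructed for this example.

```python
"""Audit saved 'show running-config' output for an enabled IOS SNMP agent.
Added example (not from the original alert or from Cisco); the sample
config below is constructed for this example."""
import re

# Any global snmp-server command enables the IOS SNMP agent; these are
# the forms most commonly present in a running-config.
SNMP_LINE = re.compile(r"^snmp-server\s+(community|host|user|group|enable|view)\b")

SAMPLE_CONFIG = """\
hostname edge-rtr1
!
snmp-server community public RO
snmp-server community private RW 10
snmp-server host 192.0.2.50 version 2c public
snmp-server enable traps snmp linkdown linkup
!
line vty 0 4
 transport input ssh
"""


def audit_snmp(config_text):
    """Return a dict describing SNMP exposure in one device config."""
    snmp_lines = [ln.strip() for ln in config_text.splitlines()
                  if SNMP_LINE.match(ln.strip())]
    communities = []
    for ln in snmp_lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?", ln)
        if m:  # acl None means the community answers any source address
            communities.append({"name": m.group(1), "access": m.group(2),
                                "acl": m.group(3)})
    # Until a fix ships, the alert's mitigation is to disable the agent
    # outright; 'no snmp-server' does that in IOS global config mode.
    remediation = ["configure terminal", "no snmp-server", "end"] if snmp_lines else []
    return {"snmp_enabled": bool(snmp_lines), "snmp_lines": snmp_lines,
            "communities": communities, "remediation": remediation}


if __name__ == "__main__":
    report = audit_snmp(SAMPLE_CONFIG)
    print("SNMP enabled:", report["snmp_enabled"])
    for c in report["communities"]:
        print(f"  community {c['name']} ({c['access']}, acl={c['acl'] or 'none'})")
    print("Remediation:", "; ".join(report["remediation"]))
```

Run it against the output of `show running-config` saved from each IOS device to list the ones that still have the agent enabled.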

Cisco Biannual Patch Day: IOS Teeming with DoS Vulnerabilities

Summary:

  • These vulnerabilities affect: Many devices running Cisco IOS
  • How an attacker exploits them: Multiple vectors of attack; in the most common, the attacker sends specially crafted network packets
  • Impact: An attacker can cause your IOS device to reload and can repeatedly exploit these flaws to cause a Denial of Service (DoS) situation
  • What to do: Administrators who manage Cisco IOS devices should download, test, and deploy the appropriate Cisco updates as soon as possible

Exposure:

Over a year ago, Cisco implemented a twice-yearly patch cycle that falls on the fourth Wednesday of March and September. Yesterday marked another Cisco biannual patch day, for which they released six security advisories. Five of these advisories cover security vulnerabilities that affect devices running Cisco’s Internetwork Operating System (IOS) software. IOS is the operating system that runs on most Cisco routers and switches. The remaining advisory covers a flaw in Unified Communications Manager.

While Cisco’s IOS advisories differ in technical ways, all of them cover vulnerabilities that attackers could exploit in Denial of Service (DoS) attacks. For a complete list of today’s IOS alerts, check out the Cisco’s Bundled Advisory for September 22nd. However, we summarize three of the IOS advisories below:

Cisco Document ID 112028: Three NAT-related DoS vulnerabilities.

Cisco’s Network Address Translation (NAT) component suffers from three different DoS vulnerabilities. More specifically, the three DoS vulnerabilities have to do with how IOS NAT translates SIP, H.323, and H.225.0 traffic. Though these flaws differ technically, they essentially share the same scope and impact. By sending specially crafted packets, an unauthenticated attacker can exploit any of these flaws to cause your IOS device to reload. Furthermore, if you use a Cisco IOS router as your Internet gateway, an attacker could repeatedly exploit these vulnerabilities to knock your network offline.
Base CVSS Score: 7.8 (10 being the most severe)

Cisco Document ID 112022: IOS SIP DoS vulnerabilities.

The Session Initiation Protocol (SIP) is a popular signaling standard used by many Voice over IP (VoIP) products. Unfortunately, IOS’s SIP handling implementation suffers from three unspecified DoS vulnerabilities. By sending a specially crafted SIP message to your IOS device, an attacker could exploit these vulnerabilities to reload your IOS device. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit these vulnerabilities to knock your network offline. These vulnerabilities only affect IOS devices with SIP voice services enabled. This issue may sound similar to the flaws described above. However, these flaws actually lie within IOS’s SIP component, while the flaws above lie within IOS’s NAT component.
Average CVSS Score: 7.8

Cisco Document ID 112021: IOS H.323 DoS vulnerability.

H.323 is a standard that defines various protocols used to pass audio-visual communications across packet networks. Similar to the SIP issue above, IOS’s H.323 component suffers from two unspecified DoS vulnerabilities. By sending specially crafted H.323 packets to your IOS device, an attacker can remotely cause a DoS condition on your IOS device.
Average CVSS Score: 7.8

The remaining two IOS advisories also fix DoS flaws just as severe as the ones described above. For greater detail on all of Cisco’s September vulnerabilities, check out the individual advisories in the References section of this alert, or refer to Cisco’s bundled security advisory for September 2010. Also, if you happen to use Cisco’s Unified Communications Manager, you should check out Cisco’s advisory describing a DoS flaw in it as well.

Solution Path:

Cisco has released patches to fix these vulnerabilities. If you use any Cisco device running IOS software, you should immediately consult the “Software Versions and Fixes” and “Obtaining Fixed Software” section of Cisco’s bundled security advisory for September 2010 to learn which fixes apply to your devices, and how to obtain them. You can also refer to the “Software Versions and Fixes” and “Obtaining Fixed Software” section of each of the individual alerts linked below.

For All Users:

Since these vulnerabilities can affect your router, which is typically in front of your firewall, the solutions above are your primary recourse.

Status:

Cisco has made fixes available.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Cisco Biannual Patch Day: Seven DoS Advisories Primarily Affect IOS

Summary:

  • These vulnerabilities affect: Devices running Cisco IOS and Cisco UCM
  • How an attacker exploits them: Multiple vectors of attack; in the most common, the attacker sends specially crafted network packets
  • Impact: Various Denial of Service (DoS) issues can force a Cisco device to crash, reload, or halt. One may also allow an attacker to execute code
  • What to do: Administrators who manage Cisco IOS or UCM devices should download, test, and deploy the appropriate Cisco updates as soon as possible

Exposure:

Yesterday, Cisco released seven security advisories as part of their biannual patch day, which falls on the fourth Wednesday of March and September. All of these advisories cover Denial of Service (DoS) security vulnerabilities that primarily affect devices running Cisco’s Internetwork Operating System (IOS) software. IOS is the operating system that runs on most Cisco routers. That said, attackers could potentially leverage one of the IOS DoS flaws to execute code on your IOS device, potentially gaining control of it. Finally, one of the advisories also covers a DoS in Unified Communications Manager (UCM), which is Cisco’s enterprise-level, IP telephony call-processing system.

While Cisco’s IOS advisories differ technically, all of them cover vulnerabilities that attackers could exploit in DoS attacks. For a complete list of today’s Cisco advisories, check out Cisco’s Bundled Advisory for March 24th or their Security Advisories page. We summarize three of the IOS advisories below:

Cisco Document ID 111448: IOS SIP DoS and code execution vulnerabilities.

The Session Initiation Protocol (SIP) is a multimedia communication standard used to make voice and video calls over an IP network. IOS’s SIP implementation suffers from three unspecified vulnerabilities involving the way it handles SIP Messages. By sending specially crafted SIP packets, a remote attacker could exploit these vulnerabilities to either reload your IOS device, or to potentially execute code on your IOS device. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit the DoS vulnerabilities to knock your network offline. In the case of code execution, the attacker could potentially gain complete control of your IOS device.
Base CVSS Score: 10

Cisco Document ID 111265: IOS H.323 DoS vulnerabilities.

H.323 is a protocol designed to stream multimedia over a network, and often used in video conferencing. IOS’s H.323 implementation suffers from two unspecified vulnerabilities involving the way it handles H.323 traffic. By sending specially crafted H.323 packets, a remote attacker could exploit these vulnerabilities to reload your IOS device. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit these vulnerabilities to knock your network offline.
Base CVSS Score: 7.8 (10 being the most severe)

Cisco Document ID 111266: IOS IPsec DoS vulnerability.

IPsec is a VPN standard designed to allow you to securely tunnel private communications over the Internet. IOS’s IPsec implementation suffers from a flaw in the way it handles specially crafted IPsec IKE packets. By sending specially crafted IKE packets to your Cisco device, a remote attacker could exploit this vulnerability to reload your IOS device. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit these vulnerabilities to knock your network offline.
Base CVSS Score: 7.8

The remaining advisories also fix DoS flaws just as severe as the ones described above. For greater detail on all of Cisco’s March vulnerabilities, check out the individual advisories in the References section of this alert, or refer to Cisco’s bundled security advisory for March 2010.

Cisco also published an advisory describing a DoS vulnerability in their Unified Communications Manager (UCM). If you use Cisco UCM, be sure to apply these patches as well.

Solution Path:

Cisco has released patches to fix these vulnerabilities. If you use any Cisco device running IOS software or Cisco’s Unified Communications Manager (UCM), you should immediately consult the “Software Versions and Fixes” and “Obtaining Fixed Software” sections of the advisories listed in Cisco’s bundled security advisory for March 2010 to learn which fixes apply to your devices, and how to obtain them. You can also refer to the “Software Versions and Fixes” and “Obtaining Fixed Software” section of each of the individual alerts linked below.

For All WatchGuard Users:

Since these vulnerabilities can affect your router, which is typically in front of your WatchGuard firewall, the solutions above are your primary recourse.

Status:

Cisco has made fixes available.

References:
