ESB-2002.081 -- Cisco Security Advisory -- Malformed SNMP Message-Handling Vulnerabilities for Cisco Non-IOS Products

Date: 19 February 2002
References: ESB-2002.065  ESB-2002.067  ESB-2002.080  

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                  ESB-2002.081 -- Cisco Security Advisory
Malformed SNMP Message-Handling Vulnerabilities for Cisco Non-IOS Products
                             19 February 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Multiple Non-IOS Cisco products implementing the
                        Simple Network Management Protocol (SNMP)
Vendor:                 Cisco Systems
Impact:                 Denial of Service
Access Required:        Remote

Ref:                    AL-2002.02
                        ESB-2002.065
                        ESB-2002.067
                        ESB-2002.080

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

Cisco Security Advisory: Malformed SNMP Message-Handling Vulnerabilities for
Cisco Non-IOS Products

Revision 1.1

For Public Release 2002 February 11 23:00 GMT

Last Updated 2002 February 13 12:00 GMT

- - -------------------------------------------------------------------------------

Summary

Multiple Cisco products contain vulnerabilities in the processing of Simple
Network Management Protocol (SNMP) messages. The vulnerabilities can be
repeatedly exploited to produce a denial of service. In most cases, workarounds
are available that may mitigate the impact. These vulnerabilities are
identified by various groups as VU#617947, VU#107186, OUSPG #0100,
CAN-2002-0012, and CAN-2002-0013.

This advisory is available at
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml.

This document details information on Cisco non-IOS products.

This notice is part of "Cisco Security Advisory: Malformed SNMP
Message-Handling Vulnerabilities" and cannot be used on its own without the
primary advisory. It is available at
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-non-ios-pub.shtml.

Software Versions and Fixes

Cisco Software - Non IOS

Each row of the software table (below) describes a product platform set, and
the first available fixed release.

In all cases, customers should exercise caution to confirm that the devices to
be upgraded contain sufficient memory and that current hardware and software
configurations will continue to be supported properly by the new software
release. If the information is not clear, contact the Cisco TAC for assistance
as shown in the "Obtaining Fixed Software" section.

This information will be updated as more releases become available.

+---------------------------------------------------------+
|   CatOS Product   |   Defect ID   |    Availability     |
|                   |               |  of Fixed Releases  |
|-------------------+---------------+---------------------|
| Catalyst 4000,    | CSCdw67458    | 7.1(2)              |
| Catalyst 5000,    |               |---------------------|
| Catalyst 6000     |               | 6.3(5)              |
| Family            |               |---------------------|
|                   |               | 6.2(3a)             |
|                   |               | (available soon)    |
|                   |               |---------------------|
|                   |               | 6.1(4b)             |
|                   |               |---------------------|
|                   |               | 5.5(13a)            |
|                   |               |---------------------|
|                   |               | 5.4(4a)             |
|                   |               | (available soon)    |
|                   |               |---------------------|
|                   |               | 4.5(13a)            |
+---------------------------------------------------------+

Each row of the software table (below) describes a product and the defect
identifier, and if available, the first fixed release.

In all cases, customers should exercise caution to confirm that the devices to
be upgraded contain sufficient memory and that current hardware and software
configurations will continue to be supported properly by the new software
release. If the information is not clear, contact the Cisco TAC for assistance
as shown in the "Obtaining Fixed Software" section.

This information will be updated as more releases become available.

+---------------------------------------------------------+
|     Product      |  Defect ID   | Intended First Fixed  |
|                  |              |       Releases*       |
|---------------------------------------------------------|
| Content Networking                                      |
|---------------------------------------------------------|
| Arrowpoint       |              | 4.01.053s,            |
| CS11000          | CSCdw64236   | 5.01.013s,            |
|                  |              | 5.02.005s             |
|------------------+--------------+-----------------------|
| Cache Engine 505 |              |                       |
| /570             | CSCdw65996   |                       |
| Content 507/560/ |              |                       |
| 590/7320         |              |                       |
|------------------+--------------+-----------------------|
| Internet CDN     | CSCdw69634   | 2.1.1                 |
|------------------+--------------+-----------------------|
| Local Director   | CSCdw64918   |                       |
|---------------------------------------------------------|
| Desktop Switching                                       |
|---------------------------------------------------------|
| MicroHub 1500    | CSCdw67327   |                       |
|------------------+--------------+-----------------------|
| Catalyst 3900    | CSCdw71510   |                       |
| Series           |              |                       |
|---------------------------------------------------------|
| Consumer DSL                                            |
|---------------------------------------------------------|
| CBOS             | CSCdw65068   |                       |
|---------------------------------------------------------|
| Network Management                                      |
|---------------------------------------------------------|
| Cat6k NAM        | CSCdw61011   | 1.2(3), 2.1(2)        |
|------------------+--------------+-----------------------|
| CiscoWorks       | CSCdw64558   |                       |
| Windows/WUG      |              |                       |
|------------------+--------------+-----------------------|
| Hosting Solution | CSCdw60969   |                       |
| Engine           |              |                       |
|------------------+--------------+-----------------------|
| SNMPc            | CSCdw64713   |                       |
|------------------+--------------+-----------------------|
| Switch Probe     | CSCdw62257   |                       |
|------------------+--------------+-----------------------|
| Traffic Director | CSCdw64528   |                       |
|------------------+--------------+-----------------------|
| User             |              |                       |
| Registration     | CSCdw61176   |                       |
| Tool - VLAN      |              |                       |
| Policy Server    |              |                       |
|------------------+--------------+-----------------------|
| Access Registrar | CSCdw35595   |                       |
|------------------+--------------+-----------------------|
| Cisco Info       | CSCdw62590   |                       |
| Center           |              |                       |
|---------------------------------------------------------|
| Voice Products                                          |
|---------------------------------------------------------|
| WS-X6608         | CSCdw62862   | 003.002               |
|                  |              | (000.147)             |
|------------------+--------------+-----------------------|
| WS-X6624         | CSCdw62863   | 003.002               |
|                  |              | (000.147)             |
|---------------------------------------------------------|
| Carrier Class Products                                  |
|---------------------------------------------------------|
| BPX/IGX          | CSCdw58704   | 9.2.41, 9.3.36        |
|------------------+--------------+-----------------------|
| Cisco WAN        | CSCdw69753,  | 10.4.10 Patch         |
| Manager          | CSCdw69736,  | 2.1, 10.5.10          |
|                  | CSCdw69954   | Patch 1               |
|------------------+--------------+-----------------------|
| MGX-8220         | CSCdw63646   | 5.0.18                |
|------------------+--------------+-----------------------|
| MGX-8230,        |              |                       |
| MGX-8250,        | CSCdw56886   | 1.2.01, 1.1.32a       |
| MGX-8850 R1      |              |                       |
|------------------+--------------+-----------------------|
| MGX-8850 R2      | CSCdw56907   | 2.1.75                |
|------------------+--------------+-----------------------|
| Service          | CSCdw56907   | 1.0.16                |
| Expansion Shelf  |              |                       |
|---------------------------------------------------------|
| Wireless Products                                       |
|---------------------------------------------------------|
|                  |              | 11.05a, 11.06a,       |
| AP340 Series,    | CSCdw63011   | 11.07a,               |
| AP352            |              | 11.08T1,              |
|                  |              | 11.10T1               |
|------------------+--------------+-----------------------|
|                  |              | 11.05a, 11.06a,       |
| AP352            | CSCdw63031   | 11.07a,               |
|                  |              | 11.08T1,              |
|                  |              | 11.10T1               |
|------------------+--------------+-----------------------|
| BR340 Series,    | CSCdw63248   | 8.24_2, 8.55_2,       |
| BR352            |              | 8.65_2                |
|------------------+--------------+-----------------------|
|                  |              | 11.05a, 11.06a,       |
| BR352            | CSCdw63032   | 11.07a,               |
|                  |              | 11.08T1,              |
|                  |              | 11.10T1               |
|------------------+--------------+-----------------------|
| WGB340 Series    | CSCdw63264   | 8.24_2, 8.55_2,       |
|                  |              | 8.65_2                |
|------------------+--------------+-----------------------|
| WGB352           | CSCdw63264   | 8.55_2, 8.65_2        |
|---------------------------------------------------------|
| Security Products                                       |
|---------------------------------------------------------|
| NetRanger        | CSCdw44477   | 03.0(04)S16           |
|------------------+--------------+-----------------------|
| NetRanger Sensor | CSCdw47000   |                       |
|------------------+--------------+-----------------------|
| PIX              | CSCdw63021   |                       |
|------------------+--------------+-----------------------|
| VPN 3000         | CSCdw64623   |                       |
+---------------------------------------------------------+

Workarounds for Cisco Non-IOS Products

CAT OS

  * Apply IP Permit List for SNMP to enable access to the switch's management
    interface only from the network management workstations.

    For instructions on how to do this, please refer to
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_6_3/config/ip_perm.htm.

    Please note that this will not prevent spoofed IP packets with the source
    IP address set to that of the network management station from reaching the
    switch's management interface.

Configuration Notes

The following command enables an ip permit list based on SNMP:

    set ip permit enable snmp

The following command enables a specific IP address to have SNMP access:

    set ip permit 192.168.0.100 255.255.255.255 snmp

In CatOS versions prior to 5.4(1), IP permit lists based on port number are not
supported.

The following command enables an ip permit list that affects both Telnet and
SNMP access:

    set ip permit enable

    or

    set ip permit 192.168.0.100 255.255.255.255

  * On the Catalyst 6000 series switches, if the Virtual LAN (VLAN) Access
    Control List (ACL) (VACL) feature is available in the code base, you can
    use VACLs instead of the IP Permit List workaround above.

    For instructions on how to do this, please refer to
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sft_6_1/configgd/acc_list.htm.

    Please note that this will not prevent spoofed IP packets with the source
    IP address set to that of the network management station from reaching the
    switch's management interface.

PIX

SNMP is DISABLED by default, and warnings are displayed to the administrator
when SNMP is configured to listen on the OUTSIDE interface.

  * Disable SNMP - you can do this by removing all snmp-server host commands.

    Example:
    vpn-pix506B#show snmp
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps

  * Change the snmp-server community string to something other than
    "public".

    Example:
    vpn-pix506B#show snmp
    snmp-server host inside 172.18.123.68
    no snmp-server location
    no snmp-server contact
    snmp-server community blahblah
    no snmp-server enable traps

  * The PIX is not vulnerable if the PROTO test suite is run from a server
    whose IP address is not explicitly defined in the snmp-server host command.

  * Review the configuration for lines such as the following, with the keyword
    "outside", which indicates that the PIX is configured to accept SNMP
    queries from the unprotected interface:

        snmp-server host outside 172.18.123.68

LocalDirector

SNMP is not on by default. Access lists can and should be applied.

  * Disable SNMP - you can do this by removing all snmp-server host commands.

    Example:

    vpn-pix506B#show snmp
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps

  * Change the snmp-server community string to something other than
    "public".

    Example:

    LD#show snmp
    snmp-server host 172.18.123.68
    no snmp-server location
    no snmp-server contact
    snmp-server community blahblah
    no snmp-server enable traps

  * The LocalDirector is not vulnerable if the PROTO test suite is run from a
    server whose IP address is not explicitly defined in the snmp-server host
    command.

ArrowPoint/CSS11000

The command "snmp community public read-write" is the configuration that is
vulnerable to the suite.

By issuing the show run global command, you can search for "read-write" to
determine if the CSS is vulnerable.

Configure a STRONG community string for read-write, and use access lists on the
box for additional control.

Cisco Cache Engine

Disable SNMP with the following command:


    no snmp-server host
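
The configuration checks named in the PIX, LocalDirector, ArrowPoint/CSS11000 and CatOS workarounds above, collected into one audit script. This is an added example, not part of the Cisco or AusCERT text: the function audit(), the finding labels and the sample configuration are constructed for illustration, and it assumes saved configurations hold the commands one per line in the form quoted in this advisory.

```python
import re

# Command forms quoted in the advisory, assumed to appear one per line.
HOST = re.compile(r"^snmp-server\s+host\s+(?:(\S+)\s+)?(\d+\.\d+\.\d+\.\d+)\s*$")
COMMUNITY = re.compile(r"^snmp-server\s+community\s+(\S+)\s*$")
CSS_RW = re.compile(r"^snmp\s+community\s+(\S+)\s+read-write\s*$")
CATOS_ENABLE = re.compile(r"^set\s+ip\s+permit\s+enable(?:\s+snmp)?\s*$")
CATOS_ENTRY = re.compile(
    r"^set\s+ip\s+permit\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)(?:\s+snmp)?\s*$")


def audit(config_text, platform):
    """Return sorted finding labels (hypothetical names) for one saved config.

    platform is chosen by the caller: "pix", "localdirector", "css" or "catos".
    """
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = set()
    if platform in ("pix", "localdirector"):
        for ln in lines:
            host = HOST.match(ln)
            if host:
                # SNMP is disabled only when no snmp-server host line remains.
                findings.add("snmp-enabled")
                if host.group(1) == "outside":
                    findings.add("snmp-host-on-outside")
            comm = COMMUNITY.match(ln)
            if comm and comm.group(1) == "public":
                findings.add("community-public")
    elif platform == "css":
        for ln in lines:
            rw = CSS_RW.match(ln)
            if rw:
                findings.add("css-read-write-community")
                if rw.group(1) == "public":
                    findings.add("css-read-write-public")
    elif platform == "catos":
        # "set ip permit enable" (Telnet and SNMP) or "... enable snmp" both count.
        if not any(CATOS_ENABLE.match(ln) for ln in lines):
            findings.add("catos-permit-list-not-enabled")
        entries = [m for m in map(CATOS_ENTRY.match, lines) if m]
        if not entries:
            findings.add("catos-no-permit-entries")
        # Assumption of this example: a mask other than a host mask is worth review.
        if any(m.group(2) != "255.255.255.255" for m in entries):
            findings.add("catos-permit-entry-wider-than-host")
    else:
        raise ValueError("unknown platform: %r" % (platform,))
    return sorted(findings)


# Constructed sample, modelled on the advisory's "show snmp" examples.
PIX_SAMPLE = """\
snmp-server host outside 172.18.123.68
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
"""

if __name__ == "__main__":
    for finding in audit(PIX_SAMPLE, "pix"):
        print(finding)
```

An empty result for a CatOS configuration only means the permit list is enabled and populated; as the advisory notes, it does not stop spoofed packets that carry the management station's source address.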

Status of This Notice: Interim

This is an interim Security Advisory notice. Cisco anticipates issuing updated
versions of this notice at irregular intervals as there are material changes in
the facts, and will continue to update this notice as necessary.

The reader is warned that this notice may contain inaccurate or incomplete
information. Although Cisco cannot guarantee the accuracy of all statements in
this notice, all of the facts have been checked to the best of our ability.
Cisco anticipates weekly updates of this notice until it reaches final status.

A standalone copy or paraphrase of the text of this Security Advisory that
omits the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.

This notice is part of "Cisco Security Advisory: Malformed SNMP
Message-Handling Vulnerabilities" and cannot be used on its own without the
primary advisory.

Distribution

This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-non-ios-pub.shtml.
In addition to Worldwide Web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail
and Usenet news recipients:

  * cust-security-announce@cisco.com
  * bugtraq@securityfocus.com
  * first-teams@first.org (includes CERT/CC)
  * cisco@spot.colorado.edu
  * comp.dcom.sys.cisco
  * firewalls@lists.gnac.com
  * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide Web
server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the URL
given above for any updates.

Revision History

+------------------------------------------------+
|Revision  |2002-Feb-13   |Table updates         |
|Number 1.1|12:00 GMT     |                      |
|----------+--------------+----------------------|
|Revision  |2002-Feb-12   |Initial public release|
|Number 1.0|23:00 GMT     |                      |
+------------------------------------------------+

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products,
obtaining assistance with security incidents, and registering to receive
security information from Cisco, is available on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes
instructions for press inquiries regarding Cisco security notices. All Cisco
Security Advisories are available at http://www.cisco.com/go/psirt.

- - -------------------------------------------------------------------------------

This notice is Copyright 2002 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, and include all
date and version information.

- - -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Signed by Sharad Ahlawat, Cisco Systems PSIRT

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

-----END PGP SIGNATURE-----