Date: 18 May 1998
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-98.073 -- Cisco field notice
Cisco Web Cache Control Protocol Router Vulnerability
18 May 1998
===========================================================================
Cisco Systems has released the following advisory concerning a vulnerability
in their Web Cache Control Protocol. This vulnerability may allow users
to divert some or all HTTP (WWW) traffic to any host they choose.
The following security bulletin is provided as a service to AusCERT's
members. As AusCERT did not write this document, AusCERT has had no
control over its content. As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It will
not be updated when the original bulletin is. If downloading at a later
date, it is recommended that the bulletin is retrieved from the original
authors to ensure that the information is still current.
Contact information for Cisco is included in the Security Bulletin below.
If you have any questions or need further information, please contact them
directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Field Notice:
Cisco Web Cache Control Protocol Router Vulnerability
May 13, 1998
Summary
=======
Cisco's Cisco Cache Engine product provides transparent caching for
world-wide web pages retrieved via HTTP. The Cache Engine uses a Cisco
proprietary protocol called the Web Cache Control Protocol (WCCP) to
communicate with a properly-configured Cisco router and register as a cache
service provider. The router then diverts HTTP traffic to the Cache Engine.
Although this process is not enabled by default, and takes place only if a
user specifically configures the router to enable WCCP, there is no
authentication in WCCP itself. A router configured to support Cache Engines
will treat any host that sends it valid WCCP hello packets as a cache
engine, and may divert HTTP traffic to that host. This means that it is
possible for malicious users to divert web traffic passing through such a
router, even though they may not have either physical or configuration
access to the router.
This attack can be avoided by using access lists to prevent WCCP traffic
from untrusted hosts from reaching the router. Cisco will be modifying WCCP
to include hash-based authentication in a future release.
Who Is Affected
===============
All users of the Cisco Cache Engine and WCCP who have not configured
filtering access lists to prevent WCCP access by unauthorized hosts are
affected by this attack.
Users who have not specifically configured their routers to enable WCCP are
not affected by this attack. If the character string "wccp" does not appear
in your router configuration file, you are not affected.
Impact
======
Attackers can cause a router configured for WCCP to divert some or all HTTP
traffic to any host they choose, anywhere on the Internet. Once having done
this, attackers are able to:
* intercept confidential information, including site access passwords
* substitute data of their own choosing for the actual content of web
pages
* disrupt web service for connections passing through the targeted router
In order to do this, the attacker would either need a Cisco Cache Engine or
software capable of generating WCCP traffic. Cisco sells Cache Engines to
the general public, although a relatively small number have been shipped
thus far. The WCCP protococol specification is unpublished, but the protocol
is not immune to reverse engineering.
Details
=======
This vulnerability has been assigned Cisco bug ID CSCdk07174. If you are a
registered CCO user and you have logged in, you can view bug details.
Affected Software Versions
- - ------------------------
This vulnerability affects all versions of Cisco IOS software that support
WCCP that have been released as of the date of this notice. This includes
Cisco IOS 11.2(P) releases beginning with 11.2(10)P, 11.1CA releases
beginning with 11.1(14)CA, and 11.1 releases derived from 11.1(14)CA,
including 11.1CC.
Planned Software Fixes
- - --------------------
Cisco plans to release software that supports authentication for WCCP. This
will involve a modification to the WCCP protocol. In order to take advantage
of the authentication features, customers will need to upgrade the software
in both routers and Cache Engines, and will need to make some minor
configuration changes on both devices. Release of the improved software is
tentatively scheduled for September, 1998, but this schedule is subject to
change. Cisco believes that the workaround described below will adequately
protect Cache Engine users until the new software is ready.
Cisco is considering making an interim fix involving an explicit command to
apply an access list to all incoming WCCP traffic. This would be largely
equivalent to the workaround discussed below, but might be easier for some
users to configure. No decision has been made on when or whether to offer
this interim fix. If an interim fix is created, this notice will be updated
to reflect that fact.
Workaround
- - --------
WCCP runs over UDP at port 2048. By blocking unauthorized UDP traffic
destined to port 2048 on the router running WCCP, attackers can be prevented
from sending WCCP traffic to the router, and therefore from diverting any
actual traffic. For proper security, it's important to block all traffic
destined for port 2048 at any address assigned to the router, as well as at
all broadcast addresses for networks on which the router may be attached,
and all multicast addresses to which the router may be listening. The
blocking can be configured either using inbound access lists on the WCCP
router itself, or using access lists or other filtering on surrounding
devices.
Exploitation and Public Announcements
=====================================
Cisco has had no reports of malicious exploitation of this vulnerability.
Cisco knows of no public announcements of this vulnerability before the date
of this notice. However, the vulnerability has been independently identified
by several people both inside and outside of Cisco, and should be considered
to be public knowledge.
Status of This Notice
=====================
This is a final field notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this notice unless there is some material change in the facts. Should there
be a significant change in the facts, Cisco may update this notice.
Distribution
- - ----------
In addition to this CCO version of the field notice, the initial version of
this notice is also being sent via e-mail to the following recipients:
* cust-security-announce@cisco.com
* Identified Cisco Cache Engine customers. Cisco does not guarantee its
ability to identify every person or organization that may be in
possesssion of a Cache Engine, nor to exclude every person or
organization that does not have a Cache Engine.
* bugtraq@netspace.org
* first-teams@first.org (includes CERT/CC)
* Internal Cisco mailing lists
Future updates of this notice, if any, will be documented in this CCO
version of the field notice, but will not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged to
check this URL for updates.
Revision History
- - --------------
Revision 1.0, Initial released version
08:00 AM
US/Pacific,
13-MAY-1998
Cisco Security Procedures
=========================
Please report security issues with Cisco products, and/or sensitive security
intrusion emergencies involving Cisco products, to security-alert@cisco.com.
Reports may be encrypted using PGP; public RSA and DSS keys for
"security-alert@cisco.com" are on the public PGP keyservers.
The alias "security-alert@cisco.com" is used only for reports incoming to
Cisco. Mail sent to the list goes only to a very small group of users within
Cisco. Neither outside users nor unauthorized Cisco employees may subscribe
to "security-alert@cisco.com".
Please do not use "security-alert@cisco.com" for configuration questions,
for security intrusions that you do not consider to be sensitive
emergencies, or for general, non-security-related support requests. We do
not have the capacity to handle such requests through this channel, and will
refer them to Cisco's Technical Assistance Center (TAC), delaying response
to your questions. We advise contacting the TAC directly with these
requests:
* (800) 553-24HR
* (408) 526-7209
* e-mail: tac@cisco.com
All formal public security notices generated by Cisco are sent to the public
mailing list "cust-security-announce@cisco.com". For information on
subscribing to this mailing list, send a message containing the single line
"info cust-security-announce" to "majordomo@cisco.com". An analogous list,
"cust-security-discuss@cisco.com", is available for public discussion of the
notices and of other Cisco security issues.
This notice is copyright 1998 by Cisco Systems, Inc. This notice may be
redistributed freely provided that redistributed copies are complete and
unmodified, including all date and version information.
- -----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQEVAwUBNVzLPAyPsuGbHvEpAQEdgQf+IqBIee3dogVddsqNduZF17pkuAbCWxt8
HBKJMD3isiIgcIHsnUXPuDzeQPaRf9hoxP2DY/htxqQkAUolfrQbw/bQaYVv1I2g
Txc7B+0ZjGBxGovuOWmMnpKBXvCYusRkmzvLIHGiw+FB//gRAM4RJjcCdKKZVOBm
CVDOPuWgzY5WTQsIt/g/Sqe4KoyR4/9hm3sbzXuqeJZ4xxLrJv6t3n3BUQgv7V0n
KdkUU8SfGMG6py0PBVkPTiA8UdCCfdc9/gDVCHtpo4xwFKheEeBTkTsokYz7/lat
53MYCO5EEvqXpBRrjOz7znLTrugmhBLkS713jqFTe4DLfSlNSo5ehA==
=1LfV
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBNWWV5Sh9+71yA2DNAQGsqgQAknBJv9MP/4fnbDTWdQ/BoGt93O/T8eMa
Tx+2zRnzNjxctLHJHLRwsK026UZO8NjsHIQruWtsK3Ho4mi9b9OGDDOD9XtMm82y
ayPVrmBZDlUP9xgnAELXOMoDfcKRZ7n9Zq2qaZeqt6TJQ7shuVlSAApqMQOoEwJY
1BvPFk8dDCE=
=i/IS
-----END PGP SIGNATURE-----
|