AusCERT - ESB-98.197 -- Cisco Security Issue Update -- Update on Cisco IOS 12.0 security bug

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-98.197 -- Cisco Security Issue Update -- Update on Cisco IOS 12.0 security bug
Date: 23 December 1998

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
              AUSCERT External Security Bulletin Redistribution
                             
                  ESB-98.197 -- Cisco Security Issue Update
                    Update on Cisco IOS 12.0 security bug
                              23 December 1998

===========================================================================

Cisco Systems, Inc. has released the following update concerning a security 
bug in Cisco IOS.  This vulnerability may allow remote users to use nmap 
UDP scans to crash Cisco routers running some versions of Cisco IOS software 
including version 12.0.

The following included message from Cisco's John Bashinski is self-contained, 
and even though it mentions a previous posting, all of the original information
is included in this version of the message.

PLEASE NOTE: AusCERT has verified that the URL mentioned at the end of 
the included bulletin, contains an error.  The correct URL should read:

http://www.cisco.com/warp/public/791/sec_incident_response.shtml


- --------------------------BEGIN INCLUDED TEXT------------------

- -----BEGIN PGP SIGNED MESSAGE-----

This is an update for a message I sent about 5 hours ago.

Changes from the earlier message:

  1. We've found more affected versions. In addition to all 12.0 variants,
     11.3AA and 11.3DB are affected. Plain old 11.3 is *not* affected.
     Neither is, 11.3T, or any of the other 11.3 variants we've
     looked at. We now know where the bug was introduced, and it's
     unlikely that that code has made its way into any releases other
     than 11.3AA, 11.3DB, and the 12.0 variants. When our Sydney office
     wakes up, we'll be able to make some final checks.

  2. I left out the bug ID in the last message. It's CSCdk77426.

  3. The workaround text mentions broadcast addresses.

We still don't have fix dates; it can take some time to get fixes
through the release process. When we have fix dates, we'll do
a formal notice.

Amended message follows--

We've had a report of nmap UDP scans crashing Cisco routers running
Cisco IOS software version 12.0. This was mentioned on BUGTRAQ, which
has a very wide distribution. It would be very easy to exploit.
Administrators should be on the lookout for potential exploitation of
this bug.

We've verified that the problem does exist. We believe that it affects
all Cisco routers running any variant of 12.0 (including 12.0T, 12.0S,
etc.). 11.3AA and 11.3DB are also affected. Mainline 11.3 and 11.3T are
not affected. None of the other 11.3 variants that we've checked are
affected. Because of where the problem was introduced, we think that
11.3AA and 11.3DB are almost certainly the only affected 11.3
variants. We will continue to check other 11.3 variants, and will issue
another update if any turn up affected.

The problem appears to be caused by packets sent to the router's syslog
port (UDP port 514). A tested workaround is to use an access list to
block incoming syslog traffic. You'd do this with something like this:

    ! Deny all multicasts to port 514
    access-list 101 deny udp any 224.0.0.0 31.255.255.255 eq 514
    ! Deny old-style broadcasts
    access-list 101 deny udp any host 0.0.0.0 eq 514
    ! Deny network-specific broadcasts (*example*; depends on local netmasks)
    access-list 101 deny udp any 192.31.7.255 eq 514
    ! Deny router's own addresses
    access-list 101 deny udp any host <router-addr-1> eq 514
    access-list 101 deny udp any host <router-addr-2> eq 514
    access-list 101 deny udp any host <router-addr-3> eq 514
    ... etc ...
    access-list 101 permit ip any any

    interface <interface-1>
    ip access-group 101 in

    interface <interface-2>
    ip access-group 101 in

    ... etc ...

The access list needs to block syslog traffic destined for any of the
router's own IP addresses, or for any broadcast or multicast address on
which the router may be listening. Don't forget to block all-zeroes
broadcasts as well as all-ones broadcasts. It should be applied on
all interfaces running IP, including virtual interfaces and
subinterfaces (but not loopback interfaces).

This workaround *does* have a performance impact that may be significant
for some users. The impact isn't usually extreme, but it may make a
difference on a router that's already heavily loaded. Install it with
care if you install it.

This bug may cause different router platforms to crash differently.
Some routers have been observed to reboot and claim that they
were "restarted by power-on"; you won't necessarily get a stack
trace from one of these crashes.

Since this is still not completely characterized, and since we do not
yet have any reports of exploitation, you may choose to hold the
workaround in reserve and apply it only if you believe you are being
attacked. We should have a formal notice with full details within the
next few days. We cannot yet make any estimate of when a fix will be
available; we should have more information by the time the formal notice
comes out.

If you find that you are actually attacked with this, please report
the attack to Cisco at "security-alert@cisco.com".

For more information on Cisco security procedures, see

   http://www.cisco.com/warp/customer/791/sec_incident_response.shtml

                                        -- J. Bashinski
                                           Cisco Systems

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3in
Charset: noconv

iQEVAwUBNoARckZi51ggEbh5AQEVlwf9EKP5iPzwfp4UpxsN1nnqLscyrLYYKXIs
ce/EMcQP7znbkmse6cSFz5nOIKQpRl+c+rxLg8V3oeGTEriIyOA/jR0oVeU2Nn4N
rS6daaorZU1ngGhZ4zTRYNoGbGOU4EjwnU/wJV1yrrIuLA3EAHz+67kT90qSRJy7
R8ny+0tbtu7ZFdHI9Ccokal59HOz+Gbt29ep5/Ft0REVFoRqJCphJP06bT2HLIXZ
qLXPBErmVc9fP0wqdf11tbc3zaiytBbVn6is9sFdqod14KeiBblOC99vfM7OG1KY
rh3pLqSeLs76sw4RZycXAQWdLiY3Xgx3ZFwhB0YrpzUJnXGEDbcb7Q==
=Xp1o
- -----END PGP SIGNATURE-----


- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBNpZE/Sh9+71yA2DNAQHRYwQAjJ9ml8MlE10mD9/wO/i9CZTApD7OFOpK
C2O6ghjFBAtzpBPx6f6A0Rf0RavjUFh6Ybn1GWPrYBbXdI2q5E9XlXTJ8bZMbcrk
TIr6qt2h5wLNNEhuoBFdJfmMnbb/FVBEXCAwRRpwBnLEtqV8+9/PpsX9XdsLl2P2
563E/gFnBes=
=cD61
-----END PGP SIGNATURE-----