
ESB-1999.040 -- Cisco security notice -- Cisco Catalyst Supervisor Remote Reload vulnerability

Date: 25 March 1999

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
              AUSCERT External Security Bulletin Redistribution
                             
                    ESB-1999.040 -- Cisco security notice
            Cisco Catalyst Supervisor Remote Reload vulnerability
                                25 March 1999

===========================================================================

Cisco Systems, Inc. has released the following advisory concerning a 
software bug (Cisco bug ID CSCdi74333) which may allow remote users to cause 
reloads of Cisco Catalyst LAN switches running Catalyst 5000 supervisor 
software.


- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

Cisco Catalyst Supervisor Remote Reload

Revision 1.2
For release Wednesday, March 24, 1999, 12:00 PM US/Pacific

Cisco internal use only until release
=================================================================

Summary
=======
A software bug (Cisco bug ID CSCdi74333) allows remote TCP/IP users to cause
reloads of Cisco Catalyst LAN switches running Catalyst 5000 supervisor
software versions from 1.0 through 2.1(5). The affected software was last
shipped with new units in early 1997. In addition to the Catalyst 5xxx
series, some, but not all, Catalyst 29xx family switches may run the
affected software; see "Who is Affected" for more information.

A similar bug, Cisco bug ID CSCdj71684, exists in the supervisor software
for the older, and now discontinued, Catalyst 12xx family, up through
software version 4.29.

Fixes are available for both bugs. The fixes have been in the field for some
time. Most Catalyst switch users have probably already installed the fixes.

Who Is Affected
===============
The following Cisco Catalyst LAN switch models are affected by this
vulnerability--

   * The Catalyst 12xx family, running supervisor software versions up to
     and including 4.29.
   * The Catalyst 29xx family (but not the Catalyst 2900XL), running
     supervisor software versions up to and including 2.1(5), 2.1(501), and
     2.1(502). This includes the Catalyst 2901, 2902, and 2903 switches.
     Catalyst 2926 switches are not affected, because the Catalyst 2926 was
     not released until after the software fix was made. Catalyst 2900XL
     switches run unrelated software, and are not affected by this
     vulnerability.
   * The Catalyst 5xxx series (including the Catalyst 55xx family), running
     supervisor software versions up to and including 2.1(5), 2.1(501), and
     2.1(502).

Catalyst 5xxx and 29xx switches running versions 2.1(6) and later are not
affected. Catalyst 12xx switches running versions 4.30 and later are not
affected. Some Cisco Catalyst switches include intelligent modules that run
software independent of the supervisor software. These modules, which
include a variety of media controllers as well as the route switch module
(RSM), are not affected.

Fixed software for the Catalyst 5xxx and Catalyst 29xx series began shipping
with new switches in mid-1997. Sales of the Catalyst 12xx family were
stopped before the release of software version 4.30; if you have not
upgraded your software since installing your Catalyst 12xx switch, you are
affected by this vulnerability.

The affected Cisco Catalyst LAN switches are rack-mountable units typically
found in data centers and cable closets.

Impact
======
A remote attacker who knows how to exploit this vulnerability, and who can
make a connection to TCP port 7161 on an affected switch, can cause the
supervisor module of that switch to reload. While the supervisor is
reloading, the switch will not forward traffic, and the attack will
therefore deny service to the equipment attached to the switch. The switch
will recover automatically, but repeated attacks can extend the denial of
service indefinitely.

Software Details
================
For the Catalyst 29xx and Catalyst 5xxx switches, this vulnerability has
Cisco bug ID CSCdi74333. The bug is present in all supervisor software
versions through 2.1(5), including the spot fix releases 2.1(501) and
2.1(502). The bug is fixed in 2.1(6) and later versions, including all 2.2,
2.3, and 2.4 versions, and all 3.x, 4.x, and later versions.

For the Catalyst 1200, this vulnerability has Cisco bug ID CSCdj71684. The
bug is present in all software versions through 4.29, and is fixed in 4.30
and later versions.
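
The version boundaries above can be applied to a switch inventory as follows. This is an added example, not part of Cisco's notice or AusCERT's bulletin; the hostnames, the inventory layout and the sample rows are constructed for illustration.

```python
import re

# Version boundaries as stated in the notice (CSCdi74333 and CSCdj71684).
FIRST_FIXED_5XXX_29XX = (2, 1, 6)
FIRST_FIXED_12XX = (4, 30)
AFFECTED_SPOT_FIXES = {(2, 1, 501), (2, 1, 502)}  # numerically above 2.1(6), still affected

def parse_version(text):
    """Turn '2.1(5)' or '4.29' into a tuple of ints for comparison."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\((\d+)\))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised supervisor version: {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)

def is_affected(model, version):
    """Return True if the notice lists this model/version pair as affected."""
    m = re.search(r"(\d{4})\s*-?\s*(XL)?", model.upper())
    if not m:
        raise ValueError(f"unrecognised model: {model!r}")
    number, xl = m.groups()
    if xl or number == "2926":  # 2900XL and 2926 are called out as unaffected
        return False
    v = parse_version(version)
    if number.startswith("12"):
        return v < FIRST_FIXED_12XX
    if number.startswith(("29", "5")):
        return v in AFFECTED_SPOT_FIXES or v < FIRST_FIXED_5XXX_29XX
    raise ValueError(f"model not covered by this notice: {model!r}")

# Constructed inventory for illustration: (hostname, model, supervisor version).
INVENTORY = [
    ("sw-core-1", "Catalyst 5000", "2.1(5)"),
    ("sw-core-2", "Catalyst 5500", "2.1(12)"),
    ("sw-lab-1", "Catalyst 5000", "2.1(502)"),
    ("sw-floor-1", "Catalyst 2901", "2.1(6)"),
    ("sw-old-1", "Catalyst 1200", "4.29"),
    ("sw-old-2", "Catalyst 1200", "4.30"),
]

def affected_hosts(inventory):
    """Names of switches that still need the upgrade or a TCP 7161 filter."""
    return [host for host, model, ver in inventory if is_affected(model, ver)]

if __name__ == "__main__":
    print(affected_hosts(INVENTORY))
```

A plain numeric comparison would wrongly clear 2.1(501) and 2.1(502), which is why the spot-fix releases are listed explicitly.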

Getting Fixed Software
----------------------
Cisco is offering free software upgrades to remedy this vulnerability for
all vulnerable Catalyst 5xxx, Catalyst 29xx, and Catalyst 12xx customers,
regardless of contract status. Customers with service contracts may upgrade
to any software version. Catalyst 5xxx and Catalyst 29xx customers without
contracts may upgrade to any 2.1 version from 2.1(6) onward; 2.1(12) is
suggested. Catalyst 12xx customers without contracts may upgrade to
version 4.30.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades should
be obtained via the Software Center on Cisco's Worldwide Web site at
http://www.cisco.com.

Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

   * +1 800 553 2447 (toll-free from within North America)
   * +1 408 526 7209 (toll call from anywhere in the world)
   * e-mail: tac@cisco.com

Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested through
the TAC. Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

Workarounds
===========
This vulnerability may be worked around by assigning no IP addresses to
affected Cisco Catalyst switches. However, this workaround will have the
effect of disabling all remote management of those switches.

Another possible workaround is to use the filtering capabilities of
surrounding routers and/or dedicated firewall devices to prevent untrusted
hosts from making connections to TCP port 7161 on affected switches.

Exploitation and Public Announcements
=====================================
Cisco knows of no public announcements or discussion of this vulnerability
before the date of this notice. Cisco has had no reports of malicious
exploitation of this vulnerability. These bugs were identified and reported
by outside companies conducting laboratory testing.

No special tools, and only the most basic of skills, are needed to exploit
this vulnerability. It would not be difficult for a person with minimal
sophistication to find a way to exploit this vulnerability.

Status of This Notice
=====================
This is a final field notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all of the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this notice unless there is some material change in the facts. Should there
be a significant change in the facts, Cisco may update this notice.

Distribution
------------
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/770/cat7161-pub.shtml . In addition to
Worldwide Web posting, the initial version of this notice is being sent to
the following e-mail and Usenet news recipients:

   * cust-security-announce@cisco.com
   * bugtraq@netspace.org
   * first-teams@first.org (includes CERT/CC)
   * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.

Acknowledgements
----------------
Cisco thanks the Internet Security Systems (ISS) X-Force, for independently
discovering this matter and bringing it to the attention of Cisco's Product
Security Incident Response Team (PSIRT).

The initial report of CSCdi74333 was received before the establishment of
the PSIRT, from a customer who has neither requested credit nor given
permission to be named in this notice. Cisco security notices do not name or
credit third parties without their specific permission.

Revision History
----------------
 Revision 1.0, 17:45 US/Pacific, 22-MAR-1999: Initial release candidate
     version
 Revision 1.1, 09:30 US/Pacific, 23-MAR-1999: Cosmetic changes
 Revision 1.2, 11:00 US/Pacific, 24-MAR-1999: Remove erroneous mention of
     unaffected products.

Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's Worldwide
Web site at http://www.cisco.com/warp/public/791/sec_incident_response.shtml .
This includes instructions for press inquiries regarding Cisco security
notices.

------------------------------------------------------------------------
This notice is copyright 1999 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including
all date and version information.
------------------------------------------------------------------------

- -----BEGIN PGP SIGNATURE-----
Version: Big secret

- -----END PGP SIGNATURE-----


- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be made in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

-----END PGP SIGNATURE-----