Date: 01 October 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2007.0729 -- [Cisco]
Cisco Security Response: Catalyst 6500 and Cisco 7600 Series
Devices Accessible via Loopback Address
1 October 2007
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Catalyst 6500 and Cisco 7600 Series Devices
Publisher: Cisco Systems
Operating System: Cisco
Impact: Reduced Security
Access: Remote/Unauthenticated
CVE Names: CVE-2007-5134
Original Bulletin:
http://www.cisco.com/warp/public/707/cisco-sr-20070926-lb.shtml
Comment: According to Cisco's advisory, this vulnerability allows ACLs to
be bypassed, but limited or no further damage results from the
bypass:
"An attacker can exploit this behavior to bypass existing access
control lists that do not filter 127.0.0.0/8 address range;
however, an exploit will not allow an attacker to bypass
authentication or authorization."
Revision History: October 1 2007: Added CVE Name
September 27 2007: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Response: Catalyst 6500 and Cisco 7600 Series Devices
Accessible via Loopback Address
http://www.cisco.com/warp/public/707/cisco-sr-20070926-lb.shtml
Revision 1.0
For Public Release 2007 September 26 2200 UTC (GMT)
Cisco Response
==============
This document is the Cisco PSIRT response to an issue regarding Cisco
Catalyst 6500 and Cisco 7600 series devices that was discovered and
reported to Cisco by Lee E. Rian.
The original report has been posted to the full-disclosure mailing list.
Cisco PSIRT greatly appreciates the opportunity to work with
researchers on security vulnerabilities, and we welcome the
opportunity to review and assist in product reports.
This vulnerability is documented in Cisco bug ID CSCsg02323.
This Cisco Security Response is available at the following link:
http://www.cisco.com/warp/public/707/cisco-sr-20070926-lb.shtml
Additional Information
======================
Cisco Catalyst 6500 and Cisco 7600 series devices use addresses from
the 127.0.0.0/8 (loopback) range in the Ethernet Out-of-Band Channel
(EOBC) for internal communication.
Addresses from this range that are used in the EOBC on Cisco Catalyst
6500 and Cisco 7600 series devices are accessible from outside of the
system. The Supervisor module, Multilayer Switch Feature Card (MSFC),
or any other intelligent module may receive and process packets that
are destined for the 127.0.0.0/8 network. An attacker can exploit
this behavior to bypass existing access control lists that do not
filter 127.0.0.0/8 address range; however, an exploit will not allow
an attacker to bypass authentication or authorization. Valid
authentication credentials are still required to access the module in
question.
Per RFC 3330, a packet that is sent to an address anywhere within the
127.0.0.0/8 address range should loop back inside the host and should
never reach the physical network. However, some host implementations
send packets to addresses in the 127.0.0.0/8 range outside their
Network Interface Card (NIC) and to the network. Certain
implementations that normally do not send packets to addresses in the
127.0.0.0/8 range may also be configured to do so.
Destination addresses in the 127.0.0.0/8 range are not routed on the
Internet. This factor limits the exposure of this issue.
This issue is applicable to systems that run Hybrid Mode (Catalyst OS
(CatOS) software on the Supervisor Engine and IOS Software on the
MSFC) and Native Mode (IOS Software on both the Supervisor Engine and
the MSFC).
This issue has been documented by the Cisco bug ID CSCsg02323
(registered customers only). All software versions that run on Cisco
Catalyst 6500 and Cisco 7600 series devices are affected. A fix is
available in 12.2(33)SXH.
As a workaround, administrators can apply an access control list that
filters packets to the 127.0.0.0/8 address range to interfaces where
attacks may be launched.
ip access-list extended block_loopback
 deny ip any 127.0.0.0 0.255.255.255
 permit ip any any
interface Vlan x
 ip access-group block_loopback in
Control Plane Policing (CoPP) can be used to block traffic with a
destination IP address in the 127.0.0.0/8 address range sent to the
device. Cisco IOS Software releases 12.0S, 12.2SX, 12.2S, 12.3T,
12.4, and 12.4T support the CoPP feature. CoPP may be configured on a
device to protect the management and control planes to minimize the
risk and effectiveness of direct infrastructure attacks. CoPP
protects the management and control planes by explicitly permitting
only authorized traffic that is sent to infrastructure devices in
accordance with existing security policies and configurations.
!-- Permit all traffic with a destination IP
!-- addresses in the 127.0.0.0/8 address range sent to
!-- the affected device so that it will be policed and
!-- dropped by the CoPP feature
!
access-list 111 permit icmp any 127.0.0.0 0.255.255.255
access-list 111 permit udp any 127.0.0.0 0.255.255.255
access-list 111 permit tcp any 127.0.0.0 0.255.255.255
access-list 111 permit ip any 127.0.0.0 0.255.255.255
!
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3
!-- and Layer4 traffic in accordance with existing security
!-- policies and configurations for traffic that is authorized
!-- to be sent to infrastructure devices
!
!-- Create a Class-Map for traffic to be policed by the
!-- CoPP feature
!
class-map match-all drop-127/8-netblock-class
 match access-group 111
!
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
!
policy-map drop-127/8-netblock-traffic
 class drop-127/8-netblock-class
  police 32000 1500 1500 conform-action drop exceed-action drop
!
!-- Apply the Policy-Map to the Control-Plane of the
!-- device
!
control-plane
 service-policy input drop-127/8-netblock-traffic
!
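Both workarounds above (the inbound interface ACL and the CoPP policy) can be verified against a saved running-config rather than by inspection. The following Python script is an added example, not part of the Cisco response or the AusCERT bulletin: it parses the subset of IOS syntax used in the two workarounds (named and numbered extended ACLs, class-map / policy-map / police, control-plane service-policy), evaluates constructed probe packets destined for 127.0.0.0/8 against each interface's inbound ACL with first-match semantics and the implicit deny, and checks that the control-plane policy both matches those packets and drops them. The sample configuration, the probe addresses and all function names are constructed for this example; the parser ignores port operators, the `host` keyword, object-groups and the rest of the IOS grammar.

```python
import ipaddress

# Constructed probe packets: three protocols to three addresses spread across 127/8.
PROBES = [(p, "192.0.2.10", d) for p in ("tcp", "udp", "icmp")
          for d in ("127.0.0.1", "127.0.0.51", "127.255.255.254")]

# Constructed sample config: Vlan10 carries the workaround ACL, Vlan20 does not.
SAMPLE_CONFIG = """\
ip access-list extended block_loopback
 deny ip any 127.0.0.0 0.255.255.255
 permit ip any any
access-list 111 permit tcp any 127.0.0.0 0.255.255.255
access-list 111 permit ip any 127.0.0.0 0.255.255.255
class-map match-all drop-127/8-netblock-class
 match access-group 111
policy-map drop-127/8-netblock-traffic
 class drop-127/8-netblock-class
  police 32000 1500 1500 conform-action drop exceed-action drop
interface Vlan10
 ip access-group block_loopback in
interface Vlan20
control-plane
 service-policy input drop-127/8-netblock-traffic
"""

def wildcard_to_network(addr, wildcard):
    """IOS address + wildcard mask -> ip_network (wildcard 1-bits are 'don't care')."""
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)

def take_addr(tokens):
    """Consume one ACE address spec, 'any' or 'ADDR WILDCARD'; returns (network, remaining)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def parse_ace(tokens):
    """'[seq] permit|deny PROTO SRC DST ...' -> (action, proto, src_net, dst_net)."""
    if tokens[0].isdigit():
        tokens = tokens[1:]
    src, rest = take_addr(tokens[2:])
    return tokens[0], tokens[1], src, take_addr(rest)[0]

def parse_config(text):
    """Collect ACL entries, inbound ACL per interface, class-map ACLs, police actions
    per policy-map class and the control-plane input policy (IOS indentation = scope)."""
    acls, iface_acl, class_acl, policy, cp_policy, top, cls = {}, {}, {}, {}, None, [], None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if not raw.startswith(" "):               # unindented line opens a new block
            top = t
            if t[0] == "access-list":             # numbered ACL: one entry per line
                acls.setdefault(t[1], []).append(parse_ace(t[2:]))
            elif t[0] == "interface":
                iface_acl.setdefault(t[1], None)
            continue
        if top[:2] == ["ip", "access-list"] and t[0] != "remark":
            acls.setdefault(top[3], []).append(parse_ace(t))
        elif top[0] == "interface" and t[:2] == ["ip", "access-group"] and t[-1] == "in":
            iface_acl[top[1]] = t[2]
        elif top[0] == "class-map" and t[:2] == ["match", "access-group"]:
            class_acl[top[-1]] = t[-1]
        elif top[0] == "policy-map" and t[0] == "class":
            cls = t[1]
        elif top[0] == "policy-map" and t[0] == "police":
            policy.setdefault(top[1], {})[cls] = {
                t[i]: t[i + 1] for i in range(len(t) - 1) if t[i].endswith("-action")}
        elif top[0] == "control-plane" and t[:2] == ["service-policy", "input"]:
            cp_policy = t[2]
    return acls, iface_acl, class_acl, policy, cp_policy

def evaluate_acl(entries, proto, src_ip, dst_ip):
    """First-match evaluation of one packet against an ACL, implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, eproto, esrc, edst in entries:
        if eproto in ("ip", proto) and src in esrc and dst in edst:
            return action
    return "deny"

def probe_outcomes(acls, name):
    """Set of first-match results for the probes against ACL `name`; empty if undefined."""
    return {evaluate_acl(acls[name], *p) for p in PROBES} if acls.get(name) else set()

def audit(text):
    """Per interface: does the inbound ACL deny every probe? Does CoPP match and drop them?"""
    acls, iface_acl, class_acl, policy, cp_policy = parse_config(text)
    copp = any(probe_outcomes(acls, class_acl.get(cls)) == {"permit"}
               and set(acts.values()) == {"drop"}
               for cls, acts in policy.get(cp_policy, {}).items())
    return {"interfaces": {i: probe_outcomes(acls, a) == {"deny"} for i, a in iface_acl.items()},
            "copp_drops_loopback": copp}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Run against the sample, the report flags Vlan20 as unprotected and confirms the CoPP policy. The probe set is a sample, not a proof of coverage: an ACL that permits a sub-range of 127.0.0.0/8 before the deny will only be caught if a probe address falls inside it, so add probes for any 127/8 sub-ranges that appear elsewhere in the configuration.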
Additional information on the configuration and use of the CoPP
feature is available at the following links:
http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html
Infrastructure Access Control Lists (iACLs) are also considered a
network security best practice and should be considered long-term
additions to effective network security as well as a workaround for
this specific issue. The white paper entitled "Protecting Your Core:
Infrastructure Protection Access Control Lists" presents guidelines
and recommended deployment techniques for infrastructure protection
ACLs. The white paper is available at the following link:
http://www.cisco.com/warp/public/707/iacl.html
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Intelligence companion
document for this response:
http://www.cisco.com/warp/public/707/cisco-air-20070926-lb.shtml
Additional Information
======================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
Revision History
================
+--------------+-------------------+-------------------------+
| Revision 1.0 | 2007-September-26 | Initial public release. |
+--------------+-------------------+-------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
iD8DBQFG+tis8NUAbBmDaxQRApn2AKCLXskG0SFfsCYARui1Uc5EmdlQKwCgr0DI
V7JrMgq2C5up8UNGOZkCUM8=
=tFEA
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRwAuryh9+71yA2DNAQJBBQP8Cg+XESFr9LKzkuDwrxcMjIRFhICpFCwY
zrXvDTzuqZ/plVH/PXLzDDgbQ3jbjD/mgAxf7GKkCuq1nBIJ3g0gmB6zkuW3O6Ar
aWKCbBiQ+Az169AD3JW6udaxEi7yA+6DZ++lwjFANIrrjiU2TN0YLB7uhFcEnjhW
h8wYw/V4pHU=
=8QAS
-----END PGP SIGNATURE-----