ESB-2018.2629.3 - UPDATE [Cisco] Cisco Products: Denial of service - Remote/unauthenticated 2018-11-07


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.2629.3
        Linux and FreeBSD Kernels TCP Reassembly Denial of Service
                 Vulnerabilities Affecting Cisco Products
                              7 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Products
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-6922 CVE-2018-5390 

Reference:         ESB-2018.2623
                   ESB-2018.2612
                   ESB-2018.2277
                   ESB-2018.2271

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180824-linux-tcp

Revision History:  November   7 2018: Updated information about fixed release
                                      availability. Removed references to
                                      ongoing investigation.
                   September 14 2018: Vendor updated lists of products under
                                      investigation, vulnerable and not
                                      vulnerable, and fixed release availability
                   September  5 2018: Initial Release


- --------------------------BEGIN INCLUDED TEXT--------------------

Linux and FreeBSD Kernels TCP Reassembly Denial of Service Vulnerabilities
Affecting Cisco Products: August 2018

Priority: High
Advisory ID: cisco-sa-20180824-linux-tcp
First Published: 2018 August 24 21:30 GMT
Last Updated: 2018 November 6 18:09 GMT
Version 1.7: Final
Workarounds: No workarounds available

Summary

  * On August 6, 2018, the Vulnerability Coordination team of the National
    Cyber Security Centre of Finland (NCSC-FI) and the CERT Coordination Center
    (CERT/CC) disclosed vulnerabilities in the TCP stacks that are used by the
    Linux and FreeBSD kernels. These vulnerabilities are publicly known as
    SegmentSmack.

    The vulnerabilities could allow an unauthenticated, remote attacker to
    cause a denial of service (DoS) condition on an affected device. An attack
    could be executed by using low transfer rates of TCP packets, unlike
    typical distributed denial of service (DDoS) attacks.

    The vulnerabilities are due to inefficient TCP reassembly algorithms in the
    TCP stacks that are used by the affected kernels. Linux Kernel Versions 4.9
    and later and all supported versions of the FreeBSD kernel are known to be
    affected by these vulnerabilities.

    An attacker could exploit these vulnerabilities by sending a stream of
    packets that are designed to trigger the issue in an established TCP
    session with an affected device. A sustained DoS condition requires the
    attacker to maintain a continuous stream of malicious traffic. Due to the
    required use of an established session, an attack cannot be performed using
    spoofed IP addresses.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180824-linux-tcp

Affected Products

  * Cisco investigated its product line to determine which products and
    services may be affected by these vulnerabilities.

    The "Vulnerable Products" section of this advisory includes Cisco bug IDs
    for each affected product or service. The bugs are accessible through the
    Cisco Bug Search Tool and contain additional platform-specific information,
    including workarounds (if available) and fixed software releases.

    Any product or service not listed in the "Vulnerable Products" section of
    this advisory is to be considered not vulnerable.

    Vulnerable Products

    The following table lists Cisco products that are affected by the Linux
    Kernel vulnerability that is described in this advisory:

    Product                                               Cisco Bug ID  Fixed Release Availability

    Network and Content Security Devices
    Cisco Threat Grid Appliance M5                        CSCvk69486    2.5 (Oct-2018)

    Routing and Switching - Enterprise and Service Provider
    Cisco DNA Center                                      CSCvm34581    1.3 (Apr-2019)
    Cisco Network Assurance Engine                        CSCvm34702    3.0(0) (Nov-2018)

    Voice and Unified Communications Devices
    Cisco Webex Hybrid Data Security Node                 CSCvm49456    Cisco will update affected systems (Nov-2018)
    Cisco Webex Video Mesh Node                           CSCvm48163    Cisco will update affected systems (Nov-2018)

    Video, Streaming, TelePresence, and Transcoding Devices
    Cisco Expressway Series                               CSCvk74922    x12.5 (Jan-2019)
    Cisco Meeting Management                              CSCvk69487    1.1.0.27 (Sept-2018)
    Cisco TelePresence Conductor                          CSCvk75754    4.3.4 MR (Nov-2018)
    Cisco TelePresence Video Communication Server (VCS)   CSCvk74922    x12.5 (Jan-2019)

    The following table lists Cisco products that are affected by the FreeBSD
    vulnerability that is described in this advisory:

    Product                                                         Cisco Bug ID  Fixed Release Availability

    Network and Content Security Devices
    Cisco Content Security Management Appliance (SMA)               CSCvk74266    12.0.0 (Nov-2018)
    Cisco Email Security Appliance (ESA)                            CSCvk74109    11.0.3 (Oct-2018)
                                                                                  12.0.0 (Nov-2018)
                                                                                  10.1.4 (Sept-2018)
    Cisco Web Security Appliance (WSA)                              CSCvk74112    10.5.3 (Oct-2018)
                                                                                  11.5.2 (Nov-2018)

    Video, Streaming, TelePresence, and Transcoding Devices
    Cisco TelePresence MCU 5300 Series, MSE 8510                    CSCvk74254    4.5(1.98) (Oct-2018)
    Cisco TelePresence MCU MSE 8420                                 CSCvk74254    No fix expected - End of life
    Cisco TelePresence Server 7010 and MSE 8710                     CSCvk74256    4.4(1.27) (Dec-2018)
    Cisco TelePresence Server on Multiparty Media 310, 320 and 820  CSCvk74256    4.4(1.27) (Dec-2018)


    Products Confirmed Not Vulnerable

    Only products and services listed in the "Vulnerable Products" section of
    this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    products and services:

    Network and Content Security Devices
      + Cisco Firepower Management Center

    Video, Streaming, TelePresence, and Transcoding Devices
      + Cisco TelePresence MCU 4200 Series and 4500 Series
      + Cisco TelePresence Advanced Media Gateway Series

Workarounds

  * Any workarounds will be documented in the product-specific Cisco bugs,
    which are identified in the "Vulnerable Products" section of this advisory.

    It is important to note that exploitation of these vulnerabilities requires
    an attacker to establish a TCP three-way handshake with an open TCP port on
    an affected device. Customers are therefore advised to use an external
    firewall to allow only explicitly trusted source IP addresses to connect to
    open TCP ports on affected devices.
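
Added example, not part of the Cisco advisory or the AusCERT bulletin: one way to audit the source-address restriction described above, by checking flow records for established TCP sessions to affected devices that come from outside the trusted list. The record format, function name, and all addresses are assumptions constructed for illustration; only the product names come from the advisory.

```python
import ipaddress

# Constructed sample data (assumptions): documentation address ranges stand in
# for real management networks and device addresses.
TRUSTED_SOURCES = ["192.0.2.0/28", "198.51.100.10/32"]
AFFECTED_DEVICES = {
    "203.0.113.20": "Cisco Expressway Series",
    "203.0.113.30": "Cisco Email Security Appliance (ESA)",
}

# Constructed flow records, one per line: src_ip dst_ip dst_port tcp_state
SAMPLE_FLOWS = """\
192.0.2.5 203.0.113.20 443 ESTABLISHED
198.51.100.10 203.0.113.30 25 ESTABLISHED
198.51.100.77 203.0.113.30 25 ESTABLISHED
192.0.2.200 203.0.113.20 443 SYN_SENT
192.0.2.200 203.0.113.20 22 ESTABLISHED
10.9.9.9 203.0.113.99 443 ESTABLISHED
"""


def audit_flows(flow_text, trusted, affected):
    """Return (src, dst, port, product) for sessions that bypass the allowlist."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    findings = []
    for line in flow_text.splitlines():
        fields = line.split()
        if not fields:
            continue  # ignore blank lines; malformed records raise ValueError
        src, dst, port, state = fields
        # The advisory states that exploitation needs a completed three-way
        # handshake, so only established sessions to listed devices matter,
        # and the logged source address cannot be spoofed.
        if dst not in affected or state != "ESTABLISHED":
            continue
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in nets):
            findings.append((src, dst, int(port), affected[dst]))
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS, TRUSTED_SOURCES, AFFECTED_DEVICES):
        print("untrusted source reached affected device:", finding)
```

Any finding means the external firewall is letting an untrusted address complete a handshake with an affected device and its rules need tightening.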

Fixed Software

  * For information about fixed software releases, consult the Cisco bugs
    identified in the "Vulnerable Products" section of this advisory.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    TAC or their contracted maintenance providers.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any malicious use of the vulnerabilities that are described in this
    advisory.

Source

  * These vulnerabilities were reported by Juha-Matti Tilli, of the Aalto
    University Department of Communications and Networking, and Nokia Bell
    Labs.

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180824-linux-tcp

Revision History

  * 
    +-----------------------------------------------------------------------------+
    | Version |      Description       |  Section   | Status  |       Date        |
    |---------+------------------------+------------+---------+-------------------|
    |         | Updated information    | Summary,   |         |                   |
    |         | about fixed release    | Affected   |         |                   |
    | 1.7     | availability. Removed  | Products,  | Final   | 2018-November-06  |
    |         | references to ongoing  | Vulnerable |         |                   |
    |         | investigation.         | Products   |         |                   |
    |---------+------------------------+------------+---------+-------------------|
    |         | Updated the lists of   | Affected   |         |                   |
    | 1.6     | products under         | Products,  | Interim | 2018-September-17 |
    |         | investigation and      | Vulnerable |         |                   |
    |         | vulnerable products.   | Products   |         |                   |
    |---------+------------------------+------------+---------+-------------------|
    |         | Updated the lists of   |            |         |                   |
    |         | products under         |            |         |                   |
    |         | investigation. Moved   | Affected   |         |                   |
    |         | Firepower Management   | Products,  |         |                   |
    |         | Center to the products | Vulnerable |         |                   |
    | 1.5     | confirmed not          | Products,  | Interim | 2018-September-13 |
    |         | vulnerable as after    | Products   |         |                   |
    |         | further evaluation, no | Confirmed  |         |                   |
    |         | publicly available     | Not        |         |                   |
    |         | software releases were | Vulnerable |         |                   |
    |         | found to be            |            |         |                   |
    |         | vulnerable.            |            |         |                   |
    |---------+------------------------+------------+---------+-------------------|
    |         | Updated the lists of   |            |         |                   |
    |         | products under         | Affected   |         |                   |
    |         | investigation and      | Products,  |         |                   |
    | 1.4     | vulnerable products.   | Vulnerable | Interim | 2018-September-06 |
    |         | Updated information    | Products   |         |                   |
    |         | about fixed release    |            |         |                   |
    |         | availability.          |            |         |                   |
    |---------+------------------------+------------+---------+-------------------|
    |         | Updated the lists of   | Affected   |         |                   |
    |         | products under         | Products,  |         |                   |
    |         | investigation,         | Vulnerable |         |                   |
    |         | vulnerable products,   | Products,  |         |                   |
    | 1.3     | and products confirmed | Products   | Interim | 2018-September-04 |
    |         | not vulnerable.        | Confirmed  |         |                   |
    |         | Updated information    | Not        |         |                   |
    |         | about fixed release    | Vulnerable |         |                   |
    |         | availability.          |            |         |                   |
    |---------+------------------------+------------+---------+-------------------|
    |         | Updated information    | Vulnerable |         |                   |
    | 1.2     | about fixed release    | Products   | Interim | 2018-August-30    |
    |         | availability.          |            |         |                   |
    |---------+------------------------+------------+---------+-------------------|
    |         | Updated the lists of   | Affected   |         |                   |
    |         | products under         | Products,  |         |                   |
    |         | investigation and      | Vulnerable |         |                   |
    | 1.1     | products confirmed not | Products,  | Interim | 2018-August-29    |
    |         | vulnerable. Updated    | Products   |         |                   |
    |         | information about      | Confirmed  |         |                   |
    |         | fixed release          | Not        |         |                   |
    |         | availability.          | Vulnerable |         |                   |
    |---------+------------------------+------------+---------+-------------------|
    | 1.0     | Initial public         | -          | Interim | 2018-August-24    |
    |         | release.               |            |         |                   |
    +-----------------------------------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
