ESB-2018.2902 - [Cisco] Cisco IOS XE: Multiple vulnerabilities 2018-09-27

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2902
       Multiple Vulnerabilities have been identified in Cisco IOS XE
                             27 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS XE
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Root Compromise     -- Existing Account      
                   Denial of Service   -- Remote/Unauthenticated
                   Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-15374 CVE-2018-15372 CVE-2018-15371
                   CVE-2018-0481 CVE-2018-0480 CVE-2018-0477
                   CVE-2018-0476 CVE-2018-0472 CVE-2018-0471
                   CVE-2018-0470 CVE-2018-0469 

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-cdp-memleak
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-iosxe-cmdinj
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-digsig
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-errdisable
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webdos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-macsec
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-sip-alg
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-privesc
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-shell-access
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webuidos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipsec

Comment: This bulletin contains eleven (11) Cisco Systems security 
         advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Cisco IOS XE Software Cisco Discovery Protocol Memory Leak Vulnerability

Priority:           High
Advisory ID:        cisco-sa-20180926-cdp-memleak
First Published:    2018 September 26 16:00 GMT
Version 1.0:        Final
Workarounds:        No workarounds available
Cisco Bug IDs:      CSCvf50648
 
CVE-2018-0471
CWE-400
 
CVSS Score:         Base 7.4
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  * A vulnerability in the Cisco Discovery Protocol (CDP) module of Cisco IOS
    XE Software Releases 16.6.1 and 16.6.2 could allow an unauthenticated,
    adjacent attacker to cause a memory leak that may lead to a denial of
    service (DoS) condition.

    The vulnerability is due to incorrect processing of certain CDP packets. An
    attacker could exploit this vulnerability by sending certain CDP packets to
    an affected device. A successful exploit could cause an affected device to
    continuously consume memory and eventually result in a memory allocation
    failure that leads to a crash, triggering a reload of the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-cdp-memleak

    This advisory is part of the September 26, 2018, release of the Cisco IOS
    and IOS XE Software Security Advisory Bundled Publication, which includes
    12 Cisco Security Advisories that describe 13 vulnerabilities. For a
    complete list of the advisories and links to them, see Cisco Event
    Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security
    Advisory Bundled Publication.

Affected Products

  * Vulnerable Products

    This vulnerability affects devices that are running Cisco IOS XE Software
    Release 16.6.1 or 16.6.2 with the CDP feature enabled on at least one
    interface. The CDP feature is enabled in Cisco IOS XE on all interfaces by
    default.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Determining Whether the CDP Feature Is Enabled

    To determine whether a device is configured with the CDP feature enabled
    globally, use the show running-config all | include cdp run privileged EXEC
    command on the device. The following example shows the output of the show
    running-config all | include cdp run command on a device that has the CDP
    feature enabled globally:

        ios-xe-device#show running-config all | include cdp run
        cdp run

    To determine whether a device is configured with the CDP feature enabled on
    an interface, use the show cdp interface privileged EXEC command on the
    device. The following example shows the output of the show cdp interface
    command on a device that has the CDP feature disabled on all interfaces:

        ios-xe-device#show cdp interface
        % CDP is not enabled

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device is
    running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre
        .
        .
        .

    For information about the naming and numbering conventions for Cisco IOS XE
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
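    The three checks above (release from the show version banner, global cdp
    run, per-interface CDP) combined into one offline exposure check, as an
    added example that is not part of Cisco's advisory: it works on pasted
    command output, so nothing runs on the device. The per-interface line
    format of show cdp interface is assumed (the advisory only shows the
    disabled case), and the 16.6.2 banner and the interface listing are
    constructed samples.

```python
import re

# CVE-2018-0471: the releases the advisory names as affected, exposed only when
# CDP is enabled on at least one interface (it is on by default).
AFFECTED_RELEASES = {"16.6.1", "16.6.2"}

# 'Version Denali 16.2.1' (release name before the number) and 'Version 16.06.02'
# (zero-padded components) both occur in show version banners; both are handled.
VERSION_RE = re.compile(r"\bVersion (?:[A-Za-z]+ )?(\d+\.\d+\.\d+)\b")
IMAGE_RE = re.compile(r"\(([A-Z][A-Z0-9_-]+)\)")   # e.g. (CAT3K_CAA-UNIVERSALK9-M)
# Assumed per-interface header line of 'show cdp interface' (the advisory does
# not show the enabled case): '<ifname> is up, line protocol is up'
CDP_IF_RE = re.compile(r"^(\S+) is (?:up|down|administratively down), line protocol is")

# Banner from the advisory's own example (16.2.1, not an affected release).
SHOW_VERSION_PAGE = """\
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
"""
# Constructed banner for an affected 16.6.2 device (not a real capture).
SHOW_VERSION_AFFECTED = """\
Cisco IOS XE Software, Version 16.06.02
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.6.2, RELEASE SOFTWARE (fc2)
"""
# Constructed 'show cdp interface' output in the assumed format (see CDP_IF_RE).
SHOW_CDP_INTERFACE = """\
GigabitEthernet1/0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet1/0/2 is administratively down, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
"""


def parse_show_version(text):
    """Return (release, image_name) from a show version banner; None where absent.
    Release components are normalised so '16.06.02' compares equal to '16.6.2'."""
    m = VERSION_RE.search(text)
    release = ".".join(str(int(p)) for p in m.group(1).split(".")) if m else None
    i = IMAGE_RE.search(text)
    return release, (i.group(1) if i else None)


def cdp_enabled_globally(show_run_cdp):
    """'show running-config all | include cdp run' prints 'cdp run' when CDP is
    enabled globally and 'no cdp run' when it is not; only the exact enabled
    form counts."""
    return any(line.strip() == "cdp run" for line in show_run_cdp.splitlines())


def cdp_interfaces(show_cdp_interface):
    """Interfaces with CDP enabled; empty on the advisory's '% CDP is not enabled'."""
    if "% CDP is not enabled" in show_cdp_interface:
        return []
    return [m.group(1) for line in show_cdp_interface.splitlines()
            if (m := CDP_IF_RE.match(line))]


def assess(show_version, show_run_cdp, show_cdp_interface):
    """Combine the three checks into one verdict plus the matching action."""
    release, image = parse_show_version(show_version)
    affected = release in AFFECTED_RELEASES
    glob = cdp_enabled_globally(show_run_cdp)
    ifaces = cdp_interfaces(show_cdp_interface)
    if not affected:
        action = "release not listed as affected; confirm with the Cisco IOS Software Checker"
    elif not glob:
        action = "CDP disabled globally (no cdp run): not in the vulnerable configuration; still upgrade"
    elif not ifaces:
        action = "CDP disabled on every interface: not in the vulnerable configuration; still upgrade"
    else:
        action = ("upgrade; until then 'no cdp run' globally, or 'no cdp enable' on: "
                  + ", ".join(ifaces))
    return {"release": release, "image": image, "affected_release": affected,
            "cdp_global": glob, "cdp_interfaces": ifaces,
            "exposed": affected and glob and bool(ifaces), "action": action}


if __name__ == "__main__":
    for key, value in assess(SHOW_VERSION_AFFECTED, "cdp run\n", SHOW_CDP_INTERFACE).items():
        print(f"{key}: {value}")
```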

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Indicators of Compromise

  * On successful exploitation of the vulnerability described in this advisory,
    logs will show a %SYS-2-MALLOCFAIL message referencing the CDP Protocol
    process, which indicates a memory allocation failure. Exploitation of this
    vulnerability can cause an affected device to reload and generate a
    crashinfo file.

    Contact the Cisco Technical Assistance Center (TAC) to review the output of
    the show tech-support CLI command and the crashinfo file to determine
    whether the device has been compromised by exploitation of this
    vulnerability.
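    A detection pass over collected syslog for the indicator above, as an added
    example that is not part of Cisco's advisory: it picks out
    %SYS-2-MALLOCFAIL messages attributed to the CDP process and reports, per
    device, how many occurred and whether the pool's free memory is falling
    across them. The sample lines are constructed, and the message layout
    (the -Process= field in particular) is assumed rather than taken from the
    advisory.

```python
import re
from collections import defaultdict

# Constructed syslog-server lines (not a real capture). The body follows the
# assumed %SYS-2-MALLOCFAIL layout, with the originating process in the
# '-Process= "..."' field; the '*' before the device timestamp marks an
# unsynchronised clock.
SAMPLE_SYSLOG = """\
Sep 26 10:01:12 sw1 45: *Sep 26 10:01:12.345: %SYS-2-MALLOCFAIL: Memory allocation of 1024 bytes failed from 0x1A2B3C, alignment 0 Pool: Processor  Free: 40960 Cause: Not enough free memory Alternate Pool: None  Free: 0 Cause: No Alternate pool -Process= "CDP Protocol", ipl= 0, pid= 55
Sep 26 10:01:13 sw1 46: *Sep 26 10:01:13.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to down
Sep 26 10:02:00 sw2 47: *Sep 26 10:02:00.000: %SYS-2-MALLOCFAIL: Memory allocation of 512 bytes failed from 0x4D5E6F, alignment 0 Pool: Processor  Free: 2048 Cause: Memory fragmentation Alternate Pool: None  Free: 0 Cause: No Alternate pool -Process= "Exec", ipl= 0, pid= 3
Sep 26 10:03:40 sw1 48: *Sep 26 10:03:40.500: %SYS-2-MALLOCFAIL: Memory allocation of 1024 bytes failed from 0x1A2B3C, alignment 0 Pool: Processor  Free: 8192 Cause: Not enough free memory Alternate Pool: None  Free: 0 Cause: No Alternate pool -Process= "CDP Protocol", ipl= 0, pid= 55
"""

# receive time, host, sequence number, device timestamp, mnemonic, body
LINE_RE = re.compile(
    r"^(?P<recv>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<seq>\d+): "
    r"\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?): (?P<mnemonic>%[A-Z0-9_-]+): (?P<body>.*)$"
)
PROCESS_RE = re.compile(r'-Process= "([^"]+)"')
POOL_RE = re.compile(r"Pool: (\S+)\s+Free: (\d+)")   # first match is the primary pool


def parse_line(line):
    """Split one syslog-server line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def cdp_mallocfail_events(text):
    """MALLOCFAIL events whose process name refers to CDP, in log order."""
    events = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec["mnemonic"] != "%SYS-2-MALLOCFAIL":
            continue
        proc = PROCESS_RE.search(rec["body"])
        if not proc or "cdp" not in proc.group(1).lower():
            continue
        pool = POOL_RE.search(rec["body"])
        events.append({
            "host": rec["host"], "ts": rec["ts"], "process": proc.group(1),
            "pool": pool.group(1) if pool else None,
            "free": int(pool.group(2)) if pool else None,
        })
    return events


def alerts(text):
    """Per device: number of CDP MALLOCFAIL messages and whether free pool memory
    shrinks from one to the next (the sustained leak the advisory describes).
    Any hit is grounds for the TAC review of show tech-support and crashinfo."""
    by_host = defaultdict(list)
    for ev in cdp_mallocfail_events(text):
        by_host[ev["host"]].append(ev)
    result = {}
    for host, evs in by_host.items():
        frees = [e["free"] for e in evs if e["free"] is not None]
        result[host] = {
            "count": len(evs),
            "free_trend_down": len(frees) >= 2 and all(b < a for a, b in zip(frees, frees[1:])),
        }
    return result


if __name__ == "__main__":
    for host, info in alerts(SAMPLE_SYSLOG).items():
        print(f"{host}: {info['count']} CDP MALLOCFAIL message(s), "
              f"free memory falling: {info['free_trend_down']}")
```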

Workarounds

  * There are no workarounds that address this vulnerability.

    Administrators who do not use the CDP feature in their environment can
    disable the CDP feature by using the no cdp run command in global
    configuration mode to prevent exploitation of this vulnerability.

    Administrators who do use the CDP feature but want to limit the attack
    surface can disable the CDP feature on interfaces that do not require this
    feature by using the no cdp enable command in interface configuration mode.

Fixed Software

  * Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

      + Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
      + Enter the output of the show version command for the tool to parse
      + Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the most
        recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com, entering a
    Cisco IOS Software or Cisco IOS XE Software release (for example, 15.1(4)M2
    or 3.13.8S).

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  * This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  * Subscribe

Related to This Advisory

  * Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication
  * Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication
    September 2018

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-cdp-memleak

Revision History

    +----------------------------------------------------------------------------+
    | Version |       Description        | Section | Status |        Date        |
    |---------+--------------------------+---------+--------+--------------------|
    | 1.0     | Initial public release.  |         | Final  | 2018-September-26  |
    +----------------------------------------------------------------------------+

Legal Disclaimer

  * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

- -------------------------------------------------------------------------------

Cisco Security Advisory

Cisco IOS XE Software Command Injection Vulnerabilities

Priority:           High
Advisory ID:        cisco-sa-20180926-iosxe-cmdinj
First Published:    2018 September 26 16:00 GMT
Version 1.0:        Final
Workarounds:        No workarounds available
Cisco Bug IDs:      CSCvh02919, CSCvh54202
 
CVE-2018-0477
CVE-2018-0481
 
CWE-77
 
CVSS Score:         Base 6.7
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  * Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software could
    allow an authenticated, local attacker to execute commands on the
    underlying Linux shell of an affected device with root privileges.

    The vulnerabilities exist because the affected software improperly
    sanitizes command arguments, failing to prevent access to certain internal
    data structures on an affected device. An attacker who has privileged EXEC
    mode (privilege level 15) access to an affected device could exploit these
    vulnerabilities on the device by executing CLI commands that contain custom
    arguments. A successful exploit could allow the attacker to execute
    arbitrary commands with root privileges on the affected device.

    Cisco has released software updates that address these vulnerabilities.
    There are no workarounds that address these vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-iosxe-cmdinj

    This advisory is part of the September 26, 2018, release of the Cisco IOS
    and IOS XE Software Security Advisory Bundled Publication, which includes
    12 Cisco Security Advisories that describe 13 vulnerabilities. For a
    complete list of the advisories and links to them, see Cisco Event
    Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security
    Advisory Bundled Publication.

Affected Products

  * Vulnerable Products

    These vulnerabilities affect Cisco devices that are running a vulnerable
    release of Cisco IOS XE Software.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device is
    running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre
        .
        .
        .

    For information about the naming and numbering conventions for Cisco IOS XE
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

    Cisco has confirmed that these vulnerabilities do not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  * There are no workarounds that address these vulnerabilities.

Fixed Software
 
  * Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

      + Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
      + Enter the output of the show version command for the tool to parse
      + Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the most
        recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com, entering a
    Cisco IOS Software or Cisco IOS XE Software release (for example, 15.1(4)M2
    or 3.13.8S).

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerabilities that are
    described in this advisory.

Source

  * These vulnerabilities were found during internal security testing.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  * Subscribe

Related to This Advisory

  * Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication
  * Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication
    September 2018

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-iosxe-cmdinj

Revision History

    +----------------------------------------------------------------------------+
    | Version |       Description        | Section | Status |        Date        |
    |---------+--------------------------+---------+--------+--------------------|
    | 1.0     | Initial public release.  |         | Final  | 2018-September-26  |
    +----------------------------------------------------------------------------+

Legal Disclaimer

  * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

- -------------------------------------------------------------------------------

Cisco Security Advisory

Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability

Priority:           Medium
Advisory ID:        cisco-sa-20180926-digsig
First Published:    2018 September 26 16:00 GMT
Version 1.0:        Final
Workarounds:        No workarounds available
Cisco Bug IDs:      CSCvh15737
 
CVE-2018-15374
CWE-347
 
CVSS Score:         Base 6.7
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  * A vulnerability in the Image Verification feature of Cisco IOS XE Software
    could allow an authenticated, local attacker to install a malicious
    software image or file on an affected device.

    The vulnerability is due to the affected software improperly verifying
    digital signatures for software images and files that are uploaded to a
    device. An attacker could exploit this vulnerability by uploading a
    malicious software image or file to an affected device. A successful
    exploit could allow the attacker to bypass digital signature verification
    checks for software images and files and install a malicious software image
    or file on the affected device.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-digsig

Affected Products

  * Vulnerable Products

    This vulnerability affects Cisco devices that are running a vulnerable
    release of Cisco IOS XE Software.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device is
    running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre
        .
        .
        .

    For information about the naming and numbering conventions for Cisco IOS XE
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  * There are no workarounds that address this vulnerability.

Fixed Software

  * For detailed information about affected and fixed software releases,
    consult the Cisco IOS Software Checker.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

      + Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
      + Enter the output of the show version command for the tool to parse
      + Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the most
        recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com, entering a
    Cisco IOS Software or Cisco IOS XE Software release (for example, 15.1(4)M2
    or 3.13.8S).

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  * This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  * Subscribe

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-digsig

Revision History

    +----------------------------------------------------------------------------+
    | Version |       Description        | Section | Status |        Date        |
    |---------+--------------------------+---------+--------+--------------------|
    | 1.0     | Initial public release.  |         | Final  | 2018-September-26  |
    +----------------------------------------------------------------------------+

Legal Disclaimer

  * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

- -------------------------------------------------------------------------------

Cisco Security Advisory

Cisco IOS XE Software Errdisable Denial of Service Vulnerability

Priority:	    High
Advisory ID:        cisco-sa-20180926-errdisable
First Published:    2018 September 26 16:00 GMT
Version 1.0:        Final
Workarounds:        No workarounds available
Cisco Bug IDs:      CSCvh13611
 
CVE-2018-0480
CWE-362
 
CVSS Score:         Base 7.4
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  * A vulnerability in the errdisable per VLAN feature of Cisco IOS XE Software
    could allow an unauthenticated, adjacent attacker to cause the device to
    crash, leading to a denial of service (DoS) condition.

    The vulnerability is due to a race condition that occurs when the VLAN and
    port enter an errdisabled state, resulting in an incorrect state in the
    software. An attacker could exploit this vulnerability by sending frames
    that trigger the errdisable condition. A successful exploit could allow the
    attacker to cause the affected device to crash, leading to a DoS condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20180926-errdisable

    This advisory is part of the September 26, 2018, release of the Cisco IOS
    and IOS XE Software Security Advisory Bundled Publication, which includes
    12 Cisco Security Advisories that describe 13 vulnerabilities. For a
    complete list of the advisories and links to them, see Cisco Event
    Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security
    Advisory Bundled Publication.

Affected Products

  * Vulnerable Products

    This vulnerability affects Cisco Catalyst 3650, 3850, and 4500E Series
    Switches that are running a vulnerable release of Cisco IOS XE Software and
    have the errdisable feature enabled for a feature at both the VLAN and port
    level.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Determining Whether a Device Is Running an Affected Configuration

    To determine whether a device is running an affected configuration at both
    the VLAN and port level, perform both of the following steps:

    Step 1: VLAN Level

    There are two options for completing Step 1.

    Option A: show errdisable detect

    Issue the CLI command show errdisable detect | include vlan. For each VLAN
    mode feature that the device lists in the output for this command, perform
    the corresponding portion of Step 2. The following example shows a device
    that is configured for a VLAN mode errdisable detect for bpduguard (BPDU
    guard), psecure-violation (port security violation), and security-violation
    (802.1x security violation) on the VLAN:

        switch#show errdisable detect | include vlan
          bpduguard                    Enabled          vlan
          psecure-violation            Enabled          port/vlan
          security-violation           Enabled          vlan
          switch#

    Option B: show running-config

    To determine whether a device is running an affected configuration at the
    VLAN level, issue the show running-config command twice, using two
    different include statements:

      + First, issue the CLI command show running-config | include shutdown
        vlan. For each VLAN mode feature that the device lists in the output
        for this command, perform the corresponding portion of Step 2. The
        following example shows a device that is configured for a VLAN mode
        errdisable detect for security-violation (802.1x security violation)
        and bpduguard (BPDU guard) on the VLAN:

            switch#show running-config | include shutdown vlan
                  errdisable detect cause security-violation shutdown vlan
                  errdisable detect cause bpduguard shutdown vlan
                  switch#

      + Second, issue the CLI command show running-config | include switchport
        port-security violation shutdown vlan. If the command returns output,
        perform the corresponding portion of Step 2. The following example
        shows a device that is configured for a VLAN mode errdisable detect for
        port security violation on the VLAN:

            switch#show running-config | include switchport port-security violation shutdown vlan
                  switchport port-security violation shutdown vlan
                  switch#

    Step 2: Port Level

    For each VLAN mode configured feature revealed in Step 1, do the following
    to determine whether the feature is also enabled at the port level:

      + BPDU guard: If errdisable per VLAN for detection cause bpduguard is
        enabled, confirm that the device also has BPDU guard configured. If the
        configuration contains either of the following, the device is
        vulnerable:

            spanning-tree portfast bpduguard default
              interface <interface-id>
              spanning-tree portfast

        or

            interface <interface-id>
              spanning-tree bpduguard enable

      + Port security violation: Errdisable per port/vlan for detection cause
        psecure-violation is enabled by default. Confirm that the device also
        has port security configured and violation vlan shutdown configured. If
        the output of show port-security contains a row with Shutdown Vlan (as
        shown in the following example), the device is vulnerable:

            switch#show port-security
            Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                            (Count)       (Count)          (Count)
            ---------------------------------------------------------------------------
               Gi1/0/48              1            1                  5    Shutdown Vlan
            ---------------------------------------------------------------------------
            Total Addresses in System (excluding one mac per port)     : 0
            Max Addresses limit in System (excluding one mac per port) : 4096
            switch#

      + 802.1x security violation: If errdisable per VLAN for detection cause
        security-violation is enabled, confirm that the device also has 802.1x
        authentication configured and the voice VLAN is configured. If the
        configuration contains the following and does not contain
        authentication violation {protect|replace|restrict}, the device is
        vulnerable:

            interface <interface-id>
              authentication port-control value
              switchport voice vlan value

        However, if the following content is also present in the CLI output,
        the device is not vulnerable:

            authentication violation {protect|replace|restrict}
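
    The two-step check above is tedious to apply by hand across a fleet, so
    the following script encodes it as a decision procedure over saved CLI
    output. It is an added example written for this bulletin, not Cisco's
    code or tooling. The three sample outputs are constructed to mirror the
    advisory's examples (one port per cause, with GigabitEthernet1/0/11
    deliberately carrying the authentication violation restrict exception so
    the negative case is exercised), and the rule that any spanning-tree
    portfast form other than "disable" counts as PortFast is the script's
    assumption, not a statement from the advisory.

```python
"""Decision procedure for the errdisable-per-VLAN condition in
cisco-sa-20180926-errdisable (CVE-2018-0480), run offline over saved output of
'show errdisable detect | include vlan', 'show running-config' and
'show port-security'. Added example; not Cisco's code."""
import re
from typing import Dict, List, Optional, Set, Tuple

# --- Constructed sample output (not captured from a real device) --------------
SAMPLE_ERRDISABLE_DETECT = """\
  bpduguard                    Enabled          vlan
  psecure-violation            Enabled          port/vlan
  security-violation           Enabled          vlan
"""
SAMPLE_RUNNING_CONFIG = """\
spanning-tree portfast bpduguard default
errdisable detect cause security-violation shutdown vlan
errdisable detect cause bpduguard shutdown vlan
!
interface GigabitEthernet1/0/10
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 switchport voice vlan 20
 authentication port-control auto
 authentication violation restrict
!
interface GigabitEthernet1/0/48
 switchport port-security
 switchport port-security violation shutdown vlan
!
"""
SAMPLE_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
   Gi1/0/48              1            1                  5    Shutdown Vlan
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
"""

# --- Step 1: which causes are detected in VLAN mode? ---------------------------
def vlan_mode_causes(errdisable_detect_output: str) -> Set[str]:
    """Causes whose detection-mode column is 'vlan' or 'port/vlan'."""
    causes: Set[str] = set()
    for line in errdisable_detect_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "Enabled" and "vlan" in parts[2].split("/"):
            causes.add(parts[0])
    return causes

# --- Minimal running-config parser: global lines plus per-interface lines -----
def parse_config(running_config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in running_config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith((" ", "\t")) and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line closes the block
            if raw.strip() and raw.strip() != "!":
                global_lines.append(raw.strip())
    return global_lines, interfaces

# --- Step 2: is the same cause also armed at the port level? -------------------
def bpduguard_ports(global_lines: List[str], interfaces: Dict[str, List[str]]) -> List[str]:
    """Explicit 'spanning-tree bpduguard enable', or PortFast under the global
    'spanning-tree portfast bpduguard default'. Assumption: any portfast form
    other than 'disable' counts as PortFast."""
    global_default = "spanning-tree portfast bpduguard default" in global_lines
    hits = []
    for name, lines in interfaces.items():
        explicit = "spanning-tree bpduguard enable" in lines
        portfast = any(l.startswith("spanning-tree portfast") and "disable" not in l for l in lines)
        if explicit or (global_default and portfast):
            hits.append(name)
    return hits

def shutdown_vlan_ports(port_security_output: str) -> List[str]:
    """Ports whose 'Security Action' column reads 'Shutdown Vlan'."""
    return [line.split()[0] for line in port_security_output.splitlines()
            if line.strip().endswith("Shutdown Vlan")]

_SAFE_VIOLATION = re.compile(r"^authentication violation (protect|replace|restrict)$")

def dot1x_ports(interfaces: Dict[str, List[str]]) -> List[str]:
    """802.1x port-control plus a voice VLAN, and none of the advisory's
    exempting 'authentication violation' actions."""
    hits = []
    for name, lines in interfaces.items():
        port_control = any(l.startswith("authentication port-control") for l in lines)
        voice_vlan = any(l.startswith("switchport voice vlan") for l in lines)
        exempt = any(_SAFE_VIOLATION.match(l) for l in lines)
        if port_control and voice_vlan and not exempt:
            hits.append(name)
    return hits

def assess(errdisable_detect_output: str, running_config: str,
           port_security_output: str) -> Dict[str, List[str]]:
    """Map each VLAN-mode cause from Step 1 to the ports where Step 2 also holds."""
    causes = vlan_mode_causes(errdisable_detect_output)
    global_lines, interfaces = parse_config(running_config)
    findings: Dict[str, List[str]] = {}
    if "bpduguard" in causes:
        findings["bpduguard"] = bpduguard_ports(global_lines, interfaces)
    if "psecure-violation" in causes:
        findings["psecure-violation"] = shutdown_vlan_ports(port_security_output)
    if "security-violation" in causes:
        findings["security-violation"] = dot1x_ports(interfaces)
    return findings

def is_affected_configuration(findings: Dict[str, List[str]]) -> bool:
    """Any cause with at least one port-level match means the device matches."""
    return any(findings.values())

if __name__ == "__main__":
    result = assess(SAMPLE_ERRDISABLE_DETECT, SAMPLE_RUNNING_CONFIG, SAMPLE_PORT_SECURITY)
    for cause, ports in result.items():
        print(f"{cause:20s} port-level match on: {ports or 'none'}")
    print("affected configuration:", is_affected_configuration(result))
```

    On the constructed sample the script reports bpduguard matched on
    GigabitEthernet1/0/10 and psecure-violation on Gi1/0/48, while
    security-violation matches nothing because of the restrict action; remove
    that one line and GigabitEthernet1/0/11 joins the list. A single match is
    enough to treat the switch as running the affected configuration.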

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device is
    running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre
        .
        .
        .

    For information about the naming and numbering conventions for Cisco IOS XE
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  * There are no workarounds that address this vulnerability.

    For customers who can remove errdisable per VLAN detection and use the
    corresponding errdisable per port detection, this action may be a suitable
    mitigation until switches that are affected by this vulnerability can be
    upgraded.

Fixed Software

  * Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

      + Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
      + Enter the output of the show version command for the tool to parse
      + Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the most
        recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com and enter a
    Cisco IOS Software or Cisco IOS XE Software release (for example, 15.1(4)M2
    or 3.13.8S).

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  * This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  * Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication
    Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication
    September 2018

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-errdisable

Revision History

    +----------------------------------------------------------------------------+
    | Version |       Description        | Section | Status |        Date        |
    |---------+--------------------------+---------+--------+--------------------|
    | 1.0     | Initial public release.  |         | Final  | 2018-September-26  |
    +----------------------------------------------------------------------------+

Legal Disclaimer

  * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

- -------------------------------------------------------------------------------

Cisco Security Advisory

Cisco IOS XE Software HTTP Denial of Service Vulnerability

Priority:	    High
Advisory ID:        cisco-sa-20180926-webdos
First Published:    2018 September 26 16:00 GMT
Version 1.0:        Final
Workarounds:        No workarounds available
Cisco Bug IDs:      CSCvb22618
 
CVE-2018-0470 
CWE-399
 
CVSS Score:         Base 8.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  * A vulnerability in the web framework of Cisco IOS XE Software could allow
    an unauthenticated, remote attacker to cause a buffer overflow condition on
    an affected device, resulting in a denial of service (DoS) condition.

    The vulnerability is due to the affected software improperly parsing
    malformed HTTP packets that are destined to a device. An attacker could
    exploit this vulnerability by sending a malformed HTTP packet to an
    affected device for processing. A successful exploit could allow the
    attacker to cause a buffer overflow condition on the affected device,
    resulting in a DoS condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webdos

    This advisory is part of the September 26, 2018, release of the Cisco IOS
    and IOS XE Software Security Advisory Bundled Publication, which includes
    12 Cisco Security Advisories that describe 13 vulnerabilities. For a
    complete list of the advisories and links to them, see Cisco Event
    Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security
    Advisory Bundled Publication.

Affected Products

  * Vulnerable Products

    This vulnerability affects Cisco devices that are running a vulnerable
    release of Cisco IOS XE Software, if the HTTP Server feature is enabled.
    The default state of the HTTP Server feature is version-dependent.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Assessing the HTTP Server Configuration

    To determine whether the HTTP Server feature is enabled for a device,
    administrators can log in to the device and use the show running-config |
    include http (secure|server) command in the CLI to check for the presence
    of the ip http server command or the ip http secure-server command in the
    global configuration. If either command is present and configured, the HTTP
    Server feature is enabled for the device.

    The following example shows the output of the show running-config | include
    http (secure|server) command for a router that has the HTTP Server feature
    enabled:

        Router# show running-config | include http (secure|server)

        ip http server
        ip http secure-server

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device is
    running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre
        .
        .
        .

    For information about the naming and numbering conventions for Cisco IOS XE
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  * There are no workarounds that address this vulnerability.

    Administrators who do not use the web UI can mitigate this vulnerability by
    disabling the HTTP Server feature on an affected device. To disable the
    feature, use the no ip http server and no ip http secure-server commands in
    the CLI.
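
    The following script, an added example and not Cisco's own tooling,
    applies the HTTP Server check and the release lookup from the Affected
    Products section to saved show running-config and show version output and
    emits the Workarounds commands for whatever is enabled. It handles two
    details the advisory's one-line grep does not: show running-config |
    include http (secure|server) also matches an explicit no ip http server
    line, so the negation has to be parsed rather than merely detected; and
    when neither command appears at all the version-dependent default is in
    force, which the script flags for confirmation on the device with show ip
    http server status. The sample configurations and the version banner are
    constructed.

```python
"""Offline exposure check for cisco-sa-20180926-webdos (CVE-2018-0470): is the
IOS XE HTTP Server feature enabled, and which release is running? Added
example; not Cisco's code."""
import re
from typing import Dict, List, Optional

# Constructed sample output, not captured from real devices.
CONFIG_BOTH_ENABLED = """\
hostname edge-rtr
ip http server
ip http secure-server
"""
CONFIG_HTTPS_ONLY = """\
hostname core-sw
no ip http server
ip http secure-server
"""
CONFIG_DEFAULTS = """\
hostname lab-sw
"""
SHOW_VERSION = """\
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
"""

HTTP_COMMANDS = ("ip http server", "ip http secure-server")

def http_server_state(running_config: str) -> Dict[str, Optional[bool]]:
    """True = explicitly enabled, False = explicitly disabled ('no ...'),
    None = absent from the config, so the version-dependent default applies.
    The 'no ' prefix is parsed so 'no ip http server' is not read as enabled."""
    state: Dict[str, Optional[bool]] = {cmd: None for cmd in HTTP_COMMANDS}
    for raw in running_config.splitlines():
        line = raw.strip()
        negated = line.startswith("no ")
        cmd = line[3:] if negated else line
        if cmd in state:
            state[cmd] = not negated
    return state

def http_exposed(state: Dict[str, Optional[bool]]) -> bool:
    """Advisory condition: either the HTTP or the HTTPS server is enabled."""
    return any(v is True for v in state.values())

def default_applies(state: Dict[str, Optional[bool]]) -> bool:
    """A command is absent: confirm on the device with 'show ip http server status'."""
    return any(v is None for v in state.values())

def ios_xe_release(show_version: str) -> Optional[str]:
    """Release from the banner, e.g. '16.2.1' out of
    'Version Denali 16.2.1, RELEASE SOFTWARE (fc1)' (train name optional)."""
    m = re.search(r"\bVersion (?:[A-Za-z]+ )?([^\s,]+)", show_version)
    return m.group(1) if m else None

def mitigation(state: Dict[str, Optional[bool]]) -> List[str]:
    """The advisory's Workarounds commands, for whichever servers are enabled."""
    return [f"no {cmd}" for cmd, enabled in state.items() if enabled]

def assess(running_config: str, show_version: str) -> Dict[str, object]:
    """Everything an operator needs to decide on one device: release for the
    Software Checker, HTTP state, exposure verdict, and remediation lines."""
    state = http_server_state(running_config)
    return {
        "release": ios_xe_release(show_version),
        "http_server": state,
        "exposed": http_exposed(state),
        "verify_default": default_applies(state),
        "mitigation": mitigation(state),
    }

if __name__ == "__main__":
    for name, cfg in (("both", CONFIG_BOTH_ENABLED),
                      ("https-only", CONFIG_HTTPS_ONLY),
                      ("defaults", CONFIG_DEFAULTS)):
        print(name, assess(cfg, SHOW_VERSION))
```

    Feed the release value into the Cisco IOS Software Checker described
    under Fixed Software; the mitigation list is only a stopgap until the
    device is upgraded, and disabling the servers also removes the web UI.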

Fixed Software

  * Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

      + Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
      + Enter the output of the show version command for the tool to parse
      + Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the most
        recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com and enter a
    Cisco IOS Software or Cisco IOS XE Software release (for example, 15.1(4)M2
    or 3.13.8S).

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  * This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  * Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication
    Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication
    September 2018

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webdos

Revision History

    +----------------------------------------------------------------------------+
    | Version |       Description        | Section | Status |        Date        |
    |---------+--------------------------+---------+--------+--------------------|
    | 1.0     | Initial public release.  |         | Final  | 2018-September-26  |
    +----------------------------------------------------------------------------+

Legal Disclaimer

  * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

- -------------------------------------------------------------------------------

Cisco Security Advisory

Cisco IOS XE Software MACsec MKA Using EAP-TLS Authentication Bypass
Vulnerability

Priority:	    	Medium
Advisory ID:		cisco-sa-20180926-macsec
First Published:	2018 September 26 16:00 GMT
Version 1.0:		Final
Workarounds:		No workarounds available
Cisco Bug IDs:		CSCvh09411
 
CVE-2018-15372
CWE-284
 
CVSS Score:		Base 6.5
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:X/RL:X/RC:X

Summary

  * A vulnerability in the MACsec Key Agreement (MKA) using Extensible
    Authentication Protocol-Transport Layer Security (EAP-TLS) functionality of
    Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to
    bypass authentication and pass traffic through a Layer 3 interface of an
    affected device.

    The vulnerability is due to a logic error in the affected software. An
    attacker could exploit this vulnerability by connecting to and passing
    traffic through a Layer 3 interface of an affected device, if the interface
    is configured for MACsec MKA using EAP-TLS and is running in access-session
    closed mode. A successful exploit could allow the attacker to bypass 802.1x
    network access controls and gain access to the network.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-macsec

Affected Products

  * Vulnerable Products

    This vulnerability affects Cisco devices that are running a vulnerable
    Cisco IOS XE Software 16.x Release and have a Layer 3 interface that is
    configured for MACsec MKA using EAP-TLS and is running in access-session
    closed mode.

    For more information about which Cisco IOS XE Software releases are
    vulnerable, see the Fixed Software section of this advisory.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device is
    running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre
        .
        .
        .

    For information about the naming and numbering conventions for Cisco IOS XE
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  * There are no workarounds that address this vulnerability.

Fixed Software

  * For detailed information about affected and fixed software releases,
    consult the Cisco IOS Software Checker.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

      + Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
      + Enter the output of the show version command for the tool to parse
      + Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the most
        recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com and enter a
    Cisco IOS Software or Cisco IOS XE Software release (for example, 15.1(4)M2
    or 3.13.8S).

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  * This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-macsec

Revision History

    +----------------------------------------------------------------------------+
    | Version |       Description        | Section | Status |        Date        |
    |---------+--------------------------+---------+--------+--------------------|
    | 1.0     | Initial public release.  |         | Final  | 2018-September-26  |
    +----------------------------------------------------------------------------+

Legal Disclaimer

  * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

- -------------------------------------------------------------------------------

Cisco Security Advisory

Cisco IOS XE Software NAT Session Initiation Protocol Application Layer Gateway
Denial of Service Vulnerability

Priority:           High
Advisory ID:        cisco-sa-20180926-sip-alg
First Published:    2018 September 26 16:00 GMT
Version 1.0:        Final
Workarounds:        No workarounds available
Cisco Bug IDs:      CSCvg89036
 
CVE-2018-0476
CWE-399
 
CVSS Score:         Base 8.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  * A vulnerability in the Network Address Translation (NAT) Session Initiation
    Protocol (SIP) Application Layer Gateway (ALG) of Cisco IOS XE Software
    could allow an unauthenticated, remote attacker to cause an affected device
    to reload.

    The vulnerability is due to improper processing of SIP packets in transit
    while NAT is performed on an affected device. An unauthenticated, remote
    attacker could exploit this vulnerability by sending crafted SIP packets
    via UDP port 5060 through an affected device that is performing NAT for SIP
    packets. A successful exploit could allow an attacker to cause the device
    to reload, resulting in a denial of service (DoS) condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-sip-alg

    This advisory is part of the September 26, 2018, release of the Cisco IOS
    and IOS XE Software Security Advisory Bundled Publication, which includes
    12 Cisco Security Advisories that describe 13 vulnerabilities. For a
    complete list of the advisories and links to them, see Cisco Event
    Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security
    Advisory Bundled Publication.

Affected Products

  * Vulnerable Products

    This vulnerability affects devices that are running Cisco IOS XE Software
    configured for NAT operation. The SIP ALG feature is enabled as soon as NAT
    is configured on the device.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Assessing the NAT Configuration

    To determine whether NAT has been enabled in the Cisco IOS XE Software
    configuration, the ip nat inside or ip nat outside commands must be on
    different interfaces and at least one ip nat global configuration command
    must be in the configuration. Alternatively, in the case of the NAT Virtual
    Interface, the ip nat enable interface command will be present.

    The show running-config | include ip nat command can be used to determine
    whether NAT is in the configuration, as illustrated in the following
    example of a vulnerable configuration:

        Router#show running-config | include ip nat
         ip nat inside
         ip nat outside
         ip nat inside source static 192.0.2.100 10.0.0.1

    To determine whether the SIP ALG is disabled in the NAT configuration, use
    the show running-config | include ip nat privileged EXEC command. The
    presence of no ip nat service in the output of show running-config |
    include ip nat indicates that the SIP ALG is disabled in the NAT
    configuration.

    The following is the output of show running-config | include ip nat in
    Cisco IOS XE Software that has the SIP ALG disabled in the NAT
    configuration:

        Router#show running-config | include ip nat
         ip nat inside
         ip nat outside
         ip nat inside source static 192.0.2.100 10.0.0.1 vrf sip
         no ip nat service sip udp port 5060

    If no ip nat service does not appear in the output of show running-config |
    include ip nat, and the device runs an affected version of Cisco IOS XE
    Software with NAT enabled, that configuration is vulnerable.
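    The decision rules in this section can be applied mechanically to captured
    CLI output. The following Python is an added example written for this
    bulletin, not Cisco's tooling. It assumes the filtered
    show running-config | include ip nat output has been saved as text; the
    sample outputs inside it are constructed from the two listings above.
    Because the filtered output does not show which interface each
    ip nat inside / ip nat outside line belongs to, the script can only confirm
    that both designations and at least one global ip nat statement are
    present; that they sit on different interfaces must be confirmed from the
    full configuration, and the running release must still be checked with the
    Cisco IOS Software Checker before a device is called vulnerable.

```python
import re

# Constructed sample outputs, modelled on the two
# "show running-config | include ip nat" listings in the advisory
# (not captured from a real device).
NAT_NO_MITIGATION = """\
Router#show running-config | include ip nat
 ip nat inside
 ip nat outside
 ip nat inside source static 192.0.2.100 10.0.0.1
"""

NAT_WITH_MITIGATION = """\
Router#show running-config | include ip nat
 ip nat inside
 ip nat outside
 ip nat inside source static 192.0.2.100 10.0.0.1 vrf sip
 no ip nat service sip udp port 5060
"""

NO_NAT = """\
Router#show running-config | include ip nat
"""

# The exact mitigation line given in the advisory's Workarounds section.
SIP_ALG_OFF = re.compile(r"^no ip nat service sip udp port 5060$")
# A CLI prompt echo such as "Router#show running-config ..."
PROMPT = re.compile(r"^\S+#")
# Interface-level NAT designations (classic NAT) and the NVI form.
IFACE_NAT = {"ip nat inside", "ip nat outside", "ip nat enable"}


def config_lines(output):
    """Return the configuration statements, minus prompt echo and blank lines."""
    lines = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or PROMPT.match(line):
            continue
        lines.append(line)
    return lines


def assess_nat_sip_alg(output):
    """Apply the advisory's rules to filtered running-config output.

    nat_enabled      : both 'ip nat inside' and 'ip nat outside' plus at least one
                       global 'ip nat ...' statement, or the NVI 'ip nat enable'
    sip_alg_disabled : the 'no ip nat service sip udp port 5060' line is present
    exposed          : NAT enabled and the SIP ALG not disabled; the release
                       check against the Software Checker is still required
    """
    lines = config_lines(output)
    iface = {l for l in lines if l in IFACE_NAT}
    # Any other statement starting with "ip nat " is a global NAT command
    # (ip nat inside source ..., ip nat pool ..., and so on).
    global_nat = [l for l in lines if l.startswith("ip nat ") and l not in IFACE_NAT]
    classic = {"ip nat inside", "ip nat outside"} <= iface and bool(global_nat)
    nvi = "ip nat enable" in iface
    nat_enabled = classic or nvi
    sip_alg_disabled = any(SIP_ALG_OFF.match(l) for l in lines)
    return {
        "nat_enabled": nat_enabled,
        "sip_alg_disabled": sip_alg_disabled,
        "exposed": nat_enabled and not sip_alg_disabled,
    }


if __name__ == "__main__":
    for name, sample in (("no mitigation", NAT_NO_MITIGATION),
                         ("mitigated", NAT_WITH_MITIGATION),
                         ("no NAT", NO_NAT)):
        print(name, assess_nat_sip_alg(sample))
```

    Run against a file captured from each NAT device in the estate, the
    "exposed" flag gives the list of devices that still need either the
    no ip nat service sip udp port 5060 mitigation or the fixed release.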

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device is
    running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre
        .
        .
        .

    For information about the naming and numbering conventions for Cisco IOS XE
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Indicators of Compromise

  * A successful exploit of this vulnerability will cause an affected device to
    reload and generate a crashinfo file.

    A successful exploit of this vulnerability may be confirmed by decoding the
    stack trace for the device and determining whether the stack trace
    correlates with this vulnerability.

    Contact the Cisco Technical Assistance Center (TAC) to review the crashinfo
    file and determine whether the device has been compromised by exploitation
    of this vulnerability.

Workarounds

  * There are no workarounds that address this vulnerability.

    Administrators can mitigate the vulnerability by disabling the SIP ALG by
    configuring the following on the affected device until an upgrade is
    possible:

         no ip nat service sip udp port 5060

Fixed Software

  * Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

      + Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
      + Enter the output of the show version command for the tool to parse
      + Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the most
        recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com, or enter a
    Cisco IOS Software or Cisco IOS XE Software release (for example, 15.1(4)M2
    or 3.13.8S) in the search field on that page.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  * This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  * Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication
    Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication
    September 2018

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-sip-alg

Revision History

    +----------------------------------------------------------------------------+
    | Version |       Description        | Section | Status |        Date        |
    |---------+--------------------------+---------+--------+--------------------|
    | 1.0     | Initial public release.  |         | Final  | 2018-September-26  |
    +----------------------------------------------------------------------------+

- -------------------------------------------------------------------------------

Cisco Security Advisory

Cisco IOS XE Software Privileged EXEC Mode Root Shell Access Vulnerability

Priority:           Medium
Advisory ID:        cisco-sa-20180926-privesc
First Published:    2018 September 26 16:00 GMT
Version 1.0:        Final
Workarounds:        No workarounds available
Cisco Bug IDs:      CSCuw45594
 
CVSS Score:         Base 6.7
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  * A vulnerability in the CLI parser of Cisco IOS XE Software could allow an
    authenticated, local attacker to gain access to the underlying Linux shell
    of an affected device and execute arbitrary commands with root privileges
    on the device.

    The vulnerability is due to the affected software improperly sanitizing
    command arguments to prevent modifications to the underlying Linux
    filesystem on a device. An attacker who has privileged EXEC mode (privilege
    level 15) access to an affected device could exploit this vulnerability on
    the device by executing CLI commands that contain crafted arguments. A
    successful exploit could allow the attacker to gain access to the
    underlying Linux shell of the affected device and execute arbitrary
    commands with root privileges on the device.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-privesc

Affected Products

  * Vulnerable Products

    This vulnerability affects Cisco devices that are running a vulnerable
    release of Cisco IOS XE Software.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device is
    running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre
        .
        .
        .

    For information about the naming and numbering conventions for Cisco IOS XE
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  * There are no workarounds that address this vulnerability.

Fixed Software

  * For detailed information about affected and fixed software releases,
    consult the Cisco IOS Software Checker.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

      + Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
      + Enter the output of the show version command for the tool to parse
      + Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the most
        recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com, or enter a
    Cisco IOS Software or Cisco IOS XE Software release (for example, 15.1(4)M2
    or 3.13.8S) in the search field on that page.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  * This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-privesc

Revision History

    +----------------------------------------------------------------------------+
    | Version |       Description        | Section | Status |        Date        |
    |---------+--------------------------+---------+--------+--------------------|
    | 1.0     | Initial public release.  |         | Final  | 2018-September-26  |
    +----------------------------------------------------------------------------+

Legal Disclaimer

  * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

- -------------------------------------------------------------------------------

Cisco Security Advisory

Cisco IOS XE Software Shell Access Authentication Bypass Vulnerability

Priority:               Medium
Advisory ID:            cisco-sa-20180926-shell-access
First Published:        2018 September 26 16:00 GMT
Version 1.0:            Final
Workarounds:            No workarounds available
Cisco Bug IDs:          CSCvb79289
 
CVE-2018-15371
CWE-284
 
CVSS Score:             Base 6.7
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  * A vulnerability in the shell access request mechanism of Cisco IOS XE
    Software could allow an authenticated, local attacker to bypass
    authentication and gain unrestricted access to the root shell of an
    affected device.

    The vulnerability exists because the affected software has insufficient
    authentication mechanisms for certain commands. An attacker could exploit
    this vulnerability by requesting access to the root shell of an affected
    device, after the shell access feature has been enabled. A successful
    exploit could allow the attacker to bypass authentication and gain
    unrestricted access to the root shell of the affected device.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-shell-access

Affected Products

  * Vulnerable Products

    This vulnerability affects the following Cisco devices if they are running
    a vulnerable release of Cisco IOS XE Software and have the Smart Licensing
    feature enabled:

      + 4000 Series Integrated Services Routers
      + ASR 900 Series Aggregation Services Routers
      + ASR 1000 Series Aggregation Services Routers
      + Cloud Services Router 1000V Series
      + Integrated Services Virtual Router

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Determining Whether Smart Licensing Is Enabled

    To determine whether the Smart Licensing feature is enabled for a device,
    administrators can log in to the device and use the show license summary |
    include Smart privileged EXEC command in the CLI. The following example
    shows the output of the command for a device that has the Smart Licensing
    feature enabled:

        ios-xe-device# show license summary | include Smart

        Smart Licensing is ENABLED

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device is
    running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre
        .
        .
        .

    For information about the naming and numbering conventions for Cisco IOS XE
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  * There are no workarounds that address this vulnerability.

Fixed Software

  * For detailed information about affected and fixed software releases,
    consult the Cisco IOS Software Checker.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

      + Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
      + Enter the output of the show version command for the tool to parse
      + Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the most
        recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com, or enter a
    Cisco IOS Software or Cisco IOS XE Software release (for example, 15.1(4)M2
    or 3.13.8S) in the search field on that page.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  * This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-shell-access

Revision History

    +----------------------------------------------------------------------------+
    | Version |       Description        | Section | Status |        Date        |
    |---------+--------------------------+---------+--------+--------------------|
    | 1.0     | Initial public release.  |         | Final  | 2018-September-26  |
    +----------------------------------------------------------------------------+

Legal Disclaimer

  * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

- -------------------------------------------------------------------------------

Cisco Security Advisory

Cisco IOS XE Software Web UI Denial of Service Vulnerability

Priority:           High
Advisory ID:        cisco-sa-20180926-webuidos
First Published:    2018 September 26 16:00 GMT
Version 1.0:        Final
Workarounds:        No workarounds available
Cisco Bug IDs:      CSCva31961
 
CVE-2018-0469
CWE-415
 
CVSS Score:         Base 8.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  * A vulnerability in the web user interface of Cisco IOS XE Software could
    allow an unauthenticated, remote attacker to cause an affected device to
    reload. The vulnerability is due to a double free in the affected
    software's memory handling when specific HTTP requests are processed.

    An attacker could exploit this vulnerability by sending specific HTTP
    requests to the web user interface of the affected software. A successful
    exploit could allow the attacker to cause the affected device to reload,
    resulting in a denial of service (DoS) condition on an affected device. To
    exploit this vulnerability, the attacker must have access to the management
    interface of the affected software, which is typically connected to a
    restricted management network.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webuidos

    This advisory is part of the September 26, 2018, release of the Cisco IOS
    and IOS XE Software Security Advisory Bundled Publication, which includes
    12 Cisco Security Advisories that describe 13 vulnerabilities. For a
    complete list of the advisories and links to them, see Cisco Event
    Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security
    Advisory Bundled Publication.

Affected Products

  * Vulnerable Products

    This vulnerability affects Cisco Catalyst 3650 and 3850 Series Switches
    that are running a vulnerable release of Cisco IOS XE Software if the HTTP
    Server feature is enabled. The default state of the HTTP Server feature is
    version dependent.

    This vulnerability was introduced in Cisco IOS XE Software Release 16.1.1.
    For more information about which Cisco IOS XE Software releases are
    vulnerable, see the Fixed Software section of this advisory.

    Assessing the HTTP Server Configuration

    To determine whether the HTTP Server feature is enabled for a device,
    administrators can log in to the device and use the show running-config |
    include http (secure|server) command in the CLI to check for the presence
    of the ip http server command or the ip http secure-server command in the
    global configuration. If either command is present and configured, the HTTP
    Server feature is enabled for the device.

    The following example shows the output of the show running-config | include
    http (secure|server) command for a router that has the HTTP Server feature
    enabled:

        Router# show running-config | include http (secure|server)

        ip http server
        ip http secure-server

    If the output from the previous command also contains:

        ip http active-session-modules none
        ip http secure-active-session-modules none

    then the device is not exploitable.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device is
    running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre
        .
        .
        .

    For information about the naming and numbering conventions for Cisco IOS XE
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
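The HTTP Server check and the release check above, combined into one screening script as an added example (not Cisco's code). It assumes the `show running-config` and `show version` output are saved as text, reads each `active-session-modules none` line as applying to its own server, and applies the 16.1.1 introduction point and the 16.2.2 authentication boundary that the Details section of this advisory states.

```python
"""Offline triage for cisco-sa-20180926-webuidos (CVE-2018-0469).

Added example, not Cisco's code. Applies the advisory's checks to saved
'show running-config' and 'show version' text so many devices can be
screened at once. Assumptions: each 'active-session-modules none' line
disables WebUI sessions for its own server (HTTP or HTTPS) only, and the
release is read from the 'Version [name] 16.x.y' field of the banner.
"""
import re
from typing import NamedTuple, Optional, Tuple

# Global commands the advisory tells administrators to look for.
HTTP_SERVER = "ip http server"
HTTPS_SERVER = "ip http secure-server"
HTTP_MODULES_NONE = "ip http active-session-modules none"
HTTPS_MODULES_NONE = "ip http secure-active-session-modules none"

INTRODUCED_IN = (16, 1, 1)       # advisory: vulnerability introduced in 16.1.1
AUTH_REQUIRED_FROM = (16, 2, 2)  # advisory Details: 16.2.2+ needs a login first

# Matches 'Version Denali 16.2.1' as well as 'Version 16.9.1'.
VERSION_RE = re.compile(r"\bVersion\s+(?:[A-Za-z]\w*\s+)?(\d+)\.(\d+)\.(\d+)")

Release = Tuple[int, int, int]


class Assessment(NamedTuple):
    release: Optional[Release]
    http_enabled: bool   # ip http server and/or ip http secure-server present
    webui_active: bool   # at least one enabled server still serves the WebUI
    verdict: str


def global_commands(running_config: str) -> set:
    """Return the non-indented commands of a running-config, whitespace-normalised."""
    cmds = set()
    for line in running_config.splitlines():
        if line and not line[0].isspace() and not line.startswith("!"):
            cmds.add(" ".join(line.split()))
    return cmds


def parse_release(show_version: str) -> Optional[Release]:
    """Extract (major, minor, patch) from the show version banner, or None."""
    m = VERSION_RE.search(show_version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def assess(running_config: str, show_version: str) -> Assessment:
    cmds = global_commands(running_config)
    release = parse_release(show_version)
    http_enabled = HTTP_SERVER in cmds or HTTPS_SERVER in cmds
    # Assumption: the 'none' setting is evaluated per server.
    webui_active = (HTTP_SERVER in cmds and HTTP_MODULES_NONE not in cmds) or (
        HTTPS_SERVER in cmds and HTTPS_MODULES_NONE not in cmds)

    if not http_enabled:
        verdict = "not exposed: HTTP Server feature is disabled"
    elif not webui_active:
        verdict = "not exploitable: active-session-modules set to none"
    elif release is None:
        verdict = "HTTP Server enabled, release unknown: run the Cisco IOS Software Checker"
    elif release < INTRODUCED_IN:
        verdict = "not affected: release predates 16.1.1"
    elif release < AUTH_REQUIRED_FROM:
        verdict = "exposed to unauthenticated DoS: upgrade per Fixed Software"
    else:
        verdict = "exposed to authenticated DoS: upgrade per Fixed Software"
    return Assessment(release, http_enabled, webui_active, verdict)


# Constructed samples (not real device output).
SAMPLE_VERSION = ("Cisco IOS Software, Catalyst L3 Switch Software "
                  "(CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)")
SAMPLE_EXPOSED = "!\nhostname sw1\nip http server\nip http secure-server\n!\n"
SAMPLE_HARDENED = SAMPLE_EXPOSED + ("ip http active-session-modules none\n"
                                    "ip http secure-active-session-modules none\n")
SAMPLE_DISABLED = "!\nhostname sw1\nno ip http server\nno ip http secure-server\n!\n"

if __name__ == "__main__":
    for name, cfg in [("exposed", SAMPLE_EXPOSED), ("hardened", SAMPLE_HARDENED),
                      ("disabled", SAMPLE_DISABLED)]:
        print(name, assess(cfg, SAMPLE_VERSION).verdict)
```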

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Details

  * This vulnerability has a CVSSv3 score with an authentication vector of "Not
    Required." Cisco IOS XE releases prior to 16.2.2 did not require
    authentication to exploit this vulnerability. Cisco IOS XE Software
    Releases 16.2.2 and later require authentication to exploit this
    vulnerability.

Indicators of Compromise

  * Cisco IOS XE Software Release 16.2.2 syslog should indicate a "Login
    Successful" message for the WebGUI, followed by this syslog message:

        %PMAN-3-PROCHOLDDOWN: The process dbm has been helddown (rc 134)

    Cisco IOS XE Software releases prior to 16.2.2 would not show the "Login
    Successful" message, only the syslog message shown above.
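The syslog indicator above, turned into detection logic as an added example that is not part of the advisory. The log lines are constructed; the exact wording of the WebGUI login message, the IOS timestamp layout and the five-minute correlation window are assumptions.

```python
"""Detection for the crash signature in cisco-sa-20180926-webuidos (CVE-2018-0469).

Added example, not Cisco's code. It scans syslog lines for the
'%PMAN-3-PROCHOLDDOWN ... dbm ... (rc 134)' message the advisory gives and
reports whether a WebGUI 'Login Successful' message preceded it, which the
advisory says is expected on Release 16.2.2 (login required) but not on
earlier releases. The sample lines are constructed; the exact text of the
login message and the IOS timestamp layout are assumptions.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

# Signature quoted in the advisory's Indicators of Compromise section.
HOLDDOWN_RE = re.compile(r"%PMAN-3-PROCHOLDDOWN: The process dbm has been helddown \(rc 134\)")
# The advisory names only the phrase; match on it regardless of the mnemonic.
LOGIN_RE = re.compile(r"Login Successful", re.IGNORECASE)
# IOS-style prefix: optional sequence number, optional '*'/'.' clock flag,
# then 'Mon d hh:mm:ss[.mmm]:'. No year is logged, so 1900 is used (assumption).
PREFIX_RE = re.compile(
    r"^(?:\d+:\s*)?[*.]?(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})(?:\.\d+)?:\s*(.*)$")


class Finding(NamedTuple):
    line_no: int
    when: datetime
    preceded_by_login: bool
    note: str


def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Split a syslog line into (timestamp, message body); None if no prefix."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)


def find_dbm_holddowns(lines: List[str],
                       window: timedelta = timedelta(minutes=5)) -> List[Finding]:
    """Return one Finding per dbm hold-down, flagged if a WebGUI login
    occurred within `window` before it (window length is an assumption)."""
    findings: List[Finding] = []
    last_login: Optional[datetime] = None
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if LOGIN_RE.search(msg):
            last_login = ts
        elif HOLDDOWN_RE.search(msg):
            recent = last_login is not None and timedelta(0) <= ts - last_login <= window
            note = ("dbm hold-down after a WebGUI login: matches the advisory's IoC "
                    "for Release 16.2.2 and later" if recent else
                    "dbm hold-down with no recent WebGUI login: matches the advisory's "
                    "IoC for releases before 16.2.2")
            findings.append(Finding(n, ts, recent, note))
    return findings


# Constructed sample syslog (not captured from a real device).
SAMPLE_SYSLOG = [
    "000120: *Sep 26 10:00:01.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "000121: *Sep 26 10:01:15.512: WebGUI: Login Successful for user admin from 192.0.2.10",
    "000122: *Sep 26 10:01:18.204: %PMAN-3-PROCHOLDDOWN: The process dbm has been helddown (rc 134)",
    "000130: *Sep 26 14:30:00.000: %PMAN-3-PROCHOLDDOWN: The process dbm has been helddown (rc 134)",
]

if __name__ == "__main__":
    for f in find_dbm_holddowns(SAMPLE_SYSLOG):
        print(f"line {f.line_no} {f.when:%b %d %H:%M:%S}: {f.note}")
```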

Workarounds

  * There are no workarounds that address this vulnerability.

    Customers who do not require the WebGUI to be enabled can disable it as
    shown in the following example:

        Switch#configure terminal
        Switch(config)#no ip http server
        Switch(config)#no ip http secure-server
        Switch(config)#exit
        Switch#

Fixed Software

  * Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

      + Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
      + Enter the output of the show version command for the tool to parse
      + Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the most
        recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com and enter a
    Cisco IOS Software or Cisco IOS XE Software release, for example, 15.1(4)M2
    or 3.13.8S.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  * This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  * Subscribe

Related to This Advisory

  * Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication
    Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication
    September 2018

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webuidos

Revision History

    +----------------------------------------------------------------------------+
    | Version |       Description        | Section | Status |        Date        |
    |---------+--------------------------+---------+--------+--------------------|
    | 1.0     | Initial public release.  |         | Final  | 2018-September-26  |
    +----------------------------------------------------------------------------+

Legal Disclaimer

  * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

- -------------------------------------------------------------------------------

Cisco Security Advisory

Cisco IOS XE Software and Cisco ASA 5500-X Series Adaptive Security Appliance
IPsec Denial of Service Vulnerability

Priority:               High
Advisory ID:            cisco-sa-20180926-ipsec
First Published:        2018 September 26 16:00 GMT
Version 1.0:            Final
Workarounds:            No workarounds available
Cisco Bug IDs:          CSCvf73114, CSCvg37952, CSCvh04189, CSCvh04591,
                        CSCvi30496

CVE-2018-0472
CWE-20
 
CVSS Score:             Base 8.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  * A vulnerability in the IPsec driver code of multiple Cisco IOS XE Software
    platforms and the Cisco ASA 5500-X Series Adaptive Security Appliance (ASA)
    could allow an unauthenticated, remote attacker to cause the device to
    reload.

    The vulnerability is due to improper processing of malformed IPsec
    Authentication Header (AH) or Encapsulating Security Payload (ESP) packets.
    An attacker could exploit this vulnerability by sending malformed IPsec
    packets to be processed by an affected device. An exploit could allow the
    attacker to cause a reload of the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipsec

    This advisory is part of the September 26, 2018, release of the Cisco IOS
    and IOS XE Software Security Advisory Bundled Publication, which includes
    12 Cisco Security Advisories that describe 13 vulnerabilities. For a
    complete list of the advisories and links to them, see Cisco Event
    Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security
    Advisory Bundled Publication.

Affected Products

  * This vulnerability affects multiple platforms running Cisco IOS XE Software
    and certain Cisco 5500-X Series Adaptive Security Appliances (ASA) running
    either Cisco ASA Software or Cisco Firepower Threat Defense (FTD) Software.
    See the following sections for details:

      + Cisco IOS XE Software
      + Cisco ASA Software and Cisco ASA 5500-X Series with Firepower Threat
        Defense Software
   
    Vulnerable Products

    Cisco IOS XE Software

    This vulnerability affects Cisco IOS XE Software running on the following
    products. No other models are affected.

      + Cisco ASR 1000 Series Aggregation Services Routers:
          o ASR 1001-X
          o ASR 1001-HX
          o ASR 1002-X
          o ASR 1002-HX
          o Cisco ASR 1000 Series 100-Gbps Embedded Service Processor
            (ASR1000-ESP100)
          o Cisco ASR 1000 Series 200-Gbps Embedded Service Processor
            (ASR1000-ESP200)

      + Cisco 4000 Series Integrated Services Routers:
          o ISR 4431
          o ISR 4451-X

    Cisco IOS XE Software is affected by this vulnerability if the system is
    configured to terminate IPsec VPN connections. This includes the following:

      + LAN-to-LAN VPN
      + Remote-access VPN, excluding SSL VPN
      + Dynamic Multipoint VPN (DMVPN) 
      + FlexVPN
      + Group Encrypted Transport VPN (GET VPN)
      + IPsec virtual tunnel interfaces (VTIs)
      + Open Shortest Path First Version 3 (OSPFv3) Authentication Support with
        IPsec

    If a device that is running Cisco IOS XE Software is configured to
    terminate IPsec VPN connections, either a crypto map must be configured for
    at least one interface or the device must be configured with IPsec VTIs.

    Administrators should use the show running-config command and verify that
    the returned output contains a crypto map configured under at least one
    active interface. The following example shows a crypto map named map-group1
    configured on the GigabitEthernet 0/0/0 interface:

        Router# show running-config
        <!-- Output Omitted -->
        interface GigabitEthernet0/0/0
         crypto map map-group1

    Administrators should use the show running-config command and verify that
    the returned output contains tunnel protection ipsec profile configured
    under at least one tunnel interface. The following example shows a VTI
    interface:

        Router# show running-config
        interface tunnel 0
        tunnel mode ipsec ipv4
        tunnel protection ipsec profile PROF1

    Note: IPsec VPN is not configured by default.

    If a device that is running Cisco IOS XE Software is configured to support
    OSPFv3 Authentication Support with IPsec, the running configuration
    contains one of the following:

      + ipv6 ospf encryption
      + ipv6 ospf authentication
      + ospfv3 authentication ipsec
      + ospfv3 encryption ipsec
      + area <area-id> authentication ipsec
      + area <area-id> encryption ipsec
      + area <area-id> virtual-link <router-id> authentication ipsec spi
      + area <area-id> virtual-link <router-id> encryption ipsec spi

    The following example shows a device configured for OSPFv3 Authentication
    Support with IPsec:

        Router# show running-config
        interface GigabitEthernet0/1
        ospfv3 authentication ipsec spi 256 md5 01020304050607080910010203040506

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device is
    running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre
        .
        .
        .

    For information about the naming and numbering conventions for Cisco IOS XE
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Cisco ASA Software and Cisco ASA 5500-X Series with Firepower Threat
    Defense Software

    This vulnerability affects Cisco ASA Software or Cisco FTD Software running
    on the following products. No other models are affected.

      + Cisco ASA 5500-X Series Adaptive Security Appliances:
          o ASA 5506-X Series
          o ASA 5508-X Series
          o ASA 5516-X Series

    Refer to the Fixed Software section of this security advisory for more
    information about affected releases.

    Cisco ASA Software is affected by this vulnerability if the system is
    configured to terminate IPsec VPN connections. This includes the following:

      + LAN-to-LAN IPsec VPN
      + Remote-access VPN using the IPsec VPN client
      + Layer 2 Tunneling Protocol (L2TP)-over-IPsec VPN connections

    Cisco FTD Software is affected by this vulnerability if the system is
    configured to terminate IPsec VPN connections. This includes the following:

      + Site-to-site IPsec VPN
      + Remote-access VPN using the IPsec VPN client

    Cisco ASA Software or Cisco FTD Software is not affected by this
    vulnerability if the system is configured to terminate only the following
    VPN connections:

      + Clientless SSL 
      + AnyConnect SSL

    If an appliance running Cisco ASA Software is configured to terminate IPsec
    VPN connections, a crypto map must be configured for at least one
    interface. Administrators should use the show running-config crypto map |
    include interface command and verify that it returns output. The following
    example shows a crypto map named outside_map configured on the outside
    interface:

        ciscoasa# show running-config crypto map | include interface
        crypto map outside_map interface outside

    Note: IPsec VPN is not configured by default.

    To determine whether an appliance that is running Cisco FTD is configured
    with site-to-site VPN connections or remote-access VPN connections that use
    the IPsec VPN client, administrators should use the show running-config
    command. In the following table, the left column lists the vulnerable
    Cisco FTD features. The right column indicates the vulnerable configuration
    from the show running-config command.

    +------------------------------------+----------------------------------------+
    | Cisco FTD Feature                  | Vulnerable Configuration               |
    |------------------------------------+----------------------------------------|
    | AnyConnect IKEv2 Remote Access     | crypto ikev2 enable <interface_name>   |
    | (with client services)^1,2         | client-services port <port #>          |
    |                                    | webvpn                                 |
    |                                    |   anyconnect enable                    |
    |------------------------------------+----------------------------------------|
    | AnyConnect IKEv2 Remote Access     | crypto ikev2 enable <interface_name>   |
    | (without client services)^1,2      | webvpn                                 |
    |                                    |   anyconnect enable                    |
    |------------------------------------+----------------------------------------|
    | Site-to-site VPN connections^3     | crypto map <crypto_map_name> interface |
    |                                    | <interface_name>                       |
    +------------------------------------+----------------------------------------+

    ^1 Remote-access VPN features are enabled via Devices > VPN > Remote Access
    in the Cisco FMC or via Device > Remote Access VPN in Cisco Firepower Device
    Manager (FDM).
    ^2 Remote-access VPN features are first supported as of Cisco FTD Software
    Release 6.2.2.
    ^3 Site-to-site VPN features are first supported as of Cisco FTD Software
    Release 6.2.0.
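The configuration checks for IOS XE (crypto map on an interface, IPsec VTI, OSPFv3 with IPsec) and for ASA/FTD (crypto map bound to an interface, AnyConnect IKEv2) described above, as one added screening script that is not Cisco's code. The sample configurations are constructed, and the section parser is a simplified reading of running-config indentation.

```python
"""Screens saved running-configs for the IPsec-terminating configuration that
cisco-sa-20180926-ipsec (CVE-2018-0472) describes. IOS XE: a crypto map under
an interface, 'tunnel protection ipsec profile' under a tunnel interface, or
an OSPFv3 IPsec authentication/encryption command. ASA/FTD: 'crypto map
<name> interface <if>', or 'crypto ikev2 enable <if>' with AnyConnect enabled.
Added example, not Cisco's code; the sample configurations are constructed.
"""
import re
from typing import Dict, List, NamedTuple


class Hit(NamedTuple):
    section: str   # header line of the section the command sits in ('' = global)
    command: str
    reason: str


def sections(config: str) -> Dict[str, List[str]]:
    """Group config text into top-level sections keyed by header line (e.g.
    'interface Tunnel0', 'webvpn') with their indented sub-commands.
    '!' separator lines are skipped; commands are whitespace-normalised."""
    out: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        norm = " ".join(raw.split())
        if raw[0].isspace():
            out[current].append(norm)
        else:
            current = norm
            out.setdefault(current, [])
    return out


# ---- Cisco IOS XE ----------------------------------------------------------
CRYPTO_MAP_APPLIED_RE = re.compile(r"^crypto map \S+")  # checked under interfaces only
TUNNEL_PROTECTION_RE = re.compile(r"^tunnel protection ipsec profile \S+")
# OSPFv3-with-IPsec commands quoted by the advisory; the 'area' forms carry an
# area id (and a router id for virtual links) between the keywords.
OSPFV3_IPSEC_RES = [
    re.compile(r"^ipv6 ospf (encryption|authentication)\b"),
    re.compile(r"^ospfv3 (authentication|encryption) ipsec\b"),
    re.compile(r"^area \S+ (authentication|encryption) ipsec\b"),
    re.compile(r"^area \S+ virtual-link \S+ (authentication|encryption) ipsec spi\b"),
]


def iosxe_ipsec_hits(config: str) -> List[Hit]:
    hits: List[Hit] = []
    for header, cmds in sections(config).items():
        on_interface = header.startswith("interface ")
        for cmd in cmds:
            if on_interface and CRYPTO_MAP_APPLIED_RE.match(cmd):
                hits.append(Hit(header, cmd, "crypto map applied to an interface"))
            elif on_interface and TUNNEL_PROTECTION_RE.match(cmd):
                hits.append(Hit(header, cmd, "IPsec VTI (tunnel protection)"))
            elif any(r.match(cmd) for r in OSPFV3_IPSEC_RES):
                hits.append(Hit(header, cmd, "OSPFv3 authentication/encryption with IPsec"))
    return hits


# ---- Cisco ASA / FTD -------------------------------------------------------
ASA_CRYPTO_MAP_IF_RE = re.compile(r"^crypto map \S+ interface \S+")
FTD_IKEV2_RE = re.compile(r"^crypto ikev2 enable \S+")


def asa_ftd_ipsec_hits(config: str) -> List[Hit]:
    secs = sections(config)
    anyconnect = "anyconnect enable" in secs.get("webvpn", [])
    hits: List[Hit] = []
    for header in secs:  # both commands are global, so they appear as headers
        if ASA_CRYPTO_MAP_IF_RE.match(header):
            hits.append(Hit("", header, "IPsec crypto map bound to an interface"))
        elif FTD_IKEV2_RE.match(header) and anyconnect:
            hits.append(Hit("", header, "AnyConnect IKEv2 remote access"))
    return hits


# Constructed samples (not captured from real devices).
IOSXE_TERMINATING = """\
crypto map map-group1 10 ipsec-isakmp
 set peer 198.51.100.2
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map map-group1
!
interface Tunnel0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF1
!
ipv6 router ospf 1
 area 0 authentication ipsec spi 500 md5 01020304050607080910010203040506
"""
IOSXE_NOT_TERMINATING = "crypto map map-group1 10 ipsec-isakmp\n set peer 198.51.100.2\n"
ASA_TERMINATING = ("crypto ikev2 enable outside\ncrypto map outside_map interface outside\n"
                   "webvpn\n enable outside\n anyconnect enable\n")
ASA_SSL_ONLY = "webvpn\n enable outside\n anyconnect enable\n"

if __name__ == "__main__":
    for hit in iosxe_ipsec_hits(IOSXE_TERMINATING) + asa_ftd_ipsec_hits(ASA_TERMINATING):
        print(f"{hit.reason}: '{hit.command}' in section '{hit.section}'")
```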

    Determining the Cisco ASA Software Release

    To determine whether a vulnerable release of Cisco ASA Software is running
    on an appliance, administrators can use the show version command. The
    following example shows the results of the show version command on an
    appliance running Cisco ASA Software Release 9.2(1):

        ciscoasa# show version | include Version
        Cisco Adaptive Security Appliance Software Version 9.2(1)
        Device Manager Version 7.4(1)

    Determining the Cisco FTD Software Release

    Administrators can use the show version command in the CLI to determine the
    Cisco FTD Software release. In this example, the device is running Release
    6.2.2:

        > show version
        ---------------------[ ftd ]---------------------
        Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.2 (Build 362)
        UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version : 279
        ----------------------------------------------------

    Customers who use Cisco Adaptive Security Device Manager (ASDM) to manage
    devices can locate the software release in the table that appears in the
    login window or the upper-left corner of the Cisco ASDM window.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Details

  * For this vulnerability to be exploited, the IPsec security associations
    (SAs) must first be established. 

    An attacker can exploit this vulnerability by using a crafted ESP or AH
    packet that meets several other conditions, such as matching the IPsec SA
    SPI and being within the correct sequence window.

Workarounds

  * There are no workarounds that address this vulnerability.

Fixed Software

  * Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

      + Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
      + Enter the output of the show version command for the tool to parse
      + Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the most
        recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com and enter a
    Cisco IOS Software or Cisco IOS XE Software release, for example, 15.1(4)M2
    or 3.13.8S.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

    Cisco ASA Software

    In the following table, the left column lists major releases of Cisco ASA
    Software. The right column indicates whether a major release is affected by
    the vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. Customers should upgrade to an
    appropriate release as indicated in this section.

    +---------------------------------------------------------------------+
    | Cisco ASA Major         | First Fixed Release for This              |
    | Release                 | Vulnerability                             |
    |-------------------------+-------------------------------------------|
    | 9.3^1                   | Affected; migrate to Release 9.4          |
    |-------------------------+-------------------------------------------|
    | 9.4                     | 9.4.4.18                                  |
    |-------------------------+-------------------------------------------|
    | 9.5^1                   | Affected; migrate to Release 9.6          |
    |-------------------------+-------------------------------------------|
    | 9.6                     | 9.6.4.8                                   |
    |-------------------------+-------------------------------------------|
    | 9.7                     | Affected; migrate to Release 9.8          |
    |-------------------------+-------------------------------------------|
    | 9.8                     | 9.8.2.26                                  |
    |-------------------------+-------------------------------------------|
    | 9.9                     | 9.9.2.2                                   |
    +---------------------------------------------------------------------+

    ^1 Cisco ASA Software Releases 9.3 and 9.5 have reached
    end-of-software-maintenance status. Customers should migrate to a supported
    release.

    Customers can download the software from the Software Center on Cisco.com
    by clicking Browse all and navigating to Security > Firewalls > Adaptive
    Security Appliances (ASA) > ASA 5500-X Series Firewalls, where there is a
    list of ASA hardware platforms.

    Cisco FTD Software

    In the following table, the left column lists major releases of Cisco FTD
    Software. The right column indicates whether a major release is affected by
    the vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. Customers should upgrade to an
    appropriate release as indicated in this section.

    +-------------------------------------------------------------------------+
    | Cisco FTD Software    | First Fixed Release for This Vulnerability      |
    | Release               |                                                 |
    |-----------------------+-------------------------------------------------|
    | 6.2.0                 | Affected; migrate to Release 6.2.2.3 or 6.2.3.1 |
    |                       | or later.                                       |
    |-----------------------+-------------------------------------------------|
    | 6.2.1                 | Affected; migrate to Release 6.2.2.3 or 6.2.3.1 |
    |                       | or later.                                       |
    |-----------------------+-------------------------------------------------|
    | 6.2.2                 | 6.2.2.3                                         |
    |-----------------------+-------------------------------------------------|
    | 6.2.3                 | 6.2.3.1                                         |
    +-------------------------------------------------------------------------+

    Customers can download the software from the Software Center on Cisco.com
    by clicking Browse all and navigating to Security > Firewalls >
    Next-Generation Firewalls (NGFW), where there is a list of Cisco FTD
    hardware platforms.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  * This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  * Subscribe

Related to This Advisory

  * Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication
    Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication
    September 2018

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipsec

Revision History

    +----------------------------------------------------------------------------+
    | Version |       Description        | Section | Status |        Date        |
    |---------+--------------------------+---------+--------+--------------------|
    | 1.0     | Initial public release.  |         | Final  | 2018-September-26  |
    +----------------------------------------------------------------------------+

Legal Disclaimer

  * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
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=wNzq
-----END PGP SIGNATURE-----
