Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.2902
Multiple Vulnerabilities have been identified in Cisco IOS XE
27 September 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco IOS XE
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Root Compromise -- Existing Account
Denial of Service -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2018-15374 CVE-2018-15372 CVE-2018-15371
CVE-2018-0481 CVE-2018-0480 CVE-2018-0477
CVE-2018-0476 CVE-2018-0472 CVE-2018-0471
CVE-2018-0470 CVE-2018-0469
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-cdp-memleak
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-iosxe-cmdinj
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-digsig
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-errdisable
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webdos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-macsec
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-sip-alg
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-privesc
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-shell-access
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webuidos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipsec
Comment: This bulletin contains eleven (11) Cisco Systems security
advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Security Advisory
Cisco IOS XE Software Cisco Discovery Protocol Memory Leak Vulnerability
Priority: High
Advisory ID: cisco-sa-20180926-cdp-memleak
First Published: 2018 September 26 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvf50648
CVE-2018-0471
CWE-400
CVSS Score: Base 7.4
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Summary
* A vulnerability in the Cisco Discovery Protocol (CDP) module of Cisco IOS
XE Software Releases 16.6.1 and 16.6.2 could allow an unauthenticated,
adjacent attacker to cause a memory leak that may lead to a denial of
service (DoS) condition.
The vulnerability is due to incorrect processing of certain CDP packets. An
attacker could exploit this vulnerability by sending certain CDP packets to
an affected device. A successful exploit could cause an affected device to
continuously consume memory and eventually result in a memory allocation
failure that leads to a crash, triggering a reload of the affected device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-cdp-memleak
This advisory is part of the September 26, 2018, release of the Cisco IOS
and IOS XE Software Security Advisory Bundled Publication, which includes
12 Cisco Security Advisories that describe 13 vulnerabilities. For a
complete list of the advisories and links to them, see Cisco Event
Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security
Advisory Bundled Publication.
Affected Products
* Vulnerable Products
This vulnerability affects devices that are running Cisco IOS XE Software
Release 16.6.1 or 16.6.2 with the CDP feature enabled on at least one
interface. The CDP feature is enabled in Cisco IOS XE on all interfaces by
default.
For information about which Cisco IOS XE Software releases are vulnerable,
see the Fixed Software section of this advisory.
Determining Whether the CDP Feature Is Enabled
To determine whether a device is configured with the CDP feature enabled
globally, use the show running-config all | include cdp run privileged EXEC
command on the device. The following example shows the output of the show
running-config all | include cdp run command on a device that has the CDP
feature enabled globally:
ios-xe-device#show running-config all | include cdp run
cdp run
To determine whether a device is configured with the CDP feature enabled on
an interface, use the show cdp interface privileged EXEC command on the
device. The following example shows the output of the show cdp interface
command on a device that has the CDP feature disabled on all interfaces:
ios-xe-device#show cdp interface
% CDP is not enabled
Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device,
administrators can log in to the device, use the show version command in
the CLI, and then refer to the system banner that appears. If the device is
running Cisco IOS XE Software, the system banner displays Cisco IOS
Software, Cisco IOS XE Software, or similar text.
The following example shows the output of the command for a device that is
running Cisco IOS XE Software Release 16.2.1 and has an installed image
name of CAT3K_CAA-UNIVERSALK9-M:
ios-xe-device# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
.
.
.
For information about the naming and numbering conventions for Cisco IOS XE
Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco IOS
Software, Cisco IOS XR Software, or Cisco NX-OS Software.
Indicators of Compromise
* On successful exploitation of the vulnerability described in this advisory,
logs will show a %SYS-2-MALLOCFAIL message referencing the CDP Protocol
process, which indicates a memory allocation failure. Exploitation of this
vulnerability can cause an affected device to reload and generate a
crashinfo file.
Contact the Cisco Technical Assistance Center (TAC) to review the output of
the show tech-support CLI command and the crashinfo file to determine
whether the device has been compromised by exploitation of this
vulnerability.
Workarounds
* There are no workarounds that address this vulnerability.
Administrators who do not use the CDP feature in their environment can
disable the CDP feature by using the no cdp run command in global
configuration mode to prevent exploitation of this vulnerability.
Administrators who do use the CDP feature but want to limit the attack
surface can disable the CDP feature on interfaces that do not require this
feature by using the no cdp enable command in interface configuration mode.
Fixed Software
* Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
that identifies any Cisco Security Advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
described in each advisory (?First Fixed?). If applicable, the tool also
returns the earliest release that fixes all the vulnerabilities described
in all the advisories identified (?Combined First Fixed?).
Customers can use this tool to perform the following tasks:
+ Initiate a search by choosing one or more releases from a drop-down
list or uploading a file from a local system for the tool to parse
+ Enter the output of the show version command for the tool to parse
+ Create a custom search by including all previously published Cisco
Security Advisories, a specific advisory, or all advisories in the most
recent bundled publication
To determine whether a release is affected by any published Cisco Security
Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
Cisco IOS Software or Cisco IOS XE Software release?for example, 15.1(4)M2
or 3.13.8S?in the following field:
[ ] [Check]
By default, the Cisco IOS Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, use the Cisco IOS
Software Checker on Cisco.com and check the Medium check box in the Impact
Rating drop-down list.
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
Cisco IOS XE Software release.
Exploitation and Public Announcements
* The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
* This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
* To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
* Subscribe
Related to This Advisory
* Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE
Software Security Advisory Bundled Publication
Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication
September 2018
URL
* https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-cdp-memleak
Revision History
+----------------------------------------------------------------------------+
| Version | Description | Section | Status | Date |
|---------+--------------------------+---------+--------+--------------------|
| 1.0 | Initial public release. | ? | Final | 2018-September-26 |
+----------------------------------------------------------------------------+
Legal Disclaimer
* THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information
or contain factual errors. The information in this document is intended for
end users of Cisco products.
- -------------------------------------------------------------------------------
Cisco Security Advisory
Cisco IOS XE Software Command Injection Vulnerabilities
Priority: High
Advisory ID: cisco-sa-20180926-iosxe-cmdinj
First Published: 2018 September 26 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvh02919, CSCvh54202
CVE-2018-0477
CVE-2018-0481
CWE-77
CVSS Score: Base 6.7
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
* Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software could
allow an authenticated, local attacker to execute commands on the
underlying Linux shell of an affected device with root privileges.
The vulnerabilities exist because the affected software improperly
sanitizes command arguments, failing to prevent access to certain internal
data structures on an affected device. An attacker who has privileged EXEC
mode (privilege level 15) access to an affected device could exploit these
vulnerabilities on the device by executing CLI commands that contain custom
arguments. A successful exploit could allow the attacker to execute
arbitrary commands with root privileges on the affected device.
Cisco has released software updates that address these vulnerabilities.
There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-iosxe-cmdinj
This advisory is part of the September 26, 2018, release of the Cisco IOS
and IOS XE Software Security Advisory Bundled Publication, which includes
12 Cisco Security Advisories that describe 13 vulnerabilities. For a
complete list of the advisories and links to them, see Cisco Event
Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security
Advisory Bundled Publication.
Affected Products
* Vulnerable Products
These vulnerabilities affect Cisco devices that are running a vulnerable
release of Cisco IOS XE Software.
For information about which Cisco IOS XE Software releases are vulnerable,
see the Fixed Software section of this advisory.
Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device,
administrators can log in to the device, use the show version command in
the CLI, and then refer to the system banner that appears. If the device is
running Cisco IOS XE Software, the system banner displays Cisco IOS
Software, Cisco IOS XE Software, or similar text.
The following example shows the output of the command for a device that is
running Cisco IOS XE Software Release 16.2.1 and has an installed image
name of CAT3K_CAA-UNIVERSALK9-M:
ios-xe-device# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
.
.
.
For information about the naming and numbering conventions for Cisco IOS XE
Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by these vulnerabilities.
Cisco has confirmed that these vulnerabilities do not affect Cisco IOS
Software, Cisco IOS XR Software, or Cisco NX-OS Software.
Workarounds
* There are no workarounds that address these vulnerabilities.
Fixed Software
* Cisco has released free software updates that address the vulnerabilities
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
that identifies any Cisco Security Advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
described in each advisory (?First Fixed?). If applicable, the tool also
returns the earliest release that fixes all the vulnerabilities described
in all the advisories identified (?Combined First Fixed?).
Customers can use this tool to perform the following tasks:
+ Initiate a search by choosing one or more releases from a drop-down
list or uploading a file from a local system for the tool to parse
+ Enter the output of the show version command for the tool to parse
+ Create a custom search by including all previously published Cisco
Security Advisories, a specific advisory, or all advisories in the most
recent bundled publication
To determine whether a release is affected by any published Cisco Security
Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
Cisco IOS Software or Cisco IOS XE Software release?for example, 15.1(4)M2
or 3.13.8S?in the following field:
[ ] [Check]
By default, the Cisco IOS Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, use the Cisco IOS
Software Checker on Cisco.com and check the Medium check box in the Impact
Rating drop-down list.
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
Cisco IOS XE Software release.
Exploitation and Public Announcements
* The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerabilities that are
described in this advisory.
Source
* These vulnerabilities were found during internal security testing.
Cisco Security Vulnerability Policy
* To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
* Subscribe
Related to This Advisory
* Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE
Software Security Advisory Bundled Publication
Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication
September 2018
URL
* https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-iosxe-cmdinj
Revision History
+----------------------------------------------------------------------------+
| Version | Description | Section | Status | Date |
|---------+--------------------------+---------+--------+--------------------|
| 1.0 | Initial public release. | | Final | 2018-September-26 |
+----------------------------------------------------------------------------+
Legal Disclaimer
* THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information
or contain factual errors. The information in this document is intended for
end users of Cisco products.
- -------------------------------------------------------------------------------
Cisco Security Advisory
Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20180926-digsig
First Published: 2018 September 26 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvh15737
CVE-2018-15374
CWE-347
CVSS Score: Base 6.7
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
CVE-2018-15374
Summary
* A vulnerability in the Image Verification feature of Cisco IOS XE Software
could allow an authenticated, local attacker to install a malicious
software image or file on an affected device.
The vulnerability is due to the affected software improperly verifying
digital signatures for software images and files that are uploaded to a
device. An attacker could exploit this vulnerability by uploading a
malicious software image or file to an affected device. A successful
exploit could allow the attacker to bypass digital signature verification
checks for software images and files and install a malicious software image
or file on the affected device.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-digsig
Affected Products
* Vulnerable Products
This vulnerability affects Cisco devices that are running a vulnerable
release of Cisco IOS XE Software.
For information about which Cisco IOS XE Software releases are vulnerable,
see the Fixed Software section of this advisory.
Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device,
administrators can log in to the device, use the show version command in
the CLI, and then refer to the system banner that appears. If the device is
running Cisco IOS XE Software, the system banner displays Cisco IOS
Software, Cisco IOS XE Software, or similar text.
The following example shows the output of the command for a device that is
running Cisco IOS XE Software Release 16.2.1 and has an installed image
name of CAT3K_CAA-UNIVERSALK9-M:
ios-xe-device# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
.
.
.
For information about the naming and numbering conventions for Cisco IOS XE
Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco IOS
Software, Cisco IOS XR Software, or Cisco NX-OS Software.
Workarounds
* There are no workarounds that address this vulnerability.
Fixed Software
* For detailed information about affected and fixed software releases,
consult the Cisco IOS Software Checker.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
that identifies any Cisco Security Advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
described in each advisory (?First Fixed?). If applicable, the tool also
returns the earliest release that fixes all the vulnerabilities described
in all the advisories identified (?Combined First Fixed?).
Customers can use this tool to perform the following tasks:
+ Initiate a search by choosing one or more releases from a drop-down
list or uploading a file from a local system for the tool to parse
+ Enter the output of the show version command for the tool to parse
+ Create a custom search by including all previously published Cisco
Security Advisories, a specific advisory, or all advisories in the most
recent bundled publication
To determine whether a release is affected by any published Cisco Security
Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
Cisco IOS Software or Cisco IOS XE Software release?for example, 15.1(4)M2
or 3.13.8S?in the following field:
[ ] [Check]
By default, the Cisco IOS Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, use the Cisco IOS
Software Checker on Cisco.com and check the Medium check box in the Impact
Rating drop-down list.
Exploitation and Public Announcements
* The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
* This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
* To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
* Subscribe
URL
* https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-digsig
Revision History
+----------------------------------------------------------------------------+
| Version | Description | Section | Status | Date |
|---------+--------------------------+---------+--------+--------------------|
| 1.0 | Initial public release. | | Final | 2018-September-26 |
+----------------------------------------------------------------------------+
Legal Disclaimer
* THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information
or contain factual errors. The information in this document is intended for
end users of Cisco products.
- -------------------------------------------------------------------------------
Cisco Security Advisory
Cisco IOS XE Software Errdisable Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-20180926-errdisable
First Published: 2018 September 26 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvh13611
CVE-2018-0480
CWE-362
CVSS Score: Base 7.4
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Summary
* A vulnerability in the errdisable per VLAN feature of Cisco IOS XE Software
could allow an unauthenticated, adjacent attacker to cause the device to
crash, leading to a denial of service (DoS) condition.
The vulnerability is due to a race condition that occurs when the VLAN and
port enter an errdisabled state, resulting in an incorrect state in the
software. An attacker could exploit this vulnerability by sending frames
that trigger the errdisable condition. A successful exploit could allow the
attacker to cause the affected device to crash, leading to a DoS condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20180926-errdisable
This advisory is part of the September 26, 2018, release of the Cisco IOS
and IOS XE Software Security Advisory Bundled Publication, which includes
12 Cisco Security Advisories that describe 13 vulnerabilities. For a
complete list of the advisories and links to them, see Cisco Event
Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security
Advisory Bundled Publication.
Affected Products
* Vulnerable Products
This vulnerability affects Cisco Catalyst 3650, 3850, and 4500E Series
Switches that are running a vulnerable release of Cisco IOS XE Software and
have the errdisable feature enabled for a feature at both the VLAN and port
level.
For information about which Cisco IOS XE Software releases are vulnerable,
see the Fixed Software section of this advisory.
Determining Whether a Device Is Running an Affected Configuration
To determine whether a device is running an affected configuration at both
the VLAN and port level, perform both of the following steps:
Step 1: VLAN Level
There are two options for completing Step 1.
Option A: show errdisable detect
Issue the CLI command show errdisable detect | include vlan. For each VLAN
mode feature that the device lists in the output for this command, perform
the corresponding portion of Step 2. The following example shows a device
that is configured for a VLAN mode errdisable detect for bpduguard (BPDU
guard), psecure-violation (port security violation), and security-violation
(802.1x security violation) on the VLAN:
switch#show errdisable detect | include vlan
bpduguard Enabled vlan
psecure-violation Enabled port/vlan
security-violation Enabled vlan
switch#
Option B: show running-config
To determine whether a device is running an affected configuration at the
VLAN level, issue the show running-config command twice, using two
different include statements:
+ First, issue the CLI command show running-config | include shutdown
vlan. For each VLAN mode feature that the device lists in the output
for this command, perform the corresponding portion of Step 2. The
following example shows a device that is configured for a VLAN mode
errdisable detect for security-violation (802.1x security violation)
and bpduguard (BPDU guard) on the VLAN:
switch#show running-config | include shutdown vlan
errdisable detect cause security-violation shutdown vlan
errdisable detect cause bpduguard shutdown vlan
switch#
+ Second, issue the CLI command show running-config | include switchport
port-security violation shutdown vlan. If the command returns output,
perform the corresponding portion of Step 2. The following example
shows a device that is configured for a VLAN mode errdisable detect for
port security violation on the VLAN :
switch#show running-config | include switchport port-security violation shutdown vlan
switchport port-security violation shutdown vlan
switch#
Step 2: Port Level
For each VLAN mode configured feature revealed in Step 1, do the following
to determine whether the feature is also enabled at the port level:
+ BPDU guard: If errdisable per VLAN for detection cause bpduguard is
enabled, confirm that the device also has BPDU guard configured. If the
configuration contains either of the following, the device is
vulnerable:
spanning-tree portfast bpduguard default
interface <interface-id>
spanning-tree portfast
or
interface <interface-id>
spanning-tree bpduguard enable
+ Port security violation: Errdisable per port/vlan for detection cause
psecure-violation is enabled by default. Confirm that the device also
has port security configured and violation vlan shutdown configured. If
the output of show port-security contains a row with Shutdown Vlan (as
shown in the following example), the device is vulnerable:
switch#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Gi1/0/48 1 1 5 Shutdown Vlan
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 4096
switch#
+ 802.1x security violation: If errdisable per VLAN for detection cause
security-violation is enabled, confirm that the device also has 802.1x
authentication configured and the voice VLAN is configured. If the
configuration contains the following and does not contain
authentication violation {protect|replace|restrict}, the device is
vulnerable:
interface <interface-id>
authentication port-control value
switchport voice vlan value
However, if the following content is also present in the CLI output,
the device is not vulnerable:
authentication violation {protect|replace|restrict}
Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device,
administrators can log in to the device, use the show version command in
the CLI, and then refer to the system banner that appears. If the device is
running Cisco IOS XE Software, the system banner displays Cisco IOS
Software, Cisco IOS XE Software, or similar text.
The following example shows the output of the command for a device that is
running Cisco IOS XE Software Release 16.2.1 and has an installed image
name of CAT3K_CAA-UNIVERSALK9-M:
ios-xe-device# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
.
.
.
For information about the naming and numbering conventions for Cisco IOS XE
Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco IOS
Software, Cisco IOS XR Software, or Cisco NX-OS Software.
Workarounds
* There are no workarounds that address this vulnerability.
For customers who can remove errdisable per VLAN detection and use the
corresponding errdisable per port detection, this action may be a suitable
mitigation until switches that are affected by this vulnerability can be
upgraded.
Fixed Software
* Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
that identifies any Cisco Security Advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
described in each advisory (?First Fixed?). If applicable, the tool also
returns the earliest release that fixes all the vulnerabilities described
in all the advisories identified (?Combined First Fixed?).
Customers can use this tool to perform the following tasks:
+ Initiate a search by choosing one or more releases from a drop-down
list or uploading a file from a local system for the tool to parse
+ Enter the output of the show version command for the tool to parse
+ Create a custom search by including all previously published Cisco
Security Advisories, a specific advisory, or all advisories in the most
recent bundled publication
To determine whether a release is affected by any published Cisco Security
Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
Cisco IOS Software or Cisco IOS XE Software release?for example, 15.1(4)M2
or 3.13.8S?in the following field:
[ ] [Check]
By default, the Cisco IOS Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, use the Cisco IOS
Software Checker on Cisco.com and check the Medium check box in the Impact
Rating drop-down list.
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
Cisco IOS XE Software release.
Exploitation and Public Announcements
* The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
* This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
* To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
* Subscribe
Related to This Advisory
* Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE
Software Security Advisory Bundled Publication
Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication
September 2018
URL
* https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-errdisable
Revision History
+----------------------------------------------------------------------------+
| Version | Description | Section | Status | Date |
|---------+--------------------------+---------+--------+--------------------|
| 1.0 | Initial public release. | | Final | 2018-September-26 |
+----------------------------------------------------------------------------+
Legal Disclaimer
* THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information
or contain factual errors. The information in this document is intended for
end users of Cisco products.
- -------------------------------------------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webdos
Cisco Security Advisory
Cisco IOS XE Software HTTP Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-20180926-webdos
First Published: 2018 September 26 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvb22618
CVE-2018-0470
CWE-399
CVSS Score: Base 8.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Summary
* A vulnerability in the web framework of Cisco IOS XE Software could allow
an unauthenticated, remote attacker to cause a buffer overflow condition on
an affected device, resulting in a denial of service (DoS) condition.
The vulnerability is due to the affected software improperly parsing
malformed HTTP packets that are destined to a device. An attacker could
exploit this vulnerability by sending a malformed HTTP packet to an
affected device for processing. A successful exploit could allow the
attacker to cause a buffer overflow condition on the affected device,
resulting in a DoS condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webdos
This advisory is part of the September 26, 2018, release of the Cisco IOS
and IOS XE Software Security Advisory Bundled Publication, which includes
12 Cisco Security Advisories that describe 13 vulnerabilities. For a
complete list of the advisories and links to them, see Cisco Event
Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security
Advisory Bundled Publication.
Affected Products
* Vulnerable Products
This vulnerability affects Cisco devices that are running a vulnerable
release of Cisco IOS XE Software, if the HTTP Server feature is enabled.
The default state of the HTTP Server feature is version-dependent.
For information about which Cisco IOS XE Software releases are vulnerable,
see the Fixed Software section of this advisory.
Assessing the HTTP Server Configuration
To determine whether the HTTP Server feature is enabled for a device,
administrators can log in to the device and use the show running-config |
include http (secure|server) command in the CLI to check for the presence
of the ip http server command or the ip http secure-server command in the
global configuration. If either command is present and configured, the HTTP
Server feature is enabled for the device.
The following example shows the output of the show running-config | include
http (secure|server) command for a router that has the HTTP Server feature
enabled:
Router# show running-config | include http (secure|server)
ip http server
ip http secure-server
Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device,
administrators can log in to the device, use the show version command in
the CLI, and then refer to the system banner that appears. If the device is
running Cisco IOS XE Software, the system banner displays Cisco IOS
Software, Cisco IOS XE Software, or similar text.
The following example shows the output of the command for a device that is
running Cisco IOS XE Software Release 16.2.1 and has an installed image
name of CAT3K_CAA-UNIVERSALK9-M:
ios-xe-device# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
.
.
.
For information about the naming and numbering conventions for Cisco IOS XE
Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco IOS
Software, Cisco IOS XR Software, or Cisco NX-OS Software.
Workarounds
* There are no workarounds that address this vulnerability.
Administrators who do not use the web UI can mitigate this vulnerability by
disabling the HTTP Server feature on an affected device. To disable the
feature, use the no ip http server and no ip http secure-server commands in
the CLI.
Fixed Software
* Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
that identifies any Cisco Security Advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
described in each advisory (?First Fixed?). If applicable, the tool also
returns the earliest release that fixes all the vulnerabilities described
in all the advisories identified (?Combined First Fixed?).
Customers can use this tool to perform the following tasks:
+ Initiate a search by choosing one or more releases from a drop-down
list or uploading a file from a local system for the tool to parse
+ Enter the output of the show version command for the tool to parse
+ Create a custom search by including all previously published Cisco
Security Advisories, a specific advisory, or all advisories in the most
recent bundled publication
To determine whether a release is affected by any published Cisco Security
Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
Cisco IOS Software or Cisco IOS XE Software release?for example, 15.1(4)M2
or 3.13.8S?in the following field:
[ ] [Check]
By default, the Cisco IOS Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, use the Cisco IOS
Software Checker on Cisco.com and check the Medium check box in the Impact
Rating drop-down list.
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
Cisco IOS XE Software release.
Exploitation and Public Announcements
* The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
* This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
* To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
* Subscribe
Related to This Advisory
* Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE
Software Security Advisory Bundled Publication
Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication
September 2018
URL
* https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webdos
Revision History
+----------------------------------------------------------------------------+
| Version | Description | Section | Status | Date |
|---------+--------------------------+---------+--------+--------------------|
| 1.0 | Initial public release. | | Final | 2018-September-26 |
+----------------------------------------------------------------------------+
Legal Disclaimer
* THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information
or contain factual errors. The information in this document is intended for
end users of Cisco products.
- -------------------------------------------------------------------------------
Cisco Security Advisory
Cisco IOS XE Software MACsec MKA Using EAP-TLS Authentication Bypass
Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20180926-macsec
First Published: 2018 September 26 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvh09411
CVE-2018-15372
CWE-284
CVSS Score: Base 6.5
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:X/RL:X/RC:X
Summary
* A vulnerability in the MACsec Key Agreement (MKA) using Extensible
Authentication Protocol-Transport Layer Security (EAP-TLS) functionality of
Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to
bypass authentication and pass traffic through a Layer 3 interface of an
affected device.
The vulnerability is due to a logic error in the affected software. An
attacker could exploit this vulnerability by connecting to and passing
traffic through a Layer 3 interface of an affected device, if the interface
is configured for MACsec MKA using EAP-TLS and is running in access-session
closed mode. A successful exploit could allow the attacker to bypass 802.1x
network access controls and gain access to the network.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-macsec
Affected Products
* Vulnerable Products
This vulnerability affects Cisco devices that are running a vulnerable
Cisco IOS XE Software 16.x Release and have a Layer 3 interface that is
configured for MACsec MKA using EAP-TLS and is running in access-session
closed mode.
For more information about which Cisco IOS XE Software releases are
vulnerable, see the Fixed Software section of this advisory.
Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device,
administrators can log in to the device, use the show version command in
the CLI, and then refer to the system banner that appears. If the device is
running Cisco IOS XE Software, the system banner displays Cisco IOS
Software, Cisco IOS XE Software, or similar text.
The following example shows the output of the command for a device that is
running Cisco IOS XE Software Release 16.2.1 and has an installed image
name of CAT3K_CAA-UNIVERSALK9-M:
ios-xe-device# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
.
.
.
For information about the naming and numbering conventions for Cisco IOS XE
Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco IOS
Software, Cisco IOS XR Software, or Cisco NX-OS Software.
Workarounds
* There are no workarounds that address this vulnerability.
Fixed Software
* For detailed information about affected and fixed software releases,
consult the Cisco IOS Software Checker.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
that identifies any Cisco Security Advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
described in each advisory (?First Fixed?). If applicable, the tool also
returns the earliest release that fixes all the vulnerabilities described
in all the advisories identified (?Combined First Fixed?).
Customers can use this tool to perform the following tasks:
+ Initiate a search by choosing one or more releases from a drop-down
list or uploading a file from a local system for the tool to parse
+ Enter the output of the show version command for the tool to parse
+ Create a custom search by including all previously published Cisco
Security Advisories, a specific advisory, or all advisories in the most
recent bundled publication
To determine whether a release is affected by any published Cisco Security
Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
Cisco IOS Software or Cisco IOS XE Software release?for example, 15.1(4)M2
or 3.13.8S?in the following field:
[ ] [Check]
By default, the Cisco IOS Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, use the Cisco IOS
Software Checker on Cisco.com and check the Medium check box in the Impact
Rating drop-down list.
Exploitation and Public Announcements
* The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
* This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
* To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
* Subscribe
URL
* https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-macsec
Revision History
+----------------------------------------------------------------------------+
| Version | Description | Section | Status | Date |
|---------+--------------------------+---------+--------+--------------------|
| 1.0 | Initial public release. | | Final | 2018-September-26 |
+----------------------------------------------------------------------------+
Legal Disclaimer
* THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information
or contain factual errors. The information in this document is intended for
end users of Cisco products.
- -------------------------------------------------------------------------------
Cisco Security Advisory
Cisco IOS XE Software NAT Session Initiation Protocol Application Layer Gateway
Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-20180926-sip-alg
First Published: 2018 September 26 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvg89036
CVE-2018-0476
CWE-399
CVSS Score: Base 8.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Summary
* A vulnerability in the Network Address Translation (NAT) Session Initiation
Protocol (SIP) Application Layer Gateway (ALG) of Cisco IOS XE Software
could allow an unauthenticated, remote attacker to cause an affected device
to reload.
The vulnerability is due to improper processing of SIP packets in transit
while NAT is performed on an affected device. An unauthenticated, remote
attacker could exploit this vulnerability by sending crafted SIP packets
via UDP port 5060 through an affected device that is performing NAT for SIP
packets. A successful exploit could allow an attacker to cause the device
to reload, resulting in a denial of service (DoS) condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20180926-sip-alg
This advisory is part of the September 26, 2018, release of the Cisco IOS
and IOS XE Software Security Advisory Bundled Publication, which includes
12 Cisco Security Advisories that describe 13 vulnerabilities. For a
complete list of the advisories and links to them, see Cisco Event
Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security
Advisory Bundled Publication.
Affected Products
* Vulnerable Products
This vulnerability affects devices that are running Cisco IOS XE Software
configured for NAT operation. The SIP ALG feature is enabled as soon as NAT
is configured on the device.
For information about which Cisco IOS XE Software releases are vulnerable,
see the Fixed Software section of this advisory.
Assessing the NAT Configuration
To determine whether NAT has been enabled in the Cisco IOS XE Software
configuration, the ip nat inside or ip nat outside commands must be on
different interfaces and at least one ip nat global configuration command
must be in the configuration. Alternatively, in the case of the NAT Virtual
Interface, the ip nat enable interface command will be present.
The show running-config | include ip nat command can be used to determine
whether NAT is in the configuration, as illustrated in the following
example of a vulnerable configuration:
Router#show running-config | include ip nat
ip nat inside
ip nat outside
ip nat inside source static 192.0.2.100 10.0.0.1
To determine whether the SIP ALG is disabled in the NAT configuration, use
the show running-config | include ip nat privileged EXEC command. The
presence of no ip nat service in the output of show running-config |
include ip nat indicates that the SIP ALG is disabled in the NAT
configuration.
The following is the output of show running-config | include ip nat in
Cisco IOS XE Software that has the SIP ALG disabled in the NAT
configuration:
Router#show running-config | include ip nat
ip nat inside
ip nat outside
ip nat inside source static 192.0.2.100 10.0.0.1 vrf sip
no ip nat service sip udp port 5060
If no ip nat service does not appear in the output of show running-config |
include ip nat, and the device runs an affected version of Cisco IOS XE
Software with NAT enabled, that configuration is vulnerable.
Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device,
administrators can log in to the device, use the show version command in
the CLI, and then refer to the system banner that appears. If the device is
running Cisco IOS XE Software, the system banner displays Cisco IOS
Software, Cisco IOS XE Software, or similar text.
The following example shows the output of the command for a device that is
running Cisco IOS XE Software Release 16.2.1 and has an installed image
name of CAT3K_CAA-UNIVERSALK9-M:
ios-xe-device# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
.
.
.
For information about the naming and numbering conventions for Cisco IOS XE
Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco IOS
Software, Cisco IOS XR Software, or Cisco NX-OS Software.
Indicators of Compromise
* A successful exploit of this vulnerability will cause an affected device to
reload and generate a crashinfo file.
A successful exploit of this vulnerability may be confirmed by decoding the
stack trace for the device and determining whether the stack trace
correlates with this vulnerability.
Contact the Cisco Technical Assistance Center (TAC) to review the crashinfo
file and determine whether the device has been compromised by exploitation
of this vulnerability.
Workarounds
* There are no workarounds that address this vulnerability.
Administrators can mitigate the vulnerability by disabling the SIP ALG by
configuring the following on the affected device until an upgrade is
possible:
no ip nat service sip udp port 5060
Fixed Software
* Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
that identifies any Cisco Security Advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
described in each advisory (?First Fixed?). If applicable, the tool also
returns the earliest release that fixes all the vulnerabilities described
in all the advisories identified (?Combined First Fixed?).
Customers can use this tool to perform the following tasks:
+ Initiate a search by choosing one or more releases from a drop-down
list or uploading a file from a local system for the tool to parse
+ Enter the output of the show version command for the tool to parse
+ Create a custom search by including all previously published Cisco
Security Advisories, a specific advisory, or all advisories in the most
recent bundled publication
To determine whether a release is affected by any published Cisco Security
Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
Cisco IOS Software or Cisco IOS XE Software release?for example, 15.1(4)M2
or 3.13.8S?in the following field:
[ ] [Check]
By default, the Cisco IOS Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, use the Cisco IOS
Software Checker on Cisco.com and check the Medium check box in the Impact
Rating drop-down list.
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
Cisco IOS XE Software release.
Exploitation and Public Announcements
* The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
* This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
* To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
* Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE
Software Security Advisory Bundled Publication
Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication
September 2018
URL
* https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-sip-alg
Revision History
+----------------------------------------------------------------------------+
| Version | Description | Section | Status | Date |
|---------+--------------------------+---------+--------+--------------------|
| 1.0 | Initial public release. | | Final | 2018-September-26 |
+----------------------------------------------------------------------------+
- -------------------------------------------------------------------------------
Cisco Security Advisory
Cisco IOS XE Software Privileged EXEC Mode Root Shell Access Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20180926-privesc
First Published: 2018 September 26 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCuw45594
CVSS Score: Base 6.7
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
* A vulnerability in the CLI parser of Cisco IOS XE Software could allow an
authenticated, local attacker to gain access to the underlying Linux shell
of an affected device and execute arbitrary commands with root privileges
on the device.
The vulnerability is due to the affected software improperly sanitizing
command arguments to prevent modifications to the underlying Linux
filesystem on a device. An attacker who has privileged EXEC mode (privilege
level 15) access to an affected device could exploit this vulnerability on
the device by executing CLI commands that contain crafted arguments. A
successful exploit could allow the attacker to gain access to the
underlying Linux shell of the affected device and execute arbitrary
commands with root privileges on the device.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-privesc
Affected Products
* Vulnerable Products
This vulnerability affects Cisco devices that are running a vulnerable
release of Cisco IOS XE Software.
For information about which Cisco IOS XE Software releases are vulnerable,
see the Fixed Software section of this advisory.
Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device,
administrators can log in to the device, use the show version command in
the CLI, and then refer to the system banner that appears. If the device is
running Cisco IOS XE Software, the system banner displays Cisco IOS
Software, Cisco IOS XE Software, or similar text.
The following example shows the output of the command for a device that is
running Cisco IOS XE Software Release 16.2.1 and has an installed image
name of CAT3K_CAA-UNIVERSALK9-M:
ios-xe-device# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
.
.
.
For information about the naming and numbering conventions for Cisco IOS XE
Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco IOS
Software, Cisco IOS XR Software, or Cisco NX-OS Software.
Workarounds
* There are no workarounds that address this vulnerability.
Fixed Software
* For detailed information about affected and fixed software releases,
consult the Cisco IOS Software Checker.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
that identifies any Cisco Security Advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
described in each advisory (?First Fixed?). If applicable, the tool also
returns the earliest release that fixes all the vulnerabilities described
in all the advisories identified (?Combined First Fixed?).
Customers can use this tool to perform the following tasks:
+ Initiate a search by choosing one or more releases from a drop-down
list or uploading a file from a local system for the tool to parse
+ Enter the output of the show version command for the tool to parse
+ Create a custom search by including all previously published Cisco
Security Advisories, a specific advisory, or all advisories in the most
recent bundled publication
To determine whether a release is affected by any published Cisco Security
Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
Cisco IOS Software or Cisco IOS XE Software release?for example, 15.1(4)M2
or 3.13.8S?in the following field:
[ ] [Check]
By default, the Cisco IOS Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, use the Cisco IOS
Software Checker on Cisco.com and check the Medium check box in the Impact
Rating drop-down list.
Exploitation and Public Announcements
* The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
* This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
* To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
* Subscribe
URL
* https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-privesc
Revision History
+----------------------------------------------------------------------------+
| Version | Description | Section | Status | Date |
|---------+--------------------------+---------+--------+--------------------|
| 1.0 | Initial public release. | | Final | 2018-September-26 |
+----------------------------------------------------------------------------+
Legal Disclaimer
* THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information
or contain factual errors. The information in this document is intended for
end users of Cisco products.
- -------------------------------------------------------------------------------
Cisco Security Advisory
Cisco IOS XE Software Shell Access Authentication Bypass Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20180926-shell-access
First Published: 2018 September 26 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvb79289
CVE-2018-15371
CWE-284
CVSS Score:
Base 6.7
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
CVE-2018-15371
CWE-284
Summary
* A vulnerability in the shell access request mechanism of Cisco IOS XE
Software could allow an authenticated, local attacker to bypass
authentication and gain unrestricted access to the root shell of an
affected device.
The vulnerability exists because the affected software has insufficient
authentication mechanisms for certain commands. An attacker could exploit
this vulnerability by requesting access to the root shell of an affected
device, after the shell access feature has been enabled. A successful
exploit could allow the attacker to bypass authentication and gain
unrestricted access to the root shell of the affected device.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-shell-access
Affected Products
* Vulnerable Products
This vulnerability affects the following Cisco devices if they are running
a vulnerable release of Cisco IOS XE Software and have the Smart Licensing
feature enabled:
+ 4000 Series Integrated Services Routers
+ ASR 900 Series Aggregation Services Routers
+ ASR 1000 Series Aggregation Services Routers
+ Cloud Services Router 1000V Series
+ Integrated Services Virtual Router
For information about which Cisco IOS XE Software releases are vulnerable,
see the Fixed Software section of this advisory.
Determining Whether Smart Licensing Is Enabled
To determine whether the Smart Licensing feature is enabled for a device,
administrators can log in to the device and use the show license summary |
include Smart privileged EXEC command in the CLI. The following example
shows the output of the command for a device that has the Smart Licensing
feature enabled:
ios-xe-device# show license summary | include Smart
Smart Licensing is ENABLED
Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device,
administrators can log in to the device, use the show version command in
the CLI, and then refer to the system banner that appears. If the device is
running Cisco IOS XE Software, the system banner displays Cisco IOS
Software, Cisco IOS XE Software, or similar text.
The following example shows the output of the command for a device that is
running Cisco IOS XE Software Release 16.2.1 and has an installed image
name of CAT3K_CAA-UNIVERSALK9-M:
ios-xe-device# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
.
.
.
For information about the naming and numbering conventions for Cisco IOS XE
Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco IOS
Software, Cisco IOS XR Software, or Cisco NX-OS Software.
Workarounds
* There are no workarounds that address this vulnerability.
Fixed Software
* For detailed information about affected and fixed software releases,
consult the Cisco IOS Software Checker.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
that identifies any Cisco Security Advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
described in each advisory (?First Fixed?). If applicable, the tool also
returns the earliest release that fixes all the vulnerabilities described
in all the advisories identified (?Combined First Fixed?).
Customers can use this tool to perform the following tasks:
+ Initiate a search by choosing one or more releases from a drop-down
list or uploading a file from a local system for the tool to parse
+ Enter the output of the show version command for the tool to parse
+ Create a custom search by including all previously published Cisco
Security Advisories, a specific advisory, or all advisories in the most
recent bundled publication
To determine whether a release is affected by any published Cisco Security
Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
Cisco IOS Software or Cisco IOS XE Software release?for example, 15.1(4)M2
or 3.13.8S?in the following field:
[ ] [Check]
By default, the Cisco IOS Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, use the Cisco IOS
Software Checker on Cisco.com and check the Medium check box in the Impact
Rating drop-down list.
Exploitation and Public Announcements
* The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
* This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
* To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
* Subscribe
URL
* https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-shell-access
Revision History
+----------------------------------------------------------------------------+
| Version | Description | Section | Status | Date |
|---------+--------------------------+---------+--------+--------------------|
| 1.0 | Initial public release. | | Final | 2018-September-26 |
+----------------------------------------------------------------------------+
Legal Disclaimer
* THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information
or contain factual errors. The information in this document is intended for
end users of Cisco products.
- -------------------------------------------------------------------------------
Cisco Security Advisory
Cisco IOS XE Software Web UI Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-20180926-webuidos
First Published: 2018 September 26 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCva31961
CVE-2018-0469
CWE-415
CVSS Score: Base 8.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Summary
* A vulnerability in the web user interface of Cisco IOS XE Software could
allow an unauthenticated, remote attacker to cause an affected device to
reload. The vulnerability is due to a double-free-in-memory handling by the
affected software when specific HTTP requests are processed.
An attacker could exploit this vulnerability by sending specific HTTP
requests to the web user interface of the affected software. A successful
exploit could allow the attacker to cause the affected device to reload,
resulting in a denial of service (DoS) condition on an affected device. To
exploit this vulnerability, the attacker must have access to the management
interface of the affected software, which is typically connected to a
restricted management network.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webuidos
This advisory is part of the September 26, 2018, release of the Cisco IOS
and IOS XE Software Security Advisory Bundled Publication, which includes
12 Cisco Security Advisories that describe 13 vulnerabilities. For a
complete list of the advisories and links to them, see Cisco Event
Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security
Advisory Bundled Publication.
Affected Products
* Vulnerable Products
This vulnerability affects Cisco Catalyst 3650 and 3850 Series Switches
that are running a vulnerable release of Cisco IOS XE Software if the HTTP
Server feature is enabled. The default state of the HTTP Server feature is
version dependent.
This vulnerability was introduced in Cisco IOS XE Software Release 16.1.1.
For more information about which Cisco IOS XE Software releases are
vulnerable, see the Fixed Software section of this advisory.
Assessing the HTTP Server Configuration
To determine whether the HTTP Server feature is enabled for a device,
administrators can log in to the device and use the show running-config |
include http (secure|server) command in the CLI to check for the presence
of the ip http server command or the ip http secure-server command in the
global configuration. If either command is present and configured, the HTTP
Server feature is enabled for the device.
The following example shows the output of the show running-config | include
http (secure|server) command for a router that has the HTTP Server feature
enabled:
Router# show running-config | include http (secure|server)
ip http server
ip http secure-server
If the output from the previous command also contains:
ip http active-session-modules none
ip http secure-active-session-modules none
Then the device is not exploitable.
Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device,
administrators can log in to the device, use the show version command in
the CLI, and then refer to the system banner that appears. If the device is
running Cisco IOS XE Software, the system banner displays Cisco IOS
Software, Cisco IOS XE Software, or similar text.
The following example shows the output of the command for a device that is
running Cisco IOS XE Software Release 16.2.1 and has an installed image
name of CAT3K_CAA-UNIVERSALK9-M:
ios-xe-device# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
.
.
.
For information about the naming and numbering conventions for Cisco IOS XE
Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco IOS
Software, Cisco IOS XR Software, or Cisco NX-OS Software.
Details
* This vulnerability has a CVSSv3 score with an authentication vector of ?Not
Required.? Cisco IOS XE releases prior to 16.2.2 did not require
authentication to exploit this vulnerability. Cisco IOS XE Software
Releases 16.2.2 and later require authentication to exploit this
vulnerability.
Indicators of Compromise
* Cisco IOS XE Software Release 16.2.2 syslog should indicate a ?Login
Successful? message for the WebGUI, followed by this syslog message:
%PMAN-3-PROCHOLDDOWN: The process dbm has been helddown (rc 134)
Cisco IOS XE Software releases prior to 16.2.2 would not show the ?Login
Successful? message, just the syslog message shown in the previous message.
Workarounds
* There are no workarounds that address this vulnerability.
Customers who do not require the WebGUI to be enabled can disable it as
shown in the following example:
Switch#configure terminal
Switch(config)#no ip http server
Switch(config)#no ip http secure-server
Switch(config)#exit
Switch#
Fixed Software
* Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
that identifies any Cisco Security Advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
described in each advisory (?First Fixed?). If applicable, the tool also
returns the earliest release that fixes all the vulnerabilities described
in all the advisories identified (?Combined First Fixed?).
Customers can use this tool to perform the following tasks:
+ Initiate a search by choosing one or more releases from a drop-down
list or uploading a file from a local system for the tool to parse
+ Enter the output of the show version command for the tool to parse
+ Create a custom search by including all previously published Cisco
Security Advisories, a specific advisory, or all advisories in the most
recent bundled publication
To determine whether a release is affected by any published Cisco Security
Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
Cisco IOS Software or Cisco IOS XE Software release?for example, 15.1(4)M2
or 3.13.8S?in the following field:
[ ] [Check]
By default, the Cisco IOS Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, use the Cisco IOS
Software Checker on Cisco.com and check the Medium check box in the Impact
Rating drop-down list.
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
Cisco IOS XE Software release.
Exploitation and Public Announcements
* The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
* This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
* To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
* Subscribe
Related to This Advisory
* Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE
Software Security Advisory Bundled Publication
Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication
September 2018
URL
* https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webuidos
Revision History
+----------------------------------------------------------------------------+
| Version | Description | Section | Status | Date |
|---------+--------------------------+---------+--------+--------------------|
| 1.0 | Initial public release. | | Final | 2018-September-26 |
+----------------------------------------------------------------------------+
Legal Disclaimer
* THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information
or contain factual errors. The information in this document is intended for
end users of Cisco products.
- -------------------------------------------------------------------------------
Cisco Security Advisory
Cisco IOS XE Software and Cisco ASA 5500-X Series Adaptive Security Appliance
IPsec Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-20180926-ipsec
First Published: 2018 September 26 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvf73114, CSCvg37952, CSCvh04189,CSCvf73114,
CSCvg37952,CSCvh04189,CSCvh04591,CSCvi30496
CVE-2018-0472
CWE-20
CVSS Score: Base 8.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Summary
* A vulnerability in the IPsec driver code of multiple Cisco IOS XE Software
platforms and the Cisco ASA 5500-X Series Adaptive Security Appliance (ASA)
could allow an unauthenticated, remote attacker to cause the device to
reload.
The vulnerability is due to improper processing of malformed IPsec
Authentication Header (AH) or Encapsulating Security Payload (ESP) packets.
An attacker could exploit this vulnerability by sending malformed IPsec
packets to be processed by an affected device. An exploit could allow the
attacker to cause a reload of the affected device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipsec
This advisory is part of the September 26, 2018, release of the Cisco IOS
and IOS XE Software Security Advisory Bundled Publication, which includes
12 Cisco Security Advisories that describe 13 vulnerabilities. For a
complete list of the advisories and links to them, see Cisco Event
Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security
Advisory Bundled Publication.
Affected Products
* This vulnerability affects multiple platforms running Cisco IOS XE Software
and certain Cisco 5500-X Series Adaptive Security Appliances (ASA) running
either Cisco ASA Software or Cisco Firepower Threat Defense (FTD) Software.
See the following sections for details:
+ Cisco IOS XE Software
+ Cisco ASA Software and Cisco ASA 5500-X Series with Firepower Threat
Defense Software
Vulnerable Products
Cisco IOS XE Software
This vulnerability affects Cisco IOS XE Software running on the following
products. No other models are affected.
+ Cisco ASR 1000 Series Aggregation Services Routers:
o ASR 1001-X
o ASR 1001-HX
o ASR 1002-X
o ASR 1002-HX
o Cisco ASR 1000 Series 100-Gbps Embedded Service Processor
(ASR1000-ESP100)
o Cisco ASR 1000 Series 200-Gbps Embedded Service Processor
(ASR1000-ESP200)
+ Cisco 4000 Series Integrated Services Routers:
o ISR 4431
o ISR 4451-X
Cisco IOS XE Software is affected by this vulnerability if the system is
configured to terminate IPsec VPN connections. This includes the following:
+ LAN-to-LAN VPN
+ Remote-access VPN, excluding SSL VPN
+ Dynamic Multipoint VPN (DMVPN)
+ FlexVPN
+ Group Encrypted Transport VPN (GET VPN)
+ IPsec virtual tunnel interfaces (VTIs)
+ Open Shortest Path First Version 3 (OSPFv3) Authentication Support with
IPsec
If a device that is running Cisco IOS XE Software is configured to
terminate IPsec VPN connections, either a crypto map must be configured for
at least one interface or the device must be configured with IPsec VTIs.
Administrators should use the show running-config command and verify that
the returned output contains a crypto map configured under at least one
active interface. The following example shows a crypto map named map-group1
configured on the GigabitEthernet 0/0/0 interface:
Router# show running-config
<!-- Output Omitted -->
interface GigabitEthernet0/0/0
crypto map map-group1
Administrators should use the show running-config command and verify that
the returned output contains tunnel protection ipsec profile configured
under at least one tunnel interface. The following example shows a VTI
interface:
Router# show running-config
interface tunnel 0
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROF1
Note: IPsec VPN is not configured by default.
If a device that is running Cisco IOS XE Software is configured to support
OSPFv3 Authentication Support with IPsec, the running configuration
contains one of the following:
+ ipv6 ospf encryption
+ ipv6 ospf authentication
+ ospfv3 authentication ipsec
+ ospfv3 encryption ipsec
+ area <area-id> authentication ipsec
+ area <area-id> encryption ipsec
+ area <area-id> virtual-link <router-id> authentication ipsec spi
+ area <area-id> virtual-link <router-id> encryption ipsec spi
The following example shows a device configured for OSPFv3 Authentication
Support with IPsec:
Router# show running-config
interface GigabitEthernet0/1
ospfv3 authentication ipsec spi 256 md5 01020304050607080910010203040506
Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device,
administrators can log in to the device, use the show version command in
the CLI, and then refer to the system banner that appears. If the device is
running Cisco IOS XE Software, the system banner displays Cisco IOS
Software, Cisco IOS XE Software, or similar text.
The following example shows the output of the command for a device that is
running Cisco IOS XE Software Release 16.2.1 and has an installed image
name of CAT3K_CAA-UNIVERSALK9-M:
ios-xe-device# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
.
.
.
For information about the naming and numbering conventions for Cisco IOS XE
Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
Cisco ASA Software and Cisco ASA 5500-X Series with Firepower Threat
Defense Software
This vulnerability affects Cisco ASA Software or Cisco FTD Software running
on the following products. No other models are affected.
+ Cisco ASA 5500-X Series Adaptive Security Appliances:
o ASA 5506-X Series
o ASA 5508-X Series
o ASA 5516-X Series
Refer to the Fixed Software section of this security advisory for more
information about affected releases.
Cisco ASA Software is affected by this vulnerability if the system is
configured to terminate IPsec VPN connections. This includes the following:
+ LAN-to-LAN IPsec VPN
+ Remote-access VPN using the IPsec VPN client
+ Layer 2 Tunneling Protocol (L2TP)-over-IPsec VPN connections
Cisco FTD Software is affected by this vulnerability if the system is
configured to terminate IPsec VPN connections. This includes the following:
+ Site-to-site IPsec VPN
+ Remote-access VPN using the IPsec VPN client
Cisco ASA Software or Cisco FTD Software is not affected by this
vulnerability if the system is configured to terminate only the following
VPN connections:
+ Clientless SSL
+ AnyConnect SSL
If an appliance running Cisco ASA Software is configured to terminate IPsec
VPN connections, a crypto map must be configured for at least one
interface. Administrators should use the show running-config crypto map |
include interface command and verify that it returns output. The following
example shows a crypto map named outside_map configured on the outside
interface:
ciscoasa# show running-config crypto map | include interface
crypto map outside_map interface outside
Note: IPsec VPN is not configured by default.
To determine whether an appliance that is running Cisco FTD is configured
with site-to-site VPN connections or remote-access VPN connections that use
the IPsec VPN client, administrators should use the show running-config
command. In the following table, the left column lists the vulnerable
Cisco FTD features. The right column indicates the vulnerable configuration
from the show running-config command.
Cisco FTD Feature Vulnerable Configuration
crypto ikev2 enable <interface_name>
AnyConnect IKEv2 Remote Access client-services port <port #>
(with client services)^1,2 webvpn
anyconnect enable
AnyConnect IKEv2 Remote Access crypto ikev2 enable <interface_name>
(without client services)^1,2 webvpn
anyconnect enable
Site-to-site VPN connections^3 crypto map <crypto_map_name> interface
<interface_name>
^1 Remote-access VPN features are enabled via Devices > VPN > Remote Access in
the Cisco FMC or via Device > Remote Access VPN in Cisco Firepower Device
Manager (FDM).
^2 Remote-access VPN features are first supported as of Cisco FTD Software
Release 6.2.2.
^3 Site-to-site VPN features are first supported as of Cisco FTD Software
Release 6.2.0.
Determining the Cisco ASA Software Release
To determine whether a vulnerable release of Cisco ASA Software is running
on an appliance, administrators can use the show version command. The
following example shows the results of the show version command on an
appliance running Cisco ASA Software Release 9.2(1):
ciscoasa# show version | include Version
Cisco Adaptive Security Appliance Software Version 9.2(1)
Device Manager Version 7.4(1)
Determining the Cisco FTD Software Release
Administrators can use the show version command in the CLI to determine the
Cisco FTD Software release. In this example, the device is running Release
6.2.2:
> show version
---------------------[ ftd ]---------------------
Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.2 (Build 362)
UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
Rules update version : 2017-03-15-001-vrt
VDB version : 279
----------------------------------------------------
Customers who use Cisco Adaptive Security Device Manager (ASDM) to manage
devices can locate the software release in the table that appears in the
login window or the upper-left corner of the Cisco ASDM window.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco IOS
Software, Cisco IOS XR Software, or Cisco NX-OS Software.
Details
* For this vulnerability to be exploited, the IPsec security associations
(SAs) must first be established.
An attacker can exploit this vulnerability by using a crafted ESP or AH
packet that meets several other conditions, such as matching the IPsec SA
SPI and being within the correct sequence window.
Workarounds
* There are no workarounds that address this vulnerability.
Fixed Software
* Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
that identifies any Cisco Security Advisories that impact a specific
software release and the earliest release that fixes the vulnerabilities
described in each advisory (?First Fixed?). If applicable, the tool also
returns the earliest release that fixes all the vulnerabilities described
in all the advisories identified (?Combined First Fixed?).
Customers can use this tool to perform the following tasks:
+ Initiate a search by choosing one or more releases from a drop-down
list or uploading a file from a local system for the tool to parse
+ Enter the output of the show version command for the tool to parse
+ Create a custom search by including all previously published Cisco
Security Advisories, a specific advisory, or all advisories in the most
recent bundled publication
To determine whether a release is affected by any published Cisco Security
Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
Cisco IOS Software or Cisco IOS XE Software release?for example, 15.1(4)M2
or 3.13.8S?in the following field:
[ ] [Check]
By default, the Cisco IOS Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, use the Cisco IOS
Software Checker on Cisco.com and check the Medium check box in the Impact
Rating drop-down list.
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
Cisco IOS XE Software release.
Cisco ASA Software
In the following table, the left column lists major releases of Cisco ASA
Software. The right column indicates whether a major release is affected by
the vulnerability described in this advisory and the first release that
includes the fix for this vulnerability. Customers should upgrade to an
appropriate release as indicated in this section.
+---------------------------------------------------------------------+
| Cisco ASA Major | First Fixed Release for This |
| Release | Vulnerability |
|-------------------------+-------------------------------------------|
| 9.3^1 | Affected; migrate to Release 9.4 |
|-------------------------+-------------------------------------------|
| 9.4 | 9.4.4.18 |
|-------------------------+-------------------------------------------|
| 9.5^1 | Affected; migrate to Release 9.6 |
|-------------------------+-------------------------------------------|
| 9.6 | 9.6.4.8 |
|-------------------------+-------------------------------------------|
| 9.7 | Affected; migrate to Release 9.8 |
|-------------------------+-------------------------------------------|
| 9.8 | 9.8.2.26 |
|-------------------------+-------------------------------------------|
| 9.9 | 9.9.2.2 |
+---------------------------------------------------------------------+
^1 Cisco ASA Software Releases 9.3 and 9.5 have reached
end-of-software-maintenance status. Customers should migrate to a supported
release.
Customers can download the software from the Software Center on Cisco.com
by clicking Browse all and navigating to Security > Firewalls > Adaptive
Security Appliances (ASA) > ASA 5500-X Series Firewalls, where there is a
list of ASA hardware platforms.
Cisco FTD Software
In the following table, the left column lists major releases of Cisco FTD
Software. The right column indicates whether a major release is affected by
the vulnerability described in this advisory and the first release that
includes the fix for this vulnerability. Customers should upgrade to an
appropriate release as indicated in this section.
+-------------------------------------------------------------------------+
| Cisco FTD Software | First Fixed Release for This Vulnerability |
| Release | |
|-----------------------+-------------------------------------------------|
| 6.2.0 | Affected; migrate to Release 6.2.2.3 or 6.2.3.1 |
| | or later. |
|-----------------------+-------------------------------------------------|
| 6.2.1 | Affected; migrate to Release 6.2.2.3 or 6.2.3.1 |
| | or later. |
|-----------------------+-------------------------------------------------|
| 6.2.2 | 6.2.2.3 |
|-----------------------+-------------------------------------------------|
| 6.2.3 | 6.2.3.1 |
+-------------------------------------------------------------------------+
Customers can download the software from the Software Center on Cisco.com
by clicking Browse all and navigating to Security > Firewalls >
Next-Generation Firewalls (NGFW), where there is a list of Cisco FTD
hardware platforms.
Exploitation and Public Announcements
* The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
* This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
* To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
* Subscribe
Related to This Advisory
* Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE
Software Security Advisory Bundled Publication
Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication
September 2018
URL
* https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipsec
Revision History
+----------------------------------------------------------------------------+
| Version | Description | Section | Status | Date |
|---------+--------------------------+---------+--------+--------------------|
| 1.0 | Initial public release. | | Final | 2018-September-26 |
+----------------------------------------------------------------------------+
Legal Disclaimer
* THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information
or contain factual errors. The information in this document is intended for
end users of Cisco products.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBW6wXHWaOgq3Tt24GAQjTOg//dHkdXW+FKAfM0mYQjc2BCydrjA4ZeIfU
rrbP3VXhimukhP43k2R4/eFYTI8WzZTjmgVWYRMtYpoYz735LJl7S1fcj36j94Mj
EaFFdbp9SfsmNKPAXSh00VOf/qAu/K0cvN28yCdFaaLGKPzZGazQIS6HyhxL8a2C
DnsChl/bZtZWMTiVV67IUr57Hl+b0mfX7yxkTOqajoB1MSSC1L9sMrSJSJSdL7cW
oXVzIG0aBZwgYh5BR7oofsDx5ig8B1KAvPRLRUwOnXp8+22914nX1MzFXv0ncQjf
FZ8b2E4FulHlbjMsE/357tTgs/ypX340jVNxHeYIiwwNl9IOLftNZ0bieZplt6Su
2uKd3z+wo2MxHx7TLNp2YQbGmG2xrzjO8TAUo2ZgNMxw/Aq4MQEDSvHPXooa8y4S
4dX24+FzWkNSsOz2hsvpw+Vb/kEHXA3dGlzVuliISTiG4d43p0TkPNnQru4uURQ+
Zgem6JdPEs1m4VP/tc8vHWpiBS9gYoll1cU6hcyU9dTVc5sB9NZPeIfpkj/DdOCd
DPXxxRUx4heJLK4kiwfmgGafc1+PGrfOg2oyMYH8Z9SyPDVyNK+oF+mj82UfHXk7
qViz7TsitQI5iFjeGmRs2z7NEgC+icUTD9OEZJTevkKDitY4t0ihY0+y3UYpi6qM
Xih1ixuykHc=
=wNzq
-----END PGP SIGNATURE-----