-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2902
        Multiple Vulnerabilities have been identified in Cisco IOS XE
                             27 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS XE
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Root Compromise      -- Existing Account
                   Denial of Service    -- Remote/Unauthenticated
                   Unauthorised Access  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-15374 CVE-2018-15372 CVE-2018-15371 CVE-2018-0481
                   CVE-2018-0480 CVE-2018-0477 CVE-2018-0476 CVE-2018-0472
                   CVE-2018-0471 CVE-2018-0470 CVE-2018-0469

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-cdp-memleak
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-iosxe-cmdinj
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-digsig
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-errdisable
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webdos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-macsec
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-sip-alg
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-privesc
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-shell-access
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webuidos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipsec

Comment: This bulletin contains eleven (11) Cisco Systems security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Cisco IOS XE Software Cisco Discovery Protocol Memory Leak Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20180926-cdp-memleak
First Published: 2018 September 26 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvf50648
CVE-2018-0471    CWE-400
CVSS Score:      Base 7.4
                 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  * A vulnerability in the Cisco Discovery Protocol (CDP) module of Cisco IOS
    XE Software Releases 16.6.1 and 16.6.2 could allow an unauthenticated,
    adjacent attacker to cause a memory leak that may lead to a denial of
    service (DoS) condition.

    The vulnerability is due to incorrect processing of certain CDP packets.
    An attacker could exploit this vulnerability by sending certain CDP packets
    to an affected device. A successful exploit could cause an affected device
    to continuously consume memory and eventually result in a memory allocation
    failure that leads to a crash, triggering a reload of the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-cdp-memleak

    This advisory is part of the September 26, 2018, release of the Cisco IOS
    and IOS XE Software Security Advisory Bundled Publication, which includes
    12 Cisco Security Advisories that describe 13 vulnerabilities. For a
    complete list of the advisories and links to them, see Cisco Event
    Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security
    Advisory Bundled Publication.

Affected Products

  * Vulnerable Products

    This vulnerability affects devices that are running Cisco IOS XE Software
    Release 16.6.1 or 16.6.2 with the CDP feature enabled on at least one
    interface.
    The CDP feature is enabled in Cisco IOS XE on all interfaces by default.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Determining Whether the CDP Feature Is Enabled

    To determine whether a device is configured with the CDP feature enabled
    globally, use the show running-config all | include cdp run privileged
    EXEC command on the device. The following example shows the output of the
    show running-config all | include cdp run command on a device that has the
    CDP feature enabled globally:

      ios-xe-device#show running-config all | include cdp run
      cdp run

    To determine whether a device is configured with the CDP feature enabled on
    an interface, use the show cdp interface privileged EXEC command on the
    device. The following example shows the output of the show cdp interface
    command on a device that has the CDP feature disabled on all interfaces:

      ios-xe-device#show cdp interface
      % CDP is not enabled

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device is
    running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

      ios-xe-device# show version
      Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
      Technical Support: http://www.cisco.com/techsupport
      Copyright (c) 1986-2016 by Cisco Systems, Inc.
      Compiled Sun 27-Mar-16 21:47 by mcpre
      .
      .
      .

    For information about the naming and numbering conventions for Cisco IOS XE
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
  * Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Indicators of Compromise

  * On successful exploitation of the vulnerability described in this
    advisory, logs will show a %SYS-2-MALLOCFAIL message referencing the CDP
    Protocol process, which indicates a memory allocation failure.

    Exploitation of this vulnerability can cause an affected device to reload
    and generate a crashinfo file. Contact the Cisco Technical Assistance
    Center (TAC) to review the output of the show tech-support CLI command and
    the crashinfo file to determine whether the device has been compromised by
    exploitation of this vulnerability.

Workarounds

  * There are no workarounds that address this vulnerability.

    Administrators who do not use the CDP feature in their environment can
    disable the CDP feature by using the no cdp run command in global
    configuration mode to prevent exploitation of this vulnerability.

    Administrators who do use the CDP feature but want to limit the attack
    surface can disable the CDP feature on interfaces that do not require this
    feature by using the no cdp enable command in interface configuration mode.

Fixed Software

  * Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner.
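The exposure checks (release, global and per-interface CDP state), the %SYS-2-MALLOCFAIL indicator and the no cdp run / no cdp enable mitigations described above can all be applied offline to CLI output and syslog that a defender has already collected. The following Python is an added example, not Cisco's code and not part of the advisory: the show version, show cdp interface and syslog samples in it are constructed for the example, the line layout of show cdp interface output is an assumption, and the function names are the example's own.

```python
"""Offline exposure and indicator check for the CDP memory-leak advisory.

Added example, not Cisco's code. It parses CLI output and syslog lines that
have already been collected and applies the checks the advisory describes.
Every sample below is constructed, not captured from a real device.
"""
import re

# Releases the advisory names as affected.
AFFECTED_RELEASES = {"16.6.1", "16.6.2"}

# Constructed 'show version' banner (layout follows the advisory's example).
SHOW_VERSION = """\
ios-xe-device# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.6.2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
"""

# Constructed 'show running-config all | include cdp run' output.
RUN_CFG_CDP_ON = "cdp run\n"

# Constructed 'show cdp interface' output; the per-interface layout is assumed.
SHOW_CDP_INT_ON = """\
GigabitEthernet1/0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet1/0/2 is down, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
"""
SHOW_CDP_INT_OFF = "% CDP is not enabled\n"

# Constructed syslog lines; only the second one is the advisory's indicator.
LOG_LINES = [
    'Sep 27 10:01:02.113: %LINEPROTO-5-UPDOWN: Line protocol on Interface '
    'GigabitEthernet1/0/2, changed state to up',
    'Sep 27 10:05:44.901: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes '
    'failed from 0x1B2C3D, alignment 0 Pool: Processor  Free: 4120  '
    'Cause: Not enough free memory -Process= "CDP Protocol", ipl= 0, pid= 217',
    'Sep 27 10:06:00.002: %SYS-2-MALLOCFAIL: Memory allocation of 1024 bytes '
    'failed from 0x2C3D4E, alignment 0 -Process= "HTTP CORE", ipl= 0, pid= 345',
]


def parse_release(show_version):
    """Pull the release number out of the banner; tolerates a code name
    such as 'Version Denali 16.2.1' as well as 'Version 16.6.2'."""
    m = re.search(r"Version (?:[A-Za-z]+ )?(\d+\.\d+\.\d+)", show_version)
    return m.group(1) if m else None


def cdp_enabled_globally(running_config_all):
    """'show running-config all' prints 'cdp run' when CDP is enabled and
    'no cdp run' when it is disabled; '| include cdp run' matches both."""
    for line in running_config_all.splitlines():
        s = line.strip()
        if s == "cdp run":
            return True
        if s == "no cdp run":
            return False
    return False


def cdp_interfaces(show_cdp_interface):
    """Interfaces on which CDP is enabled, or [] when it is disabled on all."""
    if "% CDP is not enabled" in show_cdp_interface:
        return []
    return re.findall(r"^(\S+) is (?:up|down|administratively down)",
                      show_cdp_interface, re.M)


def is_exposed(show_version, running_config_all, show_cdp_interface):
    """Advisory condition: affected release AND CDP enabled on >= 1 interface."""
    return (parse_release(show_version) in AFFECTED_RELEASES
            and cdp_enabled_globally(running_config_all)
            and bool(cdp_interfaces(show_cdp_interface)))


def cdp_mallocfail_events(log_lines):
    """The advisory's indicator: %SYS-2-MALLOCFAIL naming the CDP Protocol
    process. Other MALLOCFAIL messages are left for separate triage."""
    return [l for l in log_lines
            if "%SYS-2-MALLOCFAIL" in l and "CDP Protocol" in l]


def mitigation_commands(show_cdp_interface, keep=()):
    """Interface-level 'no cdp enable' lines for every CDP-enabled interface
    not listed in `keep` (the advisory's attack-surface reduction). Sites that
    do not use CDP at all would use the global 'no cdp run' instead."""
    cmds = []
    for intf in cdp_interfaces(show_cdp_interface):
        if intf not in keep:
            cmds += [f"interface {intf}", " no cdp enable"]
    return cmds


if __name__ == "__main__":
    print("exposed:", is_exposed(SHOW_VERSION, RUN_CFG_CDP_ON, SHOW_CDP_INT_ON))
    print("IoC hits:", len(cdp_mallocfail_events(LOG_LINES)))
    print("\n".join(mitigation_commands(SHOW_CDP_INT_ON, keep={"GigabitEthernet1/0/1"})))
```

The indicator filter deliberately requires both the %SYS-2-MALLOCFAIL mnemonic and the "CDP Protocol" process name, as the advisory describes; a MALLOCFAIL from any other process is still worth a look, but is not this advisory's signature.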
    In most cases this will be a maintenance upgrade to software that was
    previously purchased. Free security software updates do not entitle
    customers to a new software license, additional software feature sets, or
    major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").
    Customers can use this tool to perform the following tasks:

      + Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
      + Enter the output of the show version command for the tool to parse
      + Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the
        most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco
    IOS Software or Cisco IOS XE Software release (for example, 15.1(4)M2 or
    3.13.8S) in the search field provided on the advisory web page.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco
    IOS XE Software release.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  * This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.
Subscribe to Cisco Security Notifications

  * Subscribe

Related to This Advisory

  * Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication
    Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication
    September 2018

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-cdp-memleak

Revision History

  +----------------------------------------------------------------------------+
  | Version |       Description        | Section | Status |        Date        |
  |---------+--------------------------+---------+--------+--------------------|
  |   1.0   | Initial public release.  |    -    | Final  | 2018-September-26  |
  +----------------------------------------------------------------------------+

Legal Disclaimer

  * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits
    the distribution URL is an uncontrolled copy and may lack important
    information or contain factual errors. The information in this document is
    intended for end users of Cisco products.
- -------------------------------------------------------------------------------

Cisco Security Advisory

Cisco IOS XE Software Command Injection Vulnerabilities

Priority:        High
Advisory ID:     cisco-sa-20180926-iosxe-cmdinj
First Published: 2018 September 26 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvh02919, CSCvh54202
CVE-2018-0477    CVE-2018-0481    CWE-77
CVSS Score:      Base 6.7
                 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  * Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software could
    allow an authenticated, local attacker to execute commands on the
    underlying Linux shell of an affected device with root privileges.

    The vulnerabilities exist because the affected software improperly
    sanitizes command arguments, failing to prevent access to certain internal
    data structures on an affected device. An attacker who has privileged EXEC
    mode (privilege level 15) access to an affected device could exploit these
    vulnerabilities on the device by executing CLI commands that contain custom
    arguments. A successful exploit could allow the attacker to execute
    arbitrary commands with root privileges on the affected device.

    Cisco has released software updates that address these vulnerabilities.
    There are no workarounds that address these vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-iosxe-cmdinj

    This advisory is part of the September 26, 2018, release of the Cisco IOS
    and IOS XE Software Security Advisory Bundled Publication, which includes
    12 Cisco Security Advisories that describe 13 vulnerabilities. For a
    complete list of the advisories and links to them, see Cisco Event
    Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security
    Advisory Bundled Publication.
Affected Products

  * Vulnerable Products

    These vulnerabilities affect Cisco devices that are running a vulnerable
    release of Cisco IOS XE Software.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device is
    running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

      ios-xe-device# show version
      Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
      Technical Support: http://www.cisco.com/techsupport
      Copyright (c) 1986-2016 by Cisco Systems, Inc.
      Compiled Sun 27-Mar-16 21:47 by mcpre
      .
      .
      .

    For information about the naming and numbering conventions for Cisco IOS XE
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

  * Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

    Cisco has confirmed that these vulnerabilities do not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  * There are no workarounds that address these vulnerabilities.

Fixed Software

  * Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license.
    By installing, downloading, accessing, or otherwise using such software
    upgrades, customers agree to follow the terms of the Cisco software
    license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.
    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

      + Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
      + Enter the output of the show version command for the tool to parse
      + Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the
        most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco
    IOS Software or Cisco IOS XE Software release (for example, 15.1(4)M2 or
    3.13.8S) in the search field provided on the advisory web page.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco
    IOS XE Software release.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerabilities that are
    described in this advisory.
Source

  * These vulnerabilities were found during internal security testing.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  * Subscribe

Related to This Advisory

  * Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication
    Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication
    September 2018

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-iosxe-cmdinj

Revision History

  +----------------------------------------------------------------------------+
  | Version |       Description        | Section | Status |        Date        |
  |---------+--------------------------+---------+--------+--------------------|
  |   1.0   | Initial public release.  |         | Final  | 2018-September-26  |
  +----------------------------------------------------------------------------+

Legal Disclaimer

  * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits
    the distribution URL is an uncontrolled copy and may lack important
    information or contain factual errors. The information in this document is
    intended for end users of Cisco products.
- -------------------------------------------------------------------------------

Cisco Security Advisory

Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-20180926-digsig
First Published: 2018 September 26 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvh15737
CVE-2018-15374   CWE-347
CVSS Score:      Base 6.7
                 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  * A vulnerability in the Image Verification feature of Cisco IOS XE Software
    could allow an authenticated, local attacker to install a malicious
    software image or file on an affected device.

    The vulnerability is due to the affected software improperly verifying
    digital signatures for software images and files that are uploaded to a
    device. An attacker could exploit this vulnerability by uploading a
    malicious software image or file to an affected device. A successful
    exploit could allow the attacker to bypass digital signature verification
    checks for software images and files and install a malicious software
    image or file on the affected device.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-digsig

Affected Products

  * Vulnerable Products

    This vulnerability affects Cisco devices that are running a vulnerable
    release of Cisco IOS XE Software.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device is
    running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.
    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

      ios-xe-device# show version
      Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
      Technical Support: http://www.cisco.com/techsupport
      Copyright (c) 1986-2016 by Cisco Systems, Inc.
      Compiled Sun 27-Mar-16 21:47 by mcpre
      .
      .
      .

    For information about the naming and numbering conventions for Cisco IOS XE
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

  * Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  * There are no workarounds that address this vulnerability.

Fixed Software

  * For detailed information about affected and fixed software releases,
    consult the Cisco IOS Software Checker.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.
    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

      + Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
      + Enter the output of the show version command for the tool to parse
      + Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the
        most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco
    IOS Software or Cisco IOS XE Software release (for example, 15.1(4)M2 or
    3.13.8S) in the search field provided on the advisory web page.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  * This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy.
    This document also contains instructions for obtaining fixed software and
    receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  * Subscribe

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-digsig

Revision History

  +----------------------------------------------------------------------------+
  | Version |       Description        | Section | Status |        Date        |
  |---------+--------------------------+---------+--------+--------------------|
  |   1.0   | Initial public release.  |         | Final  | 2018-September-26  |
  +----------------------------------------------------------------------------+

Legal Disclaimer

  * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits
    the distribution URL is an uncontrolled copy and may lack important
    information or contain factual errors. The information in this document is
    intended for end users of Cisco products.

- -------------------------------------------------------------------------------

Cisco Security Advisory

Cisco IOS XE Software Errdisable Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20180926-errdisable
First Published: 2018 September 26 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvh13611
CVE-2018-0480    CWE-362
CVSS Score:      Base 7.4
                 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  * A vulnerability in the errdisable per VLAN feature of Cisco IOS XE
    Software could allow an unauthenticated, adjacent attacker to cause the
    device to crash, leading to a denial of service (DoS) condition.
    The vulnerability is due to a race condition that occurs when the VLAN and
    port enter an errdisabled state, resulting in an incorrect state in the
    software. An attacker could exploit this vulnerability by sending frames
    that trigger the errdisable condition. A successful exploit could allow
    the attacker to cause the affected device to crash, leading to a DoS
    condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-errdisable

    This advisory is part of the September 26, 2018, release of the Cisco IOS
    and IOS XE Software Security Advisory Bundled Publication, which includes
    12 Cisco Security Advisories that describe 13 vulnerabilities. For a
    complete list of the advisories and links to them, see Cisco Event
    Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security
    Advisory Bundled Publication.

Affected Products

  * Vulnerable Products

    This vulnerability affects Cisco Catalyst 3650, 3850, and 4500E Series
    Switches that are running a vulnerable release of Cisco IOS XE Software
    and have the errdisable feature enabled for a feature at both the VLAN and
    port level.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Determining Whether a Device Is Running an Affected Configuration

    To determine whether a device is running an affected configuration at both
    the VLAN and port level, perform both of the following steps:

    Step 1: VLAN Level

    There are two options for completing Step 1.

    Option A: show errdisable detect

    Issue the CLI command show errdisable detect | include vlan. For each VLAN
    mode feature that the device lists in the output for this command, perform
    the corresponding portion of Step 2.
    The following example shows a device that is configured for a VLAN mode
    errdisable detect for bpduguard (BPDU guard), psecure-violation (port
    security violation), and security-violation (802.1x security violation) on
    the VLAN:

      switch#show errdisable detect | include vlan
      bpduguard                      Enabled        vlan
      psecure-violation              Enabled        port/vlan
      security-violation             Enabled        vlan
      switch#

    Option B: show running-config

    To determine whether a device is running an affected configuration at the
    VLAN level, issue the show running-config command twice, using two
    different include statements:

      + First, issue the CLI command show running-config | include shutdown
        vlan. For each VLAN mode feature that the device lists in the output
        for this command, perform the corresponding portion of Step 2.

        The following example shows a device that is configured for a VLAN
        mode errdisable detect for security-violation (802.1x security
        violation) and bpduguard (BPDU guard) on the VLAN:

          switch#show running-config | include shutdown vlan
          errdisable detect cause security-violation shutdown vlan
          errdisable detect cause bpduguard shutdown vlan
          switch#

      + Second, issue the CLI command show running-config | include switchport
        port-security violation shutdown vlan. If the command returns output,
        perform the corresponding portion of Step 2.

        The following example shows a device that is configured for a VLAN
        mode errdisable detect for port security violation on the VLAN:

          switch#show running-config | include switchport port-security violation shutdown vlan
           switchport port-security violation shutdown vlan
          switch#

    Step 2: Port Level

    For each VLAN mode configured feature revealed in Step 1, do the following
    to determine whether the feature is also enabled at the port level:

      + BPDU guard: If errdisable per VLAN for detection cause bpduguard is
        enabled, confirm that the device also has BPDU guard configured.
If the configuration contains either of the following, the device is vulnerable: spanning-tree portfast bpduguard default interface <interface-id> spanning-tree portfast or interface <interface-id> spanning-tree bpduguard enable + Port security violation: Errdisable per port/vlan for detection cause psecure-violation is enabled by default. Confirm that the device also has port security configured and violation vlan shutdown configured. If the output of show port-security contains a row with Shutdown Vlan (as shown in the following example), the device is vulnerable: switch#show port-security Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) --------------------------------------------------------------------------- Gi1/0/48 1 1 5 Shutdown Vlan --------------------------------------------------------------------------- Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 4096 switch# + 802.1x security violation: If errdisable per VLAN for detection cause security-violation is enabled, confirm that the device also has 802.1x authentication configured and the voice VLAN is configured. If the configuration contains the following and does not contain authentication violation {protect|replace|restrict}, the device is vulnerable: interface <interface-id> authentication port-control value switchport voice vlan value However, if the following content is also present in the CLI output, the device is not vulnerable: authentication violation {protect|replace|restrict} Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. 
The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre . . . For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software. Workarounds * There are no workarounds that address this vulnerability. For customers who can remove errdisable per VLAN detection and use the corresponding errdisable per port detection, this action may be a suitable mitigation until switches that are affected by this vulnerability can be upgraded. Fixed Software * Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. 
Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker, that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory (?First Fixed?). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified (?Combined First Fixed?). 
Customers can use this tool to perform the following tasks: + Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse + Enter the output of the show version command for the tool to parse + Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS Software or Cisco IOS XE Software release?for example, 15.1(4)M2 or 3.13.8S?in the following field: [ ] [Check] By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Exploitation and Public Announcements * The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source * This vulnerability was found during the resolution of a Cisco TAC support case. Cisco Security Vulnerability Policy * To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. 
Subscribe to Cisco Security Notifications * Subscribe Related to This Advisory * Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication September 2018 URL * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-errdisable Revision History +----------------------------------------------------------------------------+ | Version | Description | Section | Status | Date | |---------+--------------------------+---------+--------+--------------------| | 1.0 | Initial public release. | | Final | 2018-September-26 | +----------------------------------------------------------------------------+ Legal Disclaimer * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products. 
- -------------------------------------------------------------------------------

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webdos

Cisco Security Advisory

Cisco IOS XE Software HTTP Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20180926-webdos
First Published: 2018 September 26 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvb22618
CVE-2018-0470
CWE-399
CVSS Score:      Base 8.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  * A vulnerability in the web framework of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a buffer overflow condition on an affected device, resulting in a denial of service (DoS) condition.

    The vulnerability is due to the affected software improperly parsing malformed HTTP packets that are destined to a device. An attacker could exploit this vulnerability by sending a malformed HTTP packet to an affected device for processing. A successful exploit could allow the attacker to cause a buffer overflow condition on the affected device, resulting in a DoS condition.

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webdos

    This advisory is part of the September 26, 2018, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 12 Cisco Security Advisories that describe 13 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Affected Products

  * Vulnerable Products

    This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software, if the HTTP Server feature is enabled. The default state of the HTTP Server feature is version-dependent. For information about which Cisco IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory.

    Assessing the HTTP Server Configuration

    To determine whether the HTTP Server feature is enabled for a device, administrators can log in to the device and use the show running-config | include http (secure|server) command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present and configured, the HTTP Server feature is enabled for the device.

    The following example shows the output of the show running-config | include http (secure|server) command for a router that has the HTTP Server feature enabled:

        Router# show running-config | include http (secure|server)
        ip http server
        ip http secure-server

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version
        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre
        . . .

    For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

  * Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  * There are no workarounds that address this vulnerability. Administrators who do not use the web UI can mitigate this vulnerability by disabling the HTTP Server feature on an affected device. To disable the feature, use the no ip http server and no ip http secure-server commands in the CLI.

Fixed Software

  * Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker, that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

    + Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse
    + Enter the output of the show version command for the tool to parse
    + Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication

    To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com, or enter a Cisco IOS Software or Cisco IOS XE Software release (for example, 15.1(4)M2 or 3.13.8S) in the release field of the tool.

    By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  * This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  * Subscribe

Related to This Advisory

  * Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication
    Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication September 2018

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webdos

Revision History

  +----------------------------------------------------------------------------+
  | Version | Description              | Section | Status | Date               |
  |---------+--------------------------+---------+--------+--------------------|
  | 1.0     | Initial public release.  |         | Final  | 2018-September-26  |
  +----------------------------------------------------------------------------+

Legal Disclaimer

  * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
- -------------------------------------------------------------------------------

Cisco Security Advisory

Cisco IOS XE Software MACsec MKA Using EAP-TLS Authentication Bypass Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-20180926-macsec
First Published: 2018 September 26 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvh09411
CVE-2018-15372
CWE-284
CVSS Score:      Base 6.5
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:X/RL:X/RC:X

Summary

  * A vulnerability in the MACsec Key Agreement (MKA) using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) functionality of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to bypass authentication and pass traffic through a Layer 3 interface of an affected device.

    The vulnerability is due to a logic error in the affected software. An attacker could exploit this vulnerability by connecting to and passing traffic through a Layer 3 interface of an affected device, if the interface is configured for MACsec MKA using EAP-TLS and is running in access-session closed mode. A successful exploit could allow the attacker to bypass 802.1x network access controls and gain access to the network.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-macsec

Affected Products

  * Vulnerable Products

    This vulnerability affects Cisco devices that are running a vulnerable Cisco IOS XE Software 16.x Release and have a Layer 3 interface that is configured for MACsec MKA using EAP-TLS and is running in access-session closed mode. For more information about which Cisco IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version
        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre
        . . .

    For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

  * Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  * There are no workarounds that address this vulnerability.

Fixed Software

  * For detailed information about affected and fixed software releases, consult the Cisco IOS Software Checker.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker, that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

    + Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse
    + Enter the output of the show version command for the tool to parse
    + Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication

    To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com, or enter a Cisco IOS Software or Cisco IOS XE Software release (for example, 15.1(4)M2 or 3.13.8S) in the release field of the tool.

    By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  * This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  * Subscribe

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-macsec

Revision History

  +----------------------------------------------------------------------------+
  | Version | Description              | Section | Status | Date               |
  |---------+--------------------------+---------+--------+--------------------|
  | 1.0     | Initial public release.  |         | Final  | 2018-September-26  |
  +----------------------------------------------------------------------------+

Legal Disclaimer

  * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
- ------------------------------------------------------------------------------- Cisco Security Advisory Cisco IOS XE Software NAT Session Initiation Protocol Application Layer Gateway Denial of Service Vulnerability Priority: High Advisory ID: cisco-sa-20180926-sip-alg First Published: 2018 September 26 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvg89036 CVE-2018-0476 CWE-399 CVSS Score: Base 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X Summary * A vulnerability in the Network Address Translation (NAT) Session Initiation Protocol (SIP) Application Layer Gateway (ALG) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to improper processing of SIP packets in transit while NAT is performed on an affected device. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted SIP packets via UDP port 5060 through an affected device that is performing NAT for SIP packets. A successful exploit could allow an attacker to cause the device to reload, resulting in a denial of service (DoS) condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20180926-sip-alg This advisory is part of the September 26, 2018, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 12 Cisco Security Advisories that describe 13 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products * Vulnerable Products This vulnerability affects devices that are running Cisco IOS XE Software configured for NAT operation. 
The SIP ALG feature is enabled as soon as NAT is configured on the device. For information about which Cisco IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory. Assessing the NAT Configuration To determine whether NAT has been enabled in the Cisco IOS XE Software configuration, the ip nat inside or ip nat outside commands must be on different interfaces and at least one ip nat global configuration command must be in the configuration. Alternatively, in the case of the NAT Virtual Interface, the ip nat enable interface command will be present. The show running-config | include ip nat command can be used to determine whether NAT is in the configuration, as illustrated in the following example of a vulnerable configuration: Router#show running-config | include ip nat ip nat inside ip nat outside ip nat inside source static 192.0.2.100 10.0.0.1 To determine whether the SIP ALG is disabled in the NAT configuration, use the show running-config | include ip nat privileged EXEC command. The presence of no ip nat service in the output of show running-config | include ip nat indicates that the SIP ALG is disabled in the NAT configuration. The following is the output of show running-config | include ip nat in Cisco IOS XE Software that has the SIP ALG disabled in the NAT configuration: Router#show running-config | include ip nat ip nat inside ip nat outside ip nat inside source static 192.0.2.100 10.0.0.1 vrf sip no ip nat service sip udp port 5060 If no ip nat service does not appear in the output of show running-config | include ip nat, and the device runs an affected version of Cisco IOS XE Software with NAT enabled, that configuration is vulnerable. Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. 
If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre . . . For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software. Indicators of Compromise * A successful exploit of this vulnerability will cause an affected device to reload and generate a crashinfo file. A successful exploit of this vulnerability may be confirmed by decoding the stack trace for the device and determining whether the stack trace correlates with this vulnerability. Contact the Cisco Technical Assistance Center (TAC) to review the crashinfo file and determine whether the device has been compromised by exploitation of this vulnerability. Workarounds * There are no workarounds that address this vulnerability. Administrators can mitigate the vulnerability by disabling the SIP ALG by configuring the following on the affected device until an upgrade is possible: no ip nat service sip udp port 5060 Fixed Software * Cisco has released free software updates that address the vulnerability described in this advisory. 
Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Cisco IOS and IOS XE Software

To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker, that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed").

Customers can use this tool to perform the following tasks:

  + Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse
  + Enter the output of the show version command for the tool to parse
  + Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication

To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com and enter a Cisco IOS Software or Cisco IOS XE Software release, for example 15.1(4)M2 or 3.13.8S.

By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list.

For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Source

This vulnerability was found during the resolution of a Cisco TAC support case.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Related to This Advisory

  * Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication
  * Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication September 2018

URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-sip-alg

Revision History

+---------+--------------------------+---------+--------+--------------------+
| Version | Description              | Section | Status | Date               |
|---------+--------------------------+---------+--------+--------------------|
| 1.0     | Initial public release.  |         | Final  | 2018-September-26  |
+---------+--------------------------+---------+--------+--------------------+

- -------------------------------------------------------------------------------

Cisco Security Advisory
Cisco IOS XE Software Privileged EXEC Mode Root Shell Access Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-20180926-privesc
First Published: 2018 September 26 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCuw45594
CVSS Score:      Base 6.7
                 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

A vulnerability in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to gain access to the underlying Linux shell of an affected device and execute arbitrary commands with root privileges on the device. The vulnerability is due to the affected software improperly sanitizing command arguments to prevent modifications to the underlying Linux filesystem on a device.
An attacker who has privileged EXEC mode (privilege level 15) access to an affected device could exploit this vulnerability by executing CLI commands that contain crafted arguments. A successful exploit could allow the attacker to gain access to the underlying Linux shell of the affected device and execute arbitrary commands with root privileges on the device.

There are no workarounds that address this vulnerability.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-privesc

Affected Products

Vulnerable Products

This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software. For information about which Cisco IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory.

Determining the Cisco IOS XE Software Release

To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The show version example and the release naming conventions are given in the same-named section of the first advisory above.
Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

There are no workarounds that address this vulnerability.

Fixed Software

For detailed information about affected and fixed software releases, consult the Cisco IOS Software Checker (described under Cisco IOS and IOS XE Software in the first advisory above).

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-privesc

Revision History

+---------+--------------------------+---------+--------+--------------------+
| Version | Description              | Section | Status | Date               |
|---------+--------------------------+---------+--------+--------------------|
| 1.0     | Initial public release.  |         | Final  | 2018-September-26  |
+---------+--------------------------+---------+--------+--------------------+

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.

- -------------------------------------------------------------------------------

Cisco Security Advisory
Cisco IOS XE Software Shell Access Authentication Bypass Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-20180926-shell-access
First Published: 2018 September 26 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvb79289
                 CVE-2018-15371 CWE-284
CVSS Score:      Base 6.7
                 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

A vulnerability in the shell access request mechanism of Cisco IOS XE Software could allow an authenticated, local attacker to bypass authentication and gain unrestricted access to the root shell of an affected device. The vulnerability exists because the affected software has insufficient authentication mechanisms for certain commands.
An attacker could exploit this vulnerability by requesting access to the root shell of an affected device after the shell access feature has been enabled. A successful exploit could allow the attacker to bypass authentication and gain unrestricted access to the root shell of the affected device.

There are no workarounds that address this vulnerability.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-shell-access

Affected Products

Vulnerable Products

This vulnerability affects the following Cisco devices if they are running a vulnerable release of Cisco IOS XE Software and have the Smart Licensing feature enabled:

  + 4000 Series Integrated Services Routers
  + ASR 900 Series Aggregation Services Routers
  + ASR 1000 Series Aggregation Services Routers
  + Cloud Services Router 1000V Series
  + Integrated Services Virtual Router

For information about which Cisco IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory.

Determining Whether Smart Licensing Is Enabled

To determine whether the Smart Licensing feature is enabled for a device, administrators can log in to the device and use the show license summary | include Smart privileged EXEC command in the CLI. The following example shows the output of the command for a device that has the Smart Licensing feature enabled:

    ios-xe-device# show license summary | include Smart
    Smart Licensing is ENABLED

Determining the Cisco IOS XE Software Release

To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text.
The show version example and the release naming conventions are given in the same-named section of the first advisory above.

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

There are no workarounds that address this vulnerability.

Fixed Software

For detailed information about affected and fixed software releases, consult the Cisco IOS Software Checker (described under Cisco IOS and IOS XE Software in the first advisory above).

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy.
This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-shell-access

Revision History

+---------+--------------------------+---------+--------+--------------------+
| Version | Description              | Section | Status | Date               |
|---------+--------------------------+---------+--------+--------------------|
| 1.0     | Initial public release.  |         | Final  | 2018-September-26  |
+---------+--------------------------+---------+--------+--------------------+

Legal Disclaimer: as stated at the end of the previous advisory.

- -------------------------------------------------------------------------------

Cisco Security Advisory
Cisco IOS XE Software Web UI Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20180926-webuidos
First Published: 2018 September 26 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCva31961
                 CVE-2018-0469 CWE-415
CVSS Score:      Base 8.6
                 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

A vulnerability in the web user interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.
The vulnerability is due to a double free in memory handling by the affected software when specific HTTP requests are processed. An attacker could exploit this vulnerability by sending specific HTTP requests to the web user interface of the affected software. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition on the affected device.

To exploit this vulnerability, the attacker must have access to the management interface of the affected software, which is typically connected to a restricted management network.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webuidos

This advisory is part of the September 26, 2018, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 12 Cisco Security Advisories that describe 13 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Affected Products

Vulnerable Products

This vulnerability affects Cisco Catalyst 3650 and 3850 Series Switches that are running a vulnerable release of Cisco IOS XE Software if the HTTP Server feature is enabled. The default state of the HTTP Server feature is version dependent. This vulnerability was introduced in Cisco IOS XE Software Release 16.1.1. For more information about which Cisco IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory.
Assessing the HTTP Server Configuration

To determine whether the HTTP Server feature is enabled for a device, administrators can log in to the device and use the show running-config | include http (secure|server) command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present and configured, the HTTP Server feature is enabled for the device. The following example shows the output of the show running-config | include http (secure|server) command for a router that has the HTTP Server feature enabled:

    Router# show running-config | include http (secure|server)
    ip http server
    ip http secure-server

If the running configuration also contains both of the following lines, the device is not exploitable:

    ip http active-session-modules none
    ip http secure-active-session-modules none

Note that the filter http (secure|server) matches the second of these lines but not the first, so check for them with a broader filter such as show running-config | include ip http rather than relying on the output of the previous command.

Determining the Cisco IOS XE Software Release

To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The show version example and the release naming conventions are given in the same-named section of the first advisory above.
Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Details

This vulnerability has a CVSSv3 score with an authentication vector of "Not Required" (Privileges Required: None, PR:N in the vector above). Cisco IOS XE releases prior to 16.2.2 did not require authentication to exploit this vulnerability. Cisco IOS XE Software Releases 16.2.2 and later require authentication to exploit this vulnerability.

Indicators of Compromise

On Cisco IOS XE Software Release 16.2.2 and later, the syslog should show a "Login Successful" message for the WebGUI, followed by this syslog message:

    %PMAN-3-PROCHOLDDOWN: The process dbm has been helddown (rc 134)

Cisco IOS XE Software releases prior to 16.2.2 would not show the "Login Successful" message, only the syslog message shown above.

Workarounds

There are no workarounds that address this vulnerability. Customers who do not require the WebGUI to be enabled can disable it as shown in the following example:

    Switch#configure terminal
    Switch(config)#no ip http server
    Switch(config)#no ip http secure-server
    Switch(config)#exit
    Switch#

Fixed Software

Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license; the full licensing terms are the same as those given under Fixed Software in the first advisory above.
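The HTTP Server assessment above, the 16.1.1 and 16.2.2 release boundaries from the Details section, and the PROCHOLDDOWN indicator of compromise can be folded into one triage script. The Python below is an added example written for this bulletin, not Cisco code or tooling. The running-config excerpt, the show version banner and the syslog lines are constructed; the WebGUI login line in particular is a hypothetical shape, since the advisory only says that a "Login Successful" message precedes the hold-down. Fixed releases are not modelled (that is what the Cisco IOS Software Checker is for), and treating each HTTP listener separately against its own active-session-modules none line is this example's stricter reading of the advisory's "both lines present" rule.

```python
import re

# Constructed sample inputs (not from the advisory): a running-config excerpt,
# a 'show version' banner in the shape the advisory quotes, and syslog lines.
HTTP_CONFIG = """\
hostname Switch
ip http server
ip http secure-server
"""

VERSION_BANNER = ("Cisco IOS Software, Catalyst L3 Switch Software "
                  "(CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, "
                  "RELEASE SOFTWARE (fc1)")

# The PROCHOLDDOWN text is the one the advisory quotes. The WebGUI login line
# is a hypothetical shape: the advisory only says a "Login Successful" message
# for the WebGUI precedes the hold-down on 16.2.2 and later.
SYSLOG = [
    "*Sep 26 09:58:10.110: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "*Sep 26 10:03:15.441: WebGUI: Login Successful for user admin",
    "*Sep 26 10:03:16.002: %PMAN-3-PROCHOLDDOWN: The process dbm has been helddown (rc 134)",
    "*Sep 26 11:40:00.500: %PMAN-3-PROCHOLDDOWN: The process dbm has been helddown (rc 134)",
]


def parse_release(banner):
    """Extract the numeric release from a 16.x-style 'show version' banner:
    'Version Denali 16.2.1' -> (16, 2, 1). The release name is optional."""
    m = re.search(r"Version (?:[A-Za-z]+ )?(\d+(?:\.\d+)+)", banner)
    if not m:
        raise ValueError("no release string in banner")
    return tuple(int(p) for p in m.group(1).split("."))


def http_listeners(config):
    """For each HTTP Server listener: (enabled, session modules set to none)."""
    lines = {ln.strip() for ln in config.splitlines()}
    return {
        "http": ("ip http server" in lines,
                 "ip http active-session-modules none" in lines),
        "https": ("ip http secure-server" in lines,
                  "ip http secure-active-session-modules none" in lines),
    }


def webui_exposed(config):
    """True when any listener is enabled without its session modules set to
    none. The advisory states the rule for both lines together; applying it
    per listener is this example's (stricter) reading."""
    return any(on and not modules_none
               for on, modules_none in http_listeners(config).values())


def unauthenticated_exposure(release):
    """The bug was introduced in 16.1.1; 16.2.2 and later require a WebGUI
    login to trigger it. Fixed releases are not modelled here: use the Cisco
    IOS Software Checker for those."""
    return (16, 1, 1) <= release < (16, 2, 2)


HOLDDOWN = "%PMAN-3-PROCHOLDDOWN: The process dbm has been helddown"
LOGIN = re.compile(r"login successful", re.IGNORECASE)


def dbm_holddown_events(syslog_lines, window=1):
    """The advisory's indicator of compromise: every dbm hold-down, tagged
    with whether a WebGUI 'Login Successful' appears within the preceding
    `window` lines (expected on 16.2.2+, absent on earlier releases)."""
    events = []
    for i, line in enumerate(syslog_lines):
        if HOLDDOWN not in line:
            continue
        before = syslog_lines[max(0, i - window):i]
        events.append({"line": i,
                       "preceded_by_login": any(LOGIN.search(b) for b in before)})
    return events


if __name__ == "__main__":
    rel = parse_release(VERSION_BANNER)
    print("release", rel, "reachable without login:", unauthenticated_exposure(rel))
    print("web UI exposed:", webui_exposed(HTTP_CONFIG))
    for ev in dbm_holddown_events(SYSLOG):
        print(ev)
```

A hold-down that is not preceded by a login on a 16.2.2 or later device is still worth a look, since the advisory describes the expected sequence rather than guaranteeing it; in every case the crashinfo and the TAC review remain the authoritative confirmation.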
The licensing terms, the upgrade guidance, and the contact route for customers without service contracts are the same as those given under Fixed Software in the first advisory above. For detailed information about affected and fixed software releases, consult the Cisco IOS Software Checker (described under Cisco IOS and IOS XE Software in the first advisory above).
Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Related to This Advisory

  * Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication
  * Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication September 2018

URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webuidos

Revision History

+---------+--------------------------+---------+--------+--------------------+
| Version | Description              | Section | Status | Date               |
|---------+--------------------------+---------+--------+--------------------|
| 1.0     | Initial public release.  |         | Final  | 2018-September-26  |
+---------+--------------------------+---------+--------+--------------------+

Legal Disclaimer: as stated at the end of the Privileged EXEC Mode Root Shell Access advisory above.
- -------------------------------------------------------------------------------

Cisco Security Advisory
Cisco IOS XE Software and Cisco ASA 5500-X Series Adaptive Security Appliance IPsec Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20180926-ipsec
First Published: 2018 September 26 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvf73114, CSCvg37952, CSCvh04189, CSCvh04591, CSCvi30496
                 CVE-2018-0472 CWE-20
CVSS Score:      Base 8.6
                 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

A vulnerability in the IPsec driver code of multiple Cisco IOS XE Software platforms and the Cisco ASA 5500-X Series Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause the device to reload. The vulnerability is due to improper processing of malformed IPsec Authentication Header (AH) or Encapsulating Security Payload (ESP) packets. An attacker could exploit this vulnerability by sending malformed IPsec packets to be processed by an affected device. An exploit could allow the attacker to cause a reload of the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipsec

This advisory is part of the September 26, 2018, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 12 Cisco Security Advisories that describe 13 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.
Affected Products
  * This vulnerability affects multiple platforms running Cisco IOS XE Software
    and certain Cisco 5500-X Series Adaptive Security Appliances (ASA) running
    either Cisco ASA Software or Cisco Firepower Threat Defense (FTD) Software.
    See the following sections for details:
      + Cisco IOS XE Software
      + Cisco ASA Software and Cisco ASA 5500-X Series with Firepower Threat
        Defense Software

    Vulnerable Products

    Cisco IOS XE Software

    This vulnerability affects Cisco IOS XE Software running on the following
    products. No other models are affected.
      + Cisco ASR 1000 Series Aggregation Services Routers:
          o ASR 1001-X
          o ASR 1001-HX
          o ASR 1002-X
          o ASR 1002-HX
          o Cisco ASR 1000 Series 100-Gbps Embedded Service Processor
            (ASR1000-ESP100)
          o Cisco ASR 1000 Series 200-Gbps Embedded Service Processor
            (ASR1000-ESP200)
      + Cisco 4000 Series Integrated Services Routers:
          o ISR 4431
          o ISR 4451-X

    Cisco IOS XE Software is affected by this vulnerability if the system is
    configured to terminate IPsec VPN connections. This includes the following:
      + LAN-to-LAN VPN
      + Remote-access VPN, excluding SSL VPN
      + Dynamic Multipoint VPN (DMVPN)
      + FlexVPN
      + Group Encrypted Transport VPN (GET VPN)
      + IPsec virtual tunnel interfaces (VTIs)
      + Open Shortest Path First Version 3 (OSPFv3) Authentication Support
        with IPsec

    If a device that is running Cisco IOS XE Software is configured to
    terminate IPsec VPN connections, either a crypto map must be configured for
    at least one interface or the device must be configured with IPsec VTIs.
    Administrators should use the show running-config command and verify that
    the returned output contains a crypto map configured under at least one
    active interface.
    The following example shows a crypto map named map-group1 configured on
    the GigabitEthernet 0/0/0 interface:

      Router# show running-config
      <!-- Output Omitted -->
      interface GigabitEthernet0/0/0
       crypto map map-group1

    Administrators should use the show running-config command and verify that
    the returned output contains tunnel protection ipsec profile configured
    under at least one tunnel interface. The following example shows a VTI
    interface:

      Router# show running-config
      interface tunnel 0
       tunnel mode ipsec ipv4
       tunnel protection ipsec profile PROF1

    Note: IPsec VPN is not configured by default.

    If a device that is running Cisco IOS XE Software is configured to support
    OSPFv3 Authentication Support with IPsec, the running configuration
    contains one of the following:
      + ipv6 ospf encryption
      + ipv6 ospf authentication
      + ospfv3 authentication ipsec
      + ospfv3 encryption ipsec
      + area <area-id> authentication ipsec
      + area <area-id> encryption ipsec
      + area <area-id> virtual-link <router-id> authentication ipsec spi
      + area <area-id> virtual-link <router-id> encryption ipsec spi

    The following example shows a device configured for OSPFv3 Authentication
    Support with IPsec:

      Router# show running-config
      interface GigabitEthernet0/1
       ospfv3 authentication ipsec spi 256 md5 01020304050607080910010203040506

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device is
    running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.
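    To make the configuration checks above repeatable across a fleet, here is
    an added Python example (not part of the Cisco advisory or the AusCERT
    bulletin) that scans saved show running-config output for the three IPsec
    indicators the advisory names and pulls the release string out of a show
    version banner. The sample configuration inside it is constructed for
    illustration; the script does not check whether an interface is
    administratively up.

```python
import re

# Constructed sample of `show running-config` output (not from a real device).
# It carries each advisory indicator: crypto map on an interface, IPsec VTI, OSPFv3 IPsec.
SAMPLE_RUNNING_CONFIG = """\
crypto map map-group1 10 ipsec-isakmp
 set peer 198.51.100.7
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map map-group1
!
interface Tunnel0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF1
!
interface GigabitEthernet0/1
 ospfv3 authentication ipsec spi 256 md5 01020304050607080910010203040506
!
router ospfv3 1
 area 0 encryption ipsec spi 500 esp null md5 0a0b0c0d0e0f00010203040506070809
!
end
"""

# The OSPFv3-with-IPsec commands listed in the advisory; <area-id> and
# <router-id> are matched as single tokens.
OSPFV3_IPSEC_PATTERNS = [
    r"^ipv6 ospf (?:encryption|authentication)\b",
    r"^ospfv3 (?:authentication|encryption) ipsec\b",
    r"^area \S+ (?:authentication|encryption) ipsec\b",
    r"^area \S+ virtual-link \S+ (?:authentication|encryption) ipsec spi\b",
]

def ipsec_exposure(config):
    """Locate each advisory indicator in a running-config.

    Returns {'crypto_map': [(interface, map)], 'vti': [(interface, profile)],
    'ospfv3_ipsec': [(stanza, command)]}. Only interface-level 'crypto map'
    bindings count; the global 'crypto map <name> <seq> ...' definition does not.
    """
    found = {"crypto_map": [], "vti": [], "ospfv3_ipsec": []}
    stanza = "global"
    for raw in config.splitlines():
        if not raw.startswith(" "):          # top-level line opens a new stanza
            stanza = raw.strip() or "global"
            continue
        cmd = raw.strip()
        if stanza.startswith("interface "):
            ifname = stanza.split(None, 1)[1]
            m = re.match(r"^crypto map (\S+)", cmd)
            if m:
                found["crypto_map"].append((ifname, m.group(1)))
            m = re.match(r"^tunnel protection ipsec profile (\S+)", cmd)
            if m:
                found["vti"].append((ifname, m.group(1)))
        if any(re.match(p, cmd) for p in OSPFV3_IPSEC_PATTERNS):
            found["ospfv3_ipsec"].append((stanza, cmd))
    return found

def is_exposed(config):
    """True when the device terminates IPsec in any form the advisory lists."""
    return any(ipsec_exposure(config).values())

def ios_xe_release(show_version):
    """Pull the release from a `show version` banner, e.g. '16.2.1' or '15.1(4)M2'."""
    m = re.search(r"\bVersion (?:[A-Za-z]+ )?(\d+\.\d+[^,\s]*)", show_version)
    return m.group(1) if m else None
```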
    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

      ios-xe-device# show version
      Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
      Technical Support: http://www.cisco.com/techsupport
      Copyright (c) 1986-2016 by Cisco Systems, Inc.
      Compiled Sun 27-Mar-16 21:47 by mcpre
      .
      .
      .

    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Cisco ASA Software and Cisco ASA 5500-X Series with Firepower Threat
    Defense Software

    This vulnerability affects Cisco ASA Software or Cisco FTD Software running
    on the following products. No other models are affected.
      + Cisco ASA 5500-X Series Adaptive Security Appliances:
          o ASA 5506-X Series
          o ASA 5508-X Series
          o ASA 5516-X Series

    Refer to the Fixed Software section of this security advisory for more
    information about affected releases.

    Cisco ASA Software is affected by this vulnerability if the system is
    configured to terminate IPsec VPN connections. This includes the following:
      + LAN-to-LAN IPsec VPN
      + Remote-access VPN using the IPsec VPN client
      + Layer 2 Tunneling Protocol (L2TP)-over-IPsec VPN connections

    Cisco FTD Software is affected by this vulnerability if the system is
    configured to terminate IPsec VPN connections. This includes the following:
      + Site-to-site IPsec VPN
      + Remote-access VPN using the IPsec VPN client

    Cisco ASA Software or Cisco FTD Software is not affected by this
    vulnerability if the system is configured to terminate only the following
    VPN connections:
      + Clientless SSL
      + AnyConnect SSL

    If an appliance running Cisco ASA Software is configured to terminate IPsec
    VPN connections, a crypto map must be configured for at least one
    interface.
    Administrators should use the show running-config crypto map | include
    interface command and verify that it returns output. The following example
    shows a crypto map named outside_map configured on the outside interface:

      ciscoasa# show running-config crypto map | include interface
      crypto map outside_map interface outside

    Note: IPsec VPN is not configured by default.

    To determine whether an appliance that is running Cisco FTD is configured
    with site-to-site VPN connections or remote-access VPN connections that use
    the IPsec VPN client, administrators should use the show running-config
    command. In the following table, the left column lists the vulnerable Cisco
    FTD features. The right column indicates the vulnerable configuration from
    the show running-config command.

      +--------------------------------+----------------------------------------+
      | Cisco FTD Feature              | Vulnerable Configuration               |
      |--------------------------------+----------------------------------------|
      | AnyConnect IKEv2 Remote Access | crypto ikev2 enable <interface_name>   |
      | (with client services)^1,2     |  client-services port <port #>         |
      |                                | webvpn                                 |
      |                                |  anyconnect enable                     |
      |--------------------------------+----------------------------------------|
      | AnyConnect IKEv2 Remote Access | crypto ikev2 enable <interface_name>   |
      | (without client services)^1,2  | webvpn                                 |
      |                                |  anyconnect enable                     |
      |--------------------------------+----------------------------------------|
      | Site-to-site VPN connections^3 | crypto map <crypto_map_name> interface |
      |                                |  <interface_name>                      |
      +--------------------------------+----------------------------------------+

    ^1 Remote-access VPN features are enabled via Devices > VPN > Remote Access
       in the Cisco FMC or via Device > Remote Access VPN in Cisco Firepower
       Device Manager (FDM).
    ^2 Remote-access VPN features are first supported as of Cisco FTD Software
       Release 6.2.2.
    ^3 Site-to-site VPN features are first supported as of Cisco FTD Software
       Release 6.2.0.

    Determining the Cisco ASA Software Release

    To determine whether a vulnerable release of Cisco ASA Software is running
    on an appliance, administrators can use the show version command.
    The following example shows the results of the show version command on an
    appliance running Cisco ASA Software Release 9.2(1):

      ciscoasa# show version | include Version
      Cisco Adaptive Security Appliance Software Version 9.2(1)
      Device Manager Version 7.4(1)

    Determining the Cisco FTD Software Release

    Administrators can use the show version command in the CLI to determine the
    Cisco FTD Software release. In this example, the device is running Release
    6.2.2:

      > show version
      ---------------------[ ftd ]---------------------
      Model                     : Cisco ASA5525-X Threat Defense (75) Version 6.2.2 (Build 362)
      UUID                      : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
      Rules update version      : 2017-03-15-001-vrt
      VDB version               : 279
      ----------------------------------------------------

    Customers who use Cisco Adaptive Security Device Manager (ASDM) to manage
    devices can locate the software release in the table that appears in the
    login window or the upper-left corner of the Cisco ASDM window.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Details
  * For this vulnerability to be exploited, the IPsec security associations
    (SAs) must first be established. An attacker can exploit this vulnerability
    by using a crafted ESP or AH packet that meets several other conditions,
    such as matching the IPsec SA SPI and being within the correct sequence
    window.

Workarounds
  * There are no workarounds that address this vulnerability.

Fixed Software
  * Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license.
    By installing, downloading, accessing, or otherwise using such software
    upgrades, customers agree to follow the terms of the Cisco software
    license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.
    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:
      + Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
      + Enter the output of the show version command for the tool to parse
      + Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the most
        recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco
    IOS Software or Cisco IOS XE Software release (for example, 15.1(4)M2 or
    3.13.8S) in the search field on the advisory page.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco
    IOS XE Software release.

    Cisco ASA Software

    In the following table, the left column lists major releases of Cisco ASA
    Software.
    The right column indicates whether a major release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. Customers should upgrade to an
    appropriate release as indicated in this section.

      +-------------------------+--------------------------------------------+
      | Cisco ASA Major Release | First Fixed Release for This Vulnerability |
      |-------------------------+--------------------------------------------|
      | 9.3^1                   | Affected; migrate to Release 9.4           |
      |-------------------------+--------------------------------------------|
      | 9.4                     | 9.4.4.18                                   |
      |-------------------------+--------------------------------------------|
      | 9.5^1                   | Affected; migrate to Release 9.6           |
      |-------------------------+--------------------------------------------|
      | 9.6                     | 9.6.4.8                                    |
      |-------------------------+--------------------------------------------|
      | 9.7                     | Affected; migrate to Release 9.8           |
      |-------------------------+--------------------------------------------|
      | 9.8                     | 9.8.2.26                                   |
      |-------------------------+--------------------------------------------|
      | 9.9                     | 9.9.2.2                                    |
      +-------------------------+--------------------------------------------+

    ^1 Cisco ASA Software Releases 9.3 and 9.5 have reached
       end-of-software-maintenance status. Customers should migrate to a
       supported release.

    Customers can download the software from the Software Center on Cisco.com
    by clicking Browse all and navigating to Security > Firewalls > Adaptive
    Security Appliances (ASA) > ASA 5500-X Series Firewalls, where there is a
    list of ASA hardware platforms.

    Cisco FTD Software

    In the following table, the left column lists major releases of Cisco FTD
    Software. The right column indicates whether a major release is affected
    by the vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. Customers should upgrade to an
    appropriate release as indicated in this section.
      +----------------------------+--------------------------------------------------+
      | Cisco FTD Software Release | First Fixed Release for This Vulnerability       |
      |----------------------------+--------------------------------------------------|
      | 6.2.0                      | Affected; migrate to Release 6.2.2.3 or 6.2.3.1  |
      |                            | or later.                                        |
      |----------------------------+--------------------------------------------------|
      | 6.2.1                      | Affected; migrate to Release 6.2.2.3 or 6.2.3.1  |
      |                            | or later.                                        |
      |----------------------------+--------------------------------------------------|
      | 6.2.2                      | 6.2.2.3                                          |
      |----------------------------+--------------------------------------------------|
      | 6.2.3                      | 6.2.3.1                                          |
      +----------------------------+--------------------------------------------------+

    Customers can download the software from the Software Center on Cisco.com
    by clicking Browse all and navigating to Security > Firewalls >
    Next-Generation Firewalls (NGFW), where there is a list of Cisco FTD
    hardware platforms.

Exploitation and Public Announcements
  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source
  * This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy
  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.
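    As an added example (not Cisco's tooling and not part of this bulletin),
    the following Python classifies an ASA or FTD show version string against
    the two first-fixed tables above, including the "Affected; migrate" trains
    that have no fix of their own. It assumes the dotted release names in the
    tables (9.4.4.18) name the same build as the CLI's parenthesised form
    (9.4(4)18); releases in trains the tables do not list are reported as such
    rather than guessed.

```python
import re

# First-fixed releases from the advisory's two tables, keyed by release train.
# None means the train is "Affected; migrate" to a newer train.
ASA_FIRST_FIXED = {
    (9, 3): None, (9, 4): (9, 4, 4, 18), (9, 5): None, (9, 6): (9, 6, 4, 8),
    (9, 7): None, (9, 8): (9, 8, 2, 26), (9, 9): (9, 9, 2, 2),
}
FTD_FIRST_FIXED = {
    (6, 2, 0): None, (6, 2, 1): None, (6, 2, 2): (6, 2, 2, 3), (6, 2, 3): (6, 2, 3, 1),
}

def parse_asa_version(show_version_line):
    """'... Software Version 9.4(4)18' -> (9, 4, 4, 18); '9.2(1)' -> (9, 2, 1, 0).

    Assumption (not stated in the advisory): the table's dotted 9.4.4.18 is the
    CLI's 9.4(4)18, i.e. major.minor(maintenance)interim.
    """
    m = re.search(r"\bVersion (\d+)\.(\d+)\((\d+)\)(\d*)", show_version_line)
    if not m:
        raise ValueError("no ASA version in: %r" % show_version_line)
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))

def parse_ftd_version(show_version_output):
    """'Version 6.2.2 (Build 362)' -> (6, 2, 2, 0); 'Version 6.2.3.1 ...' -> (6, 2, 3, 1)."""
    m = re.search(r"\bVersion (\d+(?:\.\d+)+)", show_version_output)
    if not m:
        raise ValueError("no FTD version in: %r" % show_version_output)
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])     # pad to four fields for comparison

def fix_status(version, table, train_len):
    """Classify a parsed version against a first-fixed table.

    The train is the leading train_len fields (2 for ASA, 3 for FTD). Returns
    'fixed' when the version is at or above its train's first fixed release,
    'affected' when below it or when the train has no fix, and 'not in table'
    for trains the advisory does not list.
    """
    train = version[:train_len]
    if train not in table:
        return "not in table"
    fixed = table[train]
    if fixed is None or version < fixed:
        return "affected"
    return "fixed"

def asa_status(show_version_line):
    return fix_status(parse_asa_version(show_version_line), ASA_FIRST_FIXED, 2)

def ftd_status(show_version_output):
    return fix_status(parse_ftd_version(show_version_output), FTD_FIRST_FIXED, 3)
```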
Subscribe to Cisco Security Notifications
  * Subscribe

Related to This Advisory
  * Cisco Event Response: September 2018 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication
  * Cisco Security Blog: Cisco IOS and IOS XE Software Bundled Publication
    September 2018

URL
  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipsec

Revision History
  +---------+--------------------------+---------+--------+-------------------+
  | Version | Description              | Section | Status | Date              |
  |---------+--------------------------+---------+--------+-------------------|
  | 1.0     | Initial public release.  |         | Final  | 2018-September-26 |
  +---------+--------------------------+---------+--------+-------------------+

Legal Disclaimer
  * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits
    the distribution URL is an uncontrolled copy and may lack important
    information or contain factual errors. The information in this document is
    intended for end users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.