Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.1026 Cisco IOS multiple vulnerabilities 28 March 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco IOS Publisher: Cisco Systems Operating System: Cisco Impact/Access: Root Compromise -- Existing Account Execute Arbitrary Code/Commands -- Existing Account Modify Arbitrary Files -- Existing Account Denial of Service -- Remote/Unauthenticated Provide Misleading Information -- Remote/Unauthenticated Read-only Data Access -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-1762 CVE-2019-1761 CVE-2019-1760 CVE-2019-1759 CVE-2019-1758 CVE-2019-1757 CVE-2019-1756 CVE-2019-1755 CVE-2019-1754 CVE-2019-1753 CVE-2019-1752 CVE-2019-1751 CVE-2019-1750 CVE-2019-1749 CVE-2019-1748 CVE-2019-1747 CVE-2019-1746 CVE-2019-1745 CVE-2019-1743 CVE-2019-1742 CVE-2019-1741 CVE-2019-1740 CVE-2019-1739 CVE-2019-1738 CVE-2019-1737 Reference: ESB-2019.0371 ESB-2019.0061 ESB-2019.0372.2 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-call-home-cert https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-evss https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-afu https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-nat64 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-c6500 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-rsp3-ospf https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-sms-dos https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-nbar https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-pnp-cert https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-info https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-isdn https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-ipsla-dos https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-ios-infoleak https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-cmp-dos https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-pe https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-privesc https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-pfrv3 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-xeid https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-mgmtacl https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-eta-dos https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinj https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinject https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-xecmd Comment: This bulletin contains twenty-three (23) advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco IOS and IOS XE Software Smart Call Home Certificate Validation Vulnerability Priority: Medium Advisory ID: cisco-sa-20190327-call-home-cert First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvg83741 CVE-2019-1757 CWE-295 CVSS Score: 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X Summary o A vulnerability in the Cisco Smart Call Home feature of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data using an invalid certificate. The vulnerability is due to insufficient certificate validation by the affected software. An attacker could exploit this vulnerability by supplying a crafted certificate to an affected device. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on user connections to the affected software. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-call-home-cert Affected Products o Vulnerable Products This vulnerability affects devices that are running a vulnerable release of Cisco IOS or IOS XE Software with the Smart Call Home feature enabled. For information about which Cisco IOS and IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory. Determining Whether Smart Call Home is Enabled To determine whether the Smart Call Home feature has been configured, administrators can use the show running-config | section call-home command in the CLI. For a device to be vulnerable, the Call Home service has to be enabled and at least one Call Home profile has to be active. The following example shows the output of the show running-config | section call-home command for a device that has the Smart Call Home feature enabled. service call-home call-home contact-email-addr support@example.com profile "CiscoTAC-1" active destination transport-method http no destination transport-method email Determining the Cisco IOS Software Release To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output. The following example shows the output of the command for a device that is running Cisco IOS Software Release 15.5(2)T1 and has an installed image name of C2951-UNIVERSALK9-M: Router> show version Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Mon 22-Jun-15 09:32 by prod_rel_team For information about the naming and numbering conventions for Cisco IOS Software releases, see the Cisco IOS and NX-OS Software Reference Guide. Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS XR Software or Cisco NX-OS Software. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o For detailed information about affected and fixed software releases, consult the Cisco IOS Software Checker. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing. URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-call-home-cert Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS and IOS XE Software Short Message Service Denial of Service Vulnerability Priority: High Advisory ID: cisco-sa-20190327-sms-dos First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvm07801 CVE-2019-1747 CWE-20 CVSS Score: 8.6 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X Summary o A vulnerability in the implementation of the Short Message Service (SMS) handling functionality of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a denial of service (DoS) condition on an affected device. The vulnerability is due to improper processing of SMS protocol data units (PDUs) that are encoded with a special character set. An attacker could exploit this vulnerability by sending a malicious SMS message to an affected device. A successful exploit could allow the attacker to cause the wireless WAN (WWAN) cellular interface module on an affected device to crash, resulting in a DoS condition that would require manual intervention to restore normal operating conditions. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-sms-dos This advisory is part of the March 27, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 19 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products o Vulnerable Products This vulnerability affects Cisco routers that have a Sierra Wireless WWAN cellular interface module installed and that are running either Cisco IOS Software Release 15.8(3)M or Cisco IOS XE Software Release 16.10.1. The SMS handling functionality is enabled by default only when an active subscriber identity module (SIM) card is installed on a Sierra Wireless WWAN cellular interface module. For information about which Cisco IOS and IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory. Determining Whether a Device Is Using an Embedded Sierra Wireless WWAN Cellular Interface Module To determine whether a Cisco router is using a Sierra Wireless WWAN cellular interface module, use the show inventory | include Sierra Wireless privileged EXEC command on the device. The following example shows the output of the show inventory | include Sierra Wireless command on a router with a Sierra Wireless MC7750 WWAN cellular interface module. Router#show inventory | include Sierra Wireless NAME: "Modem 0 on Cellular0", DESCR: "Sierra Wireless MC7750 4G-V" The modem slot number, the cellular interface number, and the description differ depending on the platform and the model of the WWAN cellular interface module installed. However, if this command does not exist, or it does not produce any output, the device is not affected by the vulnerability described in this advisory. Determining the Cisco IOS Software Release To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output. The following example shows the output of the command for a device that is running Cisco IOS Software Release 15.5(2)T1 and has an installed image name of C2951-UNIVERSALK9-M: Router> show version Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Mon 22-Jun-15 09:32 by prod_rel_team For information about the naming and numbering conventions for Cisco IOS Software releases, see the Cisco IOS and NX-OS Software Reference Guide. Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS XR Software or Cisco NX-OS Software. Details o Successful exploitation of this vulnerability will cause the WWAN cellular interface module on an affected device to crash. The crashed state is localized within the WWAN cellular interface module and does not extend to other modules or processes that are running on the device. Customers whose devices have been affected by successful exploitation of this vulnerability are advised to contact the Cisco Technical Assistance Center (TAC) or their Customer Experience (CX) representative for assistance in recovering the WWAN functionality. Indicators of Compromise o Exploitation of this vulnerability could cause the affected device to repeatedly generate an error message similar to the following: %Router-2-MODEM_DOWN: Cellular0 modem is now DOWN Customers are advised to contact their support organization to review the error message and determine whether the device has been affected by exploitation of this vulnerability. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/ tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to Release 16.9.1 or later are advised to consider the Smart Licensing requirement. The following documentation provides additional information: Smart Licensing. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. Related to This Advisory o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-sms-dos Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS and IOS XE Software Network-Based Application Recognition Denial of Service Vulnerabilities Priority: High Advisory ID: cisco-sa-20190327-nbar First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvb51688 CSCvc94856 CSCvc99155 CSCvf01501 CVE-2019-1738 CVE-2019-1739 CVE-2019-1740 CWE-20 CVSS Score: 8.6 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X Summary o Multiple vulnerabilities in the Network-Based Application Recognition (NBAR) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. These vulnerabilities are due to a parsing issue on DNS packets. An attacker could exploit these vulnerabilities by sending crafted DNS packets through routers that are running an affected version and have NBAR enabled. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-nbar This advisory is part of the March 27, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 19 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products o Vulnerable Products These vulnerabilities affect routers that are running vulnerable releases of Cisco IOS or IOS XE Software and have been configured for NBAR operations. For information about which Cisco IOS and IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory. Determining the NBAR Configuration Administrators can verify whether NBAR is in use on a device by verifying that the "show ip nbar control-plane | include NBAR state" CLI command reports the state as "ACTIVATED". If that command does not produce output, or it reports the state as "DEACTIVATED" then NBAR operation is not configured. Here is an example of a device on which NBAR is enabled: Router#show ip nbar control-plane | include NBAR state NBAR state is ACTIVATED NBAR state: ACTIVATED Here is an example of a device on which NBAR is disabled: Router#show ip nbar control-plane | include NBAR state NBAR state is DEACTIVATED NBAR state: DEACTIVATED Determining the Cisco IOS Software Release To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output. The following example shows the output of the command for a device that is running Cisco IOS Software Release 15.5(2)T1 and has an installed image name of C2951-UNIVERSALK9-M: Router> show version Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Mon 22-Jun-15 09:32 by prod_rel_team For information about the naming and numbering conventions for Cisco IOS Software releases, see the Cisco IOS and NX-OS Software Reference Guide. Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities. Cisco has confirmed that these vulnerabilities does not affect Cisco IOS XR Software or Cisco NX-OS Software. Indicators of Compromise o A successful exploit of these vulnerabilities will cause an affected device to reload and generate a crashinfo file. A successful exploit of these vulnerabilities may be confirmed by decoding the stack trace for the device and determining whether the stack trace correlates with these vulnerabilities. Contact the Cisco Technical Assistance Center (TAC) to review the crashinfo file and determine whether the device has been compromised by exploitation of these vulnerabilities. Workarounds o There are no workarounds that address these vulnerabilities. However, administrators can mitigate these vulnerabilities by disabling the NBAR feature for an affected device until the device is upgraded to a software release that addresses these vulnerabilities. Fixed Software o Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/ tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to Release 16.9.1 or later are advised to consider the Smart Licensing requirement. The following documentation provides additional information: Smart Licensing. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. Source o This vulnerabilities were discovered during the resolution of a support case. Related to This Advisory o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-nbar Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS and IOS XE Software Network Plug-and-Play Agent Certificate Validation Vulnerability Priority: High Advisory ID: cisco-sa-20190327-pnp-cert First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvf36269 CSCvg01089 CVE-2019-1748 CWE-295 CVSS Score: 7.4 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:X/RL:X/RC:X Summary o A vulnerability in the Cisco Network Plug-and-Play (PnP) agent of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data. The vulnerability exists because the affected software insufficiently validates certificates. An attacker could exploit this vulnerability by supplying a crafted certificate to an affected device. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt and modify confidential information on user connections to the affected software. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-pnp-cert This advisory is part of the March 27, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 19 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products o Vulnerable Products This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS or IOS XE Software with the Cisco Plug-and-Play (PnP) agent enabled and initiated. The PnP agent is enabled on all Cisco IOS and IOS XE Software platforms by default, but it is initiated only under one of the following conditions: The startup configuration is absent. A PnP profile has been configured and activated through the CLI. For information about which Cisco IOS and IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory. Determining Whether a PnP Profile Has Been Configured To determine whether a PnP profile has been configured, administrators can use the show pnp profile command in the CLI. The following example shows the output of the show pnp profile command with a PnP profile named test configured and activated: Device# show pnp profile Initiator Profile test: 0 open connections: 0 closing connections Encap: xmpp11 WSSE header is not required. Configured authorization level is 1 Countdown: Security Unlock 0, Service Lock: 0, Service Req Wait: 0, Prxoy Req Wait 0, Service Resp Ack: 0 Max message (RX) is 50 Kbytes XEP Faults are sent Idle timeout infinite Keepalive not configured Reconnect time 60 seconds Primary transport: xmpp socket to host 172.19.193.60, port 5222 Not connected, next reconnect attempt in 52 seconds Device# An empty output of this command indicates that no PnP profile has been configured. In some releases of Cisco IOS and IOS XE Software, the output of the show pnp profile command is different. The following example shows the output of the show pnp profile command in these releases with a PnP profile named pnp-zero-touch configured and activated: Device#show pnp profile PnP Profiles: Active:1, Created:1, Deleted:0, Hidden:0 Name CBType Node Primary-Path Primary-Trans Backup-Trans pnp-zero-touch User visible pnp/WORK-REQUEST HTTPS none Initiator Profile pnp-zero-touch: 0 open connections: 0 closing connections Encap: pnp WSSE header is not required. Configured authorization level is 1 Max message (RX) is 50 Kbytes XEP Faults are sent Idle timeout infinite Keepalive not configured DNS Resolution: default Reconnect time 60 seconds Primary Transport:https to Host:-, IP:10.201.237.169, Port:443, Src-Intf:-, VRF:-, URL pnp/WORK-REQUEST Not connected, next reconnect attempt in 30 seconds In these releases, an output containing Active:0 indicates that no active PnP profile has been configured. Determining the Cisco IOS Software Release To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output. The following example shows the output of the command for a device that is running Cisco IOS Software Release 15.5(2)T1 and has an installed image name of C2951-UNIVERSALK9-M: Router> show version Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Mon 22-Jun-15 09:32 by prod_rel_team For information about the naming and numbering conventions for Cisco IOS Software releases, see the Cisco IOS and NX-OS Software Reference Guide. Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS XR Software or Cisco NX-OS Software. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/ tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to Release 16.9.1 or later are advised to consider the Smart Licensing requirement. The following documentation provides additional information: Smart Licensing. Note: Releases of Cisco IOS and IOS XE Software that contain the fix for this vulnerability require that the PnP server-provided certificate contains a valid Subject Alternative Name (SAN) field to verify the sever identity. The software compares the SAN field of this certificate to the PnP server DNS name or IP address that is configured in the PnP profile on the Cisco IOS or IOS XE device. Customers using an on-premises Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) or Cisco Digital Network Architecture (DNA) Center as a PnP server must ensure that the PnP server certificate contains a valid SAN field. If it does not contain a valid SAN field, the administrator must generate a certificate signing request (CSR) that includes the appropriate SAN field, have the new certificate signed by their certificate authority (CA), and then install it on the PnP server. Further details on how to obtain a CA-signed certificate for the Cisco APIC-EM are available in the Securing the Cisco APIC-EM chapter of the Cisco Application Policy Infrastructure Controller Enterprise Module Administrator Guide. Further details for Cisco DNA Center can be found in the Configure System Settings chapter of the Cisco Digital Network Architecture Center Administrator Guide. Customers who require assistance to configure a self-signed certificate with a valid SAN field are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing. Related to This Advisory o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-pnp-cert Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS and IOS XE Software Information Disclosure Vulnerability Priority: Medium Advisory ID: cisco-sa-20190327-info First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvg97571 CSCvi66418 CVE-2019-1762 CWE-200 CVSS Score: 4.4 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X Summary o A vulnerability in the Secure Storage feature of Cisco IOS and IOS XE Software could allow an authenticated, local attacker to access sensitive system information on an affected device. The vulnerability is due to improper memory operations performed at encryption time, when affected software handles configuration updates. An attacker could exploit this vulnerability by retrieving the contents of specific memory locations of an affected device. A successful exploit could result in the disclosure of keying materials that are part of the device configuration, which can be used to recover critical system information. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-info Affected Products o Vulnerable Products This vulnerability affects Cisco devices with the Secure Storage feature enabled that are running a vulnerable release of Cisco IOS or IOS XE Software. There are two bugs linked to this advisory that both address the same vulnerability: Cisco bug CSCvg97571 was raised to address the code changes in Cisco IOS Software Release 15.6(3) M1 or subsequent releases. Cisco bug CSCvi66418 was raised to address the code changes in Cisco IOS XE Software Release 16.6.1 or subsequent releases. For information about which Cisco IOS and IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory. Determining Whether Secure Storage is Enabled There are two methods for determining whether the Secure Storage feature is enabled on a device: Option 1: Using the show running-config all | include service private-config-encryption Command. To determine whether a device is configured with the Secure Storage feature enabled, use the show running-config all | include service private-config-encryption privileged EXEC command on the device. The following example shows the output of the show running-config all | include service private-config-encryption command on a Cisco device that has the Secure Storage feature enabled. Router# show running-config all | include service private-config-encryption service private-config-encryption If this command does not exist, or if it produces any other output, the device is not affected by the vulnerability described in this advisory. Option 2: Using the show parser encrypt file status | include Feature Command. To determine whether the Secure Storage feature is enabled on a device, use the show parser encrypt file status | include Feature privileged EXEC command on the device. The following example shows the output of the show parser encrypt file status | include Feature command on a Cisco device that has the Secure Storage feature enabled. Router# show parser encrypt file status | include Feature Feature: Enabled If this command does not exist, or if it produces any other output, the device is not affected by the vulnerability described in this advisory. Determining the Cisco IOS Software Release To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output. The following example shows the output of the command for a device that is running Cisco IOS Software Release 15.5(2)T1 and has an installed image name of C2951-UNIVERSALK9-M: Router> show version Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Mon 22-Jun-15 09:32 by prod_rel_team For information about the naming and numbering conventions for Cisco IOS Software releases, see the Cisco IOS and NX-OS Software Reference Guide. Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS XR Software or Cisco NX-OS Software. Details o The Cisco IOS and IOS XE Software Secure Storage feature allows administrators to secure critical configuration information by storing it in an encrypted form. An affected software release may not perform a complete encryption buffer cleanup, which may result in the storage of an unencrypted version of the configuration file together with the encrypted version. An attacker can take advantage of this vulnerability by retrieving the contents of specific memory locations mapped to a storage device that is used to store the device configuration. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o For detailed information about affected and fixed software releases, consult the Cisco IOS Software Checker. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-info Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS and IOS XE Software ISDN Interface Denial of Service Vulnerability Priority: High Advisory ID: cisco-sa-20190327-isdn First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCuz74957 CSCvk01977 CVE-2019-1752 CWE-20 CVSS Score: 8.6 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X Summary o A vulnerability in the ISDN functions of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload. The vulnerability is due to incorrect processing of specific values in the Q.931 information elements. An attacker could exploit this vulnerability by calling the affected device with specific Q.931 information elements being present. An exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition on an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-isdn This advisory is part of the March 27, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 19 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products o Vulnerable Products This vulnerability affects devices that are running a vulnerable version of Cisco IOS or IOS XE Software and are configured with an ISDN interface. For more information about which Cisco IOS and IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory. Determining the ISDN Interface Administrators can identify devices that have an ISDN interface by using the show running config | include isdn switch-type command in the CLI. The following example shows the output of the command on a device with an ISDN interface: Router#show running-config | include isdn switch-type isdn switch-type primary-net5 isdn switch-type primary-net5 Router# The switch type is irrelevant to the vulnerability and could be any value, as shown in the previous example. Determining the Cisco IOS Software Release To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output. The following example shows the output of the command for a device that is running Cisco IOS Software Release 15.5(2)T1 and has an installed image name of C2951-UNIVERSALK9-M: Router> show version Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Mon 22-Jun-15 09:32 by prod_rel_team For information about the naming and numbering conventions for Cisco IOS Software releases, see the Cisco IOS and NX-OS Software Reference Guide. Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS XR Software or Cisco NX-OS Software. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/ tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to Release 16.9.1 or later are advised to consider the Smart Licensing requirement. The following documentation provides additional information: Smart Licensing. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. Related to This Advisory o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-isdn Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS and IOS XE Software IP Service Level Agreement Denial of Service Vulnerability Priority: High Advisory ID: cisco-sa-20190327-ipsla-dos First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvf37838 CVE-2019-1737 CWE-400 CVSS Score: 8.6 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X Summary o A vulnerability in the processing of IP Service Level Agreement (SLA) packets by Cisco IOS Software and Cisco IOS XE software could allow an unauthenticated, remote attacker to cause an interface wedge and an eventual denial of service (DoS) condition on the affected device. The vulnerability is due to improper socket resources handling in the IP SLA responder application code. An attacker could exploit this vulnerability by sending crafted IP SLA packets to an affected device. An exploit could allow the attacker to cause an interface to become wedged, resulting in an eventual denial of service (DoS) condition on the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-ipsla-dos This advisory is part of the March 27, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 19 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products o Vulnerable Products This vulnerability affects routers that are running vulnerable releases of Cisco IOS and IOS XE Software and have been configured for IP SLA Responder operations. For information about which Cisco IOS and IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory. Determining the IP SLA Configuration Administrators can verify whether IP SLA Responder is in use on a device by verifying that it is reported as "Enabled" in the output of the show ip sla responder CLI command. Here is an example of the output of that command on a router configured for IP SLA Responder operations: Router#show ip sla responder General IP SLA Responder on Control port 1967 General IP SLA Responder on Control V2 port 1167 General IP SLA Responder is: Enabled Determining the Cisco IOS Software Release To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output. The following example shows the output of the command for a device that is running Cisco IOS Software Release 15.5(2)T1 and has an installed image name of C2951-UNIVERSALK9-M: Router> show version Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Mon 22-Jun-15 09:32 by prod_rel_team For information about the naming and numbering conventions for Cisco IOS Software releases, see the Cisco IOS and NX-OS Software Reference Guide. Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS XR Software or Cisco NX-OS Software. Details o Queue wedges occur when certain packets are received and queued by a Cisco IOS or IOS-XE router or switch but, due to a processing error, are never removed from the queue. Consult the Workarounds section of this advisory for more information about queue wedges and some detection mechanisms that may be used to identify a blocked interface in Cisco IOS Software. Also see the Cisco Security Blog Cisco IOS Queue Wedges Explained. Indicators of Compromise o On devices where this vulnerability is exploited, crafted IP SLA packets will get stuck in the ingress input queue of the receiving interface and eventually wedge the queue. Once this interface is wedged, it will stop receiving traffic until the router is reloaded. Workarounds o There are no workarounds that address this vulnerability. The following identification mechanisms exist for this vulnerability: Embedded Event Manager A Cisco IOS Embedded Event Manager (EEM) policy that is based on Tool Command Language (Tcl) can be used on vulnerable Cisco IOS devices to identify and detect an interface queue wedge that is caused by this vulnerability. The policy allows administrators to monitor the interfaces for Cisco IOS device and detect when the interface input queues are full. When Cisco IOS EEM detects potential exploitation of this vulnerability, the policy can trigger a response by sending an alert to the network administrator, who could then decide to implement an upgrade, implement suitable mitigations or reload the device to clear the input queue. The Tcl script is available for download at the "Cisco Beyond: Embedded Event Manager (EEM) Scripting Community" at the following link: https:// supportforums.cisco.com/docs/DOC-19337 For additional information, see the Cisco Security Blog Cisco IOS Queue Wedges Explained. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/ tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to Release 16.9.1 or later are advised to consider the Smart Licensing requirement. The following documentation provides additional information: Smart Licensing. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. Related to This Advisory o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-ipsla-dos Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS and IOS XE Software Hot Standby Router Protocol Information Leak Vulnerability Priority: Medium Advisory ID: cisco-sa-20190327-ios-infoleak First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvj98575 CVE-2019-1761 CWE-665 CVSS Score: 4.3 AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X Summary o A vulnerability in the Hot Standby Router Protocol (HSRP) subsystem of Cisco IOS and IOS XE Software could allow an unauthenticated, adjacent attacker to receive potentially sensitive information from an affected device. The vulnerability is due to insufficient memory initialization. An attacker could exploit this vulnerability by receiving HSRPv2 traffic from an adjacent HSRP member. A successful exploit could allow the attacker to receive potentially sensitive information from the adjacent device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-ios-infoleak Affected Products o Vulnerable Products This vulnerability affects Cisco IOS and IOS XE Software. For information about which software releases are vulnerable, see the Fixed Software section of this advisory. Determining the Cisco IOS Software Release To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output. The following example shows the output of the command for a device that is running Cisco IOS Software Release 15.5(2)T1 and has an installed image name of C2951-UNIVERSALK9-M: Router> show version Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Mon 22-Jun-15 09:32 by prod_rel_team For information about the naming and numbering conventions for Cisco IOS Software releases, see the Cisco IOS and NX-OS Software Reference Guide. Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o For detailed information about affected and fixed software releases, consult the Cisco IOS Software Checker. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-ios-infoleak Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS and IOS XE Software Cluster Management Protocol Denial of Service Vulnerability Priority: High Advisory ID: cisco-sa-20190327-cmp-dos First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvj25068 CSCvj25124 CVE-2019-1746 CWE-20 CVSS Score: 7.4 AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X Summary o A vulnerability in the Cluster Management Protocol (CMP) processing code in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition on an affected device. The vulnerability is due to insufficient input validation when processing CMP management packets. An attacker could exploit this vulnerability by sending malicious CMP management packets to an affected device. A successful exploit could cause the switch to crash, resulting in a DoS condition. The switch will reload automatically. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-cmp-dos This advisory is part of the March 27, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 19 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products o Vulnerable Products This vulnerability affects Cisco Catalyst Switches that are running a vulnerable release of Cisco IOS or IOS XE Software when the switch meets all the following conditions: CMP is enabled. On some platforms, CMP is enabled by default. The switch is configured to be part of a cluster domain. The switch has a role of command switch or member switch. For information about which Cisco IOS and IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory. Determining Whether the Switch Has a Vulnerable Configuration There are two methods for determining whether the switch has a vulnerable configuration. Option 1: Using the show cluster | include cluster Command To determine the status of CMP on a device and verify that is configured to be part of a cluster domain, use the show cluster | include cluster privileged EXEC command on the device. The following example shows the output of the show cluster | include cluster command on a Cisco Catalyst Switch that has CMP enabled and that is also part of a cluster domain. SWITCH#show cluster | include cluster <ROLE> for cluster <CLUSTER_NAME> If this command does not exist, or if it produces any other output, the device is not affected by the vulnerability described in this advisory. Option 2: Using the show running-config [all] Command To determine whether a device is configured with CMP enabled, use the show running-config all | include cluster run privileged EXEC command on the device. The following example shows the output of the show running-config all | include cluster run command on a switch that has CMP enabled: SWITCH#show running-config all | include cluster run cluster run To determine whether a device has been configured to be part of a cluster domain either as a command switch or as a member switch, use the show running-config | include cluster commander|cluster member privileged EXEC command. On a switch that is not a part of a cluster domain, this command will result in empty output. The following example shows the output of the show running-config | include cluster commander|cluster member command on a device that is configured to be part of cluster domain with a role of command switch. SWITCH#show running-config | include cluster commander|cluster member cluster member <NUMBER> mac-address <MAC-ADDRESS> The following example shows the output of the show running-config | include cluster commander|cluster member command on a device that is configured to be part of cluster domain with a role of member switch. SWITCH#show running-config | include cluster commander|cluster member cluster commander-address <MAC-ADDRESS> <CLUSTER-INFORMATION> When Option 2 is used to assess the device, it is affected by the vulnerability described in this advisory only if both the following conditions are true: The output of the show running-config all | include cluster run command includes the following exact string: cluster run The show running-config | include cluster commander|cluster member command does not result in empty output. Determining the Cisco IOS Software Release To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output. The following example shows the output of the command for a device that is running Cisco IOS Software Release 15.5(2)T1 and has an installed image name of C2951-UNIVERSALK9-M: Router> show version Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Mon 22-Jun-15 09:32 by prod_rel_team For information about the naming and numbering conventions for Cisco IOS Software releases, see the Cisco IOS and NX-OS Software Reference Guide. Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS XR Software or Cisco NX-OS Software. Details o CMP is a collection of underlying technologies that facilitate the management of a group of switches with use of a single IP address. In each cluster, there is a master switch called the command switch, and the rest of the switches serve as member switches. The command switch provides the primary management interface for the entire cluster. Switches within a cluster domain use CMP to perform all signaling and configuration operations. CMP uses encapsulated Ethernet frames that contain a Subnetwork Access Protocol (SNAP) header with the Cisco Organizationally Unique Identifier (OUI) and CMP protocol identifier. The vulnerability is due to insufficient input validation when processing CMP management packets. Due to the Layer 2 nature of CMP, only an attacker with access to the local network segment on which the targeted device resides could exploit the vulnerability described in this advisory. A successful exploit could cause the switch to crash, resulting in a DoS condition. The switch will reload automatically. Indicators of Compromise o Exploitation of this vulnerability could cause the affected switch to generate error messages similar to the following: Mar 22 2019 10:18:29.180 EST: %DATACORRUPTION-CLUSTER_MEMBER_2-1-DATAINCONSISTENCY: copy error, -PC= 0x2A9E20z -Traceback= 463F74z 486D64z 2B8F2D8z 2A9E20z 2A7C74z 2A7EE8z 297DD08z 297A088z Mar 22 2019 10:18:33.385 EST: %SYS-CLUSTER_MEMBER_2-3-TIMERNEG: Cannot start timer (0x48D3988) with negative offset (-805296368). -Process= "Cluster Base", ipl= 0, pid= 281 -Traceback= 463F74z 1F22304z 2A17DCz 297DD08z 297A088z Unexpected exception to CPU vector 1 (undefined instruction), PC = 2 -Traceback= 0x2z 0x31EC60z 0x1655CF4z The values printed after the -Traceback= text are version dependent. Customers are advised to contact their support organization to review the error messages and determine whether the device has been compromised by exploitation of this vulnerability. Workarounds o There are no workarounds that address this vulnerability. Disabling CMP would eliminate the exploit vector. Administrators can disable CMP by using the no cluster run command in global configuration mode. This action may be a suitable mitigation until switches that are affected by this vulnerability can be upgraded. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/ tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to Release 16.9.1 or later are advised to consider the Smart Licensing requirement. The following documentation provides additional information: Smart Licensing. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. Related to This Advisory o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-cmp-dos Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS XE Software Privilege Escalation Vulnerability Priority: High Advisory ID: cisco-sa-20190327-iosxe-pe First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvi42203 CVE-2019-1753 CWE-20 CVSS Score: 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X Summary o A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated but unprivileged (level 1), remote attacker to run privileged Cisco IOS commands by using the web UI. The vulnerability is due to a failure to validate and sanitize input in Web Services Management Agent (WSMA) functions. An attacker could exploit this vulnerability by submitting a malicious payload to the affected device's web UI. A successful exploit could allow the lower-privileged attacker to execute arbitrary commands with higher privileges on the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-iosxe-pe This advisory is part of the March 27, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 19 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products o Vulnerable Products This vulnerability affects Cisco devices that are running an affected release of Cisco IOS XE Software with the web server feature enabled. For information about which Cisco IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory. Assessing the HTTP Server Configuration To determine whether the HTTP Server feature is enabled for a device, administrators can log in to the device and use the show running-config | include http (secure|server) command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present and configured, the HTTP Server feature is enabled for the device. The following example shows the output of the show running-config | include http (secure|server) command for a router that has the HTTP Server feature enabled: Router# show running-config | include http (secure|server) ip http server ip http secure-server Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/ tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to Release 16.9.1 or later are advised to consider the Smart Licensing requirement. The following documentation provides additional information: Smart Licensing. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing. Related to This Advisory o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-iosxe-pe Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS XE Software Privilege Escalation Vulnerability Priority: High Advisory ID: cisco-sa-20190327-iosxe-privesc First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvi36813 CVE-2019-1754 CWE-20 CVSS Score: 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X Summary o A vulnerability in the authorization subsystem of Cisco IOS XE Software could allow an authenticated but unprivileged (level 1), remote attacker to run privileged Cisco IOS commands by using the web UI. The vulnerability is due to improper validation of user privileges of web UI users. An attacker could exploit this vulnerability by submitting a malicious payload to a specific endpoint in the web UI. A successful exploit could allow the lower-privileged attacker to execute arbitrary commands with higher privileges on the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-iosxe-privesc This advisory is part of the March 27, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 19 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products o Vulnerable Products This vulnerability affects Cisco devices that are running an affected release of Cisco IOS XE Software with the web server feature enabled. For information about which Cisco IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory. Assessing the HTTP Server Configuration To determine whether the HTTP Server feature is enabled for a device, administrators can log in to the device and use the show running-config | include http (secure|server) command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present and configured, the HTTP Server feature is enabled for the device. The following example shows the output of the show running-config | include http (secure|server) command for a router that has the HTTP Server feature enabled: Router# show running-config | include http (secure|server) ip http server ip http secure-server Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/ tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to Release 16.9.1 or later are advised to consider the Smart Licensing requirement. The following documentation provides additional information: Smart Licensing. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing. Related to This Advisory o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-iosxe-privesc Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS XE Software Performance Routing Version 3 Denial of Service Vulnerability Priority: Medium Advisory ID: cisco-sa-20190327-pfrv3 First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvj55896 CVE-2019-1760 CWE-20 CVSS Score: 6.8 AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X Summary o A vulnerability in Performance Routing Version 3 (PfRv3) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the affected device to reload. The vulnerability is due to the processing of malformed smart probe packets. An attacker could exploit this vulnerability by sending specially crafted smart probe packets at the affected device. A successful exploit could allow the attacker to reload the device, resulting in a denial of service (DoS) attack on an affected system. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-pfrv3 Affected Products o Vulnerable Products This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software if the performance routing version 3 (PfRv3) feature is enabled. For information about which software releases are vulnerable, see the Fixed Software section of this advisory. Assessing the PfRv3 Configuration To determine whether the PfRv3 feature is enabled for a device, administrators can log in to the device and use the show running-config | include ^domain command in the CLI to check for the presence of the domain <domain-name> command in the global configuration. The following example shows the output of the show running-config | include ^domain command for a router that has the PfRv3 feature enabled: IWAN_Router#show run | include ^domain domain iwan IWAN_Router# Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software. Details o Although the exploit is triggered with a crafted smart probe packet, it is recommended that administrators deploy PfRv3 with tunnel protection enabled, which makes it difficult to inject the smart probe packet into the network to achieve exploitation. This vulnerability is caused by a software regression that only affects Cisco IOS XE Software. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o For detailed information about affected and fixed software releases, consult the Cisco IOS Software Checker. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-pfrv3 Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS XE Software Information Disclosure Vulnerability Priority: High Advisory ID: cisco-sa-20190327-xeid First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvi36797 CVE-2019-1742 CWE-16 CVSS Score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X Summary o A vulnerability in the web UI of Cisco IOS XE Software could allow an unauthenticated, remote attacker to access sensitive configuration information. The vulnerability is due to improper access control to files within the web UI. An attacker could exploit this vulnerability by sending a malicious request to an affected device. A successful exploit could allow the attacker to gain access to sensitive configuration information. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-xeid This advisory is part of the March 27, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 19 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products o Vulnerable Products This vulnerability affects Cisco devices that are running an affected release of Cisco IOS XE Software with the web server feature enabled. For information about which Cisco IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory. Assessing the HTTP Server Configuration To determine whether the HTTP Server feature is enabled for a device, administrators can log in to the device and use the show running-config | include http (secure|server) command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present and configured, the HTTP Server feature is enabled for the device. The following example shows the output of the show running-config | include http (secure|server) command for a router that has the HTTP Server feature enabled: Router# show running-config | include http (secure|server) ip http sjavascript:void(0);erver ip http secure-server Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/ tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to Release 16.9.1 or later are advised to consider the Smart Licensing requirement. The following documentation provides additional information: Smart Licensing. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing. Related to This Advisory o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-xeid Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS XE Software Gigabit Ethernet Management Interface Access Control List Bypass Vulnerability Priority: Medium Advisory ID: cisco-sa-20190327-mgmtacl First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvk47405 CSCvm97704 CVE-2019-1759 CWE-284 CVSS Score: 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X Summary o A vulnerability in access control list (ACL) functionality of the Gigabit Ethernet Management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to reach the configured IP addresses on the Gigabit Ethernet Management interface. The vulnerability is due to a logic error that was introduced in the Cisco IOS XE Software 16.1.1 Release, which prevents the ACL from working when applied against the management interface. An attacker could exploit this issue by attempting to access the device via the management interface. Cisco has released software updates that address this vulnerability. There are partial workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-mgmtacl Affected Products o Vulnerable Products This vulnerability affects Cisco devices that are running a vulnerable 16.x release of Cisco IOS XE Software and are configured with an access control list (ACL) on the Gigabit Ethernet Management interface. This vulnerability was introduced in Cisco IOS XE Software Release 16.1.1. For information about which software releases are vulnerable, see the Fixed Software section of this advisory. Assessing the Gigabit Ethernet Management Interface To determine whether the Gigabit Ethernet Management interface configuration is affected, administrators can log in to the device and use the show running-config | section interface GigabitEthernet0$ command in the CLI to check for the presence of the ip access-group command or the ipv6 traffic-filter command. If either command is present and configured, the device has an affected configuration. The following example shows the output of the show running-config | section interface GigabitEthernet0$ command for a router that has an affected configuration: Router# sh running-config | section interface GigabitEthernet0$ interface GigabitEthernet0 vrf forwarding Mgmt-intf ip address 192.168.1.1 255.255.255.0 ip access-group 100 in Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software. Details o If an access list is applied to the Gigabit Ethernet Management interface, it is not evaluated from Cisco IOS XE Software Release 16.1.1 until the first fix, resulting in the ACL being bypassed. All platforms are addressed under Cisco Bug ID CSCvk47405 with the exception of Cisco Catalyst 9200 Series Switches, which are addressed under Cisco Bug ID CSCvm97704. Workarounds o For features that leverage the TTYs, administrators can apply an access control list to all VTY lines, which will mitigate this vulnerability for those applications as shown in the following example: ! ! Create the Access Control List ! ip access-list standard Mgmt-Int-ACL remark *** Allow Trusted Hosts *** permit 192.168.0.1 remark *** Deny all Others *** deny any ! ! Applied the ACL to the VTY lines ! line vty 0 4 access-class Mgmt-Int-ACL in ! ! Applied to the http server (if enabled) ! ip http access-class ipv4 Mgmt-Int-ACL Applications that are accessible on the device but do not use the TTYs application-specific ACLs (where supported) would have to be configured. One example is if the HTTP server is enabled. To apply an HTTP server ACL, see the following example: ! ! Create the Access Control List ! ip access-list standard Mgmt-Int-ACL remark *** Allow Trusted Hosts *** permit 192.168.0.1 remark *** Deny all Others *** deny any ! ! Applied to the http server (if enabled) ! ip http access-class ipv4 Mgmt-Int-ACL Applications that are accessible on the device that do not require a TTY to be allocated and do not support application-specific ACLs are still exposed. Two examples are TFTP and FTP. Fixed Software o For detailed information about affected and fixed software releases, consult the Cisco IOS Software Checker. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-mgmtacl Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS XE Software Encrypted Traffic Analytics Denial of Service Vulnerability Priority: High Advisory ID: cisco-sa-20190327-eta-dos First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvi77889 CVE-2019-1741 CWE-20 CVSS Score: 8.6 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X Summary o A vulnerability in the Cisco Encrypted Traffic Analytics (ETA) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to a logic error that exists when handling a malformed incoming packet, leading to access to an internal data structure after it has been freed. An attacker could exploit this vulnerability by sending crafted, malformed IP packets to an affected device. A successful exploit could allow the attacker to cause an affected device to reload, resulting in a DoS condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-eta-dos This advisory is part of the March 27, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 19 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products o Vulnerable Products This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software and are configured to use the Cisco ETA feature. For information about which Cisco IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory. Assessing the Cisco Encrypted Traffic Analytics Configuration Administrators can verify if a device is configured for ETA operation by using the show platform software et-analytics global CLI command. If the operations are configured, that command will list the configured interfaces in its output. Here is an example of a device where ETA operation has been configured on the GigabitEthernet0/0/0 interface: bsns-4331-4#show platform software et-analytics global ET-Analytics Global state ========================= All Interfaces : Off IP Flow-record Destination: 192.0.2.2: 2055 Inactive timer: 15 ET-Analytics interfaces ========================= GigabitEthernet0/0/0 Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software. Details o A vulnerability exists in the logic that is used by the Cisco ETA feature when processing malformed inbound packets on an interface configured for Cisco ETA operations. The logic error could cause an internal data structure to be freed while processing the packet. When the processing requires accessing the freed structure, an error occurs, and the device reloads. Indicators of Compromise o Exploitation of this vulnerability will cause an affected device to reload and generate a core file. Contact the Cisco Technical Assistance Center (TAC) to review the core file and determine whether the device has been compromised by exploitation of this vulnerability. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/ tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to Release 16.9.1 or later are advised to consider the Smart Licensing requirement. The following documentation provides additional information: Smart Licensing. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing. Related to This Advisory o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-eta-dos Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS XE Software Command Injection Vulnerability Priority: High Advisory ID: cisco-sa-20190327-iosxe-cmdinj First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvi36824 CVE-2019-1755 CWE-20 CVSS Score: 6.5 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:X/RL:X/RC:X Summary o A vulnerability in the Web Services Management Agent (WSMA) function of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary Cisco IOS commands as a privilege level 15 user. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker could exploit this vulnerability by submitting crafted HTTP requests to the targeted application. A successful exploit could allow the attacker to execute arbitrary commands on the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-iosxe-cmdinj This advisory is part of the March 27, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 19 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products o Vulnerable Products This vulnerability affects Cisco devices that are running an affected release of Cisco IOS XE Software with the web server feature enabled. For information about which Cisco IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory. Assessing the HTTP Server Configuration To determine whether the HTTP Server feature is enabled for a device, administrators can log in to the device and use the show running-config | include http (secure|server) command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present and configured, the HTTP Server feature is enabled for the device. The following example shows the output of the show running-config | include http (secure|server) command for a router that has the HTTP Server feature enabled: Router# show running-config | include http (secure|server) ip http server ip http secure-server Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/ tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to Release 16.9.1 or later are advised to consider the Smart Licensing requirement. The following documentation provides additional information: Smart Licensing. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing. Related to This Advisory o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-iosxe-cmdinj Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS XE Software Command Injection Vulnerability Priority: High Advisory ID: cisco-sa-20190327-iosxe-cmdinject First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvi36805 CVE-2019-1756 CWE-20 CVSS Score: 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X Summary o A vulnerability in Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying a username with a malicious payload in the web UI and subsequently making a request to a specific endpoint in the web UI. A successful exploit could allow the attacker to run arbitrary commands as the root user, allowing complete compromise of the system. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-iosxe-cmdinject This advisory is part of the March 27, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 19 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products o Vulnerable Products This vulnerability affects Cisco devices that are running an affected release of Cisco IOS XE Software with the web server feature enabled. For information about which Cisco IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory. Assessing the HTTP Server Configuration To determine whether the HTTP Server feature is enabled for a device, administrators can log in to the device and use the show running-config | include http (secure|server) command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present and configured, the HTTP Server feature is enabled for the device. The following example shows the output of the show running-config | include http (secure|server) command for a router that has the HTTP Server feature enabled: Router# show running-config | include http (secure|server) ip http server ip http secure-server Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/ tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to Release 16.9.1 or later are advised to consider the Smart Licensing requirement. The following documentation provides additional information: Smart Licensing. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing. Related to This Advisory o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-iosxe-cmdinject Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS XE Software Command Injection Vulnerability Priority: High Advisory ID: cisco-sa-20190327-xecmd First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvj61307 CVE-2019-1745 CWE-78 CVSS Score: 8.8 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:X/RL:X/RC:X Summary o A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with elevated privileges. The vulnerability is due to insufficient input validation of commands supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to the affected commands. An exploit could allow the attacker to gain root privileges on the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-xecmd This advisory is part of the March 27, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 19 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products o Vulnerable Products This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software. For information about which Cisco IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory. Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/ tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to Release 16.9.1 or later are advised to consider the Smart Licensing requirement. The following documentation provides additional information: Smart Licensing. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing. Related to This Advisory o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-xecmd Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS XE Software Catalyst 4500 Cisco Discovery Protocol Denial of Service Vulnerability Priority: High Advisory ID: cisco-sa-20190327-evss First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: Yes Cisco Bug IDs: CSCvk24566 CVE-2019-1750 CWE-20 CVSS Score: 7.4 AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X Summary o A vulnerability in the Easy Virtual Switching System (VSS) of Cisco IOS XE Software on Catalyst 4500 Series Switches could allow an unauthenticated, adjacent attacker to cause the switches to reload. The vulnerability is due to incomplete error handling when processing Cisco Discovery Protocol (CDP) packets used with the Easy Virtual Switching System. An attacker could exploit this vulnerability by sending a specially crafted CDP packet. An exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-evss This advisory is part of the March 27, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 19 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products o Vulnerable Products This vulnerability affects Cisco Catalyst 4500/4500X Series Switches that are running a vulnerable release of Cisco IOS XE Software and have CDP enabled. For information about which software releases are vulnerable, see the Fixed Software section of this advisory. There are two different configurations where the switch is vulnerable: 1. Cisco Catalyst 4500/4500X Series device has CDP enabled with CDP Application TLVs. 2. When an admin is converting the switches' configuration from standalone mode to virtual switch mode using easy virtual switching. Determining if CDP Is Enabled To determine whether use of the Cisco Discovery Protocol is enabled for a device, administrators can use the show cdp command in the device CLI. The output of the command displays global Cisco Discovery Protocol information or, if the protocol is disabled, indicates that use of the protocol is not enabled. Examples of both are shown as follows: Switch#show cdp Global CDP information: Sending CDP packets every 60 seconds Sending a holdtime value of 180 seconds Sending CDPv2 advertisements is enabled Switch# Switch#show cdp % CDP is not enabled Switch# Determining if CDP Application TLVs Are Enabled By default, CDP Application TLV processing is enabled. To determine if CDP Application TLVs are disabled, administrators can issue the show running-config | include no cdp tlv app CLI command. If the output returns nothing, then processing of CDP Application TLVs is enabled. If it returns output, it will indicate which interfaces have the CDP Application TLVs processing disabled, as shown in the following example: Switch#show running-config | include no cdp tlv app no cdp tlv app no cdp tlv app no cdp tlv app Switch# Determining if Admin Is Converting the Switches' Configuration From Standalone Mode to Virtual Switch Mode Using Easy Virtual Switching When an admin issues the switch convert mode easy-virtual-switch exec command on a device, it commences configuring the switches to operate as a VSS. Once the configuration has completed, the switches will reload. Part of this process is that UDP port 5500 is opened until the switches reload. During this period, it is possible to remotely exploit this vulnerability. Once the system reloads as a VSS, only the adjacent vector is available. Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software. Details o While the attack vector is network during the admin converting the switches configuration from standalone mode to virtual switch mode using easy virtual switching, the attack complexity also increases to high, resulting in a lower CVSSv3 score than would be assigned with the attack vector being adjacent and the attack complexity being low. Indicators of Compromise o The traceback generated with the crash will indicate that the system crashed in the process vss bringup, as shown in the following example: IOSD-EXT-SIGNAL: Segmentation fault(11), Process = vss bringup Customers experiencing a crash with this traceback should raise a case with their support organization to confirm they are hitting this vulnerability. Workarounds o Disabling CDP Application Type, Length, Value (TLV) By default, CDP Application TLVs are enabled. Disabling CDP Application TLVs will mitigate this vulnerability. To disable use of CDP Application TLVs globally for a device, use the no cdp tlv app command in the global configuration CLI. To disable use of CDP Application TLVs for a specific interface of a device, use the no cdp tlv app command in the interface configuration CLI. To see if CDP Application TLVs are in use on the device before disabling them, use the command show cdp tlv app. If the command returns output, then it is advisable not to disable the CDP TLV App globally. Disabling CDP If CDP is not required, administrators may disable use of the Cisco Discovery Protocol by a device. To disable use of the protocol globally for a device, use the no cdp run command in the global configuration CLI. To disable use of the protocol for a specific interface of a device, use the no cdp enable command in the interface configuration CLI. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/ tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to Release 16.9.1 or later are advised to consider the Smart Licensing requirement. The following documentation provides additional information: Smart Licensing. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. Related to This Advisory o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-evss Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS XE Software Arbitrary File Upload Vulnerability Priority: High Advisory ID: cisco-sa-20190327-afu First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvi48984 CVE-2019-1743 CWE-20 CVSS Score: 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X Summary o A vulnerability in the web UI framework of Cisco IOS XE Software could allow an authenticated, remote attacker to make unauthorized changes to the filesystem of the affected device. The vulnerability is due to improper input validation. An attacker could exploit this vulnerability by crafting a malicious file and uploading it to the device. An exploit could allow the attacker to gain elevated privileges on the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-afu This advisory is part of the March 27, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 19 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products o Vulnerable Products This vulnerability affects Cisco devices that are running an affected release of Cisco IOS XE Software with the web server feature enabled. For information about which Cisco IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory. Assessing the HTTP Server Configuration To determine whether the HTTP Server feature is enabled for a device, administrators can log in to the device and use the show running-config | include http (secure|server) command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present and configured, the HTTP Server feature is enabled for the device. The following example shows the output of the show running-config | include http (secure|server) command for a router that has the HTTP Server feature enabled: Router# show running-config | include http (secure|server) ip http server ip http secure-server Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M: ios-xe-device# show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Sun 27-Mar-16 21:47 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/ tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to Release 16.9.1 or later are advised to consider the Smart Licensing requirement. The following documentation provides additional information: Smart Licensing. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing. Related to This Advisory o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-afu Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS Software NAT64 Denial of Service Vulnerability Priority: High Advisory ID: cisco-sa-20190327-nat64 First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvk61580 CVE-2019-1751 CWE-20 CVSS Score: 8.6 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X Summary o A vulnerability in the Network Address Translation 64 (NAT64) functions of Cisco IOS Software could allow an unauthenticated, remote attacker to cause either an interface queue wedge or a device reload. The vulnerability is due to the incorrect handling of certain IPv4 packet streams that are sent through the device. An attacker could exploit this vulnerability by sending specific IPv4 packet streams through the device. An exploit could allow the attacker to either cause an interface queue wedge or a device reload, resulting in a denial of service (DoS) condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-nat64 This advisory is part of the March 27, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 19 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products o Vulnerable Products This vulnerability affects devices that are running a vulnerable release of Cisco IOS Software and are configured with either NAT64 (Stateless or Stateful), Mapping of Address and Port Using Translation (MAP-T), or Mapping of Address and Port Using Encapsulation (MAP-E). For more information about which Cisco IOS Software releases are vulnerable, see the Fixed Software section of this advisory. Determining the NAT64 Configuration Administrators can identify devices that have either NAT64 (Stateless or Stateful), MAP-T, or MAP-E by using the show running-config | include nat64 enable|nat64 map-t|nat64 map-e command in the CLI. If the command returns output with nat64 in it, the device is vulnerable. The following example shows the output of the command on a device with NAT64 enabled: Router#show running-config | include nat64 enable|nat64 map-t|nat64 map-e nat64 enable nat64 enable nat64 prefix stateless 2001:DB9:0:1::/96 nat64 route 192.1.1.0/24 GigabitEthernet0/1 Router# Determining the Cisco IOS Software Release To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output. The following example shows the output of the command for a device that is running Cisco IOS Software Release 15.5(2)T1 and has an installed image name of C2951-UNIVERSALK9-M: Router> show version Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Mon 22-Jun-15 09:32 by prod_rel_team For information about the naming and numbering conventions for Cisco IOS Software releases, see the Cisco IOS and NX-OS Software Reference Guide. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS XE Software, Cisco IOS XR Software, or Cisco NX-OS Software. Details o Queue wedges occur when certain packets are received and queued by a Cisco IOS or IOS XE router or switch but, due to a processing error, are never removed from the queue. Consult the Workarounds section of this advisory for more information about queue wedges and some detection mechanisms that may be used to identify a blocked interface in Cisco IOS Software. See also the Cisco Security Blog Cisco IOS Queue Wedges Explained. In the event of exploitation, if the source of the exploit traffic is identified and subsequently blocked so that this traffic doesn't continue to reach the vulnerable device, administrators can increase the hold queue via the interface CLI configuration command hold-queue <number> in until they can reload the router, as shown in the following example: Router#conf t Enter configuration commands, one per line. End with CNTL/Z. Router(config)#inte gigabitEthernet 1 Router(config-if)#hold Router(config-if)#hold-queue 350 in Router(config-if)#end Router# Indicators of Compromise o If the device is exploited and results in a queue wedge, the output of the show interface command will show an interface with the size of the input queue being greater than the max, as shown in the following example: Router#show interface | include Input queue: Input queue: 76/75/180/0 (size/max/drops/flushes); Total output drops: 0 Workarounds o There are no workarounds that address this vulnerability. The following identification mechanisms exist for the queue wedge exploit for this vulnerability: Embedded Event Manager A Cisco IOS Embedded Event Manager (EEM) policy that is based on Tool Command Language (Tcl) can be used on vulnerable Cisco IOS devices to identify and detect an interface queue wedge that is caused by this vulnerability. The policy allows administrators to monitor the interfaces for Cisco IOS device and detect when the interface input queues are full. When Cisco IOS EEM detects potential exploitation of this vulnerability, the policy can trigger a response by sending an alert to the network administrator, who could then decide to implement an upgrade, implement suitable mitigations, or reload the device to clear the input queue. The Tcl script is available for download from the Cisco Beyond: Embedded Event Manager (EEM) Scripting Community at the following link: https:// supportforums.cisco.com/docs/DOC-19337 For additional information, see the Cisco Security Blog Cisco IOS Queue Wedges Explained. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/ tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS Software To help customers determine their exposure to vulnerabilities in Cisco IOS Software, Cisco provides a tool, the Cisco IOS Software Checker, that identifies any Cisco Security Advisories that impact a specific Cisco IOS Software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS Software release--for example, 15.1(4)M2--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing. Related to This Advisory o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-nat64 Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco IOS Software Catalyst 6500 Series 802.1x Authentication Bypass Vulnerability Priority: Medium Advisory ID: cisco-sa-20190327-c6500 First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: Yes Cisco Bug IDs: CSCvk25074 CVE-2019-1758 CWE-287 CVSS Score: 4.7 AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X Summary o A vulnerability in 802.1x function of Cisco IOS Software on the Catalyst 6500 Series Switches could allow an unauthenticated, adjacent attacker to access the network prior to authentication. The vulnerability is due to how the 802.1x packets are handled in the process path. An attacker could exploit this vulnerability by attempting to connect to the network on an 802.1x configured port. A successful exploit could allow the attacker to intermittently obtain access to the network. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-c6500 Affected Products o Vulnerable Products This vulnerability affects Cisco Catalyst 6500 Series Switches that are running a vulnerable release of Cisco IOS Software if the 802.1x feature is enabled with authentication host-mode being multi-domain, authentication violation being restrict, and in closed authentication mode on a given interface. For information about which software releases are vulnerable, see the Fixed Software section of this advisory. Assessing the 802.1x Configuration To determine whether the 802.1x feature is configured in a manner that makes a device vulnerable, perform the following tasks: 1. Administrators can log in to the device and use the show running-config | include multi-domain command in the CLI to check for the presence of the authentication host-mode multi-domain command in the interface configuration. If the command returns no output, the device is not vulnerable. If the command returns output, identify all the interfaces with the authentication host-mode multi-domain command present and proceed to the next step. 2. For each interface identified in the previous step, administrators can use the show running-config command in the CLI to check for the presence of authentication open. For each interface where the authentication mode is configured as open, the device on that interface is not vulnerable. For all other interfaces, complete the next step. 3. For each interface identified in the previous steps, administrators can use the show running-config command in the CLI to check for the presence of authentication violation restrict. If this command is present, the interface is vulnerable. The following shows an example of an AFFECTED configuration: interface GigabitEthernet1/4/1 switchport switchport switchport access vlan 100 switchport mode access switchport voice vlan 101 authentication event fail action next-method authentication event server dead action authorize voice authentication event server alive action reinitialize authentication host-mode multi-domain authentication order dot1x mab authentication priority dot1x mab authentication port-control auto authentication periodic authentication timer reauthenticate server authentication violation restrict mab dot1x pae authenticator dot1x timeout tx-period 2 spanning-tree portfast edge spanning-tree bpduguard enable The following shows an example of a NON-AFFECTED configuration: interface GigabitEthernet1/4/1 switchport switchport switchport access vlan 100 switchport mode access switchport voice vlan 101 authentication event fail action next-method authentication event server dead action authorize voice authentication event server alive action reinitialize authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto authentication periodic authentication timer reauthenticate server authentication violation shutdown mab dot1x pae authenticator dot1x timeout tx-period 2 spanning-tree portfast edge spanning-tree bpduguard enable Determining the Cisco IOS Software Release To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output. The following example shows the output of the command for a device that is running Cisco IOS Software Release 15.5(2)T1 and has an installed image name of C2951-UNIVERSALK9-M: Router> show version Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Mon 22-Jun-15 09:32 by prod_rel_team For information about the naming and numbering conventions for Cisco IOS Software releases, see the Cisco IOS and NX-OS Software Reference Guide. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS XE Software, Cisco IOS XR Software, or Cisco NX-OS Software. Details o This vulnerability could be exploited when a host has already authenticated on the affected configured port and a new host in unauthorized mode tries to connect. The impact is intermittent access to the network prior to authentication. Workarounds o If the port is also configured with either authentication violation shutdown|protect, this vulnerability would not be exploitable. Fixed Software o For detailed information about affected and fixed software releases, consult the Cisco IOS Software Checker. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco IOS Software To help customers determine their exposure to vulnerabilities in Cisco IOS Software, Cisco provides a tool, the Cisco IOS Software Checker, that identifies any Cisco Security Advisories that impact a specific Cisco IOS Software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS Software release--for example, 15.1(4)M2--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-c6500 Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ ================================================================================ Cisco Aggregation Services Router 900 Route Switch Processor 3 OSPFv2 Denial of Service Vulnerability Priority: High Advisory ID: cisco-sa-20190327-rsp3-ospf First Published: 2019 March 27 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvh06656 CVE-2019-1749 CWE-20 CVSS Score: 7.4 AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X Summary o A vulnerability in the ingress traffic validation of Cisco IOS XE Software for Cisco Aggregation Services Router (ASR) 900 Route Switch Processor 3 (RSP3) could allow an unauthenticated, adjacent attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability exists because the software insufficiently validates ingress traffic on the ASIC used on the RSP3 platform. An attacker could exploit this vulnerability by sending a malformed OSPF version 2 (OSPFv2) message to an affected device. A successful exploit could allow the attacker to cause a reload of the iosd process, triggering a reload of the affected device and resulting in a DoS condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-rsp3-ospf This advisory is part of the March 27, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 19 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products o Vulnerable Products This vulnerability affects Cisco ASR 900 RSP3 devices that are running Cisco IOS XE Software and are configured for OSPFv2 routing and OSPF Message Digest 5 (MD5) cryptographic authentication. Note: Devices configured for OSPFv2 routing and Hashed Message Authentication Code-Secure Hash Algorithm (HMAC-SHA) cryptographic authentication are not affected by this vulnerability. For information about which Cisco IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory. Determining Whether OSPFv2 Routing Is Configured Administrators can use the show running-config | include router ospf command to determine whether OSPFv2 routing is enabled. The following example shows the output of the command for a device that has the OSPFv2 routing feature enabled: rsp3#show running-config | include router ospf router ospf 1 Empty output of this command indicates that the feature is not configured. Determining Whether OSPF MD5 Authentication Is Configured Administrators can use the show running-config | include authentication message-digest command to determine whether OSPF MD5 authentication is enabled on any interface or globally. The following example shows the output of the command from a device that has OSPF MD5 authentication enabled on one interface: rsp3-1#show running-config | include authentication message-digest ip ospf authentication message-digest The following example shows the output of the command from a device that has OSPF MD5 authentication enabled globally for OSPF area 0: rsp3-2#show running-config | include authentication message-digest area 0 authentication message-digest Empty output of this command indicates that the feature is not enabled on any interface or globally. Determining the Cisco IOS XE Software Release To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text. The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.6.1 and has an installed image name of PPC_LINUX_IOSD-UNIVERSALK9-M: rsp3-device# show version Cisco IOS XE Software, Version 16.06.01 Cisco IOS Software [Everest], ASR900 Software (PPC_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.1, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2017 by Cisco Systems, Inc. Compiled Sat 22-Jul-17 03:12 by mcpre For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software. Workarounds o There are no workarounds that address this vulnerability. To mitigate this issue on Cisco IOS Software releases 15.4(1)T and later, administrators can configure OSPFv2 to use HMAC-SHA algorithms for cryptographic authentication instead of MD5 algorithms. Information about platform support and Cisco software image support is available through Cisco Feature Navigator. Further information on configuring OSPFv2 for cryptographic authentication using HMAC-SHA is available in the OSPFv2 Cryptographic Authentication chapter of the IP Routing: OSPF Configuration Guide. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/ tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker , that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use this tool to perform the following tasks: Initiate a search by choosing one or more releases from a drop-down list or uploading a file from a local system for the tool to parse Enter the output of the show version command for the tool to parse Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in the following field: By default, the Cisco IOS Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, use the Cisco IOS Software Checker on Cisco.com and check the Medium check box in the Impact Rating drop-down list. For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the Cisco IOS XE Software release. Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to Release 16.9.1 or later are advised to consider the Smart Licensing requirement. The following documentation provides additional information: Smart Licensing. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. Related to This Advisory o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190327-rsp3-ospf Revision History o +----------+---------------------------+----------+---------+----------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+---------+----------------+ | 1.0 | Initial public release. | -- | Final | 2019-March-27 | +----------+---------------------------+----------+---------+----------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXJxc/WaOgq3Tt24GAQgIshAAqkBNP+6/VnEVPGCyFV1tJ7x4vHqBWm+w Mnn7de34fcOhiIIeOIeR0UTvh8rrbkOmFp/ciCR6hrkRu9fRYWGHAdOQimszbIiw u1jvfhgpnoAIgTcjZCmwnW92I/5RP84sZfYYAMIdcHdHoce3WWvg845MO3c9Ip3F xyPtQUK+yToruEoFkr/lvRo0eDntiwSFDwJYG4hzyjlWgXcC0FQiyw5zywl3gPgm OpXfYFpyiE447sF/gWZilJlDniWX59uO73UlaIhBEcRStr9SxR5hBKYGYAXQYk4Y i2Z8nxEoJmhdqqPomfOzaadyX8coOXba/j+a7yHfTfQVA5MD0DEqZJ+ZSPrVRtN+ rYAVn9/SAvw1duPo91fbkMh9HJ8d6s7GosfXrs4wAj6IYsTeWzH+4cYwWkeMk6o/ jM6/KDQEyJaQcissB/xPXK5l9CG7e6549CiLoo9scnmBgMgYXKA6mkLc07azA1zD 54TyQxZBFg1pMHtoJ1Dfezc3ZnKcd2/SGqgy57uDfYZgK4kmbNTtf6rvWWNMIJQG esKuNduGO7rBZcoS3yqxFGLN1EEJy46hxBQMk+y06sa4MABhj66wVe4bjAzIAtRy n5SAJmAcErZWRRPE4gOry6JwN4F2FkapQlbYG2RvmGAlsONxBV2jhipqNreO4bDR 8539mOinJuA= =bsCb -----END PGP SIGNATURE-----