-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1026
                    Cisco IOS multiple vulnerabilities
                               28 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Root Compromise                 -- Existing Account      
                   Execute Arbitrary Code/Commands -- Existing Account      
                   Modify Arbitrary Files          -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Read-only Data Access           -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1762 CVE-2019-1761 CVE-2019-1760
                   CVE-2019-1759 CVE-2019-1758 CVE-2019-1757
                   CVE-2019-1756 CVE-2019-1755 CVE-2019-1754
                   CVE-2019-1753 CVE-2019-1752 CVE-2019-1751
                   CVE-2019-1750 CVE-2019-1749 CVE-2019-1748
                   CVE-2019-1747 CVE-2019-1746 CVE-2019-1745
                   CVE-2019-1743 CVE-2019-1742 CVE-2019-1741
                   CVE-2019-1740 CVE-2019-1739 CVE-2019-1738
                   CVE-2019-1737  

Reference:         ESB-2019.0371
                   ESB-2019.0061
                   ESB-2019.0372.2

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-call-home-cert
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-evss
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-afu
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-nat64
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-c6500
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-rsp3-ospf
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-sms-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-nbar
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-pnp-cert
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-info
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-isdn
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-ipsla-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-ios-infoleak
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-cmp-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-pe
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-privesc
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-pfrv3
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-xeid
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-mgmtacl
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-eta-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinj
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinject
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-xecmd

Comment: This bulletin contains twenty-three (23) advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS and IOS XE Software Smart Call Home Certificate Validation
Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-20190327-call-home-cert

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvg83741

CVE-2019-1757    

CWE-295

CVSS Score:
5.9  AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Cisco Smart Call Home feature of Cisco IOS and IOS
    XE Software could allow an unauthenticated, remote attacker to gain
    unauthorized read access to sensitive data using an invalid certificate.

    The vulnerability is due to insufficient certificate validation by the
    affected software. An attacker could exploit this vulnerability by
    supplying a crafted certificate to an affected device. A successful
    exploit could allow the attacker to conduct man-in-the-middle attacks to
    decrypt confidential information on user connections to the affected
    software.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-call-home-cert

Affected Products

  o Vulnerable Products

    This vulnerability affects devices that are running a vulnerable release
    of Cisco IOS or IOS XE Software with the Smart Call Home feature enabled.

    For information about which Cisco IOS and IOS XE Software releases are
    vulnerable, see the Fixed Software section of this advisory.

    Determining Whether Smart Call Home is Enabled

    To determine whether the Smart Call Home feature has been configured,
    administrators can use the show running-config | section call-home command
    in the CLI. For a device to be vulnerable, the Call Home service has to be
    enabled and at least one Call Home profile has to be active. The following
    example shows the output of the show running-config | section call-home
    command for a device that has the Smart Call Home feature enabled.

        service call-home
        call-home
         contact-email-addr support@example.com
         profile "CiscoTAC-1"
          active
          destination transport-method http
          no destination transport-method email 
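
    An added exposure check (not Cisco's code and not part of the advisory)
    that applies the two conditions above to the text of "show running-config
    | section call-home": a device counts as exposed only when "service
    call-home" is present and at least one profile block contains "active".
    Both configuration samples are constructed; the first copies the
    advisory's example, the second assumes a profile deactivated with "no
    active".

```python
import re

# Constructed sample, copying the advisory's example of an enabled device.
SAMPLE_ENABLED = """\
service call-home
call-home
 contact-email-addr support@example.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
  no destination transport-method email
"""

# Constructed sample (assumed form): service enabled, but the only profile
# has been deactivated with "no active".
SAMPLE_INACTIVE_PROFILE = """\
service call-home
call-home
 contact-email-addr support@example.com
 profile "CiscoTAC-1"
  no active
  destination transport-method http
"""

PROFILE_RE = re.compile(r'^profile\s+"?([^"]+?)"?$')


def parse_call_home(config_text):
    """Return (service_enabled, {profile_name: is_active}).

    Indentation follows the advisory output: "profile" lines sit one space
    under "call-home", and a profile's body sits two spaces in.  A profile
    counts as active only when its body contains a bare "active" line and
    no later "no active" line (assumed; the advisory shows only "active").
    """
    service_enabled = False
    profiles = {}
    current = None
    for line in config_text.splitlines():
        line = line.rstrip()
        stripped = line.strip()
        if not stripped:
            continue
        if stripped == "service call-home":
            service_enabled = True
        elif stripped == "no service call-home":
            service_enabled = False
        indent = len(line) - len(line.lstrip(" "))
        if indent == 1 and (m := PROFILE_RE.match(stripped)):
            current = m.group(1)
            profiles[current] = False  # decided by the block body below
        elif indent >= 2 and current is not None:
            if stripped == "active":
                profiles[current] = True
            elif stripped == "no active":
                profiles[current] = False
        else:
            current = None  # left the profile block
    return service_enabled, profiles


def call_home_exposed(config_text):
    """Apply the advisory's criterion: service enabled AND a profile active."""
    service_enabled, profiles = parse_call_home(config_text)
    return service_enabled and any(profiles.values())
```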

    Determining the Cisco IOS Software Release

    To determine which Cisco IOS Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS Software, the system banner displays text similar to
    Cisco Internetwork Operating System Software or Cisco IOS Software. The
    banner also displays the installed image name in parentheses, followed by
    the Cisco IOS Software release number and release name. Some Cisco devices
    do not support the show version command or may provide different output.

    The following example shows the output of the command for a device that is
    running Cisco IOS Software Release 15.5(2)T1 and has an installed image
    name of C2951-UNIVERSALK9-M:

        Router> show version

        Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2015 by Cisco Systems, Inc.
        Compiled Mon 22-Jun-15 09:32 by prod_rel_team

    For information about the naming and numbering conventions for Cisco IOS
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre

    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS XR
    Software or Cisco NX-OS Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o For detailed information about affected and fixed software releases,
    consult the Cisco IOS Software Checker.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

       - Initiate a search by choosing one or more releases from a drop-down
         list or uploading a file from a local system for the tool to parse
       - Enter the output of the show version command for the tool to parse
       - Create a custom search by including all previously published Cisco
         Security Advisories, a specific advisory, or all advisories in the
         most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com and enter a
    Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in
    its search field.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.


URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-call-home-cert

Revision History

  o
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --       | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS and IOS XE Software Short Message Service Denial of Service
Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190327-sms-dos

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvm07801

CVE-2019-1747    

CWE-20

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the implementation of the Short Message Service (SMS)
    handling functionality of Cisco IOS Software and Cisco IOS XE Software
    could allow an unauthenticated, remote attacker to trigger a denial of
    service (DoS) condition on an affected device.

    The vulnerability is due to improper processing of SMS protocol data units
    (PDUs) that are encoded with a special character set. An attacker could
    exploit this vulnerability by sending a malicious SMS message to an
    affected device. A successful exploit could allow the attacker to cause
    the wireless WAN (WWAN) cellular interface module on an affected device to
    crash, resulting in a DoS condition that would require manual intervention
    to restore normal operating conditions.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-sms-dos

    This advisory is part of the March 27, 2019, release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication, which includes 17
    Cisco Security Advisories that describe 19 vulnerabilities. For a complete
    list of the advisories and links to them, see Cisco Event Response: March
    2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco routers that have a Sierra Wireless WWAN
    cellular interface module installed and that are running either Cisco IOS
    Software Release 15.8(3)M or Cisco IOS XE Software Release 16.10.1. The
    SMS handling functionality is enabled by default only when an active
    subscriber identity module (SIM) card is installed on a Sierra Wireless
    WWAN cellular interface module.

    For information about which Cisco IOS and IOS XE Software releases are
    vulnerable, see the Fixed Software section of this advisory.

    Determining Whether a Device Is Using an Embedded Sierra Wireless WWAN
    Cellular Interface Module

    To determine whether a Cisco router is using a Sierra Wireless WWAN
    cellular interface module, use the show inventory | include Sierra
    Wireless privileged EXEC command on the device. The following example
    shows the output of the show inventory | include Sierra Wireless command
    on a router with a Sierra Wireless MC7750 WWAN cellular interface module.

        Router#show inventory | include Sierra Wireless
        NAME: "Modem 0 on Cellular0", DESCR: "Sierra Wireless MC7750 4G-V"

    The modem slot number, the cellular interface number, and the description
    differ depending on the platform and the model of the WWAN cellular
    interface module installed. However, if this command does not exist, or it
    does not produce any output, the device is not affected by the
    vulnerability described in this advisory.

    Determining the Cisco IOS Software Release

    To determine which Cisco IOS Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS Software, the system banner displays text similar to
    Cisco Internetwork Operating System Software or Cisco IOS Software. The
    banner also displays the installed image name in parentheses, followed by
    the Cisco IOS Software release number and release name. Some Cisco devices
    do not support the show version command or may provide different output.

    The following example shows the output of the command for a device that is
    running Cisco IOS Software Release 15.5(2)T1 and has an installed image
    name of C2951-UNIVERSALK9-M:

        Router> show version

        Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2015 by Cisco Systems, Inc.
        Compiled Mon 22-Jun-15 09:32 by prod_rel_team

    For information about the naming and numbering conventions for Cisco IOS
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre

    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS XR
    Software or Cisco NX-OS Software.

Details

  o Successful exploitation of this vulnerability will cause the WWAN cellular
    interface module on an affected device to crash. The crashed state is
    localized within the WWAN cellular interface module and does not extend to
    other modules or processes that are running on the device.

    Customers whose devices have been affected by successful exploitation of
    this vulnerability are advised to contact the Cisco Technical Assistance
    Center (TAC) or their Customer Experience (CX) representative for
    assistance in recovering the WWAN functionality.

Indicators of Compromise

  o Exploitation of this vulnerability could cause the affected device to
    repeatedly generate an error message similar to the following:

        %Router-2-MODEM_DOWN: Cellular0 modem is now DOWN

    Customers are advised to contact their support organization to review the
    error message and determine whether the device has been affected by
    exploitation of this vulnerability.
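
    As an added example (not from Cisco or this advisory), a small detector
    that scans syslog lines for the MODEM_DOWN message above and flags an
    interface when the message repeats three or more times within five
    minutes, since a single MODEM_DOWN can be an ordinary carrier loss while
    repetition is what the advisory points at. The log lines, hostname,
    timestamps, year and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog sample (hostname, sequence numbers and timestamps are
# made up); the message text follows the advisory's indicator.
SAMPLE_LOG = """\
Mar 27 16:01:02 edge-rtr 101: *Mar 27 16:01:01.512: %Router-2-MODEM_DOWN: Cellular0 modem is now DOWN
Mar 27 16:01:40 edge-rtr 102: *Mar 27 16:01:39.003: %Router-2-MODEM_DOWN: Cellular0 modem is now DOWN
Mar 27 16:02:11 edge-rtr 103: *Mar 27 16:02:10.777: %LINK-3-UPDOWN: Interface Cellular0, changed state to up
Mar 27 16:02:55 edge-rtr 104: *Mar 27 16:02:54.120: %Router-2-MODEM_DOWN: Cellular0 modem is now DOWN
Mar 27 18:30:00 edge-rtr 105: *Mar 27 18:29:59.900: %Router-2-MODEM_DOWN: Cellular1 modem is now DOWN
"""

# Syslog receive timestamp at the start of the line, then the IOS message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ .*?"
    r"%(?P<facility>\w+)-\d-MODEM_DOWN: (?P<intf>\S+) modem is now DOWN"
)


def parse_modem_down(log_text, year=2019):
    """Return [(timestamp, interface)] for every MODEM_DOWN line.

    Syslog timestamps carry no year, so the caller supplies one (assumed).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["intf"]))
    return events


def flag_repeated_modem_down(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {interface: peak_count} for interfaces whose MODEM_DOWN
    messages reach `threshold` inside any sliding `window`.  The threshold
    and window are assumptions to tune per site, not values from Cisco."""
    by_intf = defaultdict(list)
    for ts, intf in parse_modem_down(log_text):
        by_intf[intf].append(ts)
    flagged = {}
    for intf, times in by_intf.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[intf] = max(flagged.get(intf, 0), count)
    return flagged
```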

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

       - Initiate a search by choosing one or more releases from a drop-down
         list or uploading a file from a local system for the tool to parse
       - Enter the output of the show version command for the tool to parse
       - Create a custom search by including all previously published Cisco
         Security Advisories, a specific advisory, or all advisories in the
         most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com and enter a
    Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in
    its search field.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

    Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will
    require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to
    Release 16.9.1 or later are advised to consider the Smart Licensing
    requirement. The following documentation provides additional information:
    Smart Licensing.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.


Related to This Advisory

  o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-sms-dos

Revision History

  o
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --       | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS and IOS XE Software Network-Based Application Recognition Denial of
Service Vulnerabilities

Priority:        High

Advisory ID:     cisco-sa-20190327-nbar

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvb51688
                 CSCvc94856
                 CSCvc99155
                 CSCvf01501

CVE-2019-1738    
CVE-2019-1739    
CVE-2019-1740    

CWE-20

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o Multiple vulnerabilities in the Network-Based Application Recognition
    (NBAR) feature of Cisco IOS Software and Cisco IOS XE Software could allow
    an unauthenticated, remote attacker to cause an affected device to reload.
    These vulnerabilities are due to a parsing issue on DNS packets. An
    attacker could exploit these vulnerabilities by sending crafted DNS
    packets through routers that are running an affected version and have NBAR
    enabled. A successful exploit could allow the attacker to cause the
    affected device to reload, resulting in a denial of service (DoS)
    condition.

    Cisco has released software updates that address these vulnerabilities.
    There are no workarounds that address these vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-nbar

    This advisory is part of the March 27, 2019, release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication, which includes 17
    Cisco Security Advisories that describe 19 vulnerabilities. For a complete
    list of the advisories and links to them, see Cisco Event Response: March
    2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    These vulnerabilities affect routers that are running vulnerable releases
    of Cisco IOS or IOS XE Software and have been configured for NBAR
    operations.

    For information about which Cisco IOS and IOS XE Software releases are
    vulnerable, see the Fixed Software section of this advisory.

    Determining the NBAR Configuration

    Administrators can verify whether NBAR is in use on a device by verifying
    that the "show ip nbar control-plane | include NBAR state" CLI command
    reports the state as "ACTIVATED". If that command does not produce output,
    or it reports the state as "DEACTIVATED", then NBAR operation is not
    configured.

    Here is an example of a device on which NBAR is enabled:

        Router#show ip nbar control-plane | include NBAR state
        NBAR state is ACTIVATED
        NBAR state: ACTIVATED

    Here is an example of a device on which NBAR is disabled:

        Router#show ip nbar control-plane | include NBAR state
        NBAR state is DEACTIVATED
        NBAR state: DEACTIVATED

    Determining the Cisco IOS Software Release

    To determine which Cisco IOS Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS Software, the system banner displays text similar to
    Cisco Internetwork Operating System Software or Cisco IOS Software. The
    banner also displays the installed image name in parentheses, followed by
    the Cisco IOS Software release number and release name. Some Cisco devices
    do not support the show version command or may provide different output.

    The following example shows the output of the command for a device that is
    running Cisco IOS Software Release 15.5(2)T1 and has an installed image
    name of C2951-UNIVERSALK9-M:

        Router> show version

        Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2015 by Cisco Systems, Inc.
        Compiled Mon 22-Jun-15 09:32 by prod_rel_team

    For information about the naming and numbering conventions for Cisco IOS
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre

    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
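
    An added parser (not Cisco's code and not part of the advisory) that
    pulls the image name and release string from the first banner line of
    the show version outputs quoted in the Cisco IOS and Cisco IOS XE
    sections above; these are the fields the Cisco IOS Software Checker
    parses from pasted show version output. Both sample outputs are copied
    from this advisory's examples, and the banner layout assumed is the one
    they show, including the release name prefix ("Denali") on IOS XE 16.x.

```python
import re

# Constructed inputs: the two show version outputs quoted in this advisory.
IOS_BANNER = """\
Router> show version

Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team
"""

IOS_XE_BANNER = """\
ios-xe-device# show version

Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
"""

# Banner layout as shown in the advisory: family, platform text, image name
# in parentheses, then "Version <release>," (assumed to hold generally).
BANNER_RE = re.compile(
    r"^(?P<family>Cisco (?:Internetwork Operating System|IOS(?: XE)?) Software), "
    r"(?P<platform>.+?) \((?P<image>[^)]+)\), "
    r"Version (?P<version>[^,]+),"
)


def parse_show_version(output):
    """Return {family, platform, image, version, release_name} from the
    first banner line found, or None when no banner line is present.

    IOS XE 16.x banners prefix the release with a name ('Denali 16.2.1');
    classic IOS releases look like '15.5(2)T1' and carry no name.
    """
    for line in output.splitlines():
        m = BANNER_RE.match(line.strip())
        if not m:
            continue
        info = m.groupdict()
        name_m = re.match(r"^([A-Za-z]+) (\d+\.\d+\.\d+)$", info["version"])
        if name_m:
            info["release_name"] = name_m.group(1)
            info["version"] = name_m.group(2)
        else:
            info["release_name"] = None
        return info
    return None
```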


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

    Cisco has confirmed that these vulnerabilities do not affect Cisco IOS
    XR Software or Cisco NX-OS Software.

Indicators of Compromise

  o A successful exploit of these vulnerabilities will cause an affected
    device to reload and generate a crashinfo file.

    A successful exploit of these vulnerabilities may be confirmed by decoding
    the stack trace for the device and determining whether the stack trace
    correlates with these vulnerabilities.

    Contact the Cisco Technical Assistance Center (TAC) to review the
    crashinfo file and determine whether the device has been compromised by
    exploitation of these vulnerabilities.

Workarounds

  o There are no workarounds that address these vulnerabilities. However,
    administrators can mitigate these vulnerabilities by disabling the NBAR
    feature for an affected device until the device is upgraded to a software
    release that addresses these vulnerabilities.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/
    tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software
    Checker, that identifies any Cisco Security Advisories that impact a
    specific software release and the earliest release that fixes the
    vulnerabilities described in each advisory ("First Fixed"). If applicable,
    the tool also returns the earliest release that fixes all the
    vulnerabilities described in all the advisories identified ("Combined
    First Fixed").

    Customers can use this tool to perform the following tasks:

       o Initiate a search by choosing one or more releases from a drop-down
         list or uploading a file from a local system for the tool to parse
       o Enter the output of the show version command for the tool to parse
       o Create a custom search by including all previously published Cisco
         Security Advisories, a specific advisory, or all advisories in the
         most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com and enter a
    Cisco IOS or IOS XE Software release (for example, 15.1(4)M2 or 3.13.8S).



    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

    Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will
    require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to
    Release 16.9.1 or later are advised to consider the Smart Licensing
    requirement. The following documentation provides additional information:
    Smart Licensing.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerabilities that are
    described in this advisory.

Source

  o These vulnerabilities were discovered during the resolution of a support
    case.


Related to This Advisory

  o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-nbar

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --        | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS and IOS XE Software Network Plug-and-Play Agent Certificate
Validation Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190327-pnp-cert

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvf36269
                 CSCvg01089

CVE-2019-1748    

CWE-295

CVSS Score:
7.4  AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Cisco Network Plug-and-Play (PnP) agent of
    Cisco IOS Software and Cisco IOS XE Software could allow an
    unauthenticated, remote attacker to gain unauthorized access to sensitive
    data.

    The vulnerability exists because the affected software insufficiently
    validates certificates. An attacker could exploit this vulnerability by
    supplying a crafted certificate to an affected device. A successful
    exploit could allow the attacker to conduct man-in-the-middle attacks to
    decrypt and modify confidential information on user connections to the
    affected software.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-pnp-cert

    This advisory is part of the March 27, 2019, release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication, which includes 17
    Cisco Security Advisories that describe 19 vulnerabilities. For a complete
    list of the advisories and links to them, see Cisco Event Response: March
    2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco devices that are running a vulnerable
    release of Cisco IOS or IOS XE Software with the Cisco Plug-and-Play (PnP)
    agent enabled and initiated.

    The PnP agent is enabled on all Cisco IOS and IOS XE Software platforms by
    default, but it is initiated only under one of the following conditions:

       o The startup configuration is absent.
       o A PnP profile has been configured and activated through the CLI.

    For information about which Cisco IOS and IOS XE Software releases are
    vulnerable, see the Fixed Software section of this advisory.

    Determining Whether a PnP Profile Has Been Configured

    To determine whether a PnP profile has been configured, administrators can
    use the show pnp profile command in the CLI. The following example shows
    the output of the show pnp profile command with a PnP profile named test
    configured and activated:

    Device# show pnp profile

    Initiator Profile test: 0 open connections: 0 closing connections
            Encap: xmpp11
            WSSE header is not required. Configured authorization level is 1
            Countdown: Security Unlock 0, Service Lock: 0, Service Req Wait: 0, Prxoy Req Wait 0, Service Resp Ack: 0
            Max message (RX) is 50 Kbytes
            XEP Faults are sent
            Idle timeout infinite
            Keepalive not configured
            Reconnect time 60 seconds
            Primary transport: xmpp socket to host 172.19.193.60, port 5222
      Not connected, next reconnect attempt in 52 seconds

    Device#

    An empty output of this command indicates that no PnP profile has been
    configured.

    In some releases of Cisco IOS and IOS XE Software, the output of the show
    pnp profile command is different. The following example shows the output
    of the show pnp profile command in these releases with a PnP profile named
    pnp-zero-touch configured and activated:

        Device#show pnp profile
        PnP Profiles: Active:1, Created:1, Deleted:0, Hidden:0

        Name            CBType Node     Primary-Path           Primary-Trans  Backup-Trans
        pnp-zero-touch  User   visible  pnp/WORK-REQUEST       HTTPS          none


        Initiator Profile pnp-zero-touch: 0 open connections: 0 closing connections
                        Encap: pnp
                        WSSE header is not required. Configured authorization level is 1
                
                
                
                        Max message (RX) is 50 Kbytes
                        XEP Faults are sent
                        Idle timeout infinite
                        Keepalive not configured
                        DNS Resolution: default
                        Reconnect time 60 seconds
                        Primary Transport:https to Host:-, IP:10.201.237.169, Port:443, Src-Intf:-, VRF:-, URL pnp/WORK-REQUEST
          Not connected, next reconnect attempt in 30 seconds




    In these releases, an output containing Active:0 indicates that no active
    PnP profile has been configured.

    Determining the Cisco IOS Software Release

    To determine which Cisco IOS Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS Software, the system banner displays text similar to
    Cisco Internetwork Operating System Software or Cisco IOS Software. The
    banner also displays the installed image name in parentheses, followed by
    the Cisco IOS Software release number and release name. Some Cisco devices
    do not support the show version command or may provide different output.

    The following example shows the output of the command for a device that is
    running Cisco IOS Software Release 15.5(2)T1 and has an installed image
    name of C2951-UNIVERSALK9-M:

        Router> show version

        Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2015 by Cisco Systems, Inc.
        Compiled Mon 22-Jun-15 09:32 by prod_rel_team




    For information about the naming and numbering conventions for Cisco IOS
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre


    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS XR
    Software or Cisco NX-OS Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/
    tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software
    Checker, that identifies any Cisco Security Advisories that impact a
    specific software release and the earliest release that fixes the
    vulnerabilities described in each advisory ("First Fixed"). If applicable,
    the tool also returns the earliest release that fixes all the
    vulnerabilities described in all the advisories identified ("Combined
    First Fixed").

    Customers can use this tool to perform the following tasks:

       o Initiate a search by choosing one or more releases from a drop-down
         list or uploading a file from a local system for the tool to parse
       o Enter the output of the show version command for the tool to parse
       o Create a custom search by including all previously published Cisco
         Security Advisories, a specific advisory, or all advisories in the
         most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com and enter a
    Cisco IOS or IOS XE Software release (for example, 15.1(4)M2 or 3.13.8S).



    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

    Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will
    require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to
    Release 16.9.1 or later are advised to consider the Smart Licensing
    requirement. The following documentation provides additional information:
    Smart Licensing.

    Note: Releases of Cisco IOS and IOS XE Software that contain the fix for
    this vulnerability require that the PnP server-provided certificate
    contains a valid Subject Alternative Name (SAN) field to verify the
    server identity. The software compares the SAN field of this certificate
    to the PnP server DNS name or IP address that is configured in the PnP
    profile on the Cisco IOS or IOS XE device.

    Customers using an on-premises Cisco Application Policy Infrastructure
    Controller Enterprise Module (APIC-EM) or Cisco Digital Network
    Architecture (DNA) Center as a PnP server must ensure that the PnP server
    certificate contains a valid SAN field. If it does not contain a valid SAN
    field, the administrator must generate a certificate signing request (CSR)
    that includes the appropriate SAN field, have the new certificate signed
    by their certificate authority (CA), and then install it on the PnP
    server.

    Further details on how to obtain a CA-signed certificate for the
    Cisco APIC-EM are available in the Securing the Cisco APIC-EM chapter of
    the Cisco Application Policy Infrastructure Controller Enterprise Module
    Administrator Guide. Further details for Cisco DNA Center can be found in
    the Configure System Settings chapter of the Cisco Digital Network
    Architecture Center Administrator Guide.

    Customers who require assistance to configure a self-signed certificate
    with a valid SAN field are advised to contact the Cisco Technical
    Assistance Center (TAC) or their contracted maintenance providers.
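    The comparison that fixed releases perform, as described in the note
    above, and the "Active:0" / primary-transport reading of the show pnp
    profile output from the Vulnerable Products section, can be modelled in a
    short triage script. The following is an added example and is not Cisco's
    code: it parses the Primary Transport line of the newer show pnp profile
    format quoted in this advisory and then checks a list of SAN entries (as
    they would be read from the server certificate) against the configured
    endpoint. The sample profile output, its IP address and port, and the SAN
    lists are constructed; the matching rules (exact dNSName match, a single
    wildcard as the whole leftmost label, iPAddress entries required for IP
    literals, fail closed when no SAN is present) are an RFC 6125-style
    assumption, not a description of how Cisco IOS implements the comparison.

```python
"""Added example (not Cisco code): does the PnP server certificate's SAN cover
the endpoint configured in the device's PnP profile? Sample output and SAN
lists are constructed; matching rules are an RFC 6125-style assumption."""
import ipaddress
import re
from typing import Iterable, Optional, Tuple

# Constructed 'show pnp profile' output, mirroring the newer format quoted in
# the advisory; the IP address and port are sample values only.
SAMPLE_PNP_PROFILE = """\
PnP Profiles: Active:1, Created:1, Deleted:0, Hidden:0

Name            CBType Node     Primary-Path           Primary-Trans  Backup-Trans
pnp-zero-touch  User   visible  pnp/WORK-REQUEST       HTTPS          none

Initiator Profile pnp-zero-touch: 0 open connections: 0 closing connections
        Encap: pnp
        Primary Transport:https to Host:-, IP:10.201.237.169, Port:443, Src-Intf:-, VRF:-, URL pnp/WORK-REQUEST
  Not connected, next reconnect attempt in 30 seconds
"""

_TRANSPORT_RE = re.compile(
    r"Primary Transport:(?P<scheme>\w+) to Host:(?P<host>[^,]*), "
    r"IP:(?P<ip>[^,]*), Port:(?P<port>\d+)"
)

def active_profile_count(output: str) -> int:
    """Active: count from the 'PnP Profiles:' summary line; 0 when absent
    (per the advisory, Active:0 means no active profile is configured)."""
    m = re.search(r"PnP Profiles: Active:(\d+)", output)
    return int(m.group(1)) if m else 0

def configured_server(output: str) -> Optional[Tuple[str, str, int]]:
    """(scheme, endpoint, port) of the primary transport. The endpoint is the
    configured hostname when one is set, otherwise the IP; '-' means unset."""
    m = _TRANSPORT_RE.search(output)
    if not m:
        return None
    host, ip = m.group("host").strip(), m.group("ip").strip()
    endpoint = host if host and host != "-" else ip
    return m.group("scheme").lower(), endpoint, int(m.group("port"))

def _dns_matches(pattern: str, hostname: str) -> bool:
    """dNSName comparison: case-insensitive, exact, or one wildcard that is
    the whole leftmost label and never matches a two-label apex."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def san_covers_endpoint(san_entries: Iterable[Tuple[str, str]], endpoint: str) -> bool:
    """san_entries: (kind, value) pairs with kind 'DNS' or 'IP', as read from
    the certificate. An IP literal must match an iPAddress entry; a dNSName
    entry never satisfies an IP endpoint. No SAN at all fails closed."""
    entries = list(san_entries)
    if not entries:
        return False
    try:
        wanted_ip = ipaddress.ip_address(endpoint)
    except ValueError:
        wanted_ip = None
    for kind, value in entries:
        if wanted_ip is not None:
            if kind != "IP":
                continue
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True
            except ValueError:
                continue
        elif kind == "DNS" and _dns_matches(value, endpoint):
            return True
    return False

def assess(output: str, san_entries: Iterable[Tuple[str, str]]) -> str:
    """One-line verdict combining the profile state and the SAN check."""
    if active_profile_count(output) == 0:
        return "NO-PROFILE: no active PnP profile configured"
    server = configured_server(output)
    if server is None:
        return "UNKNOWN: active profile but no primary transport line parsed"
    scheme, endpoint, port = server
    if scheme != "https":
        return f"N/A: primary transport is {scheme}, not https"
    if san_covers_endpoint(san_entries, endpoint):
        return f"OK: certificate SAN covers {endpoint}:{port}"
    return f"MISMATCH: certificate SAN does not cover {endpoint}:{port}; reissue with a SAN"

if __name__ == "__main__":
    print(assess(SAMPLE_PNP_PROFILE, [("IP", "10.201.237.169")]))   # OK
    print(assess(SAMPLE_PNP_PROFILE, [("DNS", "10.201.237.169")]))  # MISMATCH
    print(assess(SAMPLE_PNP_PROFILE, []))                            # MISMATCH
```

    The second call is the case worth noting for operators who profile their
    PnP server by IP address: a certificate whose SAN carries the address as
    a dNSName string rather than an iPAddress entry does not cover the
    endpoint under these rules, and the third call is the no-SAN certificate
    the note above says must be reissued.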

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Related to This Advisory

  o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-pnp-cert

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --        | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS and IOS XE Software Information Disclosure Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-20190327-info

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvg97571
                 CSCvi66418

CVE-2019-1762    

CWE-200

CVSS Score:
4.4  AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Secure Storage feature of Cisco IOS and IOS XE
    Software could allow an authenticated, local attacker to access sensitive
    system information on an affected device.

    The vulnerability is due to improper memory operations performed at
    encryption time, when affected software handles configuration updates. An
    attacker could exploit this vulnerability by retrieving the contents of
    specific memory locations of an affected device. A successful exploit
    could result in the disclosure of keying materials that are part of the
    device configuration, which can be used to recover critical system
    information.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-info

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco devices with the Secure Storage feature
    enabled that are running a vulnerable release of Cisco IOS or IOS XE
    Software.

    There are two bugs linked to this advisory that both address the same
    vulnerability:

       o Cisco bug CSCvg97571 was raised to address the code changes in Cisco
         IOS Software Release 15.6(3)M1 or subsequent releases.
       o Cisco bug CSCvi66418 was raised to address the code changes in Cisco
         IOS XE Software Release 16.6.1 or subsequent releases.

    For information about which Cisco IOS and IOS XE Software releases are
    vulnerable, see the Fixed Software section of this advisory.

    Determining Whether Secure Storage is Enabled

    There are two methods for determining whether the Secure Storage feature
    is enabled on a device:

    Option 1: Using the show running-config all | include service
    private-config-encryption Command.

    To determine whether a device is configured with the Secure Storage
    feature enabled, use the show running-config all | include service
    private-config-encryption privileged EXEC command on the device. The
    following example shows the output of the show running-config all |
    include service private-config-encryption command on a Cisco device that
    has the Secure Storage feature enabled.

        Router# show running-config all | include service private-config-encryption
        service private-config-encryption

    If this command does not exist, or if it produces any other output, the
    device is not affected by the vulnerability described in this advisory.

    Option 2: Using the show parser encrypt file status | include Feature 
    Command.

    To determine whether the Secure Storage feature is enabled on a device,
    use the show parser encrypt file status | include Feature privileged EXEC
    command on the device. The following example shows the output of the show
    parser encrypt file status | include Feature command on a Cisco device
    that has the Secure Storage feature enabled.

        Router# show parser encrypt file status | include Feature
        Feature:            Enabled

    If this command does not exist, or if it produces any other output, the
    device is not affected by the vulnerability described in this advisory.

    Determining the Cisco IOS Software Release

    To determine which Cisco IOS Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS Software, the system banner displays text similar to
    Cisco Internetwork Operating System Software or Cisco IOS Software. The
    banner also displays the installed image name in parentheses, followed by
    the Cisco IOS Software release number and release name. Some Cisco devices
    do not support the show version command or may provide different output.

    The following example shows the output of the command for a device that is
    running Cisco IOS Software Release 15.5(2)T1 and has an installed image
    name of C2951-UNIVERSALK9-M:

        Router> show version

        Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2015 by Cisco Systems, Inc.
        Compiled Mon 22-Jun-15 09:32 by prod_rel_team




    For information about the naming and numbering conventions for Cisco IOS
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre




    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
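    The release-identification steps above (the Cisco IOS and Cisco IOS XE
    show version banners) and the two Secure Storage checks in the Vulnerable
    Products section of this advisory are the kind of thing an operator ends
    up running across many devices from captured output. The following is an
    added example and is not Cisco's code: it extracts the image name, release
    and release name from the banner line quoted in the examples above, turns
    the release string into a sortable key, and applies the Option 1 and
    Option 2 Secure Storage tests exactly as the advisory states them (only
    the exact "service private-config-encryption" line or "Feature: Enabled"
    counts; any other output means not enabled). The two banner lines are the
    ones quoted in this advisory; the release-format regular expressions and
    the IOS / IOS XE classification by release format are an assumption based
    on Cisco's numbering conventions, and older "Cisco Internetwork Operating
    System Software" banners are deliberately not parsed.

```python
"""Added example (not Cisco code): triage captured CLI output against the
release and Secure Storage checks described in this advisory. Banner lines
are the ones quoted in the advisory; the release-parsing and IOS/IOS XE
classification rules are an assumption based on Cisco's numbering scheme."""
import re
from typing import Dict, Optional

# Banner lines exactly as quoted in the advisory's show version examples.
IOS_BANNER = ("Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), "
              "Version 15.5(2)T1, RELEASE SOFTWARE (fc1)")
IOS_XE_BANNER = ("Cisco IOS Software, Catalyst L3 Switch Software "
                 "(CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)")

# "Cisco IOS Software, <platform> (<IMAGE>), Version [<name>] <release>, <status> (<build>)"
_BANNER_RE = re.compile(
    r"^\s*Cisco IOS Software, (?P<platform>.+?) \((?P<image>[^)]+)\), "
    r"Version (?:(?P<name>[A-Za-z][A-Za-z ]*?) )?(?P<version>\d[^,\s]*)"
    r"(?:, (?P<status>[A-Z ]+?) \((?P<build>[^)]+)\))?",
    re.MULTILINE,
)
# Classic IOS: 15.5(2)T1 = major.minor(maintenance)TRAIN rebuild; IOS XE: 16.2.1, 3.13.8S, 03.13.08.S
_IOS_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]*)(\d*)([a-z]?)$")
_XE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.?([A-Za-z]*)$")

def release_key(version: str) -> tuple:
    """Sortable key for a release string; meaningful only within one family."""
    m = _IOS_RE.match(version)
    if m:
        major, minor, maint, train, rebuild, letter = m.groups()
        return ("ios", int(major), int(minor), int(maint), train, int(rebuild or 0), letter)
    m = _XE_RE.match(version)
    if m:
        return ("iosxe", int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))
    raise ValueError(f"unrecognised release format: {version!r}")

def parse_banner(show_version: str) -> Optional[Dict[str, Optional[str]]]:
    """Image name, release and release name from the first banner line.
    Returns None when no 'Cisco IOS Software, ...' line is present (the
    advisory notes some devices print different output or lack the command)."""
    m = _BANNER_RE.search(show_version)
    if not m:
        return None
    info = m.groupdict()
    try:
        info["family"] = release_key(info["version"])[0]
    except ValueError:
        info["family"] = "unknown"
    return info

def secure_storage_from_running_config(output: str) -> bool:
    """Option 1: show running-config all | include service private-config-encryption.
    Only the exact enabling line counts; 'no service ...', other text or
    empty output means the feature is not enabled."""
    return any(line.strip() == "service private-config-encryption"
               for line in output.splitlines())

def secure_storage_from_encrypt_status(output: str) -> bool:
    """Option 2: show parser encrypt file status | include Feature."""
    m = re.search(r"^\s*Feature:\s*(\w+)\s*$", output, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "enabled"

def triage(show_version: str, running_config_filter: str = "",
           encrypt_status_filter: str = "") -> Dict[str, object]:
    """Combine the checks: which software family and release, and whether
    either Secure Storage test reports the feature as enabled."""
    banner = parse_banner(show_version) or {}
    return {
        "family": banner.get("family", "unknown"),
        "image": banner.get("image"),
        "version": banner.get("version"),
        "release_name": banner.get("name"),
        "secure_storage": (secure_storage_from_running_config(running_config_filter)
                           or secure_storage_from_encrypt_status(encrypt_status_filter)),
    }

if __name__ == "__main__":
    print(triage(IOS_BANNER, "service private-config-encryption"))
    print(triage(IOS_XE_BANNER, "", "Feature:            Disabled"))
```

    release_key is what makes "is this device at or after the release the
    Cisco IOS Software Checker reports as First Fixed" a plain tuple
    comparison, but only within one family: an IOS XE key and a classic IOS
    key are not comparable, which is why the family is carried as the first
    element.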


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS XR
    Software or Cisco NX-OS Software.

Details

  o The Cisco IOS and IOS XE Software Secure Storage feature allows
    administrators to secure critical configuration information by storing it
    in an encrypted form. An affected software release may not perform a
    complete encryption buffer cleanup, which may result in the storage of an
    unencrypted version of the configuration file together with the encrypted
    version. An attacker can take advantage of this vulnerability by
    retrieving the contents of specific memory locations mapped to a storage
    device that is used to store the device configuration.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o For detailed information about affected and fixed software releases,
    consult the Cisco IOS Software Checker.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software
    Checker, that identifies any Cisco Security Advisories that impact a
    specific software release and the earliest release that fixes the
    vulnerabilities described in each advisory ("First Fixed"). If applicable,
    the tool also returns the earliest release that fixes all the
    vulnerabilities described in all the advisories identified ("Combined
    First Fixed").

    Customers can use this tool to perform the following tasks:

       o Initiate a search by choosing one or more releases from a drop-down
         list or uploading a file from a local system for the tool to parse
       o Enter the output of the show version command for the tool to parse
       o Create a custom search by including all previously published Cisco
         Security Advisories, a specific advisory, or all advisories in the
         most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com and enter a
    Cisco IOS or IOS XE Software release (for example, 15.1(4)M2 or 3.13.8S).



    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-info

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --        | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS and IOS XE Software ISDN Interface Denial of Service Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190327-isdn

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCuz74957
                 CSCvk01977

CVE-2019-1752    

CWE-20

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the ISDN functions of Cisco IOS Software and Cisco IOS
    XE Software could allow an unauthenticated, remote attacker to cause the
    device to reload.

    The vulnerability is due to incorrect processing of specific values in the
    Q.931 information elements. An attacker could exploit this vulnerability
    by calling the affected device with specific Q.931 information elements
    being present. An exploit could allow the attacker to cause the device to
    reload, resulting in a denial of service (DoS) condition on an affected
    device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-isdn

    This advisory is part of the March 27, 2019, release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication, which includes 17
    Cisco Security Advisories that describe 19 vulnerabilities. For a complete
    list of the advisories and links to them, see Cisco Event Response: March
    2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects devices that are running a vulnerable version
    of Cisco IOS or IOS XE Software and are configured with an ISDN interface.

    For more information about which Cisco IOS and IOS XE Software releases
    are vulnerable, see the Fixed Software section of this advisory.

    Determining the ISDN Interface

    Administrators can identify devices that have an ISDN interface by using
    the show running-config | include isdn switch-type command in the CLI. The
    following example shows the output of the command on a device with an ISDN
    interface:

        Router#show running-config | include isdn switch-type
        isdn switch-type primary-net5
         isdn switch-type primary-net5
        Router#

    The switch type is irrelevant to the vulnerability and could be any value,
    as shown in the previous example.
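
    The check above is a CLI filter; when configurations are collected off-box
    for a fleet audit, the same test can be run over saved running-config dumps.
    The following Python script is an added example, not Cisco's code or any
    tool referenced by this advisory. It parses a constructed running-config
    sample (not a real device capture) into global and interface-scoped
    "isdn switch-type" statements, reflecting the two indentation levels in the
    advisory's example output, and reports whether an ISDN interface is present
    regardless of the switch-type value.

```python
import re

# Constructed sample of "show running-config" output (not a capture from a
# real device): one global "isdn switch-type" line and one interface-scoped
# line, mirroring the shape of the advisory's example output.
SAMPLE_RUNNING_CONFIG = """\
!
version 15.5
hostname Router
!
isdn switch-type primary-net5
!
controller T1 0/0/0
 pri-group timeslots 1-24
!
interface Serial0/0/0:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-net5
 isdn incoming-voice voice
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""

# Matches "isdn switch-type <type>" at global or interface scope.
_ISDN_SWITCH_RE = re.compile(r"^\s*isdn switch-type\s+(\S+)")


def find_isdn_switch_types(running_config):
    """Locate every 'isdn switch-type' statement in a running-config dump.

    Returns {"global": [type, ...], "interfaces": {ifname: type}}.  Global
    statements start at column 0; interface-level statements are indented
    under their 'interface' stanza, which is why the advisory's example
    shows the same line twice with different indentation.
    """
    result = {"global": [], "interfaces": {}}
    current_if = None
    for line in running_config.splitlines():
        if not line.strip() or line.startswith("!"):
            current_if = None          # "!" or a blank line ends a stanza
            continue
        if not line.startswith(" "):
            # Top-level (global) line; an 'interface' line opens a stanza.
            current_if = None
            if line.startswith("interface "):
                current_if = line.split(None, 1)[1].strip()
            m = _ISDN_SWITCH_RE.match(line)
            if m:
                result["global"].append(m.group(1))
            continue
        # Indented line: belongs to the stanza opened above (if any).
        m = _ISDN_SWITCH_RE.match(line)
        if m and current_if is not None:
            result["interfaces"][current_if] = m.group(1)
    return result


def has_isdn_interface(running_config):
    """True when any 'isdn switch-type' statement is present.  The advisory
    states the switch-type value is irrelevant, so only presence is checked."""
    found = find_isdn_switch_types(running_config)
    return bool(found["global"] or found["interfaces"])


if __name__ == "__main__":
    print(find_isdn_switch_types(SAMPLE_RUNNING_CONFIG))
    print("ISDN interface present:", has_isdn_interface(SAMPLE_RUNNING_CONFIG))
```

    The stanza tracking matters because a global "isdn switch-type" without any
    ISDN interface still counts as exposure under the advisory's wording, while
    the per-interface map tells an operator which interfaces to prioritise when
    scheduling the upgrade.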

    Determining the Cisco IOS Software Release

    To determine which Cisco IOS Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS Software, the system banner displays text similar to
    Cisco Internetwork Operating System Software or Cisco IOS Software. The
    banner also displays the installed image name in parentheses, followed by
    the Cisco IOS Software release number and release name. Some Cisco devices
    do not support the show version command or may provide different output.

    The following example shows the output of the command for a device that is
    running Cisco IOS Software Release 15.5(2)T1 and has an installed image
    name of C2951-UNIVERSALK9-M:

        Router> show version

        Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2015 by Cisco Systems, Inc.
        Compiled Mon 22-Jun-15 09:32 by prod_rel_team




    For information about the naming and numbering conventions for Cisco IOS
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre




    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS XR
    Software or Cisco NX-OS Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/
    tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

     o Initiate a search by choosing one or more releases from a drop-down
       list or uploading a file from a local system for the tool to parse
     o Enter the output of the show version command for the tool to parse
     o Create a custom search by including all previously published Cisco
       Security Advisories, a specific advisory, or all advisories in the
       most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com, or enter a
    Cisco IOS or IOS XE Software release (for example, 15.1(4)M2 or 3.13.8S)
    in the tool's search field.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

    Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will
    require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to
    Release 16.9.1 or later are advised to consider the Smart Licensing
    requirement. The following documentation provides additional information:
    Smart Licensing.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.


Related to This Advisory

  o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-isdn

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --        | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS and IOS XE Software IP Service Level Agreement Denial of Service
Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190327-ipsla-dos

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvf37838

CVE-2019-1737    

CWE-400

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the processing of IP Service Level Agreement (SLA)
    packets by Cisco IOS Software and Cisco IOS XE software could allow an
    unauthenticated, remote attacker to cause an interface wedge and an
    eventual denial of service (DoS) condition on the affected device.

    The vulnerability is due to improper socket resources handling in the IP
    SLA responder application code. An attacker could exploit this
    vulnerability by sending crafted IP SLA packets to an affected device. An
    exploit could allow the attacker to cause an interface to become wedged,
    resulting in an eventual denial of service (DoS) condition on the affected
    device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-ipsla-dos

    This advisory is part of the March 27, 2019, release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication, which includes 17
    Cisco Security Advisories that describe 19 vulnerabilities. For a complete
    list of the advisories and links to them, see Cisco Event Response: March
    2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects routers that are running vulnerable releases of
    Cisco IOS and IOS XE Software and have been configured for IP SLA
    Responder operations.

    For information about which Cisco IOS and IOS XE Software releases are
    vulnerable, see the Fixed Software section of this advisory.

    Determining the IP SLA Configuration

    Administrators can verify whether IP SLA Responder is in use on a device
    by verifying that it is reported as "Enabled" in the output of the show ip
    sla responder CLI command.

    Here is an example of the output of that command on a router configured
    for IP SLA Responder operations:

        Router#show ip sla responder
                        General IP SLA Responder on Control port 1967
                        General IP SLA Responder on Control V2 port 1167
        General IP SLA Responder is: Enabled

    Determining the Cisco IOS Software Release

    To determine which Cisco IOS Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS Software, the system banner displays text similar to
    Cisco Internetwork Operating System Software or Cisco IOS Software. The
    banner also displays the installed image name in parentheses, followed by
    the Cisco IOS Software release number and release name. Some Cisco devices
    do not support the show version command or may provide different output.

    The following example shows the output of the command for a device that is
    running Cisco IOS Software Release 15.5(2)T1 and has an installed image
    name of C2951-UNIVERSALK9-M:

        Router> show version

        Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2015 by Cisco Systems, Inc.
        Compiled Mon 22-Jun-15 09:32 by prod_rel_team




    For information about the naming and numbering conventions for Cisco IOS
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre




    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS XR
    Software or Cisco NX-OS Software.

Details

  o Queue wedges occur when certain packets are received and queued by a Cisco
    IOS or IOS XE router or switch but, due to a processing error, are never
    removed from the queue.

    Consult the Workarounds section of this advisory for more information
    about queue wedges and some detection mechanisms that may be used to
    identify a blocked interface in Cisco IOS Software. Also see the Cisco
    Security Blog Cisco IOS Queue Wedges Explained.

Indicators of Compromise

  o On devices where this vulnerability is exploited, crafted IP SLA packets
    will get stuck in the ingress input queue of the receiving interface and
    eventually wedge the queue. Once this interface is wedged, it will stop
    receiving traffic until the router is reloaded.

Workarounds

  o There are no workarounds that address this vulnerability.

    The following identification mechanisms exist for this vulnerability:

    Embedded Event Manager

    A Cisco IOS Embedded Event Manager (EEM) policy that is based on Tool
    Command Language (Tcl) can be used on vulnerable Cisco IOS devices to
    identify and detect an interface queue wedge that is caused by this
    vulnerability. The policy allows administrators to monitor the interfaces
    of a Cisco IOS device and detect when the interface input queues are full.
    When Cisco IOS EEM detects potential exploitation of this vulnerability,
    the policy can trigger a response by sending an alert to the network
    administrator, who could then decide to implement an upgrade, implement
    suitable mitigations, or reload the device to clear the input queue.

    The Tcl script is available for download at the "Cisco Beyond: Embedded
    Event Manager (EEM) Scripting Community" at the following link:
    https://supportforums.cisco.com/docs/DOC-19337

    For additional information, see the Cisco Security Blog Cisco IOS Queue
    Wedges Explained.
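
    The two checks this advisory describes, the exposure check from the
    "Determining the IP SLA Configuration" section and the queue-wedge indicator
    the EEM policy watches for, can also be run off-box against captured CLI
    output. The following Python script is an added example; it is not Cisco's
    EEM Tcl policy or any other code from the advisory. It assumes the standard
    "Input queue: size/max/drops/flushes" line of the show interfaces command
    (a labelled assumption about IOS output layout) and uses constructed sample
    captures, not real device output.

```python
import re

# Constructed sample captures (not from a real device).  The responder block
# mirrors the advisory's example; the interface block follows the standard
# "show interfaces" layout, in which the input queue is reported as
# "Input queue: size/max/drops/flushes" (assumed layout).
SAMPLE_SLA_RESPONDER = """\
Router#show ip sla responder
                General IP SLA Responder on Control port 1967
                General IP SLA Responder on Control V2 port 1167
General IP SLA Responder is: Enabled
"""

SAMPLE_SHOW_INTERFACES = """\
GigabitEthernet0/0 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is 0000.0c12.3456 (bia 0000.0c12.3456)
  Internet address is 192.0.2.1/24
  Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 0 bits/sec, 0 packets/sec
GigabitEthernet0/1 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is 0000.0c12.3457 (bia 0000.0c12.3457)
  Internet address is 198.51.100.1/24
  Input queue: 3/75/12/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 1000 bits/sec, 2 packets/sec
"""

_RESPONDER_RE = re.compile(r"General IP SLA Responder is:\s*(\w+)")
_IF_HEADER_RE = re.compile(r"^(\S+) is (?:up|down|administratively down)")
_INPUT_QUEUE_RE = re.compile(r"Input queue:\s*(\d+)/(\d+)/(\d+)/(\d+)")


def responder_enabled(show_ip_sla_responder):
    """Exposure check from the advisory: the responder is in use when the
    summary line reports 'Enabled'."""
    m = _RESPONDER_RE.search(show_ip_sla_responder)
    return bool(m) and m.group(1).lower() == "enabled"


def input_queue_status(show_interfaces):
    """Map each interface in 'show interfaces' output to its input-queue
    counters (size, max, drops, flushes)."""
    status = {}
    current = None
    for line in show_interfaces.splitlines():
        header = _IF_HEADER_RE.match(line)
        if header:
            current = header.group(1)
            continue
        q = _INPUT_QUEUE_RE.search(line)
        if q and current:
            size, maximum, drops, flushes = (int(x) for x in q.groups())
            status[current] = {"size": size, "max": maximum,
                               "drops": drops, "flushes": flushes}
    return status


def wedged_interfaces(show_interfaces):
    """Interfaces whose input queue is full (size has reached max), the
    condition the EEM policy in the advisory is described as watching for."""
    return [name for name, q in input_queue_status(show_interfaces).items()
            if q["max"] > 0 and q["size"] >= q["max"]]


if __name__ == "__main__":
    print("IP SLA Responder enabled:", responder_enabled(SAMPLE_SLA_RESPONDER))
    print("Wedged interfaces:", wedged_interfaces(SAMPLE_SHOW_INTERFACES))
```

    A single full-queue snapshot can be transient under heavy load, so treat it
    as a lead rather than proof: the EEM approach polls repeatedly, and a queue
    that stays at its maximum across polls while the interface passes no
    traffic (as GigabitEthernet0/0 does in the sample, with a zero input rate)
    is the stronger match for the indicator of compromise described above.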

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/
    tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

     o Initiate a search by choosing one or more releases from a drop-down
       list or uploading a file from a local system for the tool to parse
     o Enter the output of the show version command for the tool to parse
     o Create a custom search by including all previously published Cisco
       Security Advisories, a specific advisory, or all advisories in the
       most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com, or enter a
    Cisco IOS or IOS XE Software release (for example, 15.1(4)M2 or 3.13.8S)
    in the tool's search field.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

    Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will
    require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to
    Release 16.9.1 or later are advised to consider the Smart Licensing
    requirement. The following documentation provides additional information:
    Smart Licensing.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.


Related to This Advisory

  o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-ipsla-dos

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --        | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS and IOS XE Software Hot Standby Router Protocol Information Leak
Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-20190327-ios-infoleak

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvj98575

CVE-2019-1761    

CWE-665

CVSS Score:
4.3  AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Hot Standby Router Protocol (HSRP) subsystem of
    Cisco IOS and IOS XE Software could allow an unauthenticated, adjacent
    attacker to receive potentially sensitive information from an affected
    device. The vulnerability is due to insufficient memory initialization. An
    attacker could exploit this vulnerability by receiving HSRPv2 traffic from
    an adjacent HSRP member. A successful exploit could allow the attacker to
    receive potentially sensitive information from the adjacent device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-ios-infoleak

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco IOS and IOS XE Software. For information
    about which software releases are vulnerable, see the Fixed Software
    section of this advisory.

    Determining the Cisco IOS Software Release

    To determine which Cisco IOS Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS Software, the system banner displays text similar to
    Cisco Internetwork Operating System Software or Cisco IOS Software. The
    banner also displays the installed image name in parentheses, followed by
    the Cisco IOS Software release number and release name. Some Cisco devices
    do not support the show version command or may provide different output.

    The following example shows the output of the command for a device that is
    running Cisco IOS Software Release 15.5(2)T1 and has an installed image
    name of C2951-UNIVERSALK9-M:

        Router> show version

        Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2015 by Cisco Systems, Inc.
        Compiled Mon 22-Jun-15 09:32 by prod_rel_team




    For information about the naming and numbering conventions for Cisco IOS
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre




    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
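
    The "Determining the Cisco IOS Software Release" and "Determining the Cisco
    IOS XE Software Release" sections, repeated in each advisory of this
    bundle, describe reading the release number and image name from the show
    version banner. The following Python parser is an added example, not
    Cisco's code or the Cisco IOS Software Checker; it extracts those fields
    from captured output so they can be fed to a fleet inventory. The sample
    inputs are the two banners reproduced in the advisory; the rule for
    telling the families apart (a parenthesised maintenance number means
    classic IOS, a dotted number means IOS XE) is an assumed heuristic, since
    the advisory notes the banner text itself can read "Cisco IOS Software" in
    both cases.

```python
import re

# "show version" output as reproduced in the advisory's own examples, with
# the prompt line included so the parser sees realistic captured text.
SAMPLE_IOS_OUTPUT = """\
Router> show version

Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team
"""

SAMPLE_IOS_XE_OUTPUT = """\
ios-xe-device# show version

Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
"""

# Banner line: "<product>, <platform> Software (<IMAGE>), Version <ver>, ..."
_BANNER_RE = re.compile(
    r"^\s*(?P<product>Cisco (?:Internetwork Operating System|IOS(?: XE)?) Software),\s*"
    r"(?P<platform>.+?)\s+\((?P<image>[^)]+)\),\s*"
    r"Version\s+(?P<version>[^,]+)",
    re.MULTILINE,
)
# Assumed heuristic: classic IOS releases carry a parenthesised maintenance
# number (15.5(2)T1, 15.1(4)M2); IOS XE releases are dotted (16.2.1, 3.13.8S).
_CLASSIC_IOS_RE = re.compile(r"^\d+\.\d+\(\d+\)")


def parse_show_version(text):
    """Extract product string, image name, release number and release name
    from captured 'show version' output.  Returns None when no banner line is
    found, which the advisory notes can happen on some devices."""
    m = _BANNER_RE.search(text)
    if not m:
        return None
    parts = m.group("version").strip().split()
    # IOS XE 16.x banners place a release name (e.g. "Denali") before the number.
    release_name = parts[0] if len(parts) > 1 else ""
    release = parts[-1]
    family = "IOS" if _CLASSIC_IOS_RE.match(release) else "IOS XE"
    return {
        "product": m.group("product"),
        "image": m.group("image"),
        "release": release,
        "release_name": release_name,
        "family": family,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_IOS_OUTPUT, SAMPLE_IOS_XE_OUTPUT):
        print(parse_show_version(sample))
```

    The parser returns None rather than guessing when the banner is absent,
    matching the advisory's caveat that some devices do not support show
    version or print different output; such devices need manual review.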


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o For detailed information about affected and fixed software releases,
    consult the Cisco IOS Software Checker.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

     o Initiate a search by choosing one or more releases from a drop-down
       list or uploading a file from a local system for the tool to parse
     o Enter the output of the show version command for the tool to parse
     o Create a custom search by including all previously published Cisco
       Security Advisories, a specific advisory, or all advisories in the
       most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com, or enter a
    Cisco IOS or IOS XE Software release (for example, 15.1(4)M2 or 3.13.8S)
    in the tool's search field.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.


URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-ios-infoleak

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --        | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS and IOS XE Software Cluster Management Protocol Denial of Service
Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190327-cmp-dos

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvj25068
                 CSCvj25124

CVE-2019-1746    

CWE-20

CVSS Score:
7.4  AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Cluster Management Protocol (CMP) processing code
    in Cisco IOS Software and Cisco IOS XE Software could allow an
    unauthenticated, adjacent attacker to trigger a denial of service (DoS)
    condition on an affected device.

    The vulnerability is due to insufficient input validation when processing
    CMP management packets. An attacker could exploit this vulnerability by
    sending malicious CMP management packets to an affected device. A
    successful exploit could cause the switch to crash, resulting in a DoS
    condition. The switch will reload automatically.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-cmp-dos

    This advisory is part of the March 27, 2019, release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication, which includes 17
    Cisco Security Advisories that describe 19 vulnerabilities. For a complete
    list of the advisories and links to them, see Cisco Event Response: March
    2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco Catalyst Switches that are running a
    vulnerable release of Cisco IOS or IOS XE Software when the switch meets
    all the following conditions:

       o CMP is enabled. On some platforms, CMP is enabled by default.
       o The switch is configured to be part of a cluster domain.
       o The switch has a role of command switch or member switch.

    For information about which Cisco IOS and IOS XE Software releases are
    vulnerable, see the Fixed Software section of this advisory.

    Determining Whether the Switch Has a Vulnerable Configuration

    There are two methods for determining whether the switch has a vulnerable
    configuration.

    Option 1: Using the show cluster | include cluster Command

    To determine the status of CMP on a device and verify that it is configured
    to be part of a cluster domain, use the show cluster | include cluster
    privileged EXEC command on the device. The following example shows the
    output of the show cluster | include cluster command on a Cisco Catalyst
    Switch that has CMP enabled and that is also part of a cluster domain.

        SWITCH#show cluster | include cluster
         <ROLE> for cluster <CLUSTER_NAME>

    If this command does not exist, or if it produces any other output, the
    device is not affected by the vulnerability described in this advisory.

    Option 2: Using the show running-config [all] Command

    To determine whether a device is configured with CMP enabled, use the show
    running-config all | include cluster run privileged EXEC command on the
    device. The following example shows the output of the show running-config
    all | include cluster run command on a switch that has CMP enabled:

        SWITCH#show running-config all | include cluster run
          cluster run

    To determine whether a device has been configured to be part of a cluster
    domain either as a command switch or as a member switch, use the show
    running-config | include cluster commander|cluster member privileged EXEC
    command. On a switch that is not a part of a cluster domain, this command
    will result in empty output.

    The following example shows the output of the show running-config |
    include cluster commander|cluster member command on a device that is
    configured to be part of a cluster domain with a role of command switch.

        SWITCH#show running-config | include cluster commander|cluster member
        cluster member <NUMBER> mac-address <MAC-ADDRESS>

    The following example shows the output of the show running-config |
    include cluster commander|cluster member command on a device that is
    configured to be part of a cluster domain with a role of member switch.

        SWITCH#show running-config | include cluster commander|cluster member
        cluster commander-address <MAC-ADDRESS> <CLUSTER-INFORMATION>

    When Option 2 is used to assess the device, it is affected by the
    vulnerability described in this advisory only if both the following
    conditions are true:

       o The output of the show running-config all | include cluster run
         command includes the following exact string:
         cluster run
       o The show running-config | include cluster commander|cluster member
         command does not result in empty output.
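
    The two assessment options above can be applied mechanically to captured
    CLI output. The following is an added example (not Cisco's code and not
    part of the advisory) that implements Option 1 and Option 2 as functions
    over pasted command output; the cluster name, member number and MAC
    address in the sample captures are constructed, and the prompt
    "SWITCH#" is copied from the advisory's examples. It also handles the
    case the advisory's wording implies but does not show: the include
    filter is a substring match, so a disabled "no cluster run" line would
    still be returned and must not be counted as "cluster run".

```python
import re

# Added example, not Cisco's code: implements the advisory's Option 1 and
# Option 2 checks for a vulnerable CMP configuration over captured output.

# Prompt/command line echoed when output is copied from a terminal session,
# e.g. "SWITCH#show cluster | include cluster"; it is not device output.
_PROMPT_RE = re.compile(r"^\S+[#>]\s*show\b")

# Option 1 output format from the advisory: "<ROLE> for cluster <CLUSTER_NAME>"
_CLUSTER_LINE_RE = re.compile(r"^\s*(?P<role>.+?) for cluster (?P<name>.+?)\s*$")


def _device_lines(output: str):
    """Yield non-empty output lines with the echoed prompt line removed."""
    for line in output.splitlines():
        if line.strip() and not _PROMPT_RE.match(line):
            yield line


def option1_assess(show_cluster_output: str):
    """Option 1: 'show cluster | include cluster'.

    Returns (vulnerable, role, cluster_name). Per the advisory the device is
    affected only if the output has the form '<ROLE> for cluster <NAME>';
    empty output, or an error because the command does not exist, means the
    device is not affected.
    """
    for line in _device_lines(show_cluster_output):
        m = _CLUSTER_LINE_RE.match(line)
        if m:
            return True, m.group("role"), m.group("name")
    return False, None, None


def option2_assess(cluster_run_output: str, membership_output: str):
    """Option 2: both conditions must hold.

    1. 'show running-config all | include cluster run' contains the exact
       string 'cluster run'. The disabled form 'no cluster run' also matches
       the include filter, so the whole stripped line is compared.
    2. 'show running-config | include cluster commander|cluster member' is
       not empty: a 'cluster member ...' line on a command switch or a
       'cluster commander-address ...' line on a member switch.
    Returns (vulnerable, cmp_enabled, membership_lines).
    """
    cmp_enabled = any(line.strip() == "cluster run"
                      for line in _device_lines(cluster_run_output))
    membership = [line.strip() for line in _device_lines(membership_output)
                  if line.strip().startswith(("cluster member ",
                                              "cluster commander-address "))]
    return cmp_enabled and bool(membership), cmp_enabled, membership


# Constructed sample captures modelled on the formats shown in the advisory;
# the cluster name, member number and MAC address are made up.
SAMPLE_SHOW_CLUSTER = """SWITCH#show cluster | include cluster
 Command switch for cluster lab-cluster
"""
SAMPLE_CLUSTER_RUN = """SWITCH#show running-config all | include cluster run
  cluster run
"""
SAMPLE_CLUSTER_RUN_DISABLED = """SWITCH#show running-config all | include cluster run
  no cluster run
"""
SAMPLE_MEMBERSHIP = """SWITCH#show running-config | include cluster commander|cluster member
cluster member 1 mac-address 0000.0c00.0001
"""

if __name__ == "__main__":
    print("option 1:", option1_assess(SAMPLE_SHOW_CLUSTER))
    print("option 2:", option2_assess(SAMPLE_CLUSTER_RUN, SAMPLE_MEMBERSHIP))
    print("option 2 (CMP disabled):",
          option2_assess(SAMPLE_CLUSTER_RUN_DISABLED, SAMPLE_MEMBERSHIP))
```

    A switch that either check reports as vulnerable should be upgraded to
    fixed software; until then, the advisory's Workarounds section notes
    that disabling CMP with no cluster run removes the exploit vector.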

    Determining the Cisco IOS Software Release

    To determine which Cisco IOS Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS Software, the system banner displays text similar to
    Cisco Internetwork Operating System Software or Cisco IOS Software. The
    banner also displays the installed image name in parentheses, followed by
    the Cisco IOS Software release number and release name. Some Cisco devices
    do not support the show version command or may provide different output.

    The following example shows the output of the command for a device that is
    running Cisco IOS Software Release 15.5(2)T1 and has an installed image
    name of C2951-UNIVERSALK9-M:

        Router> show version

        Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2015 by Cisco Systems, Inc.
        Compiled Mon 22-Jun-15 09:32 by prod_rel_team

    For information about the naming and numbering conventions for Cisco IOS
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre

    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

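    The banner line described in the two release-determination sections
    above (and in the identical sections of the other advisories in this
    bulletin) has a regular layout that can be parsed rather than read by
    eye. The following added example (not Cisco's code) extracts the image
    name and release from show version output, using the two banner lines
    quoted in the advisory as sample input. The IOS-versus-IOS XE
    classification is an assumption based on the release numbering formats
    the advisory itself uses as examples (15.5(2)T1 and 15.1(4)M2 for Cisco
    IOS; 3.13.8S and Denali 16.2.1 for Cisco IOS XE), not on the banner
    wording, which the advisory says can read "Cisco IOS Software" for both.

```python
import re

# Added example, not Cisco's code: pulls platform, image name and release
# out of the first banner line of 'show version' output.

_BANNER_RE = re.compile(
    r"Cisco IOS(?: XE)? Software,\s*(?P<platform>[^(]+?)\s*"
    r"\((?P<image>[^)]+)\),\s*Version\s+(?P<version>[^,]+),"
)
# IOS XE 16.x releases print a release name before the number ("Denali 16.2.1").
_NAMED_VERSION_RE = re.compile(r"^(?P<name>[A-Za-z]+)\s+(?P<number>\S+)$")
# Assumed heuristics: classic IOS numbering looks like 15.5(2)T1,
# IOS XE numbering looks like 3.13.8S or 16.2.1.
_IOS_NUMBER_RE = re.compile(r"^\d+\.\d+\(\d+\)")
_IOSXE_NUMBER_RE = re.compile(r"^\d+\.\d+\.\d+")


def parse_show_version(output: str):
    """Return a dict describing the banner line, or None if none is found.

    Keys: platform, image, version (as printed), release (number only),
    release_name (None for classic IOS) and family ('IOS', 'IOS XE' or
    'unknown').
    """
    for line in output.splitlines():
        m = _BANNER_RE.search(line)
        if not m:
            continue
        version = m.group("version").strip()
        named = _NAMED_VERSION_RE.match(version)
        number = named.group("number") if named else version
        name = named.group("name") if named else None
        if _IOS_NUMBER_RE.match(number):
            family = "IOS"
        elif _IOSXE_NUMBER_RE.match(number):
            family = "IOS XE"
        else:
            family = "unknown"
        return {
            "platform": m.group("platform").strip(),
            "image": m.group("image"),
            "version": version,
            "release": number,
            "release_name": name,
            "family": family,
        }
    return None


# Sample input: the two 'show version' excerpts quoted in the advisory.
SAMPLE_IOS = """Router> show version

Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team
"""
SAMPLE_IOSXE = """ios-xe-device# show version

Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
"""

if __name__ == "__main__":
    print(parse_show_version(SAMPLE_IOS))
    print(parse_show_version(SAMPLE_IOSXE))
```

    The release string this returns is the value to feed to the Cisco IOS
    Software Checker described in the Fixed Software section; the tool also
    accepts the raw show version output directly.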

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS XR
    Software or Cisco NX-OS Software.

Details

  o CMP is a collection of underlying technologies that facilitate the
    management of a group of switches with use of a single IP address.

    In each cluster, there is a master switch called the command switch, and
    the rest of the switches serve as member switches. The command switch
    provides the primary management interface for the entire cluster. Switches
    within a cluster domain use CMP to perform all signaling and configuration
    operations. CMP uses encapsulated Ethernet frames that contain a
    Subnetwork Access Protocol (SNAP) header with the Cisco Organizationally
    Unique Identifier (OUI) and CMP protocol identifier.

    The vulnerability is due to insufficient input validation when processing
    CMP management packets. Due to the Layer 2 nature of CMP, only an attacker
    with access to the local network segment on which the targeted device
    resides could exploit the vulnerability described in this advisory. A
    successful exploit could cause the switch to crash, resulting in a DoS
    condition. The switch will reload automatically.

Indicators of Compromise

  o Exploitation of this vulnerability could cause the affected switch to
    generate error messages similar to the following:

        Mar 22 2019 10:18:29.180 EST: %DATACORRUPTION-CLUSTER_MEMBER_2-1-DATAINCONSISTENCY: copy error,  -PC= 0x2A9E20z
        -Traceback= 463F74z 486D64z 2B8F2D8z 2A9E20z 2A7C74z 2A7EE8z 297DD08z 297A088z
        Mar 22 2019 10:18:33.385 EST: %SYS-CLUSTER_MEMBER_2-3-TIMERNEG: Cannot start timer (0x48D3988) with negative offset (-805296368). -Process= "Cluster Base", ipl= 0, pid= 281
        -Traceback= 463F74z 1F22304z 2A17DCz 297DD08z 297A088z
        Unexpected exception to CPU vector 1 (undefined instruction), PC = 2
        -Traceback= 0x2z 0x31EC60z 0x1655CF4z

    The values printed after the -Traceback= text are version dependent.
    Customers are advised to contact their support organization to review the
    error messages and determine whether the device has been compromised by
    exploitation of this vulnerability.
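
    The three messages above are concrete enough to match in a log pipeline
    without depending on the version-specific traceback values. The following
    added example (not Cisco's code) scans syslog lines for those indicators;
    the indicator lines in the sample log are the ones quoted in the advisory
    and the benign lines around them are constructed.

```python
import re

# Added example, not Cisco's code: flags syslog lines that match the
# indicator messages listed in the advisory. The -Traceback= values are
# version dependent, so the patterns deliberately do not include them.

IOC_PATTERNS = {
    "cmp-datainconsistency": re.compile(
        r"%DATACORRUPTION-CLUSTER_MEMBER_\d+-1-DATAINCONSISTENCY: copy error"),
    "cmp-timerneg-cluster-base": re.compile(
        r'%SYS-CLUSTER_MEMBER_\d+-3-TIMERNEG: .*-Process= "Cluster Base"'),
    "cpu-undefined-instruction": re.compile(
        r"Unexpected exception to CPU vector 1 \(undefined instruction\)"),
}


def scan_syslog(lines):
    """Return [(line_number, indicator_name, line)] for each matching line."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in IOC_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name, line.rstrip()))
                break
    return hits


def verdict(hits):
    """Summarise the hits. The advisory's guidance is to have the support
    organisation review the messages, not to conclude from them alone."""
    if not hits:
        return "no CMP indicators found"
    names = sorted({name for _, name, _ in hits})
    return "possible CMP exploitation (%s); review with support" % ", ".join(names)


# Sample log: the indicator messages quoted in the advisory, interleaved with
# constructed benign lines (192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    "Mar 22 2019 10:15:01.000 EST: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "Mar 22 2019 10:18:29.180 EST: %DATACORRUPTION-CLUSTER_MEMBER_2-1-DATAINCONSISTENCY: copy error,  -PC= 0x2A9E20z",
    "-Traceback= 463F74z 486D64z 2B8F2D8z 2A9E20z 2A7C74z 2A7EE8z 297DD08z 297A088z",
    "Mar 22 2019 10:18:33.385 EST: %SYS-CLUSTER_MEMBER_2-3-TIMERNEG: Cannot start timer (0x48D3988) with negative offset (-805296368). -Process= \"Cluster Base\", ipl= 0, pid= 281",
    "-Traceback= 463F74z 1F22304z 2A17DCz 297DD08z 297A088z",
    "Unexpected exception to CPU vector 1 (undefined instruction), PC = 2",
    "-Traceback= 0x2z 0x31EC60z 0x1655CF4z",
    "Mar 22 2019 10:20:10.000 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up",
]

if __name__ == "__main__":
    for lineno, name, line in scan_syslog(SAMPLE_LOG):
        print(lineno, name, line)
    print(verdict(scan_syslog(SAMPLE_LOG)))
```

    A hit is a reason to pull the full message sequence and involve the
    support organisation, as the advisory advises; a switch that has crashed
    and reloaded for an unrelated reason will not produce the Cluster Base
    messages, which is why the patterns key on those rather than on the
    generic CPU exception alone.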

Workarounds

  o There are no workarounds that address this vulnerability.

    Disabling CMP would eliminate the exploit vector. Administrators can
    disable CMP by using the no cluster run command in global configuration
    mode. This action may be a suitable mitigation until switches that are
    affected by this vulnerability can be upgraded.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/
    tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    which identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

       o Initiate a search by choosing one or more releases from a drop-down
         list or uploading a file from a local system for the tool to parse
       o Enter the output of the show version command for the tool to parse
       o Create a custom search by including all previously published Cisco
         Security Advisories, a specific advisory, or all advisories in the
         most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com and enter a
    Cisco IOS or IOS XE Software release (for example, 15.1(4)M2 or 3.13.8S)
    in the tool's search field.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

    Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will
    require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to
    Release 16.9.1 or later are advised to consider the Smart Licensing
    requirement. The following documentation provides additional information:
    Smart Licensing.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Related to This Advisory

  o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-cmp-dos

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --       | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS XE Software Privilege Escalation Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190327-iosxe-pe

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvi42203

CVE-2019-1753    

CWE-20

CVSS Score:
8.8  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web UI of Cisco IOS XE Software could allow an
    authenticated but unprivileged (level 1), remote attacker to run
    privileged Cisco IOS commands by using the web UI.

    The vulnerability is due to a failure to validate and sanitize input in
    Web Services Management Agent (WSMA) functions. An attacker could exploit
    this vulnerability by submitting a malicious payload to the affected
    device's web UI. A successful exploit could allow the lower-privileged
    attacker to execute arbitrary commands with higher privileges on the
    affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-iosxe-pe

    This advisory is part of the March 27, 2019, release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication, which includes 17
    Cisco Security Advisories that describe 19 vulnerabilities. For a complete
    list of the advisories and links to them, see Cisco Event Response: March
    2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco devices that are running an affected
    release of Cisco IOS XE Software with the web server feature enabled.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Assessing the HTTP Server Configuration

    To determine whether the HTTP Server feature is enabled for a device,
    administrators can log in to the device and use the show running-config |
    include http (secure|server) command in the CLI to check for the presence
    of the ip http server command or the ip http secure-server command in the
    global configuration. If either command is present and configured, the
    HTTP Server feature is enabled for the device.

    The following example shows the output of the show running-config |
    include http (secure|server) command for a router that has the HTTP Server
    feature enabled:

        Router# show running-config | include http (secure|server)

        ip http server
        ip http secure-server

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre

    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/
    tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    which identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

       o Initiate a search by choosing one or more releases from a drop-down
         list or uploading a file from a local system for the tool to parse
       o Enter the output of the show version command for the tool to parse
       o Create a custom search by including all previously published Cisco
         Security Advisories, a specific advisory, or all advisories in the
         most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com and enter a
    Cisco IOS or IOS XE Software release (for example, 15.1(4)M2 or 3.13.8S)
    in the tool's search field.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

    Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will
    require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to
    Release 16.9.1 or later are advised to consider the Smart Licensing
    requirement. The following documentation provides additional information:
    Smart Licensing.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Related to This Advisory

  o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-iosxe-pe

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --       | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS XE Software Privilege Escalation Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190327-iosxe-privesc

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvi36813

CVE-2019-1754    

CWE-20

CVSS Score:
8.8  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the authorization subsystem of Cisco IOS XE Software
    could allow an authenticated but unprivileged (level 1), remote attacker
    to run privileged Cisco IOS commands by using the web UI.

    The vulnerability is due to improper validation of user privileges of web
    UI users. An attacker could exploit this vulnerability by submitting a
    malicious payload to a specific endpoint in the web UI. A successful
    exploit could allow the lower-privileged attacker to execute arbitrary
    commands with higher privileges on the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-iosxe-privesc

    This advisory is part of the March 27, 2019, release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication, which includes 17
    Cisco Security Advisories that describe 19 vulnerabilities. For a complete
    list of the advisories and links to them, see Cisco Event Response: March
    2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco devices that are running an affected
    release of Cisco IOS XE Software with the web server feature enabled.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Assessing the HTTP Server Configuration

    To determine whether the HTTP Server feature is enabled for a device,
    administrators can log in to the device and use the show running-config |
    include http (secure|server) command in the CLI to check for the presence
    of the ip http server command or the ip http secure-server command in the
    global configuration. If either command is present and configured, the
    HTTP Server feature is enabled for the device.

    The following example shows the output of the show running-config |
    include http (secure|server) command for a router that has the HTTP Server
    feature enabled:

        Router# show running-config | include http (secure|server)

        ip http server
        ip http secure-server

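    The HTTP Server check above, which appears in identical form in both
    cisco-sa-20190327-iosxe-pe and cisco-sa-20190327-iosxe-privesc, turns on
    one detail worth automating correctly: the include filter is a substring
    match, so it also returns lines that do not enable the feature, such as
    the disabled form no ip http server or an ip http secure-trustpoint line.
    The following added example (not Cisco's code) evaluates the captured
    output and counts only the two enabling commands the advisory names; the
    enabled sample is the output quoted in the advisory and the disabled
    sample is constructed.

```python
import re

# Added example, not Cisco's code: evaluates the advisory's HTTP Server check
# over captured output of
#   show running-config | include http (secure|server)

_PROMPT_RE = re.compile(r"^\S+[#>]\s*show\b")

# Only these two global configuration commands enable the feature. The
# include filter is a substring match, so the captured output can also hold
# 'no ip http server' (disabled form) or 'ip http secure-trustpoint ...',
# neither of which enables anything.
_ENABLING = {
    "ip http server": "http",
    "ip http secure-server": "https",
}


def http_server_status(output: str):
    """Return the set of enabled listeners: a subset of {'http', 'https'}."""
    enabled = set()
    for line in output.splitlines():
        cmd = line.strip()
        if not cmd or _PROMPT_RE.match(cmd):
            continue
        if cmd in _ENABLING:
            enabled.add(_ENABLING[cmd])
    return enabled


def is_exposed(output: str):
    """Per the advisory, the HTTP Server feature is enabled, and the device is
    exposed to these web UI vulnerabilities, if either command is present."""
    return bool(http_server_status(output))


# Sample captures: the enabled case is the output quoted in the advisory;
# the disabled case is constructed and includes two lines the include
# filter returns that must not count as enabling the feature.
SAMPLE_ENABLED = """Router# show running-config | include http (secure|server)

ip http server
ip http secure-server
"""
SAMPLE_DISABLED = """Router# show running-config | include http (secure|server)

no ip http server
no ip http secure-server
ip http secure-trustpoint TP-self-signed-1
"""

if __name__ == "__main__":
    for name, capture in (("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED)):
        print(name, http_server_status(capture), "exposed:", is_exposed(capture))
```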
    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre

    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/
    tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    which identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

       o Initiate a search by choosing one or more releases from a drop-down
         list or uploading a file from a local system for the tool to parse
       o Enter the output of the show version command for the tool to parse
       o Create a custom search by including all previously published Cisco
         Security Advisories, a specific advisory, or all advisories in the
         most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
    Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in
    the following field:



    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

    Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will
    require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to
    Release 16.9.1 or later are advised to consider the Smart Licensing
    requirement. The following documentation provides additional information:
    Smart Licensing.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.


Related to This Advisory

  o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-iosxe-privesc

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --       | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS XE Software Performance Routing Version 3 Denial of Service
Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-20190327-pfrv3

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvj55896

CVE-2019-1760    

CWE-20

CVSS Score:
6.8  AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in Performance Routing Version 3 (PfRv3) of Cisco IOS XE
    Software could allow an unauthenticated, remote attacker to cause the
    affected device to reload.

    The vulnerability is due to the processing of malformed smart probe
    packets. An attacker could exploit this vulnerability by sending specially
    crafted smart probe packets at the affected device. A successful exploit
    could allow the attacker to reload the device, resulting in a denial of
    service (DoS) attack on an affected system.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-pfrv3

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco devices that are running a vulnerable
    release of Cisco IOS XE Software if the performance routing version 3
    (PfRv3) feature is enabled.

    For information about which software releases are vulnerable, see the 
    Fixed Software section of this advisory.

    Assessing the PfRv3 Configuration

    To determine whether the PfRv3 feature is enabled for a device,
    administrators can log in to the device and use the show running-config |
    include ^domain command in the CLI to check for the presence of the domain
    <domain-name> command in the global configuration.

    The following example shows the output of the show running-config |
    include ^domain command for a router that has the PfRv3 feature enabled:

        IWAN_Router#show run | include ^domain
        domain iwan
        IWAN_Router#

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre




    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Details

  o Although the exploit is triggered with a crafted smart probe packet, it is
    recommended that administrators deploy PfRv3 with tunnel protection
    enabled, which makes it difficult to inject the smart probe packet into
    the network to achieve exploitation.

    This vulnerability is caused by a software regression that only affects
    Cisco IOS XE Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o For detailed information about affected and fixed software releases,
    consult the Cisco IOS Software Checker.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

       Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
       Enter the output of the show version command for the tool to parse
       Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the
        most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
    Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in
    the following field:



    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-pfrv3

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --       | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS XE Software Information Disclosure Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190327-xeid

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvi36797

CVE-2019-1742    

CWE-16

CVSS Score:
7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web UI of Cisco IOS XE Software could allow an
    unauthenticated, remote attacker to access sensitive configuration
    information.

    The vulnerability is due to improper access control to files within the
    web UI. An attacker could exploit this vulnerability by sending a
    malicious request to an affected device. A successful exploit could allow
    the attacker to gain access to sensitive configuration information.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-xeid

    This advisory is part of the March 27, 2019, release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication, which includes 17
    Cisco Security Advisories that describe 19 vulnerabilities. For a complete
    list of the advisories and links to them, see Cisco Event Response: March
    2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco devices that are running an affected
    release of Cisco IOS XE Software with the web server feature enabled.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Assessing the HTTP Server Configuration

    To determine whether the HTTP Server feature is enabled for a device,
    administrators can log in to the device and use the show running-config |
    include http (secure|server) command in the CLI to check for the presence
    of the ip http server command or the ip http secure-server command in the
    global configuration. If either command is present and configured, the
    HTTP Server feature is enabled for the device.

    The following example shows the output of the show running-config |
    include http (secure|server) command for a router that has the HTTP Server
    feature enabled:

        Router# show running-config | include http (secure|server)

        ip http server
        ip http secure-server

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre




    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/
    tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

       Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
       Enter the output of the show version command for the tool to parse
       Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the
        most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
    Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in
    the following field:



    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

    Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will
    require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to
    Release 16.9.1 or later are advised to consider the Smart Licensing
    requirement. The following documentation provides additional information:
    Smart Licensing.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.


Related to This Advisory

  o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-xeid

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --       | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS XE Software Gigabit Ethernet Management Interface Access Control List
Bypass Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-20190327-mgmtacl

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvk47405
                 CSCvm97704

CVE-2019-1759    

CWE-284

CVSS Score:
5.3  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in access control list (ACL) functionality of the Gigabit
    Ethernet Management interface of Cisco IOS XE Software could allow an
    unauthenticated, remote attacker to reach the configured IP addresses on
    the Gigabit Ethernet Management interface.

    The vulnerability is due to a logic error that was introduced in the Cisco
    IOS XE Software 16.1.1 Release, which prevents the ACL from working when
    applied against the management interface. An attacker could exploit this
    issue by attempting to access the device via the management interface.

    Cisco has released software updates that address this vulnerability. There
    are partial workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-mgmtacl

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco devices that are running a vulnerable
    16.x release of Cisco IOS XE Software and are configured with an access
    control list (ACL) on the Gigabit Ethernet Management interface. This
    vulnerability was introduced in Cisco IOS XE Software Release 16.1.1.

    For information about which software releases are vulnerable, see the 
    Fixed Software section of this advisory.

    Assessing the Gigabit Ethernet Management Interface

    To determine whether the Gigabit Ethernet Management interface
    configuration is affected, administrators can log in to the device and use
    the show running-config | section interface GigabitEthernet0$ command in
    the CLI to check for the presence of the ip access-group command or the 
    ipv6 traffic-filter command. If either command is present and configured,
    the device has an affected configuration.

    The following example shows the output of the show running-config |
    section interface GigabitEthernet0$ command for a router that has an
    affected configuration:

        Router# sh running-config | section interface GigabitEthernet0$
        interface GigabitEthernet0
         vrf forwarding Mgmt-intf
         ip address 192.168.1.1 255.255.255.0
         ip access-group 100 in
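    The configuration checks in this bundle (the show running-config | include
    ^domain check for PfRv3, the show running-config | include http
    (secure|server) check for the web UI, and the show running-config | section
    interface GigabitEthernet0$ check above), together with the show version
    step, can be run offline over output saved from each device. The following
    Python script is an added example and is not Cisco's code: it emulates the
    IOS "| include" and "| section" output filters over constructed sample
    output modelled on the advisory examples, and flags a 16.x release that has
    an ACL applied on GigabitEthernet0 as a candidate for this advisory. The
    helper names (assess, section, include, parse_show_version) are the
    example's own. Its treatment of a dotted three-part release such as 16.2.1
    as IOS XE and of the 15.1(4)M2 form as classic IOS is a heuristic assumption
    of the example, not a rule stated in the advisory; the Cisco IOS Software
    Checker remains the authority on which releases are fixed.

```python
"""Offline exposure triage over saved `show version` and `show running-config`
output, re-implementing the CLI filters the advisories use.

Added example, not Cisco's code. Sample output below is constructed and
modelled on the advisory examples.
"""
import re
from typing import Dict, List, Optional

SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
"""

SAMPLE_RUNNING_CONFIG = """\
domain iwan
!
ip http server
ip http secure-server
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.1 255.255.255.0
!
"""

RELEASE_RE = re.compile(
    r"Version (?:[A-Za-z]+ )?"          # optional train name such as "Denali"
    r"(\d+\.\d+\(\d+\)[A-Za-z0-9]*"     # classic IOS form, e.g. 15.1(4)M2
    r"|\d+(?:\.\d+)+[A-Za-z]*)"         # IOS XE form, e.g. 16.2.1 or 3.13.8S
)
IMAGE_RE = re.compile(r"\(([A-Z][A-Z0-9_\-]+)\)")  # image name in parentheses


def parse_show_version(text: str) -> Dict[str, object]:
    """Pull the image name and release string out of the show version banner."""
    banner = next((l for l in text.splitlines() if l.startswith("Cisco IOS")), "")
    rel = RELEASE_RE.search(banner)
    img = IMAGE_RE.search(banner)
    release: Optional[str] = rel.group(1) if rel else None
    return {
        "image": img.group(1) if img else None,
        "release": release,
        "train": int(release.split(".")[0]) if release else None,
        # Heuristic assumption of this example: dotted releases are IOS XE,
        # the 15.1(4)M2 form is classic IOS.
        "looks_like_ios_xe": bool(release) and "(" not in release,
    }


def include(config: str, pattern: str) -> List[str]:
    """Emulate `show running-config | include <regex>`."""
    return [l for l in config.splitlines() if re.search(pattern, l)]


def section(config: str, header_pattern: str) -> List[str]:
    """Emulate `show running-config | section <regex>`: every top-level command
    whose line matches, together with its indented sub-commands."""
    out: List[str] = []
    keep = False
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # a new top-level command starts a new block
            keep = re.search(header_pattern, line) is not None
        if keep:
            out.append(line)
    return out


def assess(show_version: str, running_config: str) -> Dict[str, object]:
    """Apply the three advisories' configuration checks to one device."""
    ver = parse_show_version(show_version)
    mgmt = section(running_config, r"^interface GigabitEthernet0$")
    mgmt_acl = any(re.match(r"\s+(ip access-group|ipv6 traffic-filter)\s", l) for l in mgmt)
    return {
        "image": ver["image"],
        "release": ver["release"],
        "pfrv3_enabled": bool(include(running_config, r"^domain \S+")),
        "http_server_enabled": bool(include(running_config, r"^ip http (secure-)?server$")),
        "mgmt_acl_applied": mgmt_acl,
        # cisco-sa-20190327-mgmtacl affects 16.x releases from 16.1.1 up to the
        # first fixed release; this is a candidate flag, not a fixed-release check.
        "mgmt_acl_bypass_candidate": mgmt_acl and ver["looks_like_ios_xe"] and ver["train"] == 16,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG).items():
        print(f"{key:28} {value}")
```

    Run against the constructed sample, the script reports the device as
    having PfRv3 and the HTTP server enabled and an ACL applied on the
    management interface of a 16.x release, which is exactly the set of
    conditions the three advisories ask administrators to look for; the
    candidate flag still has to be checked against the Cisco IOS Software
    Checker for the first fixed release.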

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre




    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Details

  o If an access list is applied to the Gigabit Ethernet Management interface,
    it is not evaluated on Cisco IOS XE Software releases from Release 16.1.1
    up to the first fixed release, so the ACL is bypassed.

    All platforms are addressed under Cisco Bug ID CSCvk47405 with the
    exception of Cisco Catalyst 9200 Series Switches, which are addressed
    under Cisco Bug ID CSCvm97704.

Workarounds

  o For features that leverage the TTYs, administrators can apply an access
    control list to all VTY lines, which will mitigate this vulnerability for
    those applications as shown in the following example: 

        !
        ! Create the Access Control List
        !
        ip access-list standard Mgmt-Int-ACL
         remark *** Allow Trusted Hosts ***
         permit 192.168.0.1
         remark *** Deny all Others ***
         deny   any
        !
        ! Apply the ACL to the VTY lines
        !
        line vty 0 4
         access-class Mgmt-Int-ACL in
        !
        ! Apply the ACL to the HTTP server (if enabled)
        !
        ip http access-class ipv4 Mgmt-Int-ACL


    For applications that are accessible on the device but do not use the
    TTYs, application-specific ACLs (where supported) would have to be
    configured. One example is the HTTP server, if it is enabled. To apply an
    HTTP server ACL, see the following example:

        !
        ! Create the Access Control List
        !
        ip access-list standard Mgmt-Int-ACL
         remark *** Allow Trusted Hosts ***
         permit 192.168.0.1
         remark *** Deny all Others ***
         deny   any
        !
        ! Apply the ACL to the HTTP server (if enabled)
        !
        ip http access-class ipv4 Mgmt-Int-ACL


    Applications that are accessible on the device that do not require a TTY
    to be allocated and do not support application-specific ACLs are still
    exposed. Two examples are TFTP and FTP.
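    To confirm which hosts the workaround above would still admit to the VTY
    lines or the HTTP server, the ACL can be evaluated offline. The following
    Python script is an added example and is not Cisco's code: it parses a
    named standard ACL in the form shown above and applies IOS standard-ACL
    semantics (entries tried in order, first match decides, implicit deny for
    anything unmatched), including the wildcard-mask form of an entry that the
    advisory's example does not use. The helper names (parse_standard_acl,
    evaluate, permitted_sources) and the candidate addresses are the example's
    own.

```python
"""Evaluate a Cisco IOS named standard ACL against candidate source addresses.

Added example, not Cisco's code. The ACL text is a constructed copy of the
workaround in the advisory; the candidate addresses are constructed.
"""
import ipaddress
import re
from typing import List, Tuple

WORKAROUND_ACL = """\
ip access-list standard Mgmt-Int-ACL
 remark *** Allow Trusted Hosts ***
 permit 192.168.0.1
 remark *** Deny all Others ***
 deny   any
"""

ALL_ONES = 0xFFFFFFFF
Entry = Tuple[str, int, int]  # (action, base address, wildcard mask), addresses as integers


def parse_standard_acl(text: str) -> Tuple[str, List[Entry]]:
    """Parse `ip access-list standard <name>` and its permit/deny lines.

    Accepted source forms: `any`, `host A.B.C.D`, a bare `A.B.C.D` (one host,
    as in the advisory) and `A.B.C.D W.W.W.W` with an IOS wildcard mask, in
    which a 1 bit means "don't care"; non-contiguous wildcards work as well.
    """
    lines = [l for l in text.strip().splitlines() if l.strip()]
    head = re.match(r"ip access-list standard (\S+)$", lines[0].strip())
    if not head:
        raise ValueError("not a named standard ACL")
    entries: List[Entry] = []
    for line in lines[1:]:
        action, *args = line.split()
        if action == "remark":
            continue
        if action not in ("permit", "deny") or not args:
            raise ValueError(f"unexpected ACL line: {line!r}")
        if args == ["any"]:
            base, wildcard = 0, ALL_ONES
        elif args[0] == "host":
            base, wildcard = int(ipaddress.IPv4Address(args[1])), 0
        elif len(args) == 2:
            base = int(ipaddress.IPv4Address(args[0]))
            wildcard = int(ipaddress.IPv4Address(args[1]))
        else:
            base, wildcard = int(ipaddress.IPv4Address(args[0])), 0
        entries.append((action, base, wildcard))
    return head.group(1), entries


def evaluate(entries: List[Entry], source: str) -> str:
    """Return 'permit' or 'deny' for one source address, first match wins."""
    addr = int(ipaddress.IPv4Address(source))
    for action, base, wildcard in entries:
        # Bits covered by the wildcard are ignored; all other bits must be equal.
        if ((addr ^ base) & (ALL_ONES ^ wildcard)) == 0:
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


def permitted_sources(acl_text: str, candidates: List[str]) -> List[str]:
    """The candidate hosts that would still reach a line or service the ACL protects."""
    _, entries = parse_standard_acl(acl_text)
    return [s for s in candidates if evaluate(entries, s) == "permit"]


if __name__ == "__main__":
    sample_hosts = ["192.168.0.1", "192.168.0.2", "10.0.0.5"]  # constructed
    print("permitted:", permitted_sources(WORKAROUND_ACL, sample_hosts))
```

    The result only describes services that honour access-class or ip http
    access-class; as the advisory notes, services such as TFTP and FTP that
    need no TTY and support no application-specific ACL are not covered by
    this workaround on an affected release.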

Fixed Software

  o For detailed information about affected and fixed software releases,
    consult the Cisco IOS Software Checker.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

       Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
       Enter the output of the show version command for the tool to parse
       Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the
        most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
    Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in
    the following field:



    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.


URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-mgmtacl

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --       | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS XE Software Encrypted Traffic Analytics Denial of Service
Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190327-eta-dos

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvi77889

CVE-2019-1741    

CWE-20

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Cisco Encrypted Traffic Analytics (ETA) feature of
    Cisco IOS XE Software could allow an unauthenticated, remote attacker to
    cause a denial of service (DoS) condition.

    The vulnerability is due to a logic error that exists when handling a
    malformed incoming packet, leading to access to an internal data structure
    after it has been freed. An attacker could exploit this vulnerability by
    sending crafted, malformed IP packets to an affected device. A successful
    exploit could allow the attacker to cause an affected device to reload,
    resulting in a DoS condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-eta-dos

    This advisory is part of the March 27, 2019, release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication, which includes 17
    Cisco Security Advisories that describe 19 vulnerabilities. For a complete
    list of the advisories and links to them, see Cisco Event Response: March
    2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco devices that are running a vulnerable
    release of Cisco IOS XE Software and are configured to use the Cisco ETA
    feature.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Assessing the Cisco Encrypted Traffic Analytics Configuration

    Administrators can verify whether a device is configured for ETA operation
    by using the show platform software et-analytics global CLI command. If
    ETA is configured, the command lists the configured interfaces in its
    output.

    Here is an example of a device where ETA operation has been configured on
    the GigabitEthernet0/0/0 interface:

        bsns-4331-4#show platform software et-analytics global
        ET-Analytics Global state
        =========================
         All Interfaces   : Off
         IP Flow-record Destination: 192.0.2.2: 2055
         Inactive timer: 15

        ET-Analytics interfaces
        =========================
         GigabitEthernet0/0/0

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre




    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Details

  o A vulnerability exists in the logic that is used by the Cisco ETA feature
    when processing malformed inbound packets on an interface configured for
    Cisco ETA operations. The logic error could cause an internal data
    structure to be freed while processing the packet. When the processing
    requires accessing the freed structure, an error occurs, and the device
    reloads.

Indicators of Compromise

  o Exploitation of this vulnerability will cause an affected device to reload
    and generate a core file.

    Contact the Cisco Technical Assistance Center (TAC) to review the core
    file and determine whether the device has been compromised by exploitation
    of this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/
    tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

       o Initiate a search by choosing one or more releases from a drop-down
         list or uploading a file from a local system for the tool to parse
       o Enter the output of the show version command for the tool to parse
       o Create a custom search by including all previously published Cisco
         Security Advisories, a specific advisory, or all advisories in the
         most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
    Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in
    the following field:



    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

    Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will
    require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to
    Release 16.9.1 or later are advised to consider the Smart Licensing
    requirement. The following documentation provides additional information:
    Smart Licensing.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.


Related to This Advisory

  o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-eta-dos

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --       | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS XE Software Command Injection Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190327-iosxe-cmdinj

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvi36824

CVE-2019-1755    

CWE-20

CVSS Score:
6.5  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Web Services Management Agent (WSMA) function of
    Cisco IOS XE Software could allow an authenticated, remote attacker to
    execute arbitrary Cisco IOS commands as a privilege level 15 user.

    The vulnerability occurs because the affected software improperly
    sanitizes user-supplied input. An attacker could exploit this
    vulnerability by submitting crafted HTTP requests to the targeted
    application. A successful exploit could allow the attacker to execute
    arbitrary commands on the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-iosxe-cmdinj

    This advisory is part of the March 27, 2019, release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication, which includes 17
    Cisco Security Advisories that describe 19 vulnerabilities. For a complete
    list of the advisories and links to them, see Cisco Event Response: March
    2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco devices that are running an affected
    release of Cisco IOS XE Software with the web server feature enabled.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Assessing the HTTP Server Configuration

    To determine whether the HTTP Server feature is enabled for a device,
    administrators can log in to the device and use the show running-config |
    include http (secure|server) command in the CLI to check for the presence
    of the ip http server command or the ip http secure-server command in the
    global configuration. If either command is present and configured, the
    HTTP Server feature is enabled for the device.

    The following example shows the output of the show running-config |
    include http (secure|server) command for a router that has the HTTP Server
    feature enabled:

        Router# show running-config | include http (secure|server)

        ip http server
        ip http secure-server

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre




    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
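    The configuration checks described in these advisories (the ET-Analytics
    interface list from the cisco-sa-20190327-eta-dos advisory above, the
    ip http server / ip http secure-server lines, and the show version banner)
    can be applied to captured CLI output in bulk. The following Python is an
    added example and not Cisco's code: the sample outputs are constructed from
    the advisories' own examples, the handling of an "All Interfaces : On"
    value and the release-format heuristic are assumptions, and it only
    decides whether a device meets each advisory's platform and configuration
    prerequisites; whether a given release is fixed still has to come from the
    Cisco IOS Software Checker.

```python
"""Exposure pre-check driven by captured CLI output (added example, not Cisco's
code). It applies the configuration checks the advisories describe; it does
not know which releases are fixed, which the Cisco IOS Software Checker does."""
import re

# Constructed sample output, modelled on the advisory examples (not a real capture).
ETA_OUTPUT = """\
ET-Analytics Global state
=========================
 All Interfaces   : Off
 IP Flow-record Destination: 192.0.2.2: 2055
 Inactive timer: 15

ET-Analytics interfaces
=========================
 GigabitEthernet0/0/0
"""
HTTP_OUTPUT = "ip http server\nip http secure-server\n"
VERSION_OUTPUT = """\
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
"""

_IFACE_RE = re.compile(r"^[A-Za-z][A-Za-z-]*\d[\d/.:]*$")  # e.g. GigabitEthernet0/0/0
_HTTP_RE = re.compile(r"^ip http (server|secure-server)\s*$")
# "Version Denali 16.2.1" or "Version 15.1(4)M2": optional code name, then the release.
_VERSION_RE = re.compile(r"\bVersion\s+(?:[A-Za-z]+\s+)?([0-9][0-9.()A-Za-z]*)")
_IMAGE_RE = re.compile(r"\(([A-Z0-9_-]+-M)\)")


def eta_interfaces(output):
    """Interfaces listed under 'ET-Analytics interfaces' (empty when none)."""
    ifaces, in_section = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("ET-Analytics interfaces"):
            in_section = True
        elif in_section and _IFACE_RE.match(line):
            ifaces.append(line)
        elif in_section and line and not line.startswith("="):
            break  # some other section started
    return ifaces


def eta_configured(output):
    """ETA is in use if any interface is listed, or (assumed form; the advisory
    only shows the Off case) the global 'All Interfaces' switch reads On."""
    m = re.search(r"All Interfaces\s*:\s*(\w+)", output)
    all_on = bool(m) and m.group(1).lower() == "on"
    return all_on or bool(eta_interfaces(output))


def http_server_commands(output):
    """The 'ip http server' / 'ip http secure-server' lines present in the config."""
    return [l.strip() for l in output.splitlines() if _HTTP_RE.match(l.strip())]


def parse_show_version(output):
    """Release string and image name taken from the show version banner."""
    ver = _VERSION_RE.search(output)
    img = _IMAGE_RE.search(output)
    return {"release": ver.group(1) if ver else None,
            "image": img.group(1) if img else None}


def is_ios_xe_release(release):
    """Heuristic from the release formats quoted on the page: IOS XE releases
    look like 3.13.8S or 16.2.1, classic IOS releases like 15.1(4)M2."""
    return release is not None and "(" not in release \
        and bool(re.match(r"^\d+\.\d+\.\d+", release))


def assess(eta_output, http_output, version_output):
    """Per-advisory prerequisites: True means the platform/configuration
    conditions are met and the release still has to be checked for a fix."""
    release = parse_show_version(version_output)["release"]
    xe = is_ios_xe_release(release)
    http_on = bool(http_server_commands(http_output))
    return {
        "release": release,
        "cisco-sa-20190327-eta-dos": xe and eta_configured(eta_output),
        "cisco-sa-20190327-iosxe-cmdinj": xe and http_on,
        "cisco-sa-20190327-iosxe-cmdinject": xe and http_on,
        "cisco-sa-20190327-xecmd": xe,
    }


if __name__ == "__main__":
    for key, value in assess(ETA_OUTPUT, HTTP_OUTPUT, VERSION_OUTPUT).items():
        print(f"{key}: {value}")
```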


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/
    tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

       o Initiate a search by choosing one or more releases from a drop-down
         list or uploading a file from a local system for the tool to parse
       o Enter the output of the show version command for the tool to parse
       o Create a custom search by including all previously published Cisco
         Security Advisories, a specific advisory, or all advisories in the
         most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
    Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in
    the following field:



    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

    Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will
    require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to
    Release 16.9.1 or later are advised to consider the Smart Licensing
    requirement. The following documentation provides additional information:
    Smart Licensing.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Related to This Advisory

  o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-iosxe-cmdinj

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --       | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS XE Software Command Injection Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190327-iosxe-cmdinject

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvi36805

CVE-2019-1756    

CWE-20

CVSS Score:
7.2  AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in Cisco IOS XE Software could allow an authenticated,
    remote attacker to execute commands on the underlying Linux shell of an
    affected device with root privileges.

    The vulnerability occurs because the affected software improperly
    sanitizes user-supplied input. An attacker who has valid administrator
    access to an affected device could exploit this vulnerability by supplying
    a username with a malicious payload in the web UI and subsequently making
    a request to a specific endpoint in the web UI. A successful exploit could
    allow the attacker to run arbitrary commands as the root user, allowing
    complete compromise of the system.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-iosxe-cmdinject

    This advisory is part of the March 27, 2019, release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication, which includes 17
    Cisco Security Advisories that describe 19 vulnerabilities. For a complete
    list of the advisories and links to them, see Cisco Event Response: March
    2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco devices that are running an affected
    release of Cisco IOS XE Software with the web server feature enabled.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Assessing the HTTP Server Configuration

    To determine whether the HTTP Server feature is enabled for a device,
    administrators can log in to the device and use the show running-config |
    include http (secure|server) command in the CLI to check for the presence
    of the ip http server command or the ip http secure-server command in the
    global configuration. If either command is present and configured, the
    HTTP Server feature is enabled for the device.

    The following example shows the output of the show running-config |
    include http (secure|server) command for a router that has the HTTP Server
    feature enabled:

        Router# show running-config | include http (secure|server)

        ip http server
        ip http secure-server

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre




    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/
    tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

       o Initiate a search by choosing one or more releases from a drop-down
         list or uploading a file from a local system for the tool to parse
       o Enter the output of the show version command for the tool to parse
       o Create a custom search by including all previously published Cisco
         Security Advisories, a specific advisory, or all advisories in the
         most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
    Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in
    the following field:



    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

    Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will
    require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to
    Release 16.9.1 or later are advised to consider the Smart Licensing
    requirement. The following documentation provides additional information:
    Smart Licensing.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Related to This Advisory

  o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-iosxe-cmdinject

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --       | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS XE Software Command Injection Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190327-xecmd

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvj61307

CVE-2019-1745    

CWE-78

CVSS Score:
8.8  AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in Cisco IOS XE Software could allow an authenticated,
    local attacker to inject arbitrary commands that are executed with
    elevated privileges.

    The vulnerability is due to insufficient input validation of commands
    supplied by the user. An attacker could exploit this vulnerability by
    authenticating to a device and submitting crafted input to the affected
    commands. An exploit could allow the attacker to gain root privileges on
    the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-xecmd

    This advisory is part of the March 27, 2019, release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication, which includes 17
    Cisco Security Advisories that describe 19 vulnerabilities. For a complete
    list of the advisories and links to them, see Cisco Event Response: March
    2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco devices that are running a vulnerable
    release of Cisco IOS XE Software.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre




    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/
    tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

       o Initiate a search by choosing one or more releases from a drop-down
         list or uploading a file from a local system for the tool to parse
       o Enter the output of the show version command for the tool to parse
       o Create a custom search by including all previously published Cisco
         Security Advisories, a specific advisory, or all advisories in the
         most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
    Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in
    the release search field on the original advisory web page.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

    Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will
    require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to
    Release 16.9.1 or later are advised to consider the Smart Licensing
    requirement. The following documentation provides additional information:
    Smart Licensing.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.


Related to This Advisory

  o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-xecmd

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --       | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS XE Software Catalyst 4500 Cisco Discovery Protocol Denial of Service
Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190327-evss

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     Yes

Cisco Bug IDs:   CSCvk24566

CVE-2019-1750    

CWE-20

CVSS Score:
7.4  AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Easy Virtual Switching System (VSS) of Cisco IOS XE
    Software on Catalyst 4500 Series Switches could allow an unauthenticated,
    adjacent attacker to cause the switches to reload.

    The vulnerability is due to incomplete error handling when processing
    Cisco Discovery Protocol (CDP) packets used with the Easy Virtual
    Switching System. An attacker could exploit this vulnerability by sending
    a specially crafted CDP packet. An exploit could allow the attacker to
    cause the device to reload, resulting in a denial of service (DoS)
    condition.

    Cisco has released software updates that address this vulnerability. There
    are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-evss

    This advisory is part of the March 27, 2019, release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication, which includes 17
    Cisco Security Advisories that describe 19 vulnerabilities. For a complete
    list of the advisories and links to them, see Cisco Event Response: March
    2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco Catalyst 4500/4500X Series Switches that
    are running a vulnerable release of Cisco IOS XE Software and have CDP
    enabled.

    For information about which software releases are vulnerable, see the
    Fixed Software section of this advisory.

    There are two different configurations in which the switch is vulnerable:

     1. A Cisco Catalyst 4500/4500X Series device has CDP enabled with CDP
        Application TLVs.
     2. An admin is converting the switches' configuration from standalone
        mode to virtual switch mode using easy virtual switching.

    Determining if CDP Is Enabled

    To determine whether use of the Cisco Discovery Protocol is enabled for a
    device, administrators can use the show cdp command in the device CLI. The
    output of the command displays global Cisco Discovery Protocol information
    or, if the protocol is disabled, indicates that use of the protocol is not
    enabled. Examples of both are shown as follows:

        Switch#show cdp
        Global CDP information:
                Sending CDP packets every 60 seconds
                Sending a holdtime value of 180 seconds
                Sending CDPv2 advertisements is  enabled
        Switch#
        Switch#show cdp
        % CDP is not enabled
        Switch#

    Determining if CDP Application TLVs Are Enabled

    By default, CDP Application TLV processing is enabled. To determine if CDP
    Application TLVs are disabled, administrators can issue the show
    running-config | include no cdp tlv app CLI command. If the output returns
    nothing, then processing of CDP Application TLVs is enabled. If it returns
    output, it will indicate which interfaces have the CDP Application TLVs
    processing disabled, as shown in the following example:

        Switch#show running-config | include no cdp tlv app
        no cdp tlv app
         no cdp tlv app
         no cdp tlv app
        Switch# 

    Determining if Admin Is Converting the Switches' Configuration From
    Standalone Mode to Virtual Switch Mode Using Easy Virtual Switching

    When an admin issues the switch convert mode easy-virtual-switch exec
    command on a device, it commences configuring the switches to operate as a
    VSS. Once the configuration has completed, the switches will reload. Part
    of this process is that UDP port 5500 is opened until the switches reload.
    During this period, it is possible to remotely exploit this vulnerability.
    Once the system reloads as a VSS, only the adjacent vector is available.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre

    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Details

  o While the attack vector is Network during the period in which an admin is
    converting the switches' configuration from standalone mode to virtual
    switch mode using easy virtual switching, the attack complexity also
    increases to High, resulting in a lower CVSSv3 score than would be
    assigned with the attack vector being Adjacent and the attack complexity
    being Low.

Indicators of Compromise

  o The traceback generated with the crash will indicate that the system
    crashed in the process vss bringup, as shown in the following example:

        IOSD-EXT-SIGNAL: Segmentation fault(11), Process = vss bringup

    Customers experiencing a crash with this traceback should raise a case
    with their support organization to confirm they are hitting this
    vulnerability.

Workarounds

  o Disabling CDP Application Type, Length, Value (TLV)

    By default, CDP Application TLVs are enabled. Disabling CDP Application
    TLVs will mitigate this vulnerability. To disable use of CDP Application
    TLVs globally for a device, use the no cdp tlv app command in the global
    configuration CLI. To disable use of CDP Application TLVs for a specific
    interface of a device, use the no cdp tlv app command in the interface
    configuration CLI.

    To see if CDP Application TLVs are in use on the device before disabling
    them, use the command show cdp tlv app. If the command returns output,
    then it is advisable not to disable the CDP TLV App globally.

    Disabling CDP

    If CDP is not required, administrators may disable use of the Cisco
    Discovery Protocol by a device. To disable use of the protocol globally
    for a device, use the no cdp run command in the global configuration CLI.
    To disable use of the protocol for a specific interface of a device, use
    the no cdp enable command in the interface configuration CLI.
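    The two determination checks above (show cdp and the no cdp tlv app grep)
    and the workaround logic in this section, as an added offline check over
    captured CLI text. This is example code written for this redistribution,
    not Cisco's tooling; the running-config and show cdp samples are
    constructed, and the exposure rule is the advisory's first vulnerable
    configuration (CDP enabled plus CDP Application TLVs enabled).

```python
"""Exposure check for cisco-sa-20190327-evss from captured CLI output.

Added example, not Cisco's own tooling. It applies the conditions the
advisory states: a switch is in the exposed configuration when CDP is
running and CDP Application TLV processing is still enabled, globally
and on at least one interface. The only input is the text of
"show running-config" (and optionally "show cdp") captured from the
device; the samples below are constructed.
"""

# Constructed sample: CDP runs globally, Application TLVs are disabled
# on one interface only, and one interface has CDP switched off.
SAMPLE_RUNNING_CONFIG = """\
version 16.2
hostname Switch
!
interface GigabitEthernet1/1
 description uplink
 no cdp tlv app
!
interface GigabitEthernet1/2
 description user port
!
interface GigabitEthernet1/3
 no cdp enable
!
end
"""

# Constructed sample of "show cdp" on a switch where CDP is disabled.
SAMPLE_SHOW_CDP_DISABLED = "Switch#show cdp\n% CDP is not enabled\nSwitch#\n"


def parse_running_config(text):
    """Split a running-config into global commands and per-interface commands.

    Interface sub-commands are indented by one space under their
    'interface' line; a '!' separator or any unindented line ends the
    block. Returns (global_lines, {interface_name: [sub_commands]}).
    """
    global_lines = []
    interfaces = {}
    current = None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            stripped = raw.strip()
            if stripped and stripped != "!":
                global_lines.append(stripped)
    return global_lines, interfaces


def cdp_enabled_from_show_cdp(output):
    """Interpret 'show cdp' output the way the advisory describes it."""
    if "% CDP is not enabled" in output:
        return False
    return "Global CDP information" in output


def assess_cdp_exposure(running_config):
    """Evaluate the first vulnerable configuration from the advisory.

    Returns a dict with:
      cdp_global          - True unless 'no cdp run' is configured
      tlv_app_global      - True unless 'no cdp tlv app' is configured globally
      exposed_interfaces  - interfaces on which CDP and Application TLV
                            processing are both still enabled
    Either global workaround ('no cdp run' or 'no cdp tlv app') empties
    the exposed list; per-interface 'no cdp enable' or 'no cdp tlv app'
    removes only that interface.
    """
    global_lines, interfaces = parse_running_config(running_config)
    cdp_global = "no cdp run" not in global_lines
    tlv_app_global = "no cdp tlv app" not in global_lines
    exposed = []
    if cdp_global and tlv_app_global:
        for name, sub_commands in interfaces.items():
            if "no cdp enable" in sub_commands:
                continue  # CDP is off on this interface
            if "no cdp tlv app" in sub_commands:
                continue  # Application TLVs are not processed here
            exposed.append(name)
    return {
        "cdp_global": cdp_global,
        "tlv_app_global": tlv_app_global,
        "exposed_interfaces": exposed,
    }


if __name__ == "__main__":
    result = assess_cdp_exposure(SAMPLE_RUNNING_CONFIG)
    for iface in result["exposed_interfaces"]:
        print(f"{iface}: CDP and CDP Application TLVs enabled (exposed)")
```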

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/
    tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

       o Initiate a search by choosing one or more releases from a drop-down
         list or uploading a file from a local system for the tool to parse
       o Enter the output of the show version command for the tool to parse
       o Create a custom search by including all previously published Cisco
         Security Advisories, a specific advisory, or all advisories in the
         most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
    Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in
    the release search field on the original advisory web page.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

    Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will
    require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to
    Release 16.9.1 or later are advised to consider the Smart Licensing
    requirement. The following documentation provides additional information:
    Smart Licensing.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Related to This Advisory

  o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-evss

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --       | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS XE Software Arbitrary File Upload Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190327-afu

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvi48984

CVE-2019-1743    

CWE-20

CVSS Score:
8.8  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web UI framework of Cisco IOS XE Software could
    allow an authenticated, remote attacker to make unauthorized changes to
    the filesystem of the affected device.

    The vulnerability is due to improper input validation. An attacker could
    exploit this vulnerability by crafting a malicious file and uploading it
    to the device. An exploit could allow the attacker to gain elevated
    privileges on the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-afu

    This advisory is part of the March 27, 2019, release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication, which includes 17
    Cisco Security Advisories that describe 19 vulnerabilities. For a complete
    list of the advisories and links to them, see Cisco Event Response: March
    2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco devices that are running an affected
    release of Cisco IOS XE Software with the web server feature enabled.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Assessing the HTTP Server Configuration

    To determine whether the HTTP Server feature is enabled for a device,
    administrators can log in to the device and use the show running-config |
    include http (secure|server) command in the CLI to check for the presence
    of the ip http server command or the ip http secure-server command in the
    global configuration. If either command is present and configured, the
    HTTP Server feature is enabled for the device.

    The following example shows the output of the show running-config |
    include http (secure|server) command for a router that has the HTTP Server
    feature enabled:

        Router# show running-config | include http (secure|server)

        ip http server
        ip http secure-server

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.2.1 and has an installed image
    name of CAT3K_CAA-UNIVERSALK9-M:

        ios-xe-device# show version

        Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2016 by Cisco Systems, Inc.
        Compiled Sun 27-Mar-16 21:47 by mcpre

    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/
    tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

       o Initiate a search by choosing one or more releases from a drop-down
         list or uploading a file from a local system for the tool to parse
       o Enter the output of the show version command for the tool to parse
       o Create a custom search by including all previously published Cisco
         Security Advisories, a specific advisory, or all advisories in the
         most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
    Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in
    the release search field on the original advisory web page.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

    Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will
    require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to
    Release 16.9.1 or later are advised to consider the Smart Licensing
    requirement. The following documentation provides additional information:
    Smart Licensing.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Related to This Advisory

  o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-afu

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --       | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS Software NAT64 Denial of Service Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190327-nat64

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvk61580

CVE-2019-1751    

CWE-20

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Network Address Translation 64 (NAT64) functions of
    Cisco IOS Software could allow an unauthenticated, remote attacker to
    cause either an interface queue wedge or a device reload.

    The vulnerability is due to the incorrect handling of certain IPv4 packet
    streams that are sent through the device. An attacker could exploit this
    vulnerability by sending specific IPv4 packet streams through the device.
    An exploit could allow the attacker to either cause an interface queue
    wedge or a device reload, resulting in a denial of service (DoS)
    condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190327-nat64

    This advisory is part of the March 27, 2019, release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication, which includes 17
    Cisco Security Advisories that describe 19 vulnerabilities. For a complete
    list of the advisories and links to them, see Cisco Event Response: March
    2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects devices that are running a vulnerable release
    of Cisco IOS Software and are configured with either NAT64 (Stateless or
    Stateful), Mapping of Address and Port Using Translation (MAP-T), or
    Mapping of Address and Port Using Encapsulation (MAP-E).

    For more information about which Cisco IOS Software releases are
    vulnerable, see the Fixed Software section of this advisory.

    Determining the NAT64 Configuration 

    Administrators can identify devices that have either NAT64 (Stateless or
    Stateful), MAP-T, or MAP-E by using the show running-config | include
    nat64 enable|nat64 map-t|nat64 map-e command in the CLI. If the command
    returns output with nat64 in it, the device is vulnerable. The following
    example shows the output of the command on a device with NAT64 enabled:

        Router#show running-config | include nat64 enable|nat64 map-t|nat64 map-e
         nat64 enable
         nat64 enable
        nat64 prefix stateless 2001:DB9:0:1::/96
        nat64 route 192.1.1.0/24 GigabitEthernet0/1
        Router#

    Determining the Cisco IOS Software Release

    To determine which Cisco IOS Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS Software, the system banner displays text similar to
    Cisco Internetwork Operating System Software or Cisco IOS Software. The
    banner also displays the installed image name in parentheses, followed by
    the Cisco IOS Software release number and release name. Some Cisco devices
    do not support the show version command or may provide different output.

    The following example shows the output of the command for a device that is
    running Cisco IOS Software Release 15.5(2)T1 and has an installed image
    name of C2951-UNIVERSALK9-M:

        Router> show version

        Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2015 by Cisco Systems, Inc.
        Compiled Mon 22-Jun-15 09:32 by prod_rel_team

    For information about the naming and numbering conventions for Cisco IOS
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS XE
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Details

  o Queue wedges occur when certain packets are received and queued by a Cisco
    IOS or IOS XE router or switch but, due to a processing error, are never
    removed from the queue.

    Consult the Workarounds section of this advisory for more information
    about queue wedges and some detection mechanisms that may be used to
    identify a blocked interface in Cisco IOS Software. See also the Cisco
    Security Blog Cisco IOS Queue Wedges Explained.

    In the event of exploitation, if the source of the exploit traffic is
    identified and subsequently blocked so that this traffic no longer
    reaches the vulnerable device, administrators can enlarge the input hold
    queue of the affected interface with the interface configuration command
    hold-queue <number> in until they can reload the router, as shown in the
    following example:

        Router#conf t
        Enter configuration commands, one per line.  End with CNTL/Z.
        Router(config)#interface gigabitEthernet 1
        Router(config-if)#hold-queue 350 in
        Router(config-if)#end
        Router#

Indicators of Compromise

  o If the device is exploited and a queue wedge results, the output of the
    show interface command shows an interface whose input queue size is
    greater than its max, as shown in the following example:

        Router#show interface | include Input queue:
        Input queue: 76/75/180/0 (size/max/drops/flushes); Total output drops: 0

Workarounds

  o There are no workarounds that address this vulnerability.

    The following identification mechanisms exist for the queue wedge exploit
    for this vulnerability:

    Embedded Event Manager

    A Cisco IOS Embedded Event Manager (EEM) policy that is based on Tool
    Command Language (Tcl) can be used on vulnerable Cisco IOS devices to
    detect an interface queue wedge that is caused by this vulnerability. The
    policy allows administrators to monitor the interfaces of a Cisco IOS
    device and detect when an interface input queue is full. When Cisco IOS
    EEM detects potential exploitation of this vulnerability, the policy can
    trigger a response by sending an alert to the network administrator, who
    could then decide to implement an upgrade, implement suitable mitigations,
    or reload the device to clear the input queue.

    The Tcl script is available for download from the Cisco Beyond: Embedded
    Event Manager (EEM) Scripting Community at the following link:
    https://supportforums.cisco.com/docs/DOC-19337

    For additional information, see the Cisco Security Blog Cisco IOS Queue
    Wedges Explained.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    Software, Cisco provides a tool, the Cisco IOS Software Checker, that
    identifies any Cisco Security Advisories that impact a specific Cisco IOS
    Software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

      o Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
      o Enter the output of the show version command for the tool to parse
      o Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the
        most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
    Cisco IOS Software release--for example, 15.1(4)M2--in the search field
    on the advisory's web page.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.


Related to This Advisory

  o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-nat64

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --       | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco IOS Software Catalyst 6500 Series 802.1x Authentication Bypass
Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-20190327-c6500

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     Yes

Cisco Bug IDs:   CSCvk25074

CVE-2019-1758    

CWE-287

CVSS Score:
4.7  AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the 802.1x function of Cisco IOS Software on the
    Catalyst 6500 Series Switches could allow an unauthenticated, adjacent
    attacker to access the network prior to authentication.

    The vulnerability is due to how the 802.1x packets are handled in the
    process path. An attacker could exploit this vulnerability by attempting
    to connect to the network on an 802.1x configured port. A successful
    exploit could allow the attacker to intermittently obtain access to the
    network.

    Cisco has released software updates that address this vulnerability. There
    are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-c6500

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco Catalyst 6500 Series Switches that are
    running a vulnerable release of Cisco IOS Software if the 802.1x feature
    is enabled on an interface with authentication host-mode multi-domain,
    authentication violation restrict, and closed (not open) authentication
    mode.

    For information about which software releases are vulnerable, see the 
    Fixed Software section of this advisory.

    Assessing the 802.1x Configuration

    To determine whether the 802.1x feature is configured in a manner that
    makes a device vulnerable, perform the following tasks:

     1. Administrators can log in to the device and use the show
        running-config | include multi-domain command in the CLI to check for
        the presence of the authentication host-mode multi-domain command in
        the interface configuration. If the command returns no output, the
        device is not vulnerable. If the command returns output, identify all
        the interfaces with the authentication host-mode multi-domain command
        present and proceed to the next step.
     2. For each interface identified in the previous step, administrators can
        use the show running-config command in the CLI to check for the
        presence of authentication open. Each interface where the
        authentication mode is configured as open is not vulnerable. For all
        other interfaces, complete the next step.
     3. For each interface identified in the previous steps, administrators
        can use the show running-config command in the CLI to check for the
        presence of authentication violation restrict. If this command is
        present, the interface is vulnerable.

    The following shows an example of an AFFECTED configuration:

        interface GigabitEthernet1/4/1
         switchport
         switchport access vlan 100
         switchport mode access
         switchport voice vlan 101
         authentication event fail action next-method
         authentication event server dead action authorize voice
         authentication event server alive action reinitialize
         authentication host-mode multi-domain
         authentication order dot1x mab
         authentication priority dot1x mab
         authentication port-control auto
         authentication periodic
         authentication timer reauthenticate server
         authentication violation restrict
         mab
         dot1x pae authenticator
         dot1x timeout tx-period 2
         spanning-tree portfast edge
         spanning-tree bpduguard enable

    The following shows an example of a NON-AFFECTED configuration:

        interface GigabitEthernet1/4/1
         switchport
         switchport access vlan 100
         switchport mode access
         switchport voice vlan 101
         authentication event fail action next-method
         authentication event server dead action authorize voice
         authentication event server alive action reinitialize
         authentication host-mode multi-domain
         authentication open
         authentication order dot1x mab
         authentication priority dot1x mab
         authentication port-control auto
         authentication periodic
         authentication timer reauthenticate server
         authentication violation shutdown
         mab
         dot1x pae authenticator
         dot1x timeout tx-period 2
         spanning-tree portfast edge
         spanning-tree bpduguard enable

    Determining the Cisco IOS Software Release

    To determine which Cisco IOS Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS Software, the system banner displays text similar to
    Cisco Internetwork Operating System Software or Cisco IOS Software. The
    banner also displays the installed image name in parentheses, followed by
    the Cisco IOS Software release number and release name. Some Cisco devices
    do not support the show version command or may provide different output.

    The following example shows the output of the command for a device that is
    running Cisco IOS Software Release 15.5(2)T1 and has an installed image
    name of C2951-UNIVERSALK9-M:

        Router> show version

        Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2015 by Cisco Systems, Inc.
        Compiled Mon 22-Jun-15 09:32 by prod_rel_team

    For information about the naming and numbering conventions for Cisco IOS
    Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS XE
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Details

  o This vulnerability could be exploited when a host has already
    authenticated on the affected configured port and a new host in
    unauthorized mode tries to connect. The impact is intermittent access to
    the network prior to authentication.

Workarounds

  o If the port is also configured with authentication violation shutdown or
    authentication violation protect instead of restrict, this vulnerability
    would not be exploitable.

Fixed Software

  o For detailed information about affected and fixed software releases,
    consult the Cisco IOS Software Checker.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Cisco IOS Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    Software, Cisco provides a tool, the Cisco IOS Software Checker, that
    identifies any Cisco Security Advisories that impact a specific Cisco IOS
    Software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

      o Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
      o Enter the output of the show version command for the tool to parse
      o Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the
        most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
    Cisco IOS Software release--for example, 15.1(4)M2--in the search field
    on the advisory's web page.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.


URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-c6500

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --       | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+


================================================================================

Cisco Aggregation Services Router 900 Route Switch Processor 3 OSPFv2 Denial of
Service Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190327-rsp3-ospf

First Published: 2019 March 27 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvh06656

CVE-2019-1749    

CWE-20

CVSS Score:
7.4  AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the ingress traffic validation of Cisco IOS XE Software
    for Cisco Aggregation Services Router (ASR) 900 Route Switch Processor 3
    (RSP3) could allow an unauthenticated, adjacent attacker to trigger a
    reload of an affected device, resulting in a denial of service (DoS)
    condition.

    The vulnerability exists because the software insufficiently validates
    ingress traffic on the ASIC used on the RSP3 platform. An attacker could
    exploit this vulnerability by sending a malformed OSPF version 2 (OSPFv2)
    message to an affected device. A successful exploit could allow the
    attacker to cause a reload of the iosd process, triggering a reload of the
    affected device and resulting in a DoS condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-rsp3-ospf

    This advisory is part of the March 27, 2019, release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication, which includes 17
    Cisco Security Advisories that describe 19 vulnerabilities. For a complete
    list of the advisories and links to them, see Cisco Event Response: March
    2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco ASR 900 RSP3 devices that are running
    Cisco IOS XE Software and are configured for OSPFv2 routing and OSPF
    Message Digest 5 (MD5) cryptographic authentication.

    Note: Devices configured for OSPFv2 routing and Hashed Message
    Authentication Code-Secure Hash Algorithm (HMAC-SHA) cryptographic
    authentication are not affected by this vulnerability.

    For information about which Cisco IOS XE Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Determining Whether OSPFv2 Routing Is Configured

    Administrators can use the show running-config | include router ospf
    command to determine whether OSPFv2 routing is enabled. The following
    example shows the output of the command for a device that has the OSPFv2
    routing feature enabled:

        rsp3#show running-config | include router ospf
        router ospf 1

    Empty output of this command indicates that the feature is not configured.

    Determining Whether OSPF MD5 Authentication Is Configured

    Administrators can use the show running-config | include
    authentication message-digest command to determine whether OSPF MD5
    authentication is enabled on any interface or globally. The following
    example shows the output of the command from a device that has OSPF MD5
    authentication enabled on one interface:

        rsp3-1#show running-config | include authentication message-digest
         ip ospf authentication message-digest

    The following example shows the output of the command from a device that
    has OSPF MD5 authentication enabled globally for OSPF area 0:

        rsp3-2#show running-config | include authentication message-digest
         area 0 authentication message-digest

    Empty output of this command indicates that the feature is not enabled on
    any interface or globally.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and then refer to the system banner that appears. If the device
    is running Cisco IOS XE Software, the system banner displays Cisco IOS
    Software, Cisco IOS XE Software, or similar text.

    The following example shows the output of the command for a device that is
    running Cisco IOS XE Software Release 16.6.1 and has an installed image
    name of PPC_LINUX_IOSD-UNIVERSALK9-M:

        rsp3-device# show version
        Cisco IOS XE Software, Version 16.06.01
        Cisco IOS Software [Everest], ASR900 Software (PPC_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.1, RELEASE SOFTWARE (fc2)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2017 by Cisco Systems, Inc.
        Compiled Sat 22-Jul-17 03:12 by mcpre

    For information about the naming and numbering conventions for Cisco IOS
    XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS
    Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds

  o There are no workarounds that address this vulnerability.

    To mitigate this issue on Cisco IOS Software releases 15.4(1)T and later,
    administrators can configure OSPFv2 to use HMAC-SHA algorithms for
    cryptographic authentication instead of MD5 algorithms.

    Information about platform support and Cisco software image support is
    available through Cisco Feature Navigator. Further information on
    configuring OSPFv2 for cryptographic authentication using HMAC-SHA is
    available in the OSPFv2 Cryptographic Authentication chapter of the IP
    Routing: OSPF Configuration Guide.
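
    An added configuration example, not from the advisory, showing the
    affected MD5 interface configuration beside the HMAC-SHA key-chain form
    that the paragraph above refers to. The key chain name, key id, key
    strings and interface name are placeholders; the command syntax is that
    of the OSPFv2 Cryptographic Authentication feature (Cisco IOS 15.4(1)T
    and later) as I know it, so verify it against the configuration guide
    cited above for the release in use.

```text
! Affected form: OSPF MD5 authentication on the interface. This is the line
! that "show running-config | include authentication message-digest" finds.
interface GigabitEthernet0/0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <MD5-SECRET-PLACEHOLDER>
!
! Mitigated form: a key chain selects HMAC-SHA-256 and the interface
! references the chain instead of carrying an MD5 key (remove the two
! MD5 interface commands above when migrating).
key chain OSPF-HMAC
 key 1
  key-string <HMAC-SECRET-PLACEHOLDER>
  cryptographic-algorithm hmac-sha-256
!
interface GigabitEthernet0/0/0
 ip ospf authentication key-chain OSPF-HMAC
!
```

    Both ends of each OSPF adjacency must change together, because neighbors
    have to agree on the algorithm and key, so this is a maintenance-window
    change rather than a rolling one. Note also that a key chain whose key
    carries cryptographic-algorithm md5 is still MD5 authentication, and the
    include authentication message-digest check in the Affected Products
    section would not show it; a review of show running-config | section
    key chain covers that case.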

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
    that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

      o Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
      o Enter the output of the show version command for the tool to parse
      o Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the
        most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
    Cisco IOS or IOS XE Software release--for example, 15.1(4)M2 or 3.13.8S--in
    the search field on the advisory's web page.

    By default, the Cisco IOS Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, use the Cisco IOS
    Software Checker on Cisco.com and check the Medium check box in the Impact
    Rating drop-down list.

    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
    releases, refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
    Release Notes, or Cisco IOS XE 3SG Release Notes, depending on the
    Cisco IOS XE Software release.

    Note: Starting with Cisco IOS XE Software Release 16.9.1, any upgrade will
    require Smart Licensing. Customers who plan to upgrade Cisco IOS XE to
    Release 16.9.1 or later are advised to consider the Smart Licensing
    requirement. The following documentation provides additional information:
    Smart Licensing.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.


Related to This Advisory

  o Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-rsp3-ospf

Revision History

  o 
    +----------+---------------------------+----------+---------+----------------+
    | Version  |        Description        | Section  | Status  |      Date      |
    +----------+---------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.   | --       | Final   | 2019-March-27  |
    +----------+---------------------------+----------+---------+----------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----