===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3624
    Securing the Cisco IOS and IOS XE Software Layer 2 Traceroute Server
                             26 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS and IOS XE for Catalyst switches
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-l2-traceroute

- --------------------------BEGIN INCLUDED TEXT--------------------

Securing the Cisco IOS and IOS XE Software Layer 2 Traceroute Server

Priority:        Informational
Advisory ID:     cisco-sa-20190925-l2-traceroute
First Published: 2019 September 25 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available

Summary

  o The Layer 2 (L2) traceroute utility identifies the L2 path that a packet
    takes from a source device to a destination device. Cisco IOS Software and
    Cisco IOS XE Software for Cisco Catalyst switches have inherited the L2
    traceroute feature from Cisco CatOS Software. As such, this feature has
    been supported since Cisco IOS and IOS XE Software were first released.
    Cisco has confirmed that the L2 traceroute feature is not supported in
    Cisco IOS XR Software or Cisco NX-OS Software.

    The L2 traceroute feature is enabled by default in Cisco IOS and IOS XE
    Software for Cisco Catalyst switches. Enabling the feature starts the L2
    traceroute server, which is reachable through IPv4, listening on UDP port
    2228.
    The following example shows the output of the show ip sockets command on
    a device that has the L2 traceroute feature enabled:

      Switch#show ip sockets
      Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
       17 0.0.0.0         0 10.10.10.1       2228   0   0   211   0

    By design, the L2 traceroute server does not require authentication, and
    it allows certain information about an affected device to be read,
    including the following:

      - Hostname
      - Hardware model
      - Configured interfaces
      - Configured IP addresses
      - VLAN database
      - MAC address table
      - Layer 2 filtering table
      - Cisco Discovery Protocol (CDP) neighbor information

    Reading this information from multiple switches in the network could
    allow an attacker to build a complete L2 topology map of that network.

    Customers are advised to secure the L2 traceroute server as described in
    the Recommendations section of this advisory.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-l2-traceroute

Recommendations

  o Secure the Layer 2 Traceroute Server

    Depending on whether the L2 traceroute feature is used in the environment
    and whether the Cisco IOS or IOS XE Software release supports the CLI
    commands to implement the respective option, there are several ways to
    secure the L2 traceroute server:

      - Disable the L2 traceroute server.
      - Restrict access to the L2 traceroute server through infrastructure
        access control lists (iACLs).
      - Restrict access to the L2 traceroute server through control plane
        policing (CoPP).
      - Upgrade to a release that has the L2 traceroute server disabled by
        default.

    Disable the Layer 2 Traceroute Server

    In Cisco IOS and IOS XE Software releases that support the command, the
    L2 traceroute server can be disabled by using the no l2 traceroute
    command in global configuration mode. Where available, the no l2
    traceroute command will stop the L2 traceroute server immediately.
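    As an added example (not part of the Cisco advisory or the AusCERT
    bulletin), the following Python audit parses collected "show ip sockets"
    output and a running-config to flag devices whose L2 traceroute server is
    still bound on UDP/2228 and not disabled with "no l2 traceroute". The
    socket line is the advisory's own sample output; the config fragment and
    the status names EXPOSED/STALE/OK are constructed for the demonstration.

```python
import re

L2_TRACEROUTE_PORT = 2228   # UDP port of the L2 traceroute server (from the advisory)
PROTO_UDP = 17              # value of the Proto column for UDP in 'show ip sockets'

def parse_ip_sockets(output):
    """Parse 'show ip sockets' text into dicts of the first five columns
    (Proto, Remote, Port, Local, Port); prompt and header lines are skipped."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].isdigit():
            continue
        sockets.append({"proto": int(fields[0]), "remote": fields[1],
                        "remote_port": int(fields[2]), "local": fields[3],
                        "local_port": int(fields[4])})
    return sockets

def l2_traceroute_listeners(output):
    """Local addresses on which the L2 traceroute server (UDP/2228) is bound."""
    return [s["local"] for s in parse_ip_sockets(output)
            if s["proto"] == PROTO_UDP and s["local_port"] == L2_TRACEROUTE_PORT]

def l2_traceroute_disabled(running_config):
    """True if the running-config contains the 'no l2 traceroute' global command."""
    return any(re.fullmatch(r"\s*no l2 traceroute\s*", ln)
               for ln in running_config.splitlines())

def audit_device(name, ip_sockets_output, running_config):
    """EXPOSED: server bound and not disabled in config. STALE: config says
    disabled but a socket is still open (re-check the device). OK: no listener."""
    listeners = l2_traceroute_listeners(ip_sockets_output)
    disabled = l2_traceroute_disabled(running_config)
    if listeners and not disabled:
        status = "EXPOSED"
    elif listeners:
        status = "STALE"
    else:
        status = "OK"
    return {"device": name, "listeners": listeners,
            "disabled_in_config": disabled, "status": status}

# Constructed sample data: the socket line is the advisory's example output,
# the running-config fragment is invented for the demonstration.
SAMPLE_SOCKETS = """Switch#show ip sockets
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
 17 0.0.0.0         0 10.10.10.1       2228   0   0   211   0
"""
SAMPLE_CONFIG = "hostname Switch\n!\nip routing\n!\n"
```

    Calling audit_device("Switch", SAMPLE_SOCKETS, SAMPLE_CONFIG) reports the
    advisory's sample device as EXPOSED on 10.10.10.1.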
    Customers who are running a recent release of Cisco IOS or IOS XE
    Software in which the no l2 traceroute command is not available are
    advised to contact their support organization.

    Use Infrastructure Access Control Lists to Restrict Access to the L2
    Traceroute Server

    Although it can be difficult to block traffic that traverses a network,
    it is possible to identify malicious traffic and then block that traffic
    at the border of the network. Using iACLs is a network security best
    practice and should be considered as a long-term addition to good
    network security, as well as a mitigation for this specific issue. To
    help protect all devices with IP addresses in the infrastructure IP
    address range, customers are advised to include the following iACL
    example as part of the deployed iACL:

      !---
      !--- Feature: L2 Traceroute
      !---

      !---
      !--- Deny L2 Traceroute traffic from all other sources
      !--- destined to infrastructure addresses
      !---

      access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 2228

      !---
      !--- Permit/deny all other Layer 3 and Layer 4 traffic in
      !--- accordance with existing security policies and
      !--- configurations. Permit all other traffic to transit the
      !--- device.
      !---

      access-list 150 permit ip any any

      !---
      !--- Apply access-list to all interfaces (only one example
      !--- shown)
      !---

      interface GigabitEthernet 2/0
       ip access-group 150 in

    For further guidelines and recommendations for deployment techniques for
    iACLs, see the white paper Protecting Your Core: Infrastructure
    Protection Access Control Lists and the Cisco Guide to Harden Cisco IOS
    Devices.

    Use Control Plane Policing to Restrict Access to the L2 Traceroute Server

    CoPP can be used to block untrusted UDP traffic to the device. Cisco IOS
    Software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, 12.4T, and later
    support the CoPP feature.
    CoPP can be configured to do the following:

      - Protect the management and control planes
      - Minimize the risk and effectiveness of direct infrastructure attacks

    It does this by explicitly permitting only authorized traffic in
    accordance with existing security policies and configurations. To help
    protect all devices with IP addresses in the infrastructure IP address
    range, customers are advised to include the following CoPP as part of the
    deployed CoPP policy:

      !---
      !--- Feature: L2 Traceroute
      !---

      !---
      !--- Deny L2 Traceroute traffic from all other sources
      !--- destined to the device control plane.
      !---

      access-list 150 permit udp any any eq 2228

      !---
      !--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and
      !--- Layer4 traffic in accordance with existing security policies
      !--- and configurations for traffic that is authorized to be sent
      !--- to infrastructure devices
      !---

      !---
      !--- Create a Class-Map for traffic to be policed by
      !--- the CoPP feature
      !---

      class-map match-all drop-l2trace-class
       match access-group 150

      !---
      !--- Create a Policy-Map that will be applied to the
      !--- Control-Plane of the device.
      !---

      policy-map control-plane-policy
       class drop-l2trace-class
        drop

      !---
      !--- Apply the Policy-Map to the
      !--- Control-Plane of the device
      !---

      control-plane
       service-policy input control-plane-policy

    For additional information on configuring and using the CoPP feature,
    see the Control Plane Policing Implementation Best Practices and the
    Cisco Guide to Harden Cisco IOS Devices.
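    As an added example (not from the advisory), the following Python
    generator expands the iACL and CoPP templates above for a list of
    infrastructure prefixes, computing the IOS wildcard mask that replaces
    the INFRASTRUCTURE_ADDRESSES WILDCARD placeholder. The prefixes, the
    interface list and the use of ACL number 151 for the CoPP class (the
    advisory's two templates both use 150) are assumptions made here.

```python
from ipaddress import ip_network

L2_TRACEROUTE_PORT = 2228   # UDP port of the L2 traceroute server (from the advisory)

def iacl_entries(infra_prefixes, acl_number=150):
    """Expand the advisory's iACL template once per infrastructure prefix.
    The template needs INFRASTRUCTURE_ADDRESSES plus an IOS WILDCARD mask,
    the bitwise inverse of the subnet mask, which ipaddress exposes as hostmask.
    strict=True rejects prefixes with host bits set (e.g. 10.10.10.1/24)."""
    lines = []
    for cidr in infra_prefixes:
        net = ip_network(cidr, strict=True)
        lines.append(f"access-list {acl_number} deny udp any "
                     f"{net.network_address} {net.hostmask} eq {L2_TRACEROUTE_PORT}")
    # Trailing permit as in the advisory; site-specific entries would go before it.
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines

def copp_policy(acl_number=151):
    """The advisory's CoPP stanza: a *permit* ACL selects UDP/2228 so that the
    class matches it and the policy-map drops it on the control plane.
    ACL number 151 is an assumption made here (the advisory uses 150 in both
    templates) so the iACL and the CoPP ACL can coexist on one device."""
    return [f"access-list {acl_number} permit udp any any eq {L2_TRACEROUTE_PORT}",
            "class-map match-all drop-l2trace-class",
            f" match access-group {acl_number}",
            "policy-map control-plane-policy",
            " class drop-l2trace-class",
            "  drop",
            "control-plane",
            " service-policy input control-plane-policy"]

def build_config(infra_prefixes, interfaces):
    """Full hardening fragment: iACL entries, their interface bindings, then CoPP."""
    cfg = iacl_entries(infra_prefixes)
    for intf in interfaces:
        cfg += [f"interface {intf}", " ip access-group 150 in"]
    cfg += copp_policy()
    return "\n".join(cfg) + "\n"

# Constructed inputs for the demonstration (not addresses from the advisory).
INFRA_PREFIXES = ["10.10.10.0/24", "192.0.2.64/26"]
INTERFACES = ["GigabitEthernet 2/0"]

if __name__ == "__main__":
    print(build_config(INFRA_PREFIXES, INTERFACES))
```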
    Upgrade to a Release That Has the L2 Traceroute Server Disabled by
    Default

    The following planned releases of Cisco IOS and IOS XE Software will have
    the L2 traceroute server disabled by default:

      - Cisco IOS 15.2(7)E1 (December 2019) and later
      - Cisco IOS XE 3.11.1E (December 2019) and later
      - Cisco IOS XE 17.2.1 (March 2020) and later

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware of the
    availability of public exploit code that can be used to misuse the L2
    traceroute feature as described in this advisory.

Source

  o Cisco would like to thank the independent security researcher Chris
    Marget for reporting this issue.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-l2-traceroute

Revision History

  o +---------+------------------------+---------+--------+-------------------+
    | Version | Description            | Section | Status | Date              |
    +---------+------------------------+---------+--------+-------------------+
    | 1.0     | Initial public         | -       | Final  | 2019-September-25 |
    |         | release.               |         |        |                   |
    +---------+------------------------+---------+--------+-------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.