-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3624
   Securing the Cisco IOS and IOS XE Software Layer 2 Traceroute Server
                             26 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS and IOS XE for Catalyst switches
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-l2-traceroute

- --------------------------BEGIN INCLUDED TEXT--------------------

Securing the Cisco IOS and IOS XE Software Layer 2 Traceroute Server

Priority:        Informational
Advisory ID:     cisco-sa-20190925-l2-traceroute
First Published: 2019 September 25 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available

Summary

  o The Layer 2 (L2) traceroute utility identifies the L2 path that a packet
    takes from a source device to a destination device. Cisco IOS Software and
    Cisco IOS XE Software for Cisco Catalyst switches have inherited the L2
    traceroute feature from Cisco CatOS Software. As such, this feature has
    been supported since Cisco IOS and IOS XE Software were first released.
    Cisco has confirmed that the L2 traceroute feature is not supported in
    Cisco IOS XR Software or Cisco NX-OS Software.

    The L2 traceroute feature is enabled by default in Cisco IOS and IOS XE
    Software for Cisco Catalyst switches. Enabling the feature starts the L2
    traceroute server, which is reachable through IPv4, listening on UDP port
    2228. The following example shows the output of the show ip sockets command
    on a device that has the L2 traceroute feature enabled:

        Switch#show ip sockets
        Proto        Remote      Port      Local       Port  In Out  Stat TTY OutputIF
         17     0.0.0.0             0 10.10.10.1       2228   0   0   211   0 

    By design, the L2 traceroute server does not require authentication, and it
    allows certain information about an affected device to be read, including
    the following:

       Hostname
       Hardware model
       Configured interfaces
       Configured IP addresses
       VLAN database
       MAC address table
       Layer 2 filtering table
       Cisco Discovery Protocol (CDP) neighbor information

    Reading this information from multiple switches in the network could allow
    an attacker to build a complete L2 topology map of that network.

    Customers are advised to secure the L2 traceroute server as described in
    the Recommendations section of this advisory.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190925-l2-traceroute

Recommendations

  o Secure the Layer 2 Traceroute Server

    Depending on whether the L2 traceroute feature is used in the environment
    and whether the Cisco IOS or IOS XE Software release supports the CLI
    commands to implement the respective option, there are several ways to
    secure the L2 traceroute server:

       Disable the L2 traceroute server.
       Restrict access to the L2 traceroute server through infrastructure
        access control lists (iACLs).
       Restrict access to the L2 traceroute server through control plane
        policing (CoPP).
       Upgrade to a release that has the L2 traceroute server disabled by
        default.

    Disable the Layer 2 Traceroute Server

    In Cisco IOS and IOS XE Software releases that support the command, the L2
    traceroute server can be disabled by using the no l2 traceroute command in
    global configuration mode. Where available, the no l2 traceroute command 
    will stop the L2 traceroute server immediately. Customers who are running a
    recent release of Cisco IOS or IOS XE Software, and the no l2 traceroute 
    command is not available, are advised to contact their support
    organization.

    Use Infrastructure Access Control Lists to Restrict Access to the L2
    Traceroute Server

    Although it can be difficult to block traffic that traverses a network, it
    is possible to identify malicious traffic and then block that traffic at
    the border of the network. Using iACLs is a network security best practice
    and should be considered as a long-term addition to good network security,
    as well as a mitigation for this specific issue. To help protect all
    devices with IP addresses in the infrastructure IP address range, customers
    are advised to include the following iACL example as part of the deployed
    iACL:

        !---
        !--- Feature: L2 Traceroute
        !---

        !---
        !--- Deny L2 Traceroute traffic from all other sources
        !--- destined to infrastructure addresses
        !---

        access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 2228

        !---
        !--- Permit/deny all other Layer 3 and Layer 4 traffic in
        !--- accordance with existing security policies and
        !--- configurations.  Permit all other traffic to transit the
        !--- device.
        !---

        access-list 150 permit ip any any

        !---
        !--- Apply access-list to all interfaces (only one example
        !--- shown)
        !---

        interface GigabitEthernet 2/0
         ip access-group 150 in

    For further guidelines and recommendations for deployment techniques for
    iACLs, see the white paper Protecting Your Core: Infrastructure Protection
    Access Control Lists and the Cisco Guide to Harden Cisco IOS Devices .

    Use Control Plane Policing to Restrict Access to the L2 Traceroute Server

    CoPP can be used to block untrusted UDP traffic to the device. Cisco IOS
    Software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, 12.4T, and later
    support the CoPP feature. CoPP can be configured to do the following:

       Protect the management and control planes
       Minimize the risk and effectiveness of direct infrastructure attacks

    It does this by explicitly permitting only authorized traffic in accordance
    with existing security policies and configurations.

    To help protect all devices with IP addresses in the infrastructure IP
    address range, customers are advised to include the following CoPP as part
    of the deployed CoPP policy:

        !---
        !--- Feature: L2 Traceroute
        !---

        !---
        !--- Deny L2 Traceroute traffic from all other sources
        !--- destined to the device control plane.
        !---

        access-list 150 permit udp any any eq 2228

        !---
        !--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and
        !--- Layer4 traffic in accordance with existing security policies
        !--- and configurations for traffic that is authorized to be sent
        !--- to infrastructure devices
        !--- Create a Class-Map for traffic to be policed by
        !--- the CoPP feature
        !---

        class-map match-all drop-l2trace-class
         match access-group 150

        !---
        !--- Create a Policy-Map that will be applied to the
        !--- Control-Plane of the device.
        !---

        policy-map control-plane-policy
         class drop-l2trace-class
          drop

        !---
        !--- Apply the Policy-Map to the
        !--- Control-Plane of the device
        !---

        control-plane
         service-policy input control-plane-policy

    For additional information on configuring and using the CoPP feature, see
    the Control Plane Policing Implementation Best Practices and the Cisco
    Guide to Harden Cisco IOS Devices .

    Upgrade to a Release That Has the L2 Traceroute Server Disabled by Default

    The following planned releases of Cisco IOS and IOS XE Software will have
    the L2 traceroute server disabled by default:

       Cisco IOS 15.2(7)E1 (December 2019) and later
       Cisco IOS XE 3.11.1E (December 2019) and later
       Cisco IOS XE 17.2.1 (March 2020) and later

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware of the
    availability of public exploit code that can be used to misuse the L2
    traceroute feature as described in this advisory.

Source

  o Cisco would like to thank the independent security researcher Chris Marget
    for reporting this issue.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190925-l2-traceroute

Revision History

  o +---------+------------------------+---------+--------+-------------------+
    | Version |      Description       | Section | Status |       Date        |
    +---------+------------------------+---------+--------+-------------------+
    | 1.0     | Initial public         | -       | Final  | 2019-September-25 |
    |         | release.               |         |        |                   |
    +---------+------------------------+---------+--------+-------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXYw492aOgq3Tt24GAQis7Q//Qa4qcnE5yb7J/1+1GmkiFkl3DSDlcBRx
9F8s8a3owbeHYrOIIPvhtvYX5WaR53fD2RPgOjebFF0Ghf7NwMC8G6DEU8s7Iydx
FXnGiireeN67qO0d+INAG1ZNdwthf281pFer9KvFtRiAx8BQKO7z7DafUR9NCFJh
4ZgkbOYINY1IWI+bnT2rgFbKBut3W2ECY4bM3jUoBk88yfRuDEmDaZm4y5FDw3Zk
A+5otykawZCjD/6StiW+nEPfwNgW3jh4xjGcYCVfXUmfneFU9tOcOnSSJu9DKAJD
wB5vxLk5FBlhxIN+msOnYazpYzcqBh3HeY1JEsMC2ktceP64HBhJblJJd/SdjD8f
HzCuUgA7y20E88VWNTQ7vOiqAW4tAI5nDadQeKm/N/KfI3LDJBCf9/MbguQBj5kn
/OgdGMVNscwZut600U/DRJJIyIrTlOs35Jgqow0WT6YVzMYOW/0jgMUyJRqDol4q
fST9OTCGiRQ1ZWih3klwA0eSMg8Ypit75fAg1KEBo9lqzKpMkUm1XYZYrnqgivds
3czKdjwKlZjfbQRI3bJJxb78HiKduvGsn3+ryfvW2JYJ2+Gibt3yjw+suwhTsNcp
Bakg9GCDFQM6bs7gThRWl9Rr7YR7IxARxP6WrK0G61q9t6hOjZvIYW0a0KiDBxV+
1oQlqhiGwUI=
=ZPoK
-----END PGP SIGNATURE-----