Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.3624
Securing the Cisco IOS and IOS XE Software Layer 2 Traceroute Server
26 September 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco IOS and IOS XE for Catalyst switches
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Access Confidential Data -- Remote/Unauthenticated
Resolution: Mitigation
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-l2-traceroute
- --------------------------BEGIN INCLUDED TEXT--------------------
Securing the Cisco IOS and IOS XE Software Layer 2 Traceroute Server
Priority: Informational
Advisory ID: cisco-sa-20190925-l2-traceroute
First Published: 2019 September 25 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Summary
o The Layer 2 (L2) traceroute utility identifies the L2 path that a packet
takes from a source device to a destination device. Cisco IOS Software and
Cisco IOS XE Software for Cisco Catalyst switches have inherited the L2
traceroute feature from Cisco CatOS Software. As such, this feature has
been supported since Cisco IOS and IOS XE Software were first released.
Cisco has confirmed that the L2 traceroute feature is not supported in
Cisco IOS XR Software or Cisco NX-OS Software.
The L2 traceroute feature is enabled by default in Cisco IOS and IOS XE
Software for Cisco Catalyst switches. Enabling the feature starts the L2
traceroute server, which is reachable through IPv4, listening on UDP port
2228. The following example shows the output of the show ip sockets command
on a device that has the L2 traceroute feature enabled:
Switch#show ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 10.10.10.1 2228 0 0 211 0
By design, the L2 traceroute server does not require authentication, and it
allows certain information about an affected device to be read, including
the following:
Hostname
Hardware model
Configured interfaces
Configured IP addresses
VLAN database
MAC address table
Layer 2 filtering table
Cisco Discovery Protocol (CDP) neighbor information
Reading this information from multiple switches in the network could allow
an attacker to build a complete L2 topology map of that network.
Customers are advised to secure the L2 traceroute server as described in
the Recommendations section of this advisory.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190925-l2-traceroute
Recommendations
o Secure the Layer 2 Traceroute Server
Depending on whether the L2 traceroute feature is used in the environment
and whether the Cisco IOS or IOS XE Software release supports the CLI
commands to implement the respective option, there are several ways to
secure the L2 traceroute server:
Disable the L2 traceroute server.
Restrict access to the L2 traceroute server through infrastructure
access control lists (iACLs).
Restrict access to the L2 traceroute server through control plane
policing (CoPP).
Upgrade to a release that has the L2 traceroute server disabled by
default.
Disable the Layer 2 Traceroute Server
In Cisco IOS and IOS XE Software releases that support the command, the L2
traceroute server can be disabled by using the no l2 traceroute command in
global configuration mode. Where available, the no l2 traceroute command
will stop the L2 traceroute server immediately. Customers who are running a
recent release of Cisco IOS or IOS XE Software, and the no l2 traceroute
command is not available, are advised to contact their support
organization.
Use Infrastructure Access Control Lists to Restrict Access to the L2
Traceroute Server
Although it can be difficult to block traffic that traverses a network, it
is possible to identify malicious traffic and then block that traffic at
the border of the network. Using iACLs is a network security best practice
and should be considered as a long-term addition to good network security,
as well as a mitigation for this specific issue. To help protect all
devices with IP addresses in the infrastructure IP address range, customers
are advised to include the following iACL example as part of the deployed
iACL:
!---
!--- Feature: L2 Traceroute
!---
!---
!--- Deny L2 Traceroute traffic from all other sources
!--- destined to infrastructure addresses
!---
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 2228
!---
!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and
!--- configurations. Permit all other traffic to transit the
!--- device.
!---
access-list 150 permit ip any any
!---
!--- Apply access-list to all interfaces (only one example
!--- shown)
!---
interface GigabitEthernet 2/0
ip access-group 150 in
For further guidelines and recommendations for deployment techniques for
iACLs, see the white paper Protecting Your Core: Infrastructure Protection
Access Control Lists and the Cisco Guide to Harden Cisco IOS Devices .
Use Control Plane Policing to Restrict Access to the L2 Traceroute Server
CoPP can be used to block untrusted UDP traffic to the device. Cisco IOS
Software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, 12.4T, and later
support the CoPP feature. CoPP can be configured to do the following:
Protect the management and control planes
Minimize the risk and effectiveness of direct infrastructure attacks
It does this by explicitly permitting only authorized traffic in accordance
with existing security policies and configurations.
To help protect all devices with IP addresses in the infrastructure IP
address range, customers are advised to include the following CoPP as part
of the deployed CoPP policy:
!---
!--- Feature: L2 Traceroute
!---
!---
!--- Deny L2 Traceroute traffic from all other sources
!--- destined to the device control plane.
!---
access-list 150 permit udp any any eq 2228
!---
!--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and
!--- Layer4 traffic in accordance with existing security policies
!--- and configurations for traffic that is authorized to be sent
!--- to infrastructure devices
!--- Create a Class-Map for traffic to be policed by
!--- the CoPP feature
!---
class-map match-all drop-l2trace-class
match access-group 150
!---
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.
!---
policy-map control-plane-policy
class drop-l2trace-class
drop
!---
!--- Apply the Policy-Map to the
!--- Control-Plane of the device
!---
control-plane
service-policy input control-plane-policy
For additional information on configuring and using the CoPP feature, see
the Control Plane Policing Implementation Best Practices and the Cisco
Guide to Harden Cisco IOS Devices .
Upgrade to a Release That Has the L2 Traceroute Server Disabled by Default
The following planned releases of Cisco IOS and IOS XE Software will have
the L2 traceroute server disabled by default:
Cisco IOS 15.2(7)E1 (December 2019) and later
Cisco IOS XE 3.11.1E (December 2019) and later
Cisco IOS XE 17.2.1 (March 2020) and later
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is aware of the
availability of public exploit code that can be used to misuse the L2
traceroute feature as described in this advisory.
Source
o Cisco would like to thank the independent security researcher Chris Marget
for reporting this issue.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190925-l2-traceroute
Revision History
o +---------+------------------------+---------+--------+-------------------+
| Version | Description | Section | Status | Date |
+---------+------------------------+---------+--------+-------------------+
| 1.0 | Initial public | - | Final | 2019-September-25 |
| | release. | | | |
+---------+------------------------+---------+--------+-------------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXYw492aOgq3Tt24GAQis7Q//Qa4qcnE5yb7J/1+1GmkiFkl3DSDlcBRx
9F8s8a3owbeHYrOIIPvhtvYX5WaR53fD2RPgOjebFF0Ghf7NwMC8G6DEU8s7Iydx
FXnGiireeN67qO0d+INAG1ZNdwthf281pFer9KvFtRiAx8BQKO7z7DafUR9NCFJh
4ZgkbOYINY1IWI+bnT2rgFbKBut3W2ECY4bM3jUoBk88yfRuDEmDaZm4y5FDw3Zk
A+5otykawZCjD/6StiW+nEPfwNgW3jh4xjGcYCVfXUmfneFU9tOcOnSSJu9DKAJD
wB5vxLk5FBlhxIN+msOnYazpYzcqBh3HeY1JEsMC2ktceP64HBhJblJJd/SdjD8f
HzCuUgA7y20E88VWNTQ7vOiqAW4tAI5nDadQeKm/N/KfI3LDJBCf9/MbguQBj5kn
/OgdGMVNscwZut600U/DRJJIyIrTlOs35Jgqow0WT6YVzMYOW/0jgMUyJRqDol4q
fST9OTCGiRQ1ZWih3klwA0eSMg8Ypit75fAg1KEBo9lqzKpMkUm1XYZYrnqgivds
3czKdjwKlZjfbQRI3bJJxb78HiKduvGsn3+ryfvW2JYJ2+Gibt3yjw+suwhTsNcp
Bakg9GCDFQM6bs7gThRWl9Rr7YR7IxARxP6WrK0G61q9t6hOjZvIYW0a0KiDBxV+
1oQlqhiGwUI=
=ZPoK
-----END PGP SIGNATURE-----