VARIoT IoT vulnerabilities database

VAR-200810-0263 | CVE-2008-4404 | IPv6 implementations insecurely update Forwarding Information Base |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The IPv6 Neighbor Discovery Protocol (NDP) implementation on IBM zSeries servers does not validate the origin of Neighbor Discovery messages, which allows remote attackers to cause a denial of service (loss of connectivity) or read private network traffic via a spoofed message that modifies the Forward Information Base (FIB), a related issue to CVE-2008-2476. A vulnerability in some implementations of the IPv6 Neighbor Discovery Protocol may allow a nearby attacker to intercept traffic or cause congested links to become overloaded. ----------------------------------------------------------------------
Did you know that a change in our assessment rating, exploit code
availability, or if an updated patch is released by the vendor, is
not part of this mailing-list?
Click here to learn more:
http://secunia.com/advisories/business_solutions/
----------------------------------------------------------------------
TITLE:
HP-UX IPv6 Neighbor Discovery Protocol Neighbor Solicitation
Vulnerability
SECUNIA ADVISORY ID:
SA33787
VERIFY ADVISORY:
http://secunia.com/advisories/33787/
CRITICAL:
Less critical
IMPACT:
Spoofing, Exposure of sensitive information, DoS
WHERE:
>From local network
OPERATING SYSTEM:
HP-UX 11.x
http://secunia.com/advisories/product/138/
DESCRIPTION:
A vulnerability has been reported in HP-UX, which can be exploited by
malicious people to conduct spoofing attacks, disclose potentially
sensitive information, or to cause a DoS (Denial of Service).
This is related to:
SA32112
The vulnerability is reported in HP-UX B.11.11, B.11.23, and B.11.31
running IPv6.
SOLUTION:
Apply patches.
HP-UX B.11.11:
Install patch PHNE_37898 or subsequent.
HP-UX B.11.23:
Install patch PHNE_37897 or subsequent.
HP-UX B.11.31:
Install patch PHNE_38680 or subsequent.
For more information:
SA32112
2) An unspecified error exists in the handling of PPPoE discovery
packets. which can be exploited to cause an out-of-bounds memory
access error by sending a specially crafted PPPoE discovery packet.
3) An error exists in the handling of incoming ICMPv6 "Packet Too
Big" messages, which can be exploited to shutdown the device.
This is related to:
SA31745
SOLUTION:
Update to firmware version 7.4.1.
Fixed versions:
2008-10-01 00:32:59 UTC (RELENG_7, 7.1-PRERELEASE)
2008-10-01 00:32:59 UTC (RELENG_7_0, 7.0-RELEASE-p5)
2008-10-01 00:32:59 UTC (RELENG_6, 6.4-PRERELEASE)
2008-10-01 00:32:59 UTC (RELENG_6_3, 6.3-RELEASE-p5)
Patch for FreeBSD 6.3:
http://security.FreeBSD.org/patches/SA-08:10/nd6-6.patch
http://security.FreeBSD.org/patches/SA-08:10/nd6-6.patch.asc
Patch for FreeBSD 7.0:
http://security.FreeBSD.org/patches/SA-08:10/nd6-7.patch
http://security.FreeBSD.org/patches/SA-08:10/nd6-7.patch.asc
PROVIDED AND/OR DISCOVERED BY:
The vendor credits David Miles. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01662367
Version: 1
HPSBUX02407 SSRT080107 rev.1 - HP-UX Running IPv6, Remote Denial of Service (DoS) and Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-02-02
Last Updated: 2009-02-02
Potential Security Impact: Remote Denial of Service (DoS) and unauthorized access
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running IPv6. This vulnerability could be exploited remotely resulting in a Denial of Service (DoS) and unauthorized access.
References: CVE-2008-2476, CVE-2008-4404
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running IPv6
BACKGROUND
CVSS 2.0 Base Metrics
===============================================
Reference Base Vector Base Score
CVE-2008-2476 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2008-4404 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has provided the following software patches to resolve the vulnerabilities.
The patches are available for download from: http://itrc.hp.com
HP-UX Release - B.11.11 (11i v1)
Patch ID - PHNE_37898
HP-UX Release - B.11.23 (11i v2)
Patch ID - PHNE_37897
HP-UX Release - B.11.31 (11i v3)
Patch ID - PHNE_38680
MANUAL ACTIONS: No
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
=============
Networking.NET-KRN
Networking.NET-PRG
Networking.NET-RUN
Networking.NET-RUN-64
OS-Core.CORE-KRN
ProgSupport.C-INC
Networking.NET2-KRN
Networking.NMS2-KRN
OS-Core.CORE2-KRN
OS-Core.SYS-ADMIN
Networking.NET2-KRN
Networking.NMS2-KRN
OS-Core.CORE2-KRN
OS-Core.SYS-ADMIN
action: install patch PHNE_37898 or subsequent
URL: http://itrc.hp.com
HP-UX B.11.23
=============
Networking.NET-PRG
Networking.NET-RUN
ProgSupport.C-INC
Networking.NET-RUN-64
Networking.NET2-KRN
Networking.NET2-RUN
Networking.NMS2-KRN
OS-Core.CORE2-KRN
OS-Core.SYS2-ADMIN
Networking.NET-RUN-64
Networking.NET2-KRN
Networking.NET2-RUN
Networking.NMS2-KRN
OS-Core.CORE2-KRN
OS-Core.SYS2-ADMIN
action: install patch PHNE_37897 or subsequent
URL: http://itrc.hp.com
HP-UX B.11.31
=============
Networking.NET-RUN
ProgSupport.C-INC
Networking.NET-RUN-64
Networking.NET2-KRN
Networking.NET2-RUN
Networking.NMS2-KRN
OS-Core.CORE2-KRN
OS-Core.SYS2-ADMIN
Networking.NET-RUN-64
Networking.NET2-KRN
Networking.NET2-RUN
Networking.NMS2-KRN
OS-Core.CORE2-KRN
OS-Core.SYS2-ADMIN
action: install patch PHNE_38680 or subsequent
URL: http://itrc.hp.com
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 2 February 2009 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
- check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
- verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
\xa9Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBSYdFsuAfOvwtKn1ZEQK0VACeIKetdQfBDsssaZYXnerHz8AEwzEAn2iy
saLPK+/sw3/02JA+b0HuzPfv
=HTAW
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Do you need accurate and reliable IDS / IPS / AV detection rules?
Get in-depth vulnerability details:
http://secunia.com/binary_analysis/sample_analysis/
----------------------------------------------------------------------
TITLE:
Juniper Products Neighbor Discovery Protocol Neighbor Solicitation
Vulnerability
SECUNIA ADVISORY ID:
SA32116
VERIFY ADVISORY:
http://secunia.com/advisories/32116/
CRITICAL:
Less critical
IMPACT:
Manipulation of data
WHERE:
>From local network
OPERATING SYSTEM:
Juniper IVE OS Software 1.x
http://secunia.com/advisories/product/11660/
Juniper IVE OS Software 2.x
http://secunia.com/advisories/product/11661/
Juniper IVE OS Software 3.x
http://secunia.com/advisories/product/11662/
Juniper IVE OS Software 5.x
http://secunia.com/advisories/product/6644/
Juniper IVE OS Software 4.x
http://secunia.com/advisories/product/6645/
Juniper IVE OS Software 6.x
http://secunia.com/advisories/product/18562/
Juniper Networks DXOS 5.x
http://secunia.com/advisories/product/11183/
Juniper Networks IDP 4.x
http://secunia.com/advisories/product/11181/
Juniper Networks Infranet Controller 4000
http://secunia.com/advisories/product/11167/
Juniper Networks WXC Series
http://secunia.com/advisories/product/11164/
Juniper Networks WX Series
http://secunia.com/advisories/product/11163/
Juniper Networks Session and Resource Control (SRC) 2.x
http://secunia.com/advisories/product/19036/
Juniper Networks Secure Access 6000 SP
http://secunia.com/advisories/product/13184/
Juniper Networks Secure Access 4000 (NetScreen-SA 3000 Series)
http://secunia.com/advisories/product/3141/
Juniper Networks Secure Access 2000
http://secunia.com/advisories/product/11165/
Juniper Networks Infranet Controller 6000
http://secunia.com/advisories/product/11168/
Juniper Networks Secure Access 6000 (NetScreen-SA 5000 Series)
http://secunia.com/advisories/product/3132/
Juniper Networks Secure Access 700
http://secunia.com/advisories/product/11166/
Juniper Networks Session and Resource Control (SRC) 1.x
http://secunia.com/advisories/product/19034/
DESCRIPTION:
A vulnerability has been reported in multiple Juniper Networks
products, which can be exploited by malicious people to manipulate
the router's neighbor cache. This can be exploited to add a fake entry to the router's
neighbor cache via a neighbor solicitation request containing a
spoofed IPv6 address.
Successful exploitation may allow the interception or disruption of
network traffic, but requires that the IPv6 nodes involved in the
attack are using the same router.
NOTE: The vendor has not published a publicly available advisory and
has also refused to provide a list of the affected products or
patches as information about vulnerabilities is provided to
registered customers only. It is therefore unclear if only a subset
of the products reported as vulnerable in this advisory are affected.
SOLUTION:
It is currently unclear whether fixes are available.
PROVIDED AND/OR DISCOVERED BY:
US-CERT credits David Miles.
ORIGINAL ADVISORY:
Juniper (login required):
https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2008-09-036&viewMode=view
US-CERT:
http://www.kb.cert.org/vuls/id/MAPG-7H2RZU
OTHER REFERENCES:
US-CERT VU#472363:
http://www.kb.cert.org/vuls/id/472363
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200810-0010 | CVE-2008-4609 | TCP may keep its offered receive window closed indefinitely (RFC 1122) |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress. Part of the Transmission Control Protocol (TCP) specification (RFC 1122) allows a receiver to advertise a zero byte window, instructing the sender to maintain the connection but not send additional TCP payload data. The sender should then probe the receiver to check if the receiver is ready to accept data. Narrow interpretation of this part of the specification can create a denial-of-service vulnerability. By advertising a zero receive window and acknowledging probes, a malicious receiver can cause a sender to consume resources (TCP state, buffers, and application memory), preventing the targeted service or system from handling legitimate connections. Transmission Control Protocol (TCP) Multiple implementations of service disruption (DoS) Vulnerabilities exist. RFC793 It is prescribed by Transmission Control Protocol (TCP) Implementation of service disruption due to misuse of available resources after connection establishment (DoS) Vulnerabilities exist.Service operation disrupted by a remote third party (DoS) There is a possibility of being attacked. The core TCP/IP protocol is prone to multiple remote denial-of-service vulnerabilities.
The issues are tracked by Cisco Bug IDs CSCsv04836, CSCsv07712, CSCsv66169, CSCsv02768, CSCsv08325, and CSCsv08579.
These issues are reported to affect multiple vendors' implementations of the TCP/IP stack. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Blue Coat ProxySG TCP Implementation Denial of Service
Vulnerabilities
SECUNIA ADVISORY ID:
SA37044
VERIFY ADVISORY:
http://secunia.com/advisories/37044/
DESCRIPTION:
Some vulnerabilities have been reported in Blue Coat ProxySG, which
can be exploited by malicious people to cause a DoS (Denial of
Service).
The vulnerabilities are caused due to errors in the TCP
implementation when processing TCP packets. These can be exploited to
exhaust system resources and render the appliance unresponsive to
legitimate requests.
SOLUTION:
Please consult the vendor's advisory for potential workaround
information.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Outpost24.
ORIGINAL ADVISORY:
https://kb.bluecoat.com/index?page=content&id=SA37
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01923093
Version: 1
HPSBMI02473 SSRT080138 rev.1 - Cisco Catalyst Blade Switch 3020/3120, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-11-17
Last Updated: 2009-11-17
Potential Security Impact: Remote execution of arbitrary code, Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential vulnerability has been identified with the Cisco Catalyst Blade Switch 3020/3021. The vulnerability could be exploited remotely to create a Denial of Service (DoS).
References: CVE-2008-4609, Cisco Security Advisory: TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products(cisco-sa-20090908-tcp24)
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Cisco Catalyst Blade Switch 3020 for c-Class BladeSystem running firmware earlier than v12.2(50)
Cisco Catalyst Blade Switch 3120G and Cisco Catalyst Blade Switch 3120X for HP running firmware earlier than v12.2(50)
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2008-4609 (AV:N/AC:M/Au:N/C:N/I:N/A:C) 7.1
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided firmware updates to resolve this vulnerability.
Product
Firmware Version
Cisco Catalyst Blade Switch 3020 for c-Class BladeSystem
12.2(50) SE1 or subsequent
Cisco Catalyst Blade Switch 3120G and Cisco Catalyst Blade Switch 3120X for HP
12.2(50) SE1 or subsequent
To Locate the Firmware Update
Browse to http://www.hp.com and do the following:
Select "Support & Drivers"
In Step 1 select "Download drivers and software (and firmware)"
In Step 2 enter "Cisco Catalyst Blade Switch"
Click on "Go"
Select the desired product
Select the desired Windows operating system
Click on "Firmware - Blade Infrastructure"
PRODUCT SPECIFIC INFORMATION
None
HISTORY
Version:1 (rev.1) - 17 November 2009 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAksEDAMACgkQ4B86/C0qfVm87gCgliWdpIKldzOKHRvJA5r9gR4Z
ge0AoMu3ueCbIB4y3HUmT/jReUzE4jym
=uBei
-----END PGP SIGNATURE-----
VAR-200902-0202 | CVE-2008-6096 | Juniper NetScreen ScreenOS Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Juniper NetScreen ScreenOS before 5.4r10, 6.0r6, and 6.1r2 allows remote attackers to inject arbitrary web script or HTML via the user name parameter to the (1) web interface login page or the (2) telnet login page. ScreenOS is prone to an HTML-injection vulnerability because its administrative web interface fails to sufficiently sanitize user-supplied input data.
Attacker-supplied HTML and script code would run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
The issue affects ScreenOS 5.4.0r9.0. Juniper NetScreen ScreenOS is the core operating system of NetScreen firewall and other network products. Juniper NetScreen ScreenOS versions earlier than 5.4r10, 6.0r6 and 6.1r2 have a cross-site scripting vulnerability. ----------------------------------------------------------------------
Do you need accurate and reliable IDS / IPS / AV detection rules?
Get in-depth vulnerability details:
http://secunia.com/binary_analysis/sample_analysis/
----------------------------------------------------------------------
TITLE:
Juniper NetScreen ScreenOS Script Insertion Vulnerability
SECUNIA ADVISORY ID:
SA32078
VERIFY ADVISORY:
http://secunia.com/advisories/32078/
CRITICAL:
Moderately critical
IMPACT:
Cross Site Scripting
WHERE:
>From remote
OPERATING SYSTEM:
NetScreen ScreenOS 5.x
http://secunia.com/advisories/product/2569/
NetScreen ScreenOS 6.x
http://secunia.com/advisories/product/18925/
DESCRIPTION:
A vulnerability has been reported in Juniper NetScreen ScreenOS,
which can be exploited by malicious people to conduct script
insertion attacks. This can
be exploited to insert arbitrary HTML and script code, which will be
executed in another user's browser session in context of the web
interface when the event logs are viewed.
The vulnerability is reported in version 5.4.0r9.0 and reportedly
also affects versions prior to 6.0r6 and 6.1r2.
SOLUTION:
Update to version 5.4r10, 6.0r6, or 6.1r2.
PROVIDED AND/OR DISCOVERED BY:
Deral Heiland, Layered Defense
ORIGINAL ADVISORY:
Layered Defense:
http://www.layereddefense.com/netscreen01oct.html
Juniper (login required):
https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2008-09-009&viewMode=view
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200810-0201 | CVE-2008-4368 | Apple Mac OS X Vulnerability in decrypting cipher text |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The default configuration of Java 1.5 on Apple Mac OS X 10.5.4 and 10.5.5 contains a jurisdiction policy that limits Java Cryptography Extension (JCE) key sizes to 128 bits, which makes it easier for attackers to decrypt ciphertext produced by JCE. Mac OS X is prone to a remote security vulnerability
VAR-200809-0440 | CVE-2008-4300 | Microsoft IIS of adsiis.dll Service disruption in (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
A certain ActiveX control in adsiis.dll in Microsoft Internet Information Services (IIS) allows remote attackers to cause a denial of service (browser crash) via a long string in the second argument to the GetObject method. NOTE: this issue was disclosed by an unreliable researcher, so it might be incorrect. IIS is prone to a denial-of-service vulnerability
VAR-200809-0441 | CVE-2008-4301 | Microsoft's Internet Information Services Vulnerability in |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
A certain ActiveX control in iisext.dll in Microsoft Internet Information Services (IIS) allows remote attackers to set a password via a string argument to the SetPassword method. NOTE: this issue could not be reproduced by a reliable third party. In addition, the original researcher is unreliable. Therefore the original disclosure is probably erroneous
VAR-200809-0366 | CVE-2008-4366 | Camera Life Arbitrary image upload component vulnerable to arbitrary code execution |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
Unrestricted file upload vulnerability in the image upload component in Camera Life 2.6.2b4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in a user directory under images/photos/upload. The issue occurs because the application fails to sanitize user-supplied input.
Camera Life 2.6.2b4 is vulnerable; other versions may also be affected
VAR-200809-0436 | CVE-2008-4296 | Cisco Linksys WRT350N Default password vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The Cisco Linksys WRT350N with firmware 1.0.3.7 has "admin" as its default password for the "admin" account, which makes it easier for remote attackers to obtain access. Provided by Cisco Systems Cisco Linksys WRT350N Contains a default password vulnerability. Linksys Wrt350n is prone to a remote security vulnerability
VAR-200809-0422 | CVE-2008-4322 |
RealFlex RealWin buffer overflow
Related entries in the VARIoT exploits database: VAR-E-200809-0693 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in RealFlex Technologies Ltd. RealWin Server 2.0, as distributed by DATAC, allows remote attackers to execute arbitrary code via a crafted FC_INFOTAG/SET_CONTROL packet. RealFlex RealWin demo version contains a vulnerability in the way "FC_INFOTAG/SET_CONTROL" packets are processed. DATAC RealWin Is FC_INFOTAG/SET_CONTROL A buffer overflow vulnerability exists due to improper handling of packets. DATAC RealWin Is Human Machine Interface With components, Microsoft Windows2000/XP Work on SCADA Server software. RealWin Is Crafted FC_INFOTAG/SET_CONTROL A buffer overflow vulnerability exists due to improper handling of packets.Arbitrary code execution or denial of service by a remote third party (DoS) There is a possibility of being attacked. DATAC RealWin SCADA server is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. This may facilitate the complete compromise of affected computers. Failed exploit attempts may result in a denial-of-service condition.
RealWin SCADA server 2.0 is affected; other versions may also be vulnerable. ----------------------------------------------------------------------
Do you need accurate and reliable IDS / IPS / AV detection rules?
Get in-depth vulnerability details:
http://secunia.com/binary_analysis/sample_analysis/
----------------------------------------------------------------------
TITLE:
RealWin INFOTAG/SET_CONTROL Packet Processing Buffer Overflow
SECUNIA ADVISORY ID:
SA32055
VERIFY ADVISORY:
http://secunia.com/advisories/32055/
CRITICAL:
Moderately critical
IMPACT:
DoS, System access
WHERE:
>From remote
SOFTWARE:
RealWin 2.x
http://secunia.com/advisories/product/19990/
DESCRIPTION:
Ruben Santamarta has discovered a vulnerability in RealWin, which can
be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to a boundary error in the processing
of TCP packets received on port 910 by default.
SOLUTION:
Restrict network access to trusted users only.
PROVIDED AND/OR DISCOVERED BY:
Ruben Santamarta, Reversemode
ORIGINAL ADVISORY:
http://reversemode.com/index.php?option=com_content&task=view&id=55&Itemid=1
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200809-0455 | No CVE | RealWin SCADA Server Remote Stack Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
RealWin is a data acquisition and monitoring control system (SCADA) server product running on the Windows platform.
If a remote attacker sends a specially crafted FC_INFOTAG / SET_CONTROL message to the RealWin server, it can trigger a stack overflow and cause arbitrary code execution. The RealWin server uses a proprietary protocol to accept connections from FlewWin clients and can exploit this vulnerability without having valid credentials
VAR-200908-0109 | CVE-2008-7025 | Check Point ZoneAlarm of TrueVector Service disruption in (DoS) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
TrueVector in Check Point ZoneAlarm 8.0.020.000, with vsmon.exe running, allows remote HTTP proxies to cause a denial of service (crash) and disable the HIDS module via a crafted response. ZoneAlarm Internet Security Suite is prone to a remote denial-of-service vulnerability that occurs in the TrueVector component when connecting to a malicious HTTP proxy.
ZoneAlarm Internet Security Suite 8.0.020 is vulnerable; other versions may also be affected
VAR-200809-0040 | CVE-2008-3806 | Cisco IOS In UDP Vulnerability in packet processing |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
Cisco IOS 12.0 through 12.4 on Cisco 10000, uBR10012 and uBR7200 series devices handles external UDP packets that are sent to 127.0.0.0/8 addresses intended for IPC communication within the device, which allows remote attackers to cause a denial of service (device or linecard reload) via crafted UDP packets, a different vulnerability than CVE-2008-3805. Provided by Cisco Systems Cisco IOS The denial of service (DoS) There are vulnerabilities. This vulnerability is CVE-2008-3805 This is a different vulnerability.See the "Summary" for the impact of this vulnerability. Ios is prone to a denial-of-service vulnerability. ----------------------------------------------------------------------
Do you need accurate and reliable IDS / IPS / AV detection rules?
Get in-depth vulnerability details:
http://secunia.com/binary_analysis/sample_analysis/
----------------------------------------------------------------------
TITLE:
Cisco IOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31990
VERIFY ADVISORY:
http://secunia.com/advisories/31990/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Cisco IOS R12.x
http://secunia.com/advisories/product/50/
Cisco IOS 12.x
http://secunia.com/advisories/product/182/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IOS, which can be
exploited by malicious people to disclose sensitive information,
cause a DoS (Denial of Service), or to compromise a vulnerable
system.
1) An unspecified error exists in the processing of SSL packets
during the termination of an SSL session, which can potentially be
exploited to crash an affected system.
2) Two unspecified errors exist within the processing of Protocol
Independent Multicast (PIM) packets, which can be exploited to cause
an affected device to reload.
3) Unspecified errors within the processing of segmented Skinny Call
Control Protocol (SCCP) messages can be exploited to cause a Cisco
IOS device to reload.
Successful exploitation requires that the device is configured with
Network Address Translation (NAT) SCCP Fragmentation Support.
4) A memory leak in the processing of Session Initiation Protocol
(SIP) messages can be exploited to cause a DoS for all voice
services.
5) Multiple unspecified errors exist in the processing of SIP
messages, which can be exploited to cause a reload of an affected
device.
6) An unspecified error in the IOS Intrusion Prevention System (IPS)
feature when processing certain IPS signatures that use the
SERVICE.DNS engine can be exploited to cause a DoS via specially
crafted network traffic.
7) A security issue exists in the processing of extended communities
with Multi Protocol Label Switching (MPLS) Virtual Private Networks
(VPN), which can lead to traffic leaking from one MPLS VPN to
another.
This security issue does not affect Cisco IOS releases based on
12.1.
NOTE: This security issue was introduced with CSCee83237. Cisco IOS
images that do not include CSCee83237 are reportedly not affected.
8) An unspecified error within the Multi Protocol Label Switching
(MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a
DoS via specially crafted network packets.
Successful exploitation requires access to the MPLS network.
9) An unspecified error within the Application Inspection Control
(AIC) can be exploited to cause a reload of an affected device via
specially crafted HTTP packets.
10) An unspecified error in the processing of Layer 2 Tunneling
Protocol (L2TP) packets can be exploited to cause an affected device
to reload via a specially crafted L2TP packets.
Successful exploitation requires that the L2TP mgmt daemon process is
running. This process may be enabled e.g. via Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up
Networks (VPDN).
11) An unspecified error exists in the processing of IPC messages.
This vulnerability is reported in Cisco 10000, uBR10012, and uBR7200
series devices.
12) A security issue is caused due to the device automatically
enabling SNMP with a default community string, which can be exploited
to gain control an affected system.
Successful exploitation requires that a device is configured for
linecard redundancy.
SOLUTION:
Update to the fixed version (please see the vendor's advisories for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200809-0017 | CVE-2008-2474 | ABB PCU400 "x87" Buffer Overflow Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in x87 before 3.5.5 in ABB Process Communication Unit 400 (PCU400) 4.4 through 4.6 allows remote attackers to execute arbitrary code via a crafted packet using the (1) IEC60870-5-101 or (2) IEC60870-5-104 communication protocol to the X87 web interface. ABB PCU400 contains a vulnerability which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. ABB Made by company PCU400 Contains a buffer overflow vulnerability. ABB Provided by the company PCU400 Application server IEC-870-5-104 Use protocol RTU(Remote Terminal Unit) When SCADA A gateway device that communicates between servers.
The PCU400 'x87' executable version 3.5.5 is vulnerable; other versions may also be affected. Background
-----------------
Vendor product information:
PCU400 is the modern product when implementing an effective data acquisition network in SCADA-based systems
PCU400, Process Communication Unit 400 forms the communication interface to the network of remote terminal units (RTUs) together with the RCS Application Software located in the application server of a Network Manager SCADA system.
The PCU400 can be used as a SCADA front-end, communication gateway for Substation Automation systems or as a standalone protocol converter.
Two parts define the Data Acquisition system:
* RCS Application, a software package running in the Application Server
* PCU400, a front-end converter that implements the protocols and connects the physical lines
PCU 400 can be used in a variety of configurations to cater for different network topologies and different levels of fault tolerance in the system. The alternatives include single or redundant PCU 400 units.
Description
----------------
A buffer overflow exists in the component that handles IEC60870-5-101 and IEC60870-5-104 communication protocols.
The description of the vulnerability is intentionally limited as this software controls critical national infrastructure.
Impact
----------
An attacker can compromise the server which runs PCU400, which acts as the FEP server of the ABB SCADA system.
This vulnerability is another method to carry out the "field to control center" attack vector mentioned in C4's S4 2008 paper "Control System Attack Vectors and Examples: Field Site and Corporate Network", which will allow the attacker to control other RTUs connected to that FEP.
In addition, an attacker can use his control over the FEP server to insert a generic electric grid malware as specified in our SysScan08 presentation, in order to cause harm to the grid.
Both documents are available at http://www.c4-security.com/index-5.html .
Workaround/Fix
-----------------------
The vendor issued a hotfix to resolve this vulnerability.
Additional Information
-------------------------------
For additional information please contact us at info_at_c4-security.com.
Note that we will respond only to verified utility personnel and governmental agencies.
The CVE identifier assigned to this vulnerability by CERT is CVE-2008-2474
Credit
--------
This vulnerability was discovered and exploited by Idan Ofrat of C4. ----------------------------------------------------------------------
Do you need accurate and reliable IDS / IPS / AV detection rules?
Get in-depth vulnerability details:
http://secunia.com/binary_analysis/sample_analysis/
----------------------------------------------------------------------
TITLE:
ABB PCU400 X87 Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA32047
VERIFY ADVISORY:
http://secunia.com/advisories/32047/
CRITICAL:
Moderately critical
IMPACT:
DoS, System access
WHERE:
>From local network
SOFTWARE:
ABB PCU 400
http://secunia.com/advisories/product/19970/
DESCRIPTION:
A vulnerability has been reported in ABB PCU400, which can
potentially be exploited by malicious people to compromise a
vulnerable system.
PROVIDED AND/OR DISCOVERED BY:
Idan Ofrat of C4 Security
ORIGINAL ADVISORY:
C4 Security:
http://archives.neohapsis.com/archives/bugtraq/2008-09/0283.html
OTHER REFERENCES:
US-CERT VU#343971:
http://www.kb.cert.org/vuls/id/343971
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200809-0210 | CVE-2008-3638 | Apple Mac OS X Running on Java of file:// URL Vulnerability in arbitrary program execution in access |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Java on Apple Mac OS X 10.5.4 and 10.5.5 does not prevent applets from accessing file:// URLs, which allows remote attackers to execute arbitrary programs.
An attacker can exploit this issue by enticing an unsuspecting victim to visit a malicious webpage containing crafted Java applets.
Successfully exploiting this issue will allow attackers to run arbitrary code by launching arbitrary executables within the context of the affected application.
This issue affects Mac OS X 10.5.5 (and prior versions) and Mac OS X Server 10.5.5 (and prior versions). ----------------------------------------------------------------------
Do you need accurate and reliable IDS / IPS / AV detection rules?
Get in-depth vulnerability details:
http://secunia.com/binary_analysis/sample_analysis/
----------------------------------------------------------------------
TITLE:
Mac OS X Java Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA32018
VERIFY ADVISORY:
http://secunia.com/advisories/32018/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Exposure of system information, Exposure of
sensitive information, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/advisories/product/96/
DESCRIPTION:
Some vulnerabilities have been reported and acknowledged in Java for
Mac OS X, which can be exploited by malicious people to cause a DoS
(Denial of Service), to bypass certain security restrictions,
disclose system information or potentially sensitive information, or
to compromise a vulnerable system.
1) An error leading to the use of an uninitialized variable exists in
the hash-based Message Authentication Code (HMAC) provider.
2) An error in the Java plug-in within the handling of "file://" URLs
can be exploited to launch local files when a user visits a web page
containing a specially crafted java applet.
3) Some vulnerabilities in Java 1.4.2_16 and Java 1.5.0_13 can be
exploited by malicious people to cause a DoS (Denial of Service), to
bypass certain security restrictions, disclose system information or
potentially sensitive information, or to compromise a vulnerable
system.
2) The vendor credits Nitesh Dhanjani and Billy Rios.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3179
http://support.apple.com/kb/HT3178
OTHER REFERENCES:
SA28115
http://secunia.com/advisories/28115/
SA29239:
http://secunia.com/advisories/29239/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200809-0209 | CVE-2008-3637 | Apple Mac OS X is running on Java of HMAC provider Vulnerability to execute arbitrary code in |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
The Hash-based Message Authentication Code (HMAC) provider in Java on Apple Mac OS X 10.4.11, 10.5.4, and 10.5.5 uses an uninitialized variable, which allows remote attackers to execute arbitrary code via a crafted applet, related to an "error checking issue.".
Successful exploits will allow an attacker to run arbitrary code in the context of the affected software. Failed exploit attempts may result in denial-of-service conditions.
This issue affects the following:
Mac OS X 10.5.5 (and prior versions)
Mac OS X Server 10.5.5 (and prior versions)
Mac OS X 10.4.11 (and prior versions)
Mac OS X Server 10.4.11 (and prior versions). It is related to a "false detection vulnerability". ----------------------------------------------------------------------
Do you need accurate and reliable IDS / IPS / AV detection rules?
Get in-depth vulnerability details:
http://secunia.com/binary_analysis/sample_analysis/
----------------------------------------------------------------------
TITLE:
Mac OS X Java Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA32018
VERIFY ADVISORY:
http://secunia.com/advisories/32018/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Exposure of system information, Exposure of
sensitive information, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/advisories/product/96/
DESCRIPTION:
Some vulnerabilities have been reported and acknowledged in Java for
Mac OS X, which can be exploited by malicious people to cause a DoS
(Denial of Service), to bypass certain security restrictions,
disclose system information or potentially sensitive information, or
to compromise a vulnerable system.
2) An error in the Java plug-in within the handling of "file://" URLs
can be exploited to launch local files when a user visits a web page
containing a specially crafted java applet.
3) Some vulnerabilities in Java 1.4.2_16 and Java 1.5.0_13 can be
exploited by malicious people to cause a DoS (Denial of Service), to
bypass certain security restrictions, disclose system information or
potentially sensitive information, or to compromise a vulnerable
system.
For more information:
SA29239
SA31010
SOLUTION:
-- Java for Mac OS X 10.4 --
Update to Release 7:
http://www.apple.com/support/downloads/javaformacosx104release7.html
-- Java for Mac OS X 10.5 --
Apply Update 2:
http://www.apple.com/support/downloads/javaformacosx105update2.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Radim Marek.
2) The vendor credits Nitesh Dhanjani and Billy Rios.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3179
http://support.apple.com/kb/HT3178
OTHER REFERENCES:
SA28115
http://secunia.com/advisories/28115/
SA29239:
http://secunia.com/advisories/29239/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200809-0037 | CVE-2008-3803 | Cisco IOS of Multiprotocol Label Switching (MPLS) VPN Vulnerability to read communication in |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
A "logic error" in Cisco IOS 12.0 through 12.4, when a Multiprotocol Label Switching (MPLS) VPN with extended communities is configured, sometimes causes a corrupted route target (RT) to be used, which allows remote attackers to read traffic from other VPNs in opportunistic circumstances. Cisco IOS (Internetwork Operating System) is an operating system commonly used on Cisco routers and network switches.
This vulnerability is tracked by Cisco Bug ID CSCee83237 and CVE-2008-3803. ----------------------------------------------------------------------
Do you need accurate and reliable IDS / IPS / AV detection rules?
Get in-depth vulnerability details:
http://secunia.com/binary_analysis/sample_analysis/
----------------------------------------------------------------------
TITLE:
Cisco IOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31990
VERIFY ADVISORY:
http://secunia.com/advisories/31990/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Cisco IOS R12.x
http://secunia.com/advisories/product/50/
Cisco IOS 12.x
http://secunia.com/advisories/product/182/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IOS, which can be
exploited by malicious people to disclose sensitive information,
cause a DoS (Denial of Service), or to compromise a vulnerable
system.
1) An unspecified error exists in the processing of SSL packets
during the termination of an SSL session, which can potentially be
exploited to crash an affected system.
2) Two unspecified errors exist within the processing of Protocol
Independent Multicast (PIM) packets, which can be exploited to cause
an affected device to reload.
3) Unspecified errors within the processing of segmented Skinny Call
Control Protocol (SCCP) messages can be exploited to cause a Cisco
IOS device to reload.
Successful exploitation requires that the device is configured with
Network Address Translation (NAT) SCCP Fragmentation Support.
4) A memory leak in the processing of Session Initiation Protocol
(SIP) messages can be exploited to cause a DoS for all voice
services.
5) Multiple unspecified errors exist in the processing of SIP
messages, which can be exploited to cause a reload of an affected
device.
6) An unspecified error in the IOS Intrusion Prevention System (IPS)
feature when processing certain IPS signatures that use the
SERVICE.DNS engine can be exploited to cause a DoS via specially
crafted network traffic.
NOTE: This security issue was introduced with CSCee83237.
8) An unspecified error within the Multi Protocol Label Switching
(MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a
DoS via specially crafted network packets.
Successful exploitation requires access to the MPLS network.
9) An unspecified error within the Application Inspection Control
(AIC) can be exploited to cause a reload of an affected device via
specially crafted HTTP packets.
10) An unspecified error in the processing of Layer 2 Tunneling
Protocol (L2TP) packets can be exploited to cause an affected device
to reload via a specially crafted L2TP packets.
Successful exploitation requires that the L2TP mgmt daemon process is
running. This process may be enabled e.g. via Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up
Networks (VPDN).
11) An unspecified error exists in the processing of IPC messages.
This can be exploited to reload an affected device via a specially
crafted UDP packet sent to port 1975.
12) A security issue is caused due to the device automatically
enabling SNMP with a default community string, which can be exploited
to gain control an affected system.
Successful exploitation requires that a device is configured for
linecard redundancy.
SOLUTION:
Update to the fixed version (please see the vendor's advisories for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Workarounds are available to help mitigate this vulnerability.
This issue is triggered by a logic error when processing extended
communities on the PE device.
This issue cannot be deterministically exploited by an attacker.
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate these vulnerabilities are
available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
NOTE: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml
Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
Affected Products
=================
Products running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and
configured for MPLS VPNs or VRF Lite are potentially affected.
Cisco IOS releases based on 12.1 are not affected.
Vulnerable Products
+------------------
Cisco IOS devices are vulnerable if they are configured for MPLS VPN
or VRF Lite and have a BGP session between the CE and PE devices, and
process extended communities. If a device is configured for MPLS VPN
or VRF Lite the command address-family ipv4 vrf <vrf-name> or
address-family ipv6 vrf <vrf-name> will be present in the device
configuration.
The following shows a command executed on a device configured for
MPLS VPN:
router#show running-config | include address-family [ipv4|ipv6]
address-family ipv4 vrf <vrf-name>
The following shows a PE device configured for an IPv4 BGP session
between the PE and the CE:
router bgp <Local AS>
address-family ipv4 vrf one
neighbor <neighbor IP> remote-as < Remote AS>
neighbor <neighbor IP> activate
To determine the software running on a Cisco product, log in to the
device and issue the "show version" command to display the system
banner. On the next line of
output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices
will not have the "show version" command or will give different
output.
The following example identifies a Cisco product that is running
Cisco IOS release 12.4(11)T2:
Router#show version
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 01-May-07 04:19 by prod_rel_team
<output truncated>
Additional information on the Cisco IOS release naming conventions
can be found on the document entitled "White Paper: Cisco IOS
Reference Guide", which is available at
http://www.cisco.com/warp/public/620/1.html
Products Confirmed Not Vulnerable
+--------------------------------
Cisco products not configured for MPLS VPNs or VRF Lite are
unaffected by this vulnerability.
Cisco products that do not run IOS are unaffected by this
vulnerability.
Cisco IOS-XR is not affected.
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
MPLS VPNs allow for the creation of 'virtual networks' that customers
can use to segregate traffic into multiple, isolated VPNs. Traffic
within each MPLS VPN is kept separate from the others, thereby
maintaining a virtual private network.
More information on MPLS and MPLS VPNs is available at the following
link:
http://www.cisco.com/en/US/products/ps6557/products_ios_technology_home.html
A bug exists when processing extended communities with MPLS VPNs. If this occurs,
traffic can leak from one MPLS VPN to another.
The following two examples of this scenario are the most common:
1) MPLS VPN configuration with BGP running inside the VRF between the
PE and CE devices.
2) MPLS Inter-AS option A with BGP running between the Autonomous
System Border Routers (ASBR).
The mitigation in the Workarounds section filters extended
communities on a PE device, preventing them from being received by
devices configured for MPLS VPN. Cisco
IOS images that do not include CSCee83237 are not vulnerable to this
issue.
It is important to note that this condition cannot be triggered by an
attacker and that the condition does not provide ways to determine
the flow of traffic between VPNs.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CVSS Base Score - 5.1
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - Partial
CVSS Temporal Score - 4.2
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
This vulnerability may cause traffic to be improperly routed between
MPLS VPNs, which may lead to a breach of confidentiality.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|--------------+----------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|--------------+----------------------------------+-----------------|
| 12.0 | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0DA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0DB | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0DC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| | 12.0(30)S5 | |
| | | 12.0(32)S11 |
| 12.0S | 12.0(31)S3 | |
| | | 12.0(33)S1 |
| | 12.0(32)S | |
|--------------+----------------------------------+-----------------|
| 12.0SC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0SL | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0SP | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0ST | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| | | 12.0(32)S11 |
| 12.0SX | Vulnerable; first fixed in 12.0S | |
| | | 12.0(33)S1 |
|--------------+----------------------------------+-----------------|
| 12.0SY | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| | | 12.0(32)S11 |
| 12.0SZ | 12.0(30)SZ4 | |
| | | 12.0(33)S1 |
|--------------+----------------------------------+-----------------|
| 12.0T | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0W | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0WC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0WT | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XB | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XD | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XE | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XF | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XG | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XH | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XI | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XJ | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XK | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XL | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XM | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XN | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XQ | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XR | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XS | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XT | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.0XV | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|--------------+----------------------------------+-----------------|
| 12.2 | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2B | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2BC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2BW | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2BX | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2BY | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2BZ | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2CX | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2CY | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2CZ | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2DA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2DD | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2DX | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2EW | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2EWA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2EX | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2EY | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2EZ | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2FX | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2FY | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2FZ | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2IRB | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2IXA | Vulnerable; migrate to any | 12.2(18)IXG |
| | release in 12.2IXD | |
|--------------+----------------------------------+-----------------|
| 12.2IXB | Vulnerable; migrate to any | 12.2(18)IXG |
| | release in 12.2IXD | |
|--------------+----------------------------------+-----------------|
| 12.2IXC | Vulnerable; migrate to any | 12.2(18)IXG |
| | release in 12.2IXD | |
|--------------+----------------------------------+-----------------|
| 12.2IXD | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2IXE | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2IXF | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2IXG | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2JA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2JK | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2MB | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2MC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| | 12.2(30)S and later are | 12.2(33)SB2; |
| 12.2S | vulnerable. 12.2(25)S and before | Available on |
| | are not vulnerable | 26-SEP-08 |
|--------------+----------------------------------+-----------------|
| | 12.2(28)SB5 | |
| | | 12.2(33)SB2; |
| 12.2SB | 12.2(31)SB2 | Available on |
| | | 26-SEP-08 |
| | 12.2(31)SB3x | |
|--------------+----------------------------------+-----------------|
| | Vulnerable; first fixed in | 12.2(33)SB2; |
| 12.2SBC | 12.2SB | Available on |
| | | 26-SEP-08 |
|--------------+----------------------------------+-----------------|
| 12.2SCA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SE | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SEA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SEB | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SEC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SED | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SEE | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SEF | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SEG | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SG | 12.2(37)SG | 12.2(46)SG1 |
|--------------+----------------------------------+-----------------|
| 12.2SGA | 12.2(31)SGA8 | 12.2(31)SGA8 |
|--------------+----------------------------------+-----------------|
| 12.2SL | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SM | 12.2(29)SM2 | 12.2(29)SM4 |
|--------------+----------------------------------+-----------------|
| 12.2SO | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SRA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SRB | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SRC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SU | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SV | 12.2(29b)SV1 | |
|--------------+----------------------------------+-----------------|
| 12.2SVA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SVC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SVD | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SW | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SX | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SXA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SXB | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SXD | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SXE | Vulnerable; first fixed in | 12.2(18)SXF15 |
| | 12.2SXF | |
|--------------+----------------------------------+-----------------|
| 12.2SXF | 12.2(18)SXF3 | 12.2(18)SXF15 |
|--------------+----------------------------------+-----------------|
| 12.2SXH | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SY | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2SZ | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2T | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2TPC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XB | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XD | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XE | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XF | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XG | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XH | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XI | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XJ | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XK | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XL | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XM | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XN | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XNA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XNB | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XO | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XQ | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XR | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XS | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XT | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XU | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XV | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2XW | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YB | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YD | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YE | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YF | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YG | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YH | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YJ | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YK | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YL | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YM | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YN | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YO | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YP | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YQ | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YR | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YS | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YT | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YU | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YV | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YW | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YX | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YY | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2YZ | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2ZA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2ZB | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2ZC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2ZD | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2ZE | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2ZF | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2ZG | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2ZH | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2ZJ | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2ZL | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2ZP | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2ZU | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| | Vulnerable; first fixed in | 12.2(33)SB2; |
| 12.2ZX | 12.2SB | Available on |
| | | 26-SEP-08 |
|--------------+----------------------------------+-----------------|
| 12.2ZY | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.2ZYA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|--------------+----------------------------------+-----------------|
| 12.3 | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3B | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3BC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3BW | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3EU | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3JA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3JEA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3JEB | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3JEC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3JK | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3JL | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3JX | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| | | 12.4(15)T7 |
| 12.3T | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|--------------+----------------------------------+-----------------|
| 12.3TPC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3VA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3XA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3XB | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3XC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3XD | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3XE | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3XF | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3XG | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3XI | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3XJ | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3XK | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| | | 12.4(15)T7 |
| 12.3XL | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|--------------+----------------------------------+-----------------|
| 12.3XQ | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3XR | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3XS | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3XU | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3XW | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3XX | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3XY | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3XZ | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3YA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3YD | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| | Vulnerable; first fixed in | 12.3(14)YX13 |
| 12.3YF | 12.3YX | |
| | | 12.4(15)T7 |
|--------------+----------------------------------+-----------------|
| 12.3YG | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3YH | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3YI | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3YJ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|--------------+----------------------------------+-----------------|
| 12.3YK | 12.3(11)YK3 | 12.4(15)T7 |
|--------------+----------------------------------+-----------------|
| | | 12.3(14)YM13; |
| 12.3YM | 12.3(14)YM10 | Available on |
| | | 30-SEP-08 |
|--------------+----------------------------------+-----------------|
| 12.3YQ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|--------------+----------------------------------+-----------------|
| 12.3YS | 12.3(11)YS2 | 12.4(15)T7 |
|--------------+----------------------------------+-----------------|
| 12.3YT | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|--------------+----------------------------------+-----------------|
| | | 12.4(2)XB10 |
| | Vulnerable; first fixed in | |
| 12.3YU | 12.4XB | 12.4(9)XG3 |
| | | |
| | | 12.4(15)T7 |
|--------------+----------------------------------+-----------------|
| 12.3YX | 12.3(14)YX7 | 12.3(14)YX13 |
|--------------+----------------------------------+-----------------|
| 12.3YZ | 12.3(11)YZ2 | |
|--------------+----------------------------------+-----------------|
| 12.3ZA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|--------------+----------------------------------+-----------------|
| | 12.4(10c) | |
| | | |
| | 12.4(12a) | |
| | | |
| | 12.4(13) | |
| | | |
| 12.4 | 12.4(3h) | 12.4(18c) |
| | | |
| | 12.4(5c) | |
| | | |
| | 12.4(7e) | |
| | | |
| | 12.4(8d) | |
|--------------+----------------------------------+-----------------|
| 12.4JA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.4JK | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.4JL | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.4JMA | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.4JMB | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.4JMC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.4JX | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.4MD | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.4MR | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| | | 12.4(15)SW2; |
| 12.4SW | 12.4(11)SW1 | Available on |
| | | 28-SEP-08 |
|--------------+----------------------------------+-----------------|
| | 12.4(11)T2 | |
| | | |
| | 12.4(15)T | |
| | | |
| | 12.4(2)T6 | |
| 12.4T | | 12.4(15)T7 |
| | 12.4(4)T8 | |
| | | |
| | 12.4(6)T7 | |
| | | |
| | 12.4(9)T3 | |
|--------------+----------------------------------+-----------------|
| 12.4XA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|--------------+----------------------------------+-----------------|
| 12.4XB | 12.4(2)XB6 | 12.4(2)XB10 |
|--------------+----------------------------------+-----------------|
| 12.4XC | 12.4(4)XC7 | 12.4(15)T7 |
|--------------+----------------------------------+-----------------|
| | | 12.4(4)XD11; |
| 12.4XD | 12.4(4)XD7 | Available on |
| | | 26-SEP-08 |
|--------------+----------------------------------+-----------------|
| 12.4XE | 12.4(6)XE3 | 12.4(15)T7 |
|--------------+----------------------------------+-----------------|
| 12.4XF | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.4XG | 12.4(9)XG2 | 12.4(9)XG3 |
|--------------+----------------------------------+-----------------|
| 12.4XJ | 12.4(11)XJ2 | 12.4(15)T7 |
|--------------+----------------------------------+-----------------|
| 12.4XK | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|--------------+----------------------------------+-----------------|
| 12.4XL | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.4XM | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.4XN | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.4XP | Vulnerable; contact TAC | |
|--------------+----------------------------------+-----------------|
| 12.4XQ | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.4XR | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.4XT | 12.4(6)XT1 | 12.4(15)T7 |
|--------------+----------------------------------+-----------------|
| 12.4XV | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.4XW | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.4XY | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.4XZ | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.4YA | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
Customers running versions of Cisco IOS that support filtering of
extended communities can prevent the corruption of the route target
(RT) by applying a BGP route-map that removes RT entries on inbound
BGP sessions.
The following configuration example applied in the ipv4 address
family of a PE device removes extended communities from the CE
router:
router bgp <Local AS>
address-family ipv4 vrf one
neighbor <neighbor IP>
remote-as <Remote AS>
neighbor <neighbor IP>
activate neighbor <neighbor IP>
route-map FILTER in exit-address-family
!
ip extcommunity-list 100 permit _RT.*_
!
!
route-map FILTER permit 10
set extcomm-list 100 delete
!
The following configuration example applied in the ipv6 address
family of a PE device removes extended communities from the CE
router:
router bgp <Local AS>
address-family ipv6 vrf one
neighbor <neighbor IP>
remote-as <Remote AS>
neighbor <neighbor IP>
activate neighbor <neighbor IP>
route-map FILTER in exit-address-family
!
ip extcommunity-list 100 permit _RT.*_
!
!
route-map FILTER permit 10
set extcomm-list 100 delete
!
Note: The capability of filtering extended communities is only
available in certain 12.0S and 12.2S based Cisco IOS releases.
BGP session between the PE and the CE needs to cleared to make this
configuration change effective.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability cannot be deterministically triggered by an
attacker.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-Sep-24 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkjaLeoACgkQ86n/Gc8U/uCNwQCdEOd3v5A+paECb9s2gMBUr0JH
DEwAnRtvu3aQrECRin/QmElp7oudHZJX
=EVLU
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-200809-0356 | CVE-2008-3810 | Cisco IOS In SCCP Service disruption related to message processing (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS 12.2 and 12.4, when NAT Skinny Call Control Protocol (SCCP) Fragmentation Support is enabled, allows remote attackers to cause a denial of service (device reload) via segmented SCCP messages, aka CSCsg22426, a different vulnerability than CVE-2008-3811. The problem is Bug ID : CSCsg22426 It is a problem. this is CVE-2008-3811 Is a different vulnerability.Service disruption by a third party (DoS) There is a possibility that.
A successful exploit may cause affected devices to reload, denying service to legitimate users. ----------------------------------------------------------------------
Do you need accurate and reliable IDS / IPS / AV detection rules?
Get in-depth vulnerability details:
http://secunia.com/binary_analysis/sample_analysis/
----------------------------------------------------------------------
TITLE:
Cisco IOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31990
VERIFY ADVISORY:
http://secunia.com/advisories/31990/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Cisco IOS R12.x
http://secunia.com/advisories/product/50/
Cisco IOS 12.x
http://secunia.com/advisories/product/182/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IOS, which can be
exploited by malicious people to disclose sensitive information,
cause a DoS (Denial of Service), or to compromise a vulnerable
system.
1) An unspecified error exists in the processing of SSL packets
during the termination of an SSL session, which can potentially be
exploited to crash an affected system.
2) Two unspecified errors exist within the processing of Protocol
Independent Multicast (PIM) packets, which can be exploited to cause
an affected device to reload.
Successful exploitation requires that the device is configured with
Network Address Translation (NAT) SCCP Fragmentation Support.
4) A memory leak in the processing of Session Initiation Protocol
(SIP) messages can be exploited to cause a DoS for all voice
services.
6) An unspecified error in the IOS Intrusion Prevention System (IPS)
feature when processing certain IPS signatures that use the
SERVICE.DNS engine can be exploited to cause a DoS via specially
crafted network traffic.
7) A security issue exists in the processing of extended communities
with Multi Protocol Label Switching (MPLS) Virtual Private Networks
(VPN), which can lead to traffic leaking from one MPLS VPN to
another.
NOTE: This security issue was introduced with CSCee83237.
8) An unspecified error within the Multi Protocol Label Switching
(MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a
DoS via specially crafted network packets.
Successful exploitation requires access to the MPLS network.
9) An unspecified error within the Application Inspection Control
(AIC) can be exploited to cause a reload of an affected device via
specially crafted HTTP packets.
10) An unspecified error in the processing of Layer 2 Tunneling
Protocol (L2TP) packets can be exploited to cause an affected device
to reload via a specially crafted L2TP packets.
Successful exploitation requires that the L2TP mgmt daemon process is
running. This process may be enabled e.g. via Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up
Networks (VPDN).
11) An unspecified error exists in the processing of IPC messages.
This can be exploited to reload an affected device via a specially
crafted UDP packet sent to port 1975.
12) A security issue is caused due to the device automatically
enabling SNMP with a default community string, which can be exploited
to gain control an affected system.
Successful exploitation requires that a device is configured for
linecard redundancy.
SOLUTION:
Update to the fixed version (please see the vendor's advisories for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Cisco has released free software updates that address this
vulnerability. A workaround that mitigates this vulnerability is
available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml
Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
Affected Products
=================
Vulnerable Products
+------------------
This security advisory applies to all Cisco products that run Cisco
IOS Software configured for NAT and that support the NAT SCCP
Fragmentation Support feature. This feature was first introduced in
Cisco IOS version 12.4(6)T.
To verify if NAT is enabled on a Cisco IOS device log into the device
and issue the command show ip nat statistics. The following example
shows a device configured with NAT:
Router# show ip nat statistics
Total translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet1
Hits: 135 Misses: 5
Expired translations: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool mypool refcount 2
pool mypool: netmask 255.255.255.0
start 192.168.10.1 end 192.168.10.254
type generic, total addresses 14, allocated 2 (14%), misses 0
Alternatively, you can use the show running-config | include ip nat
command to verify if NAT has been enabled on the router interfaces.
Note: With reference to NAT, the term "inside" refers to those
networks that will be translated. Inside this domain, hosts will have
addresses in one address space, while on the "outside", they will
appear to have addresses in another address space when NAT is
configured. The first address space is referred to as the local
address space and the second is referred to as the global address
space. The ip nat inside and ip nat outside interface commands must
be present on the corresponding router interfaces in order for NAT to
be enabled.
In order to determine the software that runs on a Cisco IOS product,
log in to the device and issue the show version command to display
the system banner. Cisco IOS software identifies itself as
"Internetwork Operating System Software" or simply "IOS." On the next
line of output, the image name displays between parentheses, followed
by "Version" and the Cisco IOS release name. Other Cisco devices do
not have the show version command or give different output.
The following example shows output from a device that runs an IOS
image:
router>show version
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(6)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 16-May-06 16:09 by kellythw
<more output removed for brevity>
Products Confirmed Not Vulnerable
+--------------------------------
Cisco IOS XR and IOS XE are not affected by this vulnerability.
Cisco IOS devices not explicitly configured for NAT are not
vulnerable.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The Skinny Call Control Protocol (SCCP) enables voice communication
between an SCCP client and a Call Manager (CM). Typically, the CM
provides service to the SCCP clients on TCP Port 2000 by default.
Initially, an SCCP client connects to the CM by establishing a TCP
connection; the client will also establish a TCP connection with a
secondary CM, if available. A segmented payload that requires an IP
or port translation will no longer be dropped. The NAT SCCP
Fragmentation Support feature was introduced in Cisco IOS version
12.4(6)T.
This vulnerability is documented in Cisco Bug ID CSCsg22426
and CSCsi17020, and has been assigned CVE identifiers CVE-2008-3810
and CVE-2008-3811.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsg22426 - Cisco IOS Skinny Call Control Protocol (SCCP) Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsi17020 - Router may reload after NAT with certain skinny packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of this vulnerability may cause the affected
device to reload. Repeated exploitation will result in a denial of
service (DoS) condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major Release | Availability of Repaired Releases |
|-------------------+-----------------------------------------------|
| Affected | | |
| 12.0-Based | First Fixed Release | Recommended Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected | | |
| 12.1-Based | First Fixed Release | Recommended Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | | |
| 12.2-Based | First Fixed Release | Recommended Release |
| Releases | | |
|-------------------+-----------------------+-----------------------|
| 12.2 | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2B | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2BC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2BW | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2BX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2BY | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2BZ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2CX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2CY | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2CZ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2DA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2DD | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2DX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2EW | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2EWA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2EX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2EY | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2EZ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2FX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2FY | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2FZ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2IRB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2IXA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2IXB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2IXC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2IXD | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2IXE | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2IXF | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2IXG | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2JA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2JK | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2MB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2MC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2S | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SBC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SCA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SE | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SEA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SEB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SEC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SED | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SEE | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SEF | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SEG | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SG | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SGA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SL | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SM | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SO | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SRA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SRB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SRC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SU | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SV | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SVA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SVC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SVD | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SW | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SXA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SXB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SXD | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SXE | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SXF | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| | Not Vulnerable | |
| 12.2SXH | | |
| | http://www.cisco.com/ | |
| | go/pn | |
|-------------------+-----------------------+-----------------------|
| 12.2SY | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SZ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2T | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2TPC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XD | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XE | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XF | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XG | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XH | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XI | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XJ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XK | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XL | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XM | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XN | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XNA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XNB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XO | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XQ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XR | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XS | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XT | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XU | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XV | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XW | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YD | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YE | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YF | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YG | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YH | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YJ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YK | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YL | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YM | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YN | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YO | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YP | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YQ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YR | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YS | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YT | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YU | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YV | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YW | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YY | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YZ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZD | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZE | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZF | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZG | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZH | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZJ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZL | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZP | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZU | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZY | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZYA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| Affected | | |
| 12.3-Based | First Fixed Release | Recommended Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | | |
| 12.4-Based | First Fixed Release | Recommended Release |
| Releases | | |
|-------------------+-----------------------+-----------------------|
| 12.4 | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JK | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JL | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JMA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JMB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JMC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4MD | 12.4(11)MD4 | 12.4(15)MD1 |
|-------------------+-----------------------+-----------------------|
| 12.4MR | 12.4(16)MR | 12.4(19)MR |
|-------------------+-----------------------+-----------------------|
| | 12.4(15)SW2; | 12.4(15)SW2; |
| 12.4SW | Available on | Available on |
| | 28-SEP-08 | 28-SEP-08 |
|-------------------+-----------------------+-----------------------|
| | 12.4(11)T4 | |
| | | |
| | 12.4(15)T2 | |
| | | |
| 12.4T | 12.4(20)T | 12.4(15)T7 |
| | | |
| | 12.4(6)T11 | |
| | | |
| | 12.4(9)T5 | |
|-------------------+-----------------------+-----------------------|
| 12.4XA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XC | Vulnerable; first | 12.4(15)T7 |
| | fixed in 12.4T | |
|-------------------+-----------------------+-----------------------|
| 12.4XD | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XE | Vulnerable; first | 12.4(15)T7 |
| | fixed in 12.4T | |
|-------------------+-----------------------+-----------------------|
| 12.4XF | Vulnerable; first | 12.4(15)T7 |
| | fixed in 12.4T | |
|-------------------+-----------------------+-----------------------|
| 12.4XG | 12.4(9)XG3 | 12.4(9)XG3 |
|-------------------+-----------------------+-----------------------|
| 12.4XJ | Vulnerable; first | 12.4(15)T7 |
| | fixed in 12.4T | |
|-------------------+-----------------------+-----------------------|
| 12.4XK | Vulnerable; first | 12.4(15)T7 |
| | fixed in 12.4T | |
|-------------------+-----------------------+-----------------------|
| 12.4XL | 12.4(15)XL2 | 12.4(15)XL2 |
|-------------------+-----------------------+-----------------------|
| 12.4XM | 12.4(15)XM1 | 12.4(15)XM1 |
|-------------------+-----------------------+-----------------------|
| 12.4XN | Vulnerable; contact | |
| | TAC | |
|-------------------+-----------------------+-----------------------|
| 12.4XP | Vulnerable; contact | |
| | TAC | |
|-------------------+-----------------------+-----------------------|
| 12.4XQ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XR | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XT | Vulnerable; first | 12.4(15)T7 |
| | fixed in 12.4T | |
|-------------------+-----------------------+-----------------------|
| 12.4XV | Vulnerable; contact | |
| | TAC | |
|-------------------+-----------------------+-----------------------|
| 12.4XW | 12.4(11)XW7 | 12.4(11)XW9 |
|-------------------+-----------------------+-----------------------|
| 12.4XY | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XZ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4YA | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
As workaround, an administrator can disable SCCP NAT support using
the no ip nat service skinny tcp port 2000 command, as shown in the
following example:
Router(config)# no ip nat service skinny tcp port 2000
Note: If your Cisco CallManager is using a TCP port for skinny
signaling different from the default port (2000), you need to adjust
this command accordingly.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-September-24 | public |
| | | release |
+----------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkjaLdUACgkQ86n/Gc8U/uBM1ACeMzZ03zyWQhMRkiHOGUi20KeT
NAoAnR9OVAOw7st0mwFWyEmatcQIxy2v
=CqpX
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-200809-0357 | CVE-2008-3811 | Cisco IOS In SCCP Service disruption related to message processing (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS 12.2 and 12.4, when NAT Skinny Call Control Protocol (SCCP) Fragmentation Support is enabled, allows remote attackers to cause a denial of service (device reload) via segmented SCCP messages, aka Cisco Bug ID CSCsi17020, a different vulnerability than CVE-2008-3810. The problem is Bug ID : CSCsi17020 It is a problem. this is CVE-2008-3810 Is a different vulnerability.Service disruption by a third party (DoS) There is a possibility that.
A successful exploit may cause affected devices to reload, denying service to legitimate users. ----------------------------------------------------------------------
Do you need accurate and reliable IDS / IPS / AV detection rules?
Get in-depth vulnerability details:
http://secunia.com/binary_analysis/sample_analysis/
----------------------------------------------------------------------
TITLE:
Cisco IOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31990
VERIFY ADVISORY:
http://secunia.com/advisories/31990/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Cisco IOS R12.x
http://secunia.com/advisories/product/50/
Cisco IOS 12.x
http://secunia.com/advisories/product/182/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IOS, which can be
exploited by malicious people to disclose sensitive information,
cause a DoS (Denial of Service), or to compromise a vulnerable
system.
1) An unspecified error exists in the processing of SSL packets
during the termination of an SSL session, which can potentially be
exploited to crash an affected system.
2) Two unspecified errors exist within the processing of Protocol
Independent Multicast (PIM) packets, which can be exploited to cause
an affected device to reload.
Successful exploitation requires that the device is configured with
Network Address Translation (NAT) SCCP Fragmentation Support.
4) A memory leak in the processing of Session Initiation Protocol
(SIP) messages can be exploited to cause a DoS for all voice
services.
6) An unspecified error in the IOS Intrusion Prevention System (IPS)
feature when processing certain IPS signatures that use the
SERVICE.DNS engine can be exploited to cause a DoS via specially
crafted network traffic.
7) A security issue exists in the processing of extended communities
with Multi Protocol Label Switching (MPLS) Virtual Private Networks
(VPN), which can lead to traffic leaking from one MPLS VPN to
another.
NOTE: This security issue was introduced with CSCee83237.
8) An unspecified error within the Multi Protocol Label Switching
(MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a
DoS via specially crafted network packets.
Successful exploitation requires access to the MPLS network.
9) An unspecified error within the Application Inspection Control
(AIC) can be exploited to cause a reload of an affected device via
specially crafted HTTP packets.
10) An unspecified error in the processing of Layer 2 Tunneling
Protocol (L2TP) packets can be exploited to cause an affected device
to reload via a specially crafted L2TP packets.
Successful exploitation requires that the L2TP mgmt daemon process is
running. This process may be enabled e.g. via Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up
Networks (VPDN).
11) An unspecified error exists in the processing of IPC messages.
This can be exploited to reload an affected device via a specially
crafted UDP packet sent to port 1975.
12) A security issue is caused due to the device automatically
enabling SNMP with a default community string, which can be exploited
to gain control an affected system.
Successful exploitation requires that a device is configured for
linecard redundancy.
SOLUTION:
Update to the fixed version (please see the vendor's advisories for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Cisco has released free software updates that address this
vulnerability. A workaround that mitigates this vulnerability is
available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml
Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
Affected Products
=================
Vulnerable Products
+------------------
This security advisory applies to all Cisco products that run Cisco
IOS Software configured for NAT and that support the NAT SCCP
Fragmentation Support feature. This feature was first introduced in
Cisco IOS version 12.4(6)T.
To verify if NAT is enabled on a Cisco IOS device log into the device
and issue the command show ip nat statistics. The following example
shows a device configured with NAT:
Router# show ip nat statistics
Total translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet1
Hits: 135 Misses: 5
Expired translations: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool mypool refcount 2
pool mypool: netmask 255.255.255.0
start 192.168.10.1 end 192.168.10.254
type generic, total addresses 14, allocated 2 (14%), misses 0
Alternatively, you can use the show running-config | include ip nat
command to verify if NAT has been enabled on the router interfaces.
Note: With reference to NAT, the term "inside" refers to those
networks that will be translated. Inside this domain, hosts will have
addresses in one address space, while on the "outside", they will
appear to have addresses in another address space when NAT is
configured. The first address space is referred to as the local
address space and the second is referred to as the global address
space. The ip nat inside and ip nat outside interface commands must
be present on the corresponding router interfaces in order for NAT to
be enabled.
In order to determine the software that runs on a Cisco IOS product,
log in to the device and issue the show version command to display
the system banner. Cisco IOS software identifies itself as
"Internetwork Operating System Software" or simply "IOS." On the next
line of output, the image name displays between parentheses, followed
by "Version" and the Cisco IOS release name. Other Cisco devices do
not have the show version command or give different output.
The following example shows output from a device that runs an IOS
image:
router>show version
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(6)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 16-May-06 16:09 by kellythw
<more output removed for brevity>
Products Confirmed Not Vulnerable
+--------------------------------
Cisco IOS XR and IOS XE are not affected by this vulnerability.
Cisco IOS devices not explicitly configured for NAT are not
vulnerable.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The Skinny Call Control Protocol (SCCP) enables voice communication
between an SCCP client and a Call Manager (CM). Typically, the CM
provides service to the SCCP clients on TCP Port 2000 by default.
Initially, an SCCP client connects to the CM by establishing a TCP
connection; the client will also establish a TCP connection with a
secondary CM, if available. A segmented payload that requires an IP
or port translation will no longer be dropped. The NAT SCCP
Fragmentation Support feature was introduced in Cisco IOS version
12.4(6)T.
This vulnerability is documented in Cisco Bug ID CSCsg22426
and CSCsi17020, and has been assigned CVE identifiers CVE-2008-3810
and CVE-2008-3811.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsg22426 - Cisco IOS Skinny Call Control Protocol (SCCP) Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsi17020 - Router may reload after NAT with certain skinny packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of this vulnerability may cause the affected
device to reload. Repeated exploitation will result in a denial of
service (DoS) condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major Release | Availability of Repaired Releases |
|-------------------+-----------------------------------------------|
| Affected | | |
| 12.0-Based | First Fixed Release | Recommended Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected | | |
| 12.1-Based | First Fixed Release | Recommended Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | | |
| 12.2-Based | First Fixed Release | Recommended Release |
| Releases | | |
|-------------------+-----------------------+-----------------------|
| 12.2 | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2B | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2BC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2BW | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2BX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2BY | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2BZ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2CX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2CY | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2CZ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2DA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2DD | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2DX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2EW | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2EWA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2EX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2EY | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2EZ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2FX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2FY | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2FZ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2IRB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2IXA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2IXB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2IXC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2IXD | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2IXE | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2IXF | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2IXG | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2JA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2JK | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2MB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2MC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2S | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SBC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SCA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SE | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SEA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SEB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SEC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SED | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SEE | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SEF | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SEG | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SG | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SGA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SL | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SM | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SO | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SRA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SRB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SRC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SU | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SV | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SVA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SVC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SVD | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SW | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SXA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SXB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SXD | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SXE | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SXF | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| | Not Vulnerable | |
| 12.2SXH | | |
| | http://www.cisco.com/ | |
| | go/pn | |
|-------------------+-----------------------+-----------------------|
| 12.2SY | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2SZ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2T | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2TPC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XD | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XE | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XF | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XG | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XH | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XI | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XJ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XK | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XL | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XM | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XN | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XNA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XNB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XO | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XQ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XR | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XS | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XT | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XU | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XV | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2XW | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YD | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YE | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YF | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YG | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YH | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YJ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YK | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YL | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YM | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YN | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YO | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YP | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YQ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YR | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YS | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YT | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YU | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YV | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YW | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YY | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2YZ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZD | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZE | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZF | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZG | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZH | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZJ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZL | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZP | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZU | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZY | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.2ZYA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| Affected | | |
| 12.3-Based | First Fixed Release | Recommended Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | | |
| 12.4-Based | First Fixed Release | Recommended Release |
| Releases | | |
|-------------------+-----------------------+-----------------------|
| 12.4 | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JK | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JL | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JMA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JMB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JMC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4MD | 12.4(11)MD4 | 12.4(15)MD1 |
|-------------------+-----------------------+-----------------------|
| 12.4MR | 12.4(16)MR | 12.4(19)MR |
|-------------------+-----------------------+-----------------------|
| | 12.4(15)SW2; | 12.4(15)SW2; |
| 12.4SW | Available on | Available on |
| | 28-SEP-08 | 28-SEP-08 |
|-------------------+-----------------------+-----------------------|
| | 12.4(11)T4 | |
| | | |
| | 12.4(15)T2 | |
| | | |
| 12.4T | 12.4(20)T | 12.4(15)T7 |
| | | |
| | 12.4(6)T11 | |
| | | |
| | 12.4(9)T5 | |
|-------------------+-----------------------+-----------------------|
| 12.4XA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XC | Vulnerable; first | 12.4(15)T7 |
| | fixed in 12.4T | |
|-------------------+-----------------------+-----------------------|
| 12.4XD | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XE | Vulnerable; first | 12.4(15)T7 |
| | fixed in 12.4T | |
|-------------------+-----------------------+-----------------------|
| 12.4XF | Vulnerable; first | 12.4(15)T7 |
| | fixed in 12.4T | |
|-------------------+-----------------------+-----------------------|
| 12.4XG | 12.4(9)XG3 | 12.4(9)XG3 |
|-------------------+-----------------------+-----------------------|
| 12.4XJ | Vulnerable; first | 12.4(15)T7 |
| | fixed in 12.4T | |
|-------------------+-----------------------+-----------------------|
| 12.4XK | Vulnerable; first | 12.4(15)T7 |
| | fixed in 12.4T | |
|-------------------+-----------------------+-----------------------|
| 12.4XL | 12.4(15)XL2 | 12.4(15)XL2 |
|-------------------+-----------------------+-----------------------|
| 12.4XM | 12.4(15)XM1 | 12.4(15)XM1 |
|-------------------+-----------------------+-----------------------|
| 12.4XN | Vulnerable; contact | |
| | TAC | |
|-------------------+-----------------------+-----------------------|
| 12.4XP | Vulnerable; contact | |
| | TAC | |
|-------------------+-----------------------+-----------------------|
| 12.4XQ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XR | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XT | Vulnerable; first | 12.4(15)T7 |
| | fixed in 12.4T | |
|-------------------+-----------------------+-----------------------|
| 12.4XV | Vulnerable; contact | |
| | TAC | |
|-------------------+-----------------------+-----------------------|
| 12.4XW | 12.4(11)XW7 | 12.4(11)XW9 |
|-------------------+-----------------------+-----------------------|
| 12.4XY | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XZ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4YA | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
As workaround, an administrator can disable SCCP NAT support using
the no ip nat service skinny tcp port 2000 command, as shown in the
following example:
Router(config)# no ip nat service skinny tcp port 2000
Note: If your Cisco CallManager is using a TCP port for skinny
signaling different from the default port (2000), you need to adjust
this command accordingly.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-September-24 | public |
| | | release |
+----------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkjaLdUACgkQ86n/Gc8U/uBM1ACeMzZ03zyWQhMRkiHOGUi20KeT
NAoAnR9OVAOw7st0mwFWyEmatcQIxy2v
=CqpX
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-200809-0358 | CVE-2008-3812 | Cisco IOS of IOS firewall Application Inspection Control (AIC) Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Cisco IOS 12.4, when IOS firewall Application Inspection Control (AIC) with HTTP Deep Packet Inspection is enabled, allows remote attackers to cause a denial of service (device reload) via a malformed HTTP transit packet.
A successful exploit may cause affected devices to reload, denying service to legitimate users. Cisco IOS is the Internet operating system used on Cisco networking equipment.
Cisco has released free software updates that address this
vulnerability.
A mitigation for this vulnerability is available. See the
"Workarounds" section for details.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml
Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
Affected Products
=================
The HTTP AIC feature was introduced in Cisco IOS Software Release
12.4(9)T. The software table in this advisory identifies the affected
releases.
To determine the software running on a Cisco IOS product, log in to
the device and issue the show version command-line interface (CLI)
command to display the system banner. Cisco IOS software will
identify itself as "Internetwork Operating System Software" or simply
"IOS." On the next line of output, the image name will be displayed
between parentheses, followed by "Version" and the Cisco IOS release
name. Other Cisco devices will not have the show version command, or
will give different output.
The following example shows output from a device running Cisco IOS
image 12.4(15)T2:
router#show version
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M),
Version 12.4(15)T2, RELEASE SOFTWARE (fc7) Technical Support:
http://www.cisco.com/techsupport Copyright (c) 1986-2008 by Cisco
Systems, Inc. Compiled Thu 17-Jan-08 23:12 by prod_rel_team
!--- Output truncated.
Additional information on the Cisco IOS release naming conventions
can be found on the document entitled "White Paper: Cisco IOS
Reference Guide", which is available at
http://www.cisco.com/warp/public/620/1.html
The device is vulnerable if the configuration has a Layer 7 class map
and Layer 7 policy map for HTTP deep packet inspection (DPI), and
these policies are applied to any firewall zone.
If the output contains Policy: http layer7-policymap name , the
device is vulnerable. IOS releases before 12.4(9)T are not affected by this
issue. Products confirmed not vulnerable include:
* Cisco PIX
* Cisco ASA
* Cisco Firewall Services Module (FWSM)
* The Virtual Firewall (VFW) application on the multiservice blade
(MSB) on the Cisco XR 12000 Series Router
Details
=======
Firewalls are networking devices that control access to an
organization's network assets. Firewalls are often positioned at the
entrance points into networks. Cisco IOS software provides a set of
security features that enable you to configure a simple or elaborate
firewall policy, according to your particular requirements.
HTTP uses port 80 by default to transport Internet web services,
which are commonly used on the network and rarely challenged with
regard to their legitimacy and conformance to standards. Because port
80 traffic is typically allowed through the network without being
challenged, many application developers are leveraging HTTP traffic
as an alternative transport protocol that will allow their
application's traffic to travel through or even bypass the firewall. It also detects
users who are tunneling applications through port 80. If the packet
is not in compliance with the HTTP protocol, it will be dropped, the
connection will be reset, and a syslog message will be generated, as
appropriate.
HTTP runs over TCP. For this vulnerability to be exploited, a full
three-way handshake between client and server is required before any
malicious traffic would be processed to result in a device reload.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsh12480 - IOSFW with HTTP AIC may reload on processing crafted
HTTP packet
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may result in a reload
of the affected device. Repeated exploitation attempts may result in
a sustained denial of service attack.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major Release | Availability of Repaired Releases |
|-----------------+-------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.2 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|-----------------+-----------------------------------+-------------|
| 12.4 | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4JA | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4JK | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4JL | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4JMA | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4JMB | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4JMC | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4JX | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4MD | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4MR | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4SW | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| | Releases prior to 12.4(9)T are | |
| | not vulnerable. First fixed in: | |
| | | |
| 12.4T | 12.4(9)T7 | 12.4(15)T7 |
| | | |
| | 12.4(11)T4 | |
| | | |
| | 12.4(15)T | |
|-----------------+-----------------------------------+-------------|
| 12.4XA | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XB | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XC | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XD | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XE | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|-----------------+-----------------------------------+-------------|
| 12.4XF | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XG | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XJ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|-----------------+-----------------------------------+-------------|
| 12.4XK | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|-----------------+-----------------------------------+-------------|
| 12.4XL | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XM | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XN | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XP | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XQ | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XT | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XV | Vulnerable; contact TAC | |
|-----------------+-----------------------------------+-------------|
| 12.4XW | 12.4(11)XW1 | 12.4(11)XW9 |
|-----------------+-----------------------------------+-------------|
| 12.4XY | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XZ | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4YA | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
There are no known workarounds for this vulnerability. All other firewall features will continue to perform
normally. This example shows an existing
configuration, followed by how to remove AIC HTTP Deep Packet
Inspection:
!--- Existing Configuration
!
parameter-map type inspect global
!
class-map type inspect http match-any layer7-classmap
class-map type inspect match-any layer4-classmap
match protocol http
!
policy-map type inspect http layer7-policymap
class type inspect http layer7-classmap
allow
class class-default
policy-map type inspect layer4-policymap
class type inspect layer4-classmap
inspect global
service-policy http layer7-policymap
class class-default
!
zone security inside
description ** Inside Network **
zone security outside
description ** Outside Network **
zone-pair security in2out source inside destination outside
description ** Zone Pair - inside to outside **
service-policy type inspect layer4-policymap
Remove the service-policy from the zone-pair in question:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#zone-pair security in2out source inside destination outside
Router(config-sec-zone-pair)#no service-policy type inspect layer4-policymap
Router(config-sec-zone-pair)#exit
Remove the linkage between policy-map type inspect layer4-policymap
and policy-map type inspect http layer7-policymap:
Router(config)#policy-map type inspect layer4-policymap
Router(config-pmap)#class type inspect layer4-classmap
Router(config-pmap-c)#no service-policy http layer7-policymap
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Reapply the service-policy to the zone-pair in question:
Router(config)#zone-pair security in2out source inside destination outside
Router(config-sec-zone-pair)#service-policy type inspect layer4-policymap
Router(config-sec-zone-pair)#exit
Although not required, for completeness of the configuration the
policy-map type inspect http layer7-policymap and class-map type
inspect http match-any layer7-classmap are recommended to be removed.
Router(config)#no policy-map type inspect http layer7-policymap
Router(config)#no class-map type inspect http match-any layer7-classmap
Router(config)#exit
Router#
Obtaining Fixed Software
========================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was found by Cisco internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-September-24 | public |
| | | release |
+----------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkjaLbkACgkQ86n/Gc8U/uBSqwCgi7dmsFhp1u9fxWgLqVpMPtV+
fuIAn3f11gNGT/LITk11YI6fjv7W1Q20
=0tmt
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Do you need accurate and reliable IDS / IPS / AV detection rules?
Get in-depth vulnerability details:
http://secunia.com/binary_analysis/sample_analysis/
----------------------------------------------------------------------
TITLE:
Cisco IOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31990
VERIFY ADVISORY:
http://secunia.com/advisories/31990/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Cisco IOS R12.x
http://secunia.com/advisories/product/50/
Cisco IOS 12.x
http://secunia.com/advisories/product/182/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IOS, which can be
exploited by malicious people to disclose sensitive information,
cause a DoS (Denial of Service), or to compromise a vulnerable
system.
1) An unspecified error exists in the processing of SSL packets
during the termination of an SSL session, which can potentially be
exploited to crash an affected system.
2) Two unspecified errors exist within the processing of Protocol
Independent Multicast (PIM) packets, which can be exploited to cause
an affected device to reload.
3) Unspecified errors within the processing of segmented Skinny Call
Control Protocol (SCCP) messages can be exploited to cause a Cisco
IOS device to reload.
Successful exploitation requires that the device is configured with
Network Address Translation (NAT) SCCP Fragmentation Support.
4) A memory leak in the processing of Session Initiation Protocol
(SIP) messages can be exploited to cause a DoS for all voice
services.
6) An unspecified error in the IOS Intrusion Prevention System (IPS)
feature when processing certain IPS signatures that use the
SERVICE.DNS engine can be exploited to cause a DoS via specially
crafted network traffic.
7) A security issue exists in the processing of extended communities
with Multi Protocol Label Switching (MPLS) Virtual Private Networks
(VPN), which can lead to traffic leaking from one MPLS VPN to
another.
NOTE: This security issue was introduced with CSCee83237.
8) An unspecified error within the Multi Protocol Label Switching
(MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a
DoS via specially crafted network packets.
Successful exploitation requires access to the MPLS network.
10) An unspecified error in the processing of Layer 2 Tunneling
Protocol (L2TP) packets can be exploited to cause an affected device
to reload via a specially crafted L2TP packets.
Successful exploitation requires that the L2TP mgmt daemon process is
running. This process may be enabled e.g. via Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up
Networks (VPDN).
11) An unspecified error exists in the processing of IPC messages.
This can be exploited to reload an affected device via a specially
crafted UDP packet sent to port 1975.
12) A security issue is caused due to the device automatically
enabling SNMP with a default community string, which can be exploited
to gain control an affected system.
SOLUTION:
Update to the fixed version (please see the vendor's advisories for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200809-0359 | CVE-2008-3813 | Cisco IOS of L2TP mgmt daemon process In L2TP Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco IOS 12.2 and 12.4, when the L2TP mgmt daemon process is enabled, allows remote attackers to cause a denial of service (device reload) via a crafted L2TP packet. Cisco IOS is prone to a denial-of-service vulnerability.
A remote attacker can exploit this issue to cause an affected device to reload.
This vulnerability is tracked by Cisco bug ID CSCsh48879 and by CVE-2008-3813. ----------------------------------------------------------------------
Do you need accurate and reliable IDS / IPS / AV detection rules?
Get in-depth vulnerability details:
http://secunia.com/binary_analysis/sample_analysis/
----------------------------------------------------------------------
TITLE:
Cisco IOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31990
VERIFY ADVISORY:
http://secunia.com/advisories/31990/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Cisco IOS R12.x
http://secunia.com/advisories/product/50/
Cisco IOS 12.x
http://secunia.com/advisories/product/182/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IOS, which can be
exploited by malicious people to disclose sensitive information,
cause a DoS (Denial of Service), or to compromise a vulnerable
system.
1) An unspecified error exists in the processing of SSL packets
during the termination of an SSL session, which can potentially be
exploited to crash an affected system.
2) Two unspecified errors exist within the processing of Protocol
Independent Multicast (PIM) packets, which can be exploited to cause
an affected device to reload.
Successful exploitation requires that the device is configured with
Network Address Translation (NAT) SCCP Fragmentation Support.
4) A memory leak in the processing of Session Initiation Protocol
(SIP) messages can be exploited to cause a DoS for all voice
services.
6) An unspecified error in the IOS Intrusion Prevention System (IPS)
feature when processing certain IPS signatures that use the
SERVICE.DNS engine can be exploited to cause a DoS via specially
crafted network traffic.
7) A security issue exists in the processing of extended communities
with Multi Protocol Label Switching (MPLS) Virtual Private Networks
(VPN), which can lead to traffic leaking from one MPLS VPN to
another.
NOTE: This security issue was introduced with CSCee83237.
8) An unspecified error within the Multi Protocol Label Switching
(MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a
DoS via specially crafted network packets.
Successful exploitation requires access to the MPLS network.
11) An unspecified error exists in the processing of IPC messages.
12) A security issue is caused due to the device automatically
enabling SNMP with a default community string, which can be exploited
to gain control an affected system.
SOLUTION:
Update to the fixed version (please see the vendor's advisories for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Layer 2 Tunneling
Protocol (L2TP) Denial of Service Vulnerability
Advisory ID: cisco-sa-20080924-l2tp
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
Revision 1.0
For Public Release 2008 September 24 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
=======
A vulnerability exists in the Cisco IOS software implementation of
Layer 2 Tunneling Protocol (L2TP), which affects limited Cisco IOS
software releases.
Several features enable the L2TP mgmt daemon process within Cisco IOS
software, including but not limited to Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP) and Cisco Virtual Private Dial-Up
Networks (VPDN). Once this process is enabled the device is
vulnerable.
This vulnerability will result in a reload of the device when
processing a specially crafted L2TP packet.
Cisco has released free software updates that address this
vulnerability.
Workarounds that mitigate this vulnerability are available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml
Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
Affected Products
=================
All devices running affected versions of 12.2 or 12.4 Cisco IOS
system software and that have a vulnerable configuration are affected
by this vulnerability.
Vulnerable Products
+------------------
To determine if a device is vulnerable, first confirm that the device
is running an affected version of 12.2 or 12.4 Cisco IOS system
software. Then check for the process L2TP mgmt daemon running on the
device.
To determine the software version running on a Cisco product, log in
to the device and issue the show version command to display the
system banner. Cisco IOS software will identify itself as
"Internetwork Operating System Software" or simply "IOS." On the next
line of output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices
will not have the show version command or will give different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.4(11)T2:
Router#show version
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 01-May-07 04:19 by prod_rel_team
<output truncated>
Additional information on the Cisco IOS release naming conventions
can be found in the document entitled "White Paper: Cisco IOS
Reference Guide," which is available at
http://www.cisco.com/warp/public/620/1.html
To check if the process L2TP mgmt daemon is running on a device, log
into the command line interface (CLI) and issue the command show
processes | include L2TP . (NOTE: The command is case sensitive.) If
the output returns a line with the process name L2TP mgmt daemon, the
device is vulnerable. The following example shows a device running
the L2TP mgmt daemon process:
Router#show processes | include L2TP
158 Mwe 62590FE4 4 3 133322900/24000 0 L2TP mgmt daemon
Router#
The L2TP mgmt daemon is started by several different types of
configurations that may be deployed in networks that leverage the
L2TP protocol. If any of the following commands appear within a
device's configuration, show running-config, then the device will
have started the L2TP mgmt daemon and is vulnerable.
* Device is configured with Virtual Private Dial-Up Networks
(VPDN).
The command vpdn enable will appear in the device configuration.
* Device is configured for L2TP or L2TPv3 Client-Initiated VPDN
Tunneling.
The command pseudowire peer-ip-address vcid pw-class
pw-class-name " appears in the device configuration.
* Device is configured with Stack Group Bidding Protocol (SGBP).
The command sgbp group group-name will appear in the device
configuration.
* A L2TP signaling template has been defined.
The command l2tp-class l2tp-class name will appear in the device
configuration.
* Devices configured for Layer 2 Tunnel Protocol Version 3
The commands pseudowire-class pseudowire-class name and a
successfully applied interface xconnect command will appear in
the device configuration.
Products Confirmed Not Vulnerable
+--------------------------------
* Devices that are running Cisco IOS versions that are not
explicitly listed in the software table below as vulnerable, are
not affected.
* Cisco IOS XR is not affected.
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
Documented in RFC2661, L2TP and RFC3931, L2TPv3 are protocols for
tunneling network traffic between two peers over an existing network.
Several features leverage the L2TP protocol and start the L2TP mgmt
daemon within Cisco IOS. These features have been outlined in this
advisory under the Vulnerable Products section.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsh48879 - Crafted L2TP packet triggers a device reload.
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability will result in a reload
of the device. Repeated exploitation may result in an extended denial
of service (DoS) condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|--------------+----------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|--------------+-----------------------------------+----------------|
| 12.2 | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2B | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2BC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2BW | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2BX | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2BY | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2BZ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2CX | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2CY | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2CZ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2DA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2DD | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2DX | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2EW | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2EWA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2EX | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2EY | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2EZ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2FX | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2FY | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2FZ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2IRB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2IXA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2IXB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2IXC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2IXD | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2IXE | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2IXF | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2IXG | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2JA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2JK | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2MB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2MC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2S | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SBC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SCA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| | Note: Releases prior to 12.2(37) | |
| 12.2SE | SE are not vulnerable. First | 12.2(46)SE |
| | fixed in 12.2(44)SE | |
|--------------+-----------------------------------+----------------|
| 12.2SEA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SEB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SEC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SED | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SEE | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SEF | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SEG | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| | Note: Releases prior to 12.2(37) | |
| 12.2SG | SG are not vulnerable. First | 12.2(46)SG1 |
| | Fixed in 12.2(44)SG | |
|--------------+-----------------------------------+----------------|
| 12.2SGA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SL | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SM | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SO | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SRA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SRB | 12.2(33)SRB1 | 12.2(33)SRB4 |
|--------------+-----------------------------------+----------------|
| 12.2SRC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SU | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SV | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SVA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SVC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SVD | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SW | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SX | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SXA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SXB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SXD | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SXE | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SXF | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SXH | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SY | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SZ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2T | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2TPC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XD | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XE | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XF | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XG | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XH | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XI | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XJ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XK | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XL | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XM | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XN | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XNA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XNB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XO | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XQ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XR | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XS | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XT | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XU | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XV | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XW | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YD | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YE | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YF | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YG | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YH | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YJ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YK | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YL | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YM | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YN | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YO | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YP | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YQ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YR | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YS | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YT | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YU | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YV | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YW | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YX | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YY | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YZ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZD | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZE | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZF | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZG | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZH | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZJ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZL | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZP | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZU | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZX | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZY | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZYA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|--------------+-----------------------------------+----------------|
| 12.4 | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4JA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4JK | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4JL | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4JMA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4JMB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4JMC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4JX | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4MD | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| | Note: Releases prior to 12.4(11) | |
| 12.4MR | MR are not vulnerable. First | 12.4(19)MR |
| | fixed in 12.4(16)MR | |
|--------------+-----------------------------------+----------------|
| | | 12.4(15)SW2; |
| 12.4SW | 12.4(11)SW3 | Available on |
| | | 28-SEP-08 |
|--------------+-----------------------------------+----------------|
| | Note: Releases prior to 12.4(11)T | |
| 12.4T | are not vulnerable. First fixed | 12.4(15)T7 |
| | in 12.4(15)T | |
|--------------+-----------------------------------+----------------|
| 12.4XA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XD | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XE | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XF | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XG | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XJ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|--------------+-----------------------------------+----------------|
| 12.4XK | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XL | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XM | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XN | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XP | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XQ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XT | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XV | Vulnerable; contact TAC | |
|--------------+-----------------------------------+----------------|
| 12.4XW | 12.4(11)XW1 | 12.4(11)XW9 |
|--------------+-----------------------------------+----------------|
| 12.4XY | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XZ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4YA | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
The following workarounds have been identified for this
vulnerability.
Note: L2TP implementations will need to allow UDP 1701, from trusted
addresses to infrastructure addresses. This does not provide for a
full mitigation as the source addresses may be spoofed.
Note: L2TPv3 over IP only implementations need to deny all UDP 1701
from anywhere to the infrastructure addresses.
* Infrastructure Access Control Lists
Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic
at the border of networks. Infrastructure Access Control Lists
(iACLs) are a network security best practice and should be
considered as a long-term addition to good network security as
well as a workaround for these specific vulnerabilities. The iACL
example below should be included as part of the deployed
infrastructure access-list which will protect all devices with IP
addresses in the infrastructure IP address range:
!--- Permit L2TP UDP 1701 packets from all trusted
!--- sources destined to infrastructure addresses.
!--- NOTE: This does not prevent spoofed attacks.
!--- To be a full mitigation, no trusted source
!--- addresses should be listed.
!--- Omit this line if using a L2TPv3 over IP implementation only.
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES MASK
INFRASTRUCTURE_ADDRESSES MASK eq 1701
!--- Deny L2TP UDP 1701 packets from all
!--- sources destined to infrastructure addresses.
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 1701
!--- If using a L2TPv3 over IP implementation ensure to allow L2TPv3
access-list 150 permit 115 <source_ip_address and mask>
<destination_ip_address and mask>
!--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
!--- with existing security policies and configurations
!--- Permit all other traffic to transit the device.
access-list 150 permit ip any any
!--- Apply access-list to all interfaces (only one example shown)
interface serial 2/0
ip access-group 150 in
The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and
recommended deployment techniques for infrastructure protection
access lists. This white paper can be obtained at the following
link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
* Control Plane Policing
Control Plane Policing (CoPP) can be used to block L2TP access to
the device. CoPP can be
configured on a device to protect the management and control
planes and minimize the risk and effectiveness of direct
infrastructure attacks by explicitly permitting only authorized
traffic that is sent to infrastructure devices in accordance with
existing security policies and configurations. The CoPP example
below should be included as part of the deployed CoPP which will
protect all devices with IP addresses in the infrastructure IP
address range.
!--- Deny all trusted source L2TP UDP traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so that it
!--- will not be policed by the CoPP feature.
!--- NOTE: This does not prevent spoofed attacks.
!--- To be a full mitigation, no trusted source
!--- addresses should be listed.
!--- Omit this line if using an L2TPv3 over IP implementation only.
access-list 111 deny udp TRUSTED_SOURCE_ADDRESSES MASK
INFRASTRUCTURE_ADDRESSES MASK eq 1701
!--- Permit all L2TP UDP traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so that it
!--- will be policed and dropped by the CoPP feature
access-list 111 permit udp any INFRASTRUCTURE_ADDRESSES MASK eq 1701
!--- If using an L2TPv3 over IP implementation ensure not to drop L2TPv3
access-list 111 deny 115 <source_ip_address and mask>
<destination_ip_address and mask>
!--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!--- traffic in accordance with existing security policies and
!--- configurations for traffic that is authorized to be sent
!--- to infrastructure devices
!--- Create a Class-Map for traffic to be policed by
!--- the CoPP feature
class-map match-all drop-l2tp-class
match access-group 111
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.
policy-map drop-l2tp-traffic
class drop-l2tp-class
drop
!--- Apply the Policy-Map to the
!--- Control-Plane of the device
control-plane
service-policy input drop-l2tp-traffic
In the above CoPP example, the access control list entries (ACEs)
that match the potential exploit packets with the "permit" action
result in these packets being discarded by the policy-map "drop"
function, while packets that match the "deny" action (not shown)
are not affected by the policy-map drop function. Please note
that the policy-map syntax is different in the 12.2S and 12.0S
Cisco IOS trains:
policy-map drop-l2tp-traffic
class drop-l2tp-class
police 32000 1500 1500 conform-action drop exceed-action drop
Additional information on the configuration and use of the CoPP
feature is available at the following link:
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080924-l2tp.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-September-24 | public |
| | | release |
+----------------------------------------+
Cisco Security Procedures
==========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkjaLcgACgkQ86n/Gc8U/uC/CQCfcC70VVLkBqFMyqTqBh9mP0pu
BY4AniOvIpCfu1wKu/Zz7USner4MTUnB
=jfZd
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/