__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Cisco Multiple IOS IPS Vulnerability [Cisco Security Advisory Document ID: 81545] February 14, 2007 17:00 GMT Number R-140 ______________________________________________________________________________ PROBLEM: There are vulnerabilities in the Cisco IOS Intrusion Prevention System. PLATFORM: The following Cisco IOS release trains with the IPS feature set enabled are vulnerable to the fragmented packet evasion vulnerability: 12.3T, except versions 12.3(2)T, 12.3(4)T, and 12.3(7)T 12.4 12.4T 12.4XE The following Cisco IOS release trains with the IPS feature set enabled are vulnerable to the ATOMIC.TCP regular expression denial of service vulnerability: 12.3T, except versions 12.3(2)T, 12.3(4)T, and 12.3(7)T 12.3XQ, 12.3XR, 12.3XS, 12.3XW, 12.3XX, 12.3XY 12.3YA, 12.3YD, 12.3YG, 12.3YH, 12.3YI, 12.3YJ, 12.3YK, 12.3YM, 12.3YQ, 12.3YS, 12.3YT, 12.3YX, 12.3YZ 12.4 12.4MR 12.4T 12.4XA, 12.4XB DAMAGE: May allow a remote intruder to crash a router. SOLUTION: Upgrade to the appropriate version. ______________________________________________________________________________ VULNERABILITY The risk is LOW. May allow a remote intruder to crash a router. ASSESSMENT: ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/r-140.shtml ORIGINAL BULLETIN: http://www.cisco.com/en/US/products/products_security_ advisory09186a00807e0a5b.shtml ______________________________________________________________________________ [***** Start Cisco Security Advisory Document ID: 81545 *****] Cisco Security Advisory: Multiple IOS IPS Vulnerabilities Document ID: 81545 Advisory ID: cisco-sa-20070213-iosips http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml Revision 1.0 For Public Release 2007 February 13 1600 UTC (GMT) -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- Contents Summary Affected Products Details Impact Software Version and Fixes Workarounds Obtaining Fixed Software Exploitation and Public Announcements Status of This Notice: FINAL Distribution Revision History Cisco Security Procedures -------------------------------------------------------------------------------- Summary The Intrusion Prevention System (IPS) feature set of Cisco IOSŪ contains several vulnerabilities. These include: Fragmented IP packets may be used to evade signature inspection. IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash resulting in a denial of service. There are mitigations and workarounds for these vulnerabilities. Cisco has made free software available to address these vulnerabilities for affected customers. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml. Affected Products Vulnerable Products The following Cisco IOS release trains with the IPS feature set enabled are vulnerable to the fragmented packet evasion vulnerability: 12.3T, except versions 12.3(2)T, 12.3(4)T, and 12.3(7)T 12.4 12.4T 12.4XE The following Cisco IOS release trains with the IPS feature set enabled are vulnerable to the ATOMIC.TCP regular expression denial of service vulnerability: 12.3T, except versions 12.3(2)T, 12.3(4)T, and 12.3(7)T 12.3XQ, 12.3XR, 12.3XS, 12.3XW, 12.3XX, 12.3XY 12.3YA, 12.3YD, 12.3YG, 12.3YH, 12.3YI, 12.3YJ, 12.3YK, 12.3YM, 12.3YQ, 12.3YS, 12.3YT, 12.3YX, 12.3YZ 12.4 12.4MR 12.4T 12.4XA, 12.4XB To determine if the IPS feature set is active on an IOS device, use the show ip ips configuration command. This command will list the interfaces configured to use IPS inspection. You will then need to further check the status of each interface to confirm if they are enabled or not. router#show ip ips configuration Configured Config Locations: -none- Last signature default load time: 18:46:50 UTC Jan 5 2007 Last signature delta load time: -none- Last event action (SEAP) load time: -none- IPS Auto Update is not currently configured IPS fail closed is disabled Fastpath ips is enabled Quick run mode is enabled Event notification through syslog is enabled Event notification through SDEE is enabled Total Active Signatures: 85 Total Inactive Signatures: 61 IPS Rule Configuration IPS name test IPS Category CLI is not configured Interface Configuration Interface FastEthernet0/0 Inbound IPS rule is test Outgoing IPS rule is not set router#show ip interface FastEthernet0/0 FastEthernet0/0 is up, line protocol is upIn the above example, interface FastEthernet0/0 is configured to use IPS and is shown to be enabled. Products Confirmed Not Vulnerable No other Cisco products are currently known to be affected by this vulnerability. Details Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection- based feature that enables Cisco IOS software to mitigate network attacks. Cisco IOS IPS enables the network to defend itself with the intelligence to identify, classify, and stop or block certain malicious or damaging traffic in real time. The IOS IPS feature set contains multiple vulnerabilities. Only IOS images containing the IPS feature set are affected by these vulnerabilities. Fragmented Packet Evasion Vulnerability Some of the IPS signatures utilize regular expressions. Due to a vulnerability, an attacker can evade those IPS signatures by sending malicious network traffic as IP fragments. This may result in potential malicious traffic bypassing signature inspection and possibly allow the exploitation of protected systems. IPS signatures which do not utilize regular expressions are not affected by this vulnerability. All IP protocols (e.g. TCP, UDP, ICMP) are affected by this vulnerability. There is a mitigation for this vulnerability. This vulnerability is documented in Cisco Bug ID CSCsg15598 ( registered customers only) . ATOMIC.TCP Regular Expression Denial of Service Vulnerability Certain network traffic can trigger IPS signatures which use the regular expression feature of the ATOMIC.TCP signature engine which may cause the IOS IPS device to crash. This may cause a denial of service resulting in disruption network traffic. Signature 3123.0 (Netbus Pro Traffic) has been demonstrated to trigger this vulnerability. There is a workaround for this vulnerability. This vulnerability is documented in Cisco Bug ID CSCsa53334 ( registered customers only) . Vulnerability Scoring Details Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability. CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html. Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss. CSCsg15598 ( registered customers only) - DYIDS: Fragmentation prevents signature recognition Calculate the environmental score of CSCsg15598 CVSS Base Score - 4.7 Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact Impact Bias Remote Low Not Required Partial Partial None Normal CVSS Temporal Score - 3.9 Exploitability Remediation Level Report Confidence Functional Official Fix Confirmed CSCsa53334 ( registered customers only) - bus error in single_pkt_regex Calculate the environmental score of CSCsa53334 CVSS Base Score - 3.3 Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact Impact Bias Remote Low Not Required None None Complete Normal CVSS Temporal Score - 2.7 Exploitability Remediation Level Report Confidence Functional Official Fix Confirmed Impact Successful exploitation of the fragmented packet evasion vulnerability may result in an attacker being able to evade detection by an IOS IPS device. This could allow protected systems to be covertly attacked. Successful exploitation of the ATOMIC.TCP regular expression denial of service vulnerability may cause an IOS IPS device to crash. Software Version and Fixes When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label). For more information on the terms "Rebuild" and "Maintenance," consult the following URL: http://www.cisco.com/warp/public/620/1.html Major Release Availability of Repaired Releases Affected 12.3-Based Release Rebuild Maintenance 12.3T All 12.3(2)T, 12.3(4)T, and 12.3(7)T releases are not vulnerable All 12.3(8)T releases are vulnerable 12.3(11)T10 12.3(14)T7 Limited platform support is available: contact TAC Please migrate to 12.4(12) or later 12.3XQ Vulnerable; migrate to 12.4(12) or later 12.3XR Vulnerable; contact TAC 12.3XS Vulnerable; migrate to 12.4(12) or later 12.3XW Vulnerable; migrate to 12.3(11)YF or later 12.3XX Vulnerable; migrate to 12.4(12) or later 12.3XY Vulnerable; migrate to 12.4(12) or later 12.3YA Vulnerable; contact TAC 12.3YD Vulnerable; migrate to 12.4(2)T3 or later 12.3YG Vulnerable; migrate to 12.4(2)T3 or later 12.3YH Vulnerable; migrate to 12.4(2)T3 or later 12.3YI Vulnerable; migrate to 12.4(2)T3 or later 12.3YJ Vulnerable; migrate to 12.3(14)YQ8 or later 12.3YK Vulnerable; migrate to 12.4(4)T or later 12.3YM 12.3(14)YM5 12.3YQ 12.3(14)YQ8 12.3YS Vulnerable; migrate to 12.4(4)T or later 12.3YT Vulnerable; migrate to 12.4(4)T or later 12.3YX 12.3(14)YX3 12.3YZ 12.3(11)YZ Affected 12.4-Based Release Rebuild Maintenance 12.4 12.4(1c) 12.4(3b) 12.4(5) 12.4(7e); available 26-Mar-07 All 12.4(8) releases are vulnerable 12.4(10b) 12.4(12) 12.4MR 12.4(6)MR1 12.4T 12.4(2)T3 12.4(4)T 12.4(6)T 12.4(9)T3; available 9-Apr-07 12.4(11)T1 12.4XA 12.4(2)XA2 12.4XB 12.4(2)XB3 12.4XE Vulnerable; contact TAC Workarounds The effectiveness of any mitigation or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied mitigation or fix is the most appropriate for use in the intended network before it is deployed. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-air-20070213-iosips.shtml Fragmented Packet Evasion Vulnerability There is a mitigation for the fragmented packet evasion vulnerability. The fragments keyword of IOS transit Access Control Lists (ACL) can be used to prohibit fragmented IP packets from transiting an IOS device. More information about filtering IP fragments can be found here: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_ paper09186a00801afc76.shtml#frag Blocking IP fragments may have adverse affects on some protocols (like HTTP, FTP and Kerberos/Active Directory), so this workaround should be used with caution. access-list 100 deny tcp any 10.1.1.0 0.0.0.255 fragments access-list 100 deny udp any 10.1.1.0 0.0.0.255 fragmentsATOMIC.TCP Regular Expression Denial of Service Vulnerability There is a workaround for the ATOMIC.TCP regular expression denial of service vulnerability by deleting IPS signature 3123.0 from the IOS IPS Signature Definition File (SDF). Disabling signature 3123.0 is alone not sufficient for the workaround to be effective. The following commands will delete signature 3123.0 from an IOS IPS device. router#configure terminal router(config)#ip ips signature 3123 delete %IPS Signature 3123:0 is marked for deletion %IPS The signature will be deleted when signatures are reloaded or saved router(config)#interface FastEthernet0/0 router(config)#no ip ips test in router(config)#ip ips test in router(config)#exit In the above example, signature 3123.0 is first deleted from the Signature Definition File, then the IPS instance running on interface FastEthernet0/0 is stopped and started to reinitialize the IPS state to reflect the signature deletion. If the IPS feature set is configured on multiple interfaces, then these steps must be completed for each affected interface. To determine if signature 3123 is active, use the show ip ips signature command. router#show ip ips signatures | include 3123 3123:0 N A MED 0 0 0 100 30 FA N S46 In the command output above, the N after 3123.0 indicates that the signature is present in the configuration but not enabled. Once the signature has been deleted, rerunning the show ip ips signature command shows: router#show ip ips signatures | include 3123 3123:0 N* A MED 0 0 0 100 30 FA N S46 In the command output above, the N* after 3123.0 indicates that the signature has been deleted from the configuration. The IPS feature set must be restarted on each interface configured for IPS to complete the workaround. Once completed, the output of the show ip ips signature command will show: router#show ip ips signatures | include 3123 router#This vulnerability may affect any IPS signature using the regular expression functionality of the ATOMIC.TCP engine. Currently, Cisco only ships one signature configured this way (3123.0). If custom signatures have been added to an IOS IPS device configured use the ATOMIC.TCP engine with a regular expression, these signatures must also be deleted from the IPS configuration to ensure the effectiveness of the workaround. Obtaining Fixed Software Cisco will make free software available to address this vulnerability for affected customers. This advisory will be updated as fixed software becomes available. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades. Customers with Service Contracts Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. +1 800 553 2447 (toll free from within North America) +1 408 526 7209 (toll call from anywhere in the world) e-mail: tac@cisco.com Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. The fragmented packet evasion vulnerability was discovered internally by Cisco. The ATOMIC.TCP regular expression denial of service vulnerability was reported to Cisco by a customer. Status of This Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. cust-security-announce@cisco.com first-teams@first.org bugtraq@securityfocus.com vulnwatch@vulnwatch.org cisco@spot.colorado.edu cisco-nsp@puck.nether.net full-disclosure@lists.grok.org.uk comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History Revision 1.0 2007-February-13 Initial public release. Cisco Security Procedures Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. [***** End Cisco Security Advisory Document ID: 81545 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Cisco for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) R-130: Vulnerability in HTML Help ActiveX Control (928843) R-131: Vulnerabilities in Microsoft Office (932554) R-132: Vulnerabilities in Microsoft Word (929434) R-133: Vulnerability in Microsft RichEdit (918118) R-134: Vulnerability in Microsoft MFC (924667) R-135: Vulnerability in Windows Image Acquisition Service (927802) R-136: Vulnerability in Windows Shell (928255) R-137: Vulnerability in Step-by-Step Interactive Training (923723) R-138: Cumulative Security Update for Internet Explorer (928090) R-139: Security Vulnerability in the in.telnetd(1M) Daemon