May 2007 - Test - lists.nanog.org

Re: Slate Podcast on Estonian DOS atatck
by Scott Weeks 23 May '07

23 May '07

-------------- sean(a)donelan.com wrote:------------------------ From: Sean Donelan <sean(a)donelan.com> On Wed, 23 May 2007, Bill Woodcock wrote: > > http://www.slate.com/id/2166749/fr/podcast/ > John Markoff just called me for the NYT piece. Odd that it's just hitting > the news now, two weeks later. I wonder, does this mean Estonia is now more likely to act/re-act to its own homegrown miscreants which attack systems in other countries after seeing the impact it had in their own country? Or is this going to remain a case of the "bad guys" are always in some other country, not mine. ------------------------------------------------------------- That's a rhetorical question with a bit of tongue-in-cheek, yes? scott

1 0

Detailed Juniper J-Flow Overview
by Fergie 23 May '07

23 May '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ...that's _not_ a .pdf is sought, pointer appreciated. I'm trying to gather some flow-export data points, and Juniper's website is quite "pdf-friendly". Any additional pointers to sample output, etc. would be much appreciated. Thanks, - - ferg -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.1 (Build 1012) wj8DBQFGU9AAq1pz9mNUZTMRAqzTAKDy1nm9pDMOk6xQFRq9huGe7fEglACg3ZrD B5G7nPkMGMgFFz4S0V7rGFU= =d1F5 -----END PGP SIGNATURE----- -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/

2 1

Re: Interesting new dns failures
by Fergie 23 May '07

23 May '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -- "Chris L. Morrow" <christopher.morrow(a)verizonbusiness.com> wrote: >Sure work on an expedited removal process inside a real procedure from >ICANN down to the registry. Work on a metric and monetary system used to >punish/disincent registrys from allowing their systems to be abused. Work >on a service/solution for the end-user/enterprise that allows them to take >action based on solid intelligence in a timely fashion with tracking on >the bits of that intelligence. > >three options, go play :) > Good dialogue. Fow what it's worth, I never advocated pushing "mechanisms" into the DNS core to deal with this issue -- in fact, I agree with you: It's an issue that can dealt with locally in recursive DNS, and it also needs to be dealt with in the policies that exists. One technical, one non-technical. Even up. :-) - - ferg -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.1 (Build 1012) wj8DBQFGU8Dkq1pz9mNUZTMRAuB3AJ4wWU9pq+thPlyR52jLCSH+UOW+3wCg/0Fx d82qbmHd89AVVSHgnFg+MAs= =VsuA -----END PGP SIGNATURE----- -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/

1 0

Re: Interesting new dns failures
by Fergie 22 May '07

22 May '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -- David Ulevitch <davidu(a)everydns.net> wrote: >But very few people (okay, not nobody) are saying, "Hey, why should I allow that compromised windows box that has never sent me an MX request before all of the sudden be able to request 10,000 MX records across my resolvers?" "Why am I resolving a domain name that was just added into the DNS an hour ago but has already changed NS servers 50 times?" > >These questions, and more (but I'm biased to DNS), can be solved at the edge for those who want them. It's decentralized there. It's done the right way there. It's also doable in a safe and fail-open kind of way. > David, As you (and some others) may be aware, that's an approach that we (Trend Micro) took a while back, but we got a lot (that's an understatement) of push-back from service providers, specifically, because they're not very inclined to change out their infrastructure (in this case, their recursive DNS) for something that could identify these types of behaviors. And actually, in the case you mentioned above -- to identify this exact specific behavior. - - ferg -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.1 (Build 1012) wj8DBQFGU2NQq1pz9mNUZTMRAn5EAKCxlJ6uAkM+GMK15oCezkBVXHcBpgCeLuzK Sn4ppcRBy8Nbc5MJU+zYiSE= =+JDX -----END PGP SIGNATURE----- -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/

3 2

Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS While Processing SSL Packets
by Cisco Systems Product Security Incident Response Team 22 May '07

22 May '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS While Processing SSL Packets Advisory ID: cisco-sa-20070522-SSL http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml Revision 1.0 For Public Release 2007 May 22 1300 UTC (GMT) - ------------------------------------------------------------------------------- Summary ======= Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device. Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previusly encrypted information. Cisco IOS is affected by the following vulnerabilities: * Processing ClientHello messages, documented as Cisco bug ID CSCsb12598 * Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304 * Processing Finished messages, documented as Cisco bug ID CSCsd92405 Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml. Affected Products ================= Vulnerable Products +------------------ These vulnerabilities affect all Cisco devices running Cisco IOS software configured to use the SSL protocol. The following application layer protocols in Cisco IOS use SSL: * Hyper Text Transfer Protocol over SSL (HTTPS). This is the most commonly used protocol that employs SSL. * Cisco Network Security (CNS) Agent with SSL support * Firewall Support of HTTPS Authentication Proxy * Cisco IOS Clientless SSL VPN (WebVPN) support Other protocols that use encryption to provide security but do not use SSL are not affected by these vulnerabilities. Specifically, IPSec and Secure Shell (SSH) are not affected. To determine the software running on a Cisco IOS product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco devices will not have the show version command, or will give different output. Only Cisco IOS images that contain the Crypto Feature Set are vulnerable. Customers who are not running an IOS image with crypto support are not exposed to this vulnerability. Cisco IOS feature set naming indicates that IOS images with crypto support have 'K8' or 'K9' in the feature designator field. The following example shows output from a device running an IOS image with crypto support: Router>show version Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(14)T1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by Cisco Systems, Inc. Compiled Thu 31-Mar-05 08:04 by yiyan Since the feature set designator (IK9S) contains 'K9', it can be determine that this feature set contains crypto support. Additional information about Cisco IOS release naming is available at the following link: http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper…. The following text describes how to recognize if any of the affected services are enabled on a device. Hyper Text Transfer Protocol Over SSL (HTTPS) +-------------------------------------------- To determine if a device has HTTPS enabled, enter the command "show run | include ip http". The following example shows output from of a device that has HTTPS enabled: Router#show run | include secure-server ip http secure-server The following example shows output from a device that does not have HTTPS enabled: Router#show run | include secure-server no ip http secure-server CNS Agent With SSL Support +------------------------- CNS Agent with SSL support can only be enabled on devices running a Cisco IOS image that supports encryption. The following example shows output from a device that has CNS Agent configured to support SSL: Router#show run | include cns config initial cns config initial 10.1.1.1 encrypt no-persist If the output does not contain the encrypt keyword the CNS Agent is not vulnerable. Firewall Support of HTTPS Authentication Proxy +--------------------------------------------- To determine if a device has authentication proxy for HTTPS enabled, enter the command "show ip auth-proxy configuration". The following example shows output from a device that has authentication proxy for HTTPS enabled: Router#show ip auth-proxy configuration Authentication cache time is 60 minutes Authentication Proxy Rule Configuration Auth-proxy name my_pxy http list not specified auth-cache-time 1 minutes If the command does not produce any output, authentication proxy for HTTPS is not enabled. Cisco IOS Clientless SSL VPN (WebVPN) Enhanced Support +----------------------------------------------------- To determine if a device has Cisco IOS Clientless SSL VPN (WebVPN) enhanced support enabled, enter the command "show webvpn gateway". The following example shows output from a device that has Cisco IOS Clientless SSL VPN (WebVPN) enhanced support enabled: Router#show webvpn gateway Gateway Name Admin Operation ------------ ----- --------- web-server up up If the command does not produces any output, Cisco IOS Clientless SSL VPN (WebVPN) enhanced support is not enabled. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= SSL is a protocol designed to provide a secure connection between two hosts. The SSL Protocol is described in RFC4346. While not necessary for the understanding of this advisory, users are encouraged to consult the section "7.3 handshake Protocol Overview" in RFC4346 as well as Figure 1 in the same section. The text of the RFC4346 is available at the following link: http://tools.ietf.org/html/rfc4346#section-7.3. An attacker can trigger these vulnerabilities after establishing a TCP connection, but prior to the exchange of authentication credentials, such as username/password or certificate. The requirement of the complete TCP 3-way handshake reduces the probability that these vulnerabilities will be exploited through the use of spoofed IP addresses. An attacker intercepting traffic between two affected devices cannot exploit these vulnerabilities if the SSL session is already established because SSL protects against such injection. However, such an attack could abnormally terminate an existing session, via a TCP RST, for example. The attacker could then wait for a new SSL session to be established and inject malicious packets at the beginning of the new SSL session, thus triggering the vulnerability. Processing ClientHello Messages May Cause Crash +---------------------------------------------- A vulnerable device may crash when processing a malformed ClientHello message. The ClientHello message is the first to be sent when a client connects to a server. It can also be sent after the SSL session is established; in such cases, the message is sent within the encrypted tunnel. This vulnerability is documented as Cisco bug ID CSCsb12598 Processing ChangeCipherSpec Messages May Cause Crash +--------------------------------------------------- A vulnerable device may crash when processing a malformed ChangeCipherSpec message. The ChangeCipherSpec message can only be sent after the ClientHello and ServerHello messages are exchanged. In most cases, the ChangeCipherSpec message is sent within the encrypted tunnel. This vulnerability is documented as Cisco bug ID CSCsb40304 Processing Finished Messages May Cause Crash +------------------------------------------- A vulnerable device may crash when processing a malformed Finished message. This message can only be sent as a part of a SSL handshake, but not as the first message. The Finished message is always sent within the encrypted tunnel. This vulnerability is documented as Cisco bug ID CSCsd92405 Vulnerability Scoring Details +---------------------------- Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability. CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html. Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss. Cisco Bug IDs: CSCsb12598 - Processing ClientHello messages CVSS Base Score: 3.3 Access Vector: Remote Access Complexity: Low Authentication: Not Required Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete Impact Bias: Normal CVSS Temporal Score: 2.7 Exploitability: Functional Remediation Level: Official Fix Report Confidence: Confirmed CSCsb40304 - Processing ChangeCipherSpec messages CVSS Base Score: 3.3 Access Vector: Remote Access Complexity: Low Authentication: Not Required Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete Impact Bias: Normal CVSS Temporal Score: 2.7 Exploitability: Functional Remediation Level: Official Fix Report Confidence: Confirmed CSCsd92405 - Processing Finished messages CVSS Base Score: 3.3 Access Vector: Remote Access Complexity: Low Authentication: Not Required Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete Impact Bias: Normal CVSS Temporal Score: 2.7 Exploitability: Functional Remediation Level: Official Fix Report Confidence: Confirmed Impact ====== Successful exploitation of any vulnerability listed in this advisory may result in the crash of the affected device. Repeated exploitation can result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) describes a release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label). For more information on the terms "Rebuild" and "Maintenance," consult the following URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper… +---------------------------------------------------------------------+ | Major Release | Availability of Repaired Releases | |-------------------------+-------------------------------------------| | Affected 12.0-Based | Rebuild | Maintenance | | Release | | | |-------------------------+-------------------------------------------| | 12.0T | Vulnerable; migrate to 12.2(46) or later | |-------------------------+-------------------------------------------| | 12.0WC | 12.0(5)WC17 | | |-------------------------+-------------------------------------------| | 12.0XE | Vulnerable; migrate to 12.1(26)E8 or | | | later | |-------------------------+-------------------------------------------| | 12.0XH | Vulnerable; migrate to 12.2(46) or later | |-------------------------+-------------------------------------------| | 12.0XI | Vulnerable; migrate to 12.2(46) or later | |-------------------------+-------------------------------------------| | 12.0XK | Vulnerable; migrate to 12.2(46) or later | |-------------------------+-------------------------------------------| | 12.0XL | Vulnerable; migrate to 12.2(46) or later | |-------------------------+-------------------------------------------| | 12.0XN | Vulnerable; migrate to 12.2(46) or later | |-------------------------+-------------------------------------------| | 12.0XQ | Vulnerable; migrate to 12.2(46) or later | |-------------------------+-------------------------------------------| | 12.0XR | Vulnerable; migrate to 12.2(46) or later | |-------------------------+-------------------------------------------| | 12.0XV | Vulnerable; migrate to 12.2(46) or later | |-------------------------+-------------------------------------------| | Affected 12.1-Based | Rebuild | Maintenance | | Release | | | |-------------------------+-------------------------------------------| | 12.1 | Vulnerable; migrate to 12.2(46) or later | |-------------------------+-------------------------------------------| | 12.1AY | Vulnerable; migrate to 12.1(22)EA9 or | | | later | |-------------------------+-------------------------------------------| | 12.1CX | Vulnerable; migrate to 12.2(46) or later | |-------------------------+-------------------------------------------| | | 12.1(26)E8 | | | 12.1E |-----------------------------+-------------| | | 12.1(27b)E2; available | | | | 25-June-07 | | |-------------------------+-----------------------------+-------------| | 12.1EA | 12.1(22)EA9 | | |-------------------------+-----------------------------+-------------| | 12.1EB | 12.1(26)EB2; available | | | | 30-July-07 | | |-------------------------+-------------------------------------------| | 12.1EC | Vulnerable; migrate to 12.3(21)BC or | | | later | |-------------------------+-------------------------------------------| | 12.1EW | Vulnerable; migrate to 12.2(25)EWA9 or | | | later | |-------------------------+-------------------------------------------| | 12.1EX | Vulnerable; migrate to 12.1(26)E8 or | | | later | |-------------------------+-------------------------------------------| | 12.1EY | Vulnerable; migrate to 12.1(26)E8 or | | | later | |-------------------------+-------------------------------------------| | 12.1T | Vulnerable; migrate to 12.2(46) or later | |-------------------------+-------------------------------------------| | 12.1XC | Vulnerable; migrate to 12.2(46) or later | |-------------------------+-------------------------------------------| | 12.1XD | Vulnerable; migrate to 12.2(46) or later | |-------------------------+-------------------------------------------| | 12.1XF | Vulnerable; migrate 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.1XG | Vulnerable; migrate 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.1XH | Vulnerable; migrate to 12.2(46) or later | |-------------------------+-------------------------------------------| | 12.1XI | Vulnerable; migrate to 12.2(46) or later | |-------------------------+-------------------------------------------| | 12.1XJ | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.1XL | 12.1(3a)XL2 | | |-------------------------+-------------------------------------------| | 12.1XM | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.1XP | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.1XQ | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.1XT | Vulnerable; migrate to12.3(22) or later | |-------------------------+-------------------------------------------| | 12.1XU | 12.1(5)XU2 | | |-------------------------+-------------------------------------------| | 12.1YB | Vulnerable; migrate to12.3(22) or later | |-------------------------+-------------------------------------------| | 12.1YC | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.1YD | Vulnerable; migrate to12.3(22) or later | |-------------------------+-------------------------------------------| | 12.1YE | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.1YF | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.1YI | Vulnerable; migrate to12.3(22) or later | |-------------------------+-------------------------------------------| | Affected 12.2-Based | Rebuild | Maintenance | | Release | | | |-------------------------+-----------------------------+-------------| | 12.2 | | 12.2(46) | |-------------------------+-------------------------------------------| | 12.2B | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.2BC | Vulnerable; migrate to 12.3(17b)BC5 or | | | later | |-------------------------+-------------------------------------------| | 12.2BW | Vulnerable; migrate 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2BY | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.2BZ | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.2CX | Vulnerable; migrate to 12.3(21)BC or | | | later | |-------------------------+-------------------------------------------| | 12.2CY | Vulnerable; migrate to 12.3(21)BC or | | | later | |-------------------------+-------------------------------------------| | 12.2CZ | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.2DD | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.2EW | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.2EWA | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.2EX | Vulnerable; migrate to 12.2(25)SEE3 or | | | later | |-------------------------+-------------------------------------------| | 12.2EY | Vulnerable; migrate to 12.2(35)SE or | | | later | |-------------------------+-------------------------------------------| | 12.2EZ | Vulnerable; migrate to 12.2(25)SEE3 or | | | later | |-------------------------+-------------------------------------------| | 12.2FX | Vulnerable; migrate to 12.2(25)SEE3 or | | | later | |-------------------------+-------------------------------------------| | 12.2FY | Vulnerable; migrate to 12.2(25)SEG2 or | | | later | |-------------------------+-------------------------------------------| | 12.2FZ | Vulnerable; migrate to 12.2(35)SE or | | | later | |-------------------------+-------------------------------------------| | 12.2IXA | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.2IXB | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.2JA | Vulnerable; migrate to 12.3(11)JA or | | | later | |-------------------------+-------------------------------------------| | 12.2JK | Vulnerable; migrate to 12.4(4)T or later | |-------------------------+-------------------------------------------| | 12.2S | Vulnerable; migrate to 12.2(31)SB2 or | | | later | |-------------------------+-------------------------------------------| | 12.2SB | 12.2(31)SB2 | | |-------------------------+-------------------------------------------| | 12.2SBC | Vulnerable; migrate to 12.2(31)SB2 or | | | later | |-------------------------+-------------------------------------------| | 12.2SE | | 12.2(35)SE | |-------------------------+-------------------------------------------| | 12.2SEA | Vulnerable; migrate to 12.2(25)SEE3 or | | | later | |-------------------------+-------------------------------------------| | 12.2SEB | Vulnerable; migrate to 12.2(25)SEE3 or | | | later | |-------------------------+-------------------------------------------| | 12.2SEC | Vulnerable; migrate to 12.2(25)SEE3 or | | | later | |-------------------------+-------------------------------------------| | 12.2SED | Vulnerable; migrate to 12.2(25)SEE3 or | | | later | |-------------------------+-------------------------------------------| | 12.2SEE | 12.2(25)SEE3 | | |-------------------------+-------------------------------------------| | 12.2SEF | Vulnerable; migrate to 12.2(35)SE or | | | later | |-------------------------+-------------------------------------------| | 12.2SEG | 12.2(25)SEG2 | | |-------------------------+-------------------------------------------| | 12.2SG | 12.2(37)SG | |-------------------------+-------------------------------------------| | 12.2SGA | 12.2(31)SGA1 | | |-------------------------+-----------------------------+-------------| | 12.2SRA | 12.2(33)SRA2 | | |-------------------------+-------------------------------------------| | 12.2SU | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | | 12.2(28)SV2 | | | 12.2SV |-----------------------------+-------------| | | 12.2(29)SV3 | | |-------------------------+-----------------------------+-------------| | 12.2SW | 12.2(25)SW8 | | |-------------------------+-------------------------------------------| | 12.2SX | Vulnerable; migrate to 12.2(18)SXE6b or | | | later | |-------------------------+-------------------------------------------| | 12.2SXA | Vulnerable; migrate to 12.2(18)SXE6b or | | | later | |-------------------------+-------------------------------------------| | 12.2SXB | Vulnerable; migrate to 12.2(18)SXE6b or | | | later | |-------------------------+-------------------------------------------| | 12.2SXD | Vulnerable; migrate to 12.2(18)SXE6b | |-------------------------+-------------------------------------------| | 12.2SXE | 12.2(18)SXE6b | | |-------------------------+-----------------------------+-------------| | 12.2SXF | 12.2(18)SXF | | |-------------------------+-------------------------------------------| | 12.2SY | Vulnerable; migrate to 12.2(18)SXE6b or | | | later | |-------------------------+-------------------------------------------| | 12.2T | Vulnerable; migrate 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2TPC | 12.2(8)TPC10b | | |-------------------------+-------------------------------------------| | 12.2XA | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2XB | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2XD | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2XE | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2XF | Vulnerable; migrate to 12.3(21)BC or | | | later | |-------------------------+-------------------------------------------| | 12.2XG | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2XH | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2XI | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2XJ | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2XK | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2XL | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2XM | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2XN | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2XQ | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2XR | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2XS | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2XT | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2XU | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2XV | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2XW | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2YA | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2YB | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2YC | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2YD | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.2YE | Vulnerable; migrate to 12.2(31)SB2 or | | | later | |-------------------------+-------------------------------------------| | 12.2YF | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2YJ | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2YL | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.2YM | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.2YN | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.2YQ | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.2YR | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.2YU | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.2YV | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.2YW | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.2YX | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.2YY | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.2YZ | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.2ZA | Vulnerable; migrate to 12.2(18)SXE6b or | | | later | |-------------------------+-------------------------------------------| | 12.2ZB | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.2ZD | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.2ZE | Vulnerable; migrate to 12.3(22) or later | |-------------------------+-------------------------------------------| | 12.2ZF | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.2ZH | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.2ZJ | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.2ZL | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.2ZN | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.2ZU | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.2ZV | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.2ZW | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.2ZX | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | Affected 12.3-Based | Rebuild | Maintenance | | Release | | | |-------------------------+-----------------------------+-------------| | 12.3 | | 12.3(22) | |-------------------------+-------------------------------------------| | 12.3B | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.3BC | 12.3(17b)BC5 | 12.3(21)BC | |-------------------------+-----------------------------+-------------| | 12.3JA | | 12.3(11)JA | |-------------------------+-----------------------------+-------------| | 12.3JEA | | 12.3(8)JEA | |-------------------------+-------------------------------------------| | 12.3JK | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.3JX | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.3T | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.3TPC | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.3XA | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.3XB | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.3XC | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.3XD | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.3XE | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.3XF | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.3XG | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.3XH | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.3XI | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.3XJ | Vulnerable; migrate to 12.4(11)T or later | |-------------------------+-------------------------------------------| | 12.3XK | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.3XQ | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.3XR | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.3XS | Vulnerable; migrate to 12.4(10) or later | |-------------------------+-------------------------------------------| | 12.3XU | Vulnerable; migrate to 12.4(11)T or later | |-------------------------+-------------------------------------------| | 12.3XW | Vulnerable; migrate to 12.4(11)T or later | |-------------------------+-------------------------------------------| | 12.3XX | 12.3(8)XX2d | | |-------------------------+-------------------------------------------| | 12.3YA | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.3YD | Vulnerable; migrate to 12.4(11)T or later | |-------------------------+-------------------------------------------| | 12.3YF | Vulnerable; migrate to 12.4(11)T or later | |-------------------------+-------------------------------------------| | 12.3YG | Vulnerable; migrate to 12.4(11)T or later | |-------------------------+-------------------------------------------| | 12.3YH | Vulnerable; migrate to 12.4(11)T or later | |-------------------------+-------------------------------------------| | 12.3YI | Vulnerable; migrate to 12.4(11)T or later | |-------------------------+-------------------------------------------| | 12.3YK | Vulnerable; migrate to 12.4(11)T or later | |-------------------------+-------------------------------------------| | 12.3YQ | Vulnerable; migrate to 12.4(11)T or later | |-------------------------+-------------------------------------------| | 12.3YS | Vulnerable; migrate to 12.4(11)T or later | |-------------------------+-------------------------------------------| | 12.3YT | Vulnerable; migrate to 12.4(11)T or later | |-------------------------+-------------------------------------------| | 12.3YU | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.3YX | Vulnerable; migrate to 12.4(11)T or later | |-------------------------+-------------------------------------------| | 12.3YZ | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | Affected 12.4-Based | Rebuild | Maintenance | | Release | | | |-------------------------+-----------------------------+-------------| | 12.4 | | 12.4(10) | |-------------------------+-----------------------------+-------------| | 12.4T | | 12.4(11)T | |-------------------------+-------------------------------------------| | 12.4XA | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.4XB | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.4XC | 12.4(4)XC6 | | |-------------------------+-----------------------------+-------------| | 12.4XD | 12.4(4)XD5 | | |-------------------------+-------------------------------------------| | 12.4XE | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.4XP | Vulnerable; contact TAC | |-------------------------+-------------------------------------------| | 12.4XT | Vulnerable; contact TAC | +---------------------------------------------------------------------+ Workarounds =========== The only way to prevent a device from being susceptible to the listed vulnerabilities is to disable the affected service(s). However, if regular maintenance and operation of the device relies on these services, there is no workaround. It is possible to mitigate these vulnerabilities by preventing unauthorized hosts from accessing affected devices. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory. This companion document is available at the following link: http://www.cisco.com/warp/public/707/cisco-air-20070522-SSL.shtml Control Plane Policing (CoPP) +---------------------------- Control Plane Policing: IOS software versions that support Control Plane Policing (CoPP) can be configured to help protect the device from attacks that target the management and control planes. CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T. In the following CoPP example, the ACL entries that match the exploit packets with the permit action will be discarded by the policy-map drop function, while packets that match a "deny" action (not shown) are not affected by the policy-map drop function: ! Include deny statements up front for any protocols/ports/IP addresses that !-- should not be impacted by CoPP ! Include permit statements for the protocols/ports that will be governed by CoPP access-list 100 permit tcp any any eq 443 !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4 !-- traffic in accordance with existing security policies and !-- configurations for traffic that is authorized to be sent !-- to infrastructure devices. ! !-- Create a Class-Map for traffic to be policed by !-- the CoPP feature. ! class-map match-all drop-SSL-class match access-group 100 ! !-- Create a Policy-Map that will be applied to the !-- Control-Plane of the device. ! policy-map drop-SSL-policy class drop-SSL-class drop !-- Apply the Policy-Map to the Control-Plane of the !-- device. ! control-plane service-policy input drop-SSL-policy Please note that in the 12.0S, 12.2S, and 12.2SX Cisco IOS trains, the policy-map syntax is different, as demonstrated by the following: policy-map drop-SSL-policy class drop-SSL-class police 32000 1500 1500 conform-action drop exceed-action drop NOTE: In the above CoPP example, the ACL entries with the "permit" action that match the exploit packets result in the discarding of those packets by the policy-map drop function, while packets that match the "deny" action are not affected by the policy-map drop function. Additional information on the configuration and use of the CoPP feature is available at the following links: http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804f… and http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_gui… Access Control List (ACL) +------------------------ An Access Control List (ACL) can be used to help mitigate attacks targeting these vulnerabilities. ACLs can specify that only packets from legitimate sources are permitted to reach a device, and all others are to be dropped. The following example shows how to allow legitimate SSL sessions from trusted sources and deny all other SSL sessions: access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> port 443 access-list 101 deny tcp any any port 443 Obtaining Fixed Software ======================== Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact either "psirt(a)cisco.com" or "security-alert(a)cisco.com" for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third-party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac(a)cisco.com Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this Advisory. These vulnerabilities were discovered by Cisco during internal testing. Status of This Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml. In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce(a)cisco.com * first-teams(a)first.org * bugtraq(a)securityfocus.com * vulnwatch(a)vulnwatch.org * cisco(a)spot.colorado.edu * cisco-nsp(a)puck.nether.net * full-disclosure(a)lists.grok.org.uk * comp.dcom.sys.cisco(a)newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------------------------------------+ | Revision 1.0 | 2007-May-22 | Initial public release. | +---------------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.… This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. - ------------------------------------------------------------------------------- All contents are Copyright 2006-2007 Cisco Systems, Inc. All rights reserved. - ------------------------------------------------------------------------------- Updated: May 22, 2007 Document ID: 91888 - ------------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFGUv7w8NUAbBmDaxQRAt2eAJ9HfpjbjdXCbden9C3cegJgptT6fgCgscZ4 Ce+S5/oA5GrNfmtT4Taqm20= =IRzP -----END PGP SIGNATURE-----

1 0

Cisco Security Advisory: Vulnerability In Crypto Library
by Cisco Systems Product Security Incident Response Team 22 May '07

22 May '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Vulnerability In Crypto Library Advisory ID: cisco-sa-20070522-crypto.shtml http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml Revision 1.0 For Public Release 2007 May 22 1300 UTC (GMT) - ------------------------------------------------------------------------------ Summary ======= A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password). Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previusly encrypted information. The vulnerable cryptographic library is used in the following Cisco products: * Cisco IOS * Cisco IOS XR * Cisco PIX and ASA Security Appliances * Cisco Firewall Service Module (FWSM) * Cisco Unified CallManager This vulnerability is assigned CVE ID CVE-2006-3894. It is externally coordinated and is tracked by the following external coordinators: * JPCERT/CC - tracked as JVNVU#754281 * CPNI - tracked as NISCC-362917 * CERT/CC - tracked as VU#754281 Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml. Note: Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com /warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml Affected Products ================= Vulnerable Products +------------------ This vulnerability affects all products that use affected versions of third party cryptographic libraries and enabled applications that are using crypto-related function. The following Cisco products are identified to be vulnerable: * Cisco IOS * Cisco IOS XR * Cisco PIX and ASA Security Appliances (only 7.x releases are affected) * Cisco Firewall Service Module (FWSM), all releases prior 2.3(5) and 3.1(6) are affected * Cisco Unified CallManager The following text lists application layer protocols or features that must be enabled in order for a device to be vulnerable. It is sufficient that only one protocol or feature is enabled in order for a devices to be vulnerable. In order to be not vulnerable, all of the listed application protocols or features must be disabled. Affected protocols in Cisco IOS +------------------------------ To determine the software running on a Cisco IOS product, log in to the device and issue the "show version" command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco devices will not have the "show version" command, or will give different output. Only Cisco IOS images that contain the Crypto Feature Set are vulnerable. Customers who are not running an IOS image with crypto support are not exposed to this vulnerability. Cisco IOS feature set naming indicates that IOS images with crypto support have 'K8' or 'K9' in the feature designator field. The following example shows output from a device running an IOS image with crypto support: Router>show version Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(14)T1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by Cisco Systems, Inc. Compiled Thu 31-Mar-05 08:04 by yiyan Since the feature set designator (IK9S) contains 'K9', it can be determine that this feature set contains crypto support. Additional information about Cisco IOS release naming is available at the following link: http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper…. You are affected by this vulnerability if you are running one of the vulnerable IOS software releases and have, at least one, of the following protocols or features enabled: * Internet Security Association and Key Management Protocol (ISAKMP) * In some IOS releases the Secure Socket Layer (SSL) may also be affected * Threat Information Distribution Protocol (TIDP) * Cisco IOS SIP Gateway Signaling Support Over TLS (SIP-TLS) * Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) As some other protocols may use affected crypto library the most accurate way to determine if your IOS release is vulnerable is to consult fixed IOS releases table. Internet Security Association and Key Management Protocol (ISAKMP) +----------------------------------------------------------------- To determine if your device has ISAKMP enabled, enter the command "show crypto isakmp policy". Below is an example of a device that has ISAKMP enabled. Router#show crypto isakmp policy Global IKE policy Protection suite of priority 1 <more output> If your output is like in the following example then you do not have IKE enabled on your device. Router#show crypto isakmp policy ISAKMP is turned off In Cisco IOS two features rely on ISAKMP - IPSec and Group Domain of Interpretation (GDOI). Presence of either of these features is detected by the previous example. Prior to IOS version 12.3(8)T, IKE was enabled by default, with no crypto configuration needed for the IOS device to process IKE messages. 12.2SXD versions of Cisco IOS have IKE enabled by default. To ensure that IKE processing is disabled, enter the global configuration command "no crypto isakmp enable". As of IOS version 12.3(2)T (which includes all 12.4-based versions), crypto configuration is required to enable IKE message processing. In order for an IOS device to be vulnerable crypto map must be explicilty configured and applied to an interface. Secure Socket Layer (SSL) +------------------------ In some Cisco IOS software releases the vulnerable library is used to process elements of SSL functionalities. SSL is used to protect several application layer protocols like Hyper Text Transfer Protocol over SSL (HTTPS). HTTPS is not the only protocol that may use SSL but it is the most commonly known. In order to determine if your device has HTTPS configured enter the command "show running | include secure". Below is an example of a device that has HTTPS enabled. router#show running | include secure-server ip http secure-server Threat Information Distribution Protocol (TIDP) +---------------------------------------------- To determine if your device has TDIP enabled, enter the command "show running-config | include parameter-map". Below is an example of a device that has TDIP enabled. router#show running | include parameter-map parameter-map type tms TMS_PAR Cisco IOS SIP Gateway Signaling Support Over TLS (SIP-TLS) +--------------------------------------------------------- To determine if your device has SIP-TLS enabled, enter the command "show running-config | include crypto signaling". Below is an example of a device that has SIP-TLS enabled. router#show running | include crypto signaling crypto signaling default trustpoint user1 Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) +-------------------------------------------------------------------- To determine if your device has EAP-TLS enabled, enter the command "show running-config | include method". Below is an example of a device that has EAP-TLS enabled. Router#show running | include method method tls Affected protocols in Cisco IOS XR +--------------------------------- You are affected by this vulnerability if you are running one of the vulnerable Cisco IOS XR software releases and have, at least one, of the following protocols or features enabled: * Internet Security Association and Key Management Protocol (ISAKMP) * In some IOS XR releases the Secure Socket Layer (SSL) may also be affected * Secure Shell (SSH) Internet Security Association and Key Management Protocol (ISAKMP) +----------------------------------------------------------------- To determine if your device has ISAKMP enabled, enter the command "show running-config | include isakmp". Below is an example of a device that has IKE enabled. Router#show running-config | include isakmp crypto isakmp crypto isakmp policy 1 crypto isakmp profile profile-a Secure Socket Layer (SSL) +------------------------ SSL is used to provide secure communications to the application layer protocols like Hyper Text Transfer Protocol over SSL (HTTPS) and Object Request Brokers (ORB). To determine if your device has any service enabled that uses SSL, enter one of the following commands "show running-config | include http server ssl" or "show running-config | include xml agent corba ssl". Below is an example of a device that has both of the services enabled. Router#show running-config | include http server ssl http server ssl Router#show running-config | include xml agent corba ssl xml agent corba ssl Secure Shell (SSH) +----------------- SSH is an application and a protocol that provides secure replacement for the suite of Berkeley r-tools such as rsh, rlogin and rcp. It is highly prefered over Telnet for interactive sessions. To determine if your device has SSH enabled enter the command "show running-config | include ssh server". Below is an example of a device that has SSH enabled. Router#show running-config | include ssh server ssh server ssh server rate-limit 100 Affected protocols in Cisco PIX and ASA Security Appliances +---------------------------------------------------------- You are affected by this vulnerability if you are running one of the vulnerable Cisco PIX and ASA software releases and have, at least one, of the following protocols or features enabled: * Secure Shell (SSH) * Internet Security Association and Key Management Protocol (ISAKMP) * Secure Socket Layer (SSL) Secure Shell (SSH) +----------------- To determine if a device has SSH enabled, enter the command "show running" and observe the output. If it contains the line as in the following example then SSH is enabled. PIX#show running .... ssh <host_IP_address> <host_netmask> <interface> .... Internet Security Association and Key Management Protocol (ISAKMP) +----------------------------------------------------------------- To determine if a device has ISAKMP enabled, enter the command "show running" and observe the output. If it contains the lines as in the following example then ISAKMP is enabled. PIX#show running .... crypto isakmp policy 2 authentication rsa-sig .... Secure Socket Layer (SSL) +------------------------ SSL is used to protect several application layer protocols like Hyper Text Transfer Protocol over SSL (HTTPS) and Cisco Adaptive Security Device Manager (ASDM) session. To determine if a device has SSL enabled, enter the command "show running" and observe the output. If it contains the line as in the following example then SSL is enabled. PIX#show running .... http server enable .... Affected protocols in Cisco Unified CallManager +---------------------------------------------- You are affected by this vulnerability if you are running one of the vulnerable Cisco Unified CallManager software releases and have, at least one, of the following protocols or features enabled: * Certificate Authority Proxy Function (CAPF) * Cisco TAPI Service Provider (Cisco Unified CallManager TSP) Certificate Authority Proxy Function (CAPF) +------------------------------------------ CAPF is automatically installed with Cisco CallManager but is disabled by default. In order to verify if CAPF is enabled on your Unified CallManager do the following steps. * Step 1 - In Cisco CallManager Administration, choose Service > Service Parameter. * Step 2 - If you are running 4.x software then do the following: from the Server drop-down list box, choose the publisher database server. If you are running 5.x software then do the following: From the Server drop-down list box, choose the first node. * Step 3 - From the Service drop-down list box, choose the Cisco Certificate Authority Proxy Function service. If you are given CAPF parameters then CAPF is running on your system. Cisco TAPI Service Provider (Cisco Unified CallManager TSP) +---------------------------------------------------------- In order to determine if Cisco Unified CallManager TSP is installed open Windows Control Panel (Start > Control Panel) and click on Add/Remove Programs. If 'Cisco Unity-CM TSP' is listed then you have it installed on your system. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by this vulnerability. Specifically, the following product's features or products are known not to be affected: * Cisco IOS + Secure Shell (SSH) + Secure Copy (SCP) * Cisco Unified Call Manager + Hyper Text Transfer Protocol over SSL (HTTPS) + Cisco Unified CallManager is configured for Secure Survivable Remote Site Telephony (SRST) * MeetingPlace Express and MeetingPlace for Telepresence * Cisco IP Communicator * All Cisco Unified IP Phones 7900 Series * CIP TN3270 Server * Cisco GSS 4400 Series Global Site Selector Appliances * Cisco CatOS The list is not exhaustive. Details ======= ASN.1 is defined by ITU-T (International Telecommunication Union - Telecommunication Standardization Sector) standards and it describes, among other things, data structures for encoding values. The vulnerability addressed by this advisory is related to the implementation of parsing certain data structures and is not a vulnerability in the standard itself. Protocols that use ASN.1 (e.g., voice over IP, Simple Network Management Protocol and others), but do not rely on the vulnerable crypto library, are not affected. This advisory only addresses an implementation issue in a particular crypto library from a single vendor. This vulnerability is present in the following Cisco products: * Cisco IOS, documented as Cisco bug ID CSCsd85587 * Cisco IOS XR, documented as Cisco bug ID CSCsg41084 * Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999 * Cisco Firewall Services Module (FWSM), documented as Cisco bug ID CSCsi97695 * Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348 Vulnerability Scoring Details +---------------------------- Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability. CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html. Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss. Cisco Bug IDs: CSCsd85587 - Router crashes when processing ISAKMP message CVSS Base Score: 3.3 Access Vector: Remote Access Complexity: Low Authentication: Not Required Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete Impact Bias: Normal CVSS Temporal Score: 2.7 Exploitability: Functional Remediation Level: Official Fix Report Confidence: Confirmed CSCsg41084 - IOS XR crashes when processing ISAKMP message CVSS Base Score: 3.3 Access Vector: Remote Access Complexity: Low Authentication: Not Required Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete Impact Bias: Normal CVSS Temporal Score: 2.7 Exploitability: Functional Remediation Level: Official Fix Report Confidence: Confirmed CSCse91999 - PIX/ASA crashes when processing ISAKMP message CVSS Base Score: 3.3 Access Vector: Remote Access Complexity: Low Authentication: Not Required Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete Impact Bias: Normal CVSS Temporal Score: 2.7 Exploitability: Functional Remediation Level: Official Fix Report Confidence: Confirmed CSCsg44348 - Unified CallManager crashes when processing crypto message CVSS Base Score: 3.3 Access Vector: Remote Access Complexity: Low Authentication: Not Required Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete Impact Bias: Normal CVSS Temporal Score: 2.7 Exploitability: Functional Remediation Level: Official Fix Report Confidence: Confirmed Impact ====== Successful exploitation of the vulnerability listed in this advisory may result in the crash of a vulnerable device. Repeated exploitation can result in a sustained DoS attack. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) describes a release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label). For more information on the terms "Rebuild" and "Maintenance," consult the following URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper… Cisco IOS +-------- Fixed Cisco IOS software releases are listed in the table below. +-----------------------------------------------------------------------------+ | Major Release | Availability of Repaired Releases | |------------------------------+----------------------------------------------| | Affected 12.2-Based Release | Rebuild | Maintenance | |------------------------------+----------------------------------------------| | 12.2B | Vulnerable; migrate to 12.4(10) or later | |------------------------------+----------------------------------------------| | 12.2BC | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.2BZ | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.2CX | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.2CZ | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.2EW | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.2EWA | 12.2(25)EWA9 | | |------------------------------+----------------------------------------------| | 12.2EX | Vulnerable; migrate to 12.2(25)SEE3 or later | |------------------------------+----------------------------------------------| | 12.2EY | Vulnerable; migrate to 12.2(25)SEE3 or later | |------------------------------+----------------------------------------------| | 12.2EZ | Vulnerable; migrate to 12.2(25)SEE3 or later | |------------------------------+----------------------------------------------| | 12.2FX | Vulnerable; migrate to 12.2(25)SEE3 or later | |------------------------------+----------------------------------------------| | 12.2FY | Vulnerable; migrate to 12.2(35)SE2 or later | |------------------------------+----------------------------------------------| | 12.2FZ | Vulnerable; migrate to 12.2(35)SE2 or later | |------------------------------+----------------------------------------------| | 12.2IXA | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.2IXB | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.2IXC | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.2JA | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.2JK | Vulnerable; migrate to 12.4(6)T7 or later | |------------------------------+----------------------------------------------| | 12.2SB | 12.2(31)SB3 | | |------------------------------+---------------------+------------------------| | 12.2SE | 12.2(35)SE2 | | |------------------------------+----------------------------------------------| | 12.2SEA | Vulnerable; migrate to 12.2(25)SEE3 or later | |------------------------------+----------------------------------------------| | 12.2SEB | Vulnerable; migrate to 12.2(25)SEE3 or later | |------------------------------+----------------------------------------------| | 12.2SEC | Vulnerable; migrate to 12.2(25)SEE3 or later | |------------------------------+----------------------------------------------| | 12.2SED | Vulnerable; migrate to 12.2(25)SEE3 or later | |------------------------------+----------------------------------------------| | 12.2SEE | 12.2(25)SEE3 | | |------------------------------+----------------------------------------------| | 12.2SEF | Vulnerable; migrate to 12.2(35)SE2 or later | |------------------------------+----------------------------------------------| | 12.2SEG | Vulnerable; migrate to 12.2(35)SE2 or later | |------------------------------+----------------------------------------------| | 12.2SG | | 12.2(37)SG | |------------------------------+---------------------+------------------------| | 12.2SGA | 12.2(31)SGA1 | | |------------------------------+---------------------+------------------------| | 12.2SRA | 12.2(33)SRA3 | | |------------------------------+---------------------+------------------------| | 12.2SRB | | 12.2(33)SRB | |------------------------------+----------------------------------------------| | 12.2SXD | Vulnerable; migrate to 12.2(18)SXF8 or later | |------------------------------+----------------------------------------------| | 12.2SXE | Vulnerable; migrate to 12.2(18)SXF8 or later | |------------------------------+----------------------------------------------| | 12.2SXF | 12.2(18)SXF8 | | |------------------------------+----------------------------------------------| | 12.2T | Vulnerable; migrate to 12.3(22) or later | |------------------------------+----------------------------------------------| | 12.2XR | Vulnerable; migrate to 12.3(22) or later | |------------------------------+----------------------------------------------| | 12.2YU | Vulnerable; migrate to 12.4(10) or later | |------------------------------+----------------------------------------------| | 12.2YV | Vulnerable; migrate to 12.4(10) or later | |------------------------------+----------------------------------------------| | 12.2ZD | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.2ZE | Vulnerable; migrate to 12.3(22) or later | |------------------------------+----------------------------------------------| | 12.2ZF | Vulnerable; migrate to 12.4(10) or later | |------------------------------+----------------------------------------------| | 12.2ZG | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.2ZH | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.2ZJ | Vulnerable; migrate to 12.4(10) or later | |------------------------------+----------------------------------------------| | 12.2ZL | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.2ZU | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.2ZW | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | Affected 12.3-Based Release | Rebuild | Maintenance | |------------------------------+---------------------+------------------------| | 12.3 | | 12.3(22) | |------------------------------+----------------------------------------------| | 12.3B | Vulnerable; migrate to 12.4(10) or later | |------------------------------+----------------------------------------------| | 12.3BC | 12.3(17b)BC6 | | |------------------------------+----------------------------------------------| | 12.3JA | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3JEA | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3JK | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3JL | 12.3(2)JL1 | | |------------------------------+----------------------------------------------| | 12.3JX | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3T | Vulnerable; migrate to 12.4(10) or later | |------------------------------+----------------------------------------------| | 12.3TPC | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3XA | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3XB | Vulnerable; migrate to 12.4(10) or later | |------------------------------+----------------------------------------------| | 12.3XC | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3XD | Vulnerable; migrate to 12.4(10) or later | |------------------------------+----------------------------------------------| | 12.3XE | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3XF | Vulnerable; migrate to 12.4(10) or later | |------------------------------+----------------------------------------------| | 12.3XG | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3XH | Vulnerable; migrate to 12.4(10) or later | |------------------------------+----------------------------------------------| | 12.3XI | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3XJ | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3XK | Vulnerable; migrate to 12.4(10) or later | |------------------------------+----------------------------------------------| | 12.3XQ | Vulnerable; migrate to 12.4(10) or later | |------------------------------+----------------------------------------------| | 12.3XR | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3XS | Vulnerable; migrate to 12.4(10) or later | |------------------------------+----------------------------------------------| | 12.3XU | Vulnerable; migrate to 12.4(6)T7 or later | |------------------------------+----------------------------------------------| | 12.3XW | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3XX | Vulnerable; migrate to 12.4(10) or later | |------------------------------+----------------------------------------------| | 12.3YA | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3YD | Vulnerable; migrate to 12.4(6)T7 or later | |------------------------------+----------------------------------------------| | 12.3YF | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3YG | Vulnerable; migrate to 12.4(6)T7 or later | |------------------------------+----------------------------------------------| | 12.3YH | Vulnerable; migrate to 12.4(6)T7 or later | |------------------------------+----------------------------------------------| | 12.3YI | Vulnerable; migrate to 12.4(6)T7 or later | |------------------------------+----------------------------------------------| | 12.3YK | Vulnerable; migrate to 12.4(6)T7 or later | |------------------------------+----------------------------------------------| | 12.3YQ | Vulnerable; migrate to 12.4(6)T7 or later | |------------------------------+----------------------------------------------| | 12.3YS | Vulnerable; migrate to 12.4(6)T7 or later | |------------------------------+----------------------------------------------| | 12.3YT | Vulnerable; migrate to 12.4(6)T7 or later | |------------------------------+----------------------------------------------| | 12.3YU | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3YX | 12.3(14)YX7 | | |------------------------------+----------------------------------------------| | 12.3YZ | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | Affected 12.4-Based Release | Rebuild | Maintenance | |------------------------------+---------------------+------------------------| | 12.4 | 12.4(7d) | 12.4(10) | |------------------------------+---------------------+------------------------| | 12.4SW | 12.4(11)SW1 | | |------------------------------+---------------------+------------------------| | | 12.4(6)T7 | | | |---------------------+------------------------| | 12.4T | 12.4(9)T3 | | | |---------------------+------------------------| | | 12.4(11)T1 | | |------------------------------+----------------------------------------------| | 12.4XA | Vulnerable; migrate to 12.4(6)T7 or later | |------------------------------+----------------------------------------------| | 12.4XB | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.4XC | 12.4(4)XC6 | | |------------------------------+---------------------+------------------------| | 12.4XD | 12.4(4)XD6 | | |------------------------------+----------------------------------------------| | 12.4XE | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.4XJ | 12.4(11)XJ2 | | |------------------------------+----------------------------------------------| | 12.4XP | Vulnerable; contact TAC | +-----------------------------------------------------------------------------+ Cisco IOS XR +----------- The following table lists fixed Cisco IOS XR software. +---------------------------------------------------------------------+ | Cisco IOS XR | SMU ID | SMU Name | | Version | | | |---------------------+-----------------+-----------------------------| | 3.2.3 | AA01802 | hfr-k9sec-3.2.3.CSCsg41084 | |---------------------+-----------------+-----------------------------| | 3.2.4 | AA01801 | hfr-k9sec-3.2.4.CSCsg41084 | |---------------------+-----------------+-----------------------------| | 3.2.6 | AA01800 | hfr-k9sec-3.2.6.CSCsg41084 | |---------------------+-----------------+-----------------------------| | 3.3.0 | AA01799, | hfr-k9sec-3.3.0.CSCsg41084 | | | AA01780 | | |---------------------+-----------------+-----------------------------| | 3.3.0 | AA01780 | c12k-k9sec-3.3.0.CSCsg41084 | |---------------------+-----------------+-----------------------------| | 3.3.1 | AA01781 | c12k-k9sec-3.3.1.CSCsg41084 | |---------------------+-----------------+-----------------------------| | 3.3.1 | AA01798 | hfr-k9sec-3.3.1.CSCsg41084 | |---------------------+-----------------+-----------------------------| | 3.3.2 | AA01797 | hfr-k9sec-3.3.2.CSCsg41084 | |---------------------+-----------------+-----------------------------| | 3.3.3 | AA01796 | hfr-k9sec-3.3.3.CSCsg41084 | |---------------------+-----------------+-----------------------------| | 3.3.3 | AA01785 | c12k-k9sec-3.3.3.CSCsg41084 | |---------------------+-----------------+-----------------------------| | 3.4.0 | AA01782 | c12k-k9sec-3.4.0.CSCsg41084 | |---------------------+-----------------+-----------------------------| | 3.4.0 | AA01795 | hfr-k9sec-3.4.0.CSCsg41084 | |---------------------+-----------------+-----------------------------| | 3.4.1 | AA01783 | c12k-k9sec-3.4.1.CSCsg41084 | |---------------------+-----------------+-----------------------------| | 3.4.1 | AA01794 | hfr-k9sec-3.4.1.CSCsg41084 | +---------------------------------------------------------------------+ IOS XR Package Installation Envelopes (PIE) can be downloaded from File Exchange at: https://upload.cisco.com/cgi-bin/swc/fileexg/main.cgi?CONTYPES=IOS-XR Installation instructions are included in the accompanying .txt files. Cisco PIX and ASA Security Appliance +----------------------------------- This vulnerability is fixed in the following 7.x software releases: 7.0(6.7), 7.1(2.27), 7.2(1.22), 7.2(2). All 8.x software releases do contain the fixed library and are not affected. No 6.x software releases are affected by this vulnerability. Cisco Firewall Service Module (FWSM) +----------------------------------- This vulnerability is fixed in the following software releases: * 2.3(5) maintenance release, expected in 2007-June * 3.1(6) maintenance release, expected in 2007-June Cisco Unified CallManager +------------------------ This vulnerability is fixed in the following software releases. * 4.0(x) releases are vulnerable but no fix will be provided. Customers are advised to upgrade to the fixed 4.1 or 4.2 software. * 4.1(3)sr.5 expected in 2007-May-24 * 4.2(3)sr.2 expected in 2007-May * 4.3(1)sr.1 expected 2007-Jun * 5.0(4) - no fixed software planned, users should upgrade to 5.1(2) * 5.1(1) - no fixed software planned, users should upgrade to 5.1(2) * 5.1(2) Workarounds =========== The only way to prevent a device being susceptible to the listed vulnerabilities is to disable the affected service(s). However, if regular maintenance and operation of the device relies on these services then there is no workaround. It is possible to mitigate these vulnerabilities by preventing unauthorized hosts to access the affected devices. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://www.cisco.com/warp/ public/707/cisco-air-20070522-crypto.shtml Control Plane Policing (CoPP) +---------------------------- Control Plane Policing: IOS software versions that support Control Plane Policing (CoPP) can be configured to help protect the device from attacks that target the management and control planes. CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T. In the CoPP example below, the ACL entries that match the exploit packets with the permit action will be discarded by the policy-map drop function, while packets that match a deny action (not shown) are not affected by the policy-map drop function. !-- Include deny statements up front for any protocols/ports/IP addresses that !-- should not be impacted by CoPP !-- Include permit statements for the protocols/ports that will be governed by CoPP !-- port 443 - HTTPS access-list 100 permit tcp any any eq 443 !-- port 500 - IKE access-list 100 permit udp any any eq 500 !-- port 848 - GDOI access-list 100 permit tcp any any eq 848 !-- port 5060 - SIP-TLS access-list 100 permit tcp any any eq 5060 !-- port 5354 - TIDP access-list 100 permit tcp any any eq 5354 !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4 !-- traffic in accordance with existing security policies and !-- configurations for traffic that is authorized to be sent !-- to infrastructure devices. ! !-- Create a Class-Map for traffic to be policed by !-- the CoPP feature. ! class-map match-all Drop-Known-Undesirable match access-group 100 ! !-- Create a Policy-Map that will be applied to the !-- Control-Plane of the device. ! policy-map CoPP-Input-Policy class Drop-Known-Undesirable drop !-- Apply the Policy-Map to the Control-Plane of the !-- device. ! control-plane service-policy input CoPP-Input-Policy Please note that in the 12.0S, 12.2S, and 12.2SX Cisco IOS trains, the policy-map syntax is different: policy-map CoPP-Input-Policy class Drop-Known-Undesirable police 32000 1500 1500 conform-action drop exceed-action drop NOTE: In the above CoPP example, the ACL entries with the "permit" action that match the exploit packets result in the discarding of those packets by the policy-map drop function, while packets that match the "deny" action are not affected by the policy-map drop function. Additional information on the configuration and use of the CoPP feature can be found at http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804f… and http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_gui… Access Control List (ACL) +------------------------ Access control lists can be used to help mitigate attacks that may try to exploit these vulnerabilities. This is done in a way that only packets from the legitimate sources are allowed to reach the device and all others are dropped. access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> eq 443 access-list 101 permit udp host <legitimate_host_IP_address> host <router_IP_address> eq 500 access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> eq 506 access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> eq 4848 access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> eq 5060 access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> eq 5354 access-list 101 deny tcp any any eq 443 access-list 101 deny udp any any eq 500 access-list 101 deny tcp any any eq 506 access-list 101 deny udp any any eq 4848 access-list 101 deny tcp any any eq 5060 access-list 101 deny tcp any any eq 5354 Obtaining Fixed Software ======================== Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact either "psirt(a)cisco.com" or "security-alert(a)cisco.com" for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third-party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac(a)cisco.com Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this Advisory. This vulnerability was discovered by Cisco during internal testing. Status of This Notice: Interim ============================== THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml. In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce(a)cisco.com * first-teams(a)first.org * bugtraq(a)securityfocus.com * vulnwatch(a)vulnwatch.org * cisco(a)spot.colorado.edu * cisco-nsp(a)puck.nether.net * full-disclosure(a)lists.grok.org.uk * comp.dcom.sys.cisco(a)newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------------------------------------+ | Revision 1.0 | 2007-May-22 | Initial public release. | +---------------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.… This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. - ------------------------------------------------------------------------------- All contents are Copyright 2006-2007 Cisco Systems, Inc. All rights reserved. - ------------------------------------------------------------------------------- Updated: May 22, 2007 Document ID: 91890 - ------------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFGUv7c8NUAbBmDaxQRAse8AJ9YwxPEprfhiJNzLVTLMXsTnTuWSwCghmmF qlrKeNA331DvYso6f2C5mRk= =dfTU -----END PGP SIGNATURE-----

1 0

Re: Interesting new dns failures
by Tim Franklin 22 May '07

22 May '07

Jay R. Ashworth wrote: > Such is not my experience, and I strongly advise people against such > stupidity. Oh, I'd absolutely advise against it - but the branding people and the lawyers typically think otherwise. The case that gets a bit murky for me is genuinely multi-national entities. In *theory* that ought to be what .com is for, but registering yourcompany.cc for every country where you have an operating entity looks sort of legit. (Yes, I've been asked to do this before.) > But if we play to their ignorance, they'll *never* learn, will they? > > I don't have overmuch trouble getting people to understand microsys.us Oh, if there's the slightest hint of interest in learning, I'll explain - apologies if I implied otherwise. Regards, Tim.

2 2

Re: OK - functioning administration of 44.0.0.0/8
by Brandon Butterworth 21 May '07

21 May '07

> Any reason it hasn't migrated over to IPv6 and 44/8 returned to the > free pool? Old software, efficiency (lots of the embedded low power hardware), no need to as 44. is all the space needed. Lots of other reasons I don't know When it started it was quite advanced, it was pretty much the only IP in the UK in the mid 80s. For some ISPs UK dial up Internet access started out using software developed for ampr Google and http://en.wikipedia.org/wiki/KA9Q have more details for those wondering. brandon

3 3

Re: OK - functioning administration of 44.0.0.0/8
by Brandon Butterworth 21 May '07

21 May '07

> The last time I looked into this there wasn't anything being done with > the block It's been in use for a very long time (>10years) > but now I see lots of people assigned to do various things - > should have looked before I said anything, but in 2001 this was totally > dead, at least in Iowa/Nebraska. Over the last few years broadband availability has obsoleted many uses of it. There was some 44. vpn'd over the Internet (probably still is, I closed the GB7BBC gateway into that last year) As there are legal restrictions on traffic into amateur networks it's generally not directly connected to the Internet brandon

2 1

Re: Interesting new dns failures
by Tim Franklin 21 May '07

21 May '07

Stewart Honsberger wrote: > Which is why new TLDs like .xxx et al. are redundant. I can see that > becoming a haven for vanity domains. It gets worse. In a previous life, I had the job of de-bunking^Wevaluating whichever bunch of alt-root snake-oil salesmen had managed to get an audience with our CTO with the pitch that it would be absolutely brilliant if everyone could just invent their own TLD. "Just imagine - Fooboz could own .fooboz, then they could have sales.fooboz, support.fooboz, widgets.fooboz..." "You know sales.fooboz.com, www.sales.fooboz.com, and www.fooboz.com/sales all work today, right?" Added to that their own panel of "Internet experts" to decide if a given Fooboz out of 47 (last time I checked) potential trade-mark holders on 'fooboz' and countless possible companies of the same name has the *real* claim on the .fooboz TLD. Feh. That way lies madness. Regards, Tim.

1 0