Cisco Security Notice: Cisco IOS Syslog Crash

11 Jan 1999

      -----BEGIN PGP SIGNED MESSAGE-----

Field Notice:
Cisco IOS Syslog Crash
==================================================================
Revision 1.1
For release 08:00 US/Pacific, Monday, January 11, 1999

For Cisco internal use only until release date

Summary
=======
Certain versions of Cisco IOS software may crash or hang when they receive
invalid user datagram protocol (UDP) packets sent to their "syslog" ports
(port 514). At least one commonly-used Internet scanning tool generates
packets which can cause such crashes and hangs. This fact has been announced
on public Internet mailing lists which are widely read both by security
professionals and by security "crackers", and should be considered public
information.

This vulnerability affects devices running Cisco IOS software version
11.3AA, version 11.3DB, or any 12.0-based version (including 12.0 mainline,
12.0S, 12.0T, and any other regular released version whose number starts
with "12.0"). The vulnerability has been corrected in certain special
releases, and will be corrected in maintenance and interim releases which
will be issued in the future; see the section on "Software Versions and
Fixes" for details on which versions are affected, and on which versions
are, or will be, fixed. Cisco intends to provide fixes for all affected IOS
variants.

There is a configuration workaround for this vulnerability.

Who is Affected
===============
All Cisco devices which are running classic Cisco IOS software with any of
the versions listed as affected under "Software Versions and Fixes" are
vulnerable to attack. This includes 11.3AA, 11.3DB, and all 12.0 versions,
up to the repaired releases listed in the table. No particular configuration
is needed to make a Cisco IOS device vulnerable.

It is possible to filter out the attack traffic using access lists; see
"Workarounds" in this document. However, except at Internet firewalls, the
appropriate filters are not common in customer configurations. You should
carefully evaluate your configuration before assuming that any filtering you
have already configured protects you against this attack.

Affected Devices
- --------------
It is impossible to list all Cisco products in this notice; the lists below
include only the most commonly used or most asked-about products.

If you are unsure whether your device is running classic Cisco IOS software,
log into the device and issue the command "show version". Classic Cisco IOS
software will identify itself simply as "IOS" or "Internetwork Operating
System Software". Other Cisco devices either will not have the "show version"
command, or will give different output.

Cisco devices that run classic Cisco IOS software include:

   * Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 8xx, ubr9xx, 1xxx,
     25xx, 26xx, 30xx, 36xx, 38xx, 40xx, 45xx, 47xx, AS52xx, AS53xx, AS58xx,
     64xx, 70xx, 72xx (including the ubr72xx), 75xx, and 12xxx series.
   * Most recent versions of the LS1010 ATM switch.
   * Some versions of the Catalyst 2900XL LAN switch.
   * The Cisco DistributedDirector.

The affected software versions are relatively new, and are not necessarily
available on every device listed above.

If you are not running classic Cisco IOS software, then you are not affected
by this vulnerability. Cisco devices which do not run classic Cisco IOS
software, and are not affected by this vulnerability, include the following:

   * 7xx dialup routers (750, 760, and 770 series) are not affected.
   * Catalyst 19xx, 28xx, 29xx, 3xxx, and 5xxx LAN switches are not
     affected, except for some versions of the Catalyst 2900XL. However,
     optional router modules running Cisco IOS software in switch
     backplanes, such as the RSM module for the Catalyst 5000 and 5500, are
     affected.
   * WAN switching products in the IGX and BPX lines are not affected.
   * The MGX (formerly known as the AXIS shelf) is not affected.
   * No host-based software is affected.
   * The Cisco PIX Firewall is not affected.
   * The Cisco LocalDirector is not affected.
   * The Cisco Cache Engine is not affected.

Impact
======
Attackers can cause Cisco IOS devices to crash and reload. Furthermore, an
attacker can repeat the process at will. By striking continuously, an
attacker might be able to completely disable a Cisco IOS device until that
device was reconfigured by its administrator.

Some Cisco IOS devices have been observed to hang instead of crashing when
attacked. These devices do not recover until manually restarted by reset or
power cycle. This means that it might be necessary for an administrator to
physically visit an attacked device in order to recover from the attack,
even if the attacker is no longer actively sending any traffic.

Some devices have crashed without providing stack traces; devices crashed
using this vulnerability may indicate that they were "restarted by
power-on", even when that is not actually the case.

Workarounds
===========
You can work around this vulnerability by preventing any affected Cisco IOS
device from receiving or processing UDP datagrams addressed to its port 514.
This can be done either using packet filtering on surrounding devices, or by
using input access list filtering on the affected IOS device itself.

If you use an input access list, that list should be applied to all
interfaces to which attackers may be able to send datagrams. This includes
not only physical LAN and WAN interfaces, but virtual subinterfaces of those
physical interfaces, as well as virtual interfaces and/or interface
templates corresponding to GRE, L2TP, L2F, and other tunnelling protocols.

The input access list must block traffic destined for UDP port 514 at any of
the Cisco IOS device's own IP addresses, as well as at any broadcast or
multicast addresses on which the Cisco IOS device may be listening. It's
important to remember to block old-style "all-zeroes" broadcasts as well as
new-style "all-ones" broadcasts. It is not necessary to block traffic being
forwarded to other hosts; only traffic actually addressed to the Cisco IOS
device is of interest.

There is no single input access list that will work in all configurations.
It is very important that you understand the effect of your access list in
your specific configuration before you activate the list.

The following example shows a possible access list for a three-interface
router, along with the configuration commands needed to apply that access
list. The example assumes that there is no need for input filtering other
than as a workaround for this vulnerability.

     ! Deny all multicasts, and all unspecified-net broadcasts, to port 514
     access-list 101 deny udp any 224.0.0.0 31.255.255.255 eq 514
     ! Deny old-style unspecified-net broadcasts
     access-list 101 deny udp any host 0.0.0.0 eq 514
     ! Deny network-specific broadcasts. This example assumes that all of
     ! the local interfaces are on the class B network 172.16.0.0, subnetted
     ! everywhere with mask 255.255.255.0. This will differ from network
     ! to network. Note that we block both new-style and old-style broadcasts.
     access-list 101 deny udp any 172.16.0.255 0.0.255.0 eq 514
     access-list 101 deny udp any 172.16.0.0   0.0.255.0 eq 514
     ! Deny packets sent to the addresses of our own network interfaces.
     access-list 101 deny udp any host 172.16.1.1 eq 514
     access-list 101 deny udp any host 172.16.2.1 eq 514
     access-list 101 deny udp any host 172.16.3.3 eq 514
     ! Permit all other traffic (default would be to deny)
     access-list 101 permit ip any any

     ! Apply the access list to the input side of each interface
     interface ethernet 0
     ip address 172.16.1.1 255.255.255.0
     ip access-group 101 in

     interface ethernet 2
     ip address 172.16.2.1 255.255.255.0
     ip access-group 101 in

     interface ethernet 3
     ip address 172.16.3.3 255.255.255.0
     ip access-group 101 in

It can be complicated to list all possible addresses, and especially all
possible broadcast addresses, to which attack packets might be sent. If you
do not expect to need to forward any legitimate syslog traffic received on
an interface, you may wish to simply block all syslog traffic arriving on
that interface. Remember that this will affect traffic routed through the
Cisco IOS device as well as traffic destined to the device; if the IOS
device is expected to forward syslog packets, you will have to do the
detailed filtering.

Input access lists have an impact on system performance, and should be
installed with a degree of caution, especially on systems that are running
very near their capacity limits.

Software Versions and Fixes
===========================
This vulnerability has Cisco bug ID CSCdk77426.

Many Cisco software images have been or will be specially reissued to
correct this vulnerability. For example, regular released version 12.0(2) is
vulnerable, as are interim versions 12.0(2.1) through 12.0(2.3) The first
fixed interim version of 12.0 mainline software is 12.0(2.4). However, a
special release, 12.0(2a), contains only the fix for this vulnerability, and
does not include any of the other bug fixes from later 12.0 interim
releases.

If you were running 12.0(2), and wanted to upgrade to fix this problem,
without taking the risk of instability presented by installing the 12.0(2.4)
interim release, you could upgrade to 12.0(2a). 12.0(2a) represents a "code
branch" from the 12.0(2) base, which merges back into the 12.0 mainline at
12.0(2.4).

In every case, these special releases are one-time spot fixes, and will not
be maintained. The upgrade path from, say, 12.0(2a), is to 12.0(3).

See the following table for information about affected and repaired software
versions. All dates in the table are tentative and subject to change.

+----------+-------------+---------------+---------------+-----------------+
|          |             |    Special    |  First fixed  |                 |
|          |             | one-time spot |    interim    |   First fixed   |
| Cisco IOS|             |  fix release; | release** (fix|     regular     |
|   Major  | Description |  most stable  |   will carry  |   maintenance   |
| Release  |             |   immediate   |  forward into |release (or other|
|          |             |  upgrade path |   all later   |long term upgrade|
|          |             |  (see above)  |   versions)   |      path)      |
+----------+-------------+---------------+---------------+-----------------+
|                           Unaffected releases                            |
+----------+-------------+---------------+---------------+-----------------+
|11.2 and  |Unaffected   |               |               |                 |
|earlier,  |early        |               |               |                 |
|all       |releases (no |Unaffected     |Unaffected     |Unaffected       |
|variants  |syslog       |               |               |                 |
|          |server)      |               |               |                 |
+----------+-------------+---------------+---------------+-----------------+
|11.3,     |             |               |               |                 |
|11.3T,    |             |               |               |                 |
|11.3DA,   |11.3 releases|               |               |                 |
|11.3MA,   |without      |Unaffected     |Unaffected     |Unaffected       |
|11.3NA,   |syslog       |               |               |                 |
|11.3WA,   |servers      |               |               |                 |
|11.3(2)XA |             |               |               |                 |
|          |             |               |               |                 |
+----------+-------------+---------------+---------------+-----------------+
|                           11.3-based releases                            |
+----------+-------------+---------------+---------------+-----------------+
|          |11.3 early   |               |               |                 |
|11.3AA    |deployment   |11.3(7)AA2,    |11.3(7.2)AA    |11.3(8)AA,       |
|          |for AS58xx   |8-JAN-1999*    |               |15-FEB-1999*     |
+----------+-------------+---------------+---------------+-----------------+
|          |11.3 for     |               |               |                 |
|          |Cisco NRP    |               |               |                 |
|11.3DB    |routing blade|       -       |       -       |11.3(7)DB2,      |
|          |in Cisco 6400|               |               |18-JAN-1999*     |
|          |xDSL DSLAM   |               |               |                 |
+----------+-------------+---------------+---------------+-----------------+
|                           12.0-based releases                            |
+----------+-------------+---------------+---------------+-----------------+
|12.0      |12.0 mainline|12.0(2a),      |12.0(2.4)      |12.0(3),         |
|          |             |8-JAN-1999*    |               |1-FEB-1999*      |
+----------+-------------+---------------+---------------+-----------------+
|          |12.0 new     |               |               |                 |
|12.0T     |technology   |12.0(2a)T1,    |12.0(2.4)T     |12.0(3)T,        |
|          |early        |11-JAN-1999*   |               |15-FEB-1999*     |
|          |deployment   |               |               |                 |
+----------+-------------+---------------+---------------+-----------------+
|          |ISP support: |               |               |                 |
|12.0S     |7200, RSP,   |       -       |12.0(2.3)S     |12.0(2)S***,     |
|          |GSR          |               |27-DEC-1998    |18-JAN-1999*     |
+----------+-------------+---------------+---------------+-----------------+
|          |12.0 for     |               |               |                 |
|          |Cisco 6400   |               |               |                 |
|          |universal    |               |               |                 |
|12.0DB    |access       |       -       |       -       |12.0(2)DB,       |
|          |concentrator |               |               |18-JAN-1999*     |
|          |node switch  |               |               |                 |
|          |processor    |               |               |                 |
|          |(lab use)    |               |               |                 |
+----------+-------------+---------------+---------------+-----------------+
|          |             |12.0(1)W5(5a)  |               |12.0(1)W5(6)     |
|          |12.0 for     |and            |               |(platform support|
|12.0(1)W  |Catalyst 8500|12.0(1a)W5(5b) |12.0(1)W5(5.15)|for Catalyst     |
|          |and LS1010   |(LS1010        |               |8540M will be in |
|          |             |platform only) |               |12.0(1)W5(7))    |
+----------+-------------+---------------+---------------+-----------------+
|          |One-time     |               |               |                 |
|          |early        |               |               |                 |
|          |deployment   |               |               |Unaffected;      |
|          |for CH-OC12  |Unaffected;    |               |general upgrade  |
|12.0(0.6) |in Catalyst  |one-time       |Unaffected     |path is via      |
|W5        |8500 series  |release        |               |12.0(1)W5        |
|          |switches     |               |               |releases.        |
|          |             |               |               |                 |
|          |             |               |               |                 |
+----------+-------------+---------------+---------------+-----------------+
|          |Short-life   |               |               |                 |
|          |release;     |               |               |Upgrade to       |
|12.0(1)XA3|merged to    |Obsolete       |Merged         |12.0(2a)T1and/or |
|          |12.0T at     |               |               |to 12.0(3)T      |
|          |12.0(2)T     |               |               |                 |
+----------+-------------+---------------+---------------+-----------------+
|          |Short-life   |               |               |                 |
|          |release for  |               |               |                 |
|          |Cisco 800    |               |               |                 |
|12.0(1)XB |series;      |12.0(1)XB1     |Merged         |Upgrade to       |
|          |merged to    |               |               |12.0(3)T         |
|          |12.0T at     |               |               |                 |
|          |12.0(3)T     |               |               |                 |
+----------+-------------+---------------+---------------+-----------------+
|          |Short-life   |               |               |                 |
|          |release for  |               |               |                 |
|          |new features |               |               |                 |
|          |in Cisco     |               |               |                 |
|          |2600, Cisco  |               |               |                 |
|12.0(2)XC |3600,        |12.0(2)XC1,    |Merged         |Upgrade to       |
|          |ubr7200,     |7-JAN-1999*    |               |12.0(3)T         |
|          |ubr900       |               |               |                 |
|          |series;      |               |               |                 |
|          |merged to    |               |               |                 |
|          |12.0T at     |               |               |                 |
|          |12.0(3)T     |               |               |                 |
+----------+-------------+---------------+---------------+-----------------+
|          |Short-life   |               |               |                 |
|          |release for  |               |               |                 |
|          |ISDN voice   |               |               |                 |
|12.0(2)XD |features;    |12.0(2)XD1,    |Merged         |Upgrade to       |
|          |merged to    |18-JAN-1999*   |               |12.0(3)T         |
|          |12.0T at     |               |               |                 |
|          |12.0(3)T.    |               |               |                 |
+----------+-------------+---------------+---------------+-----------------+
|12.0(1)XE |Short-life   |12.0(2)XE,     |Merged         |Upgrade to       |
|          |release      |18-JAN-1999*   |               |12.0(3)T         |
+----------+-------------+---------------+---------------+-----------------+

  * All projected dates are estimates, and are subject to change

 ** Interim releases are subjected to less rigorous testing than regular
    maintenance releases, and may have serious bugs.

*** The vulnerability is fixed in 12.0(2)S. The 12.0(2.3)S interim release
    is available to the field before the 12.0(2)S regular release because of
    internal process considerations. This entry is not a misprint.

Getting Fixed Software
- --------------------
Cisco is offering free software updates to correct this vulnerability for
all vulnerable customers, regardless of contract status. Note, however, that
because information about this vulnerability has been disseminated by third
parties, Cisco has been forced to release this notice before updates are
available for all software versions. The projected fix dates in the table
above are subject to change, but represent Cisco's best estimate of the
dates on which fixes will be available.

As with any software change, you should check to make sure that your
hardware can support the new software before installing it.  The most common
problem is inadequate RAM. While this is seldom a problem when upgrading
within a major release (say, from 11.2(11)P to 11.2(17)P), it is often an
issue when upgrading between major releases (say, from 11.2P to 11.3T).

Because fixes will be made available for all affected releases, this
vulnerability will rarely, if ever, require an upgrade to a new major
release. Cisco recommends very careful planning for any upgrade between
major releases. When upgrading between major releases, you must be
especially careful to make certain that no known bugs will prevent the new
software from working properly in your environment.

Further upgrade planning assistance is available on Cisco's Worldwide Web
site at http://www.cisco.com.

Customers with service contracts should obtain new software through their
regular update channels (generally via Cisco's Worldwide Web site).
Customers with service contracts may upgrade to any software release, but
must, as always, remain within the boundaries of the feature sets they have
purchased..

Customers without service contracts may upgrade only to obtain the bug
fixes; they are not offered upgrades to versions newer than required to
resolve the defects. In general, customers without service contracts will be
restricted to upgrading within a single row of the table above, except when
no upgrade within the same row is available in a timely manner. Customers
without service contracts should get their updates by contacting the  Cisco
TAC. TAC contacts are as follows:

   * +1 800 553 2447 (toll-free from within North America)
   * +1 408 526 7209 (toll call from anywhere in the world)
   * tac@cisco.com

Give the URL of this notice as evidence of your entitlement to a free
update. Free updates for non-contract customers must be requested through
the TAC. Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software updates.

Exploitation and Public Announcements
=====================================
A third party announced this vulnerability on the "bugtraq@netspace.org"
electronic mailing list on December 22, 1998. The third party's announcement
included sufficient information to allow any computer-literate person with a
moderate interest in security to exploit the vulnerability. On that same
day, Cisco sent an informal acknowledgement and a description of the
workaround both to the "bugtraq" list and to some other Internet discussion
forums, as well as to all Cisco customers who had requested security updates
by subscribing to the "cust-security-announce@cisco.com" mailing list.

Cisco has seen the information from "bugtraq" reposted on several Worldwide
Web sites catering to those interested in computer security.

All of the Worldwide Web sites in question, and all of the discussion
forums, including the "bugtraq" mailing list, are open to the public, and
many of them are widely read by people interested in computer and network
security. Customers should assume that any potential attacker is likely to
know that this vulnerability exists, and furthermore is likely to know how
to exploit the vulnerability.

This vulnerability can be exploited using tools available to the public on
the Internet; an attacker would not need to write any software to exploit
the vulnerability. Minimal skill is required. No special equipment is
required.

Despite specifically inviting such reports, Cisco has received no actual
reports of malicious exploitation of this vulnerability.

Status of This Notice
=====================
This is a final field notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this notice unless there is some material change in the facts. Should there
be a significant change in the facts, Cisco may update this notice.

Distribution
- ----------
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/770/iossyslog-pub.shtml . In addition to
Worldwide Web posting, the initial version of this notice is being sent to
the following e-mail and Usenet news recipients:

   * cust-security-announce@cisco.com
   * bugtraq@netspace.org
   * first-teams@first.org (includes CERT/CC)
   * first-info@first.org
   * cisco@spot.colorado.edu
   * comp.dcom.sys.cisco
   * nanog@merit.edu
   * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.

Revision History
- ----------------
 Revision 1.0,         First release candidate version.
 22:00 US/Pacific,
 9-JAN-1999

 Revision 1.1,         Correct upgrade path for 12.0XE
 09:45 US/Pacific,
 10-JAN-1999

Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's Worlwide
Web site at http://www.cisco.com/warp/public/791/sec_incident_response.shtml.
This includes instructions for press inquiries regarding Cisco security
notices.

==================================================================
This notice is copyright 1999 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including
this copyright notice and all date and version information.
==================================================================

Cisco Security Notice: Cisco IOS Syslog Crash

security-alert＠cisco.com