CI-00.10
Published: 2000-12-04 00:00:00
Updated: 2000-12-04 00:00:00
Multiple Vulnerabilities in CBOS
Revision 1.0
For Public Release 2000 December 04 08:00 (GMT +0800)
_________________________________________________________________
Summary
Multiple vulnerabilities have been identified and fixed in CBOS, an
operating system for the Cisco 600 family of routers.
* Any router in the Cisco 600 family that is configured to allow Web
access can be locked by sending a specific URL. Web access is
disabled by default, and it is usually enabled in order to
facilitate remote configuration. This defect is documented as
Cisco bug ID CSCdr98772.
* By sending a stream of TCP SYN packets to the router, it is
possible to exhaust all available TCP sockets. The consequence is
that no new TCP sessions addressed to the router will be
established. The difference between this vulnerability and a SYN
Denial-of-Service attack is that this one can be accomplished by a
slow stream of packets (one per second). This defect is documented
as Cisco bug ID CSCds59206.
* Invalid login attempts using the Web interface are not logged.
This defect is documented as Cisco bug ID CSCds19142.
* It is possible to lock up the router by sending a large ICMP ECHO
(PING) packet to it. This defect is documented as Cisco bug ID
CSCds23921.
The following releases of CBOS are vulnerable to all defects: 2.0.1,
2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7 and
2.3.8.
These defects will be fixed in the following CBOS releases: 2.3.5.015,
2.3.7.002, 2.3.9 and 2.4.1. Customers are urged to upgrade to releases
that are not vulnerable to these defects, as shown in detail in the
section Software Versions and Fixes below.
This advisory is available at
http://www.cisco.com/warp/public/707/CBOS-multiple.shtml.
Affected Products
The affected models are: 627, 633, 673, 675, 675E, 677, 677i and 678.
These models are vulnerable if they run any of the following, or
earlier, CBOS releases: 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a,
2.3, 2.3.2, 2.3.5, 2.3.7 and 2.3.8.
No other releases of CBOS software are affected by these vulnerabilities.
No other Cisco products are affected by these vulnerabilities.
These defects will be fixed in the following CBOS releases: 2.3.5.015,
2.3.7.002, 2.3.9 and 2.4.1.
Details
CSCdr98772
The behavior is caused by inadequate URL parsing in CBOS. Each
URL was expected to terminate with at least a single space
character (ASCII code 32, decimal). Sending a URL that does not
terminate with a space causes CBOS to enter an infinite loop.
It is necessary to power cycle the router to resume operation.
In order to exploit this vulnerability, a router must be
configured to accept Web connections. Having a Web access
password configured does not provide protection against this
vulnerability.
Note: Web access on all Cisco 600 routers is disabled by default
and must be explicitly enabled.
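The defect is a scan for a delimiter with no bound on how far it may run. The following parser is an added example, not CBOS code, showing the bounded form: it extracts the URL token from a request line held in a buffer of known length and rejects a line whose URL is not followed by a space instead of looping on it. The request-line layout, the MAX_REQ_LINE cap and the function names are assumptions.

```c
#include <string.h>

#define MAX_REQ_LINE 2048   /* constructed cap on a request line, not a CBOS value */

/* Return the index of the next space in buf[pos..len), or len if there is
 * none. The scan is bounded by len, so a token with no terminating space
 * stops at the end of the buffer. The unbounded form, `while (*p != ' ') p++;`,
 * has no such stop and never returns when the space is absent. */
static size_t find_space(const char *buf, size_t pos, size_t len) {
    while (pos < len && buf[pos] != ' ')
        pos++;
    return pos;
}

/* Parse "METHOD SP URL SP VERSION" from a buffer of known length that is not
 * assumed to be NUL-terminated (socket data is not). On success stores the
 * URL token in *url/*url_len and returns 0. Returns -1 for a line that is
 * empty, too long, or missing either delimiter, so the caller drops the
 * request instead of scanning past the data. */
int parse_request_url(const char *buf, size_t len,
                      const char **url, size_t *url_len) {
    if (buf == NULL || len == 0 || len > MAX_REQ_LINE)
        return -1;
    size_t m_end = find_space(buf, 0, len);
    if (m_end == 0 || m_end >= len)        /* empty method, or no space after it */
        return -1;
    size_t u_start = m_end + 1;
    size_t u_end = find_space(buf, u_start, len);
    if (u_end == u_start || u_end >= len)  /* empty URL, or URL not followed by a space */
        return -1;
    if (buf[u_start] != '/')               /* accept origin-form targets only */
        return -1;
    *url = buf + u_start;
    *url_len = u_end - u_start;
    return 0;
}

/* Convenience for NUL-terminated lines: URL length, or -1 when rejected. */
long request_url_length(const char *line) {
    const char *url;
    size_t n;
    if (parse_request_url(line, strlen(line), &url, &n) != 0)
        return -1;
    return (long)n;
}
```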
CSCds59206
By sending a stream of SYN packets addressed to the router, it
is possible to exhaust all available TCP sockets within CBOS.
This is due to a memory leak in CBOS. Once a router is in a
state where it cannot accept a new connection, it can be held
in this state by a slow stream of SYN packets until the router
is rebooted. The stream can be as slow as one packet per
second, so one machine with a 64 Kbit/s connection can hold up
approximately 150 routers.
Note: This does not affect non-TCP traffic. All User Datagram
Protocol (UDP) and Internet Control Message Protocol (ICMP)
packets can be handled by the router without any problems.
Existing and new TCP sessions through the router are not
affected.
When the attacking stream is terminated, the router recovers
on its own within a few minutes.
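Because the stream can be as slow as one packet per second, a per-second rate limit never fires; the useful check counts bare SYNs to the router's own address per source over a window of minutes and discounts sources that complete their handshakes. The following detector is an added example, not Cisco code, run over a constructed packet trace; the addresses, the ten-minute window and the threshold are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed packet record (not from the advisory): arrival time in seconds,
 * source address, and the SYN/ACK bits of a TCP segment sent to the router itself. */
typedef struct { uint32_t t; const char *src; int syn; int ack; } pkt_t;

#define WINDOW_S 600  /* ten-minute look-back; a 1 pkt/s stream never trips a per-second counter */
#define THRESH   120  /* constructed threshold: half-open attempts per source per window */
#define MAXPKT   2048

/* Half-open estimate for one source in (t_now - WINDOW_S, t_now]: bare SYNs
 * (SYN set, ACK clear) minus ACK-only segments. Data segments also carry ACK,
 * which only lowers the estimate for a source that completes its handshakes. */
static long half_open_count(const pkt_t *p, size_t n, const char *src, uint32_t t_now) {
    long syns = 0, acks = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(p[i].src, src) != 0 || p[i].t > t_now || p[i].t + WINDOW_S <= t_now)
            continue;
        if (p[i].syn && !p[i].ack) syns++;
        else if (p[i].ack && !p[i].syn) acks++;
    }
    return syns - acks;
}

int slow_syn_suspect(const pkt_t *p, size_t n, const char *src, uint32_t t_now) {
    return half_open_count(p, n, src, t_now) >= THRESH;
}

/* Constructed trace: one bare SYN per second for 15 minutes from 203.0.113.9
 * (the advisory's slow stream), plus an administrator at 198.51.100.7 who opens
 * one session a minute and completes each handshake. */
size_t build_sample(pkt_t *out) {
    size_t n = 0;
    for (uint32_t t = 0; t < 900 && n + 3 <= MAXPKT; t++) {
        out[n++] = (pkt_t){ t, "203.0.113.9", 1, 0 };
        if (t % 60 == 0) {
            out[n++] = (pkt_t){ t, "198.51.100.7", 1, 0 };  /* SYN */
            out[n++] = (pkt_t){ t, "198.51.100.7", 0, 1 };  /* ACK completes the handshake */
        }
    }
    return n;
}

/* Evaluate one source against the constructed trace at its last second. */
int demo_suspect(const char *src) {
    static pkt_t buf[MAXPKT];
    size_t n = build_sample(buf);
    return slow_syn_suspect(buf, n, src, 899);
}
```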
CSCds19142
Using the Cisco Web Management interface, it is possible to
keep guessing an access password without those password
attempts being logged. A password may be either "exec-only" or
"enable". A user with an "exec-only" password cannot change a
router configuration.
CSCds23921
By sending a large (at least 65500 bytes in size) ICMP ECHO
(PING) packet to the router itself, it is possible to overflow
an internal variable and cause router lockup. The router is not
affected by packets that are routed through it.
Impact
CSCdr98772
By sending a tailored URL to a router, it is possible to cause
a Denial-of-Service. Every affected router must be powered off
and back on in order to restore its normal functionality.
CSCds59206
It is possible to prevent all TCP access to a router. This
blocks all attempts at remote router administration.
CSCds19142
Long term, brute force password guessing can be performed
without being noticed. When the correct password is guessed, it
can be used to view or modify router configuration. This may be
particularly dangerous in installations where multiple routers
have the same password.
CSCds23921
It is possible to lock up the router, thus causing a
Denial-of-Service. Every affected device must be powered off
and back on in order to restore its normal functionality.
Software Versions and Fixes
The following table summarizes the CBOS software releases affected by
the defects described in this notice and scheduled dates on which the
earliest corresponding fixed releases will be available. Dates are
tentative and subject to change.
+===========+================+==============================================+
| | | |
| Release | Description or | Availability of Repaired Releases* |
| | Platform |==================+===========================+
| | | Patch release** | General Availability (GA) |
+===========+================+==================+===========================+
| All | 627, 633, 673 | 2.3.5.015 | |
| releases | 675, 677, 678 | 2000-DEC-11 | |
+-----------+----------------+------------------+---------------------------+
| 2.3.7.001 | 677i | 2.3.7.002 | |
| | | 2000-DEC-11 | |
+-----------+----------------+------------------+---------------------------+
| All | All platforms | | 2.3.9 |
| releases | | | 2001-JAN |
+-----------+----------------+------------------+---------------------------+
| All | All platforms | | 2.4.1 |
| releases | | | 2000-DEC-11 |
+===========+================+==================+===========================+
| Notes |
+===========================================================================+
|* All dates are estimated and subject to change. |
+---------------------------------------------------------------------------+
|** Patch releases are subjected to less rigorous testing than regular |
| GA releases, and may have serious bugs. |
+===========================================================================+
Obtaining Fixed Software
Cisco is offering free software upgrades to eliminate these
vulnerabilities for all affected customers.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's Worldwide
Web site at http://www.cisco.com.
Customers without contracts should get their upgrades by contacting
the Cisco Technical Assistance Center (TAC). TAC contacts are as
follows:
* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested
through the TAC. Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.
Workarounds
CSCdr98772
There are two workarounds for this vulnerability. First, the
potential for exploitation can be lessened by ensuring that Web
access to the router is limited to a legitimate IP address.
This can be done by entering the following commands while in
enable mode:
cbos# set web remote 10.0.0.1
cbos# set web remote enabled
where 10.0.0.1 is the address of the host with a legitimate
need for Web access to the router.
Alternatively, disabling the Web access completely will also
prevent this vulnerability from being exploited. This can be
done by entering the following command while in enable mode:
cbos# set web remote disable
CSCds59206
There is no workaround for this vulnerability.
CSCds19142
The Web Management interface can be disabled by entering the
following command in enable mode:
cbos# set web remote disable
CSCds23921
All incoming ICMP ECHO (PING) packets destined to the router
itself should be denied. This can be achieved with the following
commands:
cbos# set filter number on deny incoming all 0.0.0.0 0.0.0.0 <eth0_IP_address> 255.255.255.255 protocol ICMP
cbos# set filter number+1 on deny incoming all 0.0.0.0 0.0.0.0 <wan0_IP_address> 255.255.255.255 protocol ICMP
where number is a free filter number between 0 and 17.
Exploitation and Public Announcements
The vulnerability CSCdr98772 was discovered by several customers. It
was also discussed in public forums. PSIRT has received reports that
this vulnerability has been exploited in the wild.
The vulnerability CSCds23921 was discovered by a customer. The other
two vulnerabilities (CSCds59206 and CSCds19142) were discovered during
internal testing.
The Cisco Product Security Incident Response Team (PSIRT) is not aware
of any public announcements of CSCds59206, CSCds19142 and CSCds23921.
Status of This Notice: INTERIM
This is an interim notice. Cisco expects the contents of this report
to change. The reader is warned that this notice may contain
inaccurate or incomplete information. Although Cisco cannot guarantee
the accuracy of all statements in this notice, all of the facts have
been checked to the best of our ability. Cisco anticipates issuing
monthly updates of this notice until it reaches final status.
Distribution
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/CBOS-multiple.shtml. In addition
to Worldwide Web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients:
* cust-security-announce@cisco.com
* bugtraq@securityfocus.com
* first-teams@first.org (includes CERT/CC)
* cisco@spot.colorado.edu
* comp.dcom.sys.cisco
* firewalls@lists.gnac.com
* Various internal Cisco mailing lists
Future updates of this notice, if any, will be placed on Cisco's
Worldwide Web server, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the URL given above for any updates.
Revision History
Revision 1.0 2000-December-03 21:00 GMT+00 Draft for initial public release
