-----BEGIN PGP SIGNED MESSAGE----- __________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Cisco IOS Remote Router Crash August 13, 1998 15:00 GMT Number I-084 ______________________________________________________________________________ PROBLEM: A vulnerability exist in Cisco IOS software which makes it possible for untrusted, unauthenticated users to gain access to the login prompt. PLATFORM: Classic Cisco IOS software versions 9.1 and later. DAMAGE: If exploited, an attacker could cause the router to crash and reload without having to log into the router. SOLUTION: Apply workaround listed below. ______________________________________________________________________________ VULNERABILITY Cisco has no actual reports of malicious exploitation of ASSESSMENT: this vulnerability. However, there have been sporadic reports of unexplained crashes that have been consistent with the crashes caused by this vulnerability. ______________________________________________________________________________ [ Start Cisco Systems, Inc. Advisory ] Field Notice: Cisco IOS Remote Router Crash ============================= Revision 1.2 For release 08:00 AM US/Pacific, Wednesday, August 12, 1998 Cisco internal use only until release date Summary ======= An error in Cisco IOS software makes it possible for untrusted, unauthenticated users who can gain access to the login prompt of a router or other Cisco IOS device, via any means, to cause that device to crash and reload. This applies only to devices running classic Cisco IOS software. This includes most Cisco routers with model numbers greater than or equal to 1000, but does not include the 7xx series, the Catalyst LAN switches, WAN switching products in the IGX or BPX lines, the AXIS shelf, early models of the LS1010 or LS2020 ATM switches, or any host-based software. Who Is Affected =============== All users of classic Cisco IOS software versions 9.1 and later, but earlier than the repaired versions listed in the "Details" section of this notice, whose devices can be connected to interactively by untrusted users, are affected by this vulnerability. It is not necessary to be able to actually log in to exploit this vulnerability; simply establishing a terminal connection is sufficient. Note that some of the repaired software has been in the field for some time; you may already have installed it. Please check your software version number before assuming that you are affected. The vulnerability can be exploited using direct console or asynchronous serial connections (including dialup connections), TELNET connections, UNIX "r" command connections, LAT connections, MOP connections, X.29 connections, V.120 connections, and possibly others. Except in extraordinary security environments, administrators are strongly encouraged to assume that hostile users can find ways to make interactive connections to their Cisco IOS devices. If you are not running classic Cisco IOS software, then you are not affected by this vulnerability. If you are unsure whether your device is running classic Cisco IOS software, log into the device and issue the command show version. Classic Cisco IOS software will identify itself simply as "IOS" or "Internetwork Operating System Software", and affected software will have a version number greater than or equal to 9.1. Other Cisco devices either will not have the show version command, or will give different output. Impact ====== If attackers know the details of the Cisco IOS software error they will be able to cause the router to crash and reload without having to log in to the router. Because this problem involves damage to an internal data struture, it is possible that other, more subtle or targeted effects on system operation could also be induced by proper exploitation. Such exploitation, if it is possible at all, would require significant engineering skill and a thorough knowledge of the internal operation of Cisco IOS software, including Cisco trade secret information. Details ======= The Cisco IOS software error has been assigned Cisco bug ID CSCdj43337. Affected and Repaired Software Versions - -------------------------------------- This vulnerability affects all releases of Classic Cisco IOS software from 9.1 up to, but not including, the following corrected releases (including interim and beta software): * 11.3(1), 11.3(1)ED, 11.3(1)T * 11.2(10), 11.2(9)P, 11.2(9)XA, 11.2(10)BC * 11.1(15)CA, 11.1(16), 11.1(16)IA, 11.1(16)AA, 11.1(17)CC, 11.1(17)CT * 11.0(20.3) Releases of Cisco IOS software up to and including 10.3 have reached end of support, and no fixes are currently or planned to be available for those releases. All releases after 9.1 do, however, contain the problem. All planned fixes to Cisco IOS software have been completed and tested. Integration into regular released software is complete for all versions except 11.0. If you are running a version of software earlier than the ones listed above, please contact the Cisco TAC for assistance. As of the date of this notice, the fix for this problem is available for the 11.0 release only in the 11.0(20.3) version. This is an interim release, and has not been subjected to the same degree of testing as a regular IOS release. The first regular 11.0 release containing the fix will be 11.0(21). Release of 11.0(21) is tentatively scheduled for mid-September, 1998; this schedule is subject to change. Because of the relative maturity of the 11.0 Cisco IOS software, Cisco believes that installation of 11.0(20.3) carries less risk than would installation of an interim release for a newer Cisco IOS version, but customers are advised to use caution in installing 11.0(20.3), or any other interim release, in any critical device. Cisco is offering free software upgrades to all vulnerable customers, regardless of contract status. Customers with service contracts may upgrade to any Cisco IOS software version. Customers without contracts may upgrade to the latest versions of the images that they are already running (for example, from 11.2(2) to 11.2(11), but not from 11.2(2) to 11.3(3)). Customers without contracts who are running 10.3 or older software will receive free upgrades to fixed 11.0 versions, but should be careful to make sure that their hardware can support the new software before upgrading. Customers with contracts should obtain upgraded software through their regular update channels (generally via Cisco's Worldwide Web site). Customers without contracts should contact the Cisco TAC as explained in the "Cisco Security Procedures" section of this document, and should refer to the URL of this document as evidence of their entitlement. As with any software upgrade, you should check to make sure that your hardware can support the new software before upgrading. The most common problem is inadequate RAM. Assistance is available on Cisco's Worldwide Web site at http://www.cisco.com. Workarounds - ---------- It is possible to work around this problem by preventing interactive access to the Cisco IOS device. If only IP-based interactive access is of concern, this can be done by using the ip access-class line configuration to apply an access list to all virtual terminals in the system. However, it is important to remember that non-IP-based means of making interactive connections to Cisco IOS devices do exist, and to eliminate those means as possible routes of attack. Interactive access can be prevented completely by applying the configuration command no exec to any asynchronous line, or the command transport input none to any virtual terminal line, that may be accessible to untrusted users. Exploitation and Public Announcements ===================================== Cisco has had no actual reports of malicious exploitation of this vulnerability. However, there have been sporadic reports of unexplained crashes that have been consistent with the crashes caused by this vulnerability; the vulnerability was initially identified because of such a report. It is possible that the reported crashes could have been caused by random events, but it is also possible that they could have been deliberate. Cisco has essentially no information that would be useful in determining which is the case. None of the customers reporting the crashes indicated any suspicion of a deliberate attack. Cisco knows of no public announcements of this vulnerability before the date of this notice. Status of This Notice ===================== This is a final field notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice. Distribution - ----------- This notice will be posted on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/770/ioslogin-pub.shtml. In addition to Worldwide Web posting, the initial version of this notice is being sent to the following e-mail and Usenet news recipients: * cust-security-announce@cisco.com * bugtraq@netspace.org * first-teams@first.org (includes CERT/CC) * cisco@spot.colorado.edu * comp.dcom.sys.cisco * first-info@first.org * Various internal Cisco mailing lists Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL given above for any updates. Revision History - --------------- Revision 1.2, 9:00 Initial released version AM US/Pacific, 10-AUG-1998 Cisco Security Procedures ========================= Please report security issues with Cisco products, and/or sensitive security intrusion emergencies involving Cisco products, to security-alert@cisco.com. Reports may be encrypted using PGP; public RSA and DSS keys for "security-alert@cisco.com" are on the public PGP keyservers. The alias "security-alert@cisco.com" is used only for reports incoming to Cisco. Mail sent to the list goes only to a very small group of users within Cisco. Neither outside users nor unauthorized Cisco employees may subscribe to "security-alert@cisco.com". Please do not use "security-alert@cisco.com" for configuration questions, for security intrusions that you do not consider to be sensitive emergencies, or for general, non-security-related support requests. We do not have the capacity to handle such requests through this channel, and will refer them to the TAC, delaying response to your questions. We advise contacting the TAC directly with these requests. TAC contact numbers are as follows: * +1 800 553 2447 (toll-free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com All formal public security notices generated by Cisco are sent to the public mailing list "cust-security-announce@cisco.com". For information on subscribing to this mailing list, send a message containing the single line "info cust-security-announce" to "majordomo@cisco.com". An analogous list, "cust-security-discuss@cisco.com" is available for public discussion of the notices and of other Cisco security issues. ===================================================================== This notice is copyright 1998 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the notice, provided that redistributed copies are complete and unmodified, including all date and version information. [ End Cisco Systems, Inc. Advisory ] ______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Cisco Systems, Inc. for the information contained in this bulletin. ______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@llnl.gov For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC voice number 925-422-8193 and leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC duty person, and the secondary PIN number, 8550074 is for the CIAC Project Leader. Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov -- they're the same machine) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov -- they're the same machine) Modem access: +1 (925) 423-4753 (28.8K baud) +1 (925) 423-3331 (28.8K baud) CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information; 2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 3. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. Our mailing lists are managed by a public domain software package called Majordomo, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes for list-name: E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov: subscribe list-name e.g., subscribe ciac-bulletin You will receive an acknowledgment email immediately with a confirmation that you will need to mail back to the addresses above, as per the instructions in the email. This is a partial protection to make sure you are really the one who asked to be signed up for the list in question. If you include the word 'help' in the body of an email to the above address, it will also send back an information file on how to subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc. PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) I-074: Buffer Overflow in Some Implementations of IMAP Servers I-075: Microsoft Office 98 Security Vulnerability I-076: SGI IRIX ioconfig(1M) and disk_bandwidth(1M) Vulnerability I-077: Mime Name Vulnerability in Outlook and Messenger I-078: HP-UX ftp Security Vulnerability I-079: IBM AIX "sdrd" daemon Vulnerability I-080: Microsoft Exchange Denial of Service Attacks I-081: HP-UX & MPEix Predictive Vulnerability I-082: HP-UX Netscape Servers Vulnerability I-083: Eudora Pro E-Mail Attachment Vulnerability -----BEGIN PGP SIGNATURE----- Version: 4.0 Business Edition iQCVAwUBNdMaJ7nzJzdsy3QZAQG/xgP/YLZIDLT1WzB8kz0gjj+CSDa9zK/RqSGO u2qNs2DDEoNwkO3jZ8cI97gymB9p/OFhSi84NZuVbjWKnJ+h4Rkc//nsAbRC4m+H Acc7ZjXOJ9bB9DoK4DFBBbEj1bQ6wYr1pdY9uzpyZlNnLIZjo6HSqGj78xs82RIx wotYku0Minc= =CrBm -----END PGP SIGNATURE-----