__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN SNMP Version 3 Authentication Vulnerability [Cisco Security Advisory Document ID: 107408] June 12, 2008 15:00 GMT Number S-315 ______________________________________________________________________________ PROBLEM: Multiple Cisco products contain either of two authentication vulnerabilities inthe Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. PLATFORM: Cisco IOS Cisco IOS-XR Cisco Catalyst Operating System (CatOS) Cisco NX-OS Cisco Application Control Engine (ACE) Module Cisco ACE Appliance Cisco ACE XML Gateway Cisco MDS 9000 Series Multilayer Fabric Switches DAMAGE: Data leak or configuration changes. SOLUTION: Upgrade to the appropriate version. ______________________________________________________________________________ VULNERABILITY The risk is LOW. Successful exploitation of these ASSESSMENT: vulnerabilities could result in the disclosure of sensitive information on a device or allow an attacker to make configuration changes to a vulnerable device that is based on the SNMP configuration. ______________________________________________________________________________ CVSS 2 BASE SCORE: 5.4 TEMPORAL SCORE: 4.2 VECTOR: (AV:A/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C) ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/s-315.shtml ORIGINAL BULLETIN: http://www.cisco.com/en/US/products/products_security_ advisory09186a00809ac83b.shtml ADDITIONAL LINKS: https://rhn.redhat.com/errata/RHSA-2008-0528.html https://rhn.redhat.com/errata/RHSA-2008-0529.html http://www.kb.cert.org/vuls/id/878044 CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2008-0960 ______________________________________________________________________________ [***** Start Cisco Security Advisory Document ID: 107408 *****] Cisco Security Advisory: SNMP Version 3 Authentication Vulnerabilities Document ID: 107408 Advisory ID: cisco-sa-20080610-snmpv3 http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml Revision 1.0 For Public Release 2008 June 10 1600 UTC (GMT) -------------------------------------------------------------------------------- Contents Summary Affected Products Details Vulnerability Scoring Details Impact Software Versions and Fixes Workarounds Obtaining Fixed Software Exploitation and Public Announcements Status of this Notice: FINAL Distribution Revision History Cisco Security Procedures -------------------------------------------------------------------------------- Summary Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default in Cisco products. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document. Note: SNMP versions 1, 2 and 2c are not impacted by these vulnerabilities. The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities. Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has also been assigned to these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml. [Expand all sections] [Collapse all sections] Affected Products Vulnerable Products The following Cisco products are vulnerable. Cisco IOS Cisco IOS-XR Cisco Catalyst Operating System (CatOS) Cisco NX-OS Cisco Application Control Engine (ACE) Module Cisco ACE Appliance Cisco ACE XML Gateway Cisco MDS 9000 Series Multilayer Fabric Switches Note: The SNMP server is disabled by default. These vulnerabilities only impact devices that are configured for SNMPv3. To determine the version of SNMP configured in Cisco IOS, CatOS and IOS-XR, log in to the device and issue the show snmp group command. The security model field indicates the version of SNMP configured. The output "usm" is the abbreviation for user-based security model and this indicates SNMPv3 is configured. Cisco IOS router#show snmp group groupname: test security model:v3 auth readview : v1default writeview: notifyview: row status: active Cisco CatOS 5500-1 (enable) show snmp group Security Model: v3 Security Name: userv3 Group Name: groupv3 Storage Type: nonvolatile Row Status: active Cisco IOS-XR RP/0/RP0/CPU0:ios#show snmp group groupname: test security model:usm readview : v1default writeview: - notifyview: v1default row status: nonVolatile IronPort IronPort C-Series, X-Series, and M-Series appliances utilize code covered by this advisory, but are not susceptible to any security risk. IronPort C-Series, X-Series, and M-Series incorporate the libraries under the advisory to provide anonymous read-only access to system health data. There is no risk of escalated authorization privileges allowing a 3rd party to make any configuration changes to the IronPort devices. IronPort S-Series and Encryption Appliances are not affected by this advisory. This announcement has also been posted on the IronPort Support Portal, available to IronPort customers: https://supportportal.ironport.com/irppcnctr/srvcd?u=http://secure-support.soma.ironport. com/announcement&sid=900016 Products Confirmed Not Vulnerable The following Cisco products are confirmed not vulnerable: Cisco PIX Security Appliances Cisco ASA Security Appliances Cisco Firewall Services Module (FWSM) Cisco Security Monitoring, Analysis, and Response System (MARS) Cisco Network Admission Control (NAC) Appliance CiscoWorks Wireless LAN Solution Engine (WLSE) No other Cisco products are currently known to be affected by these vulnerabilities. Top of the section Close Section Details SNMP defines a standard mechanism for remote management and monitoring of devices in an Internet Protocol (IP) network. There are three general types of SNMP operations: "get" requests to request information, "set" requests that modify the configuration of a remote device, and "trap" messages that provide a monitoring function. SNMP requests and traps are transported over User Datagram Protocol (UDP) and are received at the assigned destination port numbers 161 and 162, respectively. SNMPv3 provides secure access to devices by authenticating and encrypting packets over the network. RFC2574 defines the use of HMAC-MD5-96 and HMAC-SHA-96 as the possible authentication protocols for SNMPv3. Vulnerabilities have been identified in the authentication code of multiple SNMPv3 implementations. This advisory identifies two vulnerabilities that are almost identical. Both are specifically related to malformed SNMPv3 packets that manipulate the Hash Message Authentication Code (HMAC). The two vulnerabilities may impact both Secure Hashing Algorithm-1 (SHA-1) and Message-Digest Algorithm 5 (MD5). The vulnerabilities described in this document can be successfully exploited using spoofed SNMPv3 packets. These vulnerabilities are documented in the following Cisco Bug IDs: CSCsf04754 - IOS SNMPv3 HMAC Authentication issue ( registered customers only) CSCsf30109 - IOS-XR SNMPv3 HMAC Authentication issue ( registered customers only) CSCsf29976 - CatOS SNMPv3 HMAC Authentication issue ( registered customers only) CSCsq62662 - ACE XML Gw SNMPv3 HMAC Authentication issue ( registered customers only) CSCsq60664 - ACE Appliance SNMPv3 HMAC Authentication issue ( registered customers only) CSCsq60695 - ACE Module SNMPv3 HMAC Authentication issue ( registered customers only) CSCsq60582 - Nexus SNMPv3 HMAC Authentication issue ( registered customers only) Note: Although multiple software defects are listed, this advisory only identifies two vulnerabilities. Because different Cisco products require their own fixes, additional Bug IDs have been assigned. Top of the section Close Section Vulnerability Scoring Details Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html. Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss. CSCsf04754 - IOS SNMPv3 HMAC Authentication issue ( registered customers only) Calculate the environmental score of CSCsf04754 CVSS Base Score - 10 Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact Network Low None Complete Complete Complete CVSS Temporal Score - 8.3 Exploitability Remediation Level Report Confidence Functional Official-Fix Confirmed CSCsf30109 - IOS-XR SNMPv3 HMAC Authentication issue ( registered customers only) Calculate the environmental score of CSCsf30109 CVSS Base Score - 10 Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact Network Low None Complete Complete Complete CVSS Temporal Score - 8.3 Exploitability Remediation Level Report Confidence Functional Official-Fix Confirmed CSCsf29976 - CatOS SNMPv3 HMAC Authentication issue ( registered customers only) Calculate the environmental score of CSCsf29976 CVSS Base Score - 10 Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact Network Low None Complete Complete Complete CVSS Temporal Score - 8.3 Exploitability Remediation Level Report Confidence Functional Official-Fix Confirmed CSCsq62662 - ACE XML Gw SNMPv3 HMAC Authentication issue ( registered customers only) Calculate the environmental score of CSCsq62662 CVSS Base Score - 9.3 Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact Network Medium None Complete Complete Complete CVSS Temporal Score - 7.7 Exploitability Remediation Level Report Confidence Functional Official-Fix Confirmed CSCsq60664 - ACE Appliance SNMPv3 HMAC Authentication issue ( registered customers only) Calculate the environmental score of CSCsq60664 CVSS Base Score - 9.3 Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact Network Medium None Complete Complete Complete CVSS Temporal Score - 8.4 Exploitability Remediation Level Report Confidence Functional Workaround Confirmed CSCsq60695 - ACE Module SNMPv3 HMAC Authentication issue ( registered customers only) Calculate the environmental score of CSCsq60695 CVSS Base Score - 9.3 Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact Network Medium None Complete Complete Complete CVSS Temporal Score - 8.4 Exploitability Remediation Level Report Confidence Functional Workaround Confirmed CSCsq60582 - Nexus SNMPv3 HMAC Authentication issue ( registered customers only) Calculate the environmental score of CSCsq60582 CVSS Base Score - 9.3 Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact Network Medium None Complete Complete Complete CVSS Temporal Score - 8.4 Exploitability Remediation Level Report Confidence Functional Workaround Confirmed Top of the section Close Section Impact Successful exploitation of these vulnerabilities could result in the disclosure of sensitive information on a device or allow an attacker to make configuration changes to a vulnerable device that is based on the SNMP configuration. Top of the section Close Section Software Versions and Fixes When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. Major Release Availability of Repaired Releases Affected 12.0-Based Releases First Fixed Release Recommended Release 12.0 Not Vulnerable 12.0DA Not Vulnerable 12.0DB 12.0(2)DB 12.4(18b) 12.0DC Vulnerable; first fixed in 12.3T 12.4(18b) 12.0S 12.0(28)S1 12.0(32)S5 12.0(33)S 12.0SC 12.0(7)SC 12.0SL Vulnerable; first fixed in 12.0S 12.0SP Vulnerable; first fixed in 12.0S 12.0ST Vulnerable; first fixed in 12.0S 12.0SX Vulnerable; first fixed in 12.0S 12.0SY 12.0(32)SY1 12.0SZ 12.0(30)SZ4 12.0T 12.0(1)T 12.4(18b) 12.0W Not Vulnerable 12.0WC 12.0(5)WC16 12.0WT Not Vulnerable 12.0XA Not Vulnerable 12.0XB Not Vulnerable 12.0XC Not Vulnerable 12.0XD Not Vulnerable 12.0XE 12.0(1)XE 12.0XF 12.0(2)XF1 12.0(2)XF 12.0XG Vulnerable; first fixed in 12.2 12.4(18b) 12.0XH Vulnerable; first fixed in 12.2 12.4(18b) 12.0XI Releases prior to 12.0(4)XI2 are vulnerable, release 12.0(4)XI2 and later are not vulnerable; first fixed in 12.2 12.4(18b) 12.0XJ Vulnerable; first fixed in 12.2 12.4(18b) 12.0XK Vulnerable; first fixed in 12.2 12.4(18b) 12.0XL Vulnerable; first fixed in 12.2 12.4(18b) 12.0XM Vulnerable; first fixed in 12.0T 12.4(18b) 12.0XN Vulnerable; first fixed in 12.2 12.4(18b) 12.0XQ Vulnerable; first fixed in 12.0T 12.4(18b) 12.0XR Vulnerable; first fixed in 12.2 12.4(18b) 12.0XS Vulnerable; first fixed in 12.1E 12.0XV Vulnerable; first fixed in 12.0T 12.4(18b) 12.0XW Not Vulnerable Affected 12.1-Based Releases First Fixed Release Recommended Release 12.1 Vulnerable; first fixed in 12.2 12.4(18b) 12.1AA Vulnerable; first fixed in 12.2 12.4(18b) 12.1AX Vulnerable; first fixed in 12.2EY 12.1AY Vulnerable; first fixed in 12.1EA 12.1(22)EA11 12.1AZ Vulnerable; first fixed in 12.1EA 12.1(22)EA11 12.1CX Releases prior to 12.1(7)CX are vulnerable, release 12.1(7)CX and later are not vulnerable; first fixed in 12.2 12.4(18b) 12.1DA Vulnerable; first fixed in 12.2DA 12.1DB Vulnerable; first fixed in 12.3T 12.4(18b) 12.1DC Vulnerable; first fixed in 12.3T 12.4(18b) 12.1E 12.1(1)E2 12.1EA 12.1(22)EA10 12.1(22)EA11 12.1EB Vulnerable; contact TAC 12.1EC Vulnerable; first fixed in 12.3BC 12.1EO 12.1(19)EO6 12.2(29)SVD1; Available on 13-JUN-2008 12.1EU Vulnerable; first fixed in 12.2SG 12.2(25)EWA14 12.2(31)SGA7 12.2(44)SG 12.1EV Vulnerable; first fixed in 12.2SV 12.2(29)SVD1; Available on 13-JUN-2008 12.1EW Vulnerable; first fixed in 12.2EW 12.2(25)EWA14 12.2(31)SGA7 12.2(44)SG 12.1EX Vulnerable; first fixed in 12.1E 12.1EY Vulnerable; first fixed in 12.1E 12.1EZ Vulnerable; first fixed in 12.1E 12.1GA Vulnerable; first fixed in 12.2 12.4(18b) 12.1GB Vulnerable; first fixed in 12.2 12.4(18b) 12.1T Vulnerable; first fixed in 12.2 12.4(18b) 12.1XA Vulnerable; first fixed in 12.2 12.4(18b) 12.1XB Vulnerable; first fixed in 12.2 12.4(18b) 12.1XC Vulnerable; first fixed in 12.2 12.4(18b) 12.1XD Vulnerable; first fixed in 12.2 12.4(18b) 12.1XE Vulnerable; first fixed in 12.1E 12.1XF Vulnerable; first fixed in 12.3 12.4(18b) 12.1XG Vulnerable; first fixed in 12.3 12.4(18b) 12.1XH Vulnerable; first fixed in 12.2 12.4(18b) 12.1XI Vulnerable; first fixed in 12.2 12.4(18b) 12.1XJ Vulnerable; first fixed in 12.3 12.4(18b) 12.1XK Not Vulnerable 12.1XL Vulnerable; first fixed in 12.3 12.4(18b) 12.1XM Vulnerable; first fixed in 12.3 12.4(18b) 12.1XN Not Vulnerable 12.1XO Not Vulnerable 12.1XP Vulnerable; first fixed in 12.3 12.4(18b) 12.1XQ Vulnerable; first fixed in 12.3 12.4(18b) 12.1XR Vulnerable; first fixed in 12.3 12.4(18b) 12.1XS Vulnerable; first fixed in 12.2 12.4(18b) 12.1XT Vulnerable; first fixed in 12.3 12.4(18b) 12.1XU Vulnerable; first fixed in 12.3 12.4(18b) 12.1XV Vulnerable; first fixed in 12.3 12.4(18b) 12.1XW Vulnerable; first fixed in 12.2 12.4(18b) 12.1XX Vulnerable; first fixed in 12.2 12.4(18b) 12.1XY Vulnerable; first fixed in 12.2 12.4(18b) 12.1XZ Vulnerable; first fixed in 12.2 12.4(18b) 12.1YA Vulnerable; first fixed in 12.3 12.4(18b) 12.1YB Vulnerable; first fixed in 12.3 12.4(18b) 12.1YC Vulnerable; first fixed in 12.3 12.4(18b) 12.1YD Vulnerable; first fixed in 12.3 12.4(18b) 12.1YE Releases prior to 12.1(5)YE6 are vulnerable, release 12.1(5)YE6 and later are not vulnerable; first fixed in 12.3 12.4(18b) 12.1YF Vulnerable; first fixed in 12.3 12.4(18b) 12.1YG Not Vulnerable 12.1YH Vulnerable; first fixed in 12.3 12.4(18b) 12.1YI Vulnerable; first fixed in 12.3 12.4(18b) 12.1YJ Vulnerable; first fixed in 12.1EA 12.1(22)EA11 Affected 12.2-Based Releases First Fixed Release Recommended Release 12.2 12.2(26c) 12.2(27c) 12.2(28d) 12.2(29b) 12.2(40) 12.4(18b) 12.2B Vulnerable; first fixed in 12.3T 12.4(18b) 12.2BC Vulnerable; first fixed in 12.3BC 12.2BW Vulnerable; first fixed in 12.3 12.4(18b) 12.2BY Vulnerable; first fixed in 12.3T 12.4(18b) 12.2BZ Vulnerable; first fixed in 12.3XI 12.2CX Vulnerable; first fixed in 12.3BC 12.2CY Vulnerable; first fixed in 12.3BC 12.2CZ Not Vulnerable 12.2DA 12.2(10)DA4 12.2(12)DA11 12.2DD Vulnerable; first fixed in 12.3T 12.4(18b) 12.2DX Vulnerable; first fixed in 12.3T 12.4(18b) 12.2EU Vulnerable; first fixed in 12.2SG 12.2(25)EWA14 12.2(31)SGA7 12.2(44)SG 12.2EW 12.2(18)EW7 12.2(20)EW4 12.2(25)EWA14 12.2(31)SGA7 12.2(44)SG 12.2EWA 12.2(20)EWA3 12.2(25)EWA11 12.2(25)EWA7 12.2(25)EWA8 12.2(25)EWA14 12.2EX 12.2(35)EX 12.2(44)EX; Available on 26-JUN-2008 12.2EY 12.2(37)EY 12.2EZ Vulnerable; first fixed in 12.2SEE 12.2FX Vulnerable; first fixed in 12.2SEE 12.2FY Vulnerable; first fixed in 12.2SEG 12.2FZ Vulnerable; first fixed in 12.2SE 12.2(44)SE2 12.2IXA Vulnerable; migrate to any release in 12.2IXD 12.2IXB Not Vulnerable 12.2IXC Not Vulnerable 12.2IXD Not Vulnerable 12.2IXE Not Vulnerable 12.2IXF Not Vulnerable 12.2JA Vulnerable; first fixed in 12.3JA 12.2JK Vulnerable; first fixed in 12.4T 12.4(15)T5 12.2MB Vulnerable; first fixed in 12.2SW 12.2MC 12.2(15)MC2h 12.4(18b) 12.2S 12.2(14)S18 12.2(18)S13 12.2(20)S13 12.2(25)S11 12.2(31)SB12 12.2(33)SRC1 12.2SB 12.2(28)SB4 12.2(31)SB2 12.2(31)SB3x 12.2(31)SB12 12.2SBC Vulnerable; first fixed in 12.2SB 12.2(31)SB12 12.2SCA Not Vulnerable 12.2SE 12.2(35)SE 12.2(44)SE2 12.2SEA Vulnerable; first fixed in 12.2SEE 12.2SEB Vulnerable; first fixed in 12.2SEE 12.2SEC Vulnerable; first fixed in 12.2SEE 12.2SED Vulnerable; first fixed in 12.2SEE 12.2SEE 12.2(25)SEE3 12.2SEF 12.2(25)SEF2 12.2(44)SE2 12.2SEG 12.2(25)SEG2 12.2SG 12.2(25)SG1 12.2(31)SG1 12.2(31)SG2 12.2(37)SG 12.2(44)SG 12.2SGA Not Vulnerable 12.2SL Not Vulnerable 12.2SM 12.2(29)SM2 12.2(29)SM3 12.2SO 12.2(18)SO7 12.2(29)SVD1; Available on 13-JUN-2008 12.2SRA 12.2(33)SRA1 12.2SRB Not Vulnerable 12.2SRC Not Vulnerable 12.2SU Not Vulnerable 12.2SV 12.2(27)SV5 12.2(28)SV1 12.2(29)SV3 12.2(29a)SV1 12.2(29b)SV 12.2(29)SVD1; Available on 13-JUN-2008 12.2SVA Not Vulnerable 12.2SVC Not Vulnerable 12.2SVD Not Vulnerable 12.2SW 12.2(25)SW8 12.2SX Vulnerable; first fixed in 12.2SXF 12.2(18)SXF15; Available on 08-AUG-2008 12.2SXA Vulnerable; first fixed in 12.2SXF 12.2(18)SXF15; Available on 08-AUG-2008 12.2SXB Vulnerable; first fixed in 12.2SXF 12.2(18)SXF15; Available on 08-AUG-2008 12.2SXD 12.2(18)SXD7a 12.2(18)SXF15; Available on 08-AUG-2008 12.2SXE 12.2(18)SXE6a 12.2(18)SXF15; Available on 08-AUG-2008 12.2SXF 12.2(18)SXF10a 12.2(18)SXF12a 12.2(18)SXF6 12.2(18)SXF15; Available on 08-AUG-2008 12.2SXH Not Vulnerable 12.2SY Not Vulnerable 12.2SZ Vulnerable; first fixed in 12.2S 12.2(31)SB12 12.2(33)SRC1 12.2T Vulnerable; first fixed in 12.3 12.4(18b) 12.2TPC 12.2(8)TPC10b 12.2UZ Vulnerable; first fixed in 12.2SB 12.2(31)SB12 12.2XA Vulnerable; first fixed in 12.3 12.4(18b) 12.2XB Vulnerable; first fixed in 12.3 12.4(18b) 12.2XC Vulnerable; first fixed in 12.3T 12.4(18b) 12.2XD Vulnerable; first fixed in 12.3 12.4(18b) 12.2XE Vulnerable; first fixed in 12.3 12.4(18b) 12.2XF Vulnerable; first fixed in 12.3BC 12.2XG Vulnerable; first fixed in 12.3 12.4(18b) 12.2XH Vulnerable; first fixed in 12.3 12.4(18b) 12.2XI Vulnerable; first fixed in 12.3 12.4(18b) 12.2XJ Vulnerable; first fixed in 12.3 12.4(18b) 12.2XK Vulnerable; first fixed in 12.3 12.4(18b) 12.2XL Vulnerable; first fixed in 12.3 12.4(18b) 12.2XM Vulnerable; first fixed in 12.3 12.4(18b) 12.2XN 12.2(33)XN1 12.4(18b) 12.2XNA Not Vulnerable 12.2XO Not Vulnerable 12.2XQ Vulnerable; first fixed in 12.3 12.4(18b) 12.2XR Vulnerable; first fixed in 12.3 12.4(18b) 12.2XS Vulnerable; first fixed in 12.3 12.4(18b) 12.2XT Vulnerable; first fixed in 12.3 12.4(18b) 12.2XU Vulnerable; first fixed in 12.3 12.4(18b) 12.2XV Vulnerable; first fixed in 12.3 12.4(18b) 12.2XW Vulnerable; first fixed in 12.3 12.4(18b) 12.2YA 12.2(4)YA12 12.4(18b) 12.2YB Vulnerable; first fixed in 12.3 12.4(18b) 12.2YC Vulnerable; first fixed in 12.3 12.4(18b) 12.2YD Vulnerable; first fixed in 12.3T 12.4(18b) 12.2YE Not Vulnerable 12.2YF Vulnerable; first fixed in 12.3 12.4(18b) 12.2YG Vulnerable; first fixed in 12.3 12.4(18b) 12.2YH Vulnerable; first fixed in 12.3 12.4(18b) 12.2YJ Vulnerable; first fixed in 12.3 12.4(18b) 12.2YK Vulnerable; first fixed in 12.3T 12.4(18b) 12.2YL Vulnerable; first fixed in 12.3T 12.4(18b) 12.2YM Vulnerable; first fixed in 12.3T 12.4(18b) 12.2YN Vulnerable; first fixed in 12.3T 12.4(18b) 12.2YO Vulnerable; migrate to any release in 12.2SY 12.2(18)SXF15; Available on 08-AUG-2008 12.2YP Vulnerable; first fixed in 12.3 12.4(18b) 12.2YQ Vulnerable; first fixed in 12.3T 12.4(18b) 12.2YR Vulnerable; first fixed in 12.3T 12.4(18b) 12.2YS Vulnerable; first fixed in 12.3T 12.4(18b) 12.2YT Vulnerable; first fixed in 12.3 12.4(18b) 12.2YU Vulnerable; first fixed in 12.3T 12.4(18b) 12.2YV Vulnerable; first fixed in 12.3T 12.4(18b) 12.2YW Vulnerable; first fixed in 12.3T 12.4(18b) 12.2YX Not Vulnerable 12.2YY Vulnerable; first fixed in 12.3T 12.4(18b) 12.2YZ Vulnerable; first fixed in 12.2S 12.2(31)SB12 12.2(33)SRC1 12.2ZA Vulnerable; first fixed in 12.2SXF 12.2(18)SXF15; Available on 08-AUG-2008 12.2ZB Vulnerable; first fixed in 12.3T 12.4(18b) 12.2ZC Vulnerable; first fixed in 12.3T 12.4(18b) 12.2ZD Vulnerable; contact TAC 12.2ZE Vulnerable; first fixed in 12.3 12.4(18b) 12.2ZF Vulnerable; first fixed in 12.3T 12.4(18b) 12.2ZG Vulnerable; first fixed in 12.3YG 12.3(2)XA7 12.4(15)T5 12.4(18b) 12.2ZH 12.2(13)ZH9 12.2(13)ZH11 12.2ZJ Vulnerable; first fixed in 12.3T 12.4(18b) 12.2ZL Vulnerable; first fixed in 12.3T 12.4(15)T5 12.4(18b) 12.2ZP Vulnerable; first fixed in 12.3T 12.4(18b) 12.2ZU 12.2(18)ZU1 12.2(33)SXH3; Available on 03-JUL-2008 12.2ZY Not Vulnerable Affected 12.3-Based Releases First Fixed Release Recommended Release 12.3 12.3(17c) 12.3(18a) 12.3(19a) 12.3(20a) 12.3(21) 12.4(18b) 12.3B Vulnerable; first fixed in 12.3T 12.4(18b) 12.3BC 12.3(17b)BC3 12.3(21)BC 12.3BW Vulnerable; first fixed in 12.3T 12.4(18b) 12.3EU Not Vulnerable 12.3JA 12.3(11)JA 12.3(7)JA5 12.3(8)JA3; Available on 18-SEP-2008 12.3JEA Not Vulnerable 12.3JEB Not Vulnerable 12.3JEC Not Vulnerable 12.3JK 12.3(2)JK2 12.3(8)JK1 12.3(2)JK4; Available on 30-JUN-2008 12.3(8)JK2; Available on 30-JUN-2008 12.3JL 12.3(2)JL1 12.3(2)JL4 12.3JX Vulnerable; contact TAC 12.3(7)JX11 12.3T 12.3(11)T11 12.4(18b) 12.3TPC 12.3(4)TPC11b 12.3VA Vulnerable; contact TAC 12.3XA 12.3(2)XA6 12.3(2)XA7 12.3XB Vulnerable; first fixed in 12.3T 12.4(18b) 12.3XC 12.3(2)XC5 12.4(15)T5 12.4(18b) 12.3XD Vulnerable; first fixed in 12.3T 12.4(18b) 12.3XE 12.3(2)XE5 12.4(15)T5 12.4(18b) 12.3XF Vulnerable; first fixed in 12.3T 12.4(18b) 12.3XG Vulnerable; first fixed in 12.3YG 12.4(15)T5 12.4(18b) 12.3XH Vulnerable; first fixed in 12.3T 12.4(18b) 12.3XI 12.3(7)XI8a 12.3XJ Vulnerable; first fixed in 12.3YX 12.3(14)YX11 12.4(15)T5 12.3XK Vulnerable; first fixed in 12.3T 12.4(18b) 12.3XQ Vulnerable; first fixed in 12.4 12.4(18b) 12.3XR 12.3(7)XR7 12.4(15)T5 12.4(18b) 12.3XS Vulnerable; first fixed in 12.4 12.4(18b) 12.3XU Vulnerable; first fixed in 12.4T 12.4(15)T5 12.3XW Vulnerable; first fixed in 12.3YX 12.3(14)YX11 12.4(15)T5 12.3XY Vulnerable; first fixed in 12.3T 12.4(18b) 12.3YA Vulnerable; first fixed in 12.4 12.4(15)T5 12.4(18b) 12.3YD Vulnerable; first fixed in 12.4T 12.4(15)T5 12.3YF Vulnerable; first fixed in 12.3YX 12.3(14)YX11 12.4(15)T5 12.3YG 12.3(8)YG6 12.4(15)T5 12.3YH Vulnerable; first fixed in 12.4T 12.4(15)T5 12.3YI Vulnerable; first fixed in 12.4T 12.4(15)T5 12.3YJ Vulnerable; first fixed in 12.4T 12.4(15)T5 12.3YK 12.3(11)YK3 12.4(15)T5 12.3YM 12.3(14)YM8 12.3(14)YM12 12.3YQ Vulnerable; first fixed in 12.4T 12.4(15)T5 12.3YS 12.3(11)YS2 12.4(15)T5 12.3YT Vulnerable; first fixed in 12.4T 12.4(15)T5 12.3YU Vulnerable; first fixed in 12.4XB 12.3YX 12.3(14)YX4 12.3(14)YX11 12.3YZ 12.3(11)YZ2 Affected 12.4-Based Releases First Fixed Release Recommended Release 12.4 12.4(10) 12.4(3f) 12.4(5c) 12.4(7c) 12.4(8b) 12.4(18b) 12.4JA Not Vulnerable 12.4JK Not Vulnerable 12.4JMA Not Vulnerable 12.4JMB Not Vulnerable 12.4JMC Not Vulnerable 12.4JX Not Vulnerable 12.4MD Not Vulnerable 12.4MR 12.4(9)MR 12.4SW Not Vulnerable 12.4T 12.4(11)T 12.4(2)T6 12.4(4)T5 12.4(6)T4 12.4(9)T1 12.4(15)T5 12.4XA Vulnerable; first fixed in 12.4T 12.4(15)T5 12.4XB 12.4(2)XB3 12.4XC 12.4(4)XC5 12.4XD 12.4(4)XD4 12.4(15)T5 12.4XE 12.4(6)XE2 12.4(15)T5 12.4XF Not Vulnerable 12.4XG Not Vulnerable 12.4XJ Not Vulnerable 12.4XK Not Vulnerable 12.4XL Not Vulnerable 12.4XM Not Vulnerable 12.4XN Not Vulnerable 12.4XQ Not Vulnerable 12.4XT Not Vulnerable 12.4XV Not Vulnerable 12.4XW Not Vulnerable 12.4XY Not Vulnerable 12.4XZ Not Vulnerable Cisco CatOS The following table lists fixed Cisco Catalyst Operating System (CatOS) software. Affected Product Affected Release First Fixed Release Cisco Catalyst Operating System (CatOS) 6.x 6.4(23) 7.x 7.6(19) 8.5.x 8.5(7) 8.6.x 8.6(1) Cisco IOS XR The following table lists fixed Cisco IOS XR software. Cisco IOS XR Version SMU ID SMU Name 3.2.2 AA01681 hfr-base-3.2.2.CSCsf30109 3.2.3 AA01682 hfr-base-3.2.3.CSCsf30109 3.2.4 AA01683 hfr-base-3.2.4.CSCsf30109 3.2.6 AA01684 hfr-base-3.2.6.CSCsf30109 3.3.0 AA01685 hfr-base-3.3.0.CSCsf30109 3.3.0 AA01690 c12k-base-3.3.0.CSCsf30109 3.3.1 AA01686 hfr-base-3.3.1.CSCsf30109 3.3.1 AA01688 c12k-base-3.3.1.CSCsf30109 3.3.2 Not vulnerable Not vulnerable 3.4.x Not vulnerable Not vulnerable Cisco NX-OS The following table lists fixed Cisco NX-OS software. Affected Product Affected Release First Fixed Release Cisco NX-OS 4.0.(1)a 4.0.(2) Available June 2008 Cisco ACE Products The following table lists fixed Cisco Application Control Engine (ACE) software. Affected Product Affected Release First Fixed Release Cisco Application Control Engine (ACE) Module 3.0(0)A1(6.x) A2(1.0) A2(1.0a) A2(1.1) Cisco Application Control Engine (ACE) Appliance A1(7.0) A1(7.0a) A1(7.0b) A1(7.0c) A1(8.0) A1(8.0a) Cisco Application Control Engine (ACE) XML Gateway 4.x 5.x 6.0 6.0.1 Available June 2008 Cisco MDS software The following table lists fixed Cisco MDS Multilayer Switch software. Affected Product Affected Release First Fixed Release Cisco MDS 9000 2.1 3.0 3.2 3.4.1 Available June 2008 Top of the section Close Section Workarounds The following workarounds have been identified for these vulnerabilities. Infrastructure Access Control Lists Although it is often difficult to block traffic that transits a network, it is possible to identify traffic that should never be allowed to target infrastructure devices and block that traffic at the border of networks. Infrastructure Access Control Lists (iACLs) are a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for these specific vulnerabilities. The iACL example below should be included as part of the deployed infrastructure access-list which will protect all devices with IP addresses in the infrastructure IP address range: Note: UDP port 161 is applicable for all versions of SNMP. !--- Permit SNMP UDP 161 packets from !--- trusted hosts destined to infrastructure addresses. access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 161 !--- Deny SNMP UDP 161 packets from all !--- other sources destined to infrastructure addresses. access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 161 !--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance !--- with existing security policies and configurations !--- Permit all other traffic to transit the device. access-list 150 permit ip any any !--- Apply iACL to relevant interfaces interface serial 2/0 ip access-group 150 inThe white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists. This white paper can be obtained at the following link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml Control Plane Policing Control Plane Policing (CoPP) can be used to block untrusted SNMP access to the device. Cisco IOS software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP can be configured on a device to protect the management and control planes and minimize the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic that is sent to infrastructure devices in accordance with existing security policies and configurations. The following example, which uses 192.168.100.1 to represent a trusted host, can be adapted to your network. !--- Deny SNMP UDP traffic from trusted hosts to all IP addresses !--- configured on all interfaces of the affected device so that !--- it will be allowed by the CoPP feature access-list 111 deny udp host 192.168.100.1 any eq 161 !--- Permit all other SNMP UDP traffic sent to all IP addresses !--- configured on all interfaces of the affected device so that it !--- will be policed and dropped by the CoPP feature access-list 111 permit udp any any eq 161 !--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4 !--- traffic in accordance with existing security policies and !--- configurations for traffic that is authorized to be sent !--- to infrastructure devices !--- Create a Class-Map for traffic to be policed by !--- the CoPP feature class-map match-all drop-snmpv3-class match access-group 111 !--- Create a Policy-Map that will be applied to the !--- Control-Plane of the device. policy-map drop-snmpv3-traffic class drop-snmpv3-class drop !--- Apply the Policy-Map to the !--- Control-Plane of the device control-plane service-policy input drop-snmpv3-trafficIn the above CoPP example, the access control list entries (ACEs) that match the potential exploit packets with the "permit" action result in these packets being discarded by the policy-map "drop" function, while packets that match the "deny" action (not shown) are not affected by the policy-map drop function. Please note that the policy-map syntax is different in the 12.2S and 12.0S Cisco IOS trains: policy-map drop-snmpv3-traffic class drop-snmpv3-class police 32000 1500 1500 conform-action drop exceed-action dropAdditional information on the configuration and use of the CoPP feature is available at the following links: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper 0900aecd804fa16a.html and http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/ gtrtlimt.html Transit Access Control Lists Filters that deny SNMP packets using UDP port 161 should be deployed throughout the network as part of a Transit Access Control List (tACL) policy for protection of traffic that enters the network at ingress access points. This policy should be configured to protect the network device where the filter is applied and other devices behind it. Filters for SNMP packets that use UDP port 161 should also be deployed in front of vulnerable network devices so that traffic is only allowed from trusted clients. Additional information about tACLs is available in "Transit Access Control Lists: Filtering at Your Edge:" http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml Hardening Guide Statement Customers are advised to review the "Fortifying the Simple Network Management Protocol" section of the "Cisco Guide to Harden Cisco IOS Devices" for information on configuring an IOS device for SNMPv3 authentication and privacy: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#fortify Cisco IOS authPriv Configuration Enabling the SNMPv3 privacy subsystem (if it is not already in use) is a short-term workaround for users who are unable to upgrade in a timely fashion. This subsystem is used to encrypt SNMPv3 traffic using a shared secret. In Cisco IOS, administrators can enable this workaround by using the authPriv SNMPv3 feature. Only Cisco IOS crypto images can run the authPriv feature. Note: Ensure that the management application supports SNMPv3 authPriv before implementing this feature. Applied Mitigation Bulletin Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20080610-SNMPv3.shtml Top of the section Close Section Obtaining Fixed Software Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as o therwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. +1 800 553 2447 (toll free from within North America) +1 408 526 7209 (toll call from anywhere in the world) e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Top of the section Close Section Exploitation and Public Announcements Cisco is releasing this combined Cisco IOS and non-IOS product advisory out of our normal bi-yearly IOS security advisory cycle due to public disclosure of these vulnerabilities. Cisco is not aware of any malicious exploitation of these vulnerabilities. These vulnerabilities were reported to Cisco by Dr. Tom Dunigan of the University of Tennessee and Net-SNMP in cooperation with the CERT Coordination Center. Top of the section Close Section Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Top of the section Close Section Distribution This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. cust-security-announce@cisco.com first-teams@first.org bugtraq@securityfocus.com vulnwatch@vulnwatch.org cisco@spot.colorado.edu cisco-nsp@puck.nether.net full-disclosure@lists.grok.org.uk comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Top of the section Close Section Revision History Revision 1.0 2008-June-10 Initial public release [***** End Cisco Security Advisory Document ID: 107408 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Cisco for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) S-213: Nukedit 'email' Parameter Vulnerability S-214: SurgeMail and WebMail 'Page' Command Vulnerability S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability S-217: Drupal Multiple HTML Vulnerabilities S-218: gd Security Update S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability S-221: Learn2 STRunner ActiveX Control Vulnerabilities S-222: Evolution Security Update