ALERT-TSA03-008

TSA 03-008 - Cisco IOS Denial of Service Vulnerability


Alert Type: VULNERABILITY ALERT

Threat Type: Unintended Weakness: Denial of Service

TS Action Alert ID: TSA 03-008

IntelliShield ID: 6317
Version: 5

Urgency: 3 - Possible Use

Credibility: 5 - Confirmed

Severity: 4 - Moderate Damage

TEP: 4 - Hot

Universal: Yes


First Published: Jul 16, 2003; 09:44 PM EDT
Last Published: Jul 17, 2003; 06:34 PM EDT

Status: UPDATED

CVE: Not Available

Version Summary:
This is a TruSecure Action Alert. The TruSecure Research Team has determined that this vulnerability presents a serious threat to its clients and has provided additional information describing the Ballistic Threat of this vulnerability, as well as additional safeguards.


Description:
All Cisco routers and switches running Cisco IOS software and processing Internet Protocol Version 4 (IPv4) contain a remotely exploitable denial of service (DoS) vulnerability. Cisco routers are configured by default to process and accept IPv4 packets. When a special series of IPv4 packets is sent directly to the vulnerable device, the input interface queue is incorrectly flagged as full. Once the queue is flagged as full, the interface stops passing inbound traffic, which creates a DoS condition for all networks connected to the affected device. This could also cause routing protocol adjacencies to drop when their dead timers expire. Routers processing Internet Protocol version 6 (IPv6) only are not vulnerable.

A second vulnerability exists on Ethernet interfaces where Address Resolution Protocol (ARP) times out after four hours. After ARP times out, the router ceases to process traffic until the device is rebooted to clear the Input Queue on the interface. Once the Input Queue is clear, the device can be reloaded with user intervention. An attacker can perform this attack on all interfaces, preventing remote access to the device.

Updated software and a workaround are available.

Impact:
The first vulnerability could cause the input interface on the vulnerable device to stop processing inbound traffic. The second vulnerability causes ARP to time out and the device to stop processing traffic after the default timeout of four hours. An attacker can make the device remotely inaccessible by repeating the second attack on all interfaces. Both of these vulnerabilities deny service to all networks connected to the router until it has been manually reloaded.

Warning Indicators:
All Cisco devices running IOS and processing IPv4 traffic are vulnerable.

Administrators can execute the show interfaces command to determine if a device has been exploited. The device has been attacked if the preceding command indicates that the Input Queue is larger than the maximum queue size.

Technical Information:
A particular series of IPv4 packets can force a device running IOS to mark the Input Queue of an interface as full, which will cause the interface to stop passing inbound traffic. By default, the Input Queue size is 75, but it can be increased. It is important to note that this attack will not generate any warning indicators, such as alarms or an automatic reload. This is in contrast to earlier reports that indicated the device would reload on its own, but the Cisco advisory states that this is not the case. The affected device must be manually reloaded to clear the Input Queue and restore functionality.

The workaround of applying ACLs may already be in place on many security-conscious sites. Other sites may be affected because, due to service requirements, they cannot apply these highly restrictive ACLs. The application of such ACLs is heavily dependent on the environment, network and service requirements. Network administrators who cannot apply the workaround are advised to closely monitor their devices until they can be corrected. Administrators can determine if this exploit has occurred by using the show interface command and examining the Input Queue. If the current size of the queue (the first number) is larger than the maximum size setting (the second number), then the queue is blocked.


The following command will return the blocked interface information (substitute the interface name, e.g. 0/0):

    # show interface <interface>

    Input queue: #/#/#/# (size/max/drops/flushes); Total output drops: #
                 ^^^^^^^ ----- blocked when the first number (size) exceeds the second (max)
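As an added example (not part of the TruSecure alert or Cisco's advisory), the following Python script applies the check described above to saved "show interfaces" output: it parses the Input queue counters of every interface and reports those whose current size exceeds the configured maximum. The sample output it runs on is constructed, and the interface names and addresses in it are assumptions.

```python
import re

# Constructed sample of "show interfaces" output (not captured from a real device).
# Serial0/0 is healthy; Ethernet0/0 shows the blocked-queue signature described in
# the alert: the current queue size (first number) exceeds the maximum (second number).
SAMPLE_SHOW_INTERFACES = """\
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0000.0c12.3456 (bia 0000.0c12.3456)
  Internet address is 192.0.2.1/24
  Input queue: 76/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 0 bits/sec, 0 packets/sec
Serial0/0 is up, line protocol is up
  Hardware is HD64570
  Internet address is 198.51.100.1/30
  Input queue: 3/75/12/0 (size/max/drops/flushes); Total output drops: 4
  5 minute input rate 1000 bits/sec, 2 packets/sec
"""

# Interface header line, e.g. "Ethernet0/0 is up, line protocol is up".
_IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down)")
# Input-queue counters in the order size/max/drops/flushes.
_QUEUE_RE = re.compile(r"^\s*Input queue: (\d+)/(\d+)/(\d+)/(\d+)")


def parse_input_queues(show_output):
    """Return {interface: (size, max, drops, flushes)} from 'show interfaces' text."""
    queues = {}
    current = None
    for line in show_output.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _QUEUE_RE.match(line)
        if m and current:
            queues[current] = tuple(int(x) for x in m.groups())
    return queues


def blocked_interfaces(show_output):
    """Interfaces whose current input queue size exceeds the configured maximum.

    Per the alert this is the only visible indicator of a successful attack: the
    device raises no alarm and does not reload on its own.
    """
    return sorted(name for name, (size, maximum, _d, _f)
                  in parse_input_queues(show_output).items() if size > maximum)


if __name__ == "__main__":
    for name in blocked_interfaces(SAMPLE_SHOW_INTERFACES):
        print(f"{name}: input queue blocked, manual reload required")
```

Feed the script the output of "show interfaces" collected from each device on the monitoring schedule the alert recommends; an empty result means no interface shows the blocked signature.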

TruSecure Comments:
Affected IOS devices can pass the malicious packets without impact. It is only when the malicious packets reach a destination address of an affected device that the vulnerability occurs. This exemplifies how ACLs can provide a reliable defense against the vulnerability.

Possibly the most difficult aspect of defending against this vulnerability is identifying that a device has been exploited. An exploited device gives no outward signal, such as an alarm or system reload, that it is not functioning properly. This could make an exploit difficult to identify as the root cause of an unresponsive device. Administrators are encouraged to closely monitor their Cisco devices until the new version of IOS can be installed. This would not likely affect Cisco devices that are protected by ACLs or are not directly accessible. However, many sites, such as ISPs or sites that are poorly secured, allow remote users to ping their routers and obtain their IP addresses. This can allow an attacker to direct the exploit to that particular device. Sites that are secured and do not allow this direct connection to the device are less vulnerable. Additionally, the attack is only likely to result in a temporary DoS. It does not allow access, compromise of the device, or a long-term DoS.

The TruSecure Research Team has provided the following Risk Indices and their corresponding values:

Threat:
Currently Low, may rapidly trend to High --

TruSecure is currently unaware of the spreading of exploit code throughout the malicious community. However, the TruSecure Ballistic Threat Model shows a moderate-to-high likelihood of rapid threat growth. Exploit code may become available, and active exploitation could occur within a week. The creation of exploit code is of very high value within underground circles, and chatter regarding this vulnerability is high.

Vulnerability Prevalence:
Very High --

Virtually all Cisco routers, and perhaps Cisco Switches, are vulnerable, depending upon ACLs. ISPs are currently working to reduce the prevalence of the vulnerability outside of corporations, and will likely continue to do so over the next few days.

Cost:
Medium High --

The attack triggers a denial of service - Successful exploitation will result in a DoS condition on the router. This particular DoS attack is remarkable because it does not appear to require persistent traffic, as is normally the case. In this instance, relatively few packets can cause a DoS for several hours, creating the need for a reboot, which may require physical access to the device.

Targeting:
Generally, DoS attacks are not of interest to the attacking community, although the relatively few packets required for such a long DoS may generate significant interest among the hacker community. We expect that attackers will prioritize their targets in the following manner:

1. Infrastructure targets, such as Internet Service Providers' networks
2. Companies supporting politically unpopular issues
3. Larger technology and Internet players

Collateral Risk:
Expect that nearly every important router on the Internet will be rebooted with a new IOS between now and Monday. Expect intermittent outages related to route table errors, transit errors, and BGP table propagation disruption.

Safeguards:
Administrators should load the most current version of IOS onto affected devices.

Another option is to increase the size of the Input Queue, which will permit continued flow of traffic until the device can be reloaded.

Administrators can use ACLs on the router's interfaces to drop packets destined for the router's own IP addresses that do not originate from authorized sources.

The TruSecure Essential Configuration (TEC) for Cisco Routers, Section G, which is available via the TruSecure Customer web portal, should protect against this attack. Due to the emphasis TruSecure places on a default deny perimeter, TruSecure SAS clients who manage their own border routers and restrict IP access from the Internet to these devices should have relatively good protection in place.

Companies should ensure that their Internet border routers and their core infrastructure and business partner network routers are protected. It would also be prudent to ensure that IP addressable Catalyst switches are not currently Internet-accessible.

Vendor Announcements:
Cisco has released a security advisory, cisco-sa-20030717-blocked, at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

CERT has released an advisory and a vulnerability note at the following links, respectively:
CA-2003-15: http://www.cert.org/advisories/CA-2003-15.html
VU#411332: http://www.kb.cert.org/vuls/id/411332

Patches/Software:
Cisco customers with active contracts can obtain updates through the Software Center at the following link:
http://www.cisco.com/tacpage/sw-center/sw-lan.shtml. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209, or via e-mail at tac@cisco.com.

Alert History:
Version 4, July 17, 2003, 11:31 AM: Cisco has re-released a security advisory with additional information. CERT has also released an advisory and vulnerability note.

Version 3, July 17, 2003, 1:07 AM: Cisco has released a security advisory to address the denial of service vulnerability in IOS.

Version 2, July 16, 2003, 10:38 PM: Additional details regarding the denial of service (DoS) vulnerability are available.

Version 1, July 16, 2003, 9:44 PM: Increased chatter on the TruSecure Intelligence Network seems to indicate that a security issue in Cisco IOS has been identified, but not yet released to the public.

Product Sets:
The security vulnerability applies to the following combinations of products.

Primary Products:
[Cisco Systems] IOS: 11.1, 11.0, 11.1AA, 11.1CA, 11.1CC, 11.1CT, 11.1IA, 11.1R, 11.2, 11.2BC, 11.2F, 11.2P, 11.2XA, 11.3, 11.3AA, 11.3DB, 11.3HA, 11.3NA, 11.3T, 11.3XA, 12.0, 12.0, 12.0(19), 12.0S, 12.0(5)S, 12.0SC, 12.0SP, 12.0ST, 12.0(16)ST, 12.0T, 12.0XA, 12.0XB, 12.0XC, 12.0XD, 12.0XE, 12.0XG, 12.0XI, 12.0XK, 12.0XM, 12.0XQ, 12.0XR, 12.0XV, 12.1, 12.1, 12.1, 12.1(5a)E, 12.1(1)EX, 12.1(5c)EX, 12.1(8a)EX, 12.1(9)EX, 12.1CX, 12.1E, 12.1EC, 12.1T, 12.1(1)T, 12.1XB, 12.1XC, 12.1XF, 12.1XG, 12.1XH, 12.1XI, 12.1XJ, 12.1XK, 12.1XL, 12.1XM, 12.1XP, 12.1XQ, 12.1XT, 12.1XU, 12.1YB, 12.1YC, 12.1YD, 12.1YE, 12.1YF, 12.1YI, 12.2, 12.2, 12.2(1), 12.2(1)T, 12.2(1)S, 12.2.10a, 12.2B, 12.2BC, 12.2DA, 12.2DD, 12.2S, 12.2T, 12.2XA, 12.2XB, 12.2XD, 12.2XE, 12.2XF, 12.2XG, 12.2XH, 12.2XI, 12.2XJ, 12.2XK, 12.2XL, 12.2XM, 12.2XN, 12.2XQ, 12.2XR, 12.2XS, 12.2XT, 12.2XW, 12.2YA, 12.2YB, 12.2YC, 12.2YD, 12.2YF, 12.2YG, 12.2YH, 12.1EZ, 12.1YA, 12.1XV, 12.1XA, 12.1XD, 12.1XE, 12.1XR, 12.1XS, 12.1EY, 12.1DB, 12.1DC, 12.1OS, 12.0DA, 12.0SL, 12.0W5, 12.0XH, 12.0XJ, 12.1AA, 12.1DA, 12.0SX, 12.1EX, 12.1EA, 12.0SY, 12.0SZ, 12.0WC, 12.0WT, 12.1AX, 12.1AY, 12.1EB, 12.1EV, 12.1EW, 12.1YJ, 12.1YH, 12.2BW, 12.2BX, 12.2BZ, 12.2CX, 12.2CY, 12.2DX, 12.2JA, 12.2MB, 12.2MC, 12.2MX, 12.2SX, 12.2SY, 12.2SZ, 12.2XU, 12.2YJ, 12.2YT, 12.2YN, 12.2YO, 12.2XC, 12.2YP, 12.2YK, 12.2YL, 12.2YM, 12.2YU, 12.2YV, 12.2YQ, 12.2YR, 12.2YS, 12.2YW, 12.2YX, 12.2YY, 12.2YZ, 12.2ZA, 12.2ZB, 12.2ZC, 12.2ZD, 12.2ZE, 12.2ZF, 12.2ZG, 12.2ZH, 12.2ZJ, 12.2ZL

[TruSecure] Action Alert: Original Release

Communication:
Please contact your TruSecure analyst if you have any questions or if you see actual attempts to exploit this vulnerability.

TruSecure Corporation provides information security assurance services including TruSecure(R), which significantly reduces the likelihood of participating companies having information security breaches in six areas of risk: Electronic (hacking and related) risk, Malicious Code risk (virus, Trojan, worm and related), Privacy risk, Downtime risk, Physical risk and Human Factors risk. Visit Security Solutions for further information on these services.

Disclaimer:
Copyright (c) 2003 TruSecure Corporation. All rights reserved. This Alert is the property of the TruSecure Corporation. It may not be redistributed except within your own company or organization. This Alert is being provided for informational purposes only and is provided "AS IS." The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct.

Impenetrable security is unattainable in real world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security.

IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
---------------------------------------------------------------
Copyright @ 2003 by TruSecure: http://www.trusecure.com.