CERT-In Advisory
CIAD-2009-0047
Cisco IOS Multiple Vulnerabilities
Original Issue Date: October 07, 2009
Severity Rating: High
Systems Affected
- Cisco IOS 12.x
- Cisco IOS R12.x
- Cisco IOS XE 2.1.x
- Cisco IOS XE 2.2.x
- Cisco IOS XE 2.3.x
Overview
Multiple vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to cause a Denial of Service (DoS), bypass certain security restrictions, disclose sensitive information, or compromise a vulnerable device.
Description
1. IP Tunnels Remote Denial of Service Vulnerability (CVE-2009-2873)
This vulnerability exists in the Cisco Express Forwarding feature when a device is configured to use IP-based tunnels. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted malformed packets to the affected device. Such packets could cause the system to reload, resulting in a Denial of Service condition.
2. Crafted Encryption Packet Remote Denial of Service Vulnerability (CVE-2009-2871)
The vulnerability is due to an unspecified error that could occur when the vulnerable device handles encryption packets for SSL VPN, SSH, or IKE security nonces. An unauthenticated, remote attacker could send specially crafted packets to TCP port 22 (SSH), TCP port 443 (SSL VPN), or UDP ports 500 and 4500 (IKE Encrypted Nonces), which could cause the device to reload, resulting in a Denial of Service condition.
3. NTPv4 Remote Denial of Service Vulnerability (CVE-2009-2869)
Cisco IOS Software with support for Network Time Protocol (NTP) version 4 contains a vulnerability in the processing of specific NTP packets. An unauthenticated, remote attacker could send a crafted NTP packet to UDP port 123; the affected device attempts to create a reply packet, which in turn reloads the device, causing a Denial of Service (DoS) condition.
4. Zone-Based Policy Firewall Session Initiation Protocol Inspection Remote Denial of Service Vulnerability (CVE-2009-2867)
The vulnerability exists due to an unspecified error in the handling of transiting Session Initiation Protocol (SIP) packets on systems that are configured with Cisco IOS Zone-Based Policy Firewall SIP Inspection enabled. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted SIP packet through the affected firewall. When the affected device inspects the packet, the device may reload, resulting in a DoS condition.
5. Object Groups for Access Control Lists Security Bypass Vulnerability (CVE-2009-2862)
The vulnerability exists in the implementation of the Object Groups for Access Control Lists (ACLs) feature. An unauthenticated, remote attacker could make crafted requests to the affected device to bypass security ACLs and gain unauthorized access to protected networks.
6. Authentication Proxy Bypass Vulnerability (CVE-2009-2863)
This vulnerability is due to an error within the Cisco IOS Software authentication proxy feature. A race condition exists when processing requests to the proxy. An unauthenticated, remote attacker could exploit this vulnerability by sending a malicious request to the affected system while another proxy session is active. Upon successful exploitation, the attacker could establish a proxy session with the privileges of another user, which could allow the attacker to access restricted resources.
7. H.323 Remote Denial of Service Vulnerability (CVE-2009-2866)
H.323 is the ITU standard for real-time multimedia communications and conferencing over packet-based IP networks.
The vulnerability is in the H.323 processing component of the affected systems when it handles crafted H.323 packets on TCP port 1720. When the system tries to process these packets, it may reload, resulting in a DoS condition.
8. Internet Key Exchange Resource Exhaustion Vulnerability (CVE-2009-2868)
IKE is a key management protocol that implements the Oakley and SKEME key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework.
This vulnerability is due to an error that may occur when the IKE protocol is configured for certificate-based authentication. Crafted requests to the system could cause the system to expend all available Phase 1 security associations (SAs) that are used to create new IPsec sessions.
Successful exploitation leads to a DoS condition on IPsec, as no new IPsec sessions can be created until Phase 1 SAs have been de-allocated.
9. SIP Remote Denial of Service Vulnerability (CVE-2009-2870)
SIP is a popular signaling protocol that is used to manage voice and video calls across IP networks such as the Internet.
The vulnerability exists in the SIP processing component of the Cisco IOS Software when devices are running a Cisco IOS image that contains the Cisco Unified Border Element feature (a Cisco IOS Software image that runs on Cisco multiservice gateway platforms). This vulnerability is triggered by processing a series of crafted SIP messages sent to the affected system on TCP or UDP port 5060 or TCP port 5061, resulting in a DoS condition.
10. Bad Packet Tunnel-to-Tunnel Remote Denial of Service Vulnerability (CVE-2009-2872)
A tunnel protocol encapsulates a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link between internetworking devices over an IP network.
The vulnerability is in the Cisco Express Forwarding feature when a device is configured to use Generic Routing Encapsulation (GRE), IPinIP, Generic Packet Tunneling in IPv6, or IPv6 over IP tunnels.
An unauthenticated, remote attacker could exploit this vulnerability by sending crafted malformed packets to the affected device, causing the system to reload and resulting in a DoS condition.
Solution
The vendor has issued a fix. Details are available in the Cisco Security Advisory (see References).
Workaround
- Administrators may consider disabling Cisco Express Forwarding.
- Administrators may consider disabling all of the affected features.
- Administrators may mitigate this vulnerability for SSH by using access control lists (ACLs) in local firewalls to restrict access to TCP port 22 to trusted IP addresses.
- Administrators may consider disabling NTP.
- Administrators may consider using only broadcast-based association on affected systems.
- Administrators may consider enabling Unicast Reverse Path Forwarding (Unicast RPF) and implementing IP-based access control lists (ACLs) to restrict access to UDP port 123 to trusted systems.
- Administrators may consider disabling Cisco IOS Zone-Based Policy Firewall SIP inspection.
- Administrators may consider disabling the Object Groups for ACLs feature.
- Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks.
- Administrators may consider disabling Cisco Express Forwarding on tunnel interfaces.
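Several of the workarounds above (restricting TCP port 22 to trusted addresses, enabling Unicast RPF, restricting UDP port 123, and disabling Cisco Express Forwarding on tunnel interfaces) are visible in a device's running configuration. The following audit script is an added example, not part of this advisory or of any Cisco tooling: it parses a `show running-config` capture and reports which of those mitigations are missing. The two embedded configurations are constructed samples using documentation address ranges; the assumptions are that `no ip route-cache cef` is the per-interface command that disables CEF on a tunnel, that `access-class ... in` on the vty lines restricts SSH sources, that `ip verify unicast source reachable-via rx` enables Unicast RPF, and that `ntp access-group peer` limits NTP sources.

```python
# Constructed sample (not from the advisory): a device with none of the
# CIAD-2009-0047 workarounds applied. Addresses are documentation ranges.
WEAK_CONFIG = """\
version 12.4
ip cef
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.10
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
ntp server 192.0.2.20
line vty 0 4
 transport input ssh
end
"""

# Constructed sample: the same device after the workarounds are applied.
HARDENED_CONFIG = """\
version 12.4
ip cef
access-list 10 permit 192.0.2.20
access-list 20 permit 198.51.100.10
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.10
 no ip route-cache cef
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip verify unicast source reachable-via rx
ntp server 192.0.2.20
ntp access-group peer 10
line vty 0 4
 access-class 20 in
 transport input ssh
end
"""


def parse_blocks(config):
    """Split an IOS config into (top-level command, [indented sub-commands])."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # skip blank lines and comment banners
        if line.startswith(" "):
            if blocks:  # indented line belongs to the preceding top-level command
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit(config):
    """Return one finding string per missing mitigation; empty list if clean."""
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    findings = []
    cef_global = "ip cef" in headers  # CEF only matters if enabled globally
    for header, subs in blocks:
        if header.startswith("interface "):
            name = header.split(" ", 1)[1]
            if name.startswith("Tunnel"):
                # Workaround for item 10: CEF disabled on tunnel interfaces
                if cef_global and "no ip route-cache cef" not in subs:
                    findings.append(f"{name}: CEF still active on tunnel interface")
            elif not name.startswith("Loopback"):
                # Workaround for item 3: Unicast RPF on routed physical interfaces
                has_ip = any(s.startswith("ip address") for s in subs)
                has_urpf = any(s.startswith("ip verify unicast") for s in subs)
                if has_ip and not has_urpf:
                    findings.append(f"{name}: no Unicast RPF check")
        elif header.startswith("line vty"):
            # Workaround for item 2: SSH (TCP 22) limited to trusted sources
            if not any(s.startswith("access-class") and s.endswith(" in") for s in subs):
                findings.append(f"{header}: no access-class restricting SSH sources")
    # Workaround for item 3: NTP (UDP 123) limited to trusted sources
    uses_ntp = any(h.startswith(("ntp server", "ntp peer")) for h in headers)
    if uses_ntp and not any(h.startswith("ntp access-group") for h in headers):
        findings.append("ntp: no ntp access-group; UDP 123 reachable from any source")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

The parser relies only on IOS's one-space indentation of sub-commands, so it works on any text capture of the running configuration; to audit a real device, replace the constructed strings with the saved output of `show running-config`.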
Vendor Information
CISCO
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep09.html
References
CISCO
http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml
http://www.vupen.com/english/reference-2009-2759-5.php
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ios-fw.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ipsec.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-auth-proxy.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-sip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-tls.shtml
http://securitytracker.com/alerts/2009/Sep/1022935.html
VUPEN
http://www.vupen.com/english/advisories/2009/2759
Secunia
http://secunia.com/advisories/36835/
SecurityTracker
http://securitytracker.com/alerts/2009/Sep/1022930.html
http://securitytracker.com/alerts/2009/Sep/1022933.html
http://securitytracker.com/alerts/2009/Sep/1022934.html
CVE Name
CVE-2009-2862
CVE-2009-2863
CVE-2009-2866
CVE-2009-2867
CVE-2009-2868
CVE-2009-2869
CVE-2009-2870
CVE-2009-2871
CVE-2009-2872
CVE-2009-2873
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India