__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                      INFORMATION BULLETIN

       Cisco TCP Vulnerabilities in Multiple Cisco Products
[Cisco Security Advisory 50960: TCP Vulnerabilities in Multiple IOS-Based Products]
[Cisco Security Advisory 50961: TCP Vulnerabilities in Multiple Non-IOS Cisco Products]

April 21, 2004 01:00 GMT                                        Number O-124
[REVISED 22 Apr 2004]
[REVISED 23 Apr 2004]
[REVISED 26 Apr 2004]
[REVISED 30 Apr 2004]
[REVISED 5 May 2004]
[REVISED 17 May 2004]
[REVISED 18 Jun 2004]
[REVISED 14 Jul 2004]
[REVISED 06 Oct 2004]
[REVISED 1 Mar 2006]
[REVISED 10 Jan 2008]
______________________________________________________________________________
PROBLEM:       A vulnerability in the TCP protocol specification allows an
               intruder to terminate TCP sessions, causing a denial of
               service. By continually closing sessions, an intruder can
               prevent routers and other network devices from operating.
               This attack is only applicable to sessions that terminate on
               a device and not to sessions that pass through a device. The
               Border Gateway Protocol (BGP), which routers use to
               communicate routes among themselves, does terminate on each
               router and is susceptible. Because IOS FW firewalls examine
               individual packets, the sessions passing through the
               firewalls effectively terminate on the firewall and are
               susceptible.

PLATFORM:      All products which contain a TCP stack. All Cisco products
               and models are affected.

DAMAGE:        An intruder can cause a continuous denial of service on
               network devices and stop the operation of a network.

SOLUTION:      Apply the patches listed in the Cisco bulletins. There are no
               satisfactory workarounds for most systems, though
               anti-spoofing measures can mitigate the problem. For the BGP
               protocol, configuring the MD5 secret for peer-to-peer
               sessions blocks the attack.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An intruder can stop the operation of a
ASSESSMENT:    network by causing a continuous denial of service on the
               network devices.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-124.shtml
 ORIGINAL BULLETIN:  CISCO Security Advisory, Doc. ID 50960
                     http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml
                     CISCO Security Advisory, Doc. ID 50961
                     http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml
______________________________________________________________________________
REVISION HISTORY:

4/22/04 - revised to reflect the following changes:
  - CISCO #50960, rev. 1.1: Changes in some software version fixes.
    Workaround section, Packet rate limiting subsection: configuration
    changes.
  - CISCO #50961, rev. 1.1: Affected Products: added Catalyst 2948G-GE-TX.
    Changes in some software version fixes.
  See CISCO's Revision History sections for specific updated information.

4/23/04 - revised to reflect the following changes:
  - CISCO #50960, rev. 1.2: Software Versions and Fixes:
    - updated Cisco IOS Firewall table for 12.1E entry
    - updated Cisco IOS Software Releases and Migration Path table for
      entries 12.2SXA, 12.2SXB, 12.1EW, 12.2S, 12.3T, 12.2JA, 12.1EA.
  - CISCO #50961, rev. 1.2: Affected Products: updated BPX entry, and added
    CiscoSecure ACS for Windows and Unix and CiscoSecure ACS 1111
    Appliance. Software Versions and Fixes: added WAN Switching section in
    table.

4/26/04 - revised to reflect the following changes:
  - CISCO #50960, rev. 1.3: Workarounds: updated the command sequence for
    the "Configure anti-spoofing measures on the network edge" entry.
    Software Versions and Fixes:
    - updated Cisco IOS Software Releases and Migration Path table for
      entries 12.1AY, 12.2BX, 12.2XB, 12.2T, and 12.2SXB.
  - CISCO #50961, rev. 1.3: Affected Products (added):
    - CSS 11050, CSS 11100, CSS 11150, CSS 11500, and CSS11800.
    - GSS, CSM
    - Cisco Channel Interface Processor (CIP)
    - Cisco Channel Port Adapter (CPA)
    - Cisco Systems ESCON Channel Port Adapter (ECPA)
    - Cisco Systems Parallel Channel Port Adapter (PCPA)
    Workarounds: updated the command sequence to enable uRPF.
    Software Versions and Fixes: updated Network Storage section.

4/30/04 - revised to reflect the following changes:
  - CISCO #50960, rev. 1.5: Software Versions and Fixes:
    - updated entries: 12.1DA
    - new entries:
      > for 12.1 - 12.1(22b) and 12.1(22c)
      > for 12.2DA
      > for 12.3T - 12.3(4)T6
    - deleted entry: for 12.1 - 12.1(22a)
  - CISCO #50961, rev. 1.5: Software Versions and Fixes:
    - updated entry:
      > Security Products - Cisco PIX Firewall
    - new entry:
      > Optical Products - Cisco ONS 15501 Optical Transport Platform

5/4/04 - revised to reflect the following changes:
  - CISCO #50960, rev. 1.6: Software Versions and Fixes:
    - updated entries: 12.0W5 and 12.2SX
    Workarounds section: added new information about disabling TCP
    sequence randomization.
  - CISCO #50961, rev. 1.6: Software Versions and Fixes:
    - Security Products - Cisco PIX Firewall: added 3 new "Defect ID"
      entries

5/17/04 - revised to reflect the following changes:
  - CISCO #50960, rev. 1.7: Software Versions and Fixes:
    - updated the Fixed Cisco IOS Software Images for Cisco IOS Firewall
      table maintenance revisions for: 12.0(28), 12.0(27)S, 12.2(23,
      12.2(22)S, 12.3(6), and 12.2JA.
  - CISCO #50961, rev. 1.7: Affected Products:
    - added CiscoWorks Wireless LAN Solution Appliance.
    Software Versions and Fixes:
    - Security Products - LAN Switching: added the Catalyst 6500 Series SSL
      Services Module

6/18/04 - revised to reflect the following changes:
  - CISCO #50960, rev. 1.9: Software Release and Migration Path:
    - Updated Fixed Cisco IOS with a new line in section 12.0S.
  - CISCO #50960, rev. 1.8: Status changed to final.

7/14/04 - revised to reflect the following changes:
  - CISCO #50960, rev. 2.0: Software Release and Migration Path:
    - Updated Fixed Cisco IOS with a new line in section 12.0SL.

10/06/04 - revised to reflect the following changes:
  - CISCO #50961 (Non-IOS), rev. 2.1: Software Versions and Fixes:
    - Added Cisco SN5428 and SN5428-2 Storage Routers information under
      Network Storage heading.

12/29/05 - revised to reflect the following changes:
  - CISCO #50961 (Non-IOS), rev. 2.5:
    - Moved Cisco VPN 3000 Series Concentrators to the Affected Products
      section; added VPN Concentrators to the Software Versions and Fixes
      section.

03/01/06 - revised to reflect new CISCO information:
  - CISCO #50961 rev. 2.6:
    - Added release 4.1.7.K to list of fixed releases for the VPN 3000
      Series Concentrators.

01/10/08 - revised O-124 to reflect changes Cisco has made in Document ID:
  50961, where they removed CSCee07451 and CSCee07450 as Cisco FWSM itself
  is not affected. Added fixed software releases for the following MGX
  models: 8230, 8250, 8830, 8850 and 8950. MGX8220 reached End-of-Support.
  Added fixed software releases for BPX 8600 and IGX 8400.

[***** Start Cisco Security Advisory 50960: TCP Vulnerabilities in Multiple IOS-Based Products *****]

Cisco Security Advisory: TCP Vulnerabilities in Multiple IOS-Based Cisco Products

Document ID: 50960
Revision 2.9
Last Updated 2008 January 08 1500 UTC (GMT)
For Public Release 2004 April 20 21:00 UTC (GMT)
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
Contents

  Summary
  Affected Products
  Details
  Impact
  Software Versions and Fixes
  Obtaining Fixed Software
  Workarounds
  Exploitation and Public Announcements
  Status of This Notice: INTERIM
  Distribution
  Revision History
  Cisco Security Procedures
--------------------------------------------------------------------------------

Summary

A vulnerability in the Transmission Control Protocol (TCP) specification
(RFC793) has been discovered by an external researcher. Successful
exploitation enables an adversary to reset any established TCP connection in
a much shorter time than was previously discussed publicly. Depending on the
application, the connection may get automatically re-established. In other
cases, a user will have to repeat the action (for example, open a new Telnet
or SSH session). Depending upon the attacked protocol, a successful attack
may have additional consequences beyond the terminated connection, which must
be considered. This attack vector is only applicable to sessions which are
terminating on a device (such as a router, switch, or computer) and not to
sessions that are only passing through the device (for example, transit
traffic that is being routed by a router). In addition, this attack vector
does not directly compromise data integrity or confidentiality.

All Cisco products which contain a TCP stack are susceptible to this
vulnerability.

This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it
describes this vulnerability as it applies to Cisco products that run Cisco
IOS® software.

A companion advisory that describes this vulnerability for products that do
not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

Affected Products

Vulnerable Products

Products which contain a TCP stack are susceptible to this vulnerability.
All Cisco products and models are affected. The severity of the exposure
depends upon the protocols and applications that utilize TCP.

This attack vector is only applicable to sessions which are terminating on a
device (such as a router, switch, or computer), and not to sessions that are
only passing through the device (for example, transit traffic that is being
routed by a router).

Details

TCP is the transport layer protocol designed to provide connection-oriented
reliable delivery of a data stream. To accomplish this, TCP uses a mixture of
flags to indicate state and sequence numbers to identify the order in which
the packets are to be reassembled. TCP also provides a number, called an
acknowledgement number, that is used to indicate the sequence number of the
next packet expected. The packets are reassembled by the receiving TCP
implementation only if their sequence numbers fall within a range of the
acknowledgement number (called a "window"). The acknowledgement number is not
used in a packet with the reset (RST) flag set because a reset does not
expect a packet in return. The full specification of the TCP protocol can be
found at http://www.ietf.org/rfc/rfc0793.txt.

According to the RFC793 specification, it is possible to reset an established
TCP connection by sending a packet with the RST or synchronize (SYN) flag
set. In order for this to occur, the 4-tuple must be known or guessed (source
and destination IP address and ports) together with a sequence number.
However, the sequence number does not have to be an exact match; it is
sufficient to fall within the advertised window. This significantly decreases
the effort required by an adversary: the larger the window, the easier it is
to reset the connection. While source and destination IP addresses may be
relatively easy to determine, the source TCP port must be guessed. The
destination TCP port is usually known for all standard services (for example,
23 for Telnet, 80 for HTTP).
Cisco IOS software uses predictable ephemeral ports for known services with a
predictable increment (the next port which will be used for a subsequent
connection). These values, while constant for a particular Cisco IOS software
version and protocol, can vary from one release to another.

Here is an example of a normal termination of a TCP session:

    Host(1)                              Host(2)
       |                                    |
       |                                    |
       |     ACK ack=1001, window=5000      |
       |<-----------------------------------|
       |                                    |
       |              Host(1) is closing the session
       |     RST seq=1001                   |
       |----------------------------------->|
       |                                    |
                      Host(2) is closing the session

In addition, the following scenario is also permitted:

    Host(1)                              Host(2)
       |                                    |
       |                                    |
       |     ACK ack=1001, window=5000      |
       |<-----------------------------------|
       |                                    |
       |              Host(1) is closing the session
       |     RST seq=4321                   |
       |----------------------------------->|
       |                                    |
                      Host(2) is closing the session

Note how, in the second example, the RST packet was able to terminate the
session although the sequence number was not the next expected one (which is
1001). It was sufficient for the sequence number to fall within the
advertised "window". In this example, Host(2) was accepting sequence numbers
from 1001 to 6001, and 4321 is clearly within the acceptable range.

Cisco fixed this vulnerability in accordance with
http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt.

As a general rule, all protocols where a TCP connection stays established for
longer than one minute should be considered exposed.

The exposure on this vulnerability can be described as follows:

Cisco IOS - All devices running Cisco IOS software are vulnerable. Only TCP
sessions that are terminating on the device itself are affected, since this
vulnerability only affects the endpoints of a session. Sessions passing
through the device are vulnerable only if the originating or receiving device
is vulnerable, but they cannot be attacked on the router itself. This
vulnerability does not compromise data integrity or confidentiality. It only
affects availability.
This vulnerability is documented in the Cisco Bug Toolkit as Bug IDs
CSCed27956 (registered customers only) and CSCed38527 (registered customers
only).

Cisco IOS Firewall (IOS FW) - The Cisco IOS FW monitors packets passing
through the router and maintains the session state internally. This way, it
is possible to "open" required ports and allow traffic to pass, and then
close them after the session has finished. Since Cisco IOS FW intercepts and
examines all packets passing through the device, all TCP sessions passing
through the Cisco IOS FW are vulnerable to this attack. This is valid even if
the originating and receiving devices themselves are not vulnerable.

This vulnerability is documented in the Cisco Bug Toolkit as Bug ID
CSCed93836 (registered customers only).

Network Address Translation (NAT) - This vulnerability does not have any
effect on NAT. The NAT functionality simply rewrites ports and IP addresses.
This feature does not interpret TCP flags and therefore is not vulnerable to
this attack. However, the attacking packet will be passed through the router
and the receiving device can be affected.

Impact

The impact will be different for each specific protocol. While in the
majority of cases a TCP connection will be automatically re-established, in
some specific protocols a second order of consequences may have a larger
impact than tearing down the connection itself.

Border Gateway Protocol (BGP)

The Cisco PSIRT has identified BGP as the protocol which has the greatest
potential for impact. Both external and internal (eBGP and iBGP) sessions are
equally vulnerable. If an adversary tears down a BGP session between two
routers, then all routes which were advertised between these two peers will
be withdrawn. This would occur immediately for the router which has been
attacked and after the next update/keepalive packet is sent by the other
router. The BGP peering session itself will be re-established within a minute
after the attack.
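The two diagrams above show the rule that makes the attack cheap: any RST whose sequence number lands inside the advertised window is honoured. The following Python model (an added example, not code from the advisory or from Cisco) puts the RFC 793 acceptance rule next to the rule from the tcpsecure draft the advisory says the fix follows, where only an RST at exactly RCV.NXT resets and an in-window but inexact one is answered with a challenge ACK instead. The numbers are the diagram's (next expected 1001, window 5000); the function names are this example's own.

```python
"""RST acceptance under RFC 793 versus the tcpsecure rule (added example)."""

MODULUS = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptance test for a segment carrying no data:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2^32 so the
    comparison still works when the sequence space wraps."""
    return (seq - rcv_nxt) % MODULUS < rcv_wnd


def rfc793_rst(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Behaviour the advisory describes: an RST anywhere inside the
    advertised window tears the connection down."""
    return "reset" if seq_in_window(seq, rcv_nxt, rcv_wnd) else "dropped"


def tcpsecure_rst(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Hardened rule from draft-ietf-tcpm-tcpsecure (later RFC 5961):
    only an RST whose sequence number equals RCV.NXT resets.  An in-window
    but inexact RST provokes a challenge ACK; the genuine peer answers it
    with a correctly numbered RST, while a third party that cannot see the
    connection never learns the value.  Everything else is dropped."""
    if seq == rcv_nxt:
        return "reset"
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "dropped"


def rst_guess_space(rcv_wnd: int) -> int:
    """Risk sizing for the advisory's point that 'the larger the window,
    the easier': how many disjoint windows of this size tile the 32-bit
    sequence space.  Under the tcpsecure rule the relevant figure is the
    full 2^32 again, because only one exact value is accepted."""
    return -(-MODULUS // rcv_wnd)  # ceiling division


if __name__ == "__main__":
    rcv_nxt, rcv_wnd = 1001, 5000  # values from the advisory's diagram
    for seq in (1001, 4321, 9000):
        print(f"RST seq={seq}: RFC793={rfc793_rst(seq, rcv_nxt, rcv_wnd)}"
              f"  tcpsecure={tcpsecure_rst(seq, rcv_nxt, rcv_wnd)}")
    print("windows of 5000 covering the sequence space:", rst_guess_space(rcv_wnd))
```

The window test uses modular distance rather than two comparisons so that it is correct across the 2^32 wrap, which is exactly the case a naive `rcv_nxt <= seq < rcv_nxt + rcv_wnd` gets wrong.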
Depending upon the exact routing configuration, withdrawal of the routes may
have any of the following consequences:

  - No adverse effects at all, if an appropriate static route(s) has (have)
    been defined on both sides of the affected session.
  - The traffic will be rerouted along other paths. This may cause some
    congestion along these paths.
  - A portion of the network will be completely isolated and unreachable.

If a BGP peering session is broken a few times within a short time interval,
then BGP route dampening may be invoked. Dampening means that affected routes
will be withdrawn from the Internet routing table for some period of time. By
default that time is 45 minutes. During that time, all of the traffic whose
route was advertised over the attacked BGP session will either be rerouted or
a portion of the network will be unreachable. Route dampening is not enabled
by default.

Cisco IOS Firewall Feature Set

It is possible to terminate an established TCP-based connection even if both
endpoints are not vulnerable to this attack.

Software Versions and Fixes

Be advised that Cisco released multiple advisories on 2004-April-20. When
considering software upgrades, please also consult
http://www.cisco.com/warp/public/707/advisory.html and any subsequent
advisories to determine exposure and a complete upgrade solution.

Each row of the table describes a release train and the platforms or products
for which it is intended. If a given release train is vulnerable, then the
earliest possible releases that contain the fix and the anticipated date of
availability for each are listed in the Rebuild, Interim, and Maintenance
columns. In some cases, no rebuild of a particular release is planned; this
is marked with the label "Not scheduled."
A device running any release in the given train that is earlier than the
release in a specific column (less than the earliest fixed release) is known
to be vulnerable, and it should be upgraded at least to the indicated release
or a later version (greater than the earliest fixed release label). When
selecting a release, keep in mind the following definitions:

  Maintenance
    Most heavily tested and highly recommended release of any label in a
    given row of the table.

  Rebuild
    Constructed from the previous maintenance or major release in the same
    train, it contains the fix for a specific vulnerability. Although it
    receives less testing, it contains only the minimal changes necessary
    to effect the repair. Cisco has made available several rebuilds of
    mainline trains to address this vulnerability, but strongly recommends
    running only the latest maintenance release on mainline trains.

  Interim
    Built at regular intervals between maintenance releases and receives
    less testing. Interims should be selected only if there is no other
    suitable release that addresses the vulnerability, and interim images
    should be upgraded to the next available maintenance release as soon
    as possible. Interim releases are not available through manufacturing,
    and usually they are not available for customer download from CCO
    without prior arrangement with the Cisco Technical Assistance Center
    (TAC).

In all cases, customers should exercise caution to be certain the devices to
be upgraded contain sufficient memory and that current hardware and software
configurations will continue to be supported properly by the new release. If
the information is not clear, contact the Cisco TAC for assistance, as shown
in the section following this table.
Fixed Cisco IOS Software Images for Cisco IOS Firewall

Major Release   Availability of Repaired Releases* (Rebuild / Interim** / Maintenance)

Affected 12.1-Based Releases
  12.1      12.1(22c)
  12.1E     12.1(19)E7   12.1(13)E14

Affected 12.2-Based Releases
  12.2      12.2(21b)   12.2(23a)
  12.2T     12.2(11)T11   12.2(13)T12   12.2(15)T12

Affected 12.3-Based Releases
  12.3      12.3(5c)   12.3(6a)
  12.3T     12.3(4)T4

Fixed Cisco IOS Software Releases and Migration Path

Major Release   Availability of Repaired Releases* (Rebuild / Interim** / Maintenance)

Affected 11.1-Based Releases
  11.1      11.1 Vulnerable. Migrate to 11.2
  11.1AA    11.1AA Vulnerable. Migrate to 11.2P
  11.1CC    11.1CC Vulnerable. Migrate to 12.0

Affected 11.2-Based Releases
  11.2      11.2(26f) Available on 2004-Apr-21
  11.2P     11.2(26)P6 Available on 2004-Apr-21
  11.2SA    11.2(8)SA6

Affected 11.3-Based Releases
  11.3      11.3 Vulnerable. Migrate to 12.0   11.3(11b)T4 Available on 2004-Apr-21   11.3(11e) Available on 2004-Apr-21

Affected 12.0-Based Releases
  12.0      12.0(28)
  12.0DA    12.0DA Vulnerable. Migrate to 12.2DA
  12.0DB    12.0DB Vulnerable. Migrate to 12.1DB
  12.0DC    12.0DC Vulnerable. Migrate to 12.1DC
  12.0S     12.0(21)S8   12.0(27)S   12.0(26)S2   12.0(16)S11   12.0(24)S5   12.0(25)S3   12.0(23)S6
  12.0SL    12.0SL Vulnerable. Migrate to 12.0(23)S6
  12.0ST    12.0ST Vulnerable. Migrate to 12.0(26)S2
  12.0SX    12.0(25)SX4 Not built - contact TAC
  12.0SZ    12.0SZ Vulnerable. Migrate to 12.0(26)S2
  12.0T     12.0T Vulnerable. Migrate to 12.1
  12.0W5    12.0(25)W5(27b) Available 2004-May
  12.0WC    12.0(5)WC9a Available on 2004-Apr-21
  12.0WT    12.0(13)WT Vulnerable. End of Engineering
  12.0WX    12.0(4)WX Vulnerable. Migrate to 12.0W5
  12.0XA    12.0(1)XA Vulnerable. Migrate to 12.1 Latest
  12.0XB    12.0(1)XB Vulnerable. Migrate to 12.2(15)T12
  12.0XC    12.0(2)XC Vulnerable. Migrate to 12.1 Latest
  12.0XD    12.0(2)XD Vulnerable. Migrate to 12.1 Latest
  12.0XE    12.0(7)XE Vulnerable. Migrate to 12.1E Latest
  12.0XG    12.0(3)XG Vulnerable. Migrate to 12.1 Latest
  12.0XH    12.0(4)XH Vulnerable. Migrate to 12.1
  12.0XI    12.0(4)XI Vulnerable. Migrate to 12.1
  12.0XJ    12.0(4)XJ Vulnerable. Migrate to 12.1 Latest
  12.0XK    12.0(7)XK Vulnerable. Migrate to 12.1T Latest
  12.0XL    12.0(4)XL Vulnerable. Migrate to 12.2 Latest
  12.0XM    12.0(4)XM Vulnerable. Migrate to 12.2(15)T12
  12.0XN    12.0(5)XN Vulnerable. Migrate to 12.1 Latest
  12.0XP    12.0(5.1)XP Vulnerable. Migrate to 12.0(5)WC9a
  12.0XQ    12.0(5)XQ Vulnerable. Migrate to 12.1 Latest
  12.0XR    12.0(7)XR Vulnerable. Migrate to 12.2 Latest
  12.0XS    12.0(5)XS Vulnerable. Migrate to 12.1E Latest
  12.0XU    12.0(5)XU Vulnerable. Migrate to 12.0(5)WC
  12.0XV    12.0(7)XV Vulnerable. Migrate to 12.2(15)T12

Affected 12.1-Based Releases
  12.1      12.1(20a)   12.1(4c)   12.1(22b) Without IOS FW fix   12.1(22c) With IOS FW fix
  12.1AA    12.1(10)AA Vulnerable. Migrate to 12.2 Latest
  12.1AX    12.1(14)AX
  12.1AY    12.1(13)AY Vulnerable. Migrate to 12.1EA
  12.1DA    12.1DA Vulnerable. Migrate to 12.2DA
  12.1DB    12.1(5)DB Vulnerable. Migrate to 12.2B
  12.1E     12.1(19)E7   12.1(22)E1   12.1(11b)E14   12.1(20)E2   12.1(19)E6   12.1(13)E13 Without IOS FW fix   12.1(8b)E18   12.1(14)E10   12.1(13)E14 With IOS FW fix
  12.1EA    12.1(19)EA1b (Catalyst 3560 only)   12.1(19)EA1c (Catalyst 2940, 2950, 2950-LRE, 2955, 2970, 3550, 3560, and 3750)
  12.1EB    12.1(20)EB
  12.1EC    12.1(20)EC
  12.1EO    12.1(20)EO   12.1(19)EO2 Available on 2004-Apr-25
  12.1EU    12.1(20)EU
  12.1EV    12.1(12c)EV Vulnerable. Migrate to 12.2(RLS4)S
  12.1EW    12.1(20)EW2
  12.1EX    12.1EX Vulnerable. Migrate to 12.1(14)E
  12.1EY    12.1(10)EY Vulnerable. Migrate to 12.1(14)E
  12.1T     12.1(5)T17
  12.1XA    12.1(1)XA Vulnerable. Migrate to 12.1(5)T18
  12.1XB    12.1(1)XB Vulnerable. Migrate to 12.2(15)T12
  12.1XC    12.1(1)XC Vulnerable. Migrate to 12.2
  12.1XD    12.1(1)XD Vulnerable. Migrate to 12.2
  12.1XE    12.1(1)XE Vulnerable. Migrate to 12.1E Latest
  12.1XF    12.1(2)XF Vulnerable. Migrate to 12.2(15)T12
  12.1XG    12.1(3)XG Vulnerable. Migrate to 12.2(15)T12
  12.1XH    12.1(2a)XH Vulnerable. Migrate to 12.2
  12.1XI    12.1(3a)XI Vulnerable. Migrate to 12.2 Latest
  12.1XJ    12.1(3)XJ Vulnerable. Migrate to 12.2(15)T12
  12.1XL    12.1(3)XL Vulnerable. Migrate to 12.2T Latest
  12.1XM    12.1(5)XM Vulnerable. Migrate to 12.2T Latest
  12.1XP    12.1(3)XP Vulnerable. Migrate to 12.2(15)T12
  12.1XQ    12.1(3)XQ Vulnerable. Migrate to 12.2T Latest
  12.1XR    12.1(5)XR Vulnerable. Migrate to 12.2T Latest
  12.1XT    12.1(3)XT Vulnerable. Migrate to 12.2(15)T12
  12.1XU    12.1(5)XU Vulnerable. Migrate to 12.2T Latest
  12.1XV    12.1(5)XV Vulnerable. Migrate to 12.2XB
  12.1YA    12.1(5)YA Vulnerable. Migrate to 12.2(8)T
  12.1YB    12.1(5)YB Vulnerable. Migrate to 12.2(15)T12
  12.1YC    12.1(5)YC Vulnerable. Migrate to 12.2(15)T12
  12.1YD    12.1(5)YD Vulnerable. Migrate to 12.2(8)T
  12.1YE    12.1(5)YE5 Vulnerable. Migrate to 12.2(2)YC
  12.1YF    12.1(5)YF2 Vulnerable. Migrate to 12.2(2)YC
  12.1YH    12.1(5)YH2 Vulnerable. Migrate to 12.2(13)T
  12.1YI    12.1(5)YI2 Vulnerable. Migrate to 12.2(2)YC
  12.1YJ    12.1(11)YJ Vulnerable. Migrate to 12.1EA Latest

Affected 12.2-Based Releases
  12.2      12.2(19b)   12.2(16f)   12.2(21a)   12.2(23)   12.2(12i)   12.2(10g)   12.2(13e)   12.2(17d)   12.2(21b)   12.2(23a)
  12.2B     12.2(2)B - 12.2(4)B7 Vulnerable. Migrate to 12.2(13)T12   12.2(4)B8 AND FWD Vulnerable. Migrate to 12.3(5a)B1
  12.2BC    12.2(15)BC1C
  12.2BW    12.2(4)BW Vulnerable. Migrate to 12.2(15)T12
  12.2BX    12.2(16)BX3 Available mid-May
  12.2BY    12.2(4)BY Vulnerable. Migrate to 12.2(15)B   12.2(8)BY Vulnerable. Migrate to 12.2(8)ZB   12.2(2)BY Vulnerable. Migrate to 12.2(8)BZ
  12.2BZ    12.2(15)BZ Vulnerable. Migrate to 12.2(16)BX
  12.2CX    12.2(11)CX Vulnerable. Migrate to 12.2(15)BC
  12.2CY    12.2(11)CY Vulnerable. Migrate to 12.2(13)BC1C
  12.2DA    12.(12)DA6 Available 2004-May-13
  12.2DD    12.2DD Vulnerable. Migrate to 12.2(4)B1
  12.2DX    12.2(1)DX Vulnerable. Migrate to 12.2DD   12.2(2)DX Vulnerable. Migrate to 12.2B Latest
  12.2EW    12.2(18)EW
  12.2JA    12.2(11)JA3   12.2(13)JA4   12.2(15)JA
  12.2MC    12.2(15)MC1B
  12.2S     12.2(22)S   12.2(14)S7   12.2(20)S1   12.2(20)S3 Available on 2004-May-25   12.2(18)S3
  12.2SE    12.2(18)SE
  12.2SW    12.2(21)SW
  12.2SX    12.2(17a)SX2 Without IOS FW fix, 12.2(17a)SX4 With IOS FW fix
  12.2SXA   12.2(17b)SXA2
  12.2SXB   12.2(17d)SXB1 With IOS FW fix   12.2(17d)SXB Without IOS FW fix
  12.2SY    12.2(14)SY3
  12.2SZ    12.2(14)SZ6
  12.2T     12.2(15)T11   12.2(13)T12 With IOS FW fix   12.2(11)T11 Available on 2004-Apr-26   12.2(13)T11 Without IOS FW fix
  12.2XA    12.2(2)XA Vulnerable. Migrate to 12.2(11)T
  12.2XB    12.2(2)XB Vulnerable. Migrate to 12.3
  12.2XC    12.2(2)XC Vulnerable. Migrate to 12.2(8)ZB
  12.2XD    12.2(1)XD Vulnerable. Migrate to 12.2(15)T12
  12.2XE    12.2(1)XE Vulnerable. Migrate to 12.2(15)T12
  12.2XF    12.2(1)XF1 Vulnerable. Migrate to 12.2(4)BC1C
  12.2XG    12.2(2)XG Vulnerable. Migrate to 12.2(8)T
  12.2XH    12.2(2)XH Vulnerable. Migrate to 12.2(15)T12
  12.2XI    12.2(2)XI2 Vulnerable. Migrate to 12.2(15)T12
  12.2XJ    12.2(2)XJ Vulnerable. Migrate to 12.2(13)T12
  12.2XK    12.2(2)XK Vulnerable. Migrate to 12.2(15)T12
  12.2XL    12.2(4)XL Vulnerable. Migrate to 12.2(15)T12
  12.2XM    12.2(4)XM Vulnerable. Migrate to 12.2(15)T12
  12.2XN    12.2(2)XN Vulnerable. Migrate to 12.2(11)T
  12.2XQ    12.2(2)XQ Vulnerable. Migrate to 12.2(15)T12
  12.2XS    12.2(1)XS Vulnerable. Migrate to 12.2(11)T
  12.2XT    12.2(2)XT Vulnerable. Migrate to 12.2(11)T
  12.2XU    12.2(2)XU Vulnerable. Migrate to 12.2(15)T12
  12.2XW    12.2(4)XW Vulnerable. Migrate to 12.2(13)T12
  12.2YA    12.2(4)YA Vulnerable. Migrate to 12.2(15)T12
  12.2YB    12.2(4)YB Vulnerable. Migrate to 12.2(15)T12
  12.2YC    12.2(2)YC Vulnerable. Migrate to 12.2(11)T11
  12.2YD    12.2(8)YD Vulnerable. Migrate to 12.2(8)YY
  12.2YE    12.2(9)YE Vulnerable. Migrate to 12.2S
  12.2YF    12.2(4)YF Vulnerable. Migrate to 12.2(15)T12
  12.2YG    12.2(4)YG Vulnerable. Migrate to 12.2(13)T12
  12.2YH    12.2(4)YH Vulnerable. Migrate to 12.2(15)T12
  12.2YJ    12.2(8)YJ Vulnerable. Migrate to 12.2(15)T12
  12.2YK    12.2(2)YK Vulnerable. Migrate to 12.2(13)ZC
  12.2YL    12.2(8)YL Vulnerable. Migrate to 12.3(2)T
  12.2YM    12.2(8)YM Vulnerable. Migrate to 12.3(2)T
  12.2YN    12.2(8)YN Vulnerable. Migrate to 12.3(2)T
  12.2YO    12.2(9)YO Vulnerable. Migrate to 12.2(14)SY
  12.2YP    12.2(11)YP Vulnerable. Migrate to 12.2T Latest
  12.2YQ    12.2(11)YQ Vulnerable. Migrate to 12.3(2)T
  12.2YR    12.2(11)YR Vulnerable. Migrate to 12.3(2)T
  12.2YS    12.2(11)YS Vulnerable. Migrate to 12.3T
  12.2YT    12.2(11)YT Vulnerable. Migrate to 12.2(15)T
  12.2YU    12.2(11)YU Vulnerable. Migrate to 12.3(2)T
  12.2YV    12.2(11)YV Vulnerable. Migrate to 12.3(4)T
  12.2YW    12.2(8)YW Vulnerable. Migrate to 12.3(2)T
  12.2YX    12.2(11)YX Vulnerable. Migrate to 12.2(RLS3)S
  12.2YY    12.2(8)YY Vulnerable. Migrate to 12.3(1)T
  12.2YZ    12.2(11)YZ Vulnerable. Migrate to 12.2(14)SZ
  12.2ZA    12.2(14)ZA6
  12.2ZB    12.2(8)ZB Vulnerable. Migrate to 12.3T
  12.2ZC    12.2(13)ZC Vulnerable. Migrate to 12.3T
  12.2ZD    12.2(13)ZD1
  12.2ZE    12.2(13)ZE Vulnerable. Migrate to 12.3
  12.2ZF    12.2(13)ZF Vulnerable. Migrate to 12.3(4)T
  12.2ZG    12.2(13)ZG Vulnerable. Migrate to 12.3(4)T
  12.2ZH    12.2(13)ZH Vulnerable. Migrate to 12.3(4)T
  12.2ZI    12.2(11)ZI Vulnerable. Migrate to 12.2(18)S
  12.2ZJ    12.2(15)ZJ5   12.2(15)ZJ4
  12.2ZK    12.2(15)ZK Vulnerable. Migrate to 12.3T
  12.2ZL    12.2(15)ZL Vulnerable. Migrate to 12.3(7)T
  12.2ZN    12.2(15)ZN Vulnerable. Migrate to 12.3(2)T
  12.2ZP    12.2(13)ZP3

Affected 12.3-Based Releases
  12.3      12.3(3e)   12.3(6)   12.3(5b)
  12.3B     12.3(5a)B   12.3(3)B1
  12.3BW    12.3(1a)BW Vulnerable. Migrate to 12.3B
  12.3T     12.3(2)T4   12.3(7)T1 Available on 2004-Apr-26   12.3(4)T3   12.3(4)T6 With IOS FW fix, available 2004-May-31
  12.3XA    12.3(2)XA Vulnerable. Contact TAC.
  12.3XB    12.3(2)XB2
  12.3XC    12.3(2)XC2
  12.3XD    12.3(4)XD1
  12.3XE    12.3(2)XE Vulnerable. Migrate to 12.3T
  12.3XF    12.3(2)XF Vulnerable. Contact TAC if needed.
  12.3XG    12.3(4)XG
  12.3XH    12.3(4)XH
  12.3XI    12.3(7)XI Vulnerable. Migrate to 12.3T
  12.3XJ    12.3(7)XJ Vulnerable. Contact TAC if needed.
  12.3XK    12.3(4)XK
  12.3XL    12.3(7)XL Vulnerable. Contact TAC if needed.
  12.3XM    12.3(9)XM Vulnerable. Contact TAC if needed.
  12.3XN    12.3(4)XN Vulnerable. Contact TAC if needed.
  12.3XQ    12.3(4)XQ Vulnerable. Contact TAC if needed.

* All dates are estimated and subject to change.
** Interim releases are subjected to less rigorous testing than regular
   maintenance releases, and may have serious bugs.

Obtaining Fixed Software

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades should
be obtained through the Software Center on Cisco's worldwide website at
http://www.cisco.com.

Customers using Third-party Support Organizations

Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with the upgrade, which should be free of
charge.

Customers without Service Contracts

Customers who purchase direct from Cisco but who do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful at obtaining fixed software through their point of sale, should
get their upgrades by contacting the Cisco Technical Assistance Center (TAC).
TAC contacts are as follows.

  +1 800 553 2447 (toll free from within North America)
  +1 408 526 7209 (toll call from anywhere in the world)
  e-mail: tac@cisco.com

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized telephone
numbers and instructions and e-mail addresses for use in various languages.

Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades for
non-contract customers must be requested through the TAC.
Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com"
for software upgrades.

Workarounds

The effectiveness of any workaround is dependent on specific customer
situations such as product mix, network topology, traffic behavior, and
organizational mission. Due to the variety of affected products and releases,
customers should consult with their service provider or support organization
to ensure any applied workaround is the most appropriate for use in the
intended network before it is deployed.

There are no workarounds available to mitigate the effects of this
vulnerability on Cisco IOS Firewall.

For BGP, we will present the workaround and only a few mitigation techniques.
For additional information regarding BGP security risk assessment, mitigation
techniques, and deployment best practices, please consult
ftp://ftp-eng.cisco.com/cons/isp/security/BGP-Risk-Assesment-v.pdf.

BGP MD5 secret

The workaround for BGP is to configure an MD5 secret for each session between
peers. This can be configured as shown in the following example:

    router(config)#router bgp
    router(config-router)#neighbor password

It is necessary to configure the same shared MD5 secret on both peers and at
the same time. Failure to do so will break the existing BGP session, and the
new session will not get established until the exact same secret is
configured on both devices. For a detailed discussion on how to configure
BGP, refer to the following document:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca571.html

Once the secret is configured, it is prudent to change it periodically. The
exact period must fit within your company security policy, but it should not
be longer than a few months. When changing the secret, again it must be done
at the same time on both devices. Failure to do so will break your existing
BGP session.
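What the "neighbor ... password" command turns on is the TCP MD5 signature option (RFC 2385): every segment of the BGP session carries an MD5 digest over the segment and a shared secret, and the receiver discards any segment whose digest does not verify. The Python below is an added example, not Cisco's or the advisory's code, that signs and verifies segments the way RFC 2385 specifies, so you can see why a reset from a sender that does not hold the secret is dropped before it can touch the session, and why both peers must carry the same secret. Addresses, ports, the secret and the KEEPALIVE payload are constructed sample values; the function names are this example's own.

```python
"""TCP MD5 signature option (RFC 2385) sign/verify model (added example)."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
OPT_MD5_KIND = 19
OPT_MD5_LEN = 18               # kind(1) + length(1) + digest(16)
BASE_HDR_LEN = 20
SIGNED_HDR_LEN = BASE_HDR_LEN + OPT_MD5_LEN + 2   # option padded to a 32-bit boundary
FLAG_ACK, FLAG_RST = 0x10, 0x04

# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4).
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"


def _fixed_header(sport, dport, seq, ack, flags, window) -> bytes:
    """Fixed 20-byte TCP header with checksum 0 and urgent pointer 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       (SIGNED_HDR_LEN // 4) << 4, flags, window, 0, 0)


def tcp_md5_digest(key: bytes, src: str, dst: str, sport: int, dport: int,
                   seq: int, ack: int, flags: int, window: int,
                   payload: bytes) -> bytes:
    """RFC 2385 section 2: MD5 over the pseudo-header, the fixed TCP header
    (checksum zero, options excluded), the segment data, then the key."""
    seg_len = SIGNED_HDR_LEN + len(payload)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, TCP_PROTO, seg_len)
    fixed = _fixed_header(sport, dport, seq, ack, flags, window)
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def sign_segment(key, src, dst, sport, dport, seq, ack, flags, window,
                 payload=b"") -> bytes:
    """Sender side: fixed header + MD5 option + padding + data.  The checksum
    stays zero because it is outside the signed bytes and this example never
    puts a segment on a wire."""
    digest = tcp_md5_digest(key, src, dst, sport, dport, seq, ack, flags, window, payload)
    option = struct.pack("!BB16s", OPT_MD5_KIND, OPT_MD5_LEN, digest) + b"\x00\x00"
    return _fixed_header(sport, dport, seq, ack, flags, window) + option + payload


def verify_segment(key: bytes, src: str, dst: str, segment: bytes) -> bool:
    """Receiver side: recompute the digest from the segment's own fields and
    compare it with the carried option.  A mismatch is the condition IOS
    logs as %TCP-6-BADAUTH; the segment is discarded, reset or not."""
    if len(segment) < BASE_HDR_LEN:
        return False
    sport, dport, seq, ack, off, flags, window, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:BASE_HDR_LEN])
    hdr_len = (off >> 4) * 4
    options, payload = segment[BASE_HDR_LEN:hdr_len], segment[hdr_len:]
    carried = None
    i = 0
    while i < len(options):                 # walk the option list for kind 19
        kind = options[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= len(options):           # truncated option: malformed
            return False
        length = options[i + 1]
        if kind == OPT_MD5_KIND and length == OPT_MD5_LEN:
            carried = options[i + 2:i + OPT_MD5_LEN]
        i += max(length, 2)
    if carried is None:
        return False                        # unsigned segment on a signed session
    expected = tcp_md5_digest(key, src, dst, sport, dport, seq, ack, flags, window, payload)
    return hmac.compare_digest(carried, expected)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    seg = sign_segment(key, "192.0.2.1", "192.0.2.2", 179, 33001, 1001, 2001,
                       FLAG_ACK, 5000, KEEPALIVE)
    print("peer with the secret:   ", verify_segment(key, "192.0.2.1", "192.0.2.2", seg))
    forged = sign_segment(b"some other key", "192.0.2.1", "192.0.2.2", 179, 33001,
                          4321, 0, FLAG_RST, 0)
    print("RST without the secret: ", verify_segment(key, "192.0.2.1", "192.0.2.2", forged))
```

Note that the signed bytes include the source and destination addresses, ports, sequence and acknowledgement numbers and the flags, so an in-window RST built by a third party fails verification even if it guesses every TCP field correctly; only the secret is missing, and that is enough. The digest comparison uses `hmac.compare_digest` so that verification time does not depend on where the first differing byte is.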
The exception is if your Cisco IOS software release contains the integrated CSCdx23494 (registered customers only) fix. With this fix, the BGP session will not be terminated when the MD5 secret is changed only on one side. The BGP updates, however, will not be processed until either the same secret is configured on both devices or the secret is removed from both devices.

If the BGP session is passing through a firewall, it is important to disable TCP sequence randomization. Some firewalls modify the TCP sequence numbers in order to protect hosts behind them. If you do not disable that feature, the BGP session will not be established, and the following error message will be displayed on the router's console:

  %TCP-6-BADAUTH: Invalid MD5 digest from to

If you are using PIX Firewall, add the norandomseq keyword to the command as shown in the example:

  static (inside,outside) netmask 255.255.255.0 norandomseq

It is possible to mitigate the exposure for BGP on this vulnerability by applying one or more of the following measures, which will lessen the potential for the spoofing required to implement a successful attack:

Blocking access to the core infrastructure

Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure access control lists (ACLs) are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists", available at http://www.cisco.com/warp/public/707/iacl.html, presents guidelines and recommended deployment techniques for infrastructure protection ACLs.
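The BGP MD5 workaround and the sequence-randomization caveat above, modelled as an added example that is not code from Cisco or from the advisory: it computes and verifies the RFC 2385 TCP MD5 option over constructed segments, showing why a spoofed RST that lacks the secret is discarded before any reset processing, and why a firewall that rewrites sequence numbers in transit produces the BADAUTH failure. All addresses, ports, sequence numbers, the payload and the secret are constructed; the console message text is modelled on the one quoted above.

```python
"""TCP MD5 signature option (RFC 2385) as used by the BGP workaround.

Added example, not from the Cisco advisory: models the per-segment digest
check a BGP speaker performs once a neighbor password is configured.
Addresses, ports, sequence numbers and the secret are all constructed.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

TCP_PROTO = 6
TCP_RST, TCP_ACK = 0x04, 0x10
OPTIONS_LEN = 20                        # kind 19, len 18, 16-byte digest, 2 bytes padding
DATA_OFFSET_WORDS = (20 + OPTIONS_LEN) // 4


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int
    payload: bytes = b""
    md5: Optional[bytes] = None         # digest carried in the TCP MD5 option, if present

    def header_without_options(self) -> bytes:
        """20-byte fixed TCP header with the checksum field zeroed (RFC 2385 2.0)."""
        off_flags = (DATA_OFFSET_WORDS << 12) | self.flags
        return struct.pack("!HHIIHHHH", self.sport, self.dport, self.seq,
                           self.ack, off_flags, self.window, 0, 0)


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """MD5 over: IPv4 pseudo-header, fixed TCP header (checksum 0),
    segment data, then the shared secret, in that order (RFC 2385 2.0)."""
    tcp_len = 20 + OPTIONS_LEN + len(seg.payload)
    pseudo = (IPv4Address(seg.src).packed + IPv4Address(seg.dst).packed
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    h = hashlib.md5()
    for part in (pseudo, seg.header_without_options(), seg.payload, key):
        h.update(part)
    return h.digest()


def sign(seg: Segment, key: bytes) -> Segment:
    """Sender side: attach the digest as the MD5 option."""
    seg.md5 = tcp_md5_digest(seg, key)
    return seg


def accept(seg: Segment, key: bytes) -> tuple:
    """Receiver side: a segment without the option, or whose digest does not
    verify, is discarded before any RST/SYN processing (RFC 2385 4.0).
    The reason string is modelled on the console message quoted in the advisory."""
    if seg.md5 is None:
        return False, "segment has no MD5 option: dropped"
    if not hmac.compare_digest(seg.md5, tcp_md5_digest(seg, key)):
        return False, "%%TCP-6-BADAUTH: Invalid MD5 digest from %s to %s" % (seg.src, seg.dst)
    return True, "digest ok"


def scenarios() -> dict:
    """Constructed BGP session 192.0.2.1:179 <-> 192.0.2.2:11000, secret 'bgp-s3cret'."""
    key = b"bgp-s3cret"
    peer_rst = sign(Segment("192.0.2.2", "192.0.2.1", 11000, 179,
                            seq=1001, ack=5000, flags=TCP_RST | TCP_ACK, window=0), key)
    # Spoofer knows the 4-tuple and an in-window sequence number but not the key.
    spoofed_rst = Segment("192.0.2.2", "192.0.2.1", 11000, 179,
                          seq=4321, ack=0, flags=TCP_RST, window=0)
    wrong_key_rst = sign(Segment("192.0.2.2", "192.0.2.1", 11000, 179,
                                 seq=4321, ack=0, flags=TCP_RST, window=0), b"guess")
    # Legitimate KEEPALIVE whose sequence number a firewall randomised in transit:
    # the digest was computed over the original seq, so verification fails.
    keepalive = sign(Segment("192.0.2.2", "192.0.2.1", 11000, 179,
                             seq=1001, ack=5000, flags=TCP_ACK, window=16384,
                             payload=b"\xff" * 16 + b"\x00\x13\x04"), key)
    keepalive.seq += 0x1A2B3C
    return {
        "peer_rst": accept(peer_rst, key),
        "spoofed_rst": accept(spoofed_rst, key),
        "wrong_key_rst": accept(wrong_key_rst, key),
        "seq_randomised_keepalive": accept(keepalive, key),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:26s} accepted={ok!s:5s} {why}")
```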
Exceptions would include any devices which have a legitimate reason to access your infrastructure (for example, BGP peers, NTP sources, DNS servers, and so on). All other traffic must be able to traverse your network without terminating on any of your devices.

Configure anti-spoofing measures on the network edge

In order for an adversary to use the attack vector described in this advisory, it must send packets with the source IP address equal to one of the BGP peers. You can block spoofed packets either using the Unicast Reverse Path Forwarding (uRPF) feature or by using access control lists (ACLs). By enabling uRPF, all spoofed packets will be dropped at the first device. To enable uRPF, use the following commands:

  router(config)#ip cef
  router(config)#interface
  router(config-if)#ip verify unicast reverse-path

Please consult http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7d4.html and ftp://ftp-eng.cisco.com/cons/isp/security/URPF-ISP.pdf for further details on how uRPF works and how to configure it in various scenarios. This is especially important if you are using asymmetric routing.

ACLs should also be deployed as close to the edge as possible. Unlike uRPF, you must specify the exact IP range that is permitted. Specifying which addresses should be blocked is not the optimal solution because it tends to be harder to maintain.

Caution: In order for anti-spoofing measures to be effective, they must be deployed at least one hop away from the devices which are being protected. Ideally, they will be deployed at the network edge facing your customers.

Packet rate limiting

RST packets are rate-limited in Cisco IOS software by default. This feature was introduced in Cisco IOS Software Release 10.2. In the case of a storm of RST packets, they are effectively limited to one packet per second. In order to be successful, an attacker must terminate the connection with the first few packets.
Otherwise, the attack is deemed to be impracticably long. On the other hand, SYN packets are not rate-limited in any way. Rate limiting can be accomplished either by using Committed Access Rate (CAR) or by Control Plane Policing (CPP). While CPP is the recommended approach, it is available only for Cisco IOS Software Releases 12.2(18)S and 12.3(4)T. It is currently supported only on the following routers: 1751, 2600/2600-XM, 3700, 7200, and 7500 Series.

CAR can be configured as follows:

  router(config)#access-list 103 deny tcp any host 10.1.1.1 established
  router(config)#access-list 103 permit tcp any host 10.1.1.1
  router(config)#interface
  router(config-if)#rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop

For details on how to configure and deploy CPP, please consult the following document:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper09186a0080211f39.shtml

Exploitation and Public Announcements

This vulnerability was presented at the public conference. The Cisco PSIRT is not aware of malicious use of the vulnerability described in this advisory. The exploitation of the vulnerability with packets having the RST flag set (reset packets) was discovered by Paul (Tony) Watson of OSVDB.org. The extension of the attack vector to packets with the SYN flag set was discovered by the vendors cooperating on the resolution of this issue.

Status of This Notice: FINAL

This is a final advisory. Although Cisco cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this advisory.
A stand-alone copy or paraphrase of the text of this Security Advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution

This advisory will be posted on Cisco's worldwide website at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml.

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  cust-security-announce@cisco.com
  first-teams@first.org (includes CERT/CC)
  bugtraq@securityfocus.com
  vulnwatch@vulnwatch.org
  cisco@spot.colorado.edu
  cisco-nsp@puck.nether.net
  full-disclosure@lists.netsys.com
  comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History

Revision 1.9  2004-June-16
  Updated Fixed Cisco IOS Software Release and Migration Path table with new line in section 12.0S.
Revision 1.8  2004-May-20
  Status changed to final.
Revision 1.7  2004-May-10
  Updated the Fixed Cisco IOS Software Images for Cisco IOS Firewall table maintenance revisions for 12.0(28), 12.0(27)S, 12.2(23), 12.2(22)S, 12.3(6), and 12.2JA.
Revision 1.6  2004-May-04
  In Software Versions and Fixes section, updated entries for 12.0W5 and 12.2SX.
  Updated Workarounds section with information on BGP MD5 secret.
Revision 1.5  2004-Apr-30
  In Software Versions and Fixes section, updated entries for 12.1, 12.3T FW, and 12.1DA.
  Added new sections in 12.3T IOS main and 12.2-based releases.
Revision 1.4  2004-Apr-28
  In the Details section added link to the DoD Draft TCP protocol.
  In Software Versions and Fixes section, updated entries for 11.2SA, 12.0XP, 12.0(5.1)XP, 12.1EA, 12.2XJ, and 12.0W5.
  In the Exploitation and Public Announcement section, changed wording of initial sentence.
Revision 1.3  2004-Apr-25
  In Software Versions and Fixes section, added introductory paragraphs with advisory.
  In Software Versions and Fixes section, updated Cisco IOS Software Releases and Migration Path table for entries 12.1AY, 12.2BX, 12.2XB, 12.2T, and 12.2SXB.
  In Workarounds section, updated the command sequence for the "Configure anti-spoofing measures on the network edge" entry.
Revision 1.2  2004-Apr-22
  In Software Versions and Fixes section, updated Cisco IOS Firewall table for 12.1E entry.
  In Software Versions and Fixes section, updated Cisco IOS Software Releases and Migration Path table for entries 12.2SXA, 12.2SXB, 12.1EW, 12.2S, 12.3T, 12.2JA, 12.1EA.
Revision 1.1  2004-Apr-21
  In Software Versions and Fixes section, Cisco IOS Software Releases and Migration Path table, updated 12.1(20)E2 entry.
  In Software Versions and Fixes section, Cisco IOS Software Releases and Migration Path table, 12.1E section, updated 12.1(13)E13 entry.
  In Software Versions and Fixes section, Cisco IOS Software Releases and Migration Path table, 12.1E section, updated 12.1(13)E14 entry.
  In Software Versions and Fixes section, Cisco IOS Software Releases and Migration Path table, 12.2T section, updated 12.2(13)T12 entry.
  In Software Versions and Fixes section, Cisco IOS Software Releases and Migration Path table, 12.2T section, updated 12.2(13)T11 entry.
  In Workaround section, Packet rate limiting sub-section, updated this line: access-list 103 permit tcp any host 10.1.1.1
Revision 1.0  2004-Apr-20
  Initial public release.
[***** End Cisco Security Advisory 50960: TCP Vulnerabilities in Multiple IOS-Based Products *****]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[***** Start Cisco Security Advisory 50961: TCP Vulnerabilities in Multiple Non-IOS Cisco Products *****]

Cisco Security Advisory: TCP Vulnerabilities in Multiple Non-IOS Cisco Products

Document ID: 50961
Revision 2.5
Last Updated 2005 December 29 00:00 UTC (GMT)
For Public Release 2004 April 20 21:00 UTC (GMT)

-------------------------------------------------------------------------------

Contents

  Summary
  Affected Products
  Details
  Impact
  Software Versions and Fixes
  Obtaining Fixed Software
  Workarounds
  Exploitation and Public Announcements
  Status of This Notice: INTERIM
  Distribution
  Revision History
  Cisco Security Procedures

-------------------------------------------------------------------------------

Summary

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond the terminated connection which must be considered.
This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer), and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, the attack vector does not directly compromise data integrity or confidentiality.

All Cisco products which contain a TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml, and it describes this vulnerability as it applies to Cisco products that do not run Cisco IOS® software. A companion advisory that describes this vulnerability for products that run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml.

Affected Products

Products which contain a TCP stack are susceptible to this vulnerability. All Cisco products and models are affected. The severity of the exposure depends upon the protocols and applications that utilize TCP.
The nonexhaustive list of vulnerable non-IOS based Cisco products is as follows:

  Access Registrar
  BPX 8600, IGX 8400, MGX 82xx, 88xx and 8950 WAN Switches, and the Service Expansion Shelf
  BR340, WGB340, AP340, AP350, BR350 Cisco/Aironet wireless products
  Cache Engine 505 and 570
  CallManager
  Catalyst 1200, 1900, 28xx, 2948G-GE-TX, 3000, 3900, 4000, 5000, 6000
  Cisco 8110 Broadband Network Termination Unit
  Cisco Element Management Framework
  Cisco Info Center
  Cisco Intelligent Contact Management
  Cisco MDS 9000
  Cisco ONS 15190/15194 IP Transport Concentrator
  Cisco ONS 15327 Metro Edge Optical Transport Platform
  Cisco ONS 15454 Optical Transport Platform
  Cisco ONS 15531/15532 T31 OMDS Metro WDM System
  Cisco ONS 15800/15801/15808 Dense Wave Division Multiplexing Platform
  Cisco ONS 15830 T30 Optical Amplification System
  Cisco ONS 15831/15832 T31 DWDM System
  Cisco ONS 15863 T31 Submarine WDM System
  Content Router 4430 and Content Delivery Manager 4630 and 4650
  CiscoSecure ACS for Windows and Unix, and CiscoSecure ACS 1111 Appliance
  Cisco Secure Intrusion Detection System (NetRanger) appliance and IDS Module
  Cisco Secure PIX firewall
  Cisco ws-x6608 and ws-x6624 IP Telephony Modules
  CiscoWorks Windows
  Content Engine 507, 560, 590, and 7320
  CSS11000 (Arrowpoint) Content Services Switch
  Hosting Solution Engine
  User Registration Tool
  VLAN Policy Server
  Cisco FastHub 300 and 400
  CR-4430-B
  Device Fault Manager
  Internet CDN Content Engine 590 and 7320, Content Distribution Manager 4670, and Content Router 4450
  IP Phone (all models including ATA and VG248)
  IP/TV
  LightStream 1010
  LightStream 100 ATM Switches
  LocalDirector
  ME1100 series
  MicroHub 1500, MicroSwitch 1538/1548
  Voice Manager RTM
  SN5400 series storage routers
  Switch Probe
  Unity Server
  VG248 Analog Phone Gateway
  VPN5000 - VPN Concentrator
  Traffic Director
  WAN Manager
  CSS 11050, CSS 11100, CSS 11150, CSS 11500 and CSS 11800
  GSS, CSM
  Cisco Channel Interface Processor (CIP) and Channel Port Adapter (CPA)
  Cisco Systems ESCON Channel Port Adapter (ECPA)
  Cisco Systems Parallel Channel Port Adapter (PCPA)
  Cisco Firewall Services Module for Cisco Catalyst 6500 Series and Cisco 7600 Series (FWSM)
  Cisco ACNS
  CiscoWorks Wireless LAN Solution Appliance
  Cisco VPN 3000 Series Concentrators

Details

TCP is the transport layer protocol designed to provide connection-oriented reliable delivery of a data stream. To accomplish this, TCP uses a mixture of flags to indicate state and sequence numbers to identify the order in which the packets are to be reassembled. TCP also provides a number, called an acknowledgement number, that is used to indicate the sequence number of the next packet expected. The packets are reassembled by the receiving TCP implementation only if their sequence numbers fall within a range of the acknowledgement number (called a "window"). The acknowledgement number is not used in a packet with the reset (RST) flag set because a reset does not expect a packet in return. The full specification of the TCP protocol can be found at http://www.ietf.org/rfc/rfc0793.txt.

According to the RFC793 specification, it is possible to reset an established TCP connection by sending a packet with the RST or synchronize (SYN) flag set. In order for this to occur, the 4-tuple must be known or guessed (source and destination IP address and ports) together with a sequence number. However, the sequence number does not have to be an exact match; it is sufficient to fall within the advertised window. This significantly decreases the effort required by an adversary: the larger the window, the easier it is to reset the connection.

While source and destination IP addresses may be relatively easy to determine, the source TCP port must be guessed. The destination TCP port is usually known for all standard services (for example, 23 for Telnet, 80 for HTTP).
Many operating systems (OSs) use predictable ephemeral ports for known services with a predictable increment (the next port which will be used for a subsequent connection). These values, while constant for a particular OS and protocol, do vary from one OS release to another.

Here is an example of a normal termination of a TCP session:

    Host(1)                           Host(2)
       |                                 |
       |                                 |
       |    ACK ack=1001, window=5000    |
       |<--------------------------------|
       |                                 |
       |    Host(1) is closing the session
       |                                 |
       |    RST seq=1001                 |
       |-------------------------------->|
       |                                 |
       |    Host(2) is closing the session

In addition, the following scenario is also permitted:

    Host(1)                           Host(2)
       |                                 |
       |                                 |
       |    ACK ack=1001, window=5000    |
       |<--------------------------------|
       |                                 |
       |    Host(1) is closing the session
       |                                 |
       |    RST seq=4321                 |
       |-------------------------------->|
       |                                 |
       |    Host(2) is closing the session

Note how the RST packet was able to terminate the session although the sequence number was not the next expected one (which is 1001). It was sufficient for the sequence number to fall within the advertised "window". In this example, Host(2) was accepting sequence numbers from 1001 to 6001 and 4321 is clearly within the acceptable range.

Cisco fixed this vulnerability in accordance with http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-02.txt.

As a general rule, all protocols where a TCP connection stays established for longer than one minute should be considered exposed.

Impact

The impact is different for each specific protocol. While, in the majority of cases, a TCP connection will be automatically re-established, in some specific protocols a second order of consequences may have a larger impact than tearing down the connection itself. The Cisco PSIRT has analyzed multiple TCP-based protocols, as they are used within our offering, and we believe that this vulnerability does not have a significant impact on them. We will present our analysis for a few protocols which have the potential for higher impact due to the long-lived connections.
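The acceptance decision behind the two diagrams in the Details section, and the stricter checks in the tcpsecure draft the advisory cites for Cisco's fix, as an added model that is not code from Cisco or from the advisory. RCV.NXT=1001 and window=5000 are the constructed values from the diagrams; the SYN handling follows the same draft, which answers a SYN on an established connection with an ACK instead of tearing the connection down.

```python
"""RST/SYN acceptance in ESTABLISHED state: RFC 793 versus draft-ietf-tcpm-tcpsecure.

Added example, not from the Cisco advisory: models the receiver-side decision
illustrated by the advisory's two diagrams and the stricter checks in the
tcpsecure draft the advisory cites. RCV.NXT=1001 and window=5000 are the
constructed values used in those diagrams.
"""
from dataclasses import dataclass

SEQ_SPACE = 1 << 32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a segment's first octet,
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, with 32-bit wraparound."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


@dataclass
class Connection:
    rcv_nxt: int                 # next sequence number expected from the peer
    rcv_wnd: int                 # receive window we advertised
    established: bool = True
    challenge_acks: int = 0      # ACKs sent instead of acting on a suspicious segment


def on_rst_rfc793(conn: Connection, seq: int) -> str:
    """RFC 793: any RST whose sequence number falls in the window aborts the connection."""
    if not in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        return "RST dropped (out of window)"
    conn.established = False
    return "connection reset"


def on_rst_tcpsecure(conn: Connection, seq: int) -> str:
    """tcpsecure: an RST resets only if SEG.SEQ == RCV.NXT; an in-window but
    inexact RST is answered with a challenge ACK and otherwise ignored. A peer
    that really did close will answer the ACK with an exact-sequence RST."""
    if not in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        return "RST dropped (out of window)"
    if seq == conn.rcv_nxt:
        conn.established = False
        return "connection reset"
    conn.challenge_acks += 1
    return "challenge ACK sent, connection kept"


def on_syn_rfc793(conn: Connection, seq: int) -> str:
    """RFC 793: a SYN inside the window while ESTABLISHED is an error and the
    connection is reset; an out-of-window SYN is acknowledged and dropped."""
    if not in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        return "SYN dropped (out of window, ACK sent)"
    conn.established = False
    return "connection reset"


def on_syn_tcpsecure(conn: Connection, seq: int) -> str:
    """tcpsecure: a SYN in a synchronized state never resets, whatever its
    sequence number; the receiver sends a challenge ACK and drops it."""
    conn.challenge_acks += 1
    return "challenge ACK sent, connection kept"


def rst_guesses_to_sweep(rcv_wnd: int) -> int:
    """How many distinct in-window RSTs cover the whole 2^32 sequence space,
    i.e. the advisory's point that a larger window makes a blind reset cheaper."""
    return -(-SEQ_SPACE // rcv_wnd)


def diagram_cases() -> dict:
    """Replays the advisory's diagrams (RST seq=1001, RST seq=4321) plus an
    out-of-window RST and a SYN, under both policies, each on a fresh connection."""
    results = {}
    for name, handler, seq in [
        ("rfc793 rst seq=1001", on_rst_rfc793, 1001),
        ("rfc793 rst seq=4321", on_rst_rfc793, 4321),
        ("rfc793 rst seq=7000", on_rst_rfc793, 7000),
        ("tcpsecure rst seq=1001", on_rst_tcpsecure, 1001),
        ("tcpsecure rst seq=4321", on_rst_tcpsecure, 4321),
        ("rfc793 syn seq=4321", on_syn_rfc793, 4321),
        ("tcpsecure syn seq=4321", on_syn_tcpsecure, 4321),
    ]:
        conn = Connection(rcv_nxt=1001, rcv_wnd=5000)
        results[name] = (handler(conn, seq), conn.established)
    return results


if __name__ == "__main__":
    for name, (outcome, up) in diagram_cases().items():
        print(f"{name:24s} -> {outcome:38s} established={up}")
    print("in-window RSTs needed to sweep 2^32 with window 5000:", rst_guesses_to_sweep(5000))
```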
Voice signaling H.225, H.245 (part of H.323 suite)

H.225 and H.245 protocols are used in voice signaling. Their purpose is to negotiate parameters for content transfer (voice or video). The established sessions persist for the duration of a call. Any call in progress is terminated when the signaling session is broken. A new signaling session will be established immediately for the new call, but terminated calls cannot be re-established.

Each call from an IP telephone or softphone will result in the creation of a single signaling session. Terminating that signaling session affects only a single user. It is possible that a single signaling session is responsible for multiple calls, but that setup is used deeper within the Service Provider's network. Determining all necessary parameters for mounting an attack is deemed a non-trivial task if the network is designed according to the current best practices.

Network Storage (iSCSI, FCIP)

Network Storage products use two TCP-based protocols: SCSI over IP (iSCSI) and Fiber Channel over IP (FCIP).

SCSI over IP (iSCSI)

iSCSI is used in a client/server environment. The client is your computer and it is only the client that initiates a connection. This connection is not shared with any other users. A separate session is established for each virtual device used. Terminating the session will not have any adverse consequences if people are using current drivers from Microsoft for Windows and from Cisco for Linux. These drivers will re-establish the session and continue transfer from the point where it was disconnected. Drivers from other vendors may behave differently. The user may notice that access to a virtual device is slightly slower than usual.

Fiber Channel over IP (FCIP)

FCIP is a peer-to-peer protocol. It is used for mirroring data between switches. Each peer can initiate the session. Switches can, and in practice should, be configured in a mesh.
Bringing one link down will cause traffic to be re-routed over other link(s). If an adversary can manage to terminate the session multiple times in a row, the user's application may terminate with a "Device unreachable" or similar error message. This does not have any influence on the switch itself and the user can retry the operation. The user may notice that access to a virtual device is slightly slower than usual. An occasional error message is possible.

Transport Layer Security/Secure Socket Layer (TLS/SSL)

Since this vulnerability operates on the TCP layer, encryption does not provide any protection. SSL/TLS connections can be used to encapsulate various kinds of traffic and these sessions can be long lived. A successful exploitation does not impact confidentiality of the data. An encrypted session can be attacked either on the originating or terminating host or on the firewalls in front of them (if they exist).

Software Versions and Fixes

For all Cisco products that are based on a third party Operating System and when Cisco is not supplying the OS, please contact your respective vendor for the appropriate patches.

Be advised that Cisco released multiple advisories on 2004-April-20. When considering software upgrades, please also consult http://www.cisco.com/warp/public/707/advisory.html and any subsequent advisories to determine exposure and a complete upgrade solution.
Product | Defect ID (registered customers only) | Intended First Fixed Release

LAN Switching
  Catalyst 1200, 1900, 28xx, 29xx, 3000, 3900, 4000, 5000, 6000 | CSCed32349 | 6.4(13), 6.4(12.3), 7.6(8.6), 8.3(2.8), 8.3(3.4), 8.4(0.47)COC, 8.4(0.91)COC, 8.4(1.2)GLX, 8.4(2.1)GLX, 8.6(0.1)TAL, 8.6(0.21)TAL
  Catalyst 1900 and 2820 | | 9.00.07, Available on 2004-Apr-27
  Catalyst 6500 Series SSL Services Module | CSCee35285 | 2.1(2)

Network Storage
  Cisco MDS 9000 Family | CSCed27956, CSCed38527, CSCed65607 | 1.3(4a)
  Cisco Channel Interface Processor (CIP) | CSCee35335 | 27-x and 28-x, No software availability date has been determined yet.
  Cisco SN5428 and SN5428-2 Storage Routers | CSCee36193 | 3.5(3)-K9

Voice Products
  WS-6624 analog station gateway module for the Catalyst 6500 | CSCee22691 | No software availability date has been determined yet.

Wireless Products
  Cisco Aironet Access Point 340, 350, 1200 Series (only VxWorks-based) | CSCee22526 | No software availability date has been determined yet. Customers are encouraged to migrate to IOS.

Security Products
  Cisco Intrusion Detection System (IDS) | CSCee33732 | 5.0, No software availability date has been determined yet.
  Cisco Firewall Services Module for Cisco Catalyst 6500 and 7600 Series (FWSM) | CSCee07450, CSCee07451, CSCee07453 | 1.1(3.17), Contact TAC
  Cisco PIX Firewall | CSCed31689, CSCed91445, CSCed70062, CSCed91726 | 6.1.5(104), 6.2.3(110), and 6.3.3(133), Contact TAC

Content Networking
  Cisco CSS11500 Family | CSCee06117, SSL termination | 07.30(00.09)S, 07.20(03.10)S, 07.30(00.08)S, 07.10(05.07)S, 07.20(03.09)S, 07.30(1.06), 07.20(4.05)
  Cisco CSS11000 and CSS11500 Family | CSCee39336, TCP management connections | 07.30(01.02), 07.30(01.06), 07.20(04.05), 05.00(05.05)S, 06.10(03.10)S
  Cisco Content Switching Module (CSM) | CSCee33252 | 4.1(2) Available 2004-Jun, for 3.x releases contact TAC
  Cisco ACNS | CSCee37496 | No software availability date has been determined yet.
  Cisco 11000 Series Secure Content Accelerator (SCA) | CSCee49634 | No software availability date has been determined yet.
  Cisco LocalDirector | CSCee08921 | 4.2(1), 4.2(2), 4.2(3), 4.2(4), 4.2(5), 4.2(6)

Optical Products
  Cisco ONS 15327, 15454 and 15454SDH Optical Transport Platform | CSCed73026 | R4.14 Available 2004-Apr-27, Future releases R4.62, R2.35
  Cisco ONS 15501 Optical Transport Platform | CSCee41687 | No software availability date has been determined yet.
  Cisco ONS 15600 Optical Transport Platform | CSCed73026 | Future releases R5.0

WAN Switching
  MGX 8850, MGX 8830, MGX 8950 | CSCee34615 | 5.0.X, 4.0.X, 3.0.X, No software availability date has been determined yet.
  SES | CSCee34615 | 4.0.X, No software availability date has been determined yet.
  MGX 8230, MGX 8250 | CSCee34620 | 1.3.X, 1.2.X, No software availability date has been determined yet.
  MGX 8220 | CSCee34624 | 5.0.X, No software availability date has been determined yet.
  BPX 8600, IGX 8400 | CSCee34625 | 9.4.X, 9.3.X, No software availability date has been determined yet.

VPN Concentrators
  VPN 3000 Series Concentrators | CSCsc28894 | 04.7(02)C

Obtaining Fixed Software

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third-party Support Organizations

Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge.

Customers without Service Contracts

Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  +1 800 553 2447 (toll free from within North America)
  +1 408 526 7209 (toll call from anywhere in the world)
  e-mail: tac@cisco.com

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.

Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade.
Free upgrades for non-contract customers must be requested through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

Workarounds

The effectiveness of any workaround is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround is the most appropriate for use in the intended network before it is deployed.

There are no workarounds available to mitigate the effects of this vulnerability.

It is possible to mitigate the exposure on this vulnerability by applying anti-spoofing measures on the edge of the network. By enabling Unicast Reverse Path Forwarding (uRPF), all spoofed packets will be dropped at the first device. To enable uRPF, use the following commands.

  router(config)# ip cef
  router(config)# interface
  router(config-if)# ip verify unicast reverse-path

Please consult http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_book09186a0080087df1.html and ftp://ftp-eng.cisco.com/cons/isp/security/URPF-ISP.pdf for further descriptions of how uRPF works and how to configure it in various scenarios. This is especially important if you are using asymmetric routing.

Access control lists (ACLs) should also be deployed as close to the edge as possible. Unlike uRPF, you must specify the exact IP range that is permitted. Specifying which addresses should be blocked is not the optimal solution because it tends to be harder to maintain.

Caution: In order for anti-spoofing measures to be effective, they must be deployed at least one hop away from the devices which are being protected. Ideally, they will be deployed at the network edge.

Exploitation and Public Announcements

This vulnerability was presented at the public conference.
The Cisco PSIRT is not aware of malicious use of the vulnerability described in this advisory. The exploitation of the vulnerability with packets having the RST flag set (reset packets) was discovered by Paul (Tony) Watson of OSVDB.org. The extension of the attack vector to packets with the SYN flag set and data injection was discovered by the vendors cooperating on the resolution of this issue.

Status of This Notice: INTERIM

This is an INTERIM advisory. Although Cisco cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this advisory.

A stand-alone copy or paraphrase of the text of this Security Advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution

This advisory will be posted on Cisco's worldwide website at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients:

  cust-security-announce@cisco.com
  first-teams@first.org (includes CERT/CC)
  bugtraq@securityfocus.com
  vulnwatch@vulnwatch.org
  cisco@spot.colorado.edu
  cisco-nsp@puck.nether.net
  full-disclosure@lists.netsys.com
  comp.dcom.sys.cisco@newsgate.cisco.com
  Various internal Cisco mailing lists

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History

Revision 2.9  2008-January-08
  Removed CSCee07451 and CSCee07450 as Cisco FWSM itself is not affected.
  Added fixed software releases for the following MGX models: 8230, 8250, 8830, 8850 and 8950. MGX8220 reached End-of-Support.
  Added fixed software releases for BPX 8600 and IGX 8400.
Revision 2.8  2007-October-04
  Added information for VG248.
Revision 2.7  2007-April-03
  Added information for CallManager.
Revision 2.6  2006-February-14
  Added release 4.1.7.K to list of fixed releases for the VPN 3000 Series Concentrators.
Revision 2.5  2005-December-29
  Moved Cisco VPN 3000 Series Concentrators to the Affected Products section; added VPN Concentrators to the Software Versions and Fixes section.
Revision 2.4  2004-December-6
  Changed link to IETF draft in Details section.
Revision 2.3  2004-December-3
  Added Cisco LocalDirector information to the Software Versions and Fixes section, under the Content Network heading.
Revision 2.2  2004-November-10
  Updated first line of the table (under LAN Switching) in "Software Versions and Fixes" section.
Revision 2.1  2004-October-06
  Added Cisco SN5428 and SN5428-2 Storage Routers information to the Software Versions and Fixes section, under the Network Storage heading.
Revision 2.0  2004-September-28
  In "Software Versions and Fixes" section, added the following row in the table under "Security Products": Cisco Intrusion Detection System (IDS) | CSCee33732 | 5.0, No software availability date has been determined yet.
Revision 1.9  2004-July-07
  In the Software Versions and Fixes section in the Content Networking part of the table, removed the text "Contact TAC" and added: 07.30(1.06), 07.20(4.05) to the first row.
  In the Software Versions and Fixes section in the Content Networking part of the table, removed the text "No Software availability date has been determined yet." and added: 07.30(01.02), 07.30(01.06), 07.20(04.05), 05.00(05.05)S, 06.10(03.10)S to the second row.
Revision 1.8  2004-Jun-03
  In the Software Versions and Fixes section, added an entry for the Cisco 11000 Series Secure Content Accelerator (SCA).
Revision 1.7 2004-May-10 In the Affected Products section, added CiscoWorks Wireless LAN Solution Appliance. In the Software Versions and Fixes section, added the Catalyst 6500 Series SSL Services Module entry under LAN Switching. Revision 1.6 2004-May-04 In the Software Versions and Fixes section, updated the entry for PIX in Security Products. Revision 1.5 2004-Apr-30 In the Software Versions and Fixes section, modified the entry for PIX in Security Products and added an entry under Optical Products. Revision 1.4 2004-Apr-28 In the Affected Products section, added another product and moved one from non-affected list. In the Details section added link to the DoD Draft TCP protocol. In the Software Versions and Fixes section, updated entry for Security Products and Content Networking. In the Exploitation and Public Announcement section, changed wording of initial sentence. Revision 1.3 2004-Apr-25 In Affected Products section, added more products to the end of the list. In Software Versions and Fixes section, added introductory paragraphs as advisories. In Software Versions and Fixes section, updated the Cisco MDS 9000 Family entry and added Cisco Channel Interface Processor (CIP) information. In Workarounds section, updated the command sequence to enable uRPF. Revision 1.2 2004-Apr-22 Under Affected Products section, updated BPX entry, and added CiscoSecure ACS for Windows and Unix and CiscoSecure ACS 1111 Appliance. In Software Versions and Fixes section, added WAN Switching section in table. Revision 1.1 2004-Apr-21 Affected Products section, list of Catalyst products updated. In Software Versions and Fixes section, Optical products updated. In Software Versions and Fixes section, Security products updated. Revision 1.0 2004-Apr-20 Initial public release. 
Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

-------------------------------------------------------------------------------

Updated: Dec 28, 2005
Document ID: 50961

[***** End Cisco Security Advisory 50961: TCP Vulnerabilities in Multiple Non-IOS Cisco Products *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Cisco Systems, Inc. for the information contained in this bulletin.

_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at:

  Voice:    +1 925-422-8193 (7x24)
  FAX:      +1 925-423-8002
  STU-III:  +1 925-423-2604
  E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive.
  World Wide Web:  http://www.ciac.org/
  Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-114: Microsoft Security Update for Microsoft Windows
O-115: Microsoft Cumulative Update for RPC/DCOM
O-116: Microsoft Cumulative Security Update for Outlook Express
O-117: Microsoft Jet Database Engine Buffer Overrun
O-118: HP OpenView Operations Remote Unauthorized Access
O-119: HP Tru64 UNIX WU-FTPD Security Vulnerabilities
O-120: HP Web Jetadmin Security Vulnerabilities
O-121: Debian linux-kernel-2.4.17 and 2.4.18 Vulnerabilities
O-122: Red Hat Updated OpenOffice Packages Fix Security Vulnerability in Neon
O-123: Debian 483-1 MySQL