
Cisco bi-annual patch day

Published: 2008-09-25
Last Updated: 2008-09-26 03:16:41 UTC
by donald smith (Version: 1)

With the numerous Cisco vulnerabilities announced today, we thought you might appreciate a table summarising the issues.

The table shows that many of the issues have a workaround. Unfortunately, this is typically in the form of disabling the functionality, which may not be an option for many of you. Cisco uses the CVSS scoring system, which relates the score to the core Confidentiality, Integrity and Availability principles. The higher the score, the more important the vendor believes the issue is.

| Advisory | Impact / CVE(s) | Exploit | Cisco Base | Cisco Temp | Workaround / Fix | ISC Rating* |
|---|---|---|---|---|---|---|
| cisco-sa-20080924-iosips | IOS IPS: CVE-2008-2739 | none known | 7.8 | 6.4 | Y/Y | Critical |
| cisco-sa-20080924-ssl | IOS SSL: CVE-2008-3798 | none known | 7.8 | 6.4 | Y/Y | Critical |
| cisco-sa-20080924-sip | DoS: CVE-2008-3800, CVE-2008-3801, CVE-2008-3802 | none known | 7.8 | 6.4 | Y/Y | Important |
| cisco-sa-20080924-cucm | DoS: CVE-2008-3800, CVE-2008-3801 | none known | 7.1 / 7.8 | 5.9 / 6.4 | Y/Y | Critical |
| cisco-sa-20080924-vpn | Data leak: CVE-2008-3803 | none known | 5.1 | 4.3 | Y/Y | Important |
| cisco-sa-20080924-mfi | DoS: CVE-2008-3804 | none known | 7.8 | 6.4 | N/Y | Critical |
| cisco-sa-20080924-ipc | DoS: CVE-2008-3805 | none known | 8.5 | 7 | Y/Y | Critical |
| cisco-sa-20080924-ubr | DoS: CVE-2008-3807 | none known | 10 | 8.3 | Y/Y | PATCH NOW |
| cisco-sa-20080924-multicast | DoS: CVE-2008-3809 | none known | 7.8 | 6.4 | Y/Y | PATCH NOW |
| cisco-sa-20080924-sccp | DoS: CVE-2008-3810, CVE-2008-3811 | none known | 7.8 | 6.4 | Y/Y | PATCH NOW |
| cisco-sa-20080924-iosfw | DoS: CVE-2008-3812 | none known | 7.8 | 6.4 | N/Y | PATCH NOW |
| cisco-sa-20080924-l2tp | DoS: CVE-2008-3813 | none known | 7.8 | 6.4 | Y/Y | Critical |

Cisco Base and Cisco Temp are the CVSS base and temporal scores (cisco-sa-20080924-cucm lists two scores for its two CVEs). Workaround / Fix indicates whether a workaround and a fixed release are available (Y or N).

Descriptions, workarounds and handler comments for each advisory:

cisco-sa-20080924-iosips

The Cisco IOS Intrusion Prevention System (IPS) feature contains a vulnerability in the processing of certain IPS signatures that use the SERVICE.DNS engine. This vulnerability may cause a router to crash or hang, resulting in a denial of service condition.

Handler comments: Cisco IDS is not affected.

cisco-sa-20080924-ssl

A Cisco IOS device may crash while processing an SSL packet. This can happen during the termination of an SSL-based session. The offending packet is not malformed and is normally received as part of the packet exchange.

Workaround: disable the affected services (secure-server, webvpn, or OSP settlement), or limit exposure via an ACL.

Handler comments: This affects devices managed using SSL as well; the workaround will disable this.

cisco-sa-20080924-sip

Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS that can be exploited remotely to trigger a memory leak or to cause a reload of the IOS device.

Workaround: disable the service if it is not needed, or limit exposure via an ACL.

Handler comments: SIP can use UDP, so the source IP is spoofable, which may negate the effect of an ACL intended to limit your exposure.

cisco-sa-20080924-cucm

Cisco Unified Communications Manager, formerly Cisco Unified CallManager, contains two denial of service (DoS) vulnerabilities in the Session Initiation Protocol (SIP) service. An exploit of these vulnerabilities may cause an interruption in voice services.

Handler comments: SIP can use UDP, so the source IP is spoofable, which may negate the effect of an ACL intended to limit your exposure. The vulnerabilities can be triggered with valid SIP messages. CUCM versions later than 5.x have SIP enabled by default and it cannot be disabled.

cisco-sa-20080924-vpn

Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs.

Handler comments: A bug exists when processing extended communities with MPLS VPNs. If extended communities are used, MPLS VPN may incorrectly use a corrupted route target (RT) to forward traffic. If this occurs, traffic can leak from one MPLS VPN to another.

cisco-sa-20080924-mfi

Cisco IOS Software Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) is vulnerable to a Denial of Service (DoS) attack from specially crafted packets. Only the MFI is affected by this vulnerability. The older Label Forwarding Information Base (LFIB) implementation, which is replaced by MFI, is not affected.

Handler comments: An attacker needs to have access to the MPLS network through an MPLS-enabled interface; MPLS packets are dropped on interfaces that are not configured for MPLS. No workaround.

cisco-sa-20080924-ipc

Cisco 10000, uBR10012 and uBR7200 series devices use a User Datagram Protocol (UDP) based Inter-Process Communication (IPC) channel that is externally reachable. An attacker could exploit this vulnerability to cause a denial of service (DoS) condition on affected devices.

Workaround: filter packets that are sent to 127.0.0.0/8 and to UDP port 1975.

Handler comments: An attacker needs to get a packet with a destination address in the 127.0.0.0/8 range to the router, which implies being directly connected or the use of a default route.

cisco-sa-20080924-ubr

Cisco uBR10012 series devices automatically enable Simple Network Management Protocol (SNMP) read/write access to the device if configured for linecard redundancy. This can be exploited by an attacker to gain complete control of the device.

Workaround: change the community string.

Handler comments: When linecard redundancy is enabled on a Cisco uBR10012 series device, SNMP is also automatically enabled with a default community string of "private" that has read/write privileges. Since there are no access restrictions on this community string, it may be exploited by an attacker to gain complete control of the device. SNMP can use UDP, so the source IP is spoofable, which may negate the effect of an ACL intended to limit your exposure.

cisco-sa-20080924-multicast

Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition.

Workaround: specify trusted PIM neighbors and/or enable infrastructure ACLs to limit exposure.

Handler comments: The PIM source IP is spoofable, which may negate the effect of an ACL intended to limit your exposure.

cisco-sa-20080924-sccp

A series of segmented Skinny Call Control Protocol (SCCP) messages may cause a Cisco IOS device that is configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to reload.

Handler comments: Infrastructure ACLs and on-device ACLs should be viable mitigations but are not mentioned in the Cisco advisory. Moving the port from the default of 2000 would also make this a bit harder to exploit; you would need to modify the port on both the call manager and the IOS device supporting SCCP.

cisco-sa-20080924-iosfw

Cisco IOS software configured for IOS firewall Application Inspection Control (AIC) with an HTTP application-specific policy is vulnerable to a denial of service when processing a specific malformed HTTP transit packet. Successful exploitation may result in a reload of the affected device.

Handler comments: No workaround other than disabling HTTP deep packet inspection.

cisco-sa-20080924-l2tp

Several features enable the L2TP management daemon process within Cisco IOS software, including but not limited to Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP) and Cisco Virtual Private Dial-Up Networks (VPDN). Once this process is enabled the device is vulnerable.

Workaround: enable infrastructure ACLs to limit exposure.

Handler comments: L2TP can use UDP, so the source IP is spoofable, which may negate the effect of an ACL intended to limit your exposure.
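As an added illustration of the cisco-sa-20080924-ubr workaround ("change the community string") and of the spoofing caveat in its handler comments, here is a constructed IOS configuration fragment; it is not from the Cisco advisory or from this diary. The management station address 192.0.2.10, access list 10 and the community string are assumptions.

```cisco
! Constructed example, not taken from the Cisco advisory or the ISC diary.
! Weak state described for a uBR10012 with linecard redundancy enabled:
! SNMP comes up with the default read/write community and no access list,
! equivalent to the line below.
!   snmp-server community private RW
!
! Hardened replacement. 192.0.2.10 (management station), access list 10
! and the community string are assumptions; use your own long random string.
no snmp-server community private
!
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log
!
snmp-server community REPLACE-WITH-LONG-RANDOM-STRING RW 10
!
! Verify that "private" is gone and only the new community remains:
!   show snmp community
!
! Caveat from the handler comments: SNMP runs over UDP, so a spoofed
! source address can pass access list 10. The non-default community
! string is the control that matters; the access list only narrows exposure.
```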

(*): ISC rating

  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

Happy Patching

Don & Mark
