CISCO bi-annual patch day - SANS Internet Storm Center

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Handler on Duty: Johannes Ullrich

Threat Level: green

CISCO bi-annual patch day

With the numerous CISCO vulnerabilities announced today we thought you might appreciate a table summarising the issues.

The table shows that many of the issues have a work around. Unfortunately, typically this is in the form of disabling the functionality which may not be an option for many of you. CISCO uses the CVSS scoring system which relates the score to the core Confidentiality, Integrity and Availability principles. The higher the score the more important the vendor believes the issue is.

#	Impact/CVE(s)	Exploit	Cisco Rating		Workaround/Fix	ISC Rating*
			Base	Temp
cisco-sa-20080924-iosips	The Cisco IOS Intrusion Prevention System (IPS) feature contains a vulnerability in the processing of certain IPS signatures that use the SERVICE.DNS engine. This vulnerability may cause a router to crash or hang, resulting in a denial of service condition.
	IOS IPS CVE-2008-2739	none known	7.8	6.4	Y/Y	Critical
Handler Comments CISCO IDS is not affected
cisco-sa-20080924-ssl	A Cisco IOS device may crash while processing an SSL packet. This can happen during the termination of an SSL-based session. The offending packet is not malformed and is normally received as part of the packet exchange. Disable services (secure-server, webvpn, or OSP settlement) Limit exposure via ACL
	IOS SSL CVE-2008-3798	none Known	7.8	6.4	Y/Y	Critical
Handler Comments This affects managed using SSL as well. The workaround will disable this.
cisco-sa-20080924-sip	Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS that can be exploited remotely to trigger a memory leak or to cause a reload of the IOS device. Disable services if not needed or limit exposure via ACL
	DOS CVE-2008-3800 CVE-2008-3801 CVE-2008-3802	none known	7.8	6.4	Y/Y	Important
Handler Comments SIP can use UDP -> the src_IP is spoofable which may negate the effects of an ACL intended to limit your exposure.
cisco-sa-20080924-cucm	Cisco Unified Communications Manager, formerly Cisco Unified CallManager, contains two denial of service (DoS) vulnerabilities in the Session Initiation Protocol (SIP) service. An exploit of these vulnerabilities may cause an interruption in voice services.
	DOS CVE-2008-3800 CVE-2008-3801	None known	7.1 7.8	5.9 6.4	Y/Y	Critical
Handler Comments SIP can use UDP -> the src_IP is spoofable which may negate the effects of an ACL intended to limit your exposure. Can be triggered with valid SIP msgs. CUCM Versions > 5.x have SIP enabled by default and it can not be disabled.
cisco-sa-20080924-vpn	Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs
	Data Leak CVE-2008-3803	none known	5.1	4.3	Y/Y	Important
Handler Comments A bug exists when processing extended communities with MPLS VPNs. If extended communities are used, MPLS VPN may incorrectly use a corrupted route target (RT) to forward traffic. If this occurs, traffic can leak from one MPLS VPN to another
cisco-sa-20080924-mfi	Cisco IOS Software Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) is vulnerable to a Denial of Service (DoS) attack from specially crafted packets. Only the MFI is affected by this vulnerability. Older Label Forwarding Information Base (LFIB) implementation, which is replaced by MFI, is not affected.
	DOS CVE-2008-3804	None known	7.8	6.4	N/Y	Critical
Handler Comments An attacker needs to have access to the MPLS network through an MPLS-enabled interface. MPLS packets are dropped on interfaces that are not configured for MPLS. No workaround.
cisco-sa-20080924-ipc	Cisco 10000, uBR10012 and uBR7200 series devices use a User Datagram Protocol (UDP) based Inter-Process Communication (IPC) channel that is externally reachable. An attacker could exploit this vulnerability to cause a denial of service (DoS) condition on affected devices. Filter packets that are sent to 127.0.0.0/8 and towards UDP port 1975
	DOS CVE-2008-3805	None known	8.5	7	Y/Y	Critical
Handler Comments An attacker needs to get a packet with destination address in the 127./8 range to the router which implies directly connected or use of a default route.
cisco-sa-20080924-ubr	Cisco uBR10012 series devices automatically enable Simple Network Management Protocol (SNMP) read/write access to the device if configured for linecard redundancy. This can be exploited by an attacker to gain complete control of the device Change Community String
	DOS CVE-2008-3807	None known	10	8.3	Y/Y	PATCH NOW
Handler Comments When linecard redundancy is enabled on a Cisco uBR10012 series device, SNMP is also automatically enabled with a default community string of private that has read/write privileges. Since there are no access restrictions on this community string, it may be exploited by an attacker to gain complete control of the device. SNMP can use UDP -> the src_IP is spoofable which may negate the effects of an ACL intended to limit your exposure.
cisco-sa-20080924-multicast	Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition Specify trusted PIM neighbors AND/or enable infrastructure acls to limit exposure
	DOS CVE-2008-3809	none known	7.8	6.4	Y/Y	PATCH NOW
Handler Comments PIM src_IP is spoofable which may negate the effects of an ACL intended to limit your exposure
cisco-sa-20080924-sccp	A series of segmented Skinny Call Control Protocol (SCCP) messages may cause a Cisco IOS device that is configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to reload.
	DOS CVE-2008-3810 CVE-2008-3811	None known	7.8	6.4	Y/Y	PATCH NOW
Handler Comments Infrastructure acls and on device acl’s should be viable mitigations but are not mentioned in the cisco advisory. Moving the port from the default of 2000 would also make this a bit harder to exploit. You would need to modify the port on both the call manager and the IOS device supporting sccp.
cisco-sa-20080924-iosfw	Cisco IOS software configured for IOS firewall Application Inspection Control (AIC) with a HTTP configured application-specific policy are vulnerable to a Denial of Service when processing a specific malformed HTTP transit packet. Successful exploitation of the vulnerability may result in a reload of the affected device.
	DOS CVE-2008-3812	None known	7.8	6.4	N/Y	PATCH NOW
Handler Comments No workaround other than disabling HTTP Deep Packet Inspection
cisco-sa-20080924-l2tp	Several features enable the L2TP mgmt daemon process within Cisco IOS software, including but not limited to Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP) and Cisco Virtual Private Dial-Up Networks (VPDN). Once this process is enabled the device is vulnerable. Enable infrastructure acls to limit exposure
	DOS CVE-2008-3813	None known	7.8	6.4	Y/Y	Critical
Handler Comments L2TP can use UDP -> the src_IP is spoofable which may negate the effects of an ACL intended to limit your exposure.

(*): ISC rating

We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

Happy Patching

Don & Mark

donald

206 Posts

Sep 26th 2008

Thread locked Subscribe

Sep 26th 2008
1 decade ago