Thursday, October 8, 2009

CERT-In Advisory CIAD-2009-47


Cisco IOS Multiple Vulnerabilities
http://www.cert-in.org.in/advisory/ciad-2009-47.htm
Original Issue Date: October 07, 2009

Severity Rating: High

System Affected

Cisco IOS 12.x
Cisco IOS R12.x
Cisco IOS XE 2.1.x
Cisco IOS XE 2.2.x
Cisco IOS XE 2.3.x

Overview

Multiple vulnerabilities have been reported in Cisco IOS, which can be
exploited by malicious people to cause a DoS (Denial of Service), bypass
certain security restrictions, disclose sensitive information, or
compromise a vulnerable device.

Description

1. IP Tunnels Remote Denial of Service Vulnerability
    (CVE-2009-2873)

This vulnerability exists in the Cisco Express Forwarding feature when a
device is configured to use IP-based tunnels.  An unauthenticated, remote
attacker could exploit this vulnerability by sending crafted malformed
packets to the affected device.  Such requests could cause the system to
reload, resulting in a Denial of Service condition.

Workaround

Administrators may consider disabling Cisco Express Forwarding.

2. Crafted Encryption Packet Remote Denial of Service Vulnerability
    (CVE-2009-2871)

The vulnerability is due to an unspecified error that could occur when the
vulnerable device handles encryption packets for SSL VPN, SSH, or IKE
security nonces. An unauthenticated, remote attacker could send specially
crafted packets to TCP ports 22 (for SSH) or 443 (for SSLVPN) or UDP ports
500 and 4500 (for IKE Encrypted Nonces), which could cause the device to
reload, resulting in a Denial of Service condition.

Workarounds

Administrators may consider disabling all of the affected features.
Administrators may mitigate this vulnerability for SSH by using access
control lists (ACLs) in local firewalls to restrict access to TCP port 22
to trusted IP addresses.

3. NTPv4 Remote Denial of Service Vulnerability
    (CVE-2009-2869)

Cisco IOS Software with support for Network Time Protocol version 4 (NTPv4)
contains a vulnerability in the processing of specific NTP packets. An
unauthenticated, remote attacker could send a crafted NTP packet to UDP
port 123; the affected device attempts to create a reply packet, which in
turn reloads the device, causing a Denial of Service (DoS) condition.

Workarounds

Administrators may consider disabling NTP.
Administrators may consider using only broadcast-based association on
affected systems.
Administrators may consider enabling Unicast Reverse Path Forwarding
(Unicast RPF) and implementing IP-based access control lists (ACLs) to
restrict access to UDP port 123 to trusted systems.

4. Zone-Based Policy Firewall Session Initiation Protocol Inspection
Remote Denial of Service Vulnerability
    (CVE-2009-2867)

The vulnerability exists due to an unspecified error in the handling of
transiting Session Initiation Protocol (SIP) packets on systems that are
configured with Cisco IOS Zone-Based Policy Firewall SIP Inspection
enabled. An unauthenticated, remote attacker could exploit this
vulnerability by sending a crafted SIP packet through the affected
firewall. When the affected device inspects the packet, the device may
reload, resulting in a DoS condition.

Workaround

Administrators may consider disabling Cisco IOS Zone-Based Policy Firewall
SIP inspection.

5. Object Groups for Access Control Lists Security Bypass Vulnerability
    (CVE-2009-2862)

The vulnerability exists in the implementation of the Object Groups for
Access Control Lists (ACLs) feature.  An unauthenticated, remote attacker
could make crafted requests to the affected device to bypass security ACLs
and gain unauthorized access to protected networks.

Workarounds

Administrators may consider disabling the Object Groups for ACLs feature.
Administrators are advised to implement an intrusion prevention system
(IPS) or intrusion detection system (IDS) to help detect and prevent
attacks.

6. Authentication Proxy Bypass Vulnerability
    (CVE-2009-2863)

This vulnerability is due to an error within the Cisco IOS Software
authentication proxy feature. A race condition exists when processing
requests to the proxy. An unauthenticated, remote attacker could exploit
this vulnerability by sending a malicious request to the affected system
with another active proxy session. Upon successful exploitation, the
attacker could establish a proxy session with the privileges of another
user, which could allow the attacker to access restricted resources.

7. H.323 Remote Denial of Service Vulnerability
    (CVE-2009-2866)

H.323 is the ITU standard for real-time multimedia communications and
conferencing over packet-based (IP) networks.

The vulnerability is in the H.323 processing component of the affected
systems when it handles crafted H.323 packets on TCP port 1720.  When the
system tries to process these packets, it may reload, resulting in a DoS
condition.

8. Internet Key Exchange Resource Exhaustion Vulnerability
    (CVE-2009-2868)

IKE is a key management protocol that implements the Oakley and SKEME key
exchanges inside the Internet Security Association and Key Management
Protocol (ISAKMP) framework.

This vulnerability is due to an error that may occur when the IKE protocol
is configured for certificate-based authentication. Crafted requests to the
system could cause the system to expend all available Phase 1 security
associations (SAs) that are used to create new IPsec sessions.

Successful exploitation leads to a DoS condition on IPsec, as no new IPsec
sessions can be created until Phase 1 SAs have been de-allocated.

9. SIP Remote Denial of Service Vulnerability
    (CVE-2009-2870)

SIP is a popular signaling protocol that is used to manage voice and video
calls across IP networks such as the Internet.

The vulnerability exists in the SIP processing component of the Cisco IOS
Software when devices are running a Cisco IOS image that contains the Cisco
Unified Border Element (a Cisco IOS Software image that runs on Cisco
multiservice gateway platforms) feature. This vulnerability is triggered by
processing a series of crafted SIP messages sent to the affected system on
TCP or UDP port 5060 or TCP port 5061, resulting in a DoS condition.

Workarounds

Administrators are advised to implement anti-spoofing techniques at the
network edge.
Administrators may consider using IP-based access control lists (ACLs) to
allow only trusted systems to access the affected systems on the affected
ports.

10. Bad Packet Tunnel-to-Tunnel Remote Denial of Service Vulnerability
    (CVE-2009-2872)

A tunnel protocol encapsulates a wide variety of protocol packet types
inside IP tunnels, creating a virtual point-to-point link between
internetworking devices over an IP network.

The vulnerability is in the Cisco Express Forwarding feature when a device
is configured to use Generic Routing Encapsulation (GRE), IPinIP, Generic
Packet Tunneling in IPv6 or IPv6 over IP tunnels.

An unauthenticated, remote attacker could exploit this vulnerability by
sending crafted malformed packets to the affected device, causing the
system to reload and resulting in a DoS condition.

Workarounds

Administrators may consider disabling Cisco Express Forwarding.
Administrators may consider disabling Cisco Express Forwarding on Tunnel
Interfaces.
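The ACL-based workarounds of items 2, 3 and 9 and the tunnel-interface CEF workaround of item 10, drawn together into one Cisco IOS configuration fragment. This is an added example, not text from the advisory or from Cisco; the addresses (198.51.100.1 for the router, 192.0.2.0/24 for management hosts, 192.0.2.123 as the NTP source, 203.0.113.1 as the only IKE peer) and the interface names are assumptions.

```cisco
! Added example (not from the advisory or Cisco): an infrastructure ACL plus
! Unicast RPF on the untrusted interface, limiting the device-terminated
! services named in this advisory to trusted hosts. Assumed values: router
! address 198.51.100.1, management hosts 192.0.2.0/24, NTP source
! 192.0.2.123, IKE peer 203.0.113.1, interface names.
ip access-list extended INFRA-PROTECT
 remark SSH (item 2): management hosts only
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq 22
 deny   tcp any host 198.51.100.1 eq 22
 remark SSL VPN (item 2): feature not in use here, so deny it to the router
 deny   tcp any host 198.51.100.1 eq 443
 remark IKE (item 2 ports; the same exchange as item 8): configured peer only
 permit udp host 203.0.113.1 host 198.51.100.1 eq 500
 permit udp host 203.0.113.1 host 198.51.100.1 eq 4500
 deny   udp any host 198.51.100.1 eq 500
 deny   udp any host 198.51.100.1 eq 4500
 remark NTP (item 3): trusted time source only
 permit udp host 192.0.2.123 host 198.51.100.1 eq 123
 deny   udp any host 198.51.100.1 eq 123
 remark H.323 and SIP (items 7 and 9): deny unless this device is a voice gateway
 deny   tcp any host 198.51.100.1 eq 1720
 deny   tcp any host 198.51.100.1 eq 5060
 deny   udp any host 198.51.100.1 eq 5060
 deny   tcp any host 198.51.100.1 eq 5061
 remark repeat the deny lines for every other address the device owns
 remark (loopbacks, other interfaces); transit traffic is left to normal policy
 permit ip any any
!
interface GigabitEthernet0/0
 description Untrusted side (assumed interface name)
 ip access-group INFRA-PROTECT in
 ! Unicast RPF strict mode (item 3 workaround, and anti-spoofing for item 9):
 ! drop packets whose source is not reachable back out this interface. Use
 ! "reachable-via any" (loose mode) where routing is asymmetric. uRPF needs
 ! CEF, which is why CEF is switched off only on the tunnel interface below.
 ip verify unicast source reachable-via rx
!
interface Tunnel0
 description GRE tunnel (assumed); item 10 workaround, at a throughput cost
 no ip route-cache cef
```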


Solution

The vendor has issued a fix. Details are available in the Cisco Security
Advisories referenced below.

Vendor Information

CISCO
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep09.html

References

CISCO
http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-auth-proxy.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-h323.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ios-fw.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ipsec.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ntp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-sip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-tls.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml

VUPEN
http://www.vupen.com/english/advisories/2009/2759

Secunia
http://secunia.com/advisories/36835/

SecurityTracker
http://securitytracker.com/alerts/2009/Sep/1022930.html
http://securitytracker.com/alerts/2009/Sep/1022933.html
http://securitytracker.com/alerts/2009/Sep/1022934.html
http://securitytracker.com/alerts/2009/Sep/1022935.html

CVE Name
CVE-2009-2862
CVE-2009-2863
CVE-2009-2866
CVE-2009-2867
CVE-2009-2868
CVE-2009-2869
CVE-2009-2870
CVE-2009-2871
CVE-2009-2872
CVE-2009-2873

Disclaimer

The information provided herein is on "as is" basis, without warranty of
any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


Note: Please do not reply to this e-mail. For further queries contact
CERT-In Information Desk. Email: info@cert-in.org.in


