Cisco IOS Subject to DoS

Reported April 20, 2000 by Cisco Systems
VERSIONS AFFECTED
  • Cisco IOS software release 11.3AA, and 12.0 releases 12.0(2) up to and including 12.0(6) and 12.0(7), except that 12.0(7)S, 12.0(7)T, and 12.0(7)XE are not vulnerable
  • Hardware:
    • AS5200, AS5300, and AS5800 series access servers
    • 7200 and 7500 series routers
    • uBR7200 series cable routers
    • 7100 series routers
    • 3660 series routers
    • SC3640 System Controllers
    • AS5800 series Voice Gateway products
    • AccessPath LS-3, TS-3, and VS-3 Access Solutions

DESCRIPTION

Some security scanners test for two particular security vulnerabilities associated with several UNIX-based platforms. When those tests are run against the affected Cisco hardware and software, they cause a denial of service against the device.

During the tests, the scanner asserts the Telnet ENVIRON option (option 36) before the router has indicated that it is willing to accept it, which causes the router to reload unexpectedly. The trigger is not specific to scanner software: any client that can open a Telnet connection to the router can send the same out-of-order option, so reachability of the Telnet service (TCP port 23) is the condition that matters.
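The negotiation failure described above, as an added example written for this page (not Cisco's code and not a scanner's code): a small telnet option-negotiation tracker that parses the IAC commands in a captured byte stream and flags a client that subnegotiates ENVIRON (option 36) before the server has sent DO for it. It assumes that "asserting" the option means sending an ENVIRON subnegotiation (IAC SB 36 ... IAC SE); the two sample exchanges at the bottom are constructed, not captured from a real router. This is detection logic for a capture or an IDS hook, not a way to trigger the reload.

```python
# Added example: track telnet option negotiation and flag a client that uses
# the ENVIRON option (36) before the server has agreed to it. Illustration
# written for this advisory page, not Cisco code. "Asserting" the option is
# assumed to mean sending an ENVIRON subnegotiation (IAC SB 36 ... IAC SE).

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
ENVIRON = 36  # RFC 1408 ENVIRON option (NEW-ENVIRON, RFC 1572, is option 39)


def parse_commands(stream):
    """Yield (verb, option, payload) for each IAC command in a telnet byte
    stream. Plain data bytes are skipped; IAC IAC is an escaped 0xFF data byte.
    Subnegotiations are returned as (SB, option, payload_without_IAC_SE)."""
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            i += 1
            continue
        if i + 1 >= n:
            break  # truncated IAC at the end of the chunk
        verb = stream[i + 1]
        if verb == IAC:  # escaped data byte, not a command
            i += 2
        elif verb in (WILL, WONT, DO, DONT):
            if i + 2 >= n:
                break
            yield verb, stream[i + 2], b""
            i += 3
        elif verb == SB:
            if i + 2 >= n:
                break
            opt = stream[i + 2]
            payload = bytearray()
            j = i + 3
            while j < n:
                if stream[j] == IAC and j + 1 < n and stream[j + 1] == SE:
                    j += 2
                    break
                if stream[j] == IAC and j + 1 < n and stream[j + 1] == IAC:
                    payload.append(IAC)  # escaped 0xFF inside the subnegotiation
                    j += 2
                    continue
                payload.append(stream[j])
                j += 1
            yield SB, opt, bytes(payload)
            i = j
        else:  # two-byte commands (NOP, AYT, ...) carry no option byte
            yield verb, None, b""
            i += 2


def audit_negotiation(exchange, option=ENVIRON):
    """exchange: ordered list of (side, bytes) with side "client" or "server".
    Returns a finding for every client subnegotiation of `option` that arrives
    before the server has sent DO for that option (i.e. before the server
    said it is willing to accept it)."""
    server_accepts = set()
    findings = []
    for side, chunk in exchange:
        for verb, opt, _payload in parse_commands(chunk):
            if side == "server" and verb == DO:
                server_accepts.add(opt)
            elif side == "server" and verb == DONT:
                server_accepts.discard(opt)
            elif side == "client" and verb == SB and opt == option and opt not in server_accepts:
                findings.append(f"client sent SB {opt} before server sent DO {opt}")
    return findings


# Constructed sample traffic (not a real capture). ENVIRON IS with an empty
# variable list: IAC SB 36 IS(0) IAC SE.
ENVIRON_IS = bytes([IAC, SB, ENVIRON, 0, IAC, SE])

# A well-behaved client offers WILL ENVIRON and waits for DO before using it.
WELL_BEHAVED = [
    ("server", bytes([IAC, DO, 24])),          # server: DO TERMINAL-TYPE
    ("client", bytes([IAC, WILL, ENVIRON])),   # client offers ENVIRON
    ("server", bytes([IAC, DO, ENVIRON])),     # server accepts it
    ("client", ENVIRON_IS),                    # now the subnegotiation is in order
]

# A scanner-style client sends the ENVIRON subnegotiation unsolicited.
PREMATURE = [
    ("server", bytes([IAC, DO, 24])),
    ("client", bytes([IAC, WILL, ENVIRON]) + ENVIRON_IS),
]

if __name__ == "__main__":
    for name, exchange in (("well-behaved", WELL_BEHAVED), ("premature", PREMATURE)):
        print(name, audit_negotiation(exchange) or "no findings")
```

Run as a script it reports no findings for the orderly exchange and one finding for the premature one; in practice the per-connection client and server byte streams would come from a packet capture rather than the constructed lists.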

VENDOR RESPONSE

According to Cisco's bulletin, "Cisco is offering free software upgrades to remedy this vulnerability for all affected customers. Customers with service contracts may upgrade to any software version. Customers without contracts may upgrade only within a single row of the table above, except that any available fixed software will be provided to any customer who can use it and for whom the standard fixed software is not yet available. Customers may install only the feature sets they have purchased.

Workarounds
===========

The vulnerability described in this notice can only be exploited if the Telnet service is configured on the affected system and reachable from the attacker's computer. The following recommendations provide an interactive login capability without using the Telnet service, thus mitigating the threat in lieu of a software upgrade while preserving remote access to the router for administrative purposes:

  • Prevent access using the Telnet service by defining an appropriate access control list and applying it to the vty line or the router's interfaces using the "access-group" keyword. Security can be increased further by restricting both the virtual terminal lines and the router's physical interfaces with two access-groups, one to control who can connect to the vtys, and the other on the interfaces to control from where those connections can be attempted.
  • Disable Telnet and use SSH (if it is available to you) to connect to the router for administrative purposes. After "line vty 0 4" in the router's configuration, add "transport input ssh". This stipulates that only the SSH protocol may be used for interactive logins to the router. As of the date of this notice, SSH is only available on certain products: 7200, 7500, and 12000 series running Cisco IOS software releases such as 12.0S, 12.1S, and 12.1T.
  • Disable interactive network logins to the router completely by removing the "line" command such that virtual consoles are never enabled. Use an out-of-band method to log in to and administer the router, such as a hard-wired console. Consider connecting the console to a terminal server which itself is only reachable via a separate parallel network that in turn is restricted by site policy exclusively for administrative purposes.

The wide variety of customer configurations makes it impossible to judge the effectiveness and relative merits of these workarounds in lieu of a software upgrade. Customers are cautioned to evaluate these recommendations carefully with regard to their specific network configurations."

Cisco's original bulletin can be found at this URL.
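The three workarounds from the bulletin, as an added configuration example written for this page (not taken from the Cisco bulletin). It assumes a management subnet of 192.0.2.0/24, an untrusted-facing interface named Serial0, a hostname and domain name of router1 and example.net, and a local user named admin; all of these are placeholders. One detail worth stating plainly, since the bulletin's wording blurs it: on a vty line an ACL is applied with the "access-class" keyword, while "ip access-group" is the keyword for interfaces. The last stanza uses "transport input none", which disables network logins on the vtys without having to remove the line stanza itself.

```cisco
! --- Workaround 1: restrict who may reach the Telnet service ---
! Standard ACL naming the management hosts (192.0.2.0/24 is a placeholder).
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
!
! Applied to the virtual terminal lines: controls who may connect to the vtys.
line vty 0 4
 access-class 10 in
!
! Second layer on the untrusted-facing interface: controls from where a
! connection to TCP/23 may even be attempted. Serial0 is a placeholder.
access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq telnet
access-list 101 deny   tcp any any eq telnet log
access-list 101 permit ip any any
interface Serial0
 ip access-group 101 in
!
! --- Workaround 2: SSH only (platforms and releases that support it) ---
! RSA key generation requires the hostname and domain name to be set first;
! "crypto key generate rsa" prompts interactively for the modulus size.
hostname router1
ip domain-name example.net
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
username admin password REPLACE-WITH-A-STRONG-PASSWORD
line vty 0 4
 login local
 transport input ssh
!
! --- Workaround 3: no interactive network logins at all; console only ---
line vty 0 4
 transport input none
```

Apply workaround 1 on every affected device regardless of the others; it reduces the population of hosts that can send the out-of-order option to the management subnet. Workaround 2 only helps where the image supports SSH, and workaround 3 leaves the hard-wired console (or an out-of-band terminal server) as the only administrative path, so confirm that path works before committing the change on a remote router.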

CREDITS
Discovered and reported by Cisco Systems