Cisco Security Advisory: TCP Vulnerabilities in Multiple Non-IOS-Based Cisco Products
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: TCP Vulnerabilities in Multiple Non-IOS Cisco
Products
Revision 1.0
For Public Release 2004 April 20 21:00 UTC (GMT)
- -------------------------------------------------------------------------
Summary
=======
A vulnerability in the Transmission Control Protocol (TCP) specification
(RFC793) has been discovered by an external researcher. The successful
exploitation enables an adversary to reset any established TCP connection
in a much shorter time than was previously discussed publicly. Depending
on the application, the connection may get automatically re-established.
In other cases, a user will have to repeat the action (for example, open
a new Telnet or SSH session). Depending upon the attacked protocol, a
successful attack may have additional consequences beyond terminated
connection which must be considered. This attack vector is only
applicable to the sessions which are terminating on a device (such as a
router, switch, or computer), and not to the sessions that are only
passing through the device (for example, transit traffic that is being
routed by a router). In addition, the attack vector does not directly
compromise data integrity or confidentiality.
All Cisco products which contain a TCP stack are susceptible to this
vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml,
and it describes this vulnerability as it applies to Cisco products that
do not run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that
run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml.
Affected Products
=================
Products which contain a TCP stack are susceptible to this vulnerability.
All Cisco products and models are affected. The severity of the exposure
depends upon the protocols and applications that utilize TCP.
The nonexhaustive list of vulnerable non-IOS based Cisco products is as
follows:
* Access Registrar
* BPX, IGX, MGX WAN switches, and the Service Expansion Shelf
* BR340, WGB340, AP340, AP350, BR350 Cisco/Aironet wireless products
* Cache Engine 505 and 570
* CallManager
* Catalyst 1200, 1900, 28xx, 29xx, 3000, 3900, 4000, 5000, 6000
* Cisco 8110 Broadband Network Termination Unit
* Cisco Element Management Framework
* Cisco Info Center
* Cisco Intelligent Contact Management
* Cisco MDS 9000
* Cisco ONS 15190/15194 IP Transport Concentrator
* Cisco ONS 15327 Metro Edge Optical Transport Platform
* Cisco ONS 15454 Optical Transport Platform
* Cisco ONS 15531/15532 T31 OMDS Metro WDM System
* Cisco ONS 15800/15801/15808 Dense Wave Division Multiplexing Platform
* Cisco ONS 15830 T30 Optical Amplification System
* Cisco ONS 15831/15832 T31 DWDM System
* Cisco ONS 15863 T31 Submarine WDM System
* Content Router 4430 and Content Delivery Manager 4630 and 4650
* Cisco Secure Intrusion Detection System (NetRanger) appliance and IDS
Module
* Cisco Secure PIX firewall
* Cisco ws-x6608 and ws-x6624 IP Telephony Modules
* CiscoWorks Windows
* Content Engine 507, 560, 590, and 7320
* CSS11000 (Arrowpoint) Content Services Switch
* Hosting Solution Engine
* User Registration Tool VLAN Policy Server
* Cisco FastHub 300 and 400
* CR-4430-B
* Device Fault Manager
* Internet CDN Content Engine 590 and 7320, Content Distribution
Manager 4670, and Content Router 4450
* IP Phone (all models including ATA and VG248)
* IP/TV
* LightStream 1010
* LightStream 100 ATM Switches
* LocalDirector
* ME1100 series
* MicroHub 1500,MicroSwitch 1538/1548
* Voice Manager
* RTM
* SN5400 series storage routers
* Switch Probe
* Unity Server
* VG248 Analog Phone Gateway
* Traffic Director
* WAN Manager
Products Confirmed Not Vulnerable
=================================
The following products are not vulnerable:
* Cisco VPN 3000 Series Concentrators
* Cisco Firewall Services Module for Cisco Catalyst 6500 Series and
Cisco 7600 Series (FWSM)
Details
======
TCP is the transport layer protocol designed to provide
connection-oriented reliable delivery of a data stream. To accomplish
this, TCP uses a mixture of flags to indicate state and sequence numbers
to identify the order in which the packets are to be reassembled. TCP
also provides a number, called an acknowledgement number, that is used to
indicate the sequence number of the next packet expected. The packets are
reassembled by the receiving TCP implementation only if their sequence
numbers fall within a range of the acknowledgement number (called a
"window"). The acknowledgement number is not used in a packet with the
reset (RST) flag set because a reset does not expect a packet in return.
The full specification of the TCP protocol can be found at
http://www.ietf.org/rfc/rfc0793.txt leavingcisco.com .
According to the RFC793 specification, it is possible to reset an
established TCP connection by sending a packet with the RST or
synchronize (SYN) flag set. In order for this to occur, the 4-tuple must
be known or guessed (source and destination IP address and ports)
together with a sequence number. However, the sequence number does not
have to be an exact match; it is sufficient to fall within the advertised
window. This significantly decreases the effort required by an adversary:
the larger the window, the easier it is to reset the connection. While
source and destination IP addresses may be relatively easy to determine,
the source TCP port must be guessed. The destination TCP port is usually
known for all standard services (for example, 23 for Telnet, 80 for
HTTP). Many operating systems (OSs) use predictable ephemeral ports for
known services with a predictable increment (the next port which will be
used for a subsequent connection). These values, while constant for a
particular OS and protocol, do vary from one OS release to another.
Here is an example of a normal termination of a TCP session:
Host(1) Host(2)
| |
| |
| ACK ack=1001, window=5000 |
|<----------------------------|
| |
Host(1) is
closing the session
| RST seq=1001 |
|---------------------------->|
| |
Host(2) is
closing the session
In addition, the following scenario is also permitted:
Host(1) Host(2)
| |
| |
| ACK ack=1001, window=5000 |
|<----------------------------|
| |
Host(1) is
closing the session
| RST seq=4321 |
|---------------------------->|
| |
Host(2) is
closing the session
Note how the RST packet was able to terminate the session although the
sequence number was not the next expected one (which is 1001). It was
sufficient for the sequence number to fall within the advertised
"window". In this example, Host(2) was accepting sequence numbers from
1001 to 6001 and 4321 is clearly within the acceptable range.
As a general rule, all protocols where a TCP connection stays established
for longer than one minute should be considered exposed.
Impact
======
The impact is different for each specific protocol. While, in the
majority of cases, a TCP connection will be automatically re-established,
in some specific protocols a second order of consequences may have a
larger impact than tearing down the connection itself. The Cisco PSIRT
has analyzed multiple TCP-based protocols, as they are used within our
offering, and we believe that this vulnerability does not have a
significant impact on them. We will present our analysis for a few
protocols which have the potential for higher impact due to the long
lived connections.
Voice signaling H.225, H.245 (part of H.323 suite)
- --------------------------------------------------
H.225 and H.245 protocols are used in voice signaling. Their purpose is
to negotiate parameters for content transfer (voice or video). The
established sessions persist for the duration of a call. Any call in
progress is terminated when the signaling session is broken. A new
signaling session will be established immediately for the new call, but
terminated calls cannot be re-established.
Each call from an IP telephone or softphone will result in the creation
of a single signaling session. Terminating that signaling session affects
only a single user. It is possible that a single signaling session is
responsible for multiple calls, but that setup is used deeper within the
Service Provider's network. Determining all necessary parameters for
mounting an attack is deemed a non-trivial task if the network is
designed according to the current best practices.
Network Storage (iSCSI, FCIP)
- -----------------------------
Network Storage products use two TCP-based protocols: SCSI over IP
(iSCSI) and Fiber Channel over IP (FCIP).
* SCSI over IP (iSCSI)
iSCSI is used in a client/server environment. The client is your
computer and it is only the client that initiates a connection. This
connection is not shared with any other users. A separate session is
established for each virtual device used. Terminating the session
will not have any adverse consequences if people are using current
drivers from Microsoft for Windows and from Cisco for Linux. These
drivers will re-establish the session and continue transfer from the
point where it was disconnected. Drivers from other vendors may
behave differently.
The user may notice that access to a virtual device is slightly
slower than usual.
* Fiber Channel over IP (FCIP)
FCIP is a peer-to-peer protocol. It is used for mirroring data
between switches. Each peer can initiate the session. Switches can,
and should be in practice, configured in a mesh. Bringing one link
down will cause traffic to be re-routed over other link(s). If an
adversary can manage to terminate the session multiple times in a
row, the user's application may terminate with a "Device unreachable"
or similar error message. This does not have any influence on the
switch itself and the user can retry the operation.
The user may notice that access to a virtual device is slightly
slower than usual. An occasional error message is possible.
Transport Layer Security/Secure Socket Layer (TLS/SSL)
- ------------------------------------------------------
Since this vulnerability operates on a TCP layer, encryption does not
provide any protection. SSL/TLS connections can be used to encapsulate
various kinds of traffic and these sessions can be long lived. A
successful exploitation does not impact confidentiality of the data. An
encrypted session can be attacked either on the originating or
terminating host or on the firewalls in front of them (if they exist).
Software Versions and Fixes
===========================
+----------------+------------+--------------+
| Product | Defect ID | Intended |
| | | First Fixed |
| | | Release |
+----------------+------------+--------------+
| LAN Switching |
+----------------+------------+--------------+
| Catalyst 1200, | CSCed32349 | No software |
| 1900, 28xx, | ( | availability |
| 29xx, 3000, | registered | date has |
| 3900, 4000, | customers | been |
| 5000, 6000 | only) | determined |
| | | yet. |
+----------------+------------+--------------+
| Catalyst 1900 | | 9.00.07 |
| and 2820 | | Available on |
| | | 2004-Apr-27 |
+----------------+------------+--------------+
| Network Storage |
+----------------+------------+--------------+
| Cisco MDS 9000 | CSCed45453 | 1.3(3.8), |
| Family | ( | 2.0(0.51) |
| | registered | |
| | customers | |
| | only) | |
+----------------+------------+--------------+
| Voice Products |
+----------------+------------+--------------+
| WS-6624 analog | CSCee22691 | No software |
| station | ( | availability |
| gateway module | registered | date has |
| for the | customers | been |
| Catalyst 6500 | only) | determined |
| | | yet. |
+----------------+------------+--------------+
| Wireless Products |
+----------------+------------+--------------+
| Cisco Aironet | CSCee22526 | No software |
| Access Point | ( | availability |
| 340, 350, 1200 | registered | date has |
| Series (only | customers | been |
| VxWorks-based) | only) | determined |
| | | yet. |
| | | Customers |
| | | are |
| | | encouraged |
| | | to migrate |
| | | to IOS. |
+----------------+------------+--------------+
| Security Products |
+----------------+------------+--------------+
| Cisco PIX | CSCed91445 | 6.3.3.132, |
| Firewall | ( | 6.2.3.109, |
| | registered | and |
| | customers | 6.1.5.103 |
| | only) | availability |
| | | estimate: |
| | | 2004-Apr-21 |
+----------------+------------+--------------+
| Optical Products |
+----------------+------------+--------------+
| Cisco ONS | CSCed73026 | 4.62, 4.14, |
| 15327, 15454, | ( | 2.25, |
| 15454SDH and | registered | Available |
| 15600 Optical | customers | 2004-Apr-27 |
| Transport | only) | |
| Platform | | |
+----------------+------------+--------------+
Obtaining Fixed Software
========================
Customers with Service Contracts
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third-party Support Organizations
Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations such as
Cisco Partners, authorized resellers, or service providers should contact
that support organization for assistance with the upgrade, which should
be free of charge.
Customers without Service Contracts
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@xxxxxxxxx
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized telephone
numbers and instructions and e-mail addresses for use in various
languages.
Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades
for non-contract customers must be requested through the TAC.
Please do not contact either "psirt@xxxxxxxxx" or
"security-alert@xxxxxxxxx" for software upgrades.
Workarounds
===========
The effectiveness of any workaround is dependent on specific customer
situations such as product mix, network topology, traffic behavior, and
organizational mission. Due to the variety of affected products and
releases, customers should consult with their service provider or support
organization to ensure any applied workaround is the most appropriate for
use in the intended network before it is deployed.
There are no workarounds available to mitigate the effects of this
vulnerability.
It is possible to mitigate the exposure on this vulnerability by applying
anti-spoofing measures on the edge of the network.
By enabling Unicast Reverse Path Forwarding (uRPF), all spoofed packets
will be dropped at the first device. To enable uRPF, use the following
commands.
router(config)#ip cef
router(config)#ip verify unicast reverse-path
Please consult http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/
products_configuration_guide_chapter09186a00800ca7d4.html and ftp://
ftp-eng.cisco.com/cons/isp/security/URPF-ISP.pdf for further descriptions
of how uRPF works and how to configure it in various scenarios. This is
especially important if you are using asymmetric routing.
Access control lists (ACLs) should also be deployed as close to the edge
as possible. Unlike uRPF, you must specify the exact IP range that is
permitted. Specifying which addresses should be blocked is not the
optimal solution because it tends to be harder to maintain.
Caution: In order for anti-spoofing measures to be effective,
they must be deployed at least one hop away from the devices which are
being protected. Ideally, they will be deployed at the network edge.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious use
of the vulnerability described in this advisory.
The exploitation of the vulnerability with packets having RST flag set
(reset packets) was discovered by Paul (Tony) Watson of OSVDB.org. The
extension of the attack vector to packets with SYN flag set and data
injection was discovered by the vendors cooperating on the resolution of
this issue.
Status of This Notice: INTERIM
==============================
This is a INTERIM advisory. Although Cisco cannot guarantee the accuracy of
all statements in this advisory, all of the facts have been checked to
the best of our ability. Cisco does not anticipate issuing updated
versions of this advisory unless there is some material change in the
facts. Should there be a significant change in the facts, Cisco may
update this advisory.
A stand-alone copy or Paraphrase of the text of this Security Advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain factual
errors.
Distribution
============
This advisory will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients:
* cust-security-announce@xxxxxxxxx
* first-teams@xxxxxxxxx (includes CERT/CC)
* bugtraq@xxxxxxxxxxxxxxxxx
* vulnwatch@xxxxxxxxxxxxx
* cisco@xxxxxxxxxxxxxxxxx
* cisco-nsp@xxxxxxxxxxxxxxx
* full-disclosure@xxxxxxxxxxxxxxxx
* comp.dcom.sys.cisco@xxxxxxxxxxxxxxxxxx
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged to
check the above URL for any updates.
Revision History
================
+----------+-------------+----------------+
| Revision | 2004-Apr-20 | Initial public |
| 1.0 | | release. |
+----------+-------------+----------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at http://www.cisco.com/warp/public/707/
sec_incident_response.shtml. This includes instructions for press
inquiries regarding Cisco security notices. All Cisco security advisories
are available at http://www.cisco.com/go/psirt.
- -------------------------------------------------------------------------
All contents are Copyright © 1992-2004 Cisco Systems, Inc. All rights
reserved. Important Notices and Privacy Statement.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Cygwin)
iD8DBQFAhZkLezGozzK2tZARAqOPAJ93E8YhxvOmTOKONt2dmS7MaKAuZwCgpM4v
dYZpMVhISXLJDR2jwY4dfuU=
=8VGK
-----END PGP SIGNATURE-----