<<< Date Index >>>     <<< Thread Index >>>

Cisco Security Advisory: Cisco Telnet Denial of Service Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Telnet Denial of Service Vulnerability

Revision 1.0

For Public Release 2004 August 27 1000 UTC

- -------------------------------------------------------------------------

Contents

    Summary
    Affected Products
    Details
    Impact
    Software Versions and Fixes
    Obtaining Fixed Software
    Workarounds
    Exploitation and Public Announcements
    Status of This Notice: INTERIM
    Distribution
    Revision History
    Cisco Security Procedures

- -------------------------------------------------------------------------

Summary
=======

A specifically crafted Transmission Control Protocol (TCP) connection to
a telnet or reverse telnet port of a Cisco device running Internetwork
Operating System (IOS) may block further telnet, reverse telnet, Remote
Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transport
Protocol (HTTP) access to the Cisco device. Telnet, reverse telnet, RSH
and SSH sessions established prior to exploitation are not affected.

All other device services will operate normally. Services such as packet
forwarding, routing protocols and all other communication to and through
the device are not affected.

Cisco will make free software available to address this vulnerability.
Workarounds, identified below, are available that protect against this
vulnerability.

This vulnerability is documented in Cisco bug ID CSCef46191 ( registered
customers only) .

This Advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml.

Affected Products
=================

Vulnerable Products
- -------------------

This vulnerability affects all Cisco devices that permit access via
telnet or reverse telnet and are running an unfixed version of IOS.

Products Confirmed Not Vulnerable
- ---------------------------------

Cisco products that do not run IOS are not affected.

Details
=======

Telnet, RSH and SSH are used for remote management of Cisco IOS devices.
The SSH protocol is also used for Secure Copy (SCP), which allows an
encryption-protected transfer of files to and from Cisco devices.

HTTP is also used for management of certain Cisco devices. IOS versions
prior to12.2(15)T include HTTP server version 1.0, which, if configured,
will be unresponsive on a device that is under exploitation. IOS
versions after and including 12.2(15)T include HTTP server version 1.1,
which is unaffected.

Reverse telnet is a feature that allows you to telnet to a Cisco
device and then connect to a third device through an asynchronous
serial connection. For more information on reverse telnet, consult the
following documents:

http://cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800871ec.html

http://cisco.com/en/US/products/sw/iosswrel/ps1826/products_configuration_guide_chapter09186a00800d9bd8.html

Cisco devices that are operating as a reverse telnet server may have
ports open in the ranges of:

  * 2001 to 2999
  * 3001 to 3099
  * 6001 to 6999
  * 7001 to 7099

After a specially crafted TCP connection to an IOS device on TCP port 23
or the reverse telnet ports listed above, all subsequent telnet, reverse
telnet, RSH (TCP port 514), SSH, SCP (SSH and SCP use TCP port 22), and
in some cases HTTP (TCP port 80) connections to the device experiencing
exploitation will be unsuccessful. Any telnet, reverse telnet, RSH, SSH,
SCP and HTTP sessions that are already established with the device will
continue to function properly.

In Cisco IOS, telnet, reverse telnet, RSH, SSH, SCP and some HTTP
sessions are handled by a virtual terminal (VTY). Each telnet, reverse
telnet, RSH, SSH and SCP session consumes a VTY. After successful
exploitation, the Cisco device can no longer accept any subsequent VTY
connections.

Though it is not possible to establish new telnet, reverse telnet,
RSH, SSH, SCP or HTTP connections to the device after a successful
exploitation, the device is only vulnerable on TCP port 23 and the
reverse telnet ports listed above.

A successful exploitation of this vulnerability requires a complete
3-way TCP handshake, which makes it very difficult to spoof the source
IP address.

Only remote access services that use VTYs are affected. This includes
telnet, reverse telnet, RSH, SSH, SCP and version 1.0 of the HTTP
server. Other device services including, but not limited to, routing
protocols, TACACS/RADIUS, Voice over IP (VoIP) and packet forwarding are
not affected.

This vulnerability is addressed by Cisco bug ID:

  * CSCef46191 ( registered customers only)

To determine the software running on a Cisco product, log in to the
device and issue the show version command to display the system banner.
Cisco IOS software will identify itself as "Internetwork Operating
System Software" or simply "IOS ®". On the next line of output, the
image name will be displayed between parentheses, followed by "Version"
and the IOS release name. Other Cisco devices will not have the show
version command or will give different output.

The following example identifies a Cisco product running IOS release
12.0(3) with an installed image name of C2500-IS-L:

    Cisco Internetwork Operating System Software IOS (TM)
        
    2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE

The release train label is "12.0".

The next example shows a product running IOS release 12.0(2a)T1 with an
image name of C2600-JS-MZ:

    Cisco Internetwork Operating System Software IOS (tm)
    
    C2600 Software (C2600-JS-MZ), Version 12.0(2a)T1, RELEASE SOFTWARE (fc1)

Additional information about Cisco IOS Banners is available at
http://www.cisco.com/en/US/products/sw/iosswrel/ios_abcs_ios_networking_the_enterprise0900aecd800a4e15.html.

Impact
======

Exploitation of this vulnerability may result in the denial of new
telnet, reverse telnet, RSH, SSH, SCP and HTTP connections to a device
running IOS. Other access to the device via the console or SNMP is not
affected. The device will remain in this state until the problematic
TCP connection is cleared, or the device is reloaded (which will clear
the problematic session). If no other access methods are available,
exploitation of this vulnerability could deny remote access to the
device.

Depending on your network architecture, workarounds may be available to
mitigate this vulnerability. Software will be available to repair this
vulnerability.

Software Versions and Fixes
===========================

Cisco is working to release fixes for this vulnerability in all
currently maintained IOS releases. No software upgrade is required
in order to mitigate this vulnerability. See the information below
regarding the available configuration workarounds. The software fixes
will appear in regularly scheduled maintenance releases of IOS software.

As fixed software becomes available for public release, Cisco will
update this section of the advisory.

Obtaining Fixed Software
========================

Customers with Service Contracts
- --------------------------------

As fixed software becomes available, customers with contracts
should obtain the fixed software through their regular update
channels. For most customers, this means that such software should be
obtained through the Software Center on Cisco's worldwide website at
http://www.cisco.com.

Customers using Third-party Support Organizations
- -------------------------------------------------

Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for assistance with the upgrade or
fixed software, which should be free of charge.

Customers without Service Contracts
- -----------------------------------

Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their fixed software by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@xxxxxxxxx

Please have your product serial number available and give the URL of
this notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the TAC.

Please do not contact either "psirt@xxxxxxxxx" or
"security-alert@xxxxxxxxx" for software upgrades.

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.

Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to
be bound by the terms of Cisco's software license terms found
at http://www.cisco.com/public/sw-license-agreement.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Workarounds
===========

The effectiveness of any workaround is dependent on specific customer
situations such as product mix, network topology, traffic behavior, and
organizational mission. Customers should consult with their service provider or
support organization to ensure any applied workaround is the most appropriate
for use in the intended network before it is deployed.

Mitigation Strategies
- ---------------------

Not all of the mitigation strategies listed will work for all customers. Some
of the workarounds listed are dependent on which versions and feature-sets of
IOS you have in your network.

Enabling SSH and disabling telnet
- ---------------------------------

Note: SSH support is only available in certain IOS feature sets and
platforms

Cisco devices that support SSH can enable it by following the steps
listed here:

http://cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7d5.html#1001167

To disable telnet access to the device, configure the following on all
your VTY lines:

    Router(config)# line vty 0 4
    Router(config-line)# transport input ssh 

Note: Even if SSH is enabled, the IOS device is not protected until
telnet access is disabled.

Configuring a VTY Access Class
- ------------------------------

It is possible to limit the exposure of the Cisco device by applying a
VTY access class to permit only known, trusted devices to connect to the
device via telnet, reverse telnet, RSH, SSH or SCP.

For more information on restricting traffic to VTYs, please consult:

http://cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html#wp1017389

Configuring Interface Access Lists (ACLs)
- -----------------------------------------

In addition to configuring a VTY Access Class, it may be desirable to
block all telnet traffic from entering the network. The example below
demonstrates how to block TCP port 23 and the reverse telnet traffic
while permitting all other IP traffic.

    Router(config)# access-list 100 deny tcp any any eq telnet
    Router(config)# access-list 100 deny tcp any any range 2001 2999
    Router(config)# access-list 100 deny tcp any any range 3001 3099
    Router(config)# access-list 100 deny tcp any any range 6001 6999
    Router(config)# access-list 100 deny tcp any any range 7001 7099
    Router(config)# access-list 100 permit ip any any

The access list must then be configured to block inbound traffic on all
public-facing interfaces:

    Router(config)# interface Ethernet 0/0
    Router(config-if)# ip access-group 100 in

Telnet should be blocked as part of a Transit ACL controlling all
access to the trusted network. Transit ACLs are considered a network
security best practice and should be considered as a long-term addition
to good network security, as well as a workaround for this specific
vulnerability. The white paper entitled "Transit Access Control Lists:
Filtering at Your Edge" presents guidelines and recommended deployment
techniques for transit ACLs:

http://www.cisco.com/warp/public/707/tacl.html

Configuring Infrastructure Access Lists (iACLs)
- -----------------------------------------------

Although it is often difficult to block traffic transiting your
network, it is possible to identify traffic which should never be
allowed to target your infrastructure devices and block that traffic
at the border of your network. Infrastructure ACLs are considered a
network security best practice and should be considered as a long-term
addition to good network security as well as a workaround for this
specific vulnerability. The white paper entitled "Protecting Your Core:
Infrastructure Protection Access Control Lists" presents guidelines and
recommended deployment techniques for infrastructure protection ACLs:

http://www.cisco.com/warp/public/707/iacl.html

Configuring Receive Access Lists (rACLs)
- ----------------------------------------

For distributed platforms, rACLs may be an option starting in Cisco IOS
Software Versions 12.0(21)S2 for the 12000 series GSR and 12.0(24)S
for the 7500 series. The receive access lists protect the device from
harmful traffic before the traffic can impact the route processor.
Receive path ACLs are considered a network security best practice, and
should be considered as a long-term addition to good network security,
as well as a workaround for this specific vulnerability. The CPU load
is distributed to the line card processors and helps mitigate load on
the main route processor. The white paper entitled "GSR: Receive Access
Control Lists" will help identify and allow legitimate traffic to your
device and deny all unwanted packets:

http://www.cisco.com/warp/public/707/racl.html

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is aware of exploitation of this vulnerability and is
recommending customers take action to protect themselves.

Status of This Notice: INTERIM
==============================

THIS ADVISORY IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY. YOUR USE OF THE INFORMATION ON THE
ADVISORY OR MATERIALS LINKED FROM THE ADVISORY IS AT YOUR OWN RISK.
CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS NOTICE AT ANY TIME.
CISCO EXPECTS TO UPDATE THIS NOTICE WITHIN 48 to 72 hours FROM THE
ORIGINAL DATE OF THIS NOTICE.

Distribution
============

This advisory will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml.

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.

  * cust-security-announce@xxxxxxxxx
  * first-teams@xxxxxxxxx (includes CERT/CC)
  * bugtraq@xxxxxxxxxxxxxxxxx
  * vulnwatch@xxxxxxxxxxxxx
  * cisco@xxxxxxxxxxxxxxxxx
  * cisco-nsp@xxxxxxxxxxxxxxx
  * full-disclosure@xxxxxxxxxxxxxxxx
  * comp.dcom.sys.cisco@xxxxxxxxxxxxxxxxxx

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+---------------------------------------------+
| Revision | 2004-August-27 | Initial public  |
| 1.0      |                | release.        |
+---------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml.
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBLxMAezGozzK2tZARAj6eAJ0VX9vmrTBin4Vxt3FchPLIddKAlQCgvt20
dDYTV+/GnsCSHsRfmUz5eJw=
=1fzl
-----END PGP SIGNATURE-----