Cisco has fixed multiple malformed packet vulnerabilities in the TCP/IP stacks of the Cisco ONS 15327 Edge Optical Transport Platform, the Cisco ONS 15454 Optical Transport Platform, the Cisco ONS 15454 SDH Multiplexer Platform, and the Cisco ONS 15600 Multiservice Switching Platform.
These vulnerabilities are documented as the following Cisco bug IDs:
CSCed06531 (IP)
CSCed86946 (ICMP)
CSCec88426/CSCec88508/CSCed85088/CSCeb07263/CSCec21429 (TCP)
CSCec59739/CSCed02439/CSCed22547 (Last-ACK)
CSCec88402/CSCed31918/CSCed83309/CSCec85982/CSCec21435/CSCee03697 (UDP)
CSCea16455/CSCea37089/CSCea37185 (SNMP)
CSCee27329 (passwd)
Workarounds that mitigate exposure to these vulnerabilities are given in the workaround section of this advisory. Cisco is providing fixed software and recommends that customers upgrade to it.
This advisory will be posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040721-ons.
This section provides details on affected products.
These products are vulnerable:
One table is given per vulnerability group, in the order of the bug IDs listed above.

IP (CSCed06531)

Product | Affected Releases
---|---
15327 | 4.6(0) and 4.6(1); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x) and earlier
15454, 15454 SDH | 4.6(0) and 4.6(1); 4.5(x); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x) and releases earlier than 2.3(5)
15600 | Not Affected

ICMP (CSCed86946)

Product | Affected Releases
---|---
15327 | 4.6(0) and 4.6(1); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x) and earlier
15454, 15454 SDH | 4.6(0) and 4.6(1); 4.5(x); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x) and releases earlier than 2.3(5)
15600 | Not Affected

TCP (CSCec88426/CSCec88508/CSCed85088/CSCeb07263/CSCec21429)

Product | Affected Releases
---|---
15327 | 4.6(0) and 4.6(1); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x) and earlier
15454, 15454 SDH | 4.6(0) and 4.6(1); 4.5(x); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x) and releases earlier than 2.3(5)
15600 | 1.x(x)

Last-ACK (CSCec59739/CSCed02439/CSCed22547)

Product | Affected Releases
---|---
15327 | 4.6(0) and 4.6(1); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x) and earlier
15454, 15454 SDH | 4.6(0) and 4.6(1); 4.5(x); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x) and releases earlier than 2.3(5)
15600 | Not Affected

UDP (CSCec88402/CSCed31918/CSCed83309/CSCec85982/CSCec21435/CSCee03697)

Product | Affected Releases
---|---
15327 | 4.6(0) and 4.6(1); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x) and earlier
15454, 15454 SDH | 4.6(0) and 4.6(1); 4.5(x); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x) and releases earlier than 2.3(5)
15600 | 1.x(x)

SNMP (CSCea16455/CSCea37089/CSCea37185)

Product | Affected Releases
---|---
15327 | 4.1(0) to 4.1(2); 4.0(0) to 4.0(2); 3.x(x) and earlier
15454, 15454 SDH | 4.5(x); 4.1(0) to 4.1(2); 4.0(0) to 4.0(2); 3.x(x) and releases earlier than 2.3(5)
15600 | Not Affected

passwd (CSCee27329)

Product | Affected Releases
---|---
15327 | 4.6(0) and 4.6(1)
15454, 15454 SDH | 4.6(0) and 4.6(1)
15600 | Not Affected
For clarification, the following products are not affected by these vulnerabilities.
No other Cisco products are currently known to be affected by these vulnerabilities.
To determine your software revision, view the Help > About window on the CTC management software.
The affected Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 hardware is managed through the XTC, TCC/TCC+/TCC2, TCCi/TCC2, and TSC control cards respectively. These control cards are usually connected to a network that is local to the customer's environment and isolated from the Internet, which limits, but does not remove, the exposure to exploitation of these vulnerabilities from the Internet.
The Internetworking Terms and Cisco Systems Acronyms online guides can be found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/.
These vulnerabilities are documented in the Cisco Bug Toolkit as Bug IDs
CSCed06531 (IP),
CSCed86946 (ICMP),
CSCec88426/CSCec88508/CSCed85088/CSCeb07263/CSCec21429 (TCP),
CSCec59739/CSCed02439/CSCed22547 (Last-ACK),
CSCec88402/CSCed31918/CSCed83309/CSCec85982/CSCec21435/CSCee03697 (UDP),
CSCea16455/CSCea37089/CSCea37185 (SNMP), and
CSCee27329 (passwd).
Apply ACLs (access control lists) on routers / switches / firewalls installed in front of the vulnerable network devices such that TCP/IP traffic destined for the XTC, TCC/TCC+/TCC2, TCCi/TCC2, or TSC control cards on the switches is only allowed from the network management workstations. Refer to http://www.cisco.com/warp/public/707/tacl.html for examples on how to apply access control lists (ACLs) on Cisco routers.
Note that this workaround does not prevent spoofed IP packets, with the source IP address set to that of a network management station, from reaching the switch's management interface. For more information on anti-spoofing, refer to /en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#sec_ip and http://www.ietf.org/rfc/rfc2827.txt. The Unicast Reverse Path Forwarding (Unicast RPF) feature helps mitigate problems caused by malformed or forged IP source addresses passing through a router; refer to http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfrpf.htm.
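As an added example of the router-side workaround described above (this configuration is not part of the Cisco advisory), the following Cisco IOS configuration implements both parts: an access list that allows only the management workstations to send TCP/IP traffic to the control-card LAN, and an RFC 2827 ingress filter plus strict Unicast RPF on the untrusted interface so that a spoofed packet claiming a management-station source is dropped before it ever reaches that list. The addresses, interface names and access-list names are hypothetical.

```cisco
! Added example for this advisory's workaround; not part of the Cisco advisory.
! Cisco IOS syntax. All addresses, interface and list names are hypothetical:
!   10.10.0.0/24          LAN holding the ONS control-card (XTC/TCC/TSC) addresses
!   10.20.1.10 and .11    network management workstations running CTC
!   192.0.2.0/24          the untrusted side of the router
!
! Unicast RPF requires Cisco Express Forwarding.
ip cef
!
! 1. Only the NMS workstations may send TCP/IP traffic to the control cards.
!    Applied outbound on the interface toward the control-card LAN, so every
!    packet routed to a control card is checked regardless of where it entered.
ip access-list extended ONS-MGMT-OUT
 remark NMS workstations may reach every control card on the management LAN
 permit ip host 10.20.1.10 10.10.0.0 0.0.0.255
 permit ip host 10.20.1.11 10.10.0.0 0.0.0.255
 remark Everything else destined for the control cards is dropped and logged
 deny   ip any 10.10.0.0 0.0.0.255 log
 remark Traffic not destined for the control-card LAN is unaffected
 permit ip any any
!
! 2. RFC 2827 ingress filter on the untrusted side: a packet arriving there
!    must not claim an NMS, management-LAN or loopback source address.
!    Without this, a packet spoofed from 10.20.1.10 would pass list 1.
ip access-list extended ONS-ANTISPOOF-IN
 deny   ip 10.20.1.0 0.0.0.255 any log
 deny   ip 10.10.0.0 0.0.0.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 permit ip any any
!
interface FastEthernet0/0
 description Untrusted side
 ip address 192.0.2.1 255.255.255.0
 ip access-group ONS-ANTISPOOF-IN in
 ! Strict Unicast RPF: drop any packet whose source address would not be
 ! routed back out this same interface (catches spoofed sources the static
 ! list above does not enumerate).
 ip verify unicast source reachable-via rx
!
interface FastEthernet0/1
 description NMS workstations
 ip address 10.20.1.1 255.255.255.0
!
interface FastEthernet1/0
 description ONS control-card LAN (XTC/TCC/TSC LAN ports)
 ip address 10.10.0.1 255.255.255.0
 ip access-group ONS-MGMT-OUT out
```

After applying it, `show ip access-lists ONS-MGMT-OUT` shows hit counters on the deny entry for blocked attempts, and `show ip interface FastEthernet0/0` confirms that Unicast RPF is active on the untrusted interface. The list is stateless: it filters only traffic routed toward the control cards, not traffic the nodes originate toward the workstations (such as SNMP traps), and hosts that sit on the control-card LAN itself never cross the router, so that LAN should contain nothing but the nodes. Any new CTC workstation must be added to ONS-MGMT-OUT, and on a multi-homed router strict RPF (`reachable-via rx`) must be checked against the routing table before use, since asymmetric paths would otherwise drop legitimate traffic.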
For the CSCee27329 (passwd) vulnerability, ensure that there are no blank passwords set in the user database and that the CISCO15 user ID has a strong password set.
The Cisco PSIRT recommends that affected users upgrade to a fixed software version of code.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
First fixed software release table for all vulnerabilities referenced in this Security Advisory

Product | Fixed Releases
---|---
15327 | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later
15454, 15454 SDH | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later; 2.3(5)
15600 | 5.0 and later

First fixed releases per vulnerability group, in the order of the bug IDs listed above:

IP (CSCed06531)

Product | Fixed Releases
---|---
15327 | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later
15454, 15454 SDH | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later; 2.3(5)
15600 | Not Affected

ICMP (CSCed86946)

Product | Fixed Releases
---|---
15327 | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later
15454, 15454 SDH | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later; 2.3(5)
15600 | Not Affected

TCP (CSCec88426/CSCec88508/CSCed85088/CSCeb07263/CSCec21429)

Product | Fixed Releases
---|---
15327 | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later
15454, 15454 SDH | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later; 2.3(5)
15600 | 5.0 and later

Last-ACK (CSCec59739/CSCed02439/CSCed22547)

Product | Fixed Releases
---|---
15327 | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later
15454, 15454 SDH | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later; 2.3(5)
15600 | Not Affected

UDP (CSCec88402/CSCed31918/CSCed83309/CSCec85982/CSCec21435/CSCee03697)

Product | Fixed Releases
---|---
15327 | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later
15454, 15454 SDH | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later; 2.3(5)
15600 | 5.0 and later

SNMP (CSCea16455/CSCea37089/CSCea37185)

Product | Fixed Releases
---|---
15327 | 4.1(3) and later; 4.0(3) and later
15454, 15454 SDH | 4.6(0) and later; 4.1(3) and later; 4.0(3) and later; 2.3(5)
15600 | Not Affected

passwd (CSCee27329)

Product | Fixed Releases
---|---
15327 | 4.6(2) and later
15454, 15454 SDH | 4.6(2) and later
15600 | Not Affected
The vulnerabilities for the Cisco ONS 15600 platforms are fixed in the Cisco ONS software Release 5.0, which will be available in September 2004.
Upgrade procedures can be found as indicated below:
The procedure to upgrade to the fixed software version on the Cisco ONS 15327 hardware is detailed at http://www.cisco.com/univercd/cc/td/doc/product/ong/15327/327doc41/index.htm.
The procedure to upgrade to the fixed software version on the Cisco ONS 15454 hardware is detailed at http://www.cisco.com/univercd/cc/td/doc/product/ong/15400/r46docs/index.htm .
The procedure to upgrade to the fixed software version on the Cisco ONS 15600 hardware is detailed at http://cisco.com/univercd/cc/td/doc/product/ong/15600/index.htm.
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
These vulnerabilities were uncovered during internal stress testing by Cisco, except for the malformed ICMP packet vulnerability, which was reported to Cisco by a customer.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision | Date | Description
---|---|---
1.0 | 2004-July-21 | Initial public release.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.