Cisco IOS Software Network Address Translation Denial of Service Vulnerability

Summary

• A vulnerability in the Network Address Translation (NAT) feature of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper translation of IP version 4 (IPv4) packets.
  
  Cisco has released software updates that address this vulnerability.
  
  This advisory is available at the following link:
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-nat
  
  Note: The September 24, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link:

  http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep14.html

Affected Products

• 
  

  Vulnerable Products

  Cisco devices that are running affected Cisco IOS Software releases are vulnerable when configured with NAT and the NAT application layer gateway (NAT ALG) for multipart Session Description Protocol (SDP) in Session Initiation Protocol (SIP) has been enabled. The NAT ALG for multipart SDP in SIP is not enabled by default.
  
  There are two methods to determine whether a Cisco IOS device is configured for NAT:

  • Determine whether NAT is active on a device
  • Determine whether NAT commands are included in the device configuration

  The preferred method to verify whether NAT is enabled on a Cisco IOS device is to determine whether NAT is active on a device.
  
  One method is available to determine whether the NAT ALG for multipart SDP in SIP is enabled.

  Determine Whether NAT Is Active on a Device

  To determine whether NAT is active on a Cisco device running Cisco IOS Software, log in to the device and issue the show ip nat statistics command. If NAT is active, the "Outside interfaces" and "Inside interfaces" sections will each include at least one interface. The following example shows a device where NAT is active:

  Router#show ip nat statistics
  Total active translations: 0 (0 static, 0 dynamic; 0 extended)
  Peak translations: 10, occurred 00:24:01 ago
  Outside interfaces:
    FastEthernet0/0
  Inside interfaces: 
    FastEthernet0/1
  Hits: 134280  Misses: 0
  CEF Translated packets: 134270, CEF Punted packets: 10
  Expired translations: 11
  Dynamic mappings:
  -- Inside Source
  [Id: 1] access-list NET-192.168.20.0_24 pool POOL-NET-192.168.1.0_24 refcount 0
   pool POOL-NET-192.168.1.0_24: netmask 255.255.255.0
  start 192.168.1.120 end 192.168.1.128
  type generic, total addresses 9, allocated 0 (0%), misses 0
  
  Total doors: 0
  Appl doors: 0
  Normal doors: 0
  Queued Packets: 0
  Router#
  

  If no interfaces are listed on the output of the show ip nat statistics command, NAT may still be active on the device through the NAT Virtual Interface feature. To determine whether NAT is active through this feature, issue the show ip nat nvi statistics command. If NAT is active, the "NAT Enabled interfaces" section will include at least one interface. The following example shows a device where NAT is active:

  Router#show ip nat nvi statistics
  Total active translations: 1 (0 static, 1 dynamic; 1 extended)
  NAT Enabled interfaces:
    FastEthernet0/0, FastEthernet0/1
  Hits: 81373  Misses: 3
  CEF Translated packets: 44371, CEF Punted packets: 8
  Expired translations: 3
  Dynamic mappings:
  -- Source [Id: 1] access-list NET-192.168.20.0_24 pool POOL-NET-192.168.1.0_24 refcount 1
   pool POOL-NET-192.168.1.0_24: netmask 255.255.255.0
  start 192.168.1.120 end 192.168.1.128
  type generic, total addresses 9, allocated 1 (11%), misses 0
  Router#
  

  Determine Whether NAT Commands Are Present in the Device Configuration

  To determine whether NAT has been enabled in the Cisco IOS Software configuration, log in to the device and issue the show running-config command. If NAT is active, the ip nat inside and ip nat outside interface commands must be present. Alternatively, in the case of the NAT Virtual Interface, the ip nat enable interface command will be present.
  
  Note: The Cisco Easy VPN Remote client feature configuration present on the device will automatically enable NAT. The NAT and Port Address Translation (PAT) configurations that are created by the Cisco Easy VPN Remote feature are not written to the startup or running configuration files. These configurations, however, can be displayed using the show ip nat statistics command.

  Determine Whether the NAT ALG for Multipart SDP in SIP Is Enabled in the Device Configuration

  For the NAT ALG for multipart SDP in SIP traffic to be enabled on a Cisco IOS device running Cisco IOS Software, the ip nat service allow-multipart command must be present on the device configuration. The following example shows a device on which the NAT ALG for multipart SDP in SIP is enabled:

  Router#show running-config | include ip nat service allow-multipart
  ip nat service allow-multipart
  Router#
  

  Determine the Cisco IOS Software Release on a Device

  To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

  The following example identifies a Cisco product that is running Cisco IOS Software Release 15.2(4)M5 with an installed image name of C3900-UNIVERSALK9-M:

  Router> show version 
  Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), 15.2(4)M5, RELEASE SOFTWARE (fc2)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2013 by Cisco Systems, Inc.
  Compiled Fri 13-Sep-13 16:44 by prod_rel_team

  !--- output truncated 

  Additional information about Cisco IOS Software release naming conventions is available in White Paper: Cisco IOS and NX-OS Software Reference Guide.

  Products Confirmed Not Vulnerable

  If the NAT feature is not configured on a Cisco device running Cisco IOS Software, the device is not vulnerable. If the NAT feature is configured on a Cisco device running Cisco IOS Software, but the NAT ALG for multipart SDP in SIP is not enabled, the device is not vulnerable.
  
  The following products have been confirmed not vulnerable:

  • Cisco IOS-XR Software
  • Cisco IOS-XE Software
  • Cisco NX-OS Software
  • Cisco ASA Software

  No other Cisco products are currently known to be affected by this vulnerability.

Details

• A vulnerability in the application-layer gateway (ALG) module of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a reload of the affected device, which could lead to a denial of service (DoS) condition.
  
  The vulnerability is due to how Session Initiation Protocol (SIP) messages that require network address translation (NAT) are processed on an affected device. An attacker could exploit this vulnerability by sending crafted SIP messages to be processed and translated by an affected device. An exploit could allow the attacker to cause the affected device to reload, leading to a DoS condition.
  
  This vulnerability can be triggered when multipart SDP traffic (as defined in RFC 5621) undergoes NAT and the NAT ALG for multipart SDP in SIP is enabled on the device. The NAT ALG for multipart SDP in SIP is not enabled by default. This vulnerability can be triggered only by the traffic transiting an affected device and cannot be exploited with traffic destined to the device itself. This vulnerability cannot be exploited with IP version 6 (IPv6) traffic.
  
  This vulnerability is documented in Cisco bug ID CSCun54071 (registered customers only) and has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2014-3361.

Workarounds

• This vulnerability can be mitigated by disabling the NAT ALG for multipart SDP in SIP. To disable the NAT ALG for multipart SDP in SIP, use the no ip nat service allow-multipart in global configuration mode.
  
  Note: Disabling the NAT ALG for multipart SDP in SIP may negatively impact interoperability with third-party SIP gateways and devices.

Fixed Software

• When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
  
  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
  
  

  Cisco IOS Software

  Cisco has provided a tool to help customers determine their exposure to vulnerabilities in Cisco IOS Software. The Cisco IOS Software Checker allows customers to perform the following tasks:

  • Initiate a search by selecting releases from the drop-down menu or uploading a file from a local system
  • Enter show version command output for the tool to parse
  • Create a customized search by including all previously published Cisco Security Advisories, a specific publication, or all advisories in the September 2015 bundled publication

  The tool will identify any Cisco Security Advisories that impact a queried software release and the earliest release that corrects all vulnerabilities in each Cisco Security Advisory ("First Fixed"). If applicable, the tool will also return the earliest possible release that corrects all vulnerabilities in all displayed advisories ("Combined First Fixed"). Please visit the Cisco IOS Software Checker or simply enter a Cisco IOS Software release in the following field to determine whether it is affected by any of the advisories in this bundled publication.

  (Example entry: 15.1(4)M2)

  Cisco IOS XE Software

  Cisco IOS XE Software is not affected by the vulnerability that is disclosed in this document.

  Cisco IOS XR Software

  Cisco IOS XR Software is not affected by any of the vulnerabilities that are disclosed in the September 2014 Cisco IOS Software Security Advisory Bundled Publication.

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
  
  This vulnerability was identified during the handling of a customer service request.

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-nat

Revision History

• Revision 1.0

  2014-September-24

  Initial public release.

  Show Less