Cisco Internetwork Operating System (IOS) Software release trains 12.0S, 12.1E, 12.2, 12.2S, 12.3, 12.3B and 12.3T may contain a vulnerability in processing SNMP requests which, if exploited, could cause the device to reload. The vulnerability is only present in certain IOS releases on Cisco routers and switches. This behavior was introduced via a code change and is resolved with CSCed68575. This vulnerability can be remotely triggered. A successful exploitation of this vulnerability may cause a reload of the device and could be exploited repeatedly to produce a Denial of Service (DoS). This advisory is available at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040420-snmp .
Cisco Internetwork Operating System (IOS) Software release trains 12.0S, 12.1E, 12.2, 12.2S, 12.3, 12.3B and 12.3T may contain a vulnerability in processing SNMP requests which, if exploited, could cause the device to reload.
The vulnerability is only present in certain IOS releases on Cisco routers and switches. This behavior was introduced via a code change and is resolved with CSCed68575.
This vulnerability can be remotely triggered. A successful exploitation of this vulnerability may cause a reload of the device and could be exploited repeatedly to produce a Denial of Service (DoS).
This advisory is available at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040420-snmp .
This section provides details on affected products.
This vulnerability was introduced by a code change for CSCeb22276. This change was committed to the following releases, causing these releases to be vulnerable.
Cisco Catalyst ATM modules running Cisco IOS software are not affected.
The ONS 15454 and 15454E, when configured with an ML-series line card and running release 4.60 are vulnerable. The ONS 15454 and 15454E software bundles a vulnerable version of Cisco IOS software that runs on the ML-series line card. Configurations without an ML-series line card running the affected releases are not vulnerable. Release 4.60 bundles 12.1(20)EO, which is vulnerable.
The following CCO posted releases are known to be vulnerable to the SNMP issue. To Cisco's best knowledge, no other posted releases are affected. Cisco may modify this list, however, in the event of any updates. Interim or custom releases that were published by Cisco may also be vulnerable. For more information on Interim builds, see section 3.6 of http://www.cisco.com/warp/public/620/1.html.
Please see the Software Versions and Fixes section of this advisory for the complete Cisco IOS software upgrade table.
To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS®". On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the show version command or will give different output.
The following example identifies a Cisco product running IOS release 12.0(3) with an installed image name of C2500-IS-L:
Cisco Internetwork Operating System Software IOS (TM) 2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE
The release train label is "12.0".
The next example shows a product running IOS release 12.0(2a)T1 with an image name of C2600-JS-MZ:
Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-JS-MZ), Version 12.0(2a)T1, RELEASE SOFTWARE (fc1)
Additional information about Cisco IOS release naming can be found at http://www.cisco.com/warp/public/620/1.html.
No other Cisco products are currently known to be affected by these vulnerabilities.
The Simple Network Management Protocol (SNMP) defines a standard mechanism for remote management and monitoring of devices in an Internet Protocol (IP) network. A device or host that supports SNMP is an SNMP entity. There are two classes of SNMP entities: SNMP managers that request information and receive unsolicited messages and SNMP agents that respond to requests and send unsolicited messages. SNMP entities that support SNMP proxy functions combine the functions of both SNMP manager and SNMP agent.
There are two classes of SNMP operations: solicited operations such as 'get' or 'set', with which the SNMP manager requests or changes the value of a managed object on an SNMP agent; and unsolicited operations such as 'trap' or 'inform' messages with which the SNMP agent provides an unsolicited notification or alarm message to the SNMP manager. The 'inform' operation is essentially an acknowledged 'trap'.
All SNMP operations are transported over the User Datagram Protocol (UDP). Solicited operations are sent by the SNMP manager to the UDP destination port 161 on the agent. Unsolicited operations are sent by the SNMP agent to the UDP destination port 162. In IOS, The acknowledgement sent by the SNMP manager to an SNMP agent in reply to an 'inform' operation is sent to a randomly chosen high port that is chosen when the SNMP process is started.
As IOS implements both an SNMP agent and SNMP proxy functionality, the SNMP process in IOS starts listening for SNMP operations on UDP ports 161, 162 and the random UDP port at the time it is initialized. The SNMP process is started either at the time the device boots, or when SNMP is configured.
The high port is chosen via the following series of steps:
Therefore, the port chosen may be higher than 59152 although this is considered unlikely.
In this vulnerability, the IOS SNMP process is incorrectly attempting to process SNMP solicited operations on UDP port 162 and the random UDP port. Upon attempting to process a solicited SNMP operation on one of those ports, the device can experience memory corruption and may reload.
SNMPv1 and SNMPv2c solicited operations to the vulnerable ports will perform an authentication check against the SNMP community string, which may be used to mitigate attacks. Through best practices of hard to guess community strings and community string ACLs, this vulnerability may be mitigated for both SNMPv1 and SNMPv2c. However, any SNMPv3 solicited operation to the vulnerable ports will reset the device. If configured for SNMP, all affected versions will process SNMP version 1, 2c and 3 operations.
This vulnerability was introduced by DDTS CSCeb22276 and has been corrected with DDTS CSCed68575.
The effectiveness of any workarounds is dependent on specific customer situations such as product mix, network topology, traffic behavior and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround is the most appropriate for use in the intended network before it is deployed.
The following workarounds should only be considered as a long term solution if anti-spoofing methods consistently prevent spoofed source attacks from entering the network and access-lists provided below are configured on every potentially affected device.
Removing the public community string with the configure command no snmp-server communityno snmp-server
The access-list must then be applied to all interfaces using the following configuration commands:access-list 101 permit udp host 10.1.1.1 host 192.168.10.1 range 161 162 access-list 101 permit udp host 10.1.1.1 host 192.168.10.1 range 49152 65535 access-list 101 deny udp any host 192.168.10.1 range 161 162 access-list 101 deny udp any host 192.168.10.1 range 49152 65535 access-list 101 deny udp any host 172.16.1.1 range 161 162 access-list 101 deny udp any host 172.16.1.1 range 49152 65535 access-list 101 permit ip any any
Note that UDP traffic in the ranges specified above must be explicitly blocked to each IP address on the router to prevent the router from accepting and processing the SNMP packets. Additionally, while blocking traffic to port 161 from unknown hosts is a best practice, in this case, port 161 is not affected and need not be blocked to prevent exploitation.interface ethernet 0/0 ip access-group 101 in
The above example shows that there are 3 SNMP-related ports listening, and the high port is bound to 49212.Router#sh ip sockets Proto Remote Port Local Port In Out Stat TTY OutputIF [snip] 17 --listen-- 192.168.10.72 161 0 0 1 0 17 --listen-- 192.168.10.72 162 0 0 11 0 17 --listen-- 192.168.10.72 49212 0 0 11 0
Be advised that Cisco released multiple advisories on 2004-April-20.
When considering software upgrades, please also consult http://www.cisco.com/go/psirt">http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
Each row of the Cisco IOS software table (below) describes a release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild," "Interim," and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label). When selecting a release, keep in mind the following definitions:
To find the information for a given IOS release, compare the release number as reported by the show version command to the major releases in the first column below. For example, if your device reports that it is running 12.3(5), find the row in the table for "12.3". Reading across to the right, you find 12.3(5c) in the Rebuild column, indicating that 12.3(5) through 12.3(5b) are vulnerable. Since 12.3(5c) is already available for download from CCO, you could upgrade to it as soon as possible.
If a release train is labeled "Vulnerable", then migration to another release train should be considered. Except where a release label in a different release train is explicitly identified in the table below, customers should contact the Cisco TAC for assistance to identify the appropriate migration path. If migration is not possible, then workarounds may be the only alternative.
In all cases, customers should exercise caution to confirm that the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new software release. If the information is not clear, contact the Cisco TAC for assistance as shown in the "Obtaining Fixed Software" section below.
More information on Cisco IOS software release names and abbreviations is available at http://www.cisco.com/warp/public/620/1.html. The fixes will be available at the Software Center located at http://www.cisco.com/public/sw-center/.
Major Release |
Availability of Repaired Releases |
||
---|---|---|---|
Affected 12.0 -Based Release |
Rebuild |
Interim |
Maintenance |
12.0S |
12.0(23)S6 |
||
12.0(24)S6 |
|||
12.0(26)S2 |
|||
12.0(27)S1 |
|||
12.0SV |
12.0(27)SV2 - contact TAC. Available upon request. |
||
Affected 12.1 -Based Release |
Rebuild |
Interim |
Maintenance |
12.1E |
12.1(20)E3 |
||
12.1(22)E1 |
|||
12.1EA |
12.1(20)EA1a |
||
12.1EB |
12.1(22)EB |
||
12.1EC |
12.1(20)EC2 - contact TAC. Available upon request. |
||
12.1EO |
12.1(20)EO1 |
||
12.1EU |
12.1(20)EU1 due on CCO early May, 2004 |
||
12.1EW |
12.1(20)EW2 |
||
Affected 12.2 -Based Release |
Rebuild |
Interim |
Maintenance |
12.2 |
12.2(12i) |
||
12.2(21b) |
|||
12.2(23.6) - available upon request. |
12.2(24) |
||
12.2(23a) |
|||
12.2S |
12.2(20)S2 |
||
12.2(22)S |
|||
12.2SW |
12.2(23)SW - available mid-May 2004 |
||
Affected 12.3 -Based Release |
Rebuild |
Interim |
Maintenance |
12.3 |
12.3(5c) |
||
12.3(6a) |
|||
12.3(7.7) - available upon request. |
12.3(9) - due on CCO mid-June 2004. |
||
12.3B |
12.3(5)B1 - due on CCO mid-June 2004. |
||
12.3T |
12.3(4)T4 |
||
12.3(7)T |
|||
12.3XC |
Vulnerable, migrate to 12.3(8)T due on CCO mid-May 2004 |
||
12.3XD |
12.3(4)XD2 |
||
12.3XE |
Vulnerable, migrate to 12.3(8)T due on CCO mid-May 2004 |
||
12.3XF |
Contact TAC |
||
12.3XG |
12.3(4)XG1 |
||
12.3XH |
12.3(4)XH |
||
12.3XK |
12.3(4)XK |
||
12.3XQ |
12.3(4)XQ |
Optical Products |
|
---|---|
Product |
Availability of Repaired Release |
Cisco ONS 15454 and 15454E with an ML-series Line |
4.62, Available 2004-Apr-27 |
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision 1.5 |
2004-May-05 |
Updated software availability information for 12.0S, 12.1EB, 12.2, 12.2S, 12.2SW, 12.3, 12.3T, 12.3XH, 12.3XK, and 12.3XQ. No new releases added. |
Revision 1.4 |
2004-April-29 |
In the Software Versions and Fixes section, modified the entry for 12.3XC. |
Revision 1.3 |
2004-April-23 |
In the Affected Products section, listed each release on a separate line. |
Revision 1.2 |
2004-April-23 |
In the Affected Products section, modified 4th paragraph, and updated list of releases. In the Software Versions and Fixes section, modified/added entries for 12.1EB, 12.1EO, 12.1EU, 12.2SW, 12.2ZQ, 12.2XE, 12.2XF |
Revision 1.1 |
2004-April-22 |
In the Software Versions and Fixes section, added Optical products table, and updated IOS Release table. In the Affected Products section, added Catalyst and Optical products, and 12.1(20)EO. |
Revision 1.0 |
2004-April-20 |
Initial Public Release. |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.