Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Malformed Packet Vulnerabilities

Related Vulnerabilities: CVE-2004-1432   CVE-2004-1433   CVE-2004-1434   CVE-2004-1435  

Cisco has fixed multiple malformed packet vulnerabilities in the TCP/IP stacks of Cisco ONS 15327 Edge Optical Transport Platform, the Cisco ONS 15454 Optical Transport Platform, the Cisco ONS 15454 SDH Multiplexer Platform, and the Cisco ONS 15600 Multiservice Switching Platform. These vulnerabilities are documented as the following Cisco bug IDs CSCed06531 (IP) CSCed86946 (ICMP) CSCec88426/CSCec88508/CSCed85088/CSCeb07263/CSCec21429 (TCP) CSCec59739/CSCed02439/CSCed22547 (Last-ACK) CSCec88402/CSCed31918/CSCed83309/CSCec85982/CSCec21435/CSCee03697 (UDP) CSCea16455/CSCea37089/CSCea37185 (SNMP) CSCee27329 (passwd) There are workarounds available to mitigate the exposure to these vulnerabilities in the workaround section of this advisory. Cisco is providing fixed software, and recommends that customers upgrade to it. This advisory will be posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040721-ons.

Source

Summary

  • Cisco has fixed multiple malformed packet vulnerabilities in the TCP/IP stacks of Cisco ONS 15327 Edge Optical Transport Platform, the Cisco ONS 15454 Optical Transport Platform, the Cisco ONS 15454 SDH Multiplexer Platform, and the Cisco ONS 15600 Multiservice Switching Platform.

    These vulnerabilities are documented as the following Cisco bug IDs

    • CSCed06531 (IP)
    • CSCed86946 (ICMP)
    • CSCec88426/CSCec88508/CSCed85088/CSCeb07263/CSCec21429 (TCP)
    • CSCec59739/CSCed02439/CSCed22547 (Last-ACK)
    • CSCec88402/CSCed31918/CSCed83309/CSCec85982/CSCec21435/CSCee03697 (UDP)
    • CSCea16455/CSCea37089/CSCea37185 (SNMP)
    • CSCee27329 (passwd)

    There are workarounds available to mitigate the exposure to these vulnerabilities in the workaround section of this advisory. Cisco is providing fixed software, and recommends that customers upgrade to it.

    This advisory will be posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040721-ons.

Affected Products

  • This section provides details on affected products.

    Vulnerable Products

    These products are vulnerable:

    • CSCed06531 (IP)
      Product
      		 Affected Releases
      15327
      		 4.6(0) and 4.6(1)
      4.1(0) to 4.1(3)
      4.0(0) to 4.0(2)
      3.x(x) and earlier
      15454, 15454 SDH
      		 4.6(0) and 4.6(1)
      4.5(x)
      4.1(0) to 4.1(3)
      4.0(0) to 4.0(2)
      3.x(x)
      earlier than 2.3(5)
      15600
      		 Not Affected

    • CSCed86946 (ICMP)
      Product
      		 Affected Releases
      15327
      		 4.6(0) and 4.6(1)
      4.1(0) to 4.1(3)
      4.0(0) to 4.0(2)
      3.x(x) and earlier
      15454, 15454 SDH
      		 4.6(0) and 4.6(1)
      4.5(x)
      4.1(0) to 4.1(3)
      4.0(0) to 4.0(2)
      3.x(x)
      earlier than 2.3(5)
      15600
      		 Not Affected

    • CSCec88426/CSCec88508/CSCed85088/CSCeb07263/CSCec21429 (TCP)
      Product
      		 Affected Releases
      15327
      		 4.6(0) and 4.6(1)
      4.1(0) to 4.1(3)
      4.0(0) to 4.0(2)
      3.x(x) and earlier
      15454, 15454 SDH
      		 4.6(0) and 4.6(1)
      4.5(x)
      4.1(0) to 4.1(3)
      4.0(0) to 4.0(2)
      3.x(x)
      earlier than 2.3(5)
      15600
      		 1.x(x)

    • CSCec59739/CSCed02439/CSCed22547 (Last-ACK)
      Product
      		 Affected Releases
      15327
      		 4.6(0) and 4.6(1)
      4.1(0) to 4.1(3)
      4.0(0) to 4.0(2)
      3.x(x) and earlier
      15454, 15454 SDH
      		 4.6(0) and 4.6(1)
      4.5(x)
      4.1(0) to 4.1(3)
      4.0(0) to 4.0(2)
      3.x(x)
      earlier than 2.3(5)
      15600
      		 Not Affected

    • CSCec88402/CSCed31918/CSCed83309/CSCec85982/CSCec21435/CSCee03697 (UDP)
      Product
      		 Affected Releases
      15327
      		 4.6(0) and 4.6(1)
      4.1(0) to 4.1(3)
      4.0(0) to 4.0(2)
      3.x(x) and earlier
      15454, 15454 SDH
      		 4.6(0) and 4.6(1)
      4.5(x)
      4.1(0) to 4.1(3)
      4.0(0) to 4.0(2)
      3.x(x)
      earlier than 2.3(5)
      15600
      		 1.x(x)

    • CSCea16455/CSCea37089/CSCea37185 (SNMP)
      Product
      		 Affected Releases
      15327
      		 4.1(0) to 4.1(2)
      4.0(0) to 4.0(2)
      3.x(x) and earlier
      15454, 15454 SDH
      		 4.5(x)
      4.1(0) to 4.1(2)
      4.0(0) to 4.0(2)
      3.x(x)
      earlier than 2.3(5)
      15600
      		 Not Affected

    • CSCee27329 (passwd)
      Product
      		 Affected Releases
      15327
      		 4.6(0) and 4.6(1)
      15454, 15454 SDH
      		 4.6(0) and 4.6(1)
      15600
      		 Not Affected

    Products Confirmed Not Vulnerable

    For clarification, the following products are not affected by these vulnerabilities.

    • Cisco ONS 15800 series
    • ONS 15500 series extended service platform
    • ONS 15302, ONS 15305, ONS 15200 series metro DWDM systems
    • ONS 15190 series IP transport concentrator

    No other Cisco products are currently known to be affected by these vulnerabilities.

    To determine your software revision, view the Help > About window on the CTC management software.

Details

  • The affected Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 hardware is managed through the XTC, TCC/TCC+/TCC2, TCCi/TCC2, and TSC control cards respectively. These control cards are usually connected to a network isolated from the Internet and local to the customer's environment. This limits the exposure to the exploitation of the vulnerabilities from the Internet.

    • CSCed06531 (IP)
      Malformed IP packets may potentially cause the XTC, TCC/TCC+/TCC2 and TCCi/TCC2 control cards to reset. Repeated transmission of these malformed packets could cause both the control cards to be resetting at the same time.
      The Cisco ONS 15600 hardware is not affected by this issue.
    • CSCed86946 (ICMP)
      Malformed ICMP packets may potentially cause the XTC, TCC/TCC+/TCC2 and TCCi/TCC2 control cards to reset. Repeated transmission of these malformed packets could cause both the control cards to be resetting at the same time.
      The Cisco ONS 15600 hardware is not affected by this issue.
    • CSCec88426/CSCec88508/CSCed85088/CSCeb07263/CSCec21429 (TCP)
      Malformed TCP packets may potentially cause the XTC, TCC/TCC+/TCC2, TCCi/TCC2 and TSC control cards to reset. Repeated transmission of these malformed packets could cause both the control cards to be resetting at the same time.
      Cisco bug IDs CSCec88426, CSCec88508, and CSCed85088 document the issue on the Cisco ONS 15327, ONS 15454 and ONS 15454 SDH, and Cisco bug IDs CSCeb07263 and CSCec21429 documents the issue on the Cisco ONS 15600 hardware.
      There is no traffic impact on the Cisco ONS 15600 hardware; only manageability functions are affected because of this issue.
    • CSCec59739/CSCed02439/CSCed22547 (Last-ACK)
      The XTC, TCC/TCC+/TCC2 and TCCi/TCC2 control cards are susceptible to a TCP-ACK Denial of Service (DoS) attack on open TCP ports. The controller card on the optical device will reset under such an attack.
      A TCP-ACK DoS attack is conducted by not sending the regular final ACK required for a 3-way TCP handshake to complete, and instead sending an invalid response to move the connection to an invalid TCP state.
      The Cisco ONS 15600 hardware is not affected by this issue.
    • CSCec88402/CSCed31918/CSCed83309/CSCec85982/CSCec21435/CSCee03697 (UDP)
      Malformed UDP packets may potentially cause the XTC, TCC/TCC+/TCC2, TCCi/TCC2 and TSC control cards to reset. Repeated transmission of these malformed packets could cause both the control cards to be resetting at the same time.
      Cisco bug IDs CSCec88402, CSCed31918, CSCed83309, and CSCec85982 document the issue on the Cisco ONS 15327, ONS 15454 and ONS 15454 SDH, and Cisco bug ID CSCec21435 and CSCee03697 document the issue on the Cisco ONS 15600 hardware.
      There is no traffic impact on the Cisco ONS 15600 hardware; only manageability functions are affected because of this issue.
    • CSCea16455/CSCea37089/CSCea37185 (SNMP)
      Malformed SNMP packets may potentially cause the XTC, TCC/TCC+/TCC2 and TCCi/TCC2 control cards to reset. Repeated transmission of these malformed packets could cause both the control cards to be resetting at the same time.
      The Cisco ONS 15600 hardware is not affected by this issue.
    • CSCee27329 (passwd)
      If an account has a blank password set, and an attempt was made to log into the device with a password greater than ten characters the attempt would be successful.
      This vulnerability only affects the TL1 login interface. The CTC login interface is not vulnerable to this vulnerability.
      The CTC and TL1 user interfaces prevent the setting of a blank password as the password. Only the CISCO15 userid, during initial install process has a blank password which is to be changed as part of the initial install process.
      The Cisco ONS 15600 hardware is not affected by this issue.

    The Internetworking Terms and Cisco Systems Acronyms online guides can be found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/.

    These vulnerabilities are documented in the Cisco Bug Toolkit as Bug IDs

    CSCed06531 (IP),

    CSCed86946 (ICMP),

    CSCec88426/CSCec88508/CSCed85088/CSCeb07263/CSCec21429 (TCP),

    CSCec59739/CSCed02439/CSCed22547 (Last-ACK),

    CSCec88402/CSCed31918/CSCed83309/CSCec85982/CSCec21435/CSCee03697 (UDP),

    CSCea16455/CSCea37089/CSCea37185 (SNMP), and

    CSCee27329 (passwd) ( registered customers only) .

Workarounds

  • Apply ACLs (access control lists) on routers / switches / firewalls installed in front of the vulnerable network devices such that TCP/IP traffic destined for the XTC, TCC/TCC+/TCC2, TCCi/TCC2, or TSC control cards on the switches is only allowed from the network management workstations. Refer to http://www.cisco.com/warp/public/707/tacl.html for examples on how to apply access control lists (ACLs) on Cisco routers.

    Please note, these workarounds will not prevent spoofed IP packets with the source IP address set to that of the network management station from reaching the switch's management interface. For more information on anti-spoofing refer to /en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#sec_ip and http://www.ietf.org/rfc/rfc2827.txt. The Unicast Reverse Path Forwarding (Unicast RPF) feature helps to mitigate problems that are caused by malformed or forged IP source addresses that are passing through a router, refer to http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfrpf.htm .

    For the CSCee27329 (passwd) vulnerability ensure that there are no blank passwords set in the user database. Ensure that the CISCO15 userid has a strong password set.

    The Cisco PSIRT recommends that affected users upgrade to a fixed software version of code.

Fixed Software

  • When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

    In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.

    First fixed software release table for all vulnerabilities referenced in this Security Advisory

    Product

    Fixed Releases

    15327

    4.6(2) and later

    4.1(4) and later

    4.0(3) and later

    15454, 15454 SDH

    4.6(2) and later

    4.1(4) and later

    4.0(3) and later

    2.3(5)

    15600

    5.0 and later

    • CSCed06531 (IP)
      Product
      		 Fixed Releases
      15327
      		 4.6(2) and later
      4.1(4) and later
      4.0(3) and later
      15454, 15454 SDH
      		 4.6(2) and later
      4.1(4) and later
      4.0(3) and later
      2.3(5)
      15600
      		 Not Affected

    • CSCed86946 (ICMP)
      Product
      		 Fixed Releases
      15327
      		 4.6(2) and later
      4.1(4) and later
      4.0(3) and later
      15454, 15454 SDH
      		 4.6(2) and later
      4.1(4) and later
      4.0(3) and later
      2.3(5)
      15600
      		 Not Affected

    • CSCec88426/CSCec88508/CSCed85088/CSCeb07263/CSCec21429 (TCP)
      Product
      		 Fixed Releases
      15327
      		 4.6(2) and later
      4.1(4) and later
      4.0(3) and later
      15454, 15454 SDH
      		 4.6(2) and later
      4.1(4) and later
      4.0(3) and later
      2.3(5)
      15600
      		 5.0 and later

    • CSCec59739/CSCed02439/CSCed22547 (Last-ACK)
      Product
      		 Fixed Releases
      15327
      		 4.6(2) and later
      4.1(4) and later
      4.0(3) and later
      15454, 15454 SDH
      		 4.6(2) and later
      4.1(4) and later
      4.0(3) and later
      2.3(5)
      15600
      		 Not Affected

    • CSCec88402/CSCed31918/CSCed83309/CSCec85982/CSCec21435/CSCee03697 (UDP)
      Product
      		 Fixed Releases
      15327
      		 4.6(2) and later
      4.1(4) and later
      4.0(3) and later
      15454, 15454 SDH
      		 4.6(2) and later
      4.1(4) and later
      4.0(3) and later
      2.3(5)
      15600
      		 5.0 and later

    • CSCea16455/CSCea37089/CSCea37185 (SNMP)
      Product
      		 Fixed Releases
      15327
      		 4.1(3) and later
      4.0(3) and later
      15454, 15454 SDH
      		 4.6(0) and later
      4.1(3) and later
      4.0(3) and later
      2.3(5)
      15600
      		 Not Affected

    • CSCee27329 (passwd)
      Product
      		 Fixed Releases
      15327
      		 4.6(2) and later
      15454, 15454 SDH
      		 4.6(2) and later
      15600
      		 Not Affected

    The vulnerabilities for the Cisco ONS 15600 platforms are fixed in the Cisco ONS software Release 5.0, which will be available in September 2004.

    Upgrade procedures can be found as indicated below:

    The procedure to upgrade to the fixed software version on the Cisco ONS 15327 hardware is detailed at http://www.cisco.com/univercd/cc/td/doc/product/ong/15327/327doc41/index.htm.

    The procedure to upgrade to the fixed software version on the Cisco ONS 15454 hardware is detailed at http://www.cisco.com/univercd/cc/td/doc/product/ong/15400/r46docs/index.htm .

    The procedure to upgrade to the fixed software version on the Cisco ONS 15600 hardware is detailed at http://cisco.com/univercd/cc/td/doc/product/ong/15600/index.htm.

Exploitation and Public Announcements

  • The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

    These vulnerabilities were uncovered during Internal stress testing by Cisco except for the malformed ICMP packet vulnerability, which was reported to Cisco by a customer.

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Related to This Advisory

URL

Revision History

  • Revision 1.0

    2004-July-21

    Initial public release.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started