Cisco IOS® Software contains a vulnerability when the Cisco IOS SSL VPN feature is configured with an HTTP redirect. Exploitation could allow a remote, unauthenticated user to cause a memory leak on the affected devices, that could result in a memory exhaustion condition that may cause device reloads, the inability to service new TCP connections, and other denial of service (DoS) conditions. Cisco has released software updates that address this vulnerability. There is a workaround to mitigate this vulnerability. This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-sslvpn. Note: The September 22, 2010, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. Five of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that have been published on September 22, 2010, or earlier: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-bundle Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html
Cisco IOS® Software contains a vulnerability when the Cisco IOS SSL VPN feature is configured with an HTTP redirect. Exploitation could allow a remote, unauthenticated user to cause a memory leak on the affected devices, that could result in a memory exhaustion condition that may cause device reloads, the inability to service new TCP connections, and other denial of service (DoS) conditions.
Cisco has released software updates that address this vulnerability. There is a workaround to mitigate this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-sslvpn.
Note: The September 22, 2010, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. Five of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that have been published on September 22, 2010, or earlier:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-bundle
Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html
Devices running affected versions of Cisco IOS Software are vulnerable if configured with SSL VPN and HTTP port redirection.
The following methods may be used to confirm if the device is configured for Cisco IOS SSL VPNs and is vulnerable:
If the output from show running-config | include
webvpn contains "webvpn gateway
Router#show running | section webvpn webvpn gateway Gateway ip address 10.1.1.1 port 443 http-redirect port 80 ssl trustpoint Gateway-TP inservice ! Router#
A device that supports the Cisco IOS SSL VPN is not vulnerable if "webvpn gateway" is not configured.
To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 12.4(20)T with an installed image name of C2800NM-ADVSECURITYK9-M:
Vulmon
Router#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 22:00 by prod_rel_team
! --- output truncated
Additional information about Cisco IOS Software release naming conventions is available in "White Paper: Cisco IOS Reference Guide" at the following link: http://www.cisco.com/warp/public/620/1.html
The following products are not affected by this vulnerability:
No other Cisco products are currently known to be affected by this vulnerability.
The Cisco IOS SSL VPN feature provides remote access to enterprise sites to users anywhere on the Internet. The SSL VPN provides users with secure access to specific enterprise applications, such as e-mail and web browsing, without requiring them to have VPN client software installed on their end-user devices.
Further information about Cisco IOS SSL VPN is available in the "Cisco IOS Software Release 12.4T SSL VPN feature guide" at the following link: http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htwebvpn.html
A device configured for SSL VPN with HTTP port redirection may leak transmission control blocks (TCBs) when processing an abnormally disconnected SSL session. Continued exploitation may cause the device to deplete memory resources, which could result in device reloads, the inability to service new TCP connections, and other DoS conditions. Authentication is not required to exploit this vulnerability.
A complete TCP 3-way handshake is required to exploit this vulnerability. The memory leak can be detected by running the command show tcp brief as shown in the following example:
Router#show tcp brief TCB Local Address Foreign Address (state) 468BBDC0 192.168.0.22.80 192.168.0.33.19794 CLOSEWAIT 482D4730 192.168.0.22.80 192.168.0.33.22092 CLOSEWAIT 482779A4 192.168.0.22.80 192.168.0.33.16978 CLOSEWAIT 4693DEBC 192.168.0.22.80 192.168.0.33.21580 CLOSEWAIT 482D3418 192.168.0.22.80 192.168.0.33.17244 CLOSEWAIT 482B8ACC 192.168.0.22.80 192.168.0.33.16564 CLOSEWAIT 46954EB0 192.168.0.22.80 192.168.0.33.19532 CLOSEWAIT 468BA9B8 192.168.0.22.80 192.168.0.33.15781 CLOSEWAIT 482908C4 192.168.0.22.80 192.168.0.33.19275 CLOSEWAIT 4829D66C 192.168.0.22.80 192.168.0.33.19314 CLOSEWAIT 468A2D94 192.168.0.22.80 192.168.0.33.14736 CLOSEWAIT 4688F590 192.168.0.22.80 192.168.0.33.18786 CLOSEWAIT 4693CBA4 192.168.0.22.80 192.168.0.33.12176 CLOSEWAIT 4829ABC4 192.168.0.22.80 192.168.0.33.39629 CLOSEWAIT 4691206C 192.168.0.22.80 192.168.0.33.17818 CLOSEWAIT 46868224 192.168.0.22.80 192.168.0.33.16774 CLOSEWAIT 4832BFAC 192.168.0.22.80 192.168.0.33.39883 CLOSEWAIT 482D10CC 192.168.0.22.80 192.168.0.33.13677 CLOSEWAIT 4829B120 192.168.0.22.80 192.168.0.33.20870 CLOSEWAIT 482862FC 192.168.0.22.80 192.168.0.33.17035 CLOSEWAIT 482EC13C 192.168.0.22.80 192.168.0.33.16053 CLOSEWAIT 482901D8 192.168.0.22.80 192.168.0.33.16200 CLOSEWAIT
In the output above, the Transmission Control Blocks (TCBs) in the state CLOSEWAIT will not transition and represent a memory leak. Note that only TCP connections with a local TCP port of 80 (the well-known port for HTTP), as evidenced in the above example by a Local Address of 192.168.0.22.80, are relevant.
This vulnerability is documented in Cisco bug ID CSCtg21685 ( registered customers only) and Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-2836 has been assigned to this vulnerability.
Disabling HTTP redirection for SSL VPN connections can be used as a workaround for this vulnerability. HTTP redirection for SSL VPN connections is disabled by executing the command no http-redirect port in webvpn gateway configuration mode.
In addition, manually clearing the hung TCBs with the command clear tcp tcb * will transition the TCBs into a CLOSED state. After a time they will clear the CLOSED state and the memory will be released.
Note: Clearing the TCB will clear both legitimate and hung connections, including remote connections to the device such as Telnet and SSH connections.
The Cisco Applied Mitigation Bulletin (AMB) "Identifying and Mitigating Exploitation of the TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products", available at http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20090908-tcp24, contains two mitigations (EEM scripts and SNMP) that can be used to detect and clear hung TCP connections.
A Cisco IOS Embedded Event Manager (EEM) policy that is based on Tool Command Language (Tcl) can be used on vulnerable Cisco IOS devices to identify and detect a hung, extended, or indefinite TCP connection that is caused by this vulnerability. The policy allows administrators to monitor TCP connections on a Cisco IOS device. When Cisco IOS EEM detects potential exploitation of this vulnerability, the policy can trigger a response by sending a syslog message or a Simple Network Management Protocol (SNMP) trap to clear the TCP connection. The example policy provided in this document is based on a Tcl script that monitors and parses the output from two commands at defined intervals, produces a syslog message when the monitor threshold reaches its configured value, and can reset the TCP connection.
The Tcl script is available for download at the "Cisco Beyond: Embedded Event Manager (EEM) Scripting Community" at the following link: http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=2041. A sample device configuration is provided below.
! !-- Location where the Tcl script will be stored ! event manager directory user policy disk0:/eem ! !-- Define variable and set the monitoring interval !-- as an integer (expressed in seconds) ! event manager environment EEM_MONITOR_INTERVAL 60 ! !-- Define variable and set the threshold value as !-- an integer for the number of retransmissions !-- that determine if the TCP connection is hung !-- (a recommended value to use is 15) ! event manager environment EEM_MONITOR_THRESHOLD 15 ! !-- Define variable and set the value to "yes" to !-- enable the clearing of hung TCP connections ! event manager environment EEM_MONITOR_CLEAR yes ! !-- Define variable and set to the TCP connection !-- state or states that script will monitor, which !-- can be a single state or a space-separated list !-- of states ! event manager environment EEM_MONITOR_STATES CLOSEWAIT ! !-- Register the script as a Cisco EEM policy ! event manager policy monitor-sockets.tcl !
For more details, refer to the sections "EEM Detecting And Clearing Hung TCP Connection" and "Identification: Detecting and Clearing Hung TCP Connection Using SNMP" of this AMB at the following link: http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20090908-tcp24.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Each row of the following Cisco IOS Software table corresponds to a Cisco IOS Software train. If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release For This Advisory column. The First Fixed Release for All Advisories in the September 2010 Bundle Publication column lists the earliest possible releases that correct all the published vulnerabilities in the Cisco IOS Software Security Advisory bundled publication. Cisco recommends upgrading to the latest available release, where possible.
|
Major Release |
Availability of Repaired Releases |
|
|---|---|---|
|
Affected 12.0-Based Releases |
First Fixed Release for This Advisory |
First Fixed Release for All Advisories in the September 2010 Bundle Publication |
|
There are no affected 12.0 based releases |
||
|
Affected 12.1-Based Releases |
First Fixed Release for This Advisory |
First Fixed Release for All Advisories in the September 2010 Bundle Publication |
|
There are no affected 12.1 based releases |
||
|
Affected 12.2-Based Releases |
First Fixed Release for This Advisory |
First Fixed Release for All Advisories in the September 2010 Bundle Publication |
|
There are no affected 12.2 based releases |
||
|
Affected 12.3-Based Releases |
First Fixed Release for This Advisory |
First Fixed Release for All Advisories in the September 2010 Bundle Publication |
|
There are no affected 12.3 based releases |
||
|
Affected 12.4-Based Releases |
First Fixed Release for This Advisory |
First Fixed Release for All Advisories in the September 2010 Bundle Publication |
|
Not Vulnerable |
12.4(25d) |
|
|
Not Vulnerable |
12.4(24)GC2 |
|
|
Not Vulnerable |
Not Vulnerable |
|
|
Not Vulnerable |
Not Vulnerable |
|
|
Not Vulnerable |
Not Vulnerable |
|
|
Not Vulnerable |
Not Vulnerable |
|
|
Not Vulnerable |
Not Vulnerable |
|
|
Not Vulnerable |
Not Vulnerable |
|
|
Not Vulnerable |
Not Vulnerable |
|
|
Not Vulnerable |
Not Vulnerable |
|
|
Not Vulnerable |
Not Vulnerable |
|
|
Not Vulnerable |
Not Vulnerable |
|
|
Not Vulnerable |
Not Vulnerable |
|
|
Not Vulnerable |
Not Vulnerable |
|
|
Not Vulnerable |
12.4(24)MD2 |
|
|
Not Vulnerable |
12.4(22)MDA4 12.4(24)MDA1 |
|
|
Not Vulnerable |
Vulnerable; first fixed in 12.4MRA |
|
|
Not Vulnerable |
12.4(20)MRA1 |
|
|
Not Vulnerable |
Vulnerable; first fixed in 12.4T |
|
|
Releases Prior to 12.4(15)T13 are not vulnerable. First fixed 12.4(15)T14 Releases Prior to 12.4(20)T5 are not vulnerable. First fixed 12.4(20)T6 Releases Prior to 12.4(24)T2 are not vulnerable. First fixed 12.4(24)T4 |
12.4(15)T14 12.4(20)T6 12.4(24)T4 |
|
|
Not Vulnerable |
Vulnerable; first fixed in 12.4T |
|
|
Not Vulnerable |
Vulnerable; first fixed in 12.4T |
|
|
Not Vulnerable |
Vulnerable; first fixed in 12.4T |
|
|
Not Vulnerable |
Vulnerable; first fixed in 12.4T |
|
|
Not Vulnerable |
Releases prior to 12.4(6)XE5 are vulnerable, release 12.4(6)XE5 and later are not vulnerable; first fixed in 12.4T |
|
|
Not Vulnerable |
Vulnerable; first fixed in 12.4T |
|
|
Not Vulnerable |
Vulnerable; first fixed in 12.4T |
|
|
Not Vulnerable |
Vulnerable; first fixed in 12.4T |
|
|
Not Vulnerable |
Vulnerable; first fixed in 12.4T |
|
|
Not Vulnerable |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Not Vulnerable |
Vulnerable; first fixed in 12.4T |
|
|
Not Vulnerable |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Not Vulnerable |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Not Vulnerable |
12.4(15)XQ6; Available on 22-SEP-10 |
|
|
Not Vulnerable |
12.4(15)XR9 12.4(22)XR7 |
|
|
Not Vulnerable |
Vulnerable; first fixed in 12.4T |
|
|
Not Vulnerable |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Not Vulnerable |
Vulnerable; first fixed in 12.4T |
|
|
Not Vulnerable |
Vulnerable; first fixed in 12.4T |
|
|
Not Vulnerable |
Vulnerable; first fixed in 12.4T |
|
|
Not Vulnerable |
Vulnerable; first fixed in 12.4T |
|
|
Not Vulnerable |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Not Vulnerable |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Not Vulnerable |
12.4(24)YE1 |
|
|
Not Vulnerable |
12.4(24)YG3 |
|
|
Affected 15.0-Based Releases |
First Fixed Release for This Advisory |
First Fixed Release for All Advisories in the September 2010 Bundle Publication |
|
15.0(1)M3 |
15.0(1)M3 |
|
|
Cisco 7600 and 10000 Series routers: Not vulnerable Please see Cisco IOS-XE Software Availability |
Cisco 7600 and 10000 Series routers: 15.0(1)S1 (available early October 2010) Please see Cisco IOS-XE Software Availability |
|
|
Not Vulnerable |
Vulnerable; first fixed in 15.1T |
|
|
Not Vulnerable |
Not Vulnerable |
|
|
Affected 15.1-Based Releases |
First Fixed Release for This Advisory |
First Fixed Release for All Advisories in the September 2010 Bundle Publication |
|
15.1(1)T1 15.1(2)T0a |
15.1(2)T1 |
|
|
Vulnerability limited to 15.1(1)XB1. |
Vulnerable; first fixed in 15.1T |
|
|
Cisco IOS XE Release |
First Fixed Release for This Advisory |
First Fixed Release for All Advisories in the September 2010 Bundle Publication |
|---|---|---|
|
2.1.x |
Not Vulnerable |
Not Vulnerable |
|
2.2.x |
Not Vulnerable |
Not Vulnerable |
|
2.3.x |
Not Vulnerable |
Not Vulnerable |
|
2.4.x |
Not Vulnerable |
Not Vulnerable |
|
2.5.x |
Not Vulnerable |
Vulnerable; migrate to 2.6.2 or later |
|
2.6.x |
Not Vulnerable |
2.6.2 |
|
3.1.xS |
Not Vulnerable |
Not Vulnerable |
For mapping of Cisco IOS XE Software to Cisco IOS Software releases, please refer to the Cisco IOS XE 2 and Cisco IOS XE 3S Release Notes.
Cisco IOS XR Software is not affected by the vulnerabilities disclosed in the September 22, 2010, Cisco IOS Software Security Advisory bundled publication.
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
This vulnerability was found during the troubleshooting of a customer service request.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
|
Revision 1.0 |
2010-September-22 |
Initial public release. |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.