Cisco Intrusion Prevention System (IPS) Software is affected by the following vulnerabilities:

Cisco IPS Analysis Engine Denial of Service Vulnerability
Cisco IPS Control-Plane MainApp Denial of Service Vulnerability
Cisco IPS Jumbo Frame Denial of Service Vulnerability

The Cisco IPS Analysis Engine Denial of Service Vulnerability and the Cisco IPS Jumbo Frame Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive or crash. When this occurs, the Cisco IPS will stop inspecting traffic.

The Cisco IPS Control-Plane MainApp Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the MainApp process to become unresponsive and prevent it from executing several tasks, including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive, and other processes such as the Analysis Engine process may not work properly.

Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate some of the vulnerabilities are available.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140219-ips
Cisco IPS Analysis Engine Denial of Service Vulnerability
The following products are affected by the Cisco IPS Analysis Engine Denial of Service Vulnerability:
This vulnerability does not affect Cisco IPS Software releases prior to 7.1(4)E4.
This vulnerability affects only Cisco IPS Software configured with a signature with the produce-verbose-alert action enabled or systems on which an event action override (EAO) is configured to add this action.
To determine whether the produce-verbose-alert option is used in any of the active signatures or in an EAO configuration, use the show configuration command.
The following example shows signature ID 1475/0 modified to enable the produce-verbose-alert option:
sensor# show configuration
! ------------------------------
! Current configuration last modified Wed Feb 05 16:21:00 2014
! ------------------------------
! Version 7.1(8)
! Host:
! Realm Keys key1.0
[...]
variables WEBPORTS web-ports 24326-24326,3128-3128,80-80,8000-8000,8010-8010,8080-8080,8888-8888
signatures 1475 0
engine string-tcp
event-action produce-alert|produce-verbose-alert
exit
[...]
The following example shows the rules0 event action rules policy with an override enabled with the produce-verbose-alert option:
sensor# show configuration
! ------------------------------
! Current configuration last modified Wed Feb 05 16:21:00 2014
! ------------------------------
! Version 7.1(8)
! Host:
! Realm Keys key1.0
[...]
! ------------------------------
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Enabled
risk-rating-range 90-100
exit
overrides produce-verbose-alert
override-item-status Enabled
risk-rating-range 90-100
exit
exit
! ------------------------------
[...]
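As an added example, not part of the advisory, the following Python script applies the two checks described above to a saved copy of show configuration output: it lists every signature whose event-action list contains produce-verbose-alert, and every event-action-rules policy that has an Enabled override for that action. The embedded SAMPLE_CONFIG is constructed for illustration in the shape of the excerpts above, and the parser assumes that flat keyword/exit layout (one exit closes the innermost open block); the function and constant names are this example's own.

```python
from typing import Dict, List, Optional, Tuple

VERBOSE = "produce-verbose-alert"

# Constructed sample of "show configuration" output, shaped like the advisory's
# excerpts; it is not a capture from a real sensor. sig0 carries 1475/0 with the
# verbose action, rules0 has an Enabled override for it, rules1 a Disabled one.
SAMPLE_CONFIG = """\
! ------------------------------
! Version 7.1(8)
[...]
service signature-definition sig0
signatures 1475 0
engine string-tcp
event-action produce-alert|produce-verbose-alert
exit
signatures 2000 0
engine atomic-ip
event-action produce-alert
exit
exit
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Enabled
risk-rating-range 90-100
exit
overrides produce-verbose-alert
override-item-status Enabled
risk-rating-range 90-100
exit
exit
service event-action-rules rules1
overrides produce-verbose-alert
override-item-status Disabled
risk-rating-range 90-100
exit
exit
"""


def find_verbose_alert_exposure(config_text: str) -> Dict[str, List[str]]:
    """Return signatures whose event-action includes produce-verbose-alert and
    event-action-rules policies with an Enabled override for it.

    'service' opens a policy, 'signatures' a signature block, 'overrides' an
    override block; each 'exit' closes the innermost block that is open.
    """
    signatures: List[str] = []                   # e.g. "sig0: 1475/0"
    overrides: List[str] = []                    # e.g. "rules0"
    service: Optional[Tuple[str, str]] = None    # (service type, policy name)
    sig: Optional[str] = None                    # "id/subid" of the open signature
    override: Optional[str] = None               # action of the open override block
    override_enabled = False

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                             # banner and comment lines
        parts = line.split()
        kw = parts[0]
        if kw == "service" and len(parts) >= 3:
            service = (parts[1], parts[2])
        elif kw == "signatures" and len(parts) >= 3:
            sig = f"{parts[1]}/{parts[2]}"
        elif kw == "event-action" and sig is not None and len(parts) >= 2:
            # Actions are joined with '|', e.g. "produce-alert|produce-verbose-alert"
            if VERBOSE in parts[1].split("|"):
                signatures.append(f"{service[1] if service else '?'}: {sig}")
        elif kw == "overrides" and len(parts) >= 2:
            override, override_enabled = parts[1], False
        elif kw == "override-item-status" and override is not None and len(parts) >= 2:
            override_enabled = parts[1].lower() == "enabled"
        elif kw == "exit":
            if override is not None:
                if override == VERBOSE and override_enabled and service is not None:
                    overrides.append(service[1])
                override = None
            elif sig is not None:
                sig = None
            else:
                service = None
    return {"signatures": signatures, "overrides": overrides}


def is_exposed(config_text: str) -> bool:
    """True if either condition from the advisory holds for this configuration."""
    found = find_verbose_alert_exposure(config_text)
    return bool(found["signatures"] or found["overrides"])


if __name__ == "__main__":
    print(find_verbose_alert_exposure(SAMPLE_CONFIG))
```

Feed it the full output of show configuration rather than an excerpt: a Disabled override (rules1 in the sample) is reported as safe, and a signature that is only listed under a different signature definition than the one assigned to the interface would still appear, so confirm which sig policy is actually in use.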
Cisco IPS Control-Plane MainApp Denial of Service Vulnerability
The following products are affected by the Cisco IPS Control-Plane MainApp Denial of Service Vulnerability:
Note: The Advanced Inspection and Prevention Security Services Card (AIP SSC) for Cisco ASA 5505 has reached the End of Software Maintenance Releases milestone. Customers are encouraged to contact their Cisco representative for an available replacement.
Cisco IPS Jumbo Frame Denial of Service Vulnerability
The following products are affected by the Cisco IPS Jumbo Frame Denial of Service Vulnerability:
Customers who use Cisco Intrusion Prevention System Device Manager (IDM) to manage devices can locate the software version in the table that is displayed in the login window or in the top left corner of the Cisco IDM window. From the CLI, the show version command displays the running release, as in the following example:
sensor# show version
Application Partition:
Cisco Intrusion Prevention System, Version 7.1(3)E4
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S605.0 2011-10-25
OS Version: 2.6.29.1
Platform: IPS-4345-K9
Cisco IPS Jumbo Frame Denial of Service Vulnerability
A vulnerability in Cisco IPS code that handles jumbo frames could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive.
Alternatively, an administrator can use the Cisco Intrusion Prevention System Device Manager (IDM) to connect to the Cisco IPS and navigate to Configuration > Policies > Signature Definitions > -Sig-Definition-Name- > Active Signatures and filter by using Filter: Action Produce Verbose Alert in order to verify any active signatures with the produce-verbose-alert option enabled.
The following example removes the produce-verbose-alert action from signature 1475/0 in the sig0 signature definition, leaving only produce-alert:
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 1475 0
sensor(config-sig-sig)# engine string-tcp
sensor(config-sig-sig-str)# event-action produce-alert
sensor(config-sig-sig-str)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]: yes
sensor(config)#
The following example removes the produce-verbose-alert override from the rules0 event action rules policy:
sensor(config)# service event-action-rules rules0
sensor(config-eve)# no overrides produce-verbose-alert
sensor(config-eve)# exit
Apply Changes?[yes]: yes
sensor(config)#
The following example restricts management access to a single trusted host by replacing the 192.168.1.0/24 entry in the host network-settings access-list with 192.168.1.1/32:
sensor(config-hos-net)# show settings
network-settings
-----------------------------------------------
[...]
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 192.168.1.0/24
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds
login-banner-text:
[...]
Note: Make sure that if this is the only allowed host, it is also the one from which you are executing the configuration commands, to avoid losing connectivity to the Cisco IDSM-2 Module.
sensor(config-hos-net)#access-list 192.168.1.1/32
sensor(config-hos-net)#no access-list 192.168.1.0/24
sensor(config-hos-net)# show settings
network-settings
-----------------------------------------------
[...]
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 192.168.1.1/32
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds
login-banner-text:
[...]
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]:
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
The following table summarizes the first fixed release for each vulnerability and for each major release version. The last row gives the recommended releases that resolve all the vulnerabilities in this security advisory.
| Vulnerability | 6.x | 7.0 | 7.1 | 7.2 | 7.3 |
| Cisco IPS Analysis Engine Denial of Service Vulnerability - CSCui91266 | Not Affected | Not Affected | 7.1(8)E4 [1] | 7.2(2)E4 | Not Affected |
| Cisco IPS Control-Plane MainApp Denial of Service Vulnerability - CSCui67394 | Affected, move to 7.1 or later [2] | Affected, move to 7.1 or later | 7.1(8p2)E4 | 7.2(2)E4 | Not Affected |
| Cisco IPS Jumbo Frame Denial of Service Vulnerability - CSCuh94944 | Not Affected | Not Affected | 7.1(8)E4 | 7.2(2)E4 | Not Affected |
| Recommended Release | Affected, move to 7.1 or later | Affected, move to 7.1 or later | 7.1(8p2)E4 or later | 7.2(2)E4 or later | Not Affected |
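As an added example, not part of the advisory, the following Python script turns the first fixed release table above and the show version output shown earlier into a mechanical check: it parses a Cisco IPS release string such as 7.1(8p2)E4 into a sortable key, looks up the release train, and reports each bug as not affected, affected, or fixed. The FIRST_FIXED table is transcribed from the advisory's table cells (its footnotes are not reproduced here), the 7.1(4)E4 lower bound comes from the Analysis Engine section, the sample show version text is constructed, and the function names are this example's own.

```python
import re
from typing import Dict, Optional, Tuple

VersionKey = Tuple[int, int, int, int]

# Sentinel for the advisory's "Affected, move to 7.1 or later" cells.
UPGRADE = "move to 7.1 or later"

# First fixed release per vulnerability and release train, transcribed from the
# advisory's table. None means the train is not affected.
FIRST_FIXED: Dict[str, Dict[str, Optional[str]]] = {
    "CSCui91266 Analysis Engine DoS": {
        "6.x": None, "7.0": None, "7.1": "7.1(8)E4", "7.2": "7.2(2)E4", "7.3": None},
    "CSCui67394 Control-Plane MainApp DoS": {
        "6.x": UPGRADE, "7.0": UPGRADE, "7.1": "7.1(8p2)E4", "7.2": "7.2(2)E4", "7.3": None},
    "CSCuh94944 Jumbo Frame DoS": {
        "6.x": None, "7.0": None, "7.1": "7.1(8)E4", "7.2": "7.2(2)E4", "7.3": None},
}

# Per the advisory, releases prior to 7.1(4)E4 are not affected by the Analysis Engine issue.
ANALYSIS_ENGINE_FIRST_AFFECTED = "7.1(4)E4"


def parse_ips_version(text: str) -> VersionKey:
    """Parse '7.1(8p2)E4' (or '7.1(8)' as printed by show configuration) into
    (major, minor, maintenance, patch). The E4 engine level is not part of the order."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)(?:p(\d+))?\)(?:E\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognized Cisco IPS version: {text!r}")
    major, minor, maint, patch = m.groups()
    return (int(major), int(minor), int(maint), int(patch or 0))


def train_of(v: VersionKey) -> str:
    """Map a parsed version to the table's column: '6.x' or 'major.minor'."""
    return "6.x" if v[0] == 6 else f"{v[0]}.{v[1]}"


def assess(version_text: str) -> Dict[str, str]:
    """Compare a running release against the table and report each bug's status."""
    v = parse_ips_version(version_text)
    train = train_of(v)
    report: Dict[str, str] = {}
    for bug, per_train in FIRST_FIXED.items():
        if train not in per_train:
            report[bug] = "train not in table; consult the advisory"
            continue
        fix = per_train[train]
        if fix is None:
            report[bug] = "not affected"
        elif fix == UPGRADE:
            report[bug] = f"affected; {UPGRADE}"
        elif bug.startswith("CSCui91266") and v < parse_ips_version(ANALYSIS_ENGINE_FIRST_AFFECTED):
            report[bug] = f"not affected (earlier than {ANALYSIS_ENGINE_FIRST_AFFECTED})"
        elif v >= parse_ips_version(fix):
            report[bug] = f"fixed (first fixed in {fix})"
        else:
            report[bug] = f"affected; upgrade to {fix}"
    return report


def version_from_show_version(output: str) -> Optional[str]:
    """Pull the release out of show version output such as
    'Cisco Intrusion Prevention System, Version 7.1(3)E4'."""
    m = re.search(r"Version\s+(\d+\.\d+\(\d+(?:p\d+)?\)E\d+)", output)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed show version excerpt mirroring the advisory's example (not a real capture).
    sample = "Application Partition:\nCisco Intrusion Prevention System, Version 7.1(3)E4\n"
    running = version_from_show_version(sample)
    for bug, status in assess(running).items():
        print(f"{running}: {bug}: {status}")
```

Run against the 7.1(3)E4 sensor from the show version example, this reports the Analysis Engine issue as not affected (before 7.1(4)E4) but the MainApp and Jumbo Frame issues as affected; note that 7.1(8)E4 clears the latter two table cells but not the MainApp issue, which is why the recommended 7.1 release is 7.1(8p2)E4.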
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
The Cisco IPS Analysis Engine Denial of Service Vulnerability and the Cisco IPS Control-Plane MainApp Denial of Service Vulnerability were found during the resolution of customer service requests. The Cisco IPS Jumbo Frame Denial of Service Vulnerability was found during internal testing.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision 1.0 | 2014-February-19 | Initial public release |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.