Multiple Vulnerabilities in Cisco IPS Software

Summary

• Cisco Intrusion Prevention System (IPS) Software is affected by the following vulnerabilities:
  

  • Cisco IPS Analysis Engine Denial of Service Vulnerability
  • Cisco IPS Control-Plane MainApp Denial of Service Vulnerability
  • Cisco IPS Jumbo Frame Denial of Service Vulnerability

  The Cisco IPS Analysis Engine Denial of Service Vulnerability and the Cisco IPS Jumbo Frame Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive or crash. When this occurs, the Cisco IPS will stop inspecting traffic.
  
  The Cisco IPS Control-Plane MainApp Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the MainApp process to become unresponsive and prevent it from executing several tasks including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive, and other processes such as the Analysis Engine process may not work properly.
  
  Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate some of the vulnerabilities are available. This advisory is available at the following link:
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140219-ips

Affected Products

• Vulnerable Products

  Cisco IPS Analysis Engine Denial of Service Vulnerability
  
  The following products are affected by the Cisco IPS Analysis Engine Denial of Service Vulnerability:

  • Cisco ASA 5500-X Series IPS Security Services Processor (IPS SSP) software and hardware modules
  • Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Module (AIP SSM)
  • Cisco IPS 4200 Series Sensors
  • Cisco IPS 4300 Series Sensors
  • Cisco IPS 4500 Series Sensors

  This vulnerability does not affect Cisco IPS Software releases prior to 7.1(4)E4.
  
  This vulnerability affects only Cisco IPS Software configured with a signature with the produce-verbose-alert action enabled or systems on which an event action override (EAO) is configured to add this action.
  
  To determine whether the produce-verbose-alert option is used in any of the active signatures or in an EAO configuration use the show configuration command.
  
  The following example shows signature ID 1475/0 modified to enable the produce-verbose-alert option:

  
  sensor# show configuration
  ! ------------------------------
  ! Current configuration last modified Wed Feb 05 16:21:00 2014
  ! ------------------------------
  ! Version 7.1(8)
  ! Host:
  !     Realm Keys          key1.0
  [...]
  
  variables WEBPORTS web-ports 24326-24326,3128-3128,80-80,8000-8000,8010-8010,8080-8080,8888-8888
  signatures 1475 0
  engine string-tcp
  event-action produce-alert|produce-verbose-alert
  exit
  
  [...]
  
  

  The following example shows the rules0 event action rules policy with an override enabled with the produce-verbose-alert option:
  
  

  sensor# show configuration
  ! ------------------------------
  ! Current configuration last modified Wed Feb 05 16:21:00 2014
  ! ------------------------------
  ! Version 7.1(8)
  ! Host:
  !     Realm Keys          key1.0
  [...]
  
  ! ------------------------------
  service event-action-rules rules0
  overrides deny-packet-inline
  override-item-status Enabled
  risk-rating-range 90-100
  exit
  overrides produce-verbose-alert
  override-item-status Enabled
  risk-rating-range 90-100
  exit
  exit
  ! ------------------------------
  
  [...]

  
  
  Alternatively, to determine wheter any active signature has the produce-verbose-alert option enabled, use the Cisco IPS Device Manager (IDM) to connect to the Cisco IPS and navigate to Configuration > Policies > Signature Definitions > -Sig-Definition-Name- > Active Signatures and filter by using Filter: Action Produce Verbose Alert.
  
  The produce-verbose-alert option is not enabled by default on any active signatures nor in any EAO rules.
  
  

  Cisco IPS Control-Plane MainApp Denial of Service Vulnerability

  The following products are affected by the Cisco IPS Control-Plane MainApp Denial of Service Vulnerability:

  • Cisco ASA 5505 Advanced Inspection and Prevention Security Services Card (AIP SSC)
  • Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Module (AIP SSM)
  • Cisco ASA 5500-X Series IPS Security Services Processor (IPS SSP) software and hardware modules

  Note: The Advanced Inspection and Prevention Security Services Card (AIP SSC) for Cisco ASA 5505 has reached End of Software Maintenance Releases milestone. Customers are encouraged to contact their Cisco representative for an available replacement.
  
  Cisco IPS Jumbo Frame Denial of Service Vulnerability

  The following products are affected by the Cisco IPS Jumbo Frame Denial of Service Vulnerability:

  • Cisco IPS 4500 Series Sensors

  How to Determine the Running Software Version

  To determine whether a vulnerable version of Cisco IPS Software is running on an appliance, administrators can issue the show version command. The following example shows a Cisco IPS 4345 that is running software version 7.1(3)E4:

  sensor# show version
  Application Partition:
  
  Cisco Intrusion Prevention System, Version 7.1(3)E4
  
  Host:
      Realm Keys          key1.0
  Signature Definition:
      Signature Update    S605.0        2011-10-25
  OS Version:             2.6.29.1
  Platform:               IPS-4345-K9

  Customers who use Cisco Intrusion Prevention System Device Manager (IDM) to manage devices can locate the software version in the table that is displayed in the login window or top left corner of the Cisco IDM window.
  

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by these vulnerabilities.

Details

• The Cisco IPS is a family of network security devices that provide network-based threat prevention services. Cisco IPS Software includes several applications that are used by the system to run different tasks. In particular, the MainApp process is responsible for multiple critical tasks, including reading the configuration, starting and stopping applications, and authentication service, while the Analysis Engine process is responsible for the analysis and inspection of traffic passing through the sensor.
  
  Additional information about the MainApp and Analysis Engine processes is in the "System Architecture" section of the product configuration guide:
  http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idm_system_architecture.html#wp1126061
  
  Cisco IPS Analysis Engine Denial of Service Vulnerability
  
  A vulnerability in the produce-verbose-alert code of Cisco Intrusion Prevention System (IPS) Software could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive.
  
  The vulnerability is due to improper handling of fragmented packets by the Analysis Engine process when the produce-verbose-alert action is enabled. An attacker could exploit this vulnerability by sending fragmented packets through the affected system. To trigger the vulnerability, the attacker could cause a signature with the produce-verbose-alert action to fire, or trigger an event for which produce-verbose-alert has been configured as an event action override. An exploit could allow the attacker to cause the Analysis Engine process to become unresponsive. This will cause the affected system to stop inspecting traffic.
  
  The vulnerability can be triggered by IP version 4 (IPv4) and IP version 6 (IPv6) fragmented packets passing through the affected system. Traffic directed to the management IP address of the Cisco IPS will not trigger this vulnerability.
  
  This vulnerability is documented in Cisco bug ID CSCui91266 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2014-0718.
  
  
  Cisco IPS Control-Plane MainApp Denial of Service Vulnerability
  
  A vulnerability in the implementation of the control-plane access list of the Cisco IPS Software could allow an unauthenticated, remote attacker to cause the MainApp process to become unresponsive.
  
  The vulnerability is due to a failure to properly handle malformed TCP packets sent to the management IP address of the affected system. An attacker could exploit this vulnerability by sending crafted TCP packets to TCP port 7000 of the IP address of the management interface. An exploit could allow the attacker to make the MainApp process unresponsive. This creates a denial of service (DoS) condition because the Cisco IPS sensor is not able to execute several critical tasks including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive. Additionally, due to this general system failure, other processes such as the Analysis Engine may not work properly.
  
  The vulnerability can be triggered only by TCP traffic directed to TCP port 7000 of the IP address of the management interface. Traffic passing through the sensing interfaces will not trigger this vulnerability. If the Cisco IPS is configured in promiscuous mode, mitigation actions that require MainApp processing such as shun or rate-limit may be unavailable. If the Cisco IPS is configured in inline mode, the sensor may not correctly perform inspection and mitigation actions because the Analysis Engine process may not work properly.
  
  This vulnerability affects only Cisco IPS Software running on hardware and software module for Cisco ASA 5500 Series and Cisco ASA 5500-X Series.
  
  This vulnerability is documented in Cisco bug ID CSCui67394 (registered customers only) and has been assigned CVE ID CVE-2014-0719.
  
  

  Cisco IPS Jumbo Frame Denial of Service Vulnerability

  A vulnerability in Cisco IPS code that handles jumbo frames could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive.
  
  The vulnerability is due to improper handling of jumbo frames sent a high rate. An attacker could exploit this vulnerability by sending jumbo frames through the sensing interface of the affected device. An exploit could allow the attacker to cause the Analysis Engine process to become unresponsive. This will cause the affected system to stop inspecting traffic.
  
  The vulnerability can be triggered by IPv4 and IPv6 based jumbo frames passing through the affected system. Traffic directed to the management IP address of the Cisco IPS will not trigger this vulnerability.
  
  This vulnerability is documented in Cisco bug ID CSCuh94944 (registered customers only) and has been assigned CVE ID CVE-2014-0720.

Workarounds

• To work around the Cisco IPS Analysis Engine Denial of Service Vulnerability administrator can disable the produce-verbose-alert action.
  
  Use show configuration command to determine which signature has the produce-verbose-alert option enabled or wheter the produce-verbose-alert option is enabled as EAO.
  
  If the produce-verbose-alert has been configured at the signature level, the value can be modified by entering the signature configuration prompt and modifying the event action for each signature that needs modification to use produce-alert instead of the produce-verbose-alert action. The following example shows the procedure to change the event action from produce-verbose-alert to produce-alert for signature 1475/0:
  
  

  sensor(config)# service signature-definition sig0
  sensor(config-sig)# signatures 1475 0 
  sensor(config-sig-sig)# engine string-tcp 
  sensor(config-sig-sig-str)# event-action produce-alert
  sensor(config-sig-sig-str)# exit
  sensor(config-sig-sig)# exit
  sensor(config-sig)# exit
  Apply Changes?[yes]: yes
  sensor(config)#

  
  

  Alternatively, an administrator can use the Cisco Intrusion Prevention System Device Manager (IDM) to connect to the Cisco IPS and navigate to Configuration > Policies > Signature Definitions > -Sig-Definition-Name- > Active Signatures and filter by using Filter: Action Produce Verbose Alert in order to verify any active signatures with the produce-verbose-alert option enabled.
  
  For each of the signatures, right-click and choose Edit Action. From the panel, uncheck the Produce Verbose Alert check box, click the OK and apply the changes.
  
  If the produce-verbose-alert action is enabled as EAO, this can be disable by modifying the settings for the event action rules policy.
  
  The following example shows how to disable the override with produce-verbose-alert configured in the rules0 event action rules policy:
  
  

  sensor(config)# service event-action-rules rules0
  sensor(config-eve)# no overrides produce-verbose-alert 
  sensor(config-eve)# exit
  Apply Changes?[yes]: yes
  sensor(config)# 

  
  
  There is no workaround for the Cisco IPS Control-Plane MainApp Denial of Service Vulnerability , however restricting the number of allowed hosts may reduce the exposure of this vulnerability.
  
  To restrict the number of allowed hosts, the administrator should use the access-list command. The no access-list command should be used to remove any hosts or networks from the list.
  The following example shows the sequence of commands to remove access to the full 192.168.1.0/24 network and allow access only to the host with IP address 192.168.1.1:

  • Use the show settings command in network-setting configuration mode to see the current allowed hosts or networks. The following example shows that the Cisco IDSM-2 is configured to allow all the hosts in the 192.168.1.0/24 network:

  sensor(config-hos-net)# show settings
     network-settings
     -----------------------------------------------
        [...]
        access-list (min: 0, max: 512, current: 1)
        -----------------------------------------------
           network-address: 192.168.1.0/24
           -----------------------------------------------
        -----------------------------------------------
        ftp-timeout: 300 seconds 
        login-banner-text: 
        [...]

  • Use the access-list command in network-setting configuration mode to add the 192.168.1.1 hosts.

  Note: make sure that if this is the only allowed host, it is also the one from which you are executing the configuration commands to avoid losing connectivity to the Cisco IDSM-2 Module.

  sensor(config-hos-net)#access-list 192.168.1.1/32

  • Use the no access-list command in network-setting configuration mode to remove the 192.168.1.0/32 network for the allowed hosts list:

  sensor(config-hos-net)#no access-list 192.168.1.0/24

  • Use the show settings command in network-setting configuration mode to check that the list of allowed hosts is correct:

  sensor(config-hos-net)# show settings
     network-settings
     -----------------------------------------------
        [...]
        access-list (min: 0, max: 512, current: 1)
        -----------------------------------------------
           network-address: 192.168.1.1/32
           -----------------------------------------------
        -----------------------------------------------
        ftp-timeout: 300 seconds 
        login-banner-text: 
        [...]

  • Exit and apply the configuration:

  sensor(config-hos-net)# exit
  sensor(config-hos)# exit
  Apply Changes:?[yes]: 

  
  There is no workaround for the Cisco IPS Jumbo Frame Denial of Service Vulnerability.
  
  
  Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory: http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=32605
  

Fixed Software

• When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
  
  The following table summarizes the first fixed release for each vulnerability and for each major release version. The last row gives information on the recommended releases that resolves all the vulnerabilities in this security advisory.

  	6.x	7.0	7.1	7.2	7.3
  Cisco IPS Analysis Engine Denial of Service Vulnerability - CSCui91266	Not Affected	Not Affected	7.1(8)E41	7.2(2)E4	Not Affected
  Cisco IPS Control-Plane MainApp Denial of Service Vulnerability - CSCui67394	Affected, move to 7.1 or later2	Affected, move to 7.1 or later	7.1(8p2)E4	7.2(2)E4	Not Affected
  Cisco IPS Jumbo Frame Denial of Service Vulnerability - CSCuh94944	Not Affected	Not Affected	7.1(8)E4	7.2(2)E4	Not Affected
  Recommended Release	Affected, move to 7.1 or later	Affected, move to 7.1 or later	7.1(8p2)E4 or later	7.2(2)E4 or later	Not Affected

  
  ¹This vulnerability does not affect Cisco IPS Software versions prior to 7.1(4)E4
  ² Cisco ASA 5505 Advanced Inspection and Prevention Security Services Card (AIP SSC) supports only Cisco IPS Software version 6.2 and prior. Advanced Inspection and Prevention Security Services Card (AIP SSC) for Cisco ASA 5505 has reached End of Software Maintenance Releases milestone.
  

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

  The Cisco IPS Analysis Engine Denial of Service Vulnerability and the Cisco IPS Control-Plane MainApp Denial of Service Vulnerability were found during the resolution of customer service requests. The Cisco IPS Jumbo Frame Denial of Service Vulnerability was found during internal testing.

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140219-ips

Revision History

• Revision 1.0

  2014-February-19

  Initial public release

  Show Less