Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Cisco IOS Software and Cisco IOS XE Software EnergyWise Crafted Packet Denial of Service Vulnerability

Related Vulnerabilities: CVE-2014-3327  

A vulnerability in the EnergyWise module of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device. The vulnerability is due to improper parsing of crafted EnergyWise packets destined to an affected device. An attacker could exploit this vulnerability by sending a crafted EnergyWise packet to be processed by an affected device. An exploit could allow the attacker to cause a reload of the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds for this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140806-energywise

Source

Summary

  • A vulnerability in the EnergyWise module of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device.

    The vulnerability is due to improper parsing of crafted EnergyWise packets destined to an affected device. An attacker could exploit this vulnerability by sending a crafted EnergyWise packet to be processed by an affected device. An exploit could allow the attacker to cause a reload of the affected device.

    Cisco has released software updates that address this vulnerability.

    There are no workarounds for this vulnerability.

    This advisory is available at the following link:
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140806-energywise

Affected Products

  • Vulnerable Products

    Cisco devices that are running an affected release of Cisco IOS and Cisco IOS XE Software and configured for EnergyWise operation are affected by this vulnerability.

    The EnergyWise feature is not enabled by default on Cisco IOS and Cisco IOS XE devices.

    To determine whether a Cisco IOS device is configured with EnergyWise, use the show run | include energywise command. The following example is the output of the show run | include energywise command on a Cisco IOS device configured with the minimum EnergyWise configuration needed to enable its operation:

    Router#show run | include energywise 
    energywise domain test_domain security shared-secret 0 test123

    Note: The EnergyWise domain configuration is the minimum configuration required to enable the EnergyWise feature on a Cisco IOS device.

    To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

    The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:

    Router>show version 
    Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1) 
    Technical Support: http://www.cisco.com/techsupport 
    Copyright (c) 1986-2009 by cisco Systems, Inc. 
    Compiled Wed 02-Dec-09 17:17 by prod_rel_team


    Products Confirmed Not Vulnerable

    Products and services included in the Cisco EnergyWise Suite, formerly known as JouleX Energy Manager solutions, are not affected by this vulnerability.

    The Cisco EnergyWise Management for Data Center, Cisco EnergyWise Management for Distributed Office, Cisco EnergyWise Discovery Service, and Cisco EnergyWise Optimization Service are not affected by this vulnerability.

    Cisco IOS XR is not affected by this vulnerability.

    No other Cisco products are currently known to be affected by this vulnerability.

Details

  • Cisco EnergyWise began as a Cisco IOS Software-based protocol used to measure and control the energy use of an enterprise IT network.

    In a Cisco EnergyWise network, EnergyWise monitors and manages the power usage of powered devices in a domain including Cisco networking devices, Power over Ethernet (PoE) endpoints, and endpoints running agents built using the software development kit (SDK).

    A vulnerability in the EnergyWise module of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device.

    The vulnerability is due to improper parsing of crafted EnergyWise packets destined to an affected device. An attacker could exploit this vulnerability by sending a crafted EnergyWise packet to be processed by an affected device. An exploit could allow the attacker to cause a reload of the affected device.

    Both UDP and TCP packets destined to an affected device can be used to exploit this vulnerability. Traffic transiting an affected device cannot be used to exploit this vulnerability.

    Cisco IOS Software and Cisco IOS XE Software support EnergyWise for IP version 4 (IPv4) communication.

    Only IPv4 packets destined to a device configured as an EnergyWise domain member can trigger this vulnerability. IPv6 packets cannot be used to trigger this vulnerability.

    An attacker could exploit this vulnerability using IPv4 packets sent on TCP or UDP port 43440.

    An exploit could cause Cisco IOS and Cisco IOS XE Software to reload, leading to a denial of service (DoS) condition.

    This vulnerability is documented in Cisco bug ID CSCup52101 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2014-3327.

    Protocol and Port Details

    Cisco EnergyWise domain members communicate with other EnergyWise-enabled devices over three independent communication channels:
    • Cisco Discovery Protocol or UDP messages for neighbor discovery
    • TCP packets for management applications
    • TCP packets for control messages sent to EnergyWise-enabled endpoints

    Cisco Discovery Protocol or UDP Messages


    Cisco EnergyWise domain members use Cisco Discovery Protocol when it is enabled or EnergyWise UDP messages to automatically discover neighbors. By default, UDP port 43440 is enabled on an EnergyWise domain member.

    Only packets sent on UDP port 43440 for neighbor discovery can be used to exploit this vulnerability.

    Note: You have the option to change the default UDP port number (43440) that the EnergyWise device will listen to by using the energywise domain domain security shared-secret 0 secret protocol udp port udp-port-number command.

    TCP Packets for Management Applications


    In addition, a domain member may also have a management port configured for the Cisco EnergyWise management API (MAPI). Applications that use the MAPI can connect to the management port configured on a domain member and use that port for communication between the management workstation and domain members.

    The management port is not enabled by default. Administrators can configure this option with the energywise management security shared-secret 0 shared-secret command. The configuration defaults to TCP port 43440.

    If a management port is configured, management packets sent on TCP port 43440 can be used to exploit this vulnerability.

    Note: You have the option to change the TCP port number that the EnergyWise device will listen to for management communication by using the energywise management security shared-secret 0 shared-secret port tcp-port-number command. The default is TCP port 43440.

    TCP Packets for Control Messages


    Cisco EnergyWise domain members can also be configured to send queries and control messages to PoE endpoints and endpoints running agents built using the SDK.

    Domain members and endpoints receive power from an AC or DC power source or a power supply. PoE domain members and endpoints also receive power from PoE switches or Cisco EtherSwitch service modules.

    The Cisco EnergyWise domain member can be configured to communicate with endpoints with the following configuration command: energywise endpoint security shared-secret.

    If configured, EnergyWise endpoint communication uses TCP port 43440. EnergyWise endpoint communication is not enabled by default.

    If EnergyWise endpoint communication is configured, packets from endpoints sent on TCP port 43440 can be used to exploit this vulnerability.

    Note: EnergyWise domain members configured for endpoint communication listen on the same TCP socket used for management. If EnergyWise management functionality is not configured, the default TCP port used for endpoint communication cannot be changed.

Workarounds

Fixed Software

  • When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Cisco IOS Software


    Each row of the following Cisco IOS Software table corresponds to a Cisco IOS Software train. If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release column. Cisco recommends upgrading to the latest available release where possible.

    The Cisco IOS Software Checker allows customers to search for Cisco Security Advisories that address specific Cisco IOS Software releases. This tool is available on the Cisco Security (SIO) portal at http://tools.cisco.com/security/center/selectIOSVersion.x

    Major Release Availability of Repaired Releases
    Affected 12.0-Based Releases First Fixed Release
    There are no affected 12.0 based releases
    Affected 12.2-Based Releases First Fixed Release
    12.2EX Vulnerable; migrate to any release in 12.2SEG
    Releases up to and including 12.2(55)EX2 are not vulnerable.
    12.2EY Vulnerable; migrate to any release in 15.1EY
    Releases up to and including 12.2(55)EY are not vulnerable.
    12.2EZ Releases up to and including 12.2(55)EZ are not vulnerable.
    12.2IRB Not vulnerable
    12.2IRC Not vulnerable
    12.2IRD Not vulnerable
    12.2IRE Not vulnerable
    12.2IRF Not vulnerable
    12.2IRG Not vulnerable
    12.2IRH Not vulnerable
    12.2IRI Not vulnerable
    12.2IXG Not vulnerable
    12.2IXH Not vulnerable
    12.2MC Not vulnerable
    12.2MRA Not vulnerable
    12.2MRB Not vulnerable
    12.2SB Not vulnerable
    12.2SCA Not vulnerable
    12.2SCB Not vulnerable
    12.2SCC Not vulnerable
    12.2SCD Not vulnerable
    12.2SCE Not vulnerable
    12.2SCF Not vulnerable
    12.2SCG Not vulnerable
    12.2SCH Not vulnerable
    12.2SCI Not vulnerable
    12.2SE Releases up to and including 12.2(55)SE9 are not vulnerable.
    12.2SEG Not vulnerable
    12.2SG Not vulnerable
    12.2SGA Not vulnerable
    12.2SM Not vulnerable
    12.2SQ Not vulnerable
    12.2SRA Not vulnerable
    12.2SRB Not vulnerable
    12.2SRC Not vulnerable
    12.2SRD Not vulnerable
    12.2SRE Not vulnerable
    12.2STE Not vulnerable
    12.2SV Not vulnerable
    12.2SVD Not vulnerable
    12.2SVE Not vulnerable
    12.2SW Not vulnerable
    12.2SXF Not vulnerable
    Please see IOS Software Modularity Patch
    12.2SXH Not vulnerable
    Please see IOS Software Modularity Patch
    12.2SXI Not vulnerable
    12.2SXJ Not vulnerable
    12.2SY Not vulnerable
    12.2WO Not vulnerable
    12.2XNA Please see Cisco IOS-XE Software Availability
    12.2XNB Please see Cisco IOS-XE Software Availability
    12.2XNC Please see Cisco IOS-XE Software Availability
    12.2XND Please see Cisco IOS-XE Software Availability
    12.2XNE Please see Cisco IOS-XE Software Availability
    12.2XNF Please see Cisco IOS-XE Software Availability
    12.2XO Not vulnerable
    12.2ZYA Not vulnerable
    Affected 12.3-Based Releases First Fixed Release
    There are no affected 12.3 based releases
    Affected 12.4-Based Releases First Fixed Release
    There are no affected 12.4 based releases
    Affected 15.0-Based Releases First Fixed Release
    15.0EA Not vulnerable
    15.0EB Not vulnerable
    15.0EC Not vulnerable
    15.0ED Vulnerable; First fixed in Release 15.2E
    15.0EH Vulnerable; First fixed in Release 15.2E
    15.0EJ Vulnerable; First fixed in Release 15.2E
    15.0EK Releases prior to 15.0(2)EK1 are vulnerable; Releases 15.0(2)EK1 and later are not vulnerable. First fixed in Release 15.2E
    15.0EX Not vulnerable
    15.0EY Not vulnerable
    15.0EZ Not vulnerable
    15.0M Not vulnerable
    15.0MR Not vulnerable
    15.0S Not vulnerable
    15.0SE Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
    15.0SG Not vulnerable
    15.0SQC Not vulnerable
    15.0SY Not vulnerable
    15.0XA Not vulnerable
    15.0XO Not vulnerable
    Affected 15.1-Based Releases First Fixed Release
    15.1EY Not vulnerable
    15.1GC Not vulnerable
    15.1M Not vulnerable
    15.1MR Not vulnerable
    15.1MRA Not vulnerable
    15.1S Not vulnerable
    15.1SG Vulnerable; First fixed in Release 15.2E
    15.1SNG Not vulnerable
    15.1SNH Not vulnerable
    15.1SNI Not vulnerable
    15.1SY 15.1(1)SY4; Available on 31-OCT-14
    15.1T Not vulnerable
    15.1XO Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
    Affected 15.2-Based Releases First Fixed Release
    15.2E 15.2(3)E; Available on 23-OCT-14
    15.2EA Not vulnerable
    15.2EB Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
    15.2EY Not vulnerable
    15.2GC Not vulnerable
    15.2JA Not vulnerable
    15.2JAC Not vulnerable
    15.2JAX Not vulnerable
    15.2JB Not vulnerable
    15.2JN Not vulnerable
    15.2M Not vulnerable
    15.2S Not vulnerable
    15.2SA Not vulnerable
    15.2SNG Not vulnerable
    15.2SNH Not vulnerable
    15.2SNI Not vulnerable
    15.2T Not vulnerable
    Affected 15.3-Based Releases First Fixed Release
    There are no affected 15.3 based releases
    Affected 15.4-Based Releases First Fixed Release
    15.4CG Not vulnerable
    15.4M Not vulnerable
    15.4S Not vulnerable
    15.4T Not vulnerable

    Cisco IOS XE Software


    Affected Release First Fixed Release
    2.x Not vulnerable
    3.1.xSG Not vulnerable
    3.2.xSG
    		 Not vulnerable
    3.2.xSE
    		 Not vulnerable
    3.2.xSQ
    		 Not vulnerable
    3.2.xXO
    		 Vulnerable
    3.3.xXO Vulnerable
    3.3.xSG
    		 Vulnerable
    3.3.xSQ Not vulnerable
    3.4.xSG Vulnerable
    3.5.xE 3.5.3E
    3.6.xE Vulnerable
    3.2.xS Not vulnerable
    3.3.xS Not vulnerable
    3.4.xS Not vulnerable
    3.5.xS
    		 Not vulnerable
    3.6.xS
    		 Not vulnerable
    3.7.xS
    		 Not vulnerable
    3.8.xS
    		 Not vulnerable
    3.9.xS
    		 Not vulnerable
    3.10.xS
    		 Not vulnerable
    3.11.xS
    		 Not vulnerable
    3.12.xS
    		 Not vulnerable

    For mapping of Cisco IOS XE to Cisco IOS releases, please refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and Cisco IOS XE 3SG Release Notes, available at http://www.cisco.com/en/US/docs/ios/ios_xe/2/release/notes/rnasr21.html#wp2310700,
    http://www.cisco.com/en/US/docs/ios/ios_xe/3/release/notes/asr1k_rn_3s_sys_req.html#wp2999052 and
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_24726.html#wp2570252 respectively.

    Customers with service contracts should contact Cisco support organization per the instructions in the "Obtaining Fixed Software" section of this advisory.

Exploitation and Public Announcements

  • The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

    This vulnerability was found and reported to Cisco by Ayhan Koca and Matthias Luft of ERNW GmbH.

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Action Links for This Advisory

Related to This Advisory

URL

Revision History

  • Revision 1.2 2014-August-20 Added 3.3xXO to the list of vulnerable IOS XE releases. Marked 15.0EX, 15.0EZ, 15.2S, and 15.4S not vulnerable and removed from affected IOS releases.
    Revision 1.1 2014-August-15 Added 3.6xE to the list of vulnerable IOS XE releases.
    Revision 1.0 2014-August-06 Initial public release.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started