CISCO bi-annual patch day
With the numerous CISCO vulnerabilities announced today we thought you might appreciate a table summarising the issues.
The table shows that many of the issues have a work around. Unfortunately, typically this is in the form of disabling the functionality which may not be an option for many of you. CISCO uses the CVSS scoring system which relates the score to the core Confidentiality, Integrity and Availability principles. The higher the score the more important the vendor believes the issue is.
|
# |
Impact/CVE(s) |
Exploit |
Cisco Rating |
Workaround/Fix |
ISC Rating* |
|
|
Base |
Temp |
|||||
|
The Cisco IOS Intrusion Prevention System (IPS) feature contains a vulnerability in the processing of certain IPS signatures that use the SERVICE.DNS engine. This vulnerability may cause a router to crash or hang, resulting in a denial of service condition. |
||||||
|
IOS IPS |
none known |
7.8 |
6.4 |
Y/Y |
Critical |
|
|
Handler Comments CISCO IDS is not affected |
||||||
|
A Cisco IOS device may crash while processing an SSL packet. This can happen during the termination of an SSL-based session. The offending packet is not malformed and is normally received as part of the packet exchange. Disable services (secure-server, webvpn, or OSP settlement) Limit exposure via ACL |
||||||
|
IOS SSL CVE-2008-3798 |
none Known |
7.8 |
6.4 |
Y/Y |
Critical |
|
|
Handler Comments This affects managed using SSL as well. The workaround will disable this. |
||||||
|
Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS that can be exploited remotely to trigger a memory leak or to cause a reload of the IOS device. Disable services if not needed or limit exposure via ACL |
||||||
|
DOS |
none known |
7.8 |
6.4 |
Y/Y |
Important |
|
|
Handler Comments SIP can use UDP -> the src_IP is spoofable which may negate the effects of an ACL intended to limit your exposure. |
||||||
|
Cisco Unified Communications Manager, formerly Cisco Unified CallManager, contains two denial of service (DoS) vulnerabilities in the Session Initiation Protocol (SIP) service. An exploit of these vulnerabilities may cause an interruption in voice services. |
||||||
|
DOS |
None known |
7.1
7.8 |
5.9
6.4 |
Y/Y |
Critical |
|
|
Handler Comments SIP can use UDP -> the src_IP is spoofable which may negate the effects of an ACL intended to limit your exposure. Can be triggered with valid SIP msgs. CUCM Versions > 5.x have SIP enabled by default and it can not be disabled. |
||||||
|
Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs |
||||||
|
Data Leak |
none known |
5.1 |
4.3 |
Y/Y |
Important |
|
|
Handler Comments A bug exists when processing extended communities with MPLS VPNs. If extended communities are used, MPLS VPN may incorrectly use a corrupted route target (RT) to forward traffic. If this occurs, traffic can leak from one MPLS VPN to another |
||||||
|
Cisco IOS Software Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) is vulnerable to a Denial of Service (DoS) attack from specially crafted packets. Only the MFI is affected by this vulnerability. Older Label Forwarding Information Base (LFIB) implementation, which is replaced by MFI, is not affected. |
||||||
|
DOS |
None known |
7.8 |
6.4 |
N/Y |
Critical |
|
|
Handler Comments An attacker needs to have access to the MPLS network through an MPLS-enabled interface. MPLS packets are dropped on interfaces that are not configured for MPLS. No workaround. |
||||||
|
cisco-sa-20080924-ipc |
Cisco 10000, uBR10012 and uBR7200 series devices use a User Datagram Protocol (UDP) based Inter-Process Communication (IPC) channel that is externally reachable. An attacker could exploit this vulnerability to cause a denial of service (DoS) condition on affected devices. Filter packets that are sent to 127.0.0.0/8 and towards UDP port 1975 |
|||||
|
DOS |
None known |
8.5 |
7 |
Y/Y |
Critical |
|
|
Handler Comments An attacker needs to get a packet with destination address in the 127./8 range to the router which implies directly connected or use of a default route. |
||||||
|
Cisco uBR10012 series devices automatically enable Simple Network Management Protocol (SNMP) read/write access to the device if configured for linecard redundancy. This can be exploited by an attacker to gain complete control of the device Change Community String |
||||||
|
DOS |
None known |
10 |
8.3 |
Y/Y |
PATCH NOW |
|
|
Handler Comments When linecard redundancy is enabled on a Cisco uBR10012 series device, SNMP is also automatically enabled with a default community string of private that has read/write privileges. Since there are no access restrictions on this community string, it may be exploited by an attacker to gain complete control of the device. SNMP can use UDP -> the src_IP is spoofable which may negate the effects of an ACL intended to limit your exposure. |
||||||
|
Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition Specify trusted PIM neighbors AND/or enable infrastructure acls to limit exposure |
||||||
|
DOS |
none known |
7.8 |
6.4 |
Y/Y |
PATCH NOW |
|
|
Handler Comments PIM src_IP is spoofable which may negate the effects of an ACL intended to limit your exposure |
||||||
|
A series of segmented Skinny Call Control Protocol (SCCP) messages may cause a Cisco IOS device that is configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to reload. |
||||||
|
DOS |
None known |
7.8 |
6.4 |
Y/Y |
PATCH NOW |
|
|
Handler Comments Infrastructure acls and on device acl’s should be viable mitigations but are not mentioned in the cisco advisory. Moving the port from the default of 2000 would also make this a bit harder to exploit. You would need to modify the port on both the call manager and the IOS device supporting sccp. |
||||||
|
Cisco IOS software configured for IOS firewall Application Inspection Control (AIC) with a HTTP configured application-specific policy are vulnerable to a Denial of Service when processing a specific malformed HTTP transit packet. Successful exploitation of the vulnerability may result in a reload of the affected device. |
||||||
|
DOS |
None known |
7.8 |
6.4 |
N/Y |
PATCH NOW |
|
|
Handler Comments No workaround other than disabling HTTP Deep Packet Inspection |
||||||
|
Several features enable the L2TP mgmt daemon process within Cisco IOS software, including but not limited to Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP) and Cisco Virtual Private Dial-Up Networks (VPDN). Once this process is enabled the device is vulnerable. Enable infrastructure acls to limit exposure |
||||||
|
DOS |
None known |
7.8 |
6.4 |
Y/Y |
Critical |
|
|
Handler Comments L2TP can use UDP -> the src_IP is spoofable which may negate the effects of an ACL intended to limit your exposure. |
||||||
(*): ISC rating
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
- Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
- All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
Happy Patching
Don & Mark
Comments