Fun stuff! Not really Linux related, but since many of you are on DSL.

> Cisco Security Advisory: More multiple vulnerabilities in CBOS
>
> Revision 1.0
>
> For public release 2001 May 22 08:00 (GMT -0800)
> ______________________________________________________________________
>
> Summary
>
> Multiple vulnerabilities have been identified and fixed in CBOS, an
> operating system for the Cisco 600 family of routers.
>
> * Cisco CBOS Software contains a flaw that permits the successful
>   prediction of TCP Initial Sequence Numbers. It only affects the
>   security of TCP connections that originate or terminate on the
>   affected Cisco device itself; it does not apply to TCP traffic
>   forwarded through the affected device in transit between two other
>   hosts.
>   This vulnerability is documented as Cisco bug ID CSCds16078.
>
> * A Cisco 600 router may stop passing traffic and responding to
>   the console when an ECHO REQUEST packet with the record route
>   option is routed through it.
>   This vulnerability is documented as Cisco bug ID CSCds30150.
>
> * Passwords, exec and enable, are stored in cleartext in the NVRAM.
>   This vulnerability is documented as Cisco bug ID CSCdt04882.
>
> * When multiple, large ECHO REPLY packets are routed through an
>   affected Cisco 600 router, it will enter ROMMON mode and stop
>   passing any further traffic.
>   This vulnerability is documented as Cisco bug ID CSCds74567.
>
> The following releases of CBOS contain all of the mentioned
> vulnerabilities: 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3,
> 2.3.2, 2.3.5, 2.3.7 and 2.3.8.
>
> These vulnerabilities are fixed in the following CBOS releases: 2.3.9,
> 2.4.1 and 2.4.2. Customers are urged to upgrade to releases that are
> not vulnerable as shown in detail in the section Software Versions and
> Fixes below.
>
> This advisory is available at
> http://www.cisco.com/warp/public/707/CBOS-multiple2-pub.html.
>
> Affected Products
>
> The affected models are: 627, 633, 673, 675, 675E, 677, 677i and 678.
>
> These models are vulnerable if they run any of the following, or
> earlier, CBOS releases: 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a,
> 2.3, 2.3.2, 2.3.5, 2.3.7 and 2.3.8.
>
> No other releases of CBOS software are affected by these
> vulnerabilities. No other Cisco products are affected by these
> vulnerabilities.
>
> These vulnerabilities are fixed in the following CBOS releases: 2.3.9,
> 2.4.1 and 2.4.2.
>
> Details
>
> CSCds16078
>
> See also
> http://www.cisco.com/warp/public/707/ios-tcp-isn-random-pub.shtml
>
> TCP sequence numbers are 32-bit integers in the circular range
> of 0 to 4,294,967,295. The host devices at both ends of a TCP
> connection exchange an Initial Sequence Number (ISN) selected
> at random from that range as part of the setup of a new TCP
> connection.
>
> This method provides reasonably good protection against
> accidental receipt of unintended data. However, to guard
> against malicious use, it should not be possible for an
> attacker to infer a particular number in the sequence. If the
> initial sequence number is not chosen randomly or if it is
> incremented in a non-random manner between the initialization
> of subsequent TCP sessions, then it is possible, with varying
> degrees of success, to forge one half of a TCP connection with
> another host in order to gain access to that host, or hijack an
> existing connection between two hosts in order to compromise
> the contents of the TCP connection. To guard against such
> compromises, ISNs should be generated as randomly as possible.
>
> CSCds30150
>
> By sending ICMP ECHO REQUEST packets (ping) with the IP Record
> Route option set it is possible to freeze a Cisco 600 router.
> This can be done either by sending the specially crafted packet
> or by specifying the "-r" option on most ping programs.
>
> The packet should not be destined for the router itself.
>
> CSCdt04882
>
> The exec and enable passwords are stored in cleartext in
> NVRAM. Similarly, they are also stored in cleartext in the
> configuration file if one is stored on a computer. Anyone who
> is in a position to see a router's configuration, either
> directly from the device or in the file on a computer, can
> learn the passwords.
>
> This vulnerability is corrected by storing only an MD5 hash of
> the password in both NVRAM and in the configuration file; the
> plaintext password itself is never retained.
>
> CSCds74567
>
> When multiple ICMP ECHO REPLY packets of non-standard size are
> passed through the affected device, the device will stop passing
> any further traffic. Packets must be larger than the usual size
> (64 bytes), but that can be easily accomplished either by
> crafting packets or by adjusting the response size, either via
> command line or by modifying the program source.
>
> Impact
>
> CSCds16078
>
> Forged packets can be injected into a network from a location
> outside its boundary so that they are trusted as authentic by
> the receiving host, thus resulting in a failure of integrity.
> Such packets could be crafted to gain access or make some other
> modification to the receiving system in order to attain some
> goal, such as gaining unauthorized interactive access to a
> system or compromising stored data. From a position within the
> network where it is possible to receive the return traffic (but
> not necessarily in a position that is directly in the traffic
> path), a greater range of violations is possible. For example,
> the contents of a message could be diverted, modified, and then
> returned to the traffic flow again, causing a failure of
> integrity and a possible failure of confidentiality. NOTE: Any
> compromise using this vulnerability is only possible for TCP
> sessions that originate or terminate on the affected Cisco
> device itself. It does not apply to TCP traffic that is merely
> forwarded through the device.
>
> CSCds30150
>
> It is possible to cause a Denial-of-Service.
>
> CSCdt04882
>
> Anyone who is in a position to see a router's configuration,
> either directly from the device or in the file on a computer,
> can learn the exec and enable passwords. Armed with that
> knowledge, an attacker can log into the device and change the
> router's configuration.
>
> This vulnerability can be even more dangerous if the ISP is
> using the same passwords for all of the devices which it
> manages. Such practice, using the same passwords for multiple
> devices, is strongly discouraged.
>
> CSCds74567
>
> It is possible to cause a Denial-of-Service to many affected
> devices.
>
> Software Versions and Fixes
>
> The following table summarizes the CBOS software releases affected by
> the vulnerabilities described in this notice and scheduled dates on
> which the earliest corresponding fixed releases will be available.
>
> +===========+================+=====================================+
> |           |                |                                     |
> | Release   | Description or |  Availability of Repaired Releases  |
> |           | Platform       |=====================================+
> |           |                |  General Availability (GA)          |
> +===========+================+=====================================+
> | All       | All platforms  | 2.3.9                               |
> | releases  |                | 2001-March-19                       |
> +-----------+----------------+-------------------------------------+
> | All       | All platforms  | 2.4.1                               |
> | releases  |                | 2000-December-11                    |
> +-----------+----------------+-------------------------------------+
> | All       | All platforms  | 2.4.2                               |
> | releases  |                | 2001-May-14                         |
> +===========+================+=====================================+
>
> Obtaining Fixed Software
>
> Cisco is offering free software upgrades to eliminate this
> vulnerability for all affected customers.
>
> Customers with contracts should obtain upgraded software through their
> regular update channels. For most customers, this means that upgrades
> should be obtained via the point-of-sale or, if they possess a Cisco
> Connection Online account, they can download it from the Software
> Center on Cisco's Worldwide Web site at http://www.cisco.com.
>
> Customers without contracts should get their upgrades by contacting
> the Cisco Technical Assistance Center (TAC). TAC contacts are as
> follows:
>
> * +1 800 553 2447 (toll-free from within North America)
> * +1 408 526 7209 (toll call from anywhere in the world)
> * e-mail: tac at cisco.com
>
> Give the URL of this notice as evidence of your entitlement to a
> free upgrade. Free upgrades for non-contract customers must be
> requested through the TAC.
>
> Please do not contact either "psirt at cisco.com" or
> "security-alert at cisco.com" for software upgrades.
>
> Workarounds
>
> CSCds16078
> There is no workaround.
>
> CSCds30150
> There is no workaround.
>
> CSCdt04882
> There is no workaround.
>
> CSCds74567
> There is no workaround.
>
> Exploitation and Public Announcements
>
> Vulnerability CSCds30150 has been made public on the VULN-DEV list.
>
> Although we have not seen public discussion of vulnerability CSCdt04882,
> we understand that it is commonly known among users.
>
> Vulnerability CSCds74567 has been reported to us by a customer.
>
> Status of This Notice: FINAL
>
> This is a final notice. Although Cisco cannot guarantee the accuracy
> of all statements in this notice, all of the facts have been checked
> to the best of our ability. Cisco does not anticipate issuing updated
> versions of this notice unless there is some material change in the
> facts. Should there be a significant change in the facts, Cisco may
> update this notice.
>
> Distribution
>
> This notice will be posted on Cisco's Worldwide Web site at
> http://www.cisco.com/warp/public/707/CBOS-multiple2-pub.html. In
> addition to Worldwide Web posting, a text version of this notice is
> clear-signed with the Cisco PSIRT PGP key and is posted to the
> following e-mail and Usenet news recipients:
>
> * cust-security-announce at cisco.com
> * bugtraq at securityfocus.com
> * first-teams at first.org (includes CERT/CC)
> * cisco at spot.colorado.edu
> * comp.dcom.sys.cisco
> * firewalls at lists.gnac.com
> * Various internal Cisco mailing lists
>
> Future updates of this notice, if any, will be placed on Cisco's
> Worldwide Web server, but may or may not be actively announced on
> mailing lists or newsgroups. Users concerned about this problem are
> encouraged to check the URL given above for any updates.
>
> Revision History
>
> Revision 1.0   2001-May-22 08:00 GMT-0800   Public release
>
> Cisco Security Procedures
>
> Complete information on reporting security vulnerabilities in Cisco
> products, obtaining assistance with security incidents, and
> registering to receive security information from Cisco, is available
> on Cisco's Worldwide Web site at
> http://www.cisco.com/warp/public/707/sec_incident_response.shtml.
> This includes instructions for press inquiries regarding Cisco
> security notices.
> _________________________________________________________________
>
> This notice is Copyright 2000 by Cisco Systems, Inc. This notice may
> be redistributed freely after the release date given at the top of the
> text, provided that redistributed copies are complete and unmodified,
> and include all date and version information.

-- 
Bob Tanner <tanner at real-time.com>   | Phone : (952)943-8700
http://www.mn-linux.org                | Fax   : (952)943-8500
Key fingerprint = 6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9
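An added illustration of the ISN-predictability point the advisory makes under CSCds16078 (example code written for this post, not Cisco's or the advisory's): a small Python audit helper that classifies a sample of Initial Sequence Numbers observed on successive connections to one of your own devices. The ISN samples, the spread metric and the `weak_below` cut-off are constructed assumptions; a real audit would feed it ISNs captured from the device under test.

```python
import statistics

ISN_MODULUS = 1 << 32  # ISNs live in the circular range 0 .. 4,294,967,295


def isn_deltas(isns):
    """Differences between consecutive ISNs, reduced modulo 2^32 so that a
    wrap-around does not show up as one huge negative jump."""
    return [(b - a) % ISN_MODULUS for a, b in zip(isns, isns[1:])]


def isn_spread(isns):
    """Population standard deviation of the deltas. Assumed metric: the
    wider the spread, the larger the window a guesser must search to hit
    the next ISN (nmap reports a similar predictability index)."""
    deltas = isn_deltas(isns)
    return statistics.pstdev(deltas) if len(deltas) > 1 else 0.0


def classify_isns(isns, weak_below=1 << 20):
    """Return 'constant', 'weak' or 'unpredictable' for ISNs taken from
    successive connections to the same device. weak_below is an assumed
    cut-off: deltas that vary by less than about a million leave the next
    ISN inside a small, guessable window."""
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    deltas = isn_deltas(isns)
    if len(set(deltas)) == 1:
        return "constant"  # next ISN = last ISN + fixed step
    if isn_spread(isns) < weak_below:
        return "weak"
    return "unpredictable"


# Constructed samples (not captured from any real device).
LINEAR_ISNS = [0x1000 + 64000 * n for n in range(8)]  # fixed +64000 per connection
JITTERED_ISNS = [0x1000 + 64000 * n + j               # fixed step plus tiny jitter
                 for n, j in enumerate([0, 3, 9, 1, 7, 2, 5, 8])]
RANDOM_ISNS = [0x9A3F1C2E, 0x02B7E5D1, 0xF4C08A77, 0x5D6E1B90,
               0xA1E74F03, 0x3C9D2B68, 0xE85A0F4C, 0x71B3D9A5]

if __name__ == "__main__":
    for name, sample in (("linear", LINEAR_ISNS), ("jittered", JITTERED_ISNS),
                         ("random", RANDOM_ISNS)):
        print(f"{name:9s} spread={isn_spread(sample):.3e} -> {classify_isns(sample)}")
```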