Packet Storm: PACKETSTORM:12104
History: Aug 17, 1999 - 12:00 a.m.

cisco.catalyst.switches.txt

Packet Storm
packetstormsecurity.com
`Date: Wed, 24 Mar 1999 19:39:53 -0000  
From: [email protected]  
To: [email protected]  
Subject: Cisco security notice: Cisco Catalyst Supervisor Remote Reload  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
Cisco Catalyst Supervisor Remote Reload  
  
Revision 1.2  
For release Wednesday, March 24, 1999, 12:00 PM US/Pacific  
  
Cisco internal use only until release  
=================================================================  
  
Summary  
=======  
A software bug (Cisco bug ID CSCdi74333) allows remote TCP/IP users to cause  
reloads of Cisco Catalyst LAN switches running Catalyst 5000 supervisor  
software versions from 1.0 through 2.1(5). The affected software was last  
shipped with new units in early 1997. In addition to the Catalyst 5xxx  
series, some, but not all, Catalyst 29xx family switches may run the  
affected software; see "Who is Affected" for more information.  
  
A similar bug, Cisco bug ID CSCdj71684, exists in the supervisor software  
for the older, and now discontinued, Catalyst 12xx family, up through  
software version 4.29.  
  
Fixes are available for both bugs. The fixes have been in the field for some  
time. Most Catalyst switch users have probably already installed the fixes.  
  
Who Is Affected  
===============  
The following Cisco Catalyst LAN switch models are affected by this  
vulnerability--  
  
* The Catalyst 12xx family, running supervisor software versions up to  
and including 4.29.  
* The Catalyst 29xx family (but not the Catalyst 2900XL), running  
supervisor software versions up to and including 2.1(5), 2.1(501), and  
2.1(502). This includes the Catalyst 2901, 2902, and 2903 switches.  
Catalyst 2926 switches are not affected, because the Catalyst 2926 was  
not released until after the software fix was made. Catalyst 2900XL  
switches run unrelated software, and are not affected by this  
vulnerability.  
* The Catalyst 5xxx series (including the Catalyst 55xx family), running  
supervisor software versions up to and including 2.1(5), 2.1(501), and  
2.1(502).  
  
Catalyst 5xxx and 29xx switches running versions 2.1(6) and later are not  
affected. Catalyst 12xx switches running versions 4.30 and later are not  
affected. Some Cisco Catalyst switches include intelligent modules that run  
software independent of the supervisor software. These modules, which  
include a variety of media controllers as well as the route switch module  
(RSM), are not affected.  
  
Fixed software for the Catalyst 5xxx and Catalyst 29xx series began shipping  
with new switches in mid-1997. Sales of the Catalyst 12xx family were  
stopped before the release of software version 4.30; if you have not  
upgraded your software since installing your Catalyst 12xx switch, you are  
affected by this vulnerability.  
  
The affected Cisco Catalyst LAN switches are rack-mountable units typically  
found in data centers and cable closets.  
  
Impact  
======  
A remote attacker who knows how to exploit this vulnerability, and who can  
make a connection to TCP port 7161 on an affected switch, can cause the  
supervisor module of that switch to reload. While the supervisor is  
reloading, the switch will not forward traffic, and the attack will  
therefore deny service to the equipment attached to the switch. The switch  
will recover automatically, but repeated attacks can extend the denial of  
service indefinitely.  
  
Software Details  
================  
For the Catalyst 29xx and Catalyst 5xxx switches, this vulnerability has  
Cisco bug ID CSCdi74333. The bug is present in all supervisor software  
versions through 2.1(5), including the spot fix releases 2.1(501) and  
2.1(502). The bug is fixed in 2.1(6) and later versions, including all 2.2,  
2.3, and 2.4 versions, and all 3.x, 4.x, and later versions.  
  
For the Catalyst 1200, this vulnerability has Cisco bug ID CSCdj71684. The  
bug is present in all software versions through 4.29, and is fixed in 4.30  
and later versions.  
  
Getting Fixed Software  
- --------------------  
Cisco is offering free software upgrades to remedy this vulnerability for  
all vulnerable Catalyst 5xxx, Catalyst 29xx, and Catalyst 12xx customers,  
regardless of contract status. Customers with service contracts may upgrade  
to any software version. Catalyst 5xxx and Catalyst 29xx customers without  
contracts may upgrade to any 2.1 version from 2.1(6) onward; 2.1(12)  
is suggested. Catalyst 12xx customers without contracts may upgrade to  
version 4.30.  
  
Customers with contracts should obtain upgraded software through their  
regular update channels. For most customers, this means that upgrades should  
be obtained via the Software Center on Cisco's Worldwide Web site at  
http://www.cisco.com.  
  
Customers without contracts should get their upgrades by contacting the  
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:  
  
* +1 800 553 2447 (toll-free from within North America)  
* +1 408 526 7209 (toll call from anywhere in the world)  
* e-mail: [email protected]  
  
Give the URL of this notice as evidence of your entitlement to a free  
upgrade. Free upgrades for non-contract customers must be requested through  
the TAC. Please do not contact either "[email protected]" or  
"[email protected]" for software upgrades.  
  
Workarounds  
===========  
This vulnerability may be worked around by assigning no IP addresses to  
affected Cisco Catalyst switches. However, this workaround will have the  
effect of disabling all remote management of those switches.  
  
Another possible workaround is to use the filtering capabilities of  
surrounding routers and/or dedicated firewall devices to prevent untrusted  
hosts from making connections to TCP port 7161 on affected switches.  
  
Exploitation and Public Announcements  
=====================================  
Cisco knows of no public announcements or discussion of this vulnerability  
before the date of this notice. Cisco has had no reports of malicious  
exploitation of this vulnerability. These bugs were identified and reported  
by outside companies conducting laboratory testing.  
  
No special tools, and only the most basic of skills, are needed to exploit  
this vulnerability. It would not be difficult for a person with minimal  
sophistication to find a way to exploit this vulnerability.  
  
Status of This Notice  
=====================  
This is a final field notice. Although Cisco cannot guarantee the accuracy  
of all statements in this notice, all of the facts have been checked to the  
best of our ability. Cisco does not anticipate issuing updated versions of  
this notice unless there is some material change in the facts. Should there  
be a significant change in the facts, Cisco may update this notice.  
  
Distribution  
- ----------  
This notice will be posted on Cisco's Worldwide Web site at  
http://www.cisco.com/warp/public/770/cat7161-pub.shtml . In addition to  
Worldwide Web posting, the initial version of this notice is being sent to  
the following e-mail and Usenet news recipients:  
  
* [email protected]  
* [email protected]  
* [email protected] (includes CERT/CC)  
* Various internal Cisco mailing lists  
  
Future updates of this notice, if any, will be placed on Cisco's Worldwide  
Web server, but may or may not be actively announced on mailing lists or  
newsgroups. Users concerned about this problem are encouraged to check the  
URL given above for any updates.  
  
Acknowledgements  
- --------------  
Cisco thanks the Internet Security Systems (ISS) X-Force, for independently  
discovering this matter and bringing it to the attention of Cisco's Product  
Security Incident Response Team (PSIRT).  
  
The initial report of CSCdi74333 was received before the establishment of  
the PSIRT, from a customer who has neither requested credit nor given  
permission to be named in this notice. Cisco security notices do not name or  
credit third parties without their specific permission.  
  
Revision History  
- --------------  
Revision 1.0, Initial release candidate version  
17:45 US/Pacific  
22-MAR-1999  
  
Revision 1.1, Cosmetic changes  
09:30 US/Pacific  
23-MAR-1999  
  
Revision 1.2, Remove erroneous mention of unaffected products.  
11:00 US/Pacific  
24-MAR-1999  
  
Cisco Security Procedures  
=========================  
Complete information on reporting security vulnerabilities in Cisco  
products, obtaining assistance with security incidents, and registering to  
receive security information from Cisco, is available on Cisco's Worldwide  
Web site at http://www.cisco.com/warp/public/791/sec_incident_response.shtml .  
This includes instructions for press inquiries regarding Cisco security  
notices.  
  
- ------------------------------------------------------------------------  
This notice is copyright 1999 by Cisco Systems, Inc. This notice may be  
redistributed freely after the release date given at the top of the text,  
provided that redistributed copies are complete and unmodified, including  
all date and version information.  
- ------------------------------------------------------------------------  
  
-----BEGIN PGP SIGNATURE-----  
Version: Big secret  
  
-----END PGP SIGNATURE-----  
  
--------------------------------------------------------------------------  
  
Date: Wed, 24 Mar 1999 11:46:38 -0500  
From: X-Force <[email protected]>  
To: [email protected]  
Subject: ISS Security Advisory: Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet Switches  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
ISS Security Advisory  
March 24, 1999  
  
  
Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet  
Switches  
  
Internet Security Systems (ISS) X-Force has discovered several  
vulnerabilities in Cisco Catalyst Series Ethernet Switches running the Cisco  
fixed configuration switch software. Cisco Catalyst switches are commonly  
used in high volume production environments supporting high-end servers and  
"virtual LAN" configurations.  
  
  
Affected Models:  
  
Catalyst 1200, 2900, 5000, and 5500 series switches are affected. The  
Catalyst 2900XL and Catalyst 2926 are not affected.  
  
  
Vulnerable Software Versions:  
  
Catalyst 1200 family supervisor software versions up to and including 4.29  
are vulnerable.  
  
Catalyst 2900 family supervisor software revisions up to and including  
2.1(5) are vulnerable.  
  
Catalyst 5000 and 5500 family supervisor software revisions up to and  
including 2.1(5) are vulnerable.  
  
For the 2900, 5000, and 5500 series, minor revisions 2.1(501) and 2.1(502)  
are also vulnerable.  
  
  
Recommendations:  
  
Upgrade your switch to the most recent version of the Catalyst switch  
software, or any version that is not vulnerable. All affected users are  
urged to review the "For More Information" section of this advisory.  
  
Free fixes are available from Cisco Systems. Service contract customers can  
download new versions of switch software at:  
  
http://www.cisco.com/kobayashi/sw-center/sw-switching.shtml  
  
Non-contract customers should contact the Cisco Technical Assistance Center  
(TAC). TAC contacts are:  
  
* +1 800 553 2447 (toll-free from within North America)  
* +1 408 526 7209 (toll call from anywhere in the world)  
* e-mail: [email protected]  
  
An immediate workaround involves removing the IP address from the vulnerable  
switch hardware. This workaround has the negative effect of disabling remote  
management of the switch.  
  
ISS X-Force recommends that border routers and firewalls are configured to  
block all traffic to the vulnerable switches from untrusted sources.  
  
  
Description:  
  
The Cisco Catalyst 5000 Series Ethernet Switches run fixed configuration  
switch software. This software operates an undocumented TCP service. Sending  
a carriage return character to this port causes the switch to immediately  
reset. An attacker may repeat this action indefinitely, causing a denial of  
network services. The switch software does not provide any IP filtering  
options to prevent this type of attack.  
  
Credits:  
These vulnerabilities were primarily researched by Josh Sierles and Chris  
Stach of the ISS X-Force. ISS appreciates the assistance of the individuals  
at Cisco Systems.  
  
  
For more information:  
  
Cisco's public advisory including detailed fix and support information is  
located at: http://www.cisco.com/warp/public/770/cat7161-pub.shtml  
  
Documentation on Cisco Catalyst switches is available at:  
http://www.cisco.com/univercd/cc/td/doc/product/lan/index.htm  
  
___________  
  
Copyright (c) 1999 by Internet Security Systems, Inc.  
  
Permission is hereby granted for the redistribution of this alert  
electronically. It is not to be edited in any way without express  
consent of X-Force. If you wish to reprint the whole or any part of this  
alert in any other medium excluding electronic medium, please e-mail  
[email protected] for permission.  
  
Disclaimer:  
  
The information within this paper may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There  
are NO warranties with regard to this information. In no event shall the  
author be liable for any damages whatsoever arising out of or in  
connection with the use or spread of this information. Any use of this  
information is at the user's own risk.  
  
X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html,  
as well as on MIT's PGP key server and PGP.com's key server.  
  
X-Force Vulnerability and Threat Database: http://www.iss.net/xforce  
  
Please send suggestions, updates, and comments to: X-Force  
<[email protected]> of Internet Security Systems, Inc.  
  
-----BEGIN PGP SIGNATURE-----  
Version: 2.6.3a  
Charset: noconv  
  
-----END PGP SIGNATURE-----  
  
`
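
The affected-version rules in the Cisco notice ("Who Is Affected" and "Software Details") applied to a switch inventory, as an added example that is not part of either advisory or any Cisco tooling. It shows why a plain numeric comparison is not enough: the spot-fix releases 2.1(501) and 2.1(502) sort after the fixed 2.1(6) but are still vulnerable. The hostnames, inventory rows and function names are constructed for illustration, and treating any model with an XL suffix as part of the 2900XL line is an assumption.

```python
import re

# Spot-fix releases the notice lists as still vulnerable, although they sort after 2.1(6).
SPOT_FIXES = {(2, 1, 501), (2, 1, 502)}

def parse_version(text):
    """'2.1(5)' -> (2, 1, 5); '4.30' -> (4, 30). The minor is an integer, not a decimal."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\((\d+)\))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised supervisor version: {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)

def classify(model, version):
    """Return 'vulnerable', 'fixed', 'unaffected-model' or 'not-covered' per the notice."""
    m = re.search(r"(\d{4})\s*(XL)?", model, re.IGNORECASE)
    if not m:
        return "not-covered"
    number, xl = m.group(1), m.group(2)
    # Catalyst 2900XL runs unrelated software; the 2926 shipped after the fix.
    # Assumption: any model with an XL suffix belongs to the 2900XL line.
    if xl or number == "2926":
        return "unaffected-model"
    v = parse_version(version)
    if number.startswith("12"):              # Catalyst 12xx, CSCdj71684
        return "vulnerable" if v <= (4, 29) else "fixed"
    if number.startswith(("29", "5")):       # Catalyst 29xx / 5xxx / 55xx, CSCdi74333
        return "vulnerable" if v <= (2, 1, 5) or v in SPOT_FIXES else "fixed"
    return "not-covered"

def triage(inventory):
    """Hostnames that still need the upgrade or the TCP port 7161 filter."""
    return [host for host, model, ver in inventory
            if classify(model, ver) == "vulnerable"]

# Constructed inventory rows: (hostname, model, supervisor software version).
INVENTORY = [
    ("sw-core-1", "Catalyst 5505", "2.1(5)"),
    ("sw-core-2", "Catalyst 5000", "2.1(502)"),    # spot fix, still vulnerable
    ("sw-core-3", "Catalyst 5500", "2.1(12)"),
    ("sw-edge-1", "Catalyst 2901", "2.1(6)"),
    ("sw-edge-2", "Catalyst 2926", "3.1(1)"),
    ("sw-edge-3", "Catalyst 2924XL", "11.2(8)SA"),  # unrelated software, never parsed
    ("sw-old-1", "Catalyst 1200", "4.29"),
    ("sw-old-2", "Catalyst 1200", "4.30"),
]

if __name__ == "__main__":
    for host, model, ver in INVENTORY:
        print(f"{host:10} {model:16} {ver:10} {classify(model, ver)}")
```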