SecurityvulnsSECURITYVULNS:DOC:96Security Advisory: Cisco IOS Software TELNET Option Handling Vulnerability
Cisco IOS Software TELNET Option Handling Vulnerability
Revision 1.0
For public release Thursday 2000/04/20 at 09:00 AM US/Eastern (UTC-0400).
Summary
A defect in multiple Cisco IOS software versions will cause a Cisco router
to reload unexpectedly when the router is tested for security
vulnerabilities by security scanning software programs. The defect can be
exploited repeatedly to produce a consistent denial of service (DoS) attack.
Customers using the affected Cisco IOS software releases are urged to
upgrade as soon as possible to later versions that are not vulnerable to
this defect. Vulnerable products and releases are listed in detail below.
The security scanner is testing for the presence of two specific
vulnerabilities that affect certain UNIX-based systems. The vulnerabilities
are unrelated to Cisco IOS software and Cisco IOS software is not directly
at risk from them. However, a side-effect of the tests exposes the defect
described in this security advisory, and the router will reload unexpectedly
as soon as it receives any subsequent traffic.
This defect is documented as Cisco Bug ID CSCdm70743.
Affected Products
The following Major Releases of Cisco IOS software are vulnerable to this
defect:
- 11.3AA
- 12.0 releases: 12.0(2) up to and including 12.0(6)
- 12.0(7), except that 12.0(7)S, 12.0(7)T, and 12.0(7)XE are not
vulnerable
Cisco customers running Cisco IOS software versions 11.3, 11.3T, 11.2 or
lower, and 12.0(8) or 12.1 or higher are not affected. Details regarding
specific releases of Cisco IOS software and suggested upgrade paths are
provided below in the section "Software Versions and Fixes".
This vulnerability affects the following Cisco hardware products if they are
running affected software:
- AS5200, AS5300, and AS5800 series access servers
- 7200 and 7500 series routers
- ubr7200 series cable routers
- 7100 series routers
- 3660 series routers
- SC3640 System Controllers (see the explanation below)
- AS5800 series Voice Gateway products
- AccessPath LS-3, TS-3, and VS-3 Access Solutions products
The SC3640 System Controller is a Cisco 3640 router customized to provide
local management of multiple access servers. The Cisco SC3640 binary image
contains the defect and thus is vulnerable if it is possible for the
attacker to telnet to the device. However, the original Cisco 3640 router
does not contain the defect and is not vulnerable to the denial of service
attack described in this notice.
No other Cisco products are affected by this vulnerability.
Description
Software packages are available from various commercial and free sites that
perform automated remote tests for computer security vulnerabilities by
scanning computers on a network for known security flaws. Two security
vulnerabilities associated with several UNIX-based platforms are the subject
of two specific tests that have the same effect on vulnerable Cisco routers.
The scanning program is asserting the Telnet ENVIRON option, #36, before the
router indicates that it is willing to accept it, and this causes the router
to reload unexpectedly.
Impact
The described defect can be used to mount a consistent and repeatable denial
of service (DoS) attack on any vulnerable Cisco product, which may result in
violations of the availability aspects of a customer's security policy. This
defect by itself does not cause the disclosure of confidential information
nor allow unauthorized access.
Software Versions and Fixes
For the affected Cisco IOS software Major Release version shown in the first
column of the table below, customers should upgrade to the known
invulnerable releases listed to the right in the same row. In general,
customers should upgrade to the release in the column furthest to the right
within the same row. For example, any customer running 12.0 "mainline"
(Major Release) should upgrade at least to 12.0(7.1), but preferably to
12.0(8).
Any release not specifically listed in the left-most column below is
unaffected by the vulnerability.
The projected release date is shown with the software release version number
for those releases that are not yet complete or available on CCO.*
An "interim release" is scheduled and contains numerous fixes and occasional
enhancements that carry forward into all later versions.** A "maintenance
release" is a regularly scheduled event that incorporates significant
enhancements and cumulative fixes; it may be the entry point for support of
noteworthy new technology in Cisco IOS software.
==========================================================================
Major Projected Fixed Projected Fixed
Release Description Regular or Interim** Regular Maintenance
Releases Releases
Unaffected Earlier Releases
11.2 and
earlier,
all Multiple releases Unaffected Unaffected
variants
11.3-based Releases
AS5800 support
11.3AA and - 11.3(11a)AA
other dial
platforms
12.0-based Releases
12.0 12.0 mainline 12.0(7.1) 12.0(8)
ISP support: 12.0(6.6)S 12.0(7)S
12.0S 7200, RSP, -------------------------------------------
GSR12000 12.0(7.1)S 12.0(8)S
12.0SC Cable ISP 12.0(6.6)SC1 12.0(8)SC***
support: ubr7200 12.0(7.1)SC or 12.0(9)SC
12.0 new 12.0(6.5)T3
12.0T technology early --------------------- 12.0(7)T
deployment release 12.0(6.5)T4
12.0W 12.0 for Catalyst 12.0(6.5)W5(16.0.9) 12.0(6.5)W5(17),
8500 and LS1010 2000/04/18*
Short-life
release for
12.0XE selected Unavailable 12.0(7)XE1
enterprise
features, 7200 &
7500
Short-life
release for
12.0XJ Dial/Voice, 5200, Unavailable 12.0(4)XJ4
5300, 5800, 2600,
& 3600
12.1-based Releases
12.1 and
later, all Multiple releases Unaffected Unaffected
variants
- All dates are tentative and subject to change
** Interim releases are subjected to less internal testing and verification
than are regular releases, may have serious bugs, and should be installed
with great care.
*** 12.0(8)SC is not vulnerable to this defect, but due to other issues it
is no longer available on CCO as of the date of this notice. Upgrade instead
to 12.0(9)SC.
Obtaining Fixed Software
Cisco is offering free software upgrades to remedy this vulnerability for
all affected customers. Customers with service contracts may upgrade to any
software version. Customers without contracts may upgrade only within a
single row of the table above, except that any available fixed software will
be provided to any customer who can use it and for whom the standard fixed
software is not yet available. Customers may install only the feature sets
they have purchased.
Note that not all fixed software may be available as of the release date of
this notice.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades should
be obtained via the Software Center on Cisco's Worldwide Web site at
http://www.cisco.com/.
Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
- +1 800 553 2447 (toll-free from within North America)
- +1 408 526 7209 (toll call from anywhere in the world)
- e-mail: [email protected]
Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested through
the TAC. Please do not contact either "[email protected]" or
"[email protected]" for software upgrades.
Workarounds
The vulnerability described in this notice can only be exploited if the
Telnet service is configured on the affected system and reachable from the
attacker's computer. The following recommendations provide an interactive
login capability without using the Telnet service, thus mitigating the
threat in lieu of a software upgrade while preserving remote access to the
router for administrative purposes:
- Prevent access using the Telnet service by defining an appropriate
access control list and applying it to the vty line or the router's
interfaces using the "access-group" keyword. Security can be increased
further by restricting both the virtual terminal lines and the router's
physical interfaces with two access-groups, one to control who can
connect to the vtys, and the other on the interfaces to control from
where those connections can be attempted. - Disable Telnet and use SSH (if it is available to you) to connect to
the router for administrative purposes… After "line vty 0 4" in the
router's configuration, add "transport input ssh". This stipulates that
only the SSH protocol may be used for interactive logins to the router.
As of the date of this notice, SSH is only available on certain
products: 7200, 7500, and 12000 series running Cisco IOS software
releases such as 12.0S, 12.1S, and 12.1T. - Disable interactive network logins to the router completely by removing
the "line" command such that virtual consoles are never enabled. Use an
out-of-band method to login to and administer the router such as a
hard-wired console. Consider connecting the console to a terminal
server which itself is only reachable via a separate parallel network
that in turn is restricted by site policy exclusively for
administrative purposes.
The wide variety of customer configurations make it impossible to judge the
effectiveness and relative merits of these workarounds in lieu of a software
upgrade. Customers are cautioned to evaluate these recommendations carefully
with regard to their specific network configurations.
Exploitation and Public Announcements
As of the date of this notice, Cisco knows of no publicity, discussion, nor
reports of malicious exploitation of this specific vulnerability applied
directly against a Cisco product.
The denial of service (DoS) aspect of this vulnerability was reported to
Cisco by several different customers who found it while conducting security
scans of their networks. The defect that causes this vulnerability,
documented in CSCdm70743, was discovered internally by a Cisco development
engineer.
Status of This Notice: FINAL
This is a final field notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all of the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this notice unless there is some material change in the facts. Should there
be a significant change in the facts, Cisco may update this notice. Please
make note of the posting details in the next section and periodically check
for changes.
Notice Distribution
This notice is posted at
http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml.
In addition to posting on the World-Wide Web, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail lists and Usenet newsgroups:
- [email protected]
- [email protected] (includes CERT/CC)
- [email protected]
- [email protected]
- comp.dcom.sys.cisco
- [email protected]
- Various internal Cisco mailing lists
Future updates of this notice, if any, will be placed on Cisco's World-Wide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.
Revision History
1.0 2000/04/20 Initial public release
Cisco Product Security Procedures
The web page at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml describes
how to report security vulnerabilities in Cisco products, obtain assistance
with security incidents, and register to receive product security
information from Cisco. This includes instructions for press inquiries
regarding Cisco Security Advisories and notices. This advisory is Cisco's
complete public statement regarding this vulnerability.
This notice is copyright 2000 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including
all date and version information.
All contents copyright © 1992–2000 Cisco Systems Inc. Important notices.