From psirt@cisco.com Sat Mar 27 01:48:17 1999
From: psirt@cisco.com
To: BUGTRAQ@netspace.org
Date: Wed, 24 Mar 1999 19:39:53 -0000
Subject: Cisco security notice: Cisco Catalyst Supervisor Remote Reload

-----BEGIN PGP SIGNED MESSAGE-----

Cisco Catalyst Supervisor Remote Reload

Revision 1.2

For release Wednesday, March 24, 1999, 12:00 PM US/Pacific

Cisco internal use only until release
=================================================================

Summary
=======
A software bug (Cisco bug ID CSCdi74333) allows remote TCP/IP users to cause reloads of Cisco Catalyst LAN switches running Catalyst 5000 supervisor software versions from 1.0 through 2.1(5). The affected software was last shipped with new units in early 1997. In addition to the Catalyst 5xxx series, some, but not all, Catalyst 29xx family switches may run the affected software; see "Who is Affected" for more information.

A similar bug, Cisco bug ID CSCdj71684, exists in the supervisor software for the older, and now discontinued, Catalyst 12xx family, up through software version 4.29.

Fixes are available for both bugs. The fixes have been in the field for some time. Most Catalyst switch users have probably already installed the fixes.

Who Is Affected
===============
The following Cisco Catalyst LAN switch models are affected by this vulnerability--

* The Catalyst 12xx family, running supervisor software versions up to and including 4.29.

* The Catalyst 29xx family (but not the Catalyst 2900XL), running supervisor software versions up to and including 2.1(5), 2.1(501), and 2.1(502). This includes the Catalyst 2901, 2902, and 2903 switches. Catalyst 2926 switches are not affected, because the Catalyst 2926 was not released until after the software fix was made. Catalyst 2900XL switches run unrelated software, and are not affected by this vulnerability.

* The Catalyst 5xxx series (including the Catalyst 55xx family), running supervisor software versions up to and including 2.1(5), 2.1(501), and 2.1(502).

Catalyst 5xxx and 29xx switches running versions 2.1(6) and later are not affected. Catalyst 12xx switches running versions 4.30 and later are not affected.

Some Cisco Catalyst switches include intelligent modules that run software independent of the supervisor software. These modules, which include a variety of media controllers as well as the route switch module (RSM), are not affected.

Fixed software for the Catalyst 5xxx and Catalyst 29xx series began shipping with new switches in mid-1997. Sales of the Catalyst 12xx family were stopped before the release of software version 4.30; if you have not upgraded your software since installing your Catalyst 12xx switch, you are affected by this vulnerability.

The affected Cisco Catalyst LAN switches are rack-mountable units typically found in data centers and cable closets.

Impact
======
A remote attacker who knows how to exploit this vulnerability, and who can make a connection to TCP port 7161 on an affected switch, can cause the supervisor module of that switch to reload. While the supervisor is reloading, the switch will not forward traffic, and the attack will therefore deny service to the equipment attached to the switch. The switch will recover automatically, but repeated attacks can extend the denial of service indefinitely.

Software Details
================
For the Catalyst 29xx and Catalyst 5xxx switches, this vulnerability has Cisco bug ID CSCdi74333. The bug is present in all supervisor software versions through 2.1(5), including the spot fix releases 2.1(501) and 2.1(502). The bug is fixed in 2.1(6) and later versions, including all 2.2, 2.3, and 2.4 versions, and all 3.x, 4.x, and later versions.

For the Catalyst 1200, this vulnerability has Cisco bug ID CSCdj71684. The bug is present in all software versions through 4.29, and is fixed in 4.30 and later versions.

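The version boundaries in "Software Details" are easy to get wrong with a plain numeric comparison, because the spot-fix releases 2.1(501) and 2.1(502) sort after the fixed 2.1(6) yet are still affected. The following Python inventory check is an added example, not part of Cisco's notice; the function names and the sample inventory are constructed, and mapping a model to its family by its leading digits is a simplifying assumption.

```python
import re

# Boundaries below are quoted from the notice; all names are this example's own.
SPOT_FIXES = {(2, 1, 501), (2, 1, 502)}  # still affected, although they sort after 2.1(6)

def parse_version(text):
    """'2.1(5)' -> (2, 1, 5); '4.29' -> (4, 29, 0); anything else raises ValueError."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\((\d+)\))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised supervisor version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def family(model):
    """Map a model name to a family named in the notice, or None if it is not covered."""
    name = model.upper().replace("CATALYST", "").strip()
    if name.startswith(("2926", "2900XL")):  # listed in the notice as not affected
        return None
    # Assumption: the leading digits of the model number identify the family.
    for pattern, fam in ((r"12\d\d", "12xx"), (r"29\d\d", "29xx"), (r"5\d{3}", "5xxx")):
        if re.fullmatch(pattern, name):
            return fam
    return None

def is_affected(model, version):
    fam = family(model)
    if fam is None:
        return False
    v = parse_version(version)
    if fam == "12xx":
        return v[:2] <= (4, 29)  # CSCdj71684: through 4.29, fixed in 4.30
    # CSCdi74333: through 2.1(5) plus the two spot fixes, fixed in 2.1(6)
    return v in SPOT_FIXES or v <= (2, 1, 5)

# Constructed sample inventory: (hostname, model, supervisor version)
INVENTORY = [
    ("sw-core-1", "Catalyst 5000", "2.1(5)"),
    ("sw-core-2", "Catalyst 5505", "2.1(12)"),
    ("sw-lab-1", "Catalyst 2901", "2.1(501)"),
    ("sw-lab-2", "Catalyst 2926", "2.4(1)"),
    ("sw-old-1", "Catalyst 1200", "4.29"),
    ("sw-old-2", "Catalyst 1200", "4.30"),
]

def triage(inventory):
    """Return the hostnames that need the upgrade or the TCP 7161 filter."""
    return [host for host, model, ver in inventory if is_affected(model, ver)]

if __name__ == "__main__":
    print("affected:", triage(INVENTORY))
```
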
Getting Fixed Software
- --------------------
Cisco is offering free software upgrades to remedy this vulnerability for all vulnerable Catalyst 5xxx, Catalyst 29xx, and Catalyst 12xx customers, regardless of contract status. Customers with service contracts may upgrade to any software version. Catalyst 5xxx and Catalyst 29xx customers without contracts may upgrade to any 2.1 version from 2.1(6) onward; 2.1(12) is suggested. Catalyst 12xx customers without contracts may upgrade to version 4.30.

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained via the Software Center on Cisco's Worldwide Web site at http://www.cisco.com.

Customers without contracts should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com

Give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

Workarounds
===========
This vulnerability may be worked around by assigning no IP addresses to affected Cisco Catalyst switches. However, this workaround will have the effect of disabling all remote management of those switches.

Another possible workaround is to use the filtering capabilities of surrounding routers and/or dedicated firewall devices to prevent untrusted hosts from making connections to TCP port 7161 on affected switches.

Exploitation and Public Announcements
=====================================
Cisco knows of no public announcements or discussion of this vulnerability before the date of this notice. Cisco has had no reports of malicious exploitation of this vulnerability.

These bugs were identified and reported by outside companies conducting laboratory testing.

No special tools, and only the most basic of skills, are needed to exploit this vulnerability. It would not be difficult for a person with minimal sophistication to find a way to exploit this vulnerability.

Status of This Notice
=====================
This is a final field notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice.

Distribution
- ----------
This notice will be posted on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/770/cat7161-pub.shtml . In addition to Worldwide Web posting, the initial version of this notice is being sent to the following e-mail and Usenet news recipients:

* cust-security-announce@cisco.com
* bugtraq@netspace.org
* first-teams@first.org (includes CERT/CC)
* Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL given above for any updates.

Acknowledgements
- --------------
Cisco thanks the Internet Security Systems (ISS) X-Force, for independently discovering this matter and bringing it to the attention of Cisco's Product Security Incident Response Team (PSIRT).

The initial report of CSCdi74333 was received before the establishment of the PSIRT, from a customer who has neither requested credit nor given permission to be named in this notice. Cisco security notices do not name or credit third parties without their specific permission.

Revision History
- --------------
Revision 1.0, Initial release candidate version. 17:45 US/Pacific 22-MAR-1999
Revision 1.1, Cosmetic changes. 09:30 US/Pacific 23-MAR-1999
Revision 1.2, Remove erroneous mention of unaffected products. 11:00 US/Pacific 24-MAR-1999

Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/791/sec_incident_response.shtml . This includes instructions for press inquiries regarding Cisco security notices.

- ------------------------------------------------------------------------
This notice is copyright 1999 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.