From psirt-support@cisco.com Sun Feb 17 16:52:04 2002
From: Cisco Systems Product Security Incident Response Team
To: jericho@attrition.org
Date: Thu, 14 Feb 2002 19:43:27 -0800
Reply-To: psirt@cisco.com
Subject: Cisco Security Advisory: Malformed SNMP Message-Handling Vulnerabilities

Due to technical difficulties, you might not have received the original
posting of this security advisory. We apologize if you have received this
message twice. Page one of two of today's updated advisory is enclosed. The
second page is enclosed in a separate e-mail message.

-----BEGIN PGP SIGNED MESSAGE-----

Cisco Security Advisory: Malformed SNMP Message-Handling Vulnerabilities

Revision 1.3

For Public Release 2002 February 12 20:00 GMT
Last Updated 2002 February 14

- -------------------------------------------------------------------------------

Summary

Multiple Cisco products contain vulnerabilities in the processing of Simple
Network Management Protocol (SNMP) messages. The vulnerabilities can be
repeatedly exploited to produce a denial of service. In most cases,
workarounds are available that may mitigate the impact. These vulnerabilities
are identified by various groups as VU#617947, VU#107186, OUSPG #0100,
CAN-2002-0012, and CAN-2002-0013.

This advisory is available at
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml.

Products Affected

This security advisory applies to a broad range of Cisco products. To
determine if a product is vulnerable, review the list below. If software
versions or configuration information are included, then only those
combinations are affected (or unaffected). If the product or series is listed
without any qualifying software version information, then consult the
Software Versions and Fixes section to determine if the product is running an
affected version of software. Additional information per product is provided
in the Details and Workarounds sections below.

The following Cisco products are vulnerable if they are running an affected
version of software:

  * 800, 1000, 1005, 1400, 1600, 1700, 2500, 2600, 3600, MC3810, 4000, 4500,
    4700, 6200, 6400 NRP, 6400 NSP series Cisco routers
  * ubr900 and ubr920 universal broadband routers
  * Catalyst 1500, 290x, 292x, 2900XL, 2948g, 2948g-l3, 2950, 3000, 3200,
    3500XL, 3550, 4000, 4232, 4232-l3, 4840g, 4908g-l3, 4912g, 5000, 6000
    MSFC series switches
  * AS5200, AS5300, AS5350, AS5400, AS5800, and AS5850 series access servers
  * Catalyst 6000 MSM, 6000 Hybrid Mode, 6000 Native Mode, 6000 Supervisor
    Module, Catalyst ATM Blade, Catalyst 6000 Network Analysis Module (NAM)
  * RSM, 7000, 7010, 7100, 7200, ubr7200, 7300, 7400, 7500, 7600, 10700,
    10000 ESR, and 12000 Series Internet Cisco routers
  * Lightstream 1010 ATM switches
  * DistributedDirector
  * Catalyst 8510CSR, 8510MSR, 8540CSR, 8540MSR series switches
  * BPX, IGX, MGX WAN switches, and the Service Expansion Shelf
  * WAN Manager
  * Cisco Secure PIX firewall
  * CallManager (uses Microsoft SNMP)
  * Unity Server (uses Microsoft SNMP)
  * Cisco Secure Intrusion Detection System (NetRanger) appliance and IDS
    Module
  * BR340, WGB340, AP340, AP350, BR350 Cisco/Aironet wireless products
  * CSS11000 (Arrowpoint) Content Services Switch
  * Cache Engine 505 and 570 running 2.3 or 2.5
  * Content Engine 507, 560, 590, and 7320 running 3.1, 4.0.1, or 4.0.3
  * Content Router 4430 and Content Delivery Manager 4630 and 4650 running
    4.0
  * LocalDirector
  * Internet CDN Content Engine 590 and 7320, Content Distribution Manager
    4670, and Content Router 4450 running ICDN software 1.0, 2.0, 2.1.0
  * VPN3000 (Altiga) VPN Concentrator
  * Access Registrar (uses Solaris SNMP)
  * Cisco ws-x6608 and ws-x6624 IP Telephony Modules
  * Traffic Director
  * Cisco Info Center
  * Switch Probe
  * CiscoWorks Windows
  * Hosting Solution Engine
  * User Registration Tool VLAN Policy Server
  * Cisco Element Management Framework

Products Not Affected

The following Cisco products are not affected by this vulnerability in the
specified configuration, either because they do not contain the associated
defect or because they do not support SNMP. If software version information
is provided, then only that specific combination of product and software
version is not vulnerable.

  * Catalyst 1900s switch
  * FastHub 300 Ethernet repeater
  * Cache Engine 505 and 570 running versions 2.3 or 2.5.x
  * Content Engine 507, 560 and 590 running versions 2.3 or 2.5.x
  * Content Engine 507 and 560, Content Router 4430 and Content Delivery
    Manager 4630 and 4650 running E-CDN 3.0.x
  * CR-4430-B running Content Router software
  * IP/TV
  * Device Fault Manager
  * ME1100 series
  * Voice Manager
  * RTM
  * IP Phone (all models)
  * SN5400 series storage routers
  * VPN5000 VPN Concentrator

No other Cisco product is known to be affected by this vulnerability.

Details

Simple Network Management Protocol (SNMP) defines a standard mechanism for
remote management and monitoring of devices in an Internet Protocol (IP)
network.

There are three types of SNMP messages: "get" requests to request
information, "set" requests which modify the configuration of the remote
device, and "trap" messages which provide a monitoring function.

An Object Identifier (OID) is the label employed by SNMP to uniquely specify
an item to be managed. OIDs in human-readable format are displayed as long
strings of decimal integers separated by periods, but they are packed into a
more efficient binary form for use within SNMP.

The largest group of vulnerabilities described in this advisory results from
insufficient checking of SNMP messages as they are received and processed by
an affected system. Malformed SNMP messages received by affected systems can
cause various parsing and processing functions to fail, resulting in a system
crash and a reload in most circumstances. Under some conditions, the affected
device cannot reload.
In a specific combination with an unrelated software defect, the device
reloads continuously and requires manual intervention to resume normal
operation.

These vulnerabilities can be easily and repeatedly demonstrated with the use
of the University of Oulu Secure Programming Group (OUSPG) "PROTOS" Test
Suite for SNMP. The test suite is generally used to analyze a protocol and
produce messages that probe various design limits within an implementation of
a protocol. Examples such as overly-long OIDs, malformed OIDs, and other
combinations of values appropriate to SNMP can be programmatically generated
and then transmitted to a network device under test. The test suite for SNMP,
as distributed, contains approximately 53,000 individual test cases. The
authors intend to make the SNMP test suite available to the public at the
same time that this advisory is published.

With regard to the CERT advisory references to Cisco SNMP on port 1993, this
has not been enabled in Cisco IOS software versions since 11.0, and appears
to be an erroneous report at this time. Port 1993 was previously used for
TCP-based SNMP.

Impact

The vulnerability can be exploited to produce a Denial of Service (DoS)
attack. When the vulnerability is exploited, it can cause an affected Cisco
product to crash and reload.

SNMP messages are transported using User Datagram Protocol (UDP) and are
subject to IP source address spoofing. In any circumstance where ingress and
egress source IP address filtering is lacking, it is more likely that an
attacker could spoof the source IP address and circumvent access control
mechanisms to cause a vulnerable system to fail.

If an attacker is able to guess or otherwise obtain a read-only community
string for an affected device, then he or she could bypass SNMP access
control relying on the community string.
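
The insufficient checking described under Details comes down to trusting the
length and continuation fields carried inside a message. The C decoder below
for a BER-encoded OBJECT IDENTIFIER shows the checks a receiver needs; it is
an added example, not Cisco code and not part of the advisory, and the names
oid_decode, put_arc, the status codes and the sample byte strings are
constructed for illustration.

```c
/* Added example: bounds-checked decoder for one BER OBJECT IDENTIFIER TLV. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OID_MAX_ARCS 128 /* SNMP (RFC 2578) caps an OID at 128 sub-identifiers */

enum oid_status {
    OID_OK = 0,
    OID_ERR_TRUNCATED, /* header or declared content runs past the buffer */
    OID_ERR_TAG,       /* not an OBJECT IDENTIFIER (tag 0x06) */
    OID_ERR_LENGTH,    /* indefinite or oversized length field */
    OID_ERR_ENCODING,  /* empty, padded or unterminated sub-identifier */
    OID_ERR_OVERFLOW,  /* sub-identifier does not fit in 32 bits */
    OID_ERR_TOO_LONG   /* more arcs than the caller's array or the SNMP cap */
};

/* Store one arc, refusing to write past the caller's array. */
static int put_arc(uint32_t *arcs, size_t max_arcs, size_t *n, uint32_t v)
{
    if (*n >= max_arcs || *n >= OID_MAX_ARCS)
        return OID_ERR_TOO_LONG;
    arcs[(*n)++] = v;
    return OID_OK;
}

/* Decode the TLV at buf[0..len). Outputs are written only on OID_OK. */
int oid_decode(const uint8_t *buf, size_t len, uint32_t *arcs, size_t max_arcs,
               size_t *n_arcs, size_t *consumed)
{
    size_t hdr = 2, clen, i, n = 0;
    uint32_t val = 0;
    int in_subid = 0, first = 1, rc;

    if (len < 2) return OID_ERR_TRUNCATED;
    if (buf[0] != 0x06) return OID_ERR_TAG;

    if (buf[1] < 0x80) {                 /* short-form length */
        clen = buf[1];
    } else {                             /* long form: next nlen bytes hold it */
        size_t nlen = buf[1] & 0x7f;
        /* 0 = indefinite; more than 2 cannot fit in a UDP datagram */
        if (nlen == 0 || nlen > 2) return OID_ERR_LENGTH;
        if (len < 2 + nlen) return OID_ERR_TRUNCATED;
        for (clen = 0, i = 0; i < nlen; i++)
            clen = (clen << 8) | buf[2 + i];
        hdr += nlen;
    }
    if (clen == 0) return OID_ERR_ENCODING;
    /* The declared length is attacker-controlled: check it against the buffer. */
    if (clen > len - hdr) return OID_ERR_TRUNCATED;

    for (i = 0; i < clen; i++) {
        uint8_t b = buf[hdr + i];
        if (!in_subid && b == 0x80) return OID_ERR_ENCODING; /* leading padding */
        if (val > (UINT32_MAX >> 7)) return OID_ERR_OVERFLOW;
        val = (val << 7) | (b & 0x7f);
        in_subid = (b & 0x80) != 0;      /* high bit set: more bytes follow */
        if (in_subid) continue;
        if (first) {                     /* first sub-identifier packs two arcs */
            uint32_t top = val < 40 ? 0 : (val < 80 ? 1 : 2);
            if ((rc = put_arc(arcs, max_arcs, &n, top)) != OID_OK) return rc;
            val -= top * 40;
            first = 0;
        }
        if ((rc = put_arc(arcs, max_arcs, &n, val)) != OID_OK) return rc;
        val = 0;
    }
    if (in_subid) return OID_ERR_ENCODING; /* content ended mid sub-identifier */
    *n_arcs = n;
    *consumed = hdr + clen;
    return OID_OK;
}

int main(void)
{
    /* Constructed sample: 1.3.6.1.2.1.1.1.0 (sysDescr.0) as a BER TLV. */
    static const uint8_t good[] = {0x06, 0x08, 0x2B, 0x06, 0x01,
                                   0x02, 0x01, 0x01, 0x01, 0x00};
    /* Constructed malformed sample: length byte claims 127 content bytes. */
    static const uint8_t bad[] = {0x06, 0x7F, 0x2B, 0x06};
    uint32_t arcs[OID_MAX_ARCS];
    size_t n = 0, used = 0, i;
    int rc = oid_decode(good, sizeof good, arcs, OID_MAX_ARCS, &n, &used);

    printf("good: rc=%d oid=", rc);
    for (i = 0; rc == OID_OK && i < n; i++)
        printf("%s%lu", i ? "." : "", (unsigned long)arcs[i]);
    rc = oid_decode(bad, sizeof bad, arcs, OID_MAX_ARCS, &n, &used);
    printf("\nbad:  rc=%d\n", rc);
    return 0;
}
```

Every rejection path returns before the output array is indexed, so a
malformed or over-long OID produces an error code rather than a read or write
outside the buffers.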

Software Versions and Fixes

Please review the information in the following link for details on Cisco
non-IOS products:
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-non-ios-pub.shtml

Cisco IOS Software

Each row of the Cisco IOS software table (below) describes a release train
and the platforms or products for which it is intended. If a given release
train is vulnerable, then the earliest possible releases that contain the fix
(the "First Fixed Release") and the anticipated date of availability for each
are listed in the "Rebuild," "Interim," and "Maintenance" columns. A device
running a release in the given train that is earlier than the release in a
specific column (less than the First Fixed Release) is known to be
vulnerable. The release should be upgraded at least to the indicated release
or a later version (greater than or equal to the First Fixed Release label).

When selecting a release, keep in mind the following definitions:

Maintenance
    Most heavily tested, stable, and highly recommended release of a release
    train in any given row of the table.

Rebuild
    Constructed from the previous maintenance or major release in the same
    train, it contains the fix for a specific defect. Although it receives
    less testing, it contains only the minimal changes necessary to repair
    the vulnerability.

Interim
    Built at regular intervals between maintenance releases and receives less
    testing. Interims should be selected only if there is no other suitable
    release that addresses the vulnerability. Interim images should be
    upgraded to the next available maintenance release as soon as possible.
    Interim releases are not available through manufacturing, and usually
    they are not available for customer download from CCO without prior
    arrangement with the Cisco TAC.
In all cases, customers should exercise caution to confirm that the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new software release. If the information is not clear, contact the Cisco TAC for assistance as shown in the "Obtaining Fixed Software" section. More information on Cisco IOS software release names and abbreviations is available at http://www.cisco.com/warp/public/620/1.html. The fixes will be available at the Software Center located at http:// www.cisco.com/public/sw-center/. For software installation and upgrade procedures, go to http://www.cisco.com/ warp/public/130/upgrade_index.shtml. +---------------------------------------------------------------------------+ | Train | Image Description or | Availability of Fixed Releases | | | Platform | | |-------------------------------------+-------------------------------------| | 11.x Releases | Rebuild | Interim | Maintenance | |-------------------------------------+-------------+---------+-------------| | | | 11.0(22b) | | | |11.0 | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 11.1(24b) | | | |11.1 | |-------------| | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 11.1(20)AA4 | | | |11.1AA | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 11.1(36)CA2 | | | |11.1CA | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 11.1(36)CC4 | | | |11.1CC | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 11.1(28a)CT | | | |11.1CT | |-------------| | | | | | 2002-FEB-18 | | | 
|--------------+----------------------+-------------+---------+-------------| | | | 11.1(28a)IA | | | |11.1IA | |-------------| | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 11.2(26b) | | | | | |-------------| | | | 11.2 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 11.2(23a) | | | | 11.2BC | | BC1 | | | | | |-------------| | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 11.2(19a) | | | | 11.2GS | | GS6 | | | | | |-------------| | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 11.2(26)P2 | | | |11.2P | |-------------| | | | | | 2002-FEB-14 | | | |--------------+----------------------+-------------+---------+-------------| | | | 11.2(8.9) | | | | | | SA6 | | | |11.2SA | |-------------| | | | | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 11.3(11c) | | | | | |-------------| | | | 11.3 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 11.3(7)DB1 | | | |11.3DB | |-------------| | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 11.3(8)DB2 | | | |11.3DB | |-------------| | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 11.3(11b)T2 | | | | | |-------------| | | | 11.3T | | Now | | | | | | Available | | | | | | on CCO | | | |-------------------------------------+-------------+---------+-------------| | 12.0 Releases | Rebuild | Interim | Maintenance | |-------------------------------------+-------------+---------+-------------| | | | 12.0(7a) | | | | | |-------------| | | | 12.0 | | Now | | | 
| | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(6b) | | | | | |-------------| | | | 12.0 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(8a) | | | |12.0 | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(9a) | | | | | |-------------| | | | 12.0 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(10a) | | | | | |-------------| | | | 12.0 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(11a) | | | | | |-------------| | | | 12.0 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(12a) | | | | | |-------------| | | | 12.0 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(13a) | | | | | |-------------| | | | 12.0 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(14a) | | | | | |-------------| | | | 12.0 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(15a) | | | | | |-------------| | | | 12.0 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(16a) | | | |12.0 | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(17a) | | | | | |-------------| | | | 12.0 | | Now | | | | | | Available | | | | 
| | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(19a) | | | | | |-------------| | | | 12.0 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(20a) | | | | | |-------------| | | | 12.0 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(21a) | | | | | |-------------| | | | 12.0 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(2b) | | | | | |-------------| | | | 12.0 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(18b) | | | |12.0 | |-------------| | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(3d) | | | | | |-------------| | | | 12.0 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(13)WT6 | | | | 12.0WT | | (1) | | | | | |-------------| | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(2)XE? 
| | | |12.0(2)XE | |-------------| | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(21)SX | | | |12.0(20)SX | |-------------| | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(4)XE1 | | | |12.0(4)XE | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(4)XM1 | | | | | |-------------| | | | 12.0(4)XM | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | 12.0(5)WC | | 12.0(5)WC2b | | | |2900XL-LRE | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(5)XE? | | | |12.0(5)XE | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(5)XK2 | | | | | |-------------| | | | 12.0(5)XK | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(5)XN1 | | | |12.0(5)XN | |-------------| | | | | | week of | | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(5)XS? 
| | | |12.0(5)XS | |-------------| | | | | | week of | | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(7)WX5 | | | | | | (15a) | | | |12.0WX | |-------------| | | | | | week of | | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(7)XE1 | | | |12.0(7)XE | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(7)XF1 | | | |12.0(7)XF | |-------------| | | | | | week of | | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(7)XK3 | | | | | |-------------| | | | 12.0(7)XK | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(7)XV | | | |12.0(7)XV | |-------------| | | | | | week of | | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(7)DB2 | | | |12.0DB | |-------------| | | | | | week of | | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(7)DC1 | | | |12.0DC | |-------------| | | | | | week of | | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(8)S1 | | | | | |-------------| | | | 12.0S | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(9)S8 | | | |12.0S | |-------------| | | | | | 2002-FEB-14 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(10)S7 | | | | | |-------------| | | | 12.0S | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(11)S6 | | | | | |-------------| | | | 12.0S | | Now 
| | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(12)S3 | | | | | |-------------| | | | 12.0S | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(13)S6 | | | | | |-------------| | | | 12.0S | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(14)S7 | | | | | |-------------| | | | 12.0S | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(15)S6 | | | | | |-------------| | | | 12.0S | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(16)S8 | | | | | |-------------| | | | 12.0S | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(17)S4 | | | | | |-------------| | | | 12.0S | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(18)S5 | | | | | |-------------| | | | 12.0S | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(19)S2 | | | | | |-------------| | | | 12.0S | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(21)S1 | | | |12.0S | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(16)SC3 | | | |12.0SC | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(17)SL6 | | | | | |-------------| | | | 12.0SL | | 
Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(19)SL4 | | | | | |-------------| | | | 12.0SL | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(20)SP1 | | | | | |-------------| | | | 12.0SP | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(11)ST4 | | | | | |-------------| | | | 12.0ST | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(14)ST3 | | | | | |-------------| | | | 12.0ST | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(16)ST1 | | | | | |-------------| | | | 12.0ST | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(17)ST5 | | | | | |-------------| | | | 12.0ST | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(18)ST1 | | | |12.0ST | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(19)ST2 | | | | | |-------------| | | | 12.0ST | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(20)ST2 | | | | | |-------------| | | | 12.0ST | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(21)ST | | | |12.0ST | |-------------| | | | | | week of | | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.0(7)T2 | | 
| | | |-------------| | | | 12.0T | | Now | | | | | | Available | | | | | | on CCO | | | |-------------------------------------+-------------+---------+-------------| | 12.1 Releases | Rebuild | Interim | Maintenance | |-------------------------------------+-------------+---------+-------------| | | | 12.1(13) | | | |12.1 | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(4a) | | | | | |-------------| | | | 12.1 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(6a) | | | | | |-------------| | | | 12.1 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(9a) | | | | | |-------------| | | | 12.1 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(10a) | | | | | |-------------| | | | 12.1 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(2b) | | | | | |-------------| | | | 12.1 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(3b) | | | | | |-------------| | | | 12.1 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(7b) | | | | | |-------------| | | | 12.1 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(11b) | | | | | |-------------| | | | 12.1 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(12b) | | | | | |-------------| | | | 12.1 | | Now | | | | 
| | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(1c) | | | | | |-------------| | | | 12.1 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(8c) | | | | | |-------------| | | | 12.1 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(5e) | | | | | |-------------| | | | 12.1 | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(10)EX | | | |12.1(10)EX | |-------------| | | | | | week of | | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(10)EY | | | |12.1(10)EY | |-------------| | | | | | week of | | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(2)XF5 | | | |12.1(2)XF | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(3a)XI8 | | | |12.1(3)XI | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(3)XP | | | |12.1(3)XP | |-------------| | | | | | week of | | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(3)XQ | | | |12.1(3)XQ | |-------------| | | | | | week of | | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(3)XT3 | | | |12.1(3)XT | |-------------| | | | | | week of | | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(4)XY8 | | | | | |-------------| | | | 12.1(4)XY | | Now | | | | | | Available | | | | | | on CCO | | | 
|--------------+----------------------+-------------+---------+-------------| | | | 12.1(4)XZ7 | | | |12.1(4)XZ | |-------------| | | | | | 2002-FEB-14 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(5)XM7 | | | |12.1(5)XM | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(5)XV4 | | | |12.1(5)XV | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(5)XV5 | | | |12.1(5)XV | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(5)XV5 | | | |12.1(5)XV | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(5)YA2 | | | |12.1(5)YA | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(5)YB5 | | | |12.1(5)YB | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(5)YC2 | | | |12.1(5)YC | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(5)YD6 | | | |12.1(5)YD | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(5)YF4 | | | |12.1(5)YF | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(5)YH3 | | | |12.1(5)YH | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | 12.1(5)YI | | 12.1(5)YI1 | | | |12.1(5)EY | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 
12.1(6)EZ6 | | | | | |-------------| | | | 12.1(6)EZ | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(7a)EY3 | | | |12.1(7a)EY | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(8a)EW1 | | | |12.1(8a)EW | |-------------| | | | | | 2002-FEB-15 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(8b)EX4 | | | | | |-------------| | | | 12.1(8a)EX | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(9)EX3 | | | | | |-------------| | | | 12.1(9)EX | | Now | | | | | | Available | | | | | | on CCO | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(8)AA1 | | | |12.1AA | |-------------| | | | | | 2002-FEB-14 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(10)AA | | | |12.1AA | |-------------| | | | | | week of | | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(7)DA3 | | | |12.1DA | |-------------| | | | | | week of | | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(1)DB2 | | | |12.1DB | |-------------| | | | | | week of | | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(3)DB1 | | | |12.1DB | |-------------| | | | | | week of | | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(4)DB2 | | | |12.1DB | |-------------| | | | | | week of | | | | | | 2002-FEB-18 | | | |--------------+----------------------+-------------+---------+-------------| | | | 12.1(5)DB1 | | | |12.1DB | |-------------| | | | | | 2002-FEB-15 | | | 
| 12.1DC       |                      | 12.1(1)DC2: week of 2002-FEB-18       |         |             |
| 12.1DC       |                      | 12.1(3)DC2: week of 2002-FEB-18       |         |             |
| 12.1DC       |                      | 12.1(4)DC2: week of 2002-FEB-18       |         |             |
| 12.1DC       |                      | 12.1(5)DC2: 2002-FEB-15               |         |             |
| 12.1E        |                      | 12.1(1)E5: Now Available on CCO       |         |             |
| 12.1E        |                      | 12.1(3a)E7: week of 2002-FEB-18       |         |             |
| 12.1E        |                      | 12.1(3a)E8: week of 2002-FEB-18       |         |             |
| 12.1E        |                      | 12.1(4)E3: Now Available on CCO       |         |             |
| 12.1E        |                      | 12.1(5c)E12: 2002-FEB-14              |         |             |
| 12.1E        |                      | 12.1(5c)E12: 2002-FEB-15              |         |             |
| 12.1E        |                      | 12.1(6)E8: Now Available on CCO       |         |             |
| 12.1E        |                      | 12.1(7a)E6: week of 2002-FEB-18       |         |             |
| 12.1E        |                      | 12.1(8b)E9: 2002-FEB-15               |         |             |
| 12.1E        |                      | 12.1(8b)E11: 2002-FEB-15              |         |             |
| 12.1E        |                      | 12.1(9)E2: Now Available on CCO       |         |             |
| 12.1E        |                      | 12.1(9)E3: 2002-FEB-15                |         |             |
| 12.1E        |                      | 12.1(10)E4: Now Available on CCO      |         |             |
| 12.1E        |                      | 12.1(11)E: 2002-FEB-25                |         |             |
| 12.1EC       |                      | 12.1(10)EC1: 2002-FEB-15              |         |             |
| 12.1EC       |                      | 12.1(11)EC: week of 2002-FEB-18       |         |             |
| 12.1T        |                      | 12.1(5)T12: Now Available on CCO      |         |             |
|-------------------------------------+---------------------------------------+---------+-------------|
| 12.2 Releases                       | Rebuild                               | Interim | Maintenance |
|--------------+----------------------+---------------------------------------+---------+-------------|
| 12.2         |                      | 12.2(7a): 2002-FEB-15                 |         |             |
| 12.2         |                      | 12.2(6c): Now Available on CCO        |         |             |
| 12.2         |                      | 12.2(1d): Now Available on CCO        |         |             |
| 12.2         |                      | 12.2(3d): Now Available on CCO        |         |             |
| 12.2         |                      | 12.2(5d): Now Available on CCO        |         |             |
| 12.2(1)DX    |                      | Affected: Not scheduled               |         |             |
| 12.2(1)XA    |                      | 12.2(2)XA5: Now Available on CCO      |         |             |
| 12.2(1)XD    |                      | 12.2(1)XD3: 2002-FEB-15               |         |             |
| 12.2(1)XE    |                      | 12.2(1)XE2: 2002-FEB-15               |         |             |
| 12.2(1)XS    |                      | 12.2(1)XS1: week of 2002-FEB-18       |         |             |
| 12.2(2)BY    |                      | 12.2(2)BY2: 2002-FEB-15               |         |             |
| 12.2(2)XB    |                      | 12.2(2)XB3: 2002-FEB-15               |         |             |
| 12.2(2)XB    |                      | 12.2(2)XB4: 2002-FEB-15               |         |             |
| 12.2(2)XF    |                      | Affected: Not scheduled               |         |             |
| 12.2(2)XG    |                      | Affected: Not scheduled               |         |             |
| 12.2(2)XH    |                      | 12.2(2)XH2: 2002-FEB-15               |         |             |
| 12.2(2)XI    |                      | 12.2(2)XI1: 2002-FEB-15               |         |             |
| 12.2(2)XJ    |                      | 12.2(2)XJ1: week of 2002-FEB-18       |         |             |
| 12.2(2)XK    |                      | 12.2(2)XK2: 2002-FEB-15               |         |             |
| 12.2(2)XN    |                      | 12.2(2)XN: week of 2002-FEB-18        |         |             |
| 12.2(2)XT    |                      | 12.2(2)XT3: 2002-FEB-15               |         |             |
| 12.2(2)XT    |                      | Affected: Not scheduled               |         |             |
| 12.2(2)XU    |                      | 12.2(2)XU2: 2002-FEB-15               |         |             |
| 12.2(2)XU    |                      | 12.2(2)XU1: Now Available on CCO      |         |             |
| 12.2(2)XU    |                      | 12.2(2)XU2: 2002-FEB-15               |         |             |
| 12.2(2)YC    |                      | 12.2(2)YC: week of 2002-FEB-18        |         |             |
| 12.2(4)MX    |                      | 12.2(4)MX1: 2002-FEB-15               |         |             |
| 12.2(4)XL    |                      | 12.2(4)XL4: 2002-FEB-15               |         |             |
| 12.2(4)XM    |                      | 12.2(4)XM2: Now Available on CCO      |         |             |
| 12.2(4)XV    |                      | 12.2(4)XV4a: Now Available on CCO     |         |             |
| 12.2(4)XW    |                      | 12.2(4)XW1: week of 2002-FEB-18       |         |             |
| 12.2(4)YA    |                      | 12.2(4)YA1: 2002-FEB-15               |         |             |
| 12.2(4)YB    |                      | 12.2(4)YB: week of 2002-FEB-18        |         |             |
| 12.2B        |                      | 12.2(2)B4: 2002-FEB-1                 |         |             |
| 12.2B        |                      | 12.2(4)B2: 2002-FEB-15                |         |             |
| 12.2B        |                      | 12.2(4)B4: 2002-FEB-15                |         |             |
| 12.2B        |                      | 12.2(4)BX: week of 2002-FEB-18        |         |             |
| 12.2BC       |                      | 12.2(4)BC1a: 2002-FEB-15              |         |             |
| 12.2BX       |                      | 12.2(2)BX: 2002-FEB-14                |         |             |
| 12.2BX       |                      | 12.2(4)BX: week of 2002-FEB-18        |         |             |
| 12.2DA       |                      | 12.2(5)CA1: week of 2002-FEB-18       |         |             |
| 12.2DA       |                      | 12.2(7)DA: 2002-FEB-15                |         |             |
| 12.2DA       |                      | 12.2(1b)DA1: week of 2002-FEB-18      |         |             |
| 12.2DD       |                      | 12.2(2)DD3: Now Available on CCO      |         |             |
| 12.2MB       |                      | 12.2(4)MB3: 2002-FEB-15               |         |             |
| 12.2S        |                      | 12.2(9)S: week of 2002-FEB-18         |         |             |
| 12.2T        |                      | 12.2(2)T4: Now Available on CCO       |         |             |
| 12.2T        |                      | 12.2(4)T3: 2002-FEB-19                |         |             |
| 12.2T        |                      | 12.2(6.8)T0a: 2002-FEB-15             |         |             |
| 12.2T        |                      | 12.2(6.8)T1a: 2002-FEB-15             |         |             |
| 12.2T        |                      | 12.2(8)T: 2002-FEB-15                 |         |             |
|-------------------------------------+---------------------------------------+---------+-------------|
| Switch Platform Releases            | Rebuild                               | Interim | Maintenance |
|--------------+----------------------+---------------------------------------+---------+-------------|
| 12.0W5       | cat2948g-L3,cat4232  | 12.0(18)W5(22b): 2002-FEB-15          |         |             |
|--------------+----------------------+---------------------------------------+---------+-------------|
| 12.0W5       | c5atm,cat8510[c,m]   | 12.0(20)W5(22b): Now Available on CCO |         |             |
|              | cat8540[c,m],        |                                       |         |             |
|              | ls1010               |                                       |         |             |
|--------------+----------------------+---------------------------------------+---------+-------------|
| 12.0(5.1)XP  | 2900XL/3500XL        | 12.0(5)WC3: Now Available on CCO      |         |             |
| 12.0(5)XU    |                      |                                       |         |             |
| 12.0(5.2)XU  |                      |                                       |         |             |
| 12.0(5.3)WC1 |                      |                                       |         |             |
|--------------+----------------------+---------------------------------------+---------+-------------|
| 12.0(5)WC2,  | 2900XL-LRE:          | 12.0(5)WC2b: 2002-FEB-15              |         |             |
| 12.0(5.4)WC1 |                      |                                       |         |             |
|--------------+----------------------+---------------------------------------+---------+-------------|
| 12.0(5.3)WC1 | 2950                 | 12.1(6)EA2b: 2002-FEB-15              |         |             |
| 12.0(5.4)    |                      |                                       |         |             |
|--------------+----------------------+---------------------------------------+---------+-------------|
| 12.1(4)EA1e  | 3550                 | 12.1(8)EA1b: Now Available on CCO     |         |             |
| 12.1(6)EA1   |                      |                                       |         |             |
| 12.1(6)EA1a  |                      |                                       |         |             |
+-----------------------------------------------------------------------------------------------------+

Obtaining Fixed Software

Cisco is offering free software upgrades to remedy this vulnerability for all affected customers.
Customers with service contracts may upgrade to any software release containing the feature sets they have purchased. Customers without contracts may upgrade only within a single row of the table above, except that any available fixed software release will be provided to any customer who can use it and for whom the standard fixed software release is not yet available. Customers may only install and expect support for the feature sets they have purchased.

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's Worldwide Web site at http://www.cisco.com/.

Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge.

Customers who purchased directly from Cisco but who do not hold a Cisco service contract, and customers who purchase through third party vendors but are unsuccessful at obtaining fixed software through their point of sale, should obtain fixed software by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

See http://www.cisco.com/warp/public/687/Directory.shtml for additional TAC contact information, including instructions and e-mail addresses for use in various languages.

Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

Workarounds

The usefulness of any workaround is dependent on specific customer situations such as products, software versions, network topology, traffic behavior, and organizational mission. Due to the great variety of affected products and releases, customers should carefully evaluate each workaround to ensure it is appropriate for use in the intended network before it is deployed.

General Measures

  * Turn SNMP off in the device. This is an effective workaround, but removes management capability to the device. This can be done using the following configure command:

        no snmp-server

    Removing the community string public with the configure command:

        no snmp-server community public ro

    is not sufficient, as the SNMP server will still be running and the device will be vulnerable. The command no snmp-server must be used instead.

    Verify SNMP server status by using the enable command show snmp. You should see a response of "%SNMP agent not enabled".

  * Apply an extended access list (ACL) to deny protocol UDP, port 161 and 162, at the interface level such that SNMP access to the device is allowed only from the network management workstations. This can be done using the following configure commands:

        access-list 100 permit ip host 1.1.1.1 any
        access-list 100 deny udp any any eq snmp
        access-list 100 deny udp any any eq snmptrap
        access-list 100 permit ip any any

    where 1.1.1.1 is the trusted network management station. This access list must be applied to all interfaces using the following configure commands:

        interface serial 0
        ip access-group 100 in

    This will not prevent spoofed IP packets with the source IP address set to that of the network management station from reaching the switch's management interface. The access-list statement containing "snmptrap" will prevent notification messages from entering the network when it is applied at the network edge. The Cisco SAFE white papers cover techniques that can be used to control IP address spoofing.
    These papers can be found at: Cisco SAFE Solution

    Two white papers cover securing your network in general and controlling IP address spoofing specifically:

        SAFE: A Security Blueprint for Enterprise Networks
        SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

Workarounds with Caveats

  * Apply an SNMP community-based ACL to allow SNMP access to the device only from the network management workstations using the following configure commands:

        access-list 1 permit 1.1.1.1
        snmp-server community string1 ro 1

    In this case the trusted management station is at address 1.1.1.1.

    If community strings are also configured for notifications, they must be different than the community strings used for requests in order for this workaround to be effective. This is an SNMP configuration best practice, and it also avoids issues with some Cisco IOS software releases. You should not be able to discover the SNMP community strings for read-only or read-write access by receiving or sniffing a notification.

    Use the following configure commands to change community strings for notifications that are the same as community strings used for requests.

        no snmp-server host 1.1.1.1 string1
        snmp-server community string1 ro 1

    The second command above reapplies the access list to the community and must be re-entered after the snmp-server host command is entered to ensure the access list is applied correctly in some Cisco IOS software releases.

    Use the following configure command to tell the device to send notifications using the new community string:

        snmp-server host 1.1.1.1 anythingbutstring1

    All community strings used for notifications, like the "anythingbutstring1" community string above, need to be set to deny all SNMP requests. Use the following configure commands to do this:

        access-list 2 deny any
        snmp-server community anythingbutstring1 ro 2

    This is required because Cisco IOS software configures community strings used for notifications with no read or write view.
    You cannot see or change any information on the device using this string. However, requests using a community string with no view will still be processed by the device and an SNMP tool could exploit this processing and crash the device.

    Please note that in order for this to take effect, the commands must be issued in the following order:

        snmp-server host 1.1.1.1 anythingbutstring1
        snmp-server community anythingbutstring1 ro 2

    This configuration will not survive a reload. In certain releases, entering the snmp-server community command will delete the notify view required to send traps. This can be determined by running the command:

        show snmp group

    Look for two or more groups with the same name as the community string used for notifications. The output should look like this:

        groupname: anythingbutstring1        security model:v1
        readview :v1default                  writeview:
        notifyview: *tv.FFFFFFFF.FFFFFFFF
        row status: active                   access-list: 2

        groupname: anythingbutstring1        security model:v2c
        readview :v1default                  writeview:
        notifyview:
        row status: active                   access-list: 2

    Ensure that the notifyview is set for the version of notifications you want the device to send, and that the access-list is set correctly for all security models. If either field is not correct, first reapply the configure command:

        snmp-server host 1.1.1.1 anythingbutstring1

    Then look at the output of show snmp group again. Take the view listed as the notifyview, the correct access-list number, and the security model version and enter the following configure command:

        snmp-server group anythingbutstring1 v1 notify *tv.FFFFFFFF.FFFFFFFF access 2

    Modify the above command to match your configuration. Verify this worked using the show snmp group enable command. If you are sending notifications using this community string with both SNMPv1 and SNMPv2c, then you'll need to enter this command twice - the first time specifying the version as "v1", and the second time as "v2c".

    Note: The snmp-server group command will show up in the configuration before the snmp-server host command, so this part of the workaround will not survive a reboot. After a reboot, the device will continue to send traps but the snmp-server group command will need to be re-entered to protect the device from exploits using this community string.

  * Change the community string from "public" to something more cryptic. The PROTOS test suite uses "public" in its tests as configured by OULU.

    Note: Even though the current version of the PROTOS tests will not crash the Cisco IOS device if the device community string is not public, it is very easy to modify the PROTOS code so that other community string values are used. Therefore, it is important to use a community ACL as described above to further mitigate the risk.

Caveats

The following workaround is effective in the following Cisco IOS software releases:

    11.0, 11.1, 11.2 and derivatives
    12.0(3)T and later 12.0()T
    12.0(6)S and later 12.0S
    12.0(8.6)ST through 12.0(19.1)ST, 12.0(19.6)ST and later
    12.1
    12.1(1)T up to 12.1(4.4)T
    12.1(1)E up to 12.1(9.4)E
    12.1(1)EC up to 12.1(9.4)EC

to the best of our knowledge at this time based on testing and code inspection.

These workarounds are NOT effective in:

    11.3, 11.3T
    12.0
    12.0(1)S through 12.0(5.x)S
    12.0(19.3)ST, 12.0(19.3)ST1, 12.0(19.3)ST2
    12.1(4.4)T2 and later 12.1()T
    12.1(9.5)E and later 12.1()E
    12.1(9.5)EC and later 12.1()EC
    12.2, 12.2T

Troubleshooting Tips for Cisco IOS Software

  * Configure the startup-config with no SNMP and the running-config with the SNMP. In the event of a successful exploit due to this vulnerability, the affected device will reload with a new configuration in which SNMP is disabled. This will prevent additional, repeated exploit of the vulnerability.

  * Configure the SNMP Community ACLs with the "log" keyword. Monitor syslog for failed attempts.

  * Periodically check SNMP for errors.
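
The conditions in "Workarounds with Caveats" can be checked mechanically against a saved configuration. The script below is an added example, not part of the Cisco advisory: it flags a community named public, request communities without a restricting ACL, and notification communities that are shared with requests or lack a deny-all ACL. The sample configurations are constructed, 192.0.2.10 is a placeholder for the management station the advisory writes as 1.1.1.1, and the finding names are the example's own.

```python
"""Audit an IOS configuration against the advisory's community-string workaround.

Added example: finding names and sample configurations are constructed.
Only SNMPv1/v2c "snmp-server host" lines are interpreted.
"""

# Constructed samples. 192.0.2.10 is a placeholder management station.
WEAK_CONFIG = """\
access-list 1 permit 192.0.2.10
snmp-server community public ro
snmp-server community string1 ro 1
snmp-server host 192.0.2.10 string1
"""

HARDENED_CONFIG = """\
access-list 1 permit 192.0.2.10 log
access-list 2 deny any log
snmp-server community string1 ro 1
snmp-server community anythingbutstring1 ro 2
snmp-server host 192.0.2.10 anythingbutstring1
"""


def parse(config):
    """Return (acls, communities, notify) collected from configuration text."""
    acls, communities, notify = {}, {}, set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and len(tok) >= 4:
            # access-list <number> permit|deny <source ...>
            acls.setdefault(tok[1], []).append((tok[2], tok[3:]))
        elif tok[:2] == ["snmp-server", "community"] and len(tok) >= 3:
            # snmp-server community <string> [view <name>] [ro|rw] [<acl>]
            rest = tok[3:]
            if rest[:1] == ["view"]:
                rest = rest[2:]
            if rest[:1] in (["ro"], ["rw"]):
                rest = rest[1:]
            communities[tok[2]] = rest[0] if rest else None
        elif tok[:2] == ["snmp-server", "host"] and len(tok) >= 4:
            # snmp-server host <addr> [traps|informs] [version 1|2c] <string>
            rest = tok[3:]
            if rest[:1] in (["traps"], ["informs"]):
                rest = rest[1:]
            if rest[:1] == ["version"]:
                rest = rest[2:]
            if rest:
                notify.add(rest[0])
    return acls, communities, notify


def permits_any(entries):
    """True if a standard ACL entry permits every source address."""
    return any(
        action == "permit"
        and (src[:1] == ["any"] or src[:2] == ["0.0.0.0", "255.255.255.255"])
        for action, src in entries
    )


def audit(config):
    """Return a sorted list of (finding, community) tuples."""
    acls, communities, notify = parse(config)
    findings = set()
    for name, acl in communities.items():
        if name == "public":
            findings.add(("PUBLIC", name))
        if name in notify:
            continue  # judged below as a notification community
        entries = acls.get(acl)
        if not entries:
            # No ACL bound, or the ACL it names is not defined in this config.
            findings.add(("NO_ACL", name))
        elif permits_any(entries):
            findings.add(("OPEN_ACL", name))
    for name in notify:
        entries = acls.get(communities.get(name))
        if not entries:
            # The string still answers requests unless a deny-all ACL is bound.
            findings.add(("NOTIFY_UNPROTECTED", name))
        elif any(action == "permit" for action, _ in entries):
            # Same string serves requests and notifications.
            findings.add(("SHARED", name))
        # An ACL holding only deny entries rejects every request, because
        # IOS ends each access list with an implicit deny.
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

The order in which the host and community commands were entered, which the advisory says matters, cannot be recovered from a saved configuration and is not checked here.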

Configuration Notes

show snmp Command output:

        router#show snmp
        Chassis: 21350479
        17005 SNMP packets input
            37 Bad SNMP version errors **
            15420 Unknown community name **
            0 Illegal operation for community name supplied
            1548 Encoding errors **
            0 Number of requested variables
            0 Number of altered variables
            0 Get-request PDUs
            0 Get-next PDUs
            0 Set-request PDUs
        0 SNMP packets output
            0 Too big errors (Maximum packet size 1500)
            0 No such name errors
            0 Bad values errors
            0 General errors
            0 Response PDUs
            0 Trap PDUs

Watch the counters marked **

Exploitation and Public Announcements

Cisco is not aware of any malicious exploitation of this vulnerability. The largest set of these vulnerabilities were reported by the OUSPG at the University of Oulu, Finland, in concert with the CERT Coordination Center. A small number were reported by Cisco customers and some were internally discovered. These vulnerabilities are present in other products not provided by Cisco, and this security advisory is being published simultaneously with announcements from the other affected organizations.

Status of This Notice: Interim

This is an interim Security Advisory notice. Cisco anticipates issuing updated versions of this notice at irregular intervals as there are material changes in the facts, and will continue to update this notice as necessary. The reader is warned that this notice may contain inaccurate or incomplete information. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability. Cisco anticipates weekly updates of this notice until it reaches final status.

A standalone copy or paraphrase of the text of this Security Advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution

This notice will be posted on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml. In addition to Worldwide Web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients:

  * cust-security-announce@cisco.com
  * bugtraq@securityfocus.com
  * first-teams@first.org (includes CERT/CC)
  * cisco@spot.colorado.edu
  * comp.dcom.sys.cisco
  * firewalls@lists.gnac.com
  * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL given above for any updates.

Revision History

+-------------------------------------------------------------+
|Revision   |2002-Feb-14 |Added Table of Contents; updated    |
|Number 1.3 |            |table for Cisco IOS fixed images;   |
|           |            |"Workarounds" section updated       |
|-----------+------------+------------------------------------|
|Revision   |2002-Feb-13 |Lists of Products Affected and      |
|Number 1.2 |            |Products Not Affected updated       |
|-----------+------------+------------------------------------|
|Revision   |2002-Feb-13 |Lists of Products Affected and      |
|Number 1.1 |            |Products Not Affected updated;      |
|           |            |Details section updated; correction |
|           |            |to "Applying extended access list"  |
|-----------+------------+------------------------------------|
|Revision   |2002-Feb-12 |Initial public release              |
|Number 1.0 |20:00 GMT   |                                    |
+-------------------------------------------------------------+

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/sec_incident_response.shtml.
This includes instructions for press inquiries regarding Cisco security notices. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.

- -------------------------------------------------------------------------------

This notice is Copyright 2002 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information.

- -------------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Signed by Sharad Ahlawat, Cisco Systems PSIRT

-----END PGP SIGNATURE-----

From psirt-support@cisco.com Sun Feb 17 16:52:08 2002
From: Cisco Systems Product Security Incident Response Team
To: jericho@attrition.org
Date: Thu, 14 Feb 2002 19:43:47 -0800
Reply-To: psirt@cisco.com
Subject: Cisco Security Advisory: Malformed SNMP Message-Handling Vulnerabilities for Cisco Non-IOS Products

This is a re-send of the original advisory, page two of two; the first page will arrive in a separate message.

-----BEGIN PGP SIGNED MESSAGE-----

Cisco Security Advisory: Malformed SNMP Message-Handling Vulnerabilities for Cisco Non-IOS Products

Revision 1.1

For Public Release 2002 February 11 23:00 GMT

Last Updated 2002 February 13 12:00 GMT

- -------------------------------------------------------------------------------

Summary

Multiple Cisco products contain vulnerabilities in the processing of Simple Network Management Protocol (SNMP) messages.
The vulnerabilities can be repeatedly exploited to produce a denial of service. In most cases, workarounds are available that may mitigate the impact. These vulnerabilities are identified by various groups as VU#617947, VU#107186, OUSPG #0100, CAN-2002-0012, and CAN-2002-0013.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml.

This document details information on Cisco non-IOS products. This notice is part of "Cisco Security Advisory: Malformed SNMP Message-Handling Vulnerabilities" and cannot be used on its own without the primary advisory. It is available at http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-non-ios-pub.shtml.

Software Versions and Fixes

Cisco Software - Non IOS

Each row of the software table (below) describes a product platform set, and the first available fixed release. In all cases, customers should exercise caution to confirm that the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new software release. If the information is not clear, contact the Cisco TAC for assistance as shown in the "Obtaining Fixed Software" section. This information will be updated as more releases become available.

+---------------------------------------------------------+
| CatOS Product     | Defect ID     | Availability        |
|                   |               | of Fixed Releases   |
|-------------------+---------------+---------------------|
| Catalyst 4000,    | CSCdw67458    | 7.1(2)              |
| Catalyst 5000,    |               |---------------------|
| Catalyst 6000     |               | 6.3(5)              |
| Family            |               |---------------------|
|                   |               | 6.2(3a)             |
|                   |               | (available soon)    |
|                   |               |---------------------|
|                   |               | 6.1(4b)             |
|                   |               |---------------------|
|                   |               | 5.5(13a)            |
|                   |               |---------------------|
|                   |               | 5.4(4a)             |
|                   |               | (available soon)    |
|                   |               |---------------------|
|                   |               | 4.5(13a)            |
+---------------------------------------------------------+

Each row of the software table (below) describes a product and the defect identifier, and if available, the first fixed release. In all cases, customers should exercise caution to confirm that the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new software release. If the information is not clear, contact the Cisco TAC for assistance as shown in the "Obtaining Fixed Software" section. This information will be updated as more releases become available.
+----------------------------+-------------+----------------------------------+
| Product                    | Defect ID   | Intended First Fixed Releases*   |
+----------------------------+-------------+----------------------------------+
| Content Networking                                                          |
+----------------------------+-------------+----------------------------------+
| Arrowpoint CS11000         | CSCdw64236  | 4.01.053s, 5.01.013s, 5.02.005s  |
+----------------------------+-------------+----------------------------------+
| Cache Engine 505/570       | CSCdw65996  |                                  |
| Content 507/560/590/7320   |             |                                  |
+----------------------------+-------------+----------------------------------+
| Internet CDN               | CSCdw69634  | 2.1.1                            |
+----------------------------+-------------+----------------------------------+
| Local Director             | CSCdw64918  |                                  |
+----------------------------+-------------+----------------------------------+
| Desktop Switching                                                           |
+----------------------------+-------------+----------------------------------+
| MicroHub 1500              | CSCdw67327  |                                  |
+----------------------------+-------------+----------------------------------+
| Catalyst 3900 Series       | CSCdw71510  |                                  |
+----------------------------+-------------+----------------------------------+
| Consumer DSL                                                                |
+----------------------------+-------------+----------------------------------+
| CBOS                       | CSCdw65068  |                                  |
+----------------------------+-------------+----------------------------------+
| Network Management                                                          |
+----------------------------+-------------+----------------------------------+
| Cat6k NAM                  | CSCdw61011  | 1.2(3), 2.1(2)                   |
+----------------------------+-------------+----------------------------------+
| CiscoWorks Windows/WUG     | CSCdw64558  |                                  |
+----------------------------+-------------+----------------------------------+
| Hosting Solution Engine    | CSCdw60969  |                                  |
+----------------------------+-------------+----------------------------------+
| SNMPc                      | CSCdw64713  |                                  |
+----------------------------+-------------+----------------------------------+
| Switch Probe               | CSCdw62257  |                                  |
+----------------------------+-------------+----------------------------------+
| Traffic Director           | CSCdw64528  |                                  |
+----------------------------+-------------+----------------------------------+
| User Registration Tool -   | CSCdw61176  |                                  |
| VLAN Policy Server         |             |                                  |
+----------------------------+-------------+----------------------------------+
| Access Registrar           | CSCdw35595  |                                  |
+----------------------------+-------------+----------------------------------+
| Cisco Info Center          | CSCdw62590  |                                  |
+----------------------------+-------------+----------------------------------+
| Voice Products                                                              |
+----------------------------+-------------+----------------------------------+
| WS-X6608                   | CSCdw62862  | 003.002 (000.147)                |
+----------------------------+-------------+----------------------------------+
| WS-X6624                   | CSCdw62863  | 003.002 (000.147)                |
+----------------------------+-------------+----------------------------------+
| Carrier Class Products                                                      |
+----------------------------+-------------+----------------------------------+
| BPX/IGX                    | CSCdw58704  | 9.2.41, 9.3.36                   |
+----------------------------+-------------+----------------------------------+
| Cisco WAN Manager          | CSCdw69753, | 10.4.10 Patch 2.1,               |
|                            | CSCdw69736, | 10.5.10 Patch 1                  |
|                            | CSCdw69954  |                                  |
+----------------------------+-------------+----------------------------------+
| MGX-8220                   | CSCdw63646  | 5.0.18                           |
+----------------------------+-------------+----------------------------------+
| MGX-8230, MGX-8250,        | CSCdw56886  | 1.2.01, 1.1.32a                  |
| MGX-8850 R1                |             |                                  |
+----------------------------+-------------+----------------------------------+
| MGX-8850 R2                | CSCdw56907  | 2.1.75                           |
+----------------------------+-------------+----------------------------------+
| Service Expansion Shelf    | CSCdw56907  | 1.0.16                           |
+----------------------------+-------------+----------------------------------+
| Wireless Products                                                           |
+----------------------------+-------------+----------------------------------+
| AP340 Series, AP352        | CSCdw63011  | 11.05a, 11.06a, 11.07a,          |
|                            |             | 11.08T1, 11.10T1                 |
+----------------------------+-------------+----------------------------------+
| AP352                      | CSCdw63031  | 11.05a, 11.06a, 11.07a,          |
|                            |             | 11.08T1, 11.10T1                 |
+----------------------------+-------------+----------------------------------+
| BR340 Series, BR352        | CSCdw63248  | 8.24_2, 8.55_2, 8.65_2           |
+----------------------------+-------------+----------------------------------+
| BR352                      | CSCdw63032  | 11.05a, 11.06a, 11.07a,          |
|                            |             | 11.08T1, 11.10T1                 |
+----------------------------+-------------+----------------------------------+
| WGB340 Series              | CSCdw63264  | 8.24_2, 8.55_2, 8.65_2           |
+----------------------------+-------------+----------------------------------+
| WGB352                     | CSCdw63264  | 8.55_2, 8.65_2                   |
+----------------------------+-------------+----------------------------------+
| Security Products                                                           |
+----------------------------+-------------+----------------------------------+
| NetRanger                  | CSCdw44477  | 03.0(04)S16                      |
+----------------------------+-------------+----------------------------------+
| NetRanger Sensor           | CSCdw47000  |                                  |
+----------------------------+-------------+----------------------------------+
| PIX                        | CSCdw63021  |                                  |
+----------------------------+-------------+----------------------------------+
| VPN 3000                   | CSCdw64623  |                                  |
+----------------------------+-------------+----------------------------------+

Workarounds for Cisco Non-IOS Products

CAT OS

* Apply IP Permit List for SNMP to enable access to the switch's management
  interface only from the network management workstations. For instructions
  on how to do this, please refer to
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_6_3/config/ip_perm.htm.
  Please note that this will not prevent spoofed IP packets with the source
  IP address set to that of the network management station from reaching the
  switch's management interface.

Configuration Notes

The following command enables an ip permit list based on SNMP:

    set ip permit enable snmp

The following command enables a specific IP address to have SNMP access:

    set ip permit 192.168.0.100 255.255.255.255 snmp

In CatOS versions prior to 5.4(1), IP permit lists based on port number are
not supported.
The following command enables an ip permit list that affects both Telnet and
SNMP access:

    set ip permit enable

or

    set ip permit 192.168.0.100 255.255.255.255

* On the Catalyst 6000 series switches, if the Virtual LAN (VLAN) Access
  Control List (ACL) (VACL) feature is available in the code base, you can
  use VACLs instead of the IP Permit List workaround above. For instructions
  on how to do this, please refer to
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sft_6_1/configgd/acc_list.htm.
  Please note that this will not prevent spoofed IP packets with the source
  IP address set to that of the network management station from reaching the
  switch's management interface.

PIX

SNMP is DISABLED by default, and warnings are displayed to the administrator
when SNMP is configured to listen on the OUTSIDE interface.

* Disable SNMP - you can do this by removing all snmp-server host commands.
  Example:

    vpn-pix506B#show snmp
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps

* Change the snmp-server community string to something else other than
  "public". Example:

    vpn-pix506B#show snmp
    snmp-server host inside 172.18.123.68
    no snmp-server location
    no snmp-server contact
    snmp-server community blahblah
    no snmp-server enable traps

* The PIX is not vulnerable if the PROTO test suite is run from a server
  whose IP address is not explicitly defined in the snmp-server host command.

* Review the configuration for lines such as the following, with the keyword
  "outside", which indicates that the PIX is configured to accept SNMP
  queries from the unprotected interface:

    snmp-server host outside 172.18.123.68

LocalDirector

SNMP is not on by default. Access lists can and should be applied.

* Disable SNMP, you can do this by removing all snmp-server host commands.
  Example:

    vpn-pix506B#show snmp
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps

* Change the snmp-server community string to something else other than
  "public". Example:

    LD#show snmp
    snmp-server host 172.18.123.68
    no snmp-server location
    no snmp-server contact
    snmp-server community blahblah
    no snmp-server enable traps

* The LocalDirector is not vulnerable if the PROTO test suite is run from a
  server whose IP address is not explicitly defined in the snmp-server host
  command.

ArrowPoint/CSS11000

snmp community public read-write is the command that is vulnerable to the
suite. By issuing the show run global command, you can search for
"read-write" to determine if the CSS is vulnerable. Configure a STRONG
community string for read-write, and use access lists on the box for
additional control.

Cisco Cache Engine

Disable SNMP with the following command:

    no snmp-server host

Status of This Notice: Interim

This is an interim Security Advisory notice. Cisco anticipates issuing
updated versions of this notice at irregular intervals as there are material
changes in the facts, and will continue to update this notice as necessary.

The reader is warned that this notice may contain inaccurate or incomplete
information. Although Cisco cannot guarantee the accuracy of all statements
in this notice, all of the facts have been checked to the best of our
ability. Cisco anticipates weekly updates of this notice until it reaches
final status.

A standalone copy or paraphrase of the text of this Security Advisory that
omits the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.

This notice is part of "Cisco Security Advisory: Malformed SNMP
Message-Handling Vulnerabilities" and cannot be used on its own without the
primary advisory.
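The PIX, LocalDirector and CSS11000 workarounds earlier in this notice come down to reviewing a saved configuration for a handful of lines. As an added example that is not part of Cisco's advisory, the Python below flags those lines. The finding names and the sample configurations are constructed for illustration, and the patterns assume only the line shapes quoted in the advisory.

```python
import re

# Line shapes taken from the configuration excerpts quoted in the advisory.
HOST_RE = re.compile(
    r"^snmp-server host(?: (?P<iface>[A-Za-z]\S*))? (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")
COMMUNITY_RE = re.compile(r"^snmp-server community (?P<name>\S+)$")
CSS_RE = re.compile(r"^snmp community (?P<name>\S+) (?P<access>\S+)$")

def audit_snmp(config):
    """Return sorted (line_number, finding, line) tuples for one saved configuration."""
    hosts, communities, findings = [], [], []
    for number, raw in enumerate(config.splitlines(), start=1):
        line = " ".join(raw.split())              # collapse stray whitespace
        if not line or line.startswith("no "):
            continue                              # negated commands are inactive
        if m := HOST_RE.match(line):
            hosts.append((number, (m["iface"] or "").lower(), line))
        elif m := COMMUNITY_RE.match(line):
            communities.append((number, m["name"], line))
        elif (m := CSS_RE.match(line)) and m["access"] == "read-write":
            kind = "public-read-write" if m["name"] == "public" else "read-write-community"
            findings.append((number, kind, line))
    for number, iface, line in hosts:
        kind = "snmp-host-outside" if iface == "outside" else "snmp-host-defined"
        findings.append((number, kind, line))
    if hosts:
        # With no snmp-server host line SNMP is disabled, so the community
        # string is only reported while at least one host keeps it reachable.
        findings += [(n, "default-community", text)
                     for n, name, text in communities if name == "public"]
    return sorted(findings)

# Constructed samples assembled from the advisory's example lines.
PIX_EXPOSED = """snmp-server host outside 172.18.123.68
snmp-server host inside 172.18.123.68
no snmp-server location
snmp-server community public
no snmp-server enable traps
"""
PIX_DISABLED = """no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
"""
CSS_SAMPLE = "snmp community public read-write\n"

if __name__ == "__main__":
    for cfg in (PIX_EXPOSED, PIX_DISABLED, CSS_SAMPLE):
        print(audit_snmp(cfg))
```

The second sample mirrors the advisory's "Disable SNMP" output: the community line is still present, but with no snmp-server host line nothing is reported.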
Distribution

This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-non-ios-pub.shtml.
In addition to Worldwide Web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients:

* cust-security-announce@cisco.com
* bugtraq@securityfocus.com
* first-teams@first.org (includes CERT/CC)
* cisco@spot.colorado.edu
* comp.dcom.sys.cisco
* firewalls@lists.gnac.com
* Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.

Revision History

+---------------------+-----------------------+------------------------+
| Revision Number 1.1 | 2002-Feb-13 12:00 GMT | Table updates          |
+---------------------+-----------------------+------------------------+
| Revision Number 1.0 | 2002-Feb-12 23:00 GMT | Initial public release |
+---------------------+-----------------------+------------------------+

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products,
obtaining assistance with security incidents, and registering to receive
security information from Cisco, is available on Cisco's Worldwide Web site
at http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security notices.
All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.

- -------------------------------------------------------------------------------

This notice is Copyright 2002 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, and include
all date and version information.
- -------------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Signed by Sharad Ahlawat, Cisco Systems PSIRT
-----END PGP SIGNATURE-----