[AusNOG] Cisco Security Advisory: Cisco Content Services Gateway Vulnerabilities

Shaun Dwyer shaun at dwyer.id.au
Thu Jan 27 12:14:24 EST 2011


Not to mention the fact that these security advisories are entirely *on*-topic for this list.

If you don't want to receive them via this list, you can always filter them to /dev/null.

Cheers!
-Shaun


On 27/01/2011, at 9:07 AM, Skeeve Stevens wrote:

> Phil,
> 
> AusNOG is relatively low volume compared to Cisco-NSP.
> 
> ...Skeeve
> 
> --
> Skeeve Stevens, CEO
> eintellego Pty Ltd - The Networking Specialists
> skeeve at eintellego.net / www.eintellego.net
> Phone: 1300 753 383, Fax: (+612) 8572 9954
> Cell +61 (0)414 753 383 / skype://skeeve
> www.linkedin.com/in/skeeve ; facebook.com/eintellego
> --
> eintellego - The Experts that the Experts call
> - Juniper - HP Networking - Cisco - Brocade - Arista - Allied Telesis
> 
> -----Original Message-----
> From: Phil Pierotti <phil.pierotti at platformnetworks.net>
> Date: Thu, 27 Jan 2011 09:19:31 +1100
> To: "ausnog at ausnog.net" <ausnog at ausnog.net>
> Subject: Re: [AusNOG] Cisco Security Advisory: Cisco Content Services
> Gateway Vulnerabilities
> 
>> Seriously folks, is this *really* necessary?
>> 
>> Are there AUSnogERs out there who do not know about the cisco-nsp mailing
>> list?
>> 
>> Regards,
>> 
>> Phil Pierotti
>> Network Operations Manager
>> Platform Networks
>> www.platformnetworks.net
>> ph. 1300 854 678
>> 
>> -----Original Message-----
>> From: ausnog-bounces at lists.ausnog.net
>> [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Cisco Systems
>> Product Security Incident Response Team
>> Sent: Thursday, 27 January 2011 2:39 AM
>> To: ausnog at ausnog.net
>> Cc: psirt at cisco.com
>> Subject: [AusNOG] Cisco Security Advisory: Cisco Content Services Gateway
>> Vulnerabilities
>> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>> 
>> Cisco Security Advisory: Cisco Content Services Gateway Vulnerabilities
>> 
>> Advisory ID: cisco-sa-20110126-csg2
>> 
>> http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml
>> 
>> Revision 1.0
>> 
>> For Public Release 2011 January 26 1600 UTC (GMT)
>> 
>> +---------------------------------------------------------------------
>> 
>> Summary
>> =======
>> 
>> A service policy bypass vulnerability exists in the Cisco Content
>> Services Gateway - Second Generation (CSG2), which runs on the
>> Cisco Service and Application Module for IP (SAMI). Under certain
>> configurations this vulnerability could allow:
>> 
>> * Customers to access sites that would normally match a billing
>>   policy to be accessed without being charged to the end customer
>> * Customers to access sites that would normally be denied based on
>>   configured restriction policies
>> 
>> Additionally, Cisco IOS Software Release 12.4(24)MD1 on the Cisco
>> CSG2 contains two vulnerabilities that can be exploited by a remote,
>> unauthenticated attacker to create a denial of service condition that
>> prevents traffic from passing through the CSG2. These vulnerabilities
>> require only a single content service to be active on the Cisco CSG2 and
>> can be exploited via crafted TCP packets. A three-way handshake is not
>> required to exploit either of these vulnerabilities.
>> 
>> Workarounds that mitigate these vulnerabilities are not available.
>> 
>> This advisory is posted at
>> http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml.
>> 
>> Affected Products
>> =================
>> 
>> The service policy bypass vulnerability affects all versions of the
>> Cisco IOS Software for the CSG2 prior to the first fixed release, as
>> indicated in the "Software Versions and Fixes" section of this advisory.
>> 
>> The two denial of service vulnerabilities only affect Cisco IOS Software
>> Release 12.4(24)MD1 on the Cisco CSG2. No other Cisco IOS Software
>> releases are affected.
>> 
>> Vulnerable Products
>> +------------------
>> 
>> To determine the version of Cisco IOS Software that is running on the
>> Cisco CSG2, issue the "show module" command from Cisco IOS Software on
>> the switch on which the Cisco CSG2 module is installed to identify what
>> modules and sub-modules are installed on the system.
>> 
>> Cisco CSG2 runs on the Cisco Service and Application Module for IP
>> (SAMI) card, and is identified in the following example in slot 2 via
>> the WS-SVC-SAMI-BB-K9 identification:
>> 
>>   C7600#show module
>>   Mod Ports Card Type                              Model              Serial No.
>>   --- ----- -------------------------------------- ------------------ -----------
>>     1    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     JAF1226ARQS
>>     2    1  SAMI Module (csgk9)                    WS-SVC-SAMI-BB-K9  SAD113906P1
>>     4   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL1127T6XY
>> 
>>   Mod MAC addresses                       Hw    Fw           Sw           Status
>>   --- ---------------------------------- ------ ------------ ------------ -------
>>     1  001e.be6e.a018 to 001e.be6e.a01b   5.6   8.5(2)       12.2(33)SRC5 Ok
>>     2  001d.45f8.f3dc to 001d.45f8.f3e3   2.1   8.7(0.22)FW1 12.4(2010040 Ok
>>     4  001c.587a.ef20 to 001c.587a.ef4f   2.6   12.2(14r)S5  12.2(33)SRC5 Ok
>> 
>>   Mod  Sub-Module                  Model              Serial       Hw      Status
>>   ---- --------------------------- ------------------ ----------- ------- -------
>>     1  Policy Feature Card 3       WS-F6K-PFC3BXL     JAF1226BNQM  1.8     Ok
>>     1  MSFC3 Daughterboard         WS-SUP720          JAF1226BNMC  3.1     Ok
>>     2  SAMI Daughterboard 1        SAMI-DC-BB         SAD114400L9  1.1     Other
>>     2  SAMI Daughterboard 2        SAMI-DC-BB         SAD114207FU  1.1     Other
>>     4  Centralized Forwarding Card WS-F6700-CFC       SAL1029VGFK  2.0     Ok
>> 
>>   Mod  Online Diag Status
>>   ---- -------------------
>>     1  Pass
>>     2  Pass
>>     4  Pass
>>   C7600#
>> 
>> After locating the correct slot, issue the "session slot <module number>
>> processor <3-9>" command to open a console connection to the respective
>> Cisco CSG2. Once connected to the Cisco CSG2, perform the "show version"
>> command:
>> 
>> The following example shows that the Cisco CSG2 is running software
>> Release 12.4(24)MD1:
>> 
>>   CSG2#show version
>>   Cisco IOS Software, SAMI Software (SAMI-CSGK9-M), Version 12.4(24)MD1, RELEASE SOFTWARE (fc2)
>>   Technical Support: http://www.cisco.com/techsupport
>>   Copyright (c) 1986-2010 by Cisco Systems, Inc.
>>   Compiled Wed 07-Apr-10 09:50 by prod_rel_team
>> 
>> 
>>   --- output truncated ---
>> 
>> Products Confirmed Not Vulnerable
>> +--------------------------------
>> 
>> The Cisco Content Services Gateway - 1st Generation (CSG) is not
>> affected by these vulnerabilities.
>> 
>> No other Cisco products are currently known to be affected by these
>> vulnerabilities.
>> 
>> Details
>> =======
>> 
>> The Cisco Content Services Gateway - Second Generation (CSG2) provides
>> intelligent network capabilities such as flexible policy management
>> and billing based on deep-packet inspection, as well as subscriber and
>> application awareness capabilities that enable mobile operators to
>> quickly and easily offer value-added, differentiated services over their
>> mobile data networks.
>> 
>> The service policy bypass vulnerability affects configurations that
>> allow end users to first access non-accounted or billed sites. After a
>> user accesses a non-accounted site, it is possible to access other sites
>> that are defined by a billing service policy or to access sites that may
>> be blocked by other policies by sending specially crafted HTTP packets.
>> This vulnerability only affects HTTP content traffic. HTTPS and other
>> traffic types are not affected.
>> 
>> Both denial of service vulnerabilities require only a single content
>> service to be active on the Cisco CSG2 and can be exploited via crafted
>> TCP packets. A three-way handshake is not required to exploit either of
>> these vulnerabilities. The vulnerabilities are triggered by TCP traffic
>> that transits the Cisco CSG2.
>> 
>> The service policy bypass vulnerability is documented in Cisco Bug ID
>> CSCtk35917 and has been assigned CVE ID CVE-2011-0348.
>> 
>> The denial of service bugs are documented in Cisco Bug ID CSCth17178 and
>> Cisco Bug ID CSCth41891 and have been assigned CVE IDs CVE-2011-0349 and
>> CVE-2011-0350 respectively.
>> 
>> Vulnerability Scoring Details
>> =============================
>> 
>> Cisco has provided scores for the vulnerabilities in this advisory based
>> on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
>> this Security Advisory is done in accordance with CVSS version 2.0.
>> 
>> CVSS is a standards-based scoring method that conveys vulnerability
>> severity and helps determine urgency and priority of response.
>> 
>> Cisco has provided a base and temporal score. Customers can then
>> compute environmental scores to assist in determining the impact of the
>> vulnerability in individual networks.
>> 
>> Cisco has provided an FAQ to answer additional questions regarding CVSS
>> at:
>> 
>> http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
>> 
>> Cisco has also provided a CVSS calculator to help compute the
>> environmental impact for individual networks at:
>> 
>> http://intellishield.cisco.com/security/alertmanager/cvss
>> 
>> 
>> * CSCtk35917 ("Service Policy Bypass Vulnerability")
>> 
>> CVSS Base Score - 6.4
>>   Access Vector -            Network
>>   Access Complexity -        Low
>>   Authentication -           None
>>   Confidentiality Impact -   Partial
>>   Integrity Impact -         Partial
>>   Availability Impact -      None
>> 
>> CVSS Temporal Score - 5.3
>>   Exploitability -           Functional
>>   Remediation Level -        Official-Fix
>>   Report Confidence -        Confirmed
>> 
>> * CSCth41891/CSCth17178 ("Crafted TCP packet causes CSG2 to restart")
>> 
>> CVSS Base Score - 7.8
>>   Access Vector -            Network
>>   Access Complexity -        Low
>>   Authentication -           None
>>   Confidentiality Impact -   None
>>   Integrity Impact -         None
>>   Availability Impact -      Complete
>> 
>> CVSS Temporal Score - 6.4
>>   Exploitability -           Functional
>>   Remediation Level -        Official-Fix
>>   Report Confidence -        Confirmed
>> 
>> 
>> Impact
>> ======
>> 
>> Successful exploitation of the service policy bypass can allow customers
>> to obtain access to sites that would normally be accounted and billed
>> according to the billing policy without the billing policy being
>> engaged. Additionally, customers could gain access to URLs that are
>> configured in the Cisco CSG2 to be explicitly denied.
>> 
>> Successful exploitation of either denial of service vulnerability could
>> result in the Cisco CSG2 reloading or potentially hanging. Due to Cisco
>> Bug ID CSCtg50821, the Cisco CSG2 may not automatically recover and
>> may require a manual reload of the SAMI card by issuing the "hw-module
>> module <x> reset" CLI command from the switch.
>> 
>> Software Versions and Fixes
>> ===========================
>> 
>> When considering software upgrades, also consult
>> http://www.cisco.com/go/psirt and any subsequent advisories to determine
>> exposure and a complete upgrade solution.
>> 
>> In all cases, customers should exercise caution to be certain the
>> devices to be upgraded contain sufficient memory and that current
>> hardware and software configurations will continue to be supported
>> properly by the new release. If the information is not clear, contact
>> the Cisco Technical Assistance Center (TAC) or your contracted
>> maintenance provider for assistance.
>> 
>> Each row of the Cisco IOS Software table (below) names a Cisco IOS
>> release train. If a release train is vulnerable, then the earliest
>> possible releases that contain the fix (along with the anticipated date
>> of availability for each, if applicable) are listed in the "First Fixed
>> Release" column of the table. The "Recommended Release" column indicates
>> the releases which have fixes for all the published vulnerabilities
>> at the time of this Advisory. A device running a release in the given
>> train that is earlier than the release in a specific column (less than
>> the First Fixed Release) is known to be vulnerable. Cisco recommends
>> upgrading to a release equal to or later than the release in the
>> "Recommended Releases" column of the table.
>> 
>> +---------------------------------------------------------------+
>> |   Major    |        Availability of Repaired Releases         |
>> |  Release   |                                                  |
>> |------------+--------------------------------------------------|
>> |  Affected  |                                                  |
>> | 12.x-Based |               First Fixed Release                |
>> |  Releases  |                                                  |
>> |------------+--------------------------------------------------|
>> | 12.0 -     | 12.0 through 12.3 based releases are not         |
>> | 12.3       | affected                                         |
>> |------------+--------------------------------------------------|
>> |  Affected  |               First Fixed Release                |
>> | 12.4-Based |--------------------------------------------------|
>> |  Releases  |       DoS        |     Service Policy Bypass     |
>> |            | Vulnerabilities  |         Vulnerability         |
>> |------------+------------------+-------------------------------|
>> |            | All 12.4(11)MD   |                               |
>> |            | releases are not | All 12.4(11)MD releases are   |
>> |            | affected.        | affected. Migrate to a fixed  |
>> |            |                  | release.                      |
>> |            | All 12.4(15)MD   |                               |
>> |            | releases are not | All 12.4(15)MD releases are   |
>> |            | affected.        | affected. Migrate to a fixed  |
>> |            |                  | release.                      |
>> |            | All 12.4(22)MD   |                               |
>> | 12.4MD     | releases are not | All 12.4(22)MD releases are   |
>> |            | affected.        | affected. Migrate to a fixed  |
>> |            |                  | release.                      |
>> |            | Releases prior   |                               |
>> |            | to 12.4(24)MD1   | All 12.4(24)MD releases prior |
>> |            | are not          | to 12.4(24)MD3 are affected.  |
>> |            | affected.        |                               |
>> |            |                  | First fixed in 12.4(24)MD3    |
>> |            | First fixed in   |                               |
>> |            | 12.4(24)MD2      |                               |
>> |------------+------------------+-------------------------------|
>> |            |                  | All 12.4(22)MDA releases      |
>> |            |                  | prior to 12.4(22)MDA5 are     |
>> |            |                  | affected. First fixed in 12.4 |
>> |            | No releases      | (22)MDA5                      |
>> | 12.4MDA    | affected.        |                               |
>> |            |                  | All 12.4(24)MDA releases      |
>> |            |                  | prior to 12.4(24)MDA3 are     |
>> |            |                  | affected. First fixed in 12.4 |
>> |            |                  | (24)MDA3                      |
>> |------------+--------------------------------------------------|
>> |  Affected  |                                                  |
>> | 15.X-Based |               First Fixed Release                |
>> |  Releases  |                                                  |
>> |------------+--------------------------------------------------|
>> | 15.0 -     | 15.0 through 15.1 based releases are not         |
>> | 15.1       | affected                                         |
>> +---------------------------------------------------------------+
>> 
>> Cisco IOS Software for the CSG2 is located on Cisco Software Download
>> center at the following location: Cisco Interfaces and Modules --> Cisco
>> Services Modules --> Cisco Service Application Module for IP.
>> 
>> 
>> Workarounds
>> ===========
>> 
>> There are no workarounds for these vulnerabilities.
>> 
>> 
>> Obtaining Fixed Software
>> ========================
>> 
>> Cisco has released free software updates that address these
>> vulnerabilities. Prior to deploying software, customers should consult
>> their maintenance provider or check the software for feature set
>> compatibility and known issues specific to their environment.
>> 
>> Customers may only install and expect support for the feature
>> sets they have purchased. By installing, downloading, accessing
>> or otherwise using such software upgrades, customers agree to be
>> bound by the terms of Cisco's software license terms found at
>> http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
>> or as otherwise set forth at Cisco.com Downloads at
>> http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
>> 
>> Do not contact psirt at cisco.com or security-alert at cisco.com for software
>> upgrades.
>> 
>> Customers with Service Contracts
>> +-------------------------------
>> 
>> Customers with contracts should obtain upgraded software through their
>> regular update channels. For most customers, this means that upgrades
>> should be obtained through the Software Center on Cisco's worldwide
>> website at http://www.cisco.com.
>> 
>> Customers using Third Party Support Organizations
>> +------------------------------------------------
>> 
>> Customers whose Cisco products are provided or maintained through prior
>> or existing agreements with third-party support organizations, such
>> as Cisco Partners, authorized resellers, or service providers should
>> contact that support organization for guidance and assistance with the
>> appropriate course of action in regards to this advisory.
>> 
>> The effectiveness of any workaround or fix is dependent on specific
>> customer situations, such as product mix, network topology, traffic
>> behavior, and organizational mission. Due to the variety of affected
>> products and releases, customers should consult with their service
>> provider or support organization to ensure any applied workaround or fix
>> is the most appropriate for use in the intended network before it is
>> deployed.
>> 
>> Customers without Service Contracts
>> +----------------------------------
>> 
>> Customers who purchase direct from Cisco but do not hold a Cisco service
>> contract, and customers who purchase through third-party vendors but are
>> unsuccessful in obtaining fixed software through their point of sale
>> should acquire upgrades by contacting the Cisco Technical Assistance
>> Center (TAC). TAC contacts are as follows.
>> 
>> * +1 800 553 2447 (toll free from within North America)
>> * +1 408 526 7209 (toll call from anywhere in the world)
>> * e-mail: tac at cisco.com
>> 
>> Customers should have their product serial number available and be
>> prepared to give the URL of this notice as evidence of entitlement to a
>> free upgrade. Free upgrades for non-contract customers must be requested
>> through the TAC.
>> 
>> Refer to
>> http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
>> for additional TAC contact information, including localized telephone
>> numbers, and instructions and e-mail addresses for use in various
>> languages.
>> 
>> Exploitation and Public Announcements
>> =====================================
>> 
>> The Cisco PSIRT is aware of public announcements of the service billing
>> bypass vulnerability on some external blog sites. However the Cisco
>> PSIRT is not aware of any malicious use of the vulnerabilities described
>> in this advisory.
>> 
>> These vulnerabilities were found by both internal testing and when
>> handling customer support calls.
>> 
>> Status of this Notice: FINAL
>> ============================
>> 
>> THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
>> ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
>> MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
>> INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
>> AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
>> DOCUMENT AT ANY TIME.
>> 
>> A stand-alone copy or paraphrase of the text of this document that omits
>> the distribution URL in the following section is an uncontrolled copy,
>> and may lack important information or contain factual errors.
>> 
>> Distribution
>> ============
>> 
>> This advisory is posted on Cisco's worldwide website at:
>> 
>> http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml
>> 
>> In addition to worldwide web posting, a text version of this notice is
>> clear-signed with the Cisco PSIRT PGP key and is posted to the following
>> e-mail and Usenet news recipients.
>> 
>> * cust-security-announce at cisco.com
>> * first-bulletins at lists.first.org
>> * bugtraq at securityfocus.com
>> * vulnwatch at vulnwatch.org
>> * cisco at spot.colorado.edu
>> * cisco-nsp at puck.nether.net
>> * full-disclosure at lists.grok.org.uk
>> * comp.dcom.sys.cisco at newsgate.cisco.com
>> 
>> Future updates of this advisory, if any, will be placed on Cisco's
>> worldwide website, but may or may not be actively announced on mailing
>> lists or newsgroups. Users concerned about this problem are encouraged
>> to check the above URL for any updates.
>> 
>> Revision History
>> ================
>> 
>> +------------------------------------------------------------+
>> | Revision 1.0  | 2011-January-26  | Initial public release. |
>> +------------------------------------------------------------+
>> 
>> 
>> Cisco Security Procedures
>> =========================
>> 
>> Complete information on reporting security vulnerabilities
>> in Cisco products, obtaining assistance with security
>> incidents, and registering to receive security information
>> from Cisco, is available on Cisco's worldwide website at
>> http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
>> This includes instructions for press inquiries regarding
>> Cisco security notices. All Cisco security advisories are available at
>> http://www.cisco.com/go/psirt.
>> 
>> +--------------------------------------------------------------------
>> Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
>> +--------------------------------------------------------------------
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
> 
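A version check, added here as an example and not part of the advisory or of this thread: it parses the `show version` banner the advisory tells operators to collect from the CSG2 and applies the advisory's fix table to it. The sample banner is copied from the advisory's own example; the function names and the result dictionary are my own.

```python
import re

# Added example, not from the advisory: decide from a CSG2 "show version"
# banner whether the module is affected, using the fix table published in
# cisco-sa-20110126-csg2. Function names and the result dict are assumptions.

# Sample banner, copied from the advisory's "show version" example.
SAMPLE_SHOW_VERSION = """CSG2#show version
Cisco IOS Software, SAMI Software (SAMI-CSGK9-M), Version 12.4(24)MD1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
"""

# Matches e.g. "Version 12.4(24)MD1" or "Version 12.4(22)MDA5":
# major.minor(maintenance)TRAIN rebuild; train and rebuild are optional.
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)\)([A-Z]+)?(\d+)?")


def parse_ios_version(show_version_text):
    """Return (major, minor, maintenance, train, rebuild) from 'show version' output.

    '12.4(24)MD1' -> (12, 4, 24, 'MD', 1); a release with no rebuild number gets 0.
    """
    m = VERSION_RE.search(show_version_text)
    if m is None:
        raise ValueError("no Cisco IOS version string found in output")
    major, minor, maint, train, rebuild = m.groups()
    return (int(major), int(minor), int(maint), train or "", int(rebuild or 0))


def assess_csg2(version):
    """Apply the advisory's fix table to a parsed version tuple.

    'service_policy_bypass': True/False for CSCtk35917 (CVE-2011-0348), or
                             None when the train is not listed in the table.
    'dos':                   True/False for CSCth17178/CSCth41891
                             (CVE-2011-0349/CVE-2011-0350).
    'first_fixed':           release the table names as the first fix, when
                             the running release is affected and one is listed.
    """
    major, minor, maint, train, rebuild = version
    result = {"service_policy_bypass": False, "dos": False, "first_fixed": None}

    # 12.0-12.3 and 15.0-15.1 based releases are not affected at all.
    if (major, minor) != (12, 4):
        return result

    # The DoS bugs exist only in 12.4(24)MD1 (first fixed in 12.4(24)MD2).
    result["dos"] = (train, maint, rebuild) == ("MD", 24, 1)

    # Service policy bypass: (affected?, first fixed release named by the table)
    table = {
        ("MD", 11): (True, None),            # all 12.4(11)MD releases affected
        ("MD", 15): (True, None),            # all 12.4(15)MD releases affected
        ("MD", 22): (True, None),            # all 12.4(22)MD releases affected
        ("MD", 24): (rebuild < 3, "12.4(24)MD3"),
        ("MDA", 22): (rebuild < 5, "12.4(22)MDA5"),
        ("MDA", 24): (rebuild < 3, "12.4(24)MDA3"),
    }
    if (train, maint) not in table:
        result["service_policy_bypass"] = None   # not in the table: check manually
        return result
    affected, fixed_in = table[(train, maint)]
    result["service_policy_bypass"] = affected
    if affected:
        result["first_fixed"] = fixed_in
    return result


def check_show_version(show_version_text):
    """Convenience wrapper: parse the banner and assess it in one call."""
    return assess_csg2(parse_ios_version(show_version_text))
```

For the 12.4(11)MD, 12.4(15)MD and 12.4(22)MD rows the table only says "migrate to a fixed release", so `first_fixed` stays `None` there even though the release is affected.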



