Cisco has fixed multiple malformed packet vulnerabilities in the TCP/IP stacks of Cisco ONS 15327 Edge Optical Transport Platform, the Cisco ONS 15454 Optical Transport Platform, the Cisco ONS 15454 SDH Multiplexer Platform, and the Cisco ONS 15600 Multiservice Switching Platform.
These vulnerabilities are documented as the following Cisco bug IDs:
- CSCed06531 (IP)
- CSCed86946 (ICMP)
- CSCec88426/CSCec88508/CSCed85088/CSCeb07263/CSCec21429 (TCP)
- CSCec59739/CSCed02439/CSCed22547 (Last-ACK)
- CSCec88402/CSCed31918/CSCed83309/CSCec85982/CSCec21435/CSCee03697 (UDP)
- CSCea16455/CSCea37089/CSCea37185 (SNMP)
- CSCee27329 (passwd)
Workarounds that mitigate exposure to these vulnerabilities are described in the Workarounds section of this advisory. Cisco is providing fixed software and recommends that customers upgrade to it.
This advisory will be posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040721-ons.
This section provides details on affected products.
Vulnerable Products
These products are vulnerable:
CSCed06531 (IP)

| Product | Affected Releases |
|---|---|
| 15327 | 4.6(0) and 4.6(1); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x) and earlier |
| 15454, 15454 SDH | 4.6(0) and 4.6(1); 4.5(x); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x); earlier than 2.3(5) |
| 15600 | Not Affected |
CSCed86946 (ICMP)

| Product | Affected Releases |
|---|---|
| 15327 | 4.6(0) and 4.6(1); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x) and earlier |
| 15454, 15454 SDH | 4.6(0) and 4.6(1); 4.5(x); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x); earlier than 2.3(5) |
| 15600 | Not Affected |
CSCec88426/CSCec88508/CSCed85088/CSCeb07263/CSCec21429 (TCP)

| Product | Affected Releases |
|---|---|
| 15327 | 4.6(0) and 4.6(1); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x) and earlier |
| 15454, 15454 SDH | 4.6(0) and 4.6(1); 4.5(x); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x); earlier than 2.3(5) |
| 15600 | 1.x(x) |
CSCec59739/CSCed02439/CSCed22547 (Last-ACK)

| Product | Affected Releases |
|---|---|
| 15327 | 4.6(0) and 4.6(1); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x) and earlier |
| 15454, 15454 SDH | 4.6(0) and 4.6(1); 4.5(x); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x); earlier than 2.3(5) |
| 15600 | Not Affected |
CSCec88402/CSCed31918/CSCed83309/CSCec85982/CSCec21435/CSCee03697 (UDP)

| Product | Affected Releases |
|---|---|
| 15327 | 4.6(0) and 4.6(1); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x) and earlier |
| 15454, 15454 SDH | 4.6(0) and 4.6(1); 4.5(x); 4.1(0) to 4.1(3); 4.0(0) to 4.0(2); 3.x(x); earlier than 2.3(5) |
| 15600 | 1.x(x) |
CSCea16455/CSCea37089/CSCea37185 (SNMP)

| Product | Affected Releases |
|---|---|
| 15327 | 4.1(0) to 4.1(2); 4.0(0) to 4.0(2); 3.x(x) and earlier |
| 15454, 15454 SDH | 4.5(x); 4.1(0) to 4.1(2); 4.0(0) to 4.0(2); 3.x(x); earlier than 2.3(5) |
| 15600 | Not Affected |
CSCee27329 (passwd)

| Product | Affected Releases |
|---|---|
| 15327 | 4.6(0) and 4.6(1) |
| 15454, 15454 SDH | 4.6(0) and 4.6(1) |
| 15600 | Not Affected |
Products Confirmed Not Vulnerable
For clarification, the following products are not affected by these vulnerabilities.
- Cisco ONS 15800 series
- ONS 15500 series extended service platform
- ONS 15302, ONS 15305, ONS 15200 series metro DWDM systems
- ONS 15190 series IP transport concentrator
No other Cisco products are currently known to be affected by these vulnerabilities.
To determine your software revision, view the Help > About window on the CTC management software.
The affected Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 hardware is managed through the XTC, TCC/TCC+/TCC2, TCCi/TCC2, and TSC control cards, respectively. These control cards are usually connected to a network that is isolated from the Internet and local to the customer's environment, which limits exposure to exploitation of these vulnerabilities from the Internet.
CSCed06531 (IP)
Malformed IP packets may cause the XTC, TCC/TCC+/TCC2, and TCCi/TCC2 control cards to reset. Repeated transmission of these malformed packets could cause both control cards to reset at the same time.
The Cisco ONS 15600 hardware is not affected by this issue.
CSCed86946 (ICMP)
Malformed ICMP packets may cause the XTC, TCC/TCC+/TCC2, and TCCi/TCC2 control cards to reset. Repeated transmission of these malformed packets could cause both control cards to reset at the same time.
The Cisco ONS 15600 hardware is not affected by this issue.
CSCec88426/CSCec88508/CSCed85088/CSCeb07263/CSCec21429 (TCP)
Malformed TCP packets may cause the XTC, TCC/TCC+/TCC2, TCCi/TCC2, and TSC control cards to reset. Repeated transmission of these malformed packets could cause both control cards to reset at the same time.
Cisco bug IDs CSCec88426, CSCec88508, and CSCed85088 document the issue on the Cisco ONS 15327, ONS 15454, and ONS 15454 SDH; Cisco bug IDs CSCeb07263 and CSCec21429 document the issue on the Cisco ONS 15600 hardware.
There is no traffic impact on the Cisco ONS 15600 hardware; only manageability functions are affected by this issue.
CSCec59739/CSCed02439/CSCed22547 (Last-ACK)
The XTC, TCC/TCC+/TCC2, and TCCi/TCC2 control cards are susceptible to a TCP-ACK Denial of Service (DoS) attack on open TCP ports. The control card on the optical device resets under such an attack.
A TCP-ACK DoS attack is conducted by withholding the regular final ACK required to complete the TCP 3-way handshake and instead sending an invalid response that moves the connection into an invalid TCP state.
The Cisco ONS 15600 hardware is not affected by this issue.
CSCec88402/CSCed31918/CSCed83309/CSCec85982/CSCec21435/CSCee03697 (UDP)
Malformed UDP packets may cause the XTC, TCC/TCC+/TCC2, TCCi/TCC2, and TSC control cards to reset. Repeated transmission of these malformed packets could cause both control cards to reset at the same time.
Cisco bug IDs CSCec88402, CSCed31918, CSCed83309, and CSCec85982 document the issue on the Cisco ONS 15327, ONS 15454, and ONS 15454 SDH; Cisco bug IDs CSCec21435 and CSCee03697 document the issue on the Cisco ONS 15600 hardware.
There is no traffic impact on the Cisco ONS 15600 hardware; only manageability functions are affected by this issue.
CSCea16455/CSCea37089/CSCea37185 (SNMP)
Malformed SNMP packets may cause the XTC, TCC/TCC+/TCC2, and TCCi/TCC2 control cards to reset. Repeated transmission of these malformed packets could cause both control cards to reset at the same time.
The Cisco ONS 15600 hardware is not affected by this issue.
CSCee27329 (passwd)
If an account has a blank password set, a login attempt to the device with a password greater than ten characters in length succeeds.
This vulnerability affects only the TL1 login interface. The CTC login interface is not affected.
The CTC and TL1 user interfaces prevent setting a blank password. Only the CISCO15 user ID has a blank password, and only during the initial install process; that password is to be changed as part of the initial install process.
The Cisco ONS 15600 hardware is not affected by this issue.
The Internetworking Terms and Cisco Systems Acronyms online guides can be found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/.
These vulnerabilities are documented in the Cisco Bug Toolkit as Bug IDs CSCec88426/CSCec88508/CSCed85088/CSCeb07263/CSCec21429 (TCP), CSCec59739/CSCed02439/CSCed22547 (Last-ACK), CSCec88402/CSCed31918/CSCed83309/CSCec85982/CSCec21435/CSCee03697 (UDP), CSCea16455/CSCea37089/CSCea37185 (SNMP), and CSCee27329 (passwd) (registered customers only).
Apply ACLs (access control lists) on routers / switches / firewalls installed in front of the vulnerable network devices such that TCP/IP traffic destined for the XTC, TCC/TCC+/TCC2, TCCi/TCC2, or TSC control cards on the switches is only allowed from the network management workstations. Refer to http://www.cisco.com/warp/public/707/tacl.html for examples on how to apply access control lists (ACLs) on Cisco routers.
Please note that these workarounds will not prevent spoofed IP packets, with the source IP address set to that of the network management station, from reaching the switch's management interface. For more information on anti-spoofing, refer to /en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#sec_ip and http://www.ietf.org/rfc/rfc2827.txt. The Unicast Reverse Path Forwarding (Unicast RPF) feature helps to mitigate problems caused by malformed or forged IP source addresses passing through a router; refer to http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfrpf.htm.
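As an added illustration of the ACL and anti-spoofing workaround above (this fragment is not from the advisory or from Cisco), the following Cisco IOS configuration assumes a router sitting in front of the ONS management LAN, a single network management workstation at 192.0.2.10, and a control-card management address of 198.51.100.5; both addresses and the interface name are placeholders.

```ios
! Added example, not from the advisory. Placeholder addresses:
!   192.0.2.10   = network management workstation (CTC / TL1 / SNMP manager)
!   198.51.100.5 = management address of the ONS control card (XTC / TCC / TSC)
ip access-list extended ONS-CONTROL-CARD-IN
 remark Only the management workstation may reach the control card
 permit ip host 192.0.2.10 host 198.51.100.5
 remark Any other traffic destined for the control card is dropped and logged
 deny   ip any host 198.51.100.5 log
 remark Traffic not destined for the control card is left alone
 permit ip any any
!
interface FastEthernet0/0
 description Interface facing the network that carries management traffic
 ip access-group ONS-CONTROL-CARD-IN in
 ! Strict Unicast RPF: drop packets whose source address is not routed back
 ! through this interface, so a forged 192.0.2.10 source from elsewhere is dropped
 ip verify unicast source reachable-via rx
```

The deny-and-log entry gives a record of the malformed-packet floods this advisory describes, but on a router that forwards heavy traffic, consider rate-limiting ACL logging or omitting the log keyword so that logging itself does not load the router CPU.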
For the CSCee27329 (passwd) vulnerability, ensure that there are no blank passwords set in the user database, and ensure that the CISCO15 user ID has a strong password set.
The Cisco PSIRT recommends that affected users upgrade to a fixed software version of code.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
First fixed software release table for all vulnerabilities referenced in this Security Advisory

| Product | Fixed Releases |
|---|---|
| 15327 | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later |
| 15454, 15454 SDH | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later; 2.3(5) |
| 15600 | 5.0 and later |
CSCed06531 (IP)

| Product | Fixed Releases |
|---|---|
| 15327 | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later |
| 15454, 15454 SDH | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later; 2.3(5) |
| 15600 | Not Affected |
CSCed86946 (ICMP)

| Product | Fixed Releases |
|---|---|
| 15327 | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later |
| 15454, 15454 SDH | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later; 2.3(5) |
| 15600 | Not Affected |
CSCec88426/CSCec88508/CSCed85088/CSCeb07263/CSCec21429 (TCP)

| Product | Fixed Releases |
|---|---|
| 15327 | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later |
| 15454, 15454 SDH | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later; 2.3(5) |
| 15600 | 5.0 and later |
CSCec59739/CSCed02439/CSCed22547 (Last-ACK)

| Product | Fixed Releases |
|---|---|
| 15327 | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later |
| 15454, 15454 SDH | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later; 2.3(5) |
| 15600 | Not Affected |
CSCec88402/CSCed31918/CSCed83309/CSCec85982/CSCec21435/CSCee03697 (UDP)

| Product | Fixed Releases |
|---|---|
| 15327 | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later |
| 15454, 15454 SDH | 4.6(2) and later; 4.1(4) and later; 4.0(3) and later; 2.3(5) |
| 15600 | 5.0 and later |
CSCea16455/CSCea37089/CSCea37185 (SNMP)

| Product | Fixed Releases |
|---|---|
| 15327 | 4.1(3) and later; 4.0(3) and later |
| 15454, 15454 SDH | 4.6(0) and later; 4.1(3) and later; 4.0(3) and later; 2.3(5) |
| 15600 | Not Affected |
CSCee27329 (passwd)

| Product | Fixed Releases |
|---|---|
| 15327 | 4.6(2) and later |
| 15454, 15454 SDH | 4.6(2) and later |
| 15600 | Not Affected |
The vulnerabilities for the Cisco ONS 15600 platforms are fixed in the Cisco ONS software Release 5.0, which will be available in September 2004.
Upgrade procedures can be found as indicated below:
The procedure to upgrade to the fixed software version on the Cisco ONS 15327 hardware is detailed at http://www.cisco.com/univercd/cc/td/doc/product/ong/15327/327doc41/index.htm.
The procedure to upgrade to the fixed software version on the Cisco ONS 15454 hardware is detailed at http://www.cisco.com/univercd/cc/td/doc/product/ong/15400/r46docs/index.htm.
The procedure to upgrade to the fixed software version on the Cisco ONS 15600 hardware is detailed at http://cisco.com/univercd/cc/td/doc/product/ong/15600/index.htm.
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
These vulnerabilities were uncovered during internal stress testing by Cisco, except for the malformed ICMP packet vulnerability, which was reported to Cisco by a customer.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.