Cisco Security Advisory: Multiple Vulnerabilities in Firewall Services Module
2007-02-14 11:13:07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cisco Security Advisory: Multiple Vulnerabilities in Firewall Services Module

Advisory ID: cisco-sa-20070214-fwsm

http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml

Revision 1.0

For Public Release 2007 February 14 1600 UTC (GMT)

-----------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities exist in the Cisco Firewall Services Module (FWSM). These vulnerabilities occur in the processing of specific Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), Session Initiation Protocol (SIP), and Simple Network Management Protocol (SNMP) traffic. If verbose logging is enabled for debugging purposes, a vulnerability exists when the FWSM processes packets destined to itself. All of these vulnerabilities may result in a reload of the device.

An additional vulnerability is included in this advisory in which the manipulation of access control lists (ACLs) that make use of object groups may corrupt the ACL and create a situation where unwanted traffic may be permitted or desirable traffic may be blocked.

These vulnerabilities are independent of each other; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

Cisco has made free software available to address this issue for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml

Affected Products
=================

The vulnerabilities described in this document apply to the FWSM. The companion advisory http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml contains information about similar vulnerabilities that affect the Cisco PIX 500 Series Security Appliances and the Cisco ASA 5500 Series Adaptive Security Appliances.

Vulnerable Products
+------------------

The following table indicates which software releases for the Cisco FWSM are affected and under what conditions:

+--------------------------------+--------------------------------------+-------------+----------------------------+--------------+
| Vulnerability Name             | Only affected if...                  | Vulnerable  | Versions affected          | Cisco Bug ID |
|                                |                                      | by default? |                            |              |
|--------------------------------+--------------------------------------+-------------+----------------------------+--------------|
| 1. Enhanced Inspection of      | Enhanced inspection of HTTP traffic  | No          | All 3.x software releases  | CSCsd75794   |
| Malformed HTTP Traffic May     | is enabled through the command       |             | prior to 3.1(3.24)         |              |
| Cause Reload                   | "inspect http <appfw>"               |             |                            |              |
|--------------------------------+--------------------------------------+-------------+----------------------------+--------------|
| 2. Inspection of Malformed SIP | SIP inspection is enabled through    | Yes for 2.x | All software releases      | CSCsg80915   |
| Messages May Cause Reload      | the command "fixup protocol sip"     | and no for  | prior to 2.3(4.12) and     |              |
|                                | (in FWSM software 2.x and before)    | 3.x         | all 3.x releases prior     |              |
|                                | or through the command "inspect      |             | to 3.1(3.24)               |              |
|                                | sip" (in FWSM software 3.x and       |             |                            |              |
|                                | later)                               |             |                            |              |
|--------------------------------+--------------------------------------+-------------+----------------------------+--------------|
| 3. Processing of Packets       | Logging at "debugging" level         | No          | All 3.x software releases  | CSCse85707   |
| Destined to the FWSM May       | (regardless of the logging           |             | prior to 3.1(3.3)          |              |
| Cause Reload                   | destination) and syslog message      |             |                            |              |
|                                | 710006 is enabled                    |             |                            |              |
|--------------------------------+--------------------------------------+-------------+----------------------------+--------------|
| 4. Processing of Malformed     | Network access authentication is     | No          | All 3.x software releases  | CSCsg50228   |
| HTTPS Traffic May Cause Reload | enabled through the "aaa             |             | prior to 3.1(3.18)         |              |
|                                | authentication match" or "aaa        |             |                            |              |
|                                | authentication include" commands     |             |                            |              |
|--------------------------------+--------------------------------------+-------------+----------------------------+--------------|
| 5. Processing of Long HTTP     | Network access authentication is     | No          | All 3.x software releases  | CSCsd91268   |
| Requests May Cause Reload      | enabled through the "aaa             |             | prior to 3.1(2)            |              |
|                                | authentication match" or "aaa        |             |                            |              |
|                                | authentication include" commands     |             |                            |              |
|--------------------------------+--------------------------------------+-------------+----------------------------+--------------|
| 6. Processing HTTPS Traffic    | HTTPS server is enabled through      | No          | All 3.x releases prior to  | CSCsf29974   |
| May Cause a Reload             | the "http server enable" command     |             | 3.1(3.11)                  |              |
|--------------------------------+--------------------------------------+-------------+----------------------------+--------------|
| 7. Processing of Malformed SNMP| SNMP traffic from a particular IP    | No          | All 3.x releases prior to  | CSCse52679   |
| Requests May Cause a Reload    | address is permitted through the     |             | 3.1(3.1)                   |              |
|                                | command "snmp-server host            |             |                            |              |
|                                | <interface name> <IP address of      |             |                            |              |
|                                | SNMP server>"                        |             |                            |              |
|--------------------------------+--------------------------------------+-------------+----------------------------+--------------|
| 8. Manipulation of ACL May     | ACL makes use of object groups       | No          | All software releases      | CSCse60868   |
| Cause ACL Corruption           | and ACL is manipulated by an         |             | prior to 2.3(4.7) and all  | and          |
|                                | administrator                        |             | 3.x releases prior to      | CSCse99740   |
|                                |                                      |             | 3.1(3.1)                   |              |
+--------------------------------+--------------------------------------+-------------+----------------------------+--------------+

The relationship between the vulnerabilities described in this advisory and the equivalent vulnerabilities in the Cisco PIX 500 Series Security Appliances and Cisco ASA 5500 Series Adaptive Security Appliances is given in the following table. If a vulnerability discussed in this document is not present in this table, it does not affect the Cisco PIX 500 Series Security Appliances and Cisco ASA 5500 Series Adaptive Security Appliances.

+----------------------------------+----------------+--------------+
| Vulnerability                    | PIX/ASA Bug ID | FWSM Bug ID  |
|----------------------------------+----------------+--------------|
| Enhanced Inspection of Malformed | CSCsd75794     | CSCsd75794   |
| HTTP Traffic May Cause Reload    |                |              |
|----------------------------------+----------------+--------------|
| Inspection of Malformed SIP      | CSCse27708 and | CSCsg80915   |
| Messages May Cause Reload        | CSCsd97077     |              |
+----------------------------------+----------------+--------------+

To determine if you are running a vulnerable version of FWSM software, issue the "show module" command in IOS or CatOS to identify what modules and sub-modules are installed in the system.

The example below shows a system with a Firewall Service Module (WS-SVC-FWM-1) installed in slot 4.

    6506-B#show module
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      1   48  SFM-capable 48 port 10/100/1000mb RJ45  WS-X6548-GE-TX     SAxxxxxxxxx
      4    6  Firewall Module                         WS-SVC-FWM-1       SAxxxxxxxxx
      5    2  Supervisor Engine 720 (Active)          WS-SUP720-BASE     SAxxxxxxxxx
      6    2  Supervisor Engine 720 (Hot)             WS-SUP720-BASE     SAxxxxxxxxx


After locating the correct slot, issue the "show module <slot number>" command to identify the version of software running:

    6506-B#sho module 4
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      4    6  Firewall Module                         WS-SVC-FWM-1       SAxxxxxxxxx

    Mod MAC addresses                       Hw    Fw           Sw           Status
    --- ---------------------------------- ------ ------------ ------------ -------
      4  0003.e4xx.xxxx to 0003.e4xx.xxxx   3.0   7.2(1)       2.3(1)       Ok


In this example, the FWSM is running version 2.3(1) as indicated by the column under "Sw" above.

Note: recent versions of IOS will show the software version of each module in the output from the "show module" command, so executing the "show module <slot number>" command is not necessary.

Alternatively, the information may also be gained directly from the FWSM through the "show version" command:

    FWSM#show version

    FWSM Firewall Version 2.3(1)


For customers managing their FWSM through the PIX Device Manager (PDM) or the Cisco Adaptive Security Device Manager (ASDM), log into the application, and the version may be found either in the table in the login window or in the upper left hand corner of the PDM/ASDM window, indicated by a label similar to:

FWSM Version: 2.3(1)

Products Confirmed Not Vulnerable
+--------------------------------

With the exception of the Cisco PIX 500 Series Security Appliances and the Cisco ASA 5500 Series Adaptive Security Appliances, no other Cisco products are known to be vulnerable to the issues described in this advisory.

Details
=======

The Cisco Firewall Services Module is a high-speed, integrated firewall module for Catalyst 6500 series switches and Cisco 7600 series routers. It offers firewall services with stateful packet filtering and deep packet inspection.

Multiple vulnerabilities exist in certain versions of the FWSM software that may cause the device to unexpectedly reload or that may cause traffic to be permitted or denied contrary to the security policy in place.

1. Enhanced Inspection of Malformed HTTP Traffic May Cause Reload
+----------------------------------------------------------------

This vulnerability may cause a FWSM to reload when the FWSM performs enhanced inspection of HTTP requests, and a malformed HTTP request is inspected by the FWSM. The FWSM only performs enhanced inspection of HTTP traffic when the command "inspect http <appfw>" is present in the configuration (appfw is the name of a specific HTTP map). This command is disabled by default.

Note: Enhanced inspection of HTTP traffic is what makes a configuration affected. Regular inspection of HTTP traffic (through the command "inspect http" without an HTTP map) will not make a configuration affected by this vulnerability.

For information on what enhanced inspection of HTTP traffic does, and how to configure it, please refer to the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_3_1/fwsm_cfg/inspct_f.htm#wp1390330

This vulnerability is documented in Cisco Bug ID CSCsd75794.



2. Inspection of Malformed SIP Messages May Cause Reload
+-------------------------------------------------------

This vulnerability may cause a FWSM to reload when a malformed SIP message is received and deep packet inspection of SIP messages is enabled through the command "fixup protocol sip" (in FWSM software 2.3.x and before) or through the command "inspect sip" (in FWSM software 3.x and later). SIP inspection is enabled by default in the 2.3.x series and before and is disabled by default in the 3.x series and later.

This vulnerability is documented in Cisco Bug ID CSCsg80915.



3. Processing of Packets Destined to the FWSM May Cause Reload
+-------------------------------------------------------------

This vulnerability will cause the FWSM to reload when trying to generate syslog message 710006. For this to happen the following two conditions must be satisfied:

  * The FWSM receives a packet for one of the device's IP addresses and the message is not one of the following protocols: TCP, UDP, ICMP, OSPF, Failover, PIM, IGMP, and ESP. The source of the packet is not relevant.
  * Logging must be enabled at a level high enough to generate syslog message 710006. By default this is debugging level (level 7). Please note that logging is disabled by default, and Cisco recommends customers only log at debugging level for debugging and troubleshooting purposes.

    Note: The documentation for the Cisco Security Monitoring, Analysis and Response System (CS-MARS) suggests logging at the debugging level so more events can be reported by the firewall.

For more information on syslog message 710006 please refer to the following document:

  * Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Logging Configuration and System Log Messages, 3.1
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_3_1/fwsm_log/logmsgs.htm#wp1285757

This vulnerability is documented in Cisco Bug ID CSCse85707.



4. Processing of Malformed HTTPS Requests May Cause Reload
+---------------------------------------------------------

This vulnerability may cause the FWSM to reload when a user tries to access a web site and the network administrator has configured the device to authenticate users before granting them network access. This feature is known as "authentication for network access", or auth-proxy, and is enabled through the command "aaa authentication match" or "aaa authentication include".

The reload is actually triggered by a specific HTTPS request that is invalid, and therefore unlikely to be generated by a regular web browser.

This vulnerability is documented in Cisco Bug ID CSCsg50228.


5. Processing of Long HTTP Requests May Cause Reload
+---------------------------------------------------

This vulnerability may also cause the FWSM to reload when the administrator has enabled "authentication for network access" ("auth-proxy") through the commands "aaa authentication match" or "aaa authentication include". However, in this case, the HTTP request that causes the reload is valid, although it is not a normal request in the sense that the URL being requested is very long. A web browser could potentially generate such a request during regular browsing.

This vulnerability is documented in Cisco Bug ID CSCsd91268.



6. Processing of HTTPS Traffic May Cause Reload
+----------------------------------------------

This vulnerability may cause a FWSM to reload when the FWSM receives a particular type of HTTPS traffic directed to the FWSM itself. This is only a concern when the HTTPS server on the FWSM is enabled through the command "http server enable". This command is disabled by default.

Cisco is aware of a commercial vulnerability scanner that can generate the HTTPS traffic that triggers the reload. We are not aware of regular web browser traffic that triggers this bug.

This vulnerability is documented in Cisco Bug ID CSCsf29974.



7. Processing of Malformed SNMP Requests May Cause a Reload
+----------------------------------------------------------

This vulnerability may cause a FWSM to reload upon receipt of a malformed SNMP message from a trusted device. The trusted device must be allowed explicit SNMP poll access via the command "snmp-server host <interface name> <IP of trusted device>".

This vulnerability is documented in Cisco Bug ID CSCse52679.


8. Manipulation of ACL May Cause ACL Corruption
+----------------------------------------------

This vulnerability may cause access control entries (ACEs) in an ACL to be evaluated out of order, or not to be evaluated. This ACL corruption is manifested, besides the obvious traffic implications, when the output from the "show access-list" command and the corresponding ACL shown by the "show running-config" command appear to be out of sync. Only a manual reload of the device will cause this condition to go away.

The ACL corruption occurs when an ACL that makes use of object groups is manipulated.

This vulnerability is documented in Cisco Bug IDs CSCse60868 and CSCse99740.
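Every enabling condition in the eight items above is visible in the running configuration, so a configuration can be audited before deciding which fixes or workarounds apply. The following Python script is an added example, not part of Cisco's advisory: it walks a constructed FWSM-style configuration snippet and reports which of the advisory's conditions are present, using the command forms the advisory names (including the distinction between plain "inspect http", which is not affected, and "inspect http <appfw>", and the two ways item 3 can be neutralised: logging below level 7 or "no logging message 710006"). The sample configuration, the function names and the level-name mapping are this example's own assumptions; it checks conditions only, not the software version.

```python
import re

# Severity names accepted by the FWSM "logging <destination> <level>" command
# (assumed mapping: standard syslog severities, 0 = emergencies .. 7 = debugging).
SYSLOG_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
LOGGING_CMD = re.compile(r"logging (?:buffered|console|monitor|trap|asdm|history) (\S+)")
LEVEL_OF_710006 = 7  # default level of syslog message 710006 per the advisory


def parse_level(token):
    """Translate a numeric or named syslog level into an integer (None if unknown)."""
    if token.isdigit():
        return int(token)
    return SYSLOG_LEVELS.get(token.lower())


def audit_fwsm_config(config_text):
    """Return a sorted list of (item_number, finding) for each advisory condition present.

    Item numbers follow the advisory's numbering (1-8). Each check mirrors only the
    enabling condition the advisory states; the software version is not considered.
    """
    lines = [line.strip() for line in config_text.splitlines()]
    findings = []

    # 1. Enhanced HTTP inspection: "inspect http <appfw>". Plain "inspect http" is not affected.
    for line in lines:
        m = re.fullmatch(r"inspect http (\S+)", line)
        if m:
            findings.append((1, 'enhanced HTTP inspection via HTTP map "%s"' % m.group(1)))

    # 2. SIP inspection: "inspect sip" (3.x) or "fixup protocol sip" (2.x and earlier).
    if any(line == "inspect sip" or line.startswith("fixup protocol sip") for line in lines):
        findings.append((2, "SIP inspection is enabled"))

    # 3. Any logging destination at debugging level while message 710006 is still enabled.
    message_suppressed = "no logging message 710006" in lines
    for line in lines:
        m = LOGGING_CMD.fullmatch(line)
        if m and not message_suppressed:
            level = parse_level(m.group(1))
            if level is not None and level >= LEVEL_OF_710006:
                findings.append((3, 'logging at level %d ("%s") with 710006 enabled' % (level, line)))

    # 4 and 5. Authentication for network access (auth-proxy) share one enabling condition.
    if any(line.startswith(("aaa authentication match", "aaa authentication include")) for line in lines):
        findings.append((4, "network access authentication (auth-proxy) is enabled"))
        findings.append((5, "network access authentication (auth-proxy) is enabled"))

    # 6. HTTPS server on the FWSM itself.
    if "http server enable" in lines:
        findings.append((6, "HTTPS server is enabled"))

    # 7. A host explicitly permitted to poll the device over SNMP.
    for line in lines:
        if line.startswith("snmp-server host "):
            findings.append((7, 'SNMP polling permitted: "%s"' % line))

    # 8. ACLs whose entries reference object groups.
    acl_names = {line.split()[1] for line in lines
                 if line.startswith("access-list ") and " object-group " in line}
    for name in sorted(acl_names):
        findings.append((8, 'ACL "%s" uses object groups' % name))

    return sorted(findings)


# Constructed sample configuration (not from any real device); it deliberately
# uses plain "inspect http" so that item 1 is NOT reported.
SAMPLE_CONFIG = """
hostname FWSM-lab
logging enable
logging trap debugging
snmp-server host inside 10.1.1.50 community public
http server enable
http 192.168.1.10 255.255.255.255 inside
aaa authentication match AUTH_ACL inside RADIUS
object-group network WEB_SERVERS
 network-object host 10.1.1.10
access-list outside_in extended permit tcp any object-group WEB_SERVERS eq www
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
  inspect sip
  inspect dns maximum-length 512
service-policy global_policy global
"""

if __name__ == "__main__":
    for item, finding in audit_fwsm_config(SAMPLE_CONFIG):
        print("item %d: %s" % (item, finding))
```

Running the script against the sample reports items 2 through 8 and nothing for item 1; changing "logging trap debugging" to "logging trap informational", or adding "no logging message 710006", removes the item 3 finding, which is exactly the pair of workarounds the advisory gives for that item.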


Vulnerability Scoring Details
+----------------------------

Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS).

Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability.

CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss.


CSCsd75794 - Enhanced inspection of Malformed HTTP traffic can crash device

CVSS Base Score: 3.3
    Access Vector: Remote
    Access Complexity: Low
    Authentication: Not Required
    Confidentiality Impact: None
    Integrity Impact: None
    Availability Impact: Complete
    Impact Bias: Normal

CVSS Temporal Score: 2.7
    Exploitability: Functional
    Remediation Level: Official Fix
    Report Confidence: Confirmed


CSCsg80915 - FWSM - Traceback when inspecting SIP packets

CVSS Base Score: 3.3
    Access Vector: Remote
    Access Complexity: Low
    Authentication: Not Required
    Confidentiality Impact: None
    Integrity Impact: None
    Availability Impact: Complete
    Impact Bias: Normal

CVSS Temporal Score: 2.7
    Exploitability: Functional
    Remediation Level: Official Fix
    Report Confidence: Confirmed


CSCse85707 - FWSM crash when printing debug level syslog 710006

CVSS Base Score: 2.7
    Access Vector: Remote
    Access Complexity: High
    Authentication: Not Required
    Confidentiality Impact: None
    Integrity Impact: None
    Availability Impact: Complete
    Impact Bias: Normal

CVSS Temporal Score: 2.2
    Exploitability: Functional
    Remediation Level: Official Fix
    Report Confidence: Confirmed


CSCsg50228 - FWSM ST MODE crashes at Thread NAME: uauth with RADIUS

CVSS Base Score: 2.7
    Access Vector: Remote
    Access Complexity: High
    Authentication: Not Required
    Confidentiality Impact: None
    Integrity Impact: None
    Availability Impact: Complete
    Impact Bias: Normal

CVSS Temporal Score: 2.2
    Exploitability: Functional
    Remediation Level: Official Fix
    Report Confidence: Confirmed


CSCsd91268 - FWSM crashes at Thread: uauth while using aaa with TACACS

CVSS Base Score: 3.3
    Access Vector: Remote
    Access Complexity: Low
    Authentication: Not Required
    Confidentiality Impact: None
    Integrity Impact: None
    Availability Impact: Complete
    Impact Bias: Normal

CVSS Temporal Score: 2.7
    Exploitability: Functional
    Remediation Level: Official Fix
    Report Confidence: Confirmed


CSCsf29974 - Crash in emweb/https thread 

CVSS Base Score: 3.3
    Access Vector: Remote
    Access Complexity: Low
    Authentication: Not Required
    Confidentiality Impact: None
    Integrity Impact: None
    Availability Impact: Complete
    Impact Bias: Normal

CVSS Temporal Score: 2.7
    Exploitability: Functional
    Remediation Level: Official Fix
    Report Confidence: Confirmed


CSCse52679 - FWSM Crash in thread name SNMP

CVSS Base Score: 3.3
    Access Vector: Remote
    Access Complexity: Low
    Authentication: Not Required
    Confidentiality Impact: None
    Integrity Impact: None
    Availability Impact: Complete
    Impact Bias: Normal

CVSS Temporal Score: 2.7
    Exploitability: Functional
    Remediation Level: Official Fix
    Report Confidence: Confirmed




CSCse60868 - Modifying an ACL with an object-group could cause ACL corruption
and
CSCse99740 - When removing network objects the existing ACL lines are not removed


CVSS Base Score: 5.3
    Access Vector: Remote
    Access Complexity: High
    Authentication: Not Required
    Confidentiality Impact: Complete
    Integrity Impact: Complete
    Availability Impact: None
    Impact Bias: Normal

CVSS Temporal Score: 4.4
    Exploitability: Functional
    Remediation Level: Official Fix
    Report Confidence: Confirmed


Impact
======

In all cases, with the exception of the "Manipulation of ACL May Cause ACL Corruption" vulnerability, successful exploitation of any vulnerability may cause a reload of the affected device. Repeated exploitation could result in a sustained Denial-of-Service (DoS) condition.

In the case of the "Processing of Long HTTP Requests May Cause Reload" vulnerability (CSCsd91268), the reload occurs because a stack-based buffer is overflowed. In this case remote code execution may be possible.

In the case of the "Manipulation of ACL May Cause ACL Corruption" vulnerability, a device that becomes affected after an administrator manipulates an ACL with object groups may allow traffic that would normally be denied, or would deny traffic that would normally be permitted. If the ACL is used for other functions like NAT (policy NAT and NAT exemption), AAA (auth-proxy), or control of access to the device (SSH, Telnet, HTTP, ICMP), then those functions may be adversely affected as well.

Software Version and Fixes
==========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.

Each row of the FWSM software table (below) describes one of the vulnerabilities described in this document. For each vulnerability the earliest possible release that contains the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "First Fixed Release" column. A device running a release that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).

+--------------------------------------------+--------------------------------------------------+
| Vulnerability                              | First Fixed Release                              |
|--------------------------------------------+--------------------------------------------------|
| 1. Enhanced Inspection of Malformed HTTP   | 3.1(3.24) (the 2.3.x series are not affected)    |
| Traffic May Cause Reload (CSCsd75794)      |                                                  |
|--------------------------------------------+--------------------------------------------------|
| 2. Inspection of Malformed SIP Messages    | 2.3(4.12) for the 2.3.x series, and 3.1(3.24)    |
| May Cause Reload (CSCsg80915)              | for the 3.x series                               |
|--------------------------------------------+--------------------------------------------------|
| 3. Processing of Packets Destined to the   | 3.1(3.3) (the 2.3.x series are not affected)     |
| FWSM May Cause Reload (CSCse85707)         |                                                  |
|--------------------------------------------+--------------------------------------------------|
| 4. Processing of Malformed HTTPS Requests  | 3.1(3.18) (the 2.3.x series are not affected)    |
| May Cause Reload (CSCsg50228)              |                                                  |
|--------------------------------------------+--------------------------------------------------|
| 5. Processing of Long HTTP Requests May    | 3.1(1.9) (the 2.3.x series are not affected)     |
| Cause Reload (CSCsd91268)                  |                                                  |
|--------------------------------------------+--------------------------------------------------|
| 6. Processing HTTPS Traffic May Cause a    | 3.1(3.11) (the 2.3.x series are not affected)    |
| Reload (CSCsf29974)                        |                                                  |
|--------------------------------------------+--------------------------------------------------|
| 7. Processing of Malformed SNMP Requests   | 3.1(3.1) (the 2.3.x series are not affected)     |
| May Cause a Reload (CSCse52679)            |                                                  |
|--------------------------------------------+--------------------------------------------------|
| 8. Manipulation of ACL May Cause ACL       | 2.3(4.7) for the 2.3.x series, and 3.1(3.1)      |
| Corruption (CSCse60868 and CSCse99740)     | for the 3.x series                               |
+--------------------------------------------+--------------------------------------------------+

For the 2.3.x series, FWSM software version 2.3(4.12) contains the fixes for all the vulnerabilities described in this document.

For the 3.x series, FWSM software version 3.1(4) contains the fixes for all the vulnerabilities described in this document.
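The version check from the Affected Products section ("show module" and the "Sw" column) and the First Fixed Release table above combine into one routine check: read the release of every Firewall Module in a chassis and compare it with the first fixed release of each item. The following Python script is an added example, not part of the Cisco advisory. The release numbers in FIRST_FIXED are the table's; the dictionary layout, the function names, the constructed "show module" output (placeholder serials and MACs, with a second, invented FWSM in slot 7) and the ordering rule for interim builds (3.1(3) sorts before 3.1(3.24), which sorts before 3.1(4)) are this example's own assumptions.

```python
import re

# First Fixed Release per advisory item, keyed by FWSM major version
# (2 = the 2.3.x series, 3 = the 3.x series). None means the advisory lists
# that series as not affected. Release strings come from the advisory's table;
# the dictionary layout is this example's own.
FIRST_FIXED = {
    1: {2: None, 3: "3.1(3.24)"},
    2: {2: "2.3(4.12)", 3: "3.1(3.24)"},
    3: {2: None, 3: "3.1(3.3)"},
    4: {2: None, 3: "3.1(3.18)"},
    5: {2: None, 3: "3.1(1.9)"},
    6: {2: None, 3: "3.1(3.11)"},
    7: {2: None, 3: "3.1(3.1)"},
    8: {2: "2.3(4.7)", 3: "3.1(3.1)"},
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")


def parse_version(text):
    """Turn an FWSM release string such as '3.1(3.24)' into a comparable tuple.

    '3.1(3.24)' -> (3, 1, 3, 24) and '2.3(1)' -> (2, 3, 1). Python tuple ordering
    places an interim build after its base release (3.1(3) < 3.1(3.24) < 3.1(4)),
    which is assumed to match the advisory's "prior to" wording.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no FWSM version found in %r" % text)
    return tuple(int(g) for g in m.groups() if g is not None)


def vulnerable_items(version_str):
    """Return the advisory item numbers whose first fixed release is later than version_str."""
    version = parse_version(version_str)
    exposed = []
    for item, fixes in sorted(FIRST_FIXED.items()):
        fixed = fixes.get(version[0])  # None: series not affected (or not covered)
        if fixed is not None and version < parse_version(fixed):
            exposed.append(item)
    return exposed


def fwsm_versions_from_show_module(output):
    """Map slot number -> Sw version for every Firewall Module row in 'show module' output."""
    lines = output.splitlines()
    # First table ("Mod Ports Card Type ...") tells us which slots hold an FWSM.
    fwsm_slots = {int(m.group(1)) for m in
                  (re.match(r"\s*(\d+)\s+\d+\s+Firewall Module\b", l) for l in lines) if m}
    versions = {}
    for line in lines:
        # Second table ("Mod MAC addresses  Hw  Fw  Sw  Status"): Sw is the third
        # field after the "<mac> to <mac>" range.
        m = re.match(r"\s*(\d+)\s+\S+ to \S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", line)
        if m and int(m.group(1)) in fwsm_slots:
            versions[int(m.group(1))] = m.group(4)
    return versions


def assess_chassis(show_module_output):
    """Return {slot: [exposed advisory items]} for each FWSM found in the output."""
    return {slot: vulnerable_items(ver)
            for slot, ver in fwsm_versions_from_show_module(show_module_output).items()}


# Constructed "show module" output in the layout the advisory shows; serial numbers
# and MAC addresses are placeholders and the second FWSM (slot 7) is invented.
SAMPLE_SHOW_MODULE = """\
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   48  SFM-capable 48 port 10/100/1000mb RJ45  WS-X6548-GE-TX     SAxxxxxxxxx
  4    6  Firewall Module                         WS-SVC-FWM-1       SAxxxxxxxxx
  5    2  Supervisor Engine 720 (Active)          WS-SUP720-BASE     SAxxxxxxxxx
  7    6  Firewall Module                         WS-SVC-FWM-1       SAxxxxxxxxx

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0001.xxxx.xxxx to 0001.xxxx.xxxx   1.0   7.2(1)       8.5(0.46)    Ok
  4  0003.e4xx.xxxx to 0003.e4xx.xxxx   3.0   7.2(1)       2.3(1)       Ok
  5  0005.xxxx.xxxx to 0005.xxxx.xxxx   4.0   8.1(3)       12.2(18)SXF  Ok
  7  0007.xxxx.xxxx to 0007.xxxx.xxxx   3.0   7.2(1)       3.1(3.5)     Ok
"""

if __name__ == "__main__":
    for slot, items in sorted(assess_chassis(SAMPLE_SHOW_MODULE).items()):
        print("slot %d: exposed to advisory items %s" % (slot, items or "none"))
```

For the sample, slot 4 at 2.3(1) is reported for items 2 and 8 (the only two with a 2.3.x fix), and slot 7 at 3.1(3.5) for items 1, 2, 4 and 6, since 3.1(3.5) already meets the 3.1(3.1), 3.1(3.3) and 3.1(1.9) fixes. A release at or above 2.3(4.12) or 3.1(4) yields an empty list, matching the two paragraphs above.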

FWSM software is available for download from the following location on cisco.com:

http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-fwsm?psrtdcat20e2

For FWSM release 2.3(4.12) please use the following link:

http://www.cisco.com/pcgi-bin/tablebuild.pl/FWSMPSIRT?psrtdcat20e2

Workarounds
===========

Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory:

http://www.cisco.com/warp/public/707/cisco-air-20070214-firewall.shtml

1. Enhanced Inspection of Malformed HTTP Traffic May Cause Reload
+----------------------------------------------------------------

It is possible to mitigate this vulnerability by disabling enhanced inspection of HTTP traffic. Please note that disabling HTTP enhanced inspection will prevent the FWSM from protecting against specific attacks and other threats that may be associated with HTTP traffic. Enhanced inspection of HTTP traffic is disabled by removing the command "inspect http <appfw>" from the configuration, where appfw is the name of an HTTP map.

For further information about the "inspect http <appfw>" command, and the type of checks it performs on HTTP traffic, please see the documentation for this command at:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_3_1/fwsm_ref/i2.htm#wp1570030

Please note that the command "inspect http" (without an HTTP map) can be left in the configuration and the device will not be affected by this vulnerability.

2. Inspection of Malformed SIP Messages May Cause Reload
+-------------------------------------------------------

It is possible to mitigate this vulnerability by disabling deep packet inspection ("fixup" in software versions prior to 3.x or "inspect" in software version 3.x and later) of SIP messages. Note, however, that this may have a negative impact on devices terminating SIP sessions since SIP traffic will no longer undergo stateful application inspection, and devices which terminate sessions for this protocol will be exposed to packets that may cause these devices to crash or become compromised.

If you are running a 3.x FWSM software release, then the alternative is to allow traffic only from the trusted hosts. The configuration to accomplish this is as follows:

    access-list sip-acl extended permit udp 10.1.1.0 255.255.255.0 host 192.168.5.4 eq sip
    access-list sip-acl extended permit udp host 192.168.5.4 10.1.1.0 255.255.255.0 eq sip

    class-map sip-traffic
     match access-list sip-acl
    !
    !
    policy-map global_policy
     class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect netbios
      inspect tftp
     class sip-traffic
      inspect sip
    !
    service-policy global_policy global



In this example SIP endpoints are any host within the 10.1.1.0 network (inside the trusted network) and a host with the IP address of 192.168.5.4 (outside of the trusted network). You would have to substitute these IP addresses with the ones that are used in your network.

Please note that SIP is a UDP-based protocol, so spoofing SIP messages is possible.

3. Processing of Packets Destined to the FWSM May Cause
Reload
+-----------------------------------------------------------
--

Since this vulnerability only manifests itself when syslog message
710006 is generated, it is possible to work around the vulnerability
either by disabling generation of syslog message 710006 altogether, or
by logging at a syslog level that is lower than the syslog level at
which this message is generated.

By default, syslog message 710006 is generated at syslog level 7
("debugging"), so a viable workaround is to log at level 6 or lower.
This can be accomplished with the command "logging <destination> 6". If
syslog message 710006 has been moved to a different logging level, then
the logging level in use must be changed accordingly to prevent the
message from being generated.

If logging at the "debugging" level is necessary, the vulnerability can
also be eliminated by disabling this particular syslog message by using
the command "no logging message 710006".

4. Processing of Malformed HTTPS Requests May Cause Reload
+---------------------------------------------------------

There are no workarounds for this vulnerability.

5. Processing of Long HTTP Requests May Cause Reload
+---------------------------------------------------

There are no workarounds for this vulnerability.

6. Processing HTTPS Traffic May Cause a Reload
+---------------------------------------------

Since this vulnerability is caused by the HTTPS server on the FWSM
failing to handle certain types of HTTPS traffic, disabling the HTTPS
server through the command "no http server enable" is a valid workaround
if this functionality is not needed. Please note that this functionality
is used by ASDM, so if configuration of the FWSM is done exclusively
through ASDM, disabling the HTTPS server may not be a viable workaround.

Additionally, it is possible to limit the exposure by allowing HTTPS
connections only from trusted IP addresses or networks. This can be
accomplished with the "http" command. For example, the following command:

            FWSM(config)# http 192.168.1.10 255.255.255.255 inside

will only permit HTTPS connections from the IP address 192.168.1.10 (on
the inside interface).

7. Processing of Malformed SNMP Requests May Cause a Reload
+----------------------------------------------------------

This bug can only be triggered by a malformed SNMP message that comes
from a device that is allowed SNMP access on the FWSM. If SNMP is not
needed it can be removed through the command
"no snmp-server host <interface name> <IP address of trusted device>",
which will eliminate the vulnerability.
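An added example (not Cisco's code and not part of this advisory): a Python script that parses an FWSM running-config and reports which of the workarounds from items 2, 3, 6 and 7 above are not in place. The two config excerpts, the interface names and the addresses in it are constructed for illustration; the only command syntax it relies on is the one quoted in this advisory, and it assumes message 710006 sits at its default level 7 unless the config moves it.

```python
# Added example (not Cisco's code): audit an FWSM running-config for the
# workarounds in items 2, 3, 6 and 7 of this advisory.
import re

# Constructed running-config excerpt (hypothetical; not from the advisory).
WEAK_CONFIG = """\
access-list sip-acl extended permit udp 10.1.1.0 255.255.255.0 host 192.168.5.4 eq sip
logging buffered debugging
logging trap 6
class-map sip-traffic
 match access-list sip-acl
policy-map global_policy
 class inspection_default
  inspect sip
 class sip-traffic
  inspect sip
service-policy global_policy global
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.10 255.255.255.255 inside
snmp-server host inside 10.1.1.20 community public
"""

# The same device after applying the advisory's workarounds (constructed).
HARDENED_CONFIG = """\
access-list sip-acl extended permit udp 10.1.1.0 255.255.255.0 host 192.168.5.4 eq sip
logging buffered debugging
no logging message 710006
policy-map global_policy
 class sip-traffic
  inspect sip
service-policy global_policy global
http server enable
http 192.168.1.10 255.255.255.255 inside
"""

LEVEL_NAMES = dict(zip("emergencies alerts critical errors warnings notifications "
                       "informational debugging".split(), range(8)))
LOG_DESTINATIONS = "buffered console monitor trap asdm history mail".split()

def level_number(token):
    """Map a numeric or named syslog level to its number (None if unknown)."""
    return int(token) if token.isdigit() else LEVEL_NAMES.get(token)

def sip_inspection_classes(config):
    """Policy-map class names that carry 'inspect sip', in config order (item 2)."""
    classes, current, in_policy = [], None, False
    for line in config.splitlines():
        if line.startswith("policy-map "):
            in_policy, current = True, None
            continue
        if in_policy and line and not line[0].isspace():
            in_policy = False            # left the indented policy-map body
        if not in_policy:
            continue
        m = re.match(r"\s+class\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
        elif line.strip() == "inspect sip" and current:
            classes.append(current)
    return classes

def syslog_710006_generated(config):
    """True if some logging destination would still emit message 710006 (item 3)."""
    msg_level, disabled, dest_levels = 7, False, {}   # 710006 defaults to level 7
    for s in (l.strip() for l in config.splitlines()):
        if s == "no logging message 710006":
            disabled = True
        elif (m := re.match(r"logging message 710006 level (\S+)$", s)):
            msg_level = level_number(m.group(1))
        elif (m := re.match(r"logging (\S+) (\S+)$", s)) and m.group(1) in LOG_DESTINATIONS:
            lvl = level_number(m.group(2))
            if lvl is not None:
                dest_levels[m.group(1)] = lvl
    return not disabled and any(lvl >= msg_level for lvl in dest_levels.values())

def open_https_interfaces(config):
    """Interfaces on which the enabled HTTPS server accepts any source address (item 6)."""
    if "http server enable" not in config.splitlines():
        return []
    return re.findall(r"^http 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", config, re.M)

def snmp_hosts(config):
    """(interface, host) pairs allowed to send SNMP to the FWSM (item 7)."""
    return re.findall(r"^snmp-server host (\S+) (\S+)", config, re.M)

def audit(config):
    """One finding per advisory item whose workaround is not in place."""
    findings = []
    if "inspection_default" in sip_inspection_classes(config):
        findings.append("item 2: 'inspect sip' in class inspection_default inspects SIP from any host")
    if syslog_710006_generated(config):
        findings.append("item 3: syslog 710006 still generated; log at level 6 or lower or disable it")
    for iface in open_https_interfaces(config):
        findings.append(f"item 6: HTTPS management open to any source address on '{iface}'")
    for iface, host in snmp_hosts(config):
        findings.append(f"item 7: SNMP accepted from {host} on '{iface}'; remove if not needed")
    return findings
```

Run audit() over the saved output of "show running-config". An empty list means the four configuration workarounds are applied, not that the device is fixed: items 4, 5 and 8 have no configuration workaround, and the SNMP check lists every permitted host because any of them can send the malformed message.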

8. Manipulation of ACL May Cause ACL Corruption
+----------------------------------------------

There are no workarounds for this vulnerability. However, please note
that the ACL corruption does not occur during normal operation of the
device and it cannot be triggered by any type of traffic. It can only
occur if an administrator makes configuration changes (more
specifically, if an administrator manipulates an ACL). For this reason,
if ACL changes are made only during a maintenance window, and the FWSM
is reloaded after making those changes, there should not be any
concerns with this vulnerability.

Obtaining Fixed Software
========================

Cisco will make free software available to address this vulnerability
for affected customers. This advisory will be updated as fixed software
becomes available. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they
have purchased. By installing, downloading, accessing or otherwise using
such software upgrades, customers agree to be bound by the terms of
Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html, or as otherwise
set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact either "psirt@cisco.com" or "security-alert@cisco.com"
for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action with regard to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades
for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.

Some of these vulnerabilities were reported to Cisco by customers that
experienced these issues during normal operation of their equipment.
The other vulnerabilities were discovered during internal testing.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-teams@first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+-------------------------------------------------------------+
| Revision 1.0   | 2007-Feb-14   | Initial public release     |
+-------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

- -----------------------------------------------------------------------
All contents are Copyright 1992-2007 Cisco Systems, Inc. All rights
reserved.
- -----------------------------------------------------------------------

Updated: Feb 14, 2007
Document ID: 72327

- -----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFF00BP8NUAbBmDaxQRAiiQAJwIufqcGpa9cXsK92XF57DQMSvmdgCgr19e
UbzxvqBydc20RBYb+LGjguA=
=blXH
-----END PGP SIGNATURE-----
