Thread-topic: Cisco Security Advisory: Multiple Vulnerabilities in Firewall Services Module
> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
> Of Cisco Systems Product Security Incident Response Team
> Sent: Wednesday, October 17, 2007 8:30 PM
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Cc: psirt@xxxxxxxxx
> Subject: [Full-disclosure] Cisco Security Advisory: Multiple
> Vulnerabilities in Firewall Services Module
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Cisco Security Advisory: Multiple Vulnerabilities in Firewall Services
> Module
>
> Advisory ID: cisco-sa-20071017-fwsm
>
> http://www.cisco.com/warp/public/707/cisco-sa-20071017-fwsm.shtml
>
> Revision 1.0
>
> For Public Release 2007 October 17 1600 UTC (GMT)
>
> +--------------------------------------------------------------------
>
> Summary
> =======
>
> Two crafted packet vulnerabilities exist in the Cisco Firewall
> Services Module (FWSM) that may result in a reload of the FWSM. These
> vulnerabilities can be triggered during the processing of HTTPS
> requests, or during the processing of Media Gateway Control Protocol
> (MGCP) packets.
>
> A third vulnerability may cause access control list (ACL) entries to
> not be evaluated after the access list has been manipulated.
>
> Note: These vulnerabilities are independent of each other; a device
> may be affected by one and not by the others.
>
> This advisory is posted at
> http://www.cisco.com/warp/public/707/cisco-sa-20071017-fwsm.shtml.
>
> Affected Products
> =================
>
> Vulnerable Products
> +------------------
>
> The FWSM is affected by a crafted HTTPS request vulnerability if the
> HTTPS server on the FWSM is enabled and is running software versions
> 3.1(5) and prior or 3.2(1). Version 2.3.x is not affected. The HTTPS
> server is not enabled by default.
>
> The FWSM is affected by a crafted MGCP packet vulnerability if MGCP
> application layer protocol inspection is enabled and the device is
> running software version 3.1(5) and prior. Versions 2.3.x and 3.2.x
> are not affected. MGCP inspection is not enabled by default.
>
> The FWSM is affected by an access control list corruption
> vulnerability that may result in the ACL not working properly, i.e.
> the ACL may allow traffic that would normally be denied, or deny
> traffic that would normally be permitted. Affected versions include
> 3.1(6) and prior and 3.2(2) and prior. Version 2.3.x is not affected.
>
> In addition to the FWSM, the crafted MGCP packet vulnerability
> also affects the PIX 500 Series Security Appliances and the
> Cisco ASA 5500 Series Adaptive Security Appliances. More
> information regarding vulnerabilities affecting the PIX
> and ASA can be found in the companion advisory located at
> http://www.cisco.com/warp/public/707/cisco-sa-20071017-asa.shtml.
>
> To determine if you are running a vulnerable version of FWSM software,
> issue the "show module" command-line interface (CLI) command from
> Cisco IOS or Cisco CatOS to identify what modules and sub-modules are
> installed in the system.
>
> The following example shows a system with a Firewall Service Module
> (WS-SVC-FWM-1) installed in slot 4.
>
> switch#show module
> Mod Ports Card Type                              Model             Serial No.
> --- ----- -------------------------------------- ----------------- -----------
>   1   48  SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX    SAxxxxxxxxx
>   4    6  Firewall Module                        WS-SVC-FWM-1      SAxxxxxxxxx
>   5    2  Supervisor Engine 720 (Active)         WS-SUP720-BASE    SAxxxxxxxxx
>   6    2  Supervisor Engine 720 (Hot)            WS-SUP720-BASE    SAxxxxxxxxx
>
> After locating the correct slot, issue the "show module <slot number>"
> command to identify the software version that is running:
>
> switch#show module 4
> Mod Ports Card Type                              Model             Serial No.
> --- ----- -------------------------------------- ----------------- -----------
>   4    6  Firewall Module                        WS-SVC-FWM-1      SAxxxxxxxxx
>
> Mod MAC addresses                     Hw     Fw           Sw           Status
> --- --------------------------------- ------ ------------ ------------ -------
>   4 0003.e4xx.xxxx to 0003.e4xx.xxxx  3.0    7.2(1)       3.1(3)       Ok
>
> The example above shows that the FWSM is running version 3.1(3) as
> indicated by the column under "Sw" above.
>
> Note: Recent versions of Cisco IOS will show the software version of
> each module in the output from the "show module" command; therefore,
> executing the "show module <slot number>" command is not necessary.
>
> Alternatively, the information may also be obtained directly from the
> FWSM through the "show version" command as seen below.
>
> FWSM#show version
> FWSM Firewall Version 3.1(3)
>
> Customers who use the Cisco Adaptive Security Device Manager (ASDM) to
> manage their devices can find the version of the software displayed in
> the table in the login window or in the upper left corner of the ASDM
> window. The version notation is similar to this:
>
> FWSM Version: 3.1(3)
>
> Products Confirmed Not Vulnerable
> +--------------------------------
>
> With the exception of the Cisco PIX 500 Series Security Appliances and
> the Cisco ASA 5500 Series Adaptive Security Appliances, no other Cisco
> products are known to be vulnerable to the issues described in this
> advisory.
>
> Details
> =======
>
> This Security Advisory describes multiple distinct vulnerabilities.
> These vulnerabilities are independent of each other.
>
> 1. Crafted HTTPS Request
>
> A FWSM that has the HTTPS server enabled may reload if a crafted HTTP
> request is processed by the device. The HTTPS server is disabled by
> default.
>
> The source IP address and interface on which the HTTPS request is
> received must comply with the configured "http <source IP> <address
> mask> <source interface>" command. For example, if the command "http
> 10.10.10.0 255.255.255.0 inside" is present in the configuration, then
> only crafted HTTPS requests coming from the 10.10.10.0/24 network may
> represent an issue for the device.
>
> No other HTTP(s) services are known to be affected, such as HTTP
> Inspection, HTTP/HTTPS Proxy Server, and HTTP redirect.
>
> To confirm if the HTTPS server is enabled, log in to the FWSM and
> issue the CLI command "show running-config | include http". If the
> output contains both "http server enable" and "http <source IP>
> <address mask> <source interface>", then the device has a vulnerable
> configuration. The following example shows an FWSM with a vulnerable
> configuration:
>
> FWSM# show running-config | include http
> http server enable
> http 10.10.10.0 255.255.255.0 inside
> FWSM#
>
> This vulnerability is documented in Cisco Bug ID CSCsi77844 and does
> not affect the PIX or ASA security appliances.
>
> 2. Crafted MGCP Packet
>
> An FWSM that has the MGCP application layer protocol inspection
> feature enabled may reload when a crafted MGCP packet is processed by
> the device. MGCP application layer protocol inspection is not enabled
> by default.
>
> MGCP messages are transmitted over the User Datagram Protocol (UDP),
> which does allow the crafted MGCP messages to be sourced from a
> spoofed address. Only the MGCP for gateway application (MGCP traffic
> on UDP port 2427) is affected.
>
> To determine whether MGCP inspection is configured on the FWSM, log
> in to the device and issue the CLI command "show service-policy |
> include mgcp". If the output contains the text "Inspect: mgcp" and
> some statistics, then the device has a vulnerable configuration. The
> following example shows a vulnerable FWSM:
>
> FWSM# show service-policy | include mgcp
> Inspect: mgcp, packet 66, drop 0, reset-drop 0
> FWSM#
>
> This vulnerability is documented in Cisco Bug ID CSCsi00694. The
> corresponding Cisco Bug ID for the PIX and ASA security appliances,
> included in the companion PIX/ASA Security Advisory, is CSCsi90468.
>
> 3. Manipulation of ACL May Cause ACL Corruption
>
> This vulnerability may cause access control list entries (ACEs) in an
> ACL that has been manipulated to not be evaluated. Manipulation of the
> ACL can take place via the command-line interface or ASDM and consists
> of deleting and re-adding ACEs. When the access list is manipulated
> in this way, the internal structure that represents the ACL becomes
> corrupted, resulting in the FWSM not evaluating some ACEs.
>
> Because ACEs in an ACL may not be evaluated, the ACL may allow traffic
> that would normally be denied, or deny traffic that would normally be
> permitted.
>
> This vulnerability is documented in Cisco Bug ID CSCsj52536 and does
> not affect the PIX or ASA security appliances.
>
> Vulnerability Scoring Details
> +----------------------------
>
> Cisco is providing scores for the vulnerabilities in this advisory
> based on the Common Vulnerability Scoring System (CVSS). The CVSS
> scoring in this Security Advisory is done in accordance with CVSS
> version 2.0.
>
> Cisco will provide a base and temporal score. Customers can then
> compute environmental scores to assist in determining the impact of
> the vulnerability in individual networks.
>
> CVSS is a standards-based scoring method that conveys vulnerability
> severity and helps determine urgency and priority of response.
>
> Cisco has provided an FAQ to answer additional questions regarding
> CVSS at
>
> http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.
>
> Cisco has also provided a CVSS calculator to help compute the
> environmental impact for individual networks at
>
> http://intellishield.cisco.com/security/alertmanager/cvss.
>
> * Crafted HTTPS Request (CSCsi77844)
>
> CVSS Base Score - 7.8
> Access Vector - Network
> Access Complexity - Low
> Authentication - None
> Confidentiality Impact - None
> Integrity Impact - None
> Availability Impact - Complete
>
> CVSS Temporal Score - 6.4
> Exploitability - Functional
> Remediation Level - Official-Fix
> Report Confidence - Confirmed
>
> * Crafted MGCP packet (CSCsi00694)
>
> CVSS Base Score - 7.1
> Access Vector - Network
> Access Complexity - Medium
> Authentication - None
> Confidentiality Impact - None
> Integrity Impact - None
> Availability Impact - Complete
>
> CVSS Temporal Score - 5.9
> Exploitability - Functional
> Remediation Level - Official-Fix
> Report Confidence - Confirmed
>
> * Manipulation of ACL May Cause ACL Corruption (CSCsj52536)
>
> CVSS Base Score - 6.8
> Access Vector - Network
> Access Complexity - Medium
> Authentication - None
> Confidentiality Impact - Partial
> Integrity Impact - Partial
> Availability Impact - Partial
>
> CVSS Temporal Score - 5.6
> Exploitability - Functional
> Remediation Level - Official-Fix
> Report Confidence - Confirmed
>
> Impact
> ======
>
> Successful exploitation of the crafted packet vulnerabilities that are
> described in this advisory will result in a reload of the affected
> device. Repeated exploitation can result in a sustained denial of
> service (DoS) attack.
>
> In the case of the "Manipulation of ACL May Cause ACL Corruption"
> vulnerability, a device that becomes affected after an administrator
> manipulates an ACL may allow traffic that would normally be denied,
> or deny traffic that would normally be permitted. If the ACL is used
> for other functions like NAT (policy NAT and NAT exemption), AAA
> (auth-proxy), or control of access to the device (SSH, Telnet, HTTP,
> ICMP), then those functions may be adversely affected as well.
>
> Software Versions and Fixes
> ===========================
>
> When considering software upgrades, also consult
> http://www.cisco.com/go/psirt and any subsequent advisories to
> determine exposure and a complete upgrade solution.
>
> In all cases, customers should exercise caution to be certain that
> the devices to be upgraded contain sufficient memory and that current
> hardware and software configurations will continue to be supported
> properly by the new release. If the information is not clear, contact
> the Cisco Technical Assistance Center ("TAC") or your contracted
> maintenance provider for assistance.
>
> The following list contains the first fixed software release for each
> vulnerability:
>
> +---------------------------------------+
> | | Affected | First |
> | Vulnerability | Major | Fixed |
> | | Release | Release |
> |---------------+----------+------------|
> | | 2.3 | Not |
> | | | affected |
> |Crafted HTTPS |----------+------------|
> | Request | 3.1 | 3.1(6) |
> | |----------+------------|
> | | 3.2 | 3.2(2) |
> |---------------+----------+------------|
> | | 2.3 | Not |
> | | | affected |
> |Crafted MGCP |----------+------------|
> | packet | 3.1 | 3.1(6) |
> | |----------+------------|
> | | 3.2 | Not |
> | | | affected |
> |---------------+----------+------------|
> | | 2.3 | Not |
> | | | affected |
> | |----------+------------|
> | Manipulation | 3.1 | 3.1(7) |
> |of ACL May |----------+------------|
> | Cause ACL | | 3.2(3), |
> | Corruption | | available |
> | | 3.2 | week of |
> | | | October |
> | | | 22, 2007 |
> +---------------------------------------+
>
> FWSM software versions 3.1(7) and 3.2(3) contain the fixes for all the
> vulnerabilities described in this document.
>
> FWSM software is available for download
> from the following location on cisco.com:
> http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-fwsm?psrtdcat20e2.
>
> Workarounds
> ===========
>
> General Considerations
> +---------------------
>
> Filters that deny HTTPS packets using TCP port 443 and MGCP packets on
> UDP port 2427 should be deployed throughout the network as part of a
> transit ACL (tACL) policy for protection of traffic which enters the
> network at ingress access points. This policy should be configured to
> protect the network device where the filter is applied and other
> devices behind it. Filters for HTTPS packets using TCP port 443 and
> MGCP packets on UDP port 2427 should also be deployed in front of
> vulnerable network devices so that traffic is only allowed from
> trusted clients.
>
> Additional information about tACLs is available in "Transit Access
> Control Lists : Filtering at Your Edge":
>
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml.
>
> Additional mitigation techniques that can be deployed on Cisco devices
> within the network are available in the Cisco Applied Intelligence
> companion document for this advisory:
>
> http://www.cisco.com/warp/public/707/cisco-air-20071017-asafwsm.shtml.
>
> 1. Crafted HTTPS Request
>
> There are no workarounds for these vulnerabilities other than
> disabling the HTTPS server on the device. See the Cisco Applied
> Intelligence companion document for mitigations.
>
> Limiting the networks and hosts that can connect to the HTTPS server
> on the FWSM can help mitigate this vulnerability. For example, if
> the command "http 10.10.10.0 255.255.255.0 inside" is present in the
> configuration, then only hosts on this trusted network can establish
> HTTPS sessions with the FWSM. This scenario eliminates the possibility
> of malicious hosts on other IP networks launching successful attacks
> against the FWSM.
>
> 2. Crafted MGCP Packet
>
> There is no workaround for this vulnerability other than disabling
> MGCP application layer protocol inspection on the device.
>
> Leveraging anti-spoofing techniques will help mitigate spoofed packets
> from triggering this vulnerability.
>
> Limiting MGCP application layer inspection to traffic between MGCP
> gateways may help to mitigate this vulnerability since it would
> require an attacker to have additional information (the addresses of
> the MGCP gateways) to launch a successful attack. To limit MGCP
> application layer inspection to traffic between certain devices, a
> class map that matches only traffic between the gateways must be
> created. Then, MGCP inspection must be performed on traffic in that
> class. The following example shows how to accomplish this:
>
> FWSM(config)# access-list mgcp_traffic permit udp host 192.168.0.1 host 172.16.0.1 eq 2427
> FWSM(config)# access-list mgcp_traffic permit udp host 172.16.0.1 host 192.168.0.1 eq 2427
> FWSM(config)# class-map MGCP
> FWSM(config-cmap)# match access-list mgcp_traffic
> FWSM(config-cmap)# exit
> FWSM(config)# policy-map global_policy
> FWSM(config-pmap)# class inspection_default
> FWSM(config-pmap-c)# no inspect mgcp
> FWSM(config-pmap-c)# exit
> FWSM(config-pmap)# class MGCP
> FWSM(config-pmap-c)# inspect mgcp
> FWSM(config-pmap-c)# exit
> FWSM(config-pmap)# exit
> FWSM(config)#
>
> Note that MGCP inspection is applied only to UDP traffic between hosts
> 192.168.0.1 and 172.16.0.1.
>
> See the Cisco Applied Intelligence companion document for additional
> mitigation possibilities.
>
> 3. Manipulation of ACL May Cause ACL Corruption
>
> A possible workaround for this vulnerability is to completely remove
> the ACL before modifying it, and then recreate it with the desired
> changes. ACLs can be removed with the command "clear configure
> access-list <ACL name>".
>
> Note: The ACL corruption does not occur during normal operation of the
> device, and it cannot be triggered by some type of traffic. It can
> only occur if an administrator makes configuration changes, and more
> specifically, if an administrator manipulates an ACL. For this reason,
> if ACL changes are made only during a maintenance window and the FWSM
> is reloaded after making those changes, there should not be any
> concerns with this vulnerability.
>
> Obtaining Fixed Software
> ========================
>
> Prior to deploying software, customers should consult their
> maintenance provider or check the software for feature set
> compatibility and known issues specific to their environment.
>
> Customers may only install and expect support for the feature
> sets they have purchased. By installing, downloading, accessing
> or otherwise using such software upgrades, customers agree to
> be bound by the terms of Cisco's software license terms found
> at http://www.cisco.com/public/sw-license-agreement.html,
> or as otherwise set forth at Cisco.com Downloads at
> http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
>
> Do not contact either "psirt@xxxxxxxxx" or "security-alert@xxxxxxxxx"
> for software upgrades.
>
> Customers with Service Contracts
> +-------------------------------
>
> Customers with contracts should obtain upgraded software through their
> regular update channels. For most customers, this means that upgrades
> should be obtained through the Software Center on Cisco's worldwide
> website at http://www.cisco.com.
>
> Customers using Third Party Support Organizations
> +------------------------------------------------
>
> Customers whose Cisco products are provided or maintained through
> prior or existing agreement with third-party support organizations
> such as Cisco Partners, authorized resellers, or service providers
> should contact that support organization for guidance and assistance
> with the appropriate course of action in regards to this advisory.
>
> The effectiveness of any workaround or fix is dependent on specific
> customer situations such as product mix, network topology, traffic
> behavior, and organizational mission. Due to the variety of affected
> products and releases, customers should consult with their service
> provider or support organization to ensure any applied workaround or
> fix is the most appropriate for use in the intended network before it
> is deployed.
>
> Customers without Service Contracts
> +----------------------------------
>
> Customers who purchase direct from Cisco but who do not hold a Cisco
> service contract and customers who purchase through third-party
> vendors but are unsuccessful at obtaining fixed software through their
> point of sale should get their upgrades by contacting the Cisco
> Technical Assistance Center (TAC). TAC contacts are as follows.
>
> * +1 800 553 2447 (toll free from within North America)
> * +1 408 526 7209 (toll call from anywhere in the world)
> * e-mail: tac@xxxxxxxxx
>
> Have your product serial number available and give the URL of this
> notice as evidence of your entitlement to a free upgrade. Free
> upgrades for non-contract customers must be requested through the TAC.
>
> Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
> for additional TAC contact information, including special localized
> telephone numbers and instructions and e-mail addresses for use in
> various languages.
>
> Exploitation and Public Announcements
> =====================================
>
> The Cisco PSIRT is not aware of any public announcements or malicious
> use of the vulnerabilities described in this advisory.
>
> The crafted packet vulnerabilities were discovered by Cisco during
> internal testing of the associated products.
>
> The ACL corruption vulnerability was discovered during the resolution
> of customer support cases.
>
> Status of this Notice: FINAL
> ============================
>
> THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
> ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
> MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
> INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
> AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
> DOCUMENT AT ANY TIME.
>
> A stand-alone copy or paraphrase of the text of this document that
> omits the distribution URL in the following section is an uncontrolled
> copy, and may lack important information or contain factual errors.
>
> Distribution
> ============
>
> This advisory is posted on Cisco's worldwide website at :
>
> http://www.cisco.com/warp/public/707/cisco-sa-20071017-fwsm.shtml
>
> In addition to worldwide web posting, a text version of this notice is
> clear-signed with the Cisco PSIRT PGP key and is posted to the
> following e-mail and Usenet news recipients.
>
> * cust-security-announce@xxxxxxxxx
> * first-teams@xxxxxxxxx
> * bugtraq@xxxxxxxxxxxxxxxxx
> * vulnwatch@xxxxxxxxxxxxx
> * cisco@xxxxxxxxxxxxxxxxx
> * cisco-nsp@xxxxxxxxxxxxxxx
> * full-disclosure@xxxxxxxxxxxxxxxxx
> * comp.dcom.sys.cisco@xxxxxxxxxxxxxxxxxx
>
> Future updates of this advisory, if any, will be placed on Cisco's
> worldwide website, but may or may not be actively announced on mailing
> lists or newsgroups. Users concerned about this problem are encouraged
> to check the above URL for any updates.
>
> Revision History
> ================
>
> +---------------------------------------+
> | Revision | | Initial |
> | 1.0 | 2007-October-17 | public |
> | | | release. |
> +---------------------------------------+
>
> Cisco Security Procedures
> =========================
>
> Complete information on reporting security vulnerabilities in Cisco
> products, obtaining assistance with security incidents, and
> registering to receive security information from Cisco, is available
> on Cisco's worldwide website at
> http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
> This includes instructions for press inquiries regarding Cisco
> security notices. All Cisco security advisories are available at
> http://www.cisco.com/go/psirt.
>
> +--------------------------------------------------------------------
> All contents are Copyright 2006-2007 Cisco Systems, Inc. All rights
> reserved.
> +--------------------------------------------------------------------
>
> Updated: Oct 17, 2007 Document ID: 98612
>
> +--------------------------------------------------------------------
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFHFjlO8NUAbBmDaxQRAq3pAKCjqx/5M40GWuV9Cr+ODp22XT0WPQCfe000
> FFmDr8st8YJBWSrIwc6Tlp8=
> =oiLW
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
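The version and configuration checks that the quoted advisory walks through under "Affected Products", "Details" and "Software Versions and Fixes" fold into one script when you have to triage more than a handful of modules. The following is an added example, not Cisco's code: the first-fixed thresholds and bug IDs are copied from the advisory's fix table, and the CLI output it parses (a "show version" line, a "show running-config | include http" excerpt and a "show service-policy | include mgcp" excerpt) is constructed here, not captured from a device.

```python
import re

# Advisory facts: first fixed maintenance release per major train (None means
# the train is not affected) and the feature that must be enabled for the
# issue to be reachable (None: no feature dependency).
ADVISORY = {
    "CSCsi77844": {"issue": "crafted HTTPS request",
                   "first_fixed": {(2, 3): None, (3, 1): 6, (3, 2): 2},
                   "feature": "https_server"},
    "CSCsi00694": {"issue": "crafted MGCP packet",
                   "first_fixed": {(2, 3): None, (3, 1): 6, (3, 2): None},
                   "feature": "mgcp_inspection"},
    "CSCsj52536": {"issue": "ACL corruption after ACE delete/re-add",
                   "first_fixed": {(2, 3): None, (3, 1): 7, (3, 2): 3},
                   "feature": None},
}


def parse_fwsm_version(show_version_output):
    """Return ((major, minor), maintenance) from FWSM 'show version' text.

    Anchoring on 'FWSM Firewall Version' matters: a bare x.y(z) pattern
    would also match the module firmware column of 'show module'
    (7.2(1) in the advisory's example), which is not the FWSM software.
    """
    m = re.search(r"FWSM Firewall Version (\d+)\.(\d+)\((\d+)\)",
                  show_version_output)
    if not m:
        raise ValueError("no 'FWSM Firewall Version x.y(z)' line found")
    return (int(m.group(1)), int(m.group(2))), int(m.group(3))


def version_affected(first_fixed, version):
    """True if the running release precedes the first fixed release."""
    train, maint = version
    if train not in first_fixed:
        raise ValueError("train %d.%d is not covered by the advisory" % train)
    fixed = first_fixed[train]
    return fixed is not None and maint < fixed


def https_server_enabled(running_config):
    """Advisory condition: 'http server enable' AND an 'http <net> <mask>
    <interface>' client statement; the server line alone is not enough."""
    lines = [ln.strip() for ln in running_config.splitlines()]
    has_enable = "http server enable" in lines
    has_client_acl = any(re.fullmatch(r"http \S+ \S+ \S+", ln) for ln in lines)
    return has_enable and has_client_acl


def mgcp_inspection_enabled(service_policy_output):
    """Advisory condition: an 'Inspect: mgcp' line in 'show service-policy'."""
    return any(ln.strip().startswith("Inspect: mgcp")
               for ln in service_policy_output.splitlines())


def assess(show_version_output, running_config, service_policy_output):
    """Map each bug ID to True if this FWSM is exposed to it."""
    version = parse_fwsm_version(show_version_output)
    features = {
        "https_server": https_server_enabled(running_config),
        "mgcp_inspection": mgcp_inspection_enabled(service_policy_output),
        None: True,  # ACL corruption depends on admin action, not a feature
    }
    return {bug: version_affected(d["first_fixed"], version) and features[d["feature"]]
            for bug, d in ADVISORY.items()}


# Constructed sample CLI output (not captured from a device), modelled on
# the advisory's own examples: version 3.1(3), HTTPS management enabled for
# 10.10.10.0/24 on inside, MGCP inspection active in the global policy.
SHOW_VERSION = "FWSM Firewall Version 3.1(3)\n"
RUNNING_CONFIG_HTTP = "http server enable\nhttp 10.10.10.0 255.255.255.0 inside\n"
SERVICE_POLICY_MGCP = "  Inspect: mgcp, packet 66, drop 0, reset-drop 0\n"

if __name__ == "__main__":
    result = assess(SHOW_VERSION, RUNNING_CONFIG_HTTP, SERVICE_POLICY_MGCP)
    for bug, exposed in result.items():
        print("%s %-40s %s" % (bug, ADVISORY[bug]["issue"],
                               "EXPOSED" if exposed else "not exposed"))
```

Two practical points the script encodes: the "Fw" column of "show module" is the module firmware, not the FWSM software release, so only the "Sw" column or "show version" should feed the comparison; and the ACL corruption issue has no feature gate, so on an affected release it is reported regardless of configuration, which matches the advisory's point that only the administrator's ACL edits trigger it. The ADVISORY table is the one thing to revisit if a later revision of the advisory moves a first-fixed release.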