Cisco NX-OS Malformed IP Packet Denial of Service Vulnerability

Summary

Cisco NX-OS Software is affected by a denial of service (DoS) vulnerability that could cause Cisco Nexus 1000v, 5000, and 7000 Series Switches that are running affected versions of Cisco NX-OS Software to reload when the IP stack processes a malformed IP packet.

Vulnerable Products

Cisco Nexus 1000v, 5000, and 7000 Series Switches that are running affected versions of Cisco NX-OS Software are affected by this vulnerability. The vulnerability is in the operating system’s IP stack; therefore, any feature that makes use of the services that are offered by the IP stack to process IP packets is affected.

Cisco NX-OS Software versions prior to the First Fixed Release version are affected. Refer to the Software Versions and Fixes section for details regarding fixed versions.

To determine the version of Cisco NX-OS Software that is running on a Cisco Nexus switch, administrators can log in to the device and issue the show version command to display the system banner.

Products Confirmed Not Vulnerable

Cisco NX-OS Software for products other than the Cisco Nexus 1000v, 5000, and 7000 Series Switches is not affected by this vulnerability. In particular, the following products that run Cisco NX-OS Software are not affected:

  • Cisco Nexus 2000 Series Switches
  • Cisco Nexus 3000 Series Switches
  • Cisco Nexus 4000 Series Switches
  • Unified Computing System (UCS)
  • Cisco MDS 9000 Series Multilayer Switches

No other Cisco products are currently known to be affected by this vulnerability.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120215-nxos

Cisco Secure ACS Unauthorized Password Change Vulnerability

I just finished testing a solution involving ACS 5.2 and Active Directory when this “good news” hit me in the face. It seems that ACS has a vulnerability that allows an unauthenticated attacker to change the password of any user account to any value without providing the account’s previous password.

You might think that this affects only older versions of ACS, but in fact all recent versions are affected by this bug (CSCtl77440):

Vulnerable Products

The following Cisco Secure ACS versions are affected by this vulnerability:

  • Cisco Secure ACS version 5.1 with patch 3, 4, or 5 (or any combination of these patches) installed and without patch 6 or later installed
  • Cisco Secure ACS version 5.2 without any patches installed
  • Cisco Secure ACS version 5.2 with patch 1 or 2 (or both of these patches) installed and without patch 3 or later installed

The previous list applies to both the hardware appliance and the software-only versions of the product.

There is no workaround for this bug, but Cisco recommends some actions to limit exposure. One recommendation is to limit the number of machines that have direct access to the ACS environment. If you provide the UCP (User Change Password) service, it is recommended to stop it and to deny ACS access to any machine that offers UCP. These actions are practical if you have a central management area from which you connect remotely to your ACS servers.

Now for some good news. It seems that this vulnerability works only if the user is defined in the ACS internal identity store, so if you are using an external identity store such as Active Directory those accounts are not exposed. According to the advisory, the vulnerability cannot be used to change the password for the following types of user accounts:

  • User accounts that are defined on external identity stores such as a Lightweight Directory Access Protocol (LDAP) server, a Microsoft Active Directory server, an RSA SecurID server, or an external RADIUS server
  • System administrator accounts for the Cisco Secure ACS server itself that have been configured through the web-based interface
  • User accounts for the Cisco Secure ACS server itself that have been configured through the “username <username> password <password>” CLI command

This vulnerability does not allow an attacker to perform any other changes to the ACS database. That is, an attacker cannot change access policies, device properties, or any user attributes except the user password.

For more information have a look at: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b74117.shtml

Web Server Directory Traversal Vulnerability in Cisco CDS

The Cisco Internet Streamer application, part of the Cisco Content Delivery System, contains a directory traversal vulnerability on its web server component that allows for arbitrary file access. By exploiting this vulnerability, an attacker may be able to read arbitrary files on the device, outside of the web server document directory, by using a specially crafted URL.

An unauthenticated attacker may be able to exploit this issue to access sensitive information, including the password files and system logs, which could be leveraged to launch subsequent attacks.

All versions of system software on the Cisco Internet Streamer application prior to the first fixed release are vulnerable. Cisco has released free software updates that address this vulnerability, and workarounds that mitigate it are available.

This vulnerability can be exploited over any open HTTP port: TCP ports 80 (default HTTP), 443 (default HTTPS) and 8090 (alternate HTTP and HTTPS), as well as any ports configured as part of the HTTP proxy.

As an interim step prior to upgrading the Cisco Content Delivery System software, access to sensitive directories can be denied via service rules. The following example blocks URLs that attempt to move up a directory level; the advisory notes that it also caters for other directory-move variants such as “\.\./”, “.\./” or “\../”. Note that the dots in the pattern are unescaped, so in a standard regex engine “/../” matches any two characters between slashes: the rule is deliberately broad and may also block legitimate URLs with two-character path components (such as “/js/”), and it does not match percent-encoded traversal sequences such as “%2e%2e/”.

rule enable
rule action block pattern-list 1
rule pattern-list 1 url-regex ^http://.*/../.*
rule pattern-list 1 url-regex ^https://.*/../.*
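
The following Python is an added example, not code from the Cisco advisory or the CDS product. It evaluates the two url-regex patterns above against constructed request URLs (host names and the document root are hypothetical) to show what the service rule does and does not catch, and contrasts it with a canonicalising check of the kind a web server should apply before opening a file: percent-decode until stable, treat backslashes as separators, normalise “.” and “..”, then verify the result still lies under the document root. It assumes the appliance’s url-regex follows ordinary regex semantics, in which an unescaped “.” matches any single character.

```python
"""Added example (not from the Cisco advisory): evaluates the advisory's
url-regex workaround against constructed URLs and contrasts it with a
canonicalising docroot check. Host names and DOCROOT are hypothetical."""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# The two patterns from the advisory's service rules, copied verbatim.
# Assumption: the appliance's url-regex uses ordinary regex semantics,
# where an unescaped '.' is a wildcard for any single character.
ADVISORY_PATTERNS = [
    re.compile(r"^http://.*/../.*"),
    re.compile(r"^https://.*/../.*"),
]

DOCROOT = "/var/www/docroot"  # hypothetical document root


def rule_blocks(url: str) -> bool:
    """True if the advisory's pattern-list 1 would block this URL."""
    return any(p.match(url) for p in ADVISORY_PATTERNS)


def resolve_under_docroot(url: str, docroot: str = DOCROOT) -> Optional[str]:
    """Map the request path to a filesystem path, or return None if the
    canonical path would leave docroot.

    Percent-decodes until stable (so double encoding such as %252e does
    not survive a single pass), treats backslashes as separators, joins
    to docroot and normalises '.' / '..' segments, then checks that the
    result is still inside docroot.
    """
    path = urlsplit(url).path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    full = posixpath.normpath(posixpath.join(docroot, path.lstrip("/")))
    if full == docroot or full.startswith(docroot + "/"):
        return full
    return None


# Constructed sample requests (not captured traffic).
SAMPLE_URLS = [
    "http://cds.example/../etc/passwd",              # plain traversal
    "https://cds.example/video/../../etc/shadow",     # traversal below a real directory
    "http://cds.example/js/app.js",                   # legitimate two-character directory
    "http://cds.example/%2e%2e/etc/passwd",           # percent-encoded dots
    "http://cds.example/..%252f..%252fetc/passwd",    # double-encoded slashes
    "http://cds.example/static\\..\\..\\etc/passwd",  # backslash separators
    "http://cds.example/video/../index.html",         # harmless relative path
]


def evaluate(url: str) -> dict:
    """Run both checks on one URL and return their verdicts."""
    return {
        "url": url,
        "regex_blocks": rule_blocks(url),
        "resolved_path": resolve_under_docroot(url),
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        v = evaluate(u)
        print(f"{u:48} regex_blocks={v['regex_blocks']!s:5} "
              f"resolved={v['resolved_path']}")
```

Running it shows the trade-off in the service rule: the plain “/../” requests are blocked, but so is “/js/app.js”, while the percent-encoded and backslash variants pass the regex and only the canonicalising check rejects them.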

If you are affected by this issue or just want to read more, see http://www.cisco.com/warp/public/707/cisco-sa-20100721-spcdn.shtml.