Cisco Biannual Patch Day: Seven DoS Advisories Primarily Affect IOS

Summary:

• These vulnerabilities affect: Devices running Cisco IOS and Cisco UCM
• How an attacker exploits them: Multiple vectors of attack; in the most common, the attacker sends specially crafted network packets
• Impact: Various Denial of Service (DoS) issues, can force a Cisco device to crash, reload, or halt. One may also allow an attacker to execute code
• What to do: Administrators who manage Cisco IOS or UCM devices should download, test, and deploy the appropriate Cisco updates as soon as possible

Exposure:

Yesterday, Cisco released seven security advisories as part of their biannual patch day, which falls on the fourth Wednesday of March and September. All of these advisories cover Denial of Service (DoS) security vulnerabilities that primarily affect devices running Cisco’s Internetwork Operating System (IOS) software. IOS is the operating system that runs on most Cisco routers. That said, attackers could potentially leverage one of the IOS DoS flaws to execute code on your IOS device, potentially gaining control of it. Finally, one of the advisories also covers a DoS in Unified Communications Manager (UCM), which is Cisco’s enterprise-level, IP telephony call-processing system.

While Cisco’s IOS advisories differ technically, all of them cover vulnerabilities that attackers could exploit in DoS attacks. For a complete list of today’s Cisco advisories, check out Cisco’s Bundled Advisory for March 24th or their Security Advisories page. We summarize three of the IOS advisories below:

Cisco Document ID 111448: IOS SIP DoS and code execution vulnerabilities.

The Session Initiation Protocol (SIP) is a multimedia communication standard used to make voice and video calls over an IP network. IOS’s SIP implementation suffers from three unspecified vulnerabilities involving the way it handles SIP Messages. By sending specially crafted SIP packets, a remote attacker could exploit these vulnerabilities to either reload your IOS device, or to potentially execute code on your IOS device. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit the DoS vulnerabilities to knock your network offline. In the case of code execution, the attacker could potentially gain complete control of your IOS device.
Base CVSS Score: 10

Cisco Document ID 111265: IOS H.323 DoS vulnerabilities.

H.323 is a protocol designed to stream multimedia over a network, and often used in video conferencing. IOS’s H.323 implementation suffers from two unspecified vulnerabilities involving the way it handles H.323 traffic. By sending specially crafted H.323 packets, a remote attacker could exploit these vulnerabilities to reload your IOS device. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit these vulnerabilities to knock your network offline.
Base CVSS Score: 7.8 (10 being the most severe)

Cisco Document ID 111266: IOS IPsec DoS vulnerability.

IPsec is a VPN standard designed to allow you to securely tunnel private communications over the Internet. IOS’s IPsec implementation suffers from a flaw in the way it handles specially crafted IPsec IKE packets. By sending specially crafted IKE packets to your Cisco device, a remote attacker could exploit this vulnerability to reload your IOS device. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit these vulnerabilities to knock your network offline.
Base CVSS Score: 7.8

The remaining advisories also fix DoS flaws just as severe as the ones described above. For greater detail on all of Cisco’s March vulnerabilities, check out the individual advisories in the References section of this alert, or refer to Cisco’s bundled security advisory for March 2010.

Cisco also published an advisory describing a DoS vulnerability in their Unified Communications Manager (UCM). If you use Cisco UCM, be sure to apply these patches as well.

Solution Path:

Cisco has released patches to fix these vulnerabilities. If you use any Cisco device running IOS software or Cisco’s Unified Communications Manager (UCM), you should immediately consult the “Software Versions and Fixes” and “Obtaining Fixed Software” sections of the advisories listed in Cisco’s bundled security advisory for March 2010 to learn which fixes apply to your devices, and how to obtain them. You can also refer to the “Software Versions and Fixes” and “Obtaining Fixed Software” section of each of the individual alerts linked below.

For All WatchGuard Users:

Since these vulnerabilities can affect your router, which is typically in front of your WatchGuard firewall, the solutions above are your primary recourse.

Status:

Cisco has made fixes available.

References:

• Cisco Bundled March 2010 Security Advisory
• Cisco IOS Software H.323 Denial of Service Vulnerabilities
• Cisco IOS Software IPsec DoS Vulnerability
• Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities
• Cisco IOS Software Multiprotocol Label Switching Packet Vulnerability
• Cisco IOS Software Crafted TCP Packet Denial of Service Vulnerability
• Cisco IOS Software NAT Skinny Call Control Protocol Vulnerability
• Cisco Unified Communications Manager Express Denial of Service Vulnerabilities