Summary:
- These vulnerabilities affect: Many devices running Cisco IOS
- How an attacker exploits them: Multiple vectors of attack; in the most common, the attacker sends specially crafted network packets
- Impact: An attacker can cause your IOS device to reload and can repeatedly exploit these flaws to cause a Denial of Service (DoS) situation
- What to do: Administrators who manage Cisco IOS devices should download, test, and deploy the appropriate Cisco updates as soon as possible
Exposure:
Over a year ago, Cisco implemented a twice-yearly patch cycle that falls on the fourth Wednesday of March and September. Yesterday marked another Cisco biannual patch day, for which they released six security advisories. Five of these advisories cover security vulnerabilities that affect devices running Cisco’s Internetwork Operating System (IOS) software. IOS is the operating system that runs on most Cisco routers and switches. The remaining advisory covers a flaw in Unified Communications Manager.
While Cisco’s IOS advisories differ in technical ways, all of them cover vulnerabilities that attackers could exploit in Denial of Service (DoS) attacks. For a complete list of today’s IOS alerts, check out the Cisco’s Bundled Advisory for September 22nd. However, we summarize three of the IOS advisories below:
Cisco Document ID 112028: Three NAT-related DoS vulnerabilities.
Cisco’s Network Address Translation (NAT) component suffers from three different DoS vulnerabilities. More specifically, the three DoS vulnerabilities have to do with how IOS NAT translates SIP, H.323, and H.225.0 traffic. Though these flaw differ technically, they essentially share the same scope and impact. By sending specially crafted packets, an unauthenticated attacker can exploit any of these flaws to cause your IOS device to reload. Furthermore, if you use a Cisco IOS router as your Internet gateway, an attacker could repeatedly exploit these vulnerabilities to knock your network offline.
Base CVSS Score: 7.8 (10 being the most severe)
Cisco Document ID 112022: IOS SIP DoS vulnerabilities.
The Session Initiation Protocol (SIP) is a popular signaling standard used by many Voice over IP (VoIP) products. Unfortunately, IOS’s SIP handling implementation suffers from three unspecified DoS vulnerabilities. By sending a specially crafted SIP message to your IOS device, an attacker could exploit this vulnerability to reload your IOS device. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit these vulnerabilities to knock your network offline. This vulnerability only affects IOS devices with SIP voice services enabled. This issue may sound similar to the flaws described above. However, this flaw actually lies within IOS’s SIP component, while the flaws above lie within IOS’s NAT component.
Average CVSS Score: 7.8
Cisco Document ID 112021: IOS H.323 DoS vulnerability.
H.323 is a standard that defines various protocols used to pass audio-visual communications across packet networks. Similar to the SIP issue above, IOS’s H.323 component suffers from two unspecified DoS vulnerabilities. By sending a specially crafted H.323 packets to your IOS device, an attacker can remotely cause a DoS condition on your IOS device.
Average CVSS Score: 7.8
The remaining two IOS advisories also fix DoS flaws just as severe as the ones described above. For greater detail on all of Cisco’s September vulnerabilities, check out the individual advisories in the References section of this alert, or refer to Cisco’s bundled security advisory for September 2010. Also, if you happen to use Cisco’s Unified Communications Manager, you should check out Cisco’s advisory describing a DoS flaw in it as well.
Solution Path:
Cisco has released patches to fix these vulnerabilities. If you use any Cisco device running IOS software, you should immediately consult the “Software Versions and Fixes” and “Obtaining Fixed Software” section of Cisco’s bundled security advisory for September 2010 to learn which fixes apply to your devices, and how to obtain them. You can also refer to the “Software Versions and Fixes” and “Obtaining Fixed Software” section of each of the individual alerts linked below.
For All Users:
Since these vulnerabilities can affect your router, which is typically in front of your firewall, the solutions above are your primary recourse.
Status:
Cisco has made fixes available.
References:
- Cisco Bundled Security Advisory September 2010
- Cisco IOS NAT DoS Vulnerabilities
- Cisco IOS IGMP3 DoS Vulnerability
- Cisco IOS SIP DoS Vulnerabilities
- Cisco IOS H.323 DoS Vulnerabilities
- Cisco IOS SSL VPN DoS Vulnerability
- Cisco Unified Communications Manager SIP DoS Vulnerabilities
This alert was researched and written by Corey Nachreiner, CISSP.