Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Cisco :: ciaci020.txt

Cisco 7xx Password Buffer Overflow




-----BEGIN PGP SIGNED MESSAGE-----

__________________________________________________________
                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                      Cisco 7xx password buffer overflow

December 16, 1997 22:00 GMT                                       Number I-020
______________________________________________________________________________
PROBLEM:       A Cisco 7xx password buffer overflow problem exist that can
               allow an attacker to:
                    1.)crash or reboot the router
               or it may be possible but not verified:
                    2.)reconfigure or modify its functionality
                    3.)hang router up indefinitely
PLATFORM:      Cisco 7xx routers running ISO/700 sofware version 4.1(1),
               4.1(2) or 4.1, as well as interim releases earlier than
               4.1(2.1).
DAMAGE:        Possible shut down and reboot, causing denial of service to
               users or possibly causing excessive "call flapping".
SOLUTION:      Implementation of recommended workaround
VULNERABILITY  Cisco has had no known reports of malicious exploitation of
ASSESSMENT:    this vulnerability.
______________________________________________________________________________

[ Start Cisco System, Inc. Advisory ]

- -----BEGIN PGP SIGNED MESSAGE-----


Interim Field Notice:
7xx Router Password Buffer Overflow

December 15, 1997, 17:00 US/Pacific, Revision 1

Summary
- - -----
Some Cisco 7xx routers can be crashed by connecting with TELNET and typing
very long password strings. There exists a possibility that this bug could
be exploited to take complete control of the router, rather than simply
crashing it.

Who Is Affected
- - -------------
All Cisco 7xx routers running  IOS/700 software version 4.1(1), 4.1(2), or
4.1 interim releases earlier than 4.1(2.1) are affected. Systems running
releases earlier than 4.1 are not affected. In order to exploit the
vulnerability, an attacker must have access to the password prompt. This
means that the attacker must be able to TELNET to the target router, or to
gain access to its console port.

Impact
- - ----
This vulnerability allows attackers to force 7xx routers to reboot, denying
service to legitimate users during the reboot period, and possibly causing
excessive "call flapping" as routers shut down and restart.

It is possible that including the right data at the right place in the
too-long password string could enable an attacker to take complete control
of the router. Cisco has not fully evaluated the actual feasibility of this
attack. A person who succeeded in such an attack would be able to
reconfigure the router or modify its functionality, theoretically in any way
at all.

It is also possible that certain data strings, while not permitting total
control of the router, could cause it to hang indefinitely rather than
crashing, or to malfunction in other ways. Cisco has not fully evaluated the
possible effects of all possible data strings.

Details
- - -----
This vulnerability has been assigned bug ID CSCdj66458.

Insufficient bounds checking on the data buffer used for password input
allows the incoming password to exceed the buffer size, overwriting the
contents of memory beyond the end of the buffer. When the system tries to
use the now-incorrect data in that memory, unpredictable results occur. If
the data are randomly chosen, this unpredictable behavior can be expected to
result in the detection of errors, such as accesses to illegal addresses,
which result in system crashes. It might be possible to craft a data string
that, instead of creating detectable errors, caused particular system
behavior desired by the attacker.

Affected Cisco IOS/700 Software Versions
- - --------------------------------------
This vulnerability affects systems running IOS/700 version 4.1 releases,
including 4.1(1), 4.1(2), and 4.1 interim releases earlier than 4.1(2.1).
IOS/700 releases other than 4.1 are not affected.

Planned Software Fixes
- - --------------------
Cisco is presently testing a software fix for this problem. We expect the
fix to be ready for customer use by December 24, 1997. Because of the
exigencies of the software development and testing process, we cannot
guarantee this date. Please check the copy of this notice on Cisco's Web
page for updated information about the status of the fixed release. When the
fixed software is available, this page will include instructions for
obtaining it. Cisco will be making the fixed software available to all
IOS/700 customers who are presently running 4.1 software, regardless of
contract status.

Workaround
- - --------
The vulnerability may be avoided by controlling access to the system console
port, and by restricting access to the TELNET facility to trusted hosts.

TELNET access may be restricted either by using filters on firewalls or
surrounding routers, or by using filters on the 7xx router itself. To
restrict access to the TELNET service on a 7xx router running 4.1(x)
software to a single trusted management host, use the command

  set ip filter tcp in source = not trusted-ip-address destination = 7xx-
address:23 block

The command should be applied in every profile that may be active when the
router is connected to a potentially hostile network.

Exploitation and Public Announcements
- - -----------------------------------
Cisco has had no known reports of malicious exploitation of this
vulnerability.

This vulnerability has been discussed on the "bugtraq@netspace.org" mailing
list, and is therefore certain to be widely known in the cracker community.
The first public announcement of this vulnerability of which Cisco is aware
was on December 11, 1997.

The vulnerability can be exploited to crash systems with no special tools or
knowledge; no exploitation program as such is required.

Assuming that it is possible to exploit the vulnerability to take total
control of the system, an exploitation program would be needed in order to
do so. A person seeking to develop such an exploitation program would need
to be a competent assembly language programmer. She would also need detailed
knowledge of the internal workings of the IOS/700 software and/or the 7xx
router hardware. Such knowledge has not been made public by Cisco, but could
be obtained by reverse engineering or by theft of trade secrets from Cisco.

Status of This Notice
- - -------------------
This is an interim field notice. Because Cisco customers are in immediate
need of timely information about the issues addressed, this notice has been
issued with less review and less fact-checking than is customary in
corporate public statements. Although Cisco believes all statements in this
notice to be correct, readers must understand that the potential for error
does exist. Errors may include both factual errors and errors of editing,
formatting, and emphasis. Readers of this notice rely on the information
herein at their own risk.

This notice will be updated as more information becomes available. The
status of this notice will be changed from interim to final when complete,
fully verified information is available.

Distribution
- - ----------
The initial version of this notice is being sent to the following Internet
mailing lists and newsgroups:

   * cisco@spot.colorado.edu
   * comp.dcom.sys.cisco
   * bugtraq@netspace.org
   * first-teams@first.org (includes CERT/CC)

Future versions of this notice will be posted on Cisco's Web site, but will
not be actively announced on mailing lists or newsgroups. Users concerned
about this problem are encouraged to check the Web site for updates.

This notice will be posted in the "Field Notices" section of Cisco's
Worldwide Web site, which can be found under "Technical Tips" in the
"Software and Support" section. The URL is
http://www.cisco.com/warp/public/770/pwbuf-pub.shtml. The copy on the
Worldwide Web will be updated as appropriate.

Revision History
- - --------------
 Revision 1, 17:00,  Initial version.
 15-DEC-1997

Cisco Security Procedures
- - -----------------------
Please report security issues with Cisco products, and/or sensitive security
intrusion emergencies involving Cisco products, to security-alert@cisco.com.
Reports may be encrypted using PGP; public RSA and DSS keys for
security-alert@cisco.com are on the public PGP keyservers.

The alias security-alert@cisco.com is used only for reports incoming to
Cisco. Mail sent to security-alert@cisco.com goes only to a very small group
of users within Cisco. Neither outside users nor unauthorized Cisco
employees may subscribe to security-alert@cisco.com. We will shortly be
creating a security announcement mailing list for outgoing information. When
that list is created, an announcement will be sent to appropriate Internet
forums.

Please do not use security-alert@cisco.com for configuration questions, for
security intrusions that you do not consider to be sensitive emergencies, or
for general, non-security-related support requests. We do not have the
capacity to handle such requests through this channel, and will have to
refer them to Cisco's Technical Assistance Center, delaying response to your
questions. We advise contacting the Technical Assistance Center directly
with this type of question.

- - ------------------------------------------------------------------------
This notice is copyright 1997 by Cisco Systems, Inc. This notice may be
redistributed freely provided that redistributed copies are complete and
unmodified, including all date and version information.
- - ------------------------------------------------------------------------

- -----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNJX7ZwyPsuGbHvEpAQGxlAf9Ge17KxUheGFPJt7rNHjZQhf8cLM0Xzz5
POu7RklgnE9/L23nFyyzsn1x6nEq4OK/P33q2uI9dERRzcaPlZnAgmpSj+bTul8n
/QZ8jJKJfXK11q1Hu+OWk3F25Dk4cyxXC5ftNqk/tEaHzBSXTFUIDnYs73h9S2Hv
CKzCJioemiFAeTecssivxbwCM2UbZHYHIBNfb0TqfqQoyh2i7AGSbYkBwdD+wNar
r//qBMGVraUbKGQIsK9q5WZJltignt5Wv6nOZ2WcEBW1xS69Mxqiml4P+I7/7oV9
3y/c5A/V4vVsfCfoTYgOivw11gj/U9DgPW65J6jcSPaiYu8RGbGaZw==
=HxeU
- -----END PGP SIGNATURE-----

[******  End Cisco System, Inc. Advisory ******]

______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Cisco Systems, Inc. for the
information contained in this bulletin.
______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (198.128.39.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, ciac-notes, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-notes

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

I-010: HP-UX CDE Vulnerability
I-011: IBM AIX portmir command Vulnerability
I-012: IBM AIX ftp client Vulnerability
I-013: Count.cgi Buffer Overrun Vulnerabiliity
I-014: Vulnerability in GlimpseHTTP and WebGlimpse cgi-bin Packages
I-015: SGI IRIX Vulnerabilities (syserr and permissions programs)
I-016: SCO  /usr/bin/X11/scoterm Vulnerability
I-017: statd Buffer Overrun Vulnerability
I-018: FTP Bounce Vulnerability
I-019: Tools Generating IP Denial-of-Service Attacks


-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBNJmZsbnzJzdsy3QZAQGQ3QQAuedpQGsq8kHm5UEG2bJD/puN3Dottns6
6iv+hwh3BwuJ5InsvHq6d/uEIayd6z7p9Qs18bGsp2DvRkBLHXDIPnxwE6JvmJSh
YlfiGqzib+HPPisj7GznwkBYmZjM215JJ+79cGuh0yvKwhO9iem56s+thskRFrz0
LXJST78rdHE=
=bAhW
-----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH