SANS Incident Handling Training

If you found the articles in this section useful and would like to look into Incident Handling training, upcoming SANS conferences in the following cities will feature the Hacker Techniques, Exploits & Incident Handling Track:

San Francisco, CA
   Dec. 15 - 20, 2002
Riyadh, Saudi Arabia
   Jan. 11 - 16, 2003
New Orleans, LA
   Jan. 13 - 18, 2003
Orlando, FL
   Feb. 4 - 9, 2003
San Diego, CA
   Mar. 7 - 12, 2003
New York, NY
   Mar. 24 - 29, 2003

Cisco IOS Vulnerability Results in Unexpected Reload
James Born
June 12, 2001

The Vulnerability

Cisco released a security advisory on May 24, 2001 describing a vulnerability in its Cisco IOS Software, Cisco Bug ID CSCds07326, reporting that "security scanning software can cause a memory error in Cisco IOS versions 12.1(2)T and 12.1(3)T that will cause a reload to occur". This vulnerability can cause service interruptions and could be exploited as a denial of service attack; Cisco advises customers using the affected IOS releases to upgrade their software immediately (http://www.cisco.com/warp/public/707/ios-tcp-scanner-reload-pub.shtml). This vulnerability is significant because the reload can be caused by an unauthorized person as well as by an authorized network administrator testing the network.

Background

Identifying network device types, their software and versions, IP addresses, etc. is the first step a hacker takes to look for vulnerabilities to exploit and gain unauthorized access to private information resources. This "footprinting" process can be followed by network scanning directed at the revealed targets with tools like traceroute (UNIX) or tracert (WinNT), or with scanning software like netcat (http://www.l0pht.com/~weld/netcat/) and nmap (http://www.insecure.org/nmap). The search for vulnerable devices commonly begins with routers, because traceroute output often terminates at a network border router or firewall, giving the hacker an initial target as well as a hint of the victim network sitting behind the router.

Scanning with the above-mentioned utilities can reveal the IP address of the router, what ports are open on it and, at times, the device make/model. Knowing the vendor make/model, for instance a Cisco 2600 router, gives a hacker enough information to pursue an attack on the device based simply on the latest technical advisory regarding known vulnerabilities of that system. Even the most conscientious network administrators, who read each security alert as it is posted, can still be beaten by a determined hacker who has targeted their system and attacks before the patch can be applied.

For instance, a router might be identified as a Cisco router from its characteristic response to a particular TCP connect attempt. Probing the Cisco finger service and the virtual terminal ports 2001, 4001 and 6001 (for example with finger -l @<host>) produces a response from the vtys that is particular to a Cisco device. Connecting to port 4001 via a web browser would give results like "User Access Verification Password: Password: Password: %Bad passwords", again a characteristic Cisco response (Hacking Exposed, pp. 429-430). These are examples of informational searches, which set the stage for an attack; next come the mapping of and/or entry into the network.

Upon finding an open port a hacker might take advantage of, for example, the SNMP read-write ILMI community string vulnerability (http://www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml). Using the snmpwalk command on a vulnerable device will reveal the SNMP objects sysName (the router hostname), sysContact (the administrator's contact name and phone number) and sysLocation (the physical location of the device). These and other objects can be changed, possibly resulting in a loss of ATM service, not to mention that these ports are vulnerable to an SNMP packet flood resulting in a denial of service attack. An alarming observation regarding SNMP security is made by the authors of Hacking Exposed, p. 430, who state, "…that in many organizations, SNMP is all but forgotten about during security reviews. Perhaps it's because SNMP runs over UDP (a commonly missed portion of the protocol stack), or maybe few administrators know about its function. Either way, SNMP can be (and usually is) missed in security reviews, leaving gaping holes for attack".

The Cisco IOS Bug

This latest Cisco alert describes an operating system flaw that hackers can exploit, but with a twist: the service interruption can also be initiated by the network's own protectors. Security scanning software used to investigate known vulnerabilities of various open ports attempts to make a TCP connection to ports 3100-3999, 5100-5999, 7100-7999, and 10100-10999. Cisco IOS software cannot be configured for services supporting these ports, nor to accept connection attempts to them. Attempts to connect to these ports cause a memory corruption in the affected IOS releases that makes the router unexpectedly reload the next time the configuration file is accessed, for example when the show running-configuration or write memory commands are executed. One indicator of the scanner-related crashes found in equipment logs was the "attempt to connect to RSHELL" error message. Cisco stated that while this bug can be used to mount a denial of service (DoS) attack, "this defect by itself does not cause the disclosure of confidential information nor allow unauthorized access". At the time this article was written the problem had not been reported to Cisco as having been used as a hacker exploit, although unexpected device reboots were reported by Cisco customers following the use of scanning software.

(http://www.cisco.com/warp/public/707/ios-tcp-scanner-reload-pub.shtml)
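As an added example (not from the advisory or this article), a small Python helper that strips the advisory's trigger port ranges from an authorized scan's port specification and counts the "attempt to connect to RSHELL" indicator per device in syslog output; the sample log lines, hostnames and exact message layout are constructed assumptions, only the port ranges and the RSHELL phrase come from the text.

```python
import re

# Port ranges the text says a TCP connect can corrupt memory on (affected IOS only).
RELOAD_TRIGGER_RANGES = [(3100, 3999), (5100, 5999), (7100, 7999), (10100, 10999)]

def in_trigger_range(port):
    """True if a connect to this port can queue the deferred reload."""
    return any(lo <= port <= hi for lo, hi in RELOAD_TRIGGER_RANGES)

def parse_port_spec(spec):
    """Expand an nmap-style spec such as '22,80,3000-3200' into sorted ints."""
    ports = set()
    for part in (p.strip() for p in spec.split(",") if p.strip()):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return sorted(ports)

def to_port_spec(ports):
    """Collapse sorted ints back into the 'a-b,c' form scanners accept."""
    out, i = [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        out.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(out)

def safe_port_spec(spec):
    """Drop the trigger ranges so an authorized scan of a not-yet-upgraded
    IOS device cannot queue the reload described above."""
    return to_port_spec([p for p in parse_port_spec(spec) if not in_trigger_range(p)])

# Constructed sample syslog lines: hostnames and timestamps are made up, and
# only the 'attempt to connect to RSHELL' phrase comes from the text above.
SAMPLE_LOG = """\
May 25 10:01:12 rtr1 12: %SYS-5-CONFIG_I: Configured from console by admin
May 25 10:02:40 rtr1 13: attempt to connect to RSHELL
May 25 10:02:41 rtr1 14: attempt to connect to RSHELL
May 25 10:03:05 rtr2 21: attempt to connect to RSHELL
"""
RSHELL_RE = re.compile(r"^\S+ +\d+ [\d:]+ (\S+) .*attempt to connect to RSHELL", re.I)

def rshell_hosts(log_text):
    """Count RSHELL connection-attempt messages per device; a hit on a device
    still on an affected release means its next config access may reload it."""
    counts = {}
    for m in filter(None, map(RSHELL_RE.match, log_text.splitlines())):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts
```

A device that shows up in rshell_hosts should be upgraded before anyone runs show running-configuration or write memory on it.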

Devices which use the Cisco IOS:

The Cisco Security Advisory lists products that use the Cisco Internetwork Operating System Software (IOS) and explains that to determine whether your device is running it you should type the show version command. Cisco IOS software will respond with "IOS" or "Internetwork Operating System Software", while other Cisco devices not running this software will either not have the show version command or will respond with different output. Below is a list of commonly used Cisco products that run the IOS software, but it is not a complete list; you should issue the show version command or call Cisco for information about your Cisco product.

  • Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 8xx, ubr9xx, 1xxx, 25xx, 26xx, 30xx, 36xx, 38xx, 40xx, 45xx, 47xx, AS52xx, AS53xx, AS58xx, 64xx, 70xx, 72xx (including the ubr72xx), 75xx, and 12xxx series.
  • Most recent versions of the LS1010 ATM switch.
  • Some versions of the Catalyst 2900XL LAN switch.
  • The Cisco DistributedDirector.

Software fixes listed by version

Upgrade your affected IOS versions according to the table below. The Advisory provides a list of affected IOS versions and their respective upgrades; some have multiple releases, and Cisco suggests using the maintenance release as soon as it becomes available.

Interim = less tested than the maintenance release; use it only if the maintenance release is unavailable, then upgrade as soon as the maintenance release becomes available.

Maintenance = the most heavily tested release and the one recommended by Cisco.


Affected version   Interim release   Maintenance release
12.1DB             none              12.1(4)DB
12.1DC             none              12.1(4)DC
12.1T              12.1(4.3)T        12.1(5)T
12.1XB             none              12.2(1)
12.1XC             none              12.2(1)
12.1XE             none              12.2(1)
12.1XF             none              12.2(1)
12.1XG             none              12.2T*
12.1XH             none              12.2(1)
12.1XI             none              12.2(1)
12.1XJ             none              12.2T*
12.1XK             none              12.2(1)
12.1XL             none              12.2(1)
12.1XP             none              12.2T*
12.1XQ             none              12.2T*
12.1XS             none              12.1(5)XS
12.1XT             none              12.2T*

* Cisco states that this release does not have a rebuild solution; therefore you should upgrade to 12.2T when it becomes available.

Significance

This vulnerability can result in an unexpected network outage which can be service affecting depending on the redundancy and configuration of your network.

In addition to the exploits mentioned above, this latest Cisco bug is significant because a service outage could be inadvertently caused by the network administrator's or a consultant's own security scan. Imagine a dedicated engineer who has convinced his superiors to pay for a security penetration check of the company network. They sign off on or initiate scanning as part of the test for known port vulnerabilities, but soon after the scans begin, or possibly not until they are completed, the network crashes. The engineer is positive that they did not bring down the network, so they begin a forensic examination to get to the root of the problem. After checking the circuits and later the device logs, they should eventually come across this technical advisory and its fix. However, explaining how you brought down your company's network, and why you did not know you could, may be a "resume generating" event, illustrating the importance of addressing exactly how security scanning and software updates are implemented for the company.

Having a thorough security policy and written permission to scan is critical insurance against such unforeseen issues. The SANS web site is an excellent starting point for information and resources regarding security policies (http://www.sans.org/newlook/resources/policies/policies.htm). There you can learn the basics of security policy content, which can include procedures for acceptable use, remote access, configuration management, data backup/storage, and disaster response, to name just a few of the topics covered on the site (http://www.sans.org/newlook/resources/policies/bssi3/index.htm).

Having proper documentation in place that is implementable and enforceable ensures that the client's needs are being addressed, and it should free the security engineer of any reservations about acting proactively to meet those needs.

Conclusion

The Cisco vulnerability described here is troubling not only because it can be exploited in an attack but also because the service interruption may just as likely originate from an unwitting, uninformed administrator. In addition, the outage may not occur during or even soon after the scan, making the initial incident analysis more difficult. This situation becomes more complicated if the company's security policy does not address authorized network scanning and if the culprit never secured proper written authorization to conduct the scan in the first place. The take-home lesson for the security engineer is to stay informed and keep up to date on the latest vulnerabilities, but more importantly to understand the policies in place and to "get it in writing".

References

  • Joel Scambray, Stuart McClure and George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (second edition), pp. 429-430, Berkeley: Osborne/McGraw-Hill, 2001.