COMMAND

    CISCO (CBOS)

SYSTEMS AFFECTED

    CBOS 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7 and 2.3.8.

PROBLEM

    Following  is  based  on  a  Cisco  Security  Advisory.   Multiple
    vulnerabilities  have  been  identified  and  fixed  in  CBOS,  an
    operating system for the Cisco 600 family of routers:

        * Any  router in  the Cisco  600 family  that is configured to
          allow Web access  can be locked  by sending a  specific URL.
          Web access is disabled by default, and it is usually enabled
          in order to facilitate remote configuration.  This defect is
          documented as Cisco bug ID CSCdr98772.
        * By sending a stream of TCP SYN packets to the router, it  is
          possible  to  exhaust  all   available  TCP  sockets.    The
          consequence is  that no  new TCP  sessions addressed  to the
          router will  be established.   The difference  between  this
          vulnerability  and  a  SYN  Denial-of-Service attack is that
          this one  can be  accomplished by  a slow  stream of packets
          (one per second).   This defect is  documented as Cisco  bug
          ID CSCds59206.
        * Invalid  login  attempts  using  the  Web interface are  not
          logged.   This  defect  is   documented  as  Cisco  bug   ID
          CSCds19142.
        * It is possible to lock up the router by sending a large ICMP
          ECHO  (PING)  packet  to  it.  This  defect is documented as
          Cisco bug ID CSCds23921.

    The affected models are: 627, 633, 673, 675, 675E, 677, 677i and
    678.  These models are vulnerable if they run any of the following,
    or earlier, CBOS releases: 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1,
    2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7 and 2.3.8.  No other releases of
    CBOS software and no other Cisco products are affected by these
    vulnerabilities.

    CSCdr98772
    ==========
    The behavior is caused by inadequate URL parsing in CBOS.  Each URL
    was expected to terminate with a minimum of a single space character
    (ASCII code 32, decimal).  Sending a URL that does not terminate with
    a space causes CBOS to enter an infinite loop.  It is necessary to
    power cycle the router to resume operation.

    In  order  to  exploit  this  vulnerability,  a  router  must   be
    configured  to  accept  Web  connections.   Having  a  Web  access
    password  configured  does  not  provide  protection  against this
    vulnerability.

    Note: Web access on all Cisco 600 routers is disabled by default and
    must be explicitly enabled.  However, the web access interface of the
    675 is ENABLED BY DEFAULT in every CBOS image seen (2.0.x, 2.1.x,
    2.2.x).

    By sending a tailored URL to  a router, it is possible to  cause a
    Denial-of-Service.  Every affected router must be powered off  and
    back on in order to restore its normal functionality.
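    The defect class behind CSCdr98772 is a scan for a terminator that has
    no bound.  The following is an added example, not Cisco code (the
    advisory does not show the CBOS parser): a request-line parser in
    which every search for a separator is bounded by the bytes actually
    received and by fixed maxima, so a URL with no terminating space is
    rejected with an error instead of being searched for indefinitely.
    MAX_REQUEST_LINE and MAX_URL are assumed limits chosen for the
    illustration.

```python
"""Bounded HTTP request-line parsing, modelling the fix pattern for a
'scan until space' defect.  Added example; not the CBOS implementation."""
from typing import NamedTuple, Optional, Tuple

MAX_REQUEST_LINE = 2048   # assumption: most bytes the server will buffer for one line
MAX_URL = 1024            # assumption: longest URL the server will accept


class RequestLine(NamedTuple):
    method: bytes
    url: bytes
    version: bytes


class RequestError(Exception):
    """Raised with a short reason when the request line is rejected."""


def parse_request_line(data: bytes) -> RequestLine:
    """Parse 'METHOD SP URL SP VERSION CRLF' from the start of *data*.

    Each scan has an explicit end: the received buffer, MAX_REQUEST_LINE
    and MAX_URL.  Malformed input (no CRLF, no space after the URL, an
    overlong URL) raises RequestError; nothing here can loop forever."""
    # Look for the end of the line only within the permitted length.
    end = data.find(b"\r\n", 0, MAX_REQUEST_LINE + 2)
    if end < 0:
        raise RequestError("no CRLF within request-line limit")
    line = data[:end]

    # First separator: method must be non-empty and followed by a space.
    sp1 = line.find(b" ")
    if sp1 <= 0:
        raise RequestError("missing space after method")

    # Second separator: bounded search.  A URL that is not terminated by a
    # space within MAX_URL bytes is an error, not a reason to keep scanning.
    sp2 = line.find(b" ", sp1 + 1, sp1 + 1 + MAX_URL + 1)
    if sp2 < 0:
        raise RequestError("URL not terminated by a space within limit")

    method, url, version = line[:sp1], line[sp1 + 1:sp2], line[sp2 + 1:]
    if not url or b" " in version or not version.startswith(b"HTTP/"):
        raise RequestError("malformed URL or version")
    return RequestLine(method, url, version)


def try_parse(data: bytes) -> Tuple[Optional[RequestLine], Optional[str]]:
    """Convenience wrapper: (RequestLine, None) on success, (None, reason) otherwise."""
    try:
        return parse_request_line(data), None
    except RequestError as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Constructed inputs: a well-formed line and the no-trailing-space case.
    for raw in (b"GET /index.html HTTP/1.0\r\n", b"GET /index.html\r\n"):
        parsed, reason = try_parse(raw)
        print(raw, "->", parsed if parsed else f"rejected: {reason}")
```

    The parser deliberately rejects HTTP/0.9-style lines ("GET /" with no
    version), which an embedded management server has no need to accept;
    the point is that every not-found result is handled as an error path
    rather than assumed impossible.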

    CSCds59206
    ==========
    By sending a stream of SYN packets addressed to the router, it is
    possible to exhaust all available TCP sockets within CBOS.  This is
    due to a memory leak in CBOS.  Once a router is in a state where it
    cannot accept a new connection, it can be held in that state by a
    slow stream of SYN packets until the router is rebooted.  The stream
    can be as slow as one packet per second, so one machine with a 64Kb
    connection can hold up approximately 150 routers.

    Note: This does not affect non-TCP traffic.  All User Datagram
    Protocol (UDP) and Internet Control Message Protocol (ICMP) packets
    can be handled by a router without any problems.  Existing and new
    TCP sessions through the router are not affected.

    When an attacking stream  is terminated, a router  recovers itself
    within a few minutes.

    It is possible to prevent all TCP access to a router.  This blocks
    all attempts at remote router administration.

    CSCds19142
    ==========
    Using the Cisco Web Management  interface, it is possible to  keep
    guessing an access password without those password attempts  being
    logged.  A password may be either "exec-only" or "enable".  A user
    with an "exec-only" password cannot change a router configuration.

    Long-term brute-force password guessing can therefore be performed
    without being noticed.  When the correct password is guessed, it can
    be used to view or modify the router configuration.  This may be
    particularly dangerous in installations where multiple routers share
    the same password.

    CSCds23921
    ==========
    By sending a large (at least 65500 bytes in size) ICMP ECHO (PING)
    packet to the router itself, it is possible to overflow an internal
    variable and cause a router lockup.  The router is not affected by
    packets that are merely routed through it.

    It is possible to lock up the router, thus causing a DoS.  Every
    affected device must be powered off and back on in order to restore
    its normal functionality.
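    Neither CSCds59206 nor CSCds23921 leaves a trace on the router itself
    (the box simply stops accepting TCP sessions or locks up), so the
    useful detection point is traffic monitoring in front of the device.
    The following is an added example, not Cisco code or CBOS output: two
    heuristics run over a constructed list of inbound packet records.  The
    first keys on a long-lived, low-rate stream of bare SYNs to the
    router's own addresses with no completed handshake, which a
    packets-per-second flood threshold would miss at one SYN per second.
    The second flags ICMP echo requests addressed to the router itself
    whose reassembled size reaches the 65500 bytes the advisory names.
    The router addresses, thresholds and sample traffic are all assumed.

```python
"""Detection heuristics for two CBOS denial-of-service conditions: a slow,
sustained stream of bare SYNs to the router's own addresses (CSCds59206) and
an oversized ICMP ECHO request addressed to the router itself (CSCds23921).
Added example on constructed packet records; not Cisco code or CBOS output."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed router addresses (RFC 5737 documentation ranges) standing in
# for the eth0 and wan0 addresses of a Cisco 600-series router.
ROUTER_ADDRS = frozenset({"192.0.2.1", "198.51.100.1"})

# The advisory gives 65500 bytes as the size at which the ICMP lockup occurs.
OVERSIZED_ECHO_BYTES = 65500


@dataclass(frozen=True)
class Packet:
    """One inbound packet (IP datagram after reassembly) seen at the router."""
    ts: int               # seconds
    src: str
    dst: str
    proto: str            # "tcp" or "icmp"
    flags: str = ""       # TCP flags, e.g. "S", "A", "PA"; empty for ICMP
    size: int = 0         # datagram size in bytes
    icmp_type: int = -1   # 8 = echo request


def slow_syn_sources(packets: List[Packet], router_addrs=ROUTER_ADDRS,
                     min_syns: int = 30, min_duration: int = 60,
                     max_rate: float = 5.0) -> Dict[str, Tuple[int, int]]:
    """Return {src: (syn_count, duration_s)} for sources that keep sending
    bare SYNs to a router address for at least min_duration seconds at a
    low rate and almost never follow up with an ACK.  Thresholds are
    assumptions for the illustration."""
    syns: Dict[str, int] = defaultdict(int)
    acks: Dict[str, int] = defaultdict(int)
    first: Dict[str, int] = {}
    last: Dict[str, int] = {}
    for p in packets:
        if p.proto != "tcp" or p.dst not in router_addrs:
            continue
        if p.flags == "S":
            syns[p.src] += 1
        elif "A" in p.flags:
            acks[p.src] += 1
        first.setdefault(p.src, p.ts)
        last[p.src] = p.ts
    hits: Dict[str, Tuple[int, int]] = {}
    for src, n in syns.items():
        duration = last[src] - first[src]
        if n < min_syns or duration < min_duration:
            continue                        # too short-lived to matter
        if n / (n + acks[src]) < 0.9:
            continue                        # real clients complete handshakes
        if n / duration <= max_rate:        # the slow case flood rules miss
            hits[src] = (n, duration)
    return hits


def oversized_echo_requests(packets: List[Packet], router_addrs=ROUTER_ADDRS,
                            threshold: int = OVERSIZED_ECHO_BYTES
                            ) -> List[Tuple[str, str, int]]:
    """Return (src, dst, size) for echo requests addressed to the router
    itself whose reassembled size reaches the threshold.  Echo requests
    merely routed through the device are out of scope, as in the advisory."""
    return [(p.src, p.dst, p.size) for p in packets
            if p.proto == "icmp" and p.icmp_type == 8
            and p.dst in router_addrs and p.size >= threshold]


def constructed_sample() -> List[Packet]:
    """Constructed traffic mix: one slow SYN stream, one legitimate admin
    session, a normal ping, an oversized ping, and an oversized ping that
    only transits the router."""
    pkts: List[Packet] = []
    # One bare SYN per second for two minutes, never an ACK.
    pkts += [Packet(t, "203.0.113.7", "192.0.2.1", "tcp", "S") for t in range(120)]
    # Legitimate management session: SYN, ACK, then data.
    pkts += [Packet(10, "203.0.113.5", "192.0.2.1", "tcp", "S"),
             Packet(10, "203.0.113.5", "192.0.2.1", "tcp", "A"),
             Packet(11, "203.0.113.5", "192.0.2.1", "tcp", "PA")]
    # Normal ping, then an oversized one, both to the WAN address.
    pkts += [Packet(20, "203.0.113.5", "198.51.100.1", "icmp", size=84, icmp_type=8),
             Packet(30, "203.0.113.9", "198.51.100.1", "icmp", size=65508, icmp_type=8)]
    # Oversized echo addressed to a LAN host behind the router: not flagged.
    pkts += [Packet(31, "203.0.113.9", "192.0.2.50", "icmp", size=65508, icmp_type=8)]
    return pkts


if __name__ == "__main__":
    sample = constructed_sample()
    for src, (n, dur) in slow_syn_sources(sample).items():
        print(f"slow SYN stream from {src}: {n} SYNs over {dur}s, no handshake completed")
    for src, dst, size in oversized_echo_requests(sample):
        print(f"oversized ICMP echo of {size} bytes from {src} to router address {dst}")
```

    The SYN heuristic is deliberately not a flood detector: it requires a
    long duration and a low rate, which is exactly the profile that the
    advisory says distinguishes this defect from an ordinary SYN
    Denial-of-Service.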

SOLUTION

    These  defects  will  be  fixed  in  the  following CBOS releases:
    2.3.5.015, 2.3.7.002, 2.3.9 and 2.4.1.

    The following table summarizes the CBOS software releases affected
    by the  defects described  in this  notice and  scheduled dates on
    which the earliest corresponding fixed releases will be available.
    Dates are tentative and subject to change.

        +===========+================+==============================================+
        |           |                |                                              |
        |  Release  | Description or |      Availability of Repaired Releases*      |
        |           |   Platform     |==================+===========================+
        |           |                | Patch release**  | General Availability (GA) |
        +===========+================+==================+===========================+
        |    All    | 627, 633, 673  |    2.3.5.015     |                           |
        | releases  | 675, 677, 678  |   2000-DEC-11    |                           |
        +-----------+----------------+------------------+---------------------------+
        | 2.3.7.001 | 677i           |    2.3.7.002     |                           |
        |           |                |   2000-DEC-11    |                           |
        +-----------+----------------+------------------+---------------------------+
        |    All    | All platforms  |                  |           2.3.9           |
        | releases  |                |                  |         2001-JAN          |
        +-----------+----------------+------------------+---------------------------+
        |    All    | All platforms  |                  |           2.4.1           |
        | releases  |                |                  |        2000-DEC-11        |
        +===========+================+==================+===========================+
        |                                   Notes                                   |
        +===========================================================================+
        |* All dates are estimated and subject to change.                           |
        +---------------------------------------------------------------------------+
        |** Patch releases are subjected to less rigorous testing than regular      |
        | GA releases, and may have serious bugs.                                   |
        +===========================================================================+

    Qwest DSL customers should be aware that Qwest does not support the
    fixed CBOS versions.  Therefore the sizable Qwest DSL customer base
    is likely to remain vulnerable.  Qwest only supports 2.2.0, and there
    are several issues relating to higher versions of CBOS on a 675 that
    connects through a Qwest DSLAM.

    Workarounds:
    CSCdr98772
    ==========
    There are two workarounds  for this vulnerability.   The potential
    for exploitation can  be lessened by  ensuring that Web  access to
    the router is  limited to a  legitimate IP address.   This can  be
    done by entering the following commands while in enable mode:

        cbos# set web remote 10.0.0.1
        cbos# set web remote enabled

    where 10.0.0.1 is the address  of the host with a  legitimate need
    for Web access  to the router.   Alternatively, disabling the  Web
    access completely will also prevent this vulnerability from  being
    exploited.   This can  be done  by entering  the following command
    while in enable mode:

        cbos# set web remote disable

    CSCds59206
    ==========
    There is no workaround for this vulnerability.

    CSCds19142
    ==========
    The Web Management interface can be disabled by entering the
    following command in enable mode:

        cbos# set web remote disable

    CSCds23921
    ==========
    All incoming ICMP ECHO (PING) packets destined to the router itself
    should be denied.  That can be achieved with the following commands:

        cbos# set filter number on deny incoming all 0.0.0.0 0.0.0.0 <eth0_IP_address> 255.255.255.255 protocol ICMP
        cbos# set filter number+1 on deny incoming all 0.0.0.0 0.0.0.0 <wan0_IP_address> 255.255.255.255 protocol ICMP

    where number is a free filter number between 0 and 17, and number+1
    the next free one.