COMMAND
CISCO (CBOS)
SYSTEMS AFFECTED
CBOS 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7 and 2.3.8.
PROBLEM
Following is based on a Cisco Security Advisory. Multiple
vulnerabilities have been identified and fixed in CBOS, an
operating system for the Cisco 600 family of routers:
* Any router in the Cisco 600 family that is configured to
allow Web access can be locked by sending a specific URL.
Web access is disabled by default, and it is usually enabled
in order to facilitate remote configuration. This defect is
documented as Cisco bug ID CSCdr98772.
* By sending a stream of TCP SYN packets to the router, it is
possible to exhaust all available TCP sockets. The
consequence is that no new TCP sessions addressed to the
router will be established. The difference between this
vulnerability and a SYN Denial-of-Service attack is that
this one can be accomplished by a slow stream of packets
(one per second). This defect is documented as Cisco bug
ID CSCds59206.
* Invalid login attempts using the Web interface are not
logged. This defect is documented as Cisco bug ID
CSCds19142.
* It is possible to lock up the router by sending a large ICMP
ECHO (PING) packet to it. This defect is documented as
Cisco bug ID CSCds23921.
The affected models are: 627, 633, 673, 675, 675E, 677, 677i and
678. These models are vulnerable if they run any of the
following, or earlier, CBOS releases: 2.0.1, 2.1.0, 2.1.0a, 2.2.0,
2.2.1, 2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7 and 2.3.8. No other
releases of CBOS software are affected by these vulnerabilities, and
no other Cisco products are affected by them.
CSCdr98772
==========
The behavior is caused by inadequate URL parsing in CBOS. Each
URL was expected to terminate with a minimum of a single space
character (ASCII code 32, decimal). Sending a URL that does not
terminate with a space causes CBOS to enter an infinite loop. It
is necessary to power cycle the router to resume operation.
In order to exploit this vulnerability, a router must be
configured to accept Web connections. Having a Web access
password configured does not provide protection against this
vulnerability.
Note: Cisco states that Web access on all Cisco 600 routers is
disabled by default and must be explicitly enabled. However, the
web access interface of the 675 has been found ENABLED BY DEFAULT
in every CBOS image seen (2.0.x, 2.1.x, 2.2.x), so 675 owners should
verify the setting rather than rely on the default.
By sending a tailored URL to a router, it is possible to cause a
Denial-of-Service. Every affected router must be powered off and
back on in order to restore its normal functionality.
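The following is an added illustration, not CBOS code and not a reproduction of the actual CSCdr98772 defect. It shows the class of bug the advisory describes (a request-line scan that only stops when it sees the space that should follow the URL) beside the bounded form a firmware parser should use. The ring size, the URL length limit, the function names and the two sample requests are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RX_RING 256   /* assumed receive ring size for the illustration; not a CBOS value */
#define MAX_URL 128   /* assumed URL length limit for the illustration */

/*
 * Vulnerable pattern (the shape of the bug, not CBOS's code): the scan stops
 * only when it finds a space.  A request whose URL is not followed by a space
 * makes i wrap around the ring forever.  Never call this on untrusted data.
 */
size_t url_end_unbounded(const uint8_t ring[RX_RING], size_t start)
{
    size_t i = start;
    while (ring[i % RX_RING] != ' ')
        i++;                      /* nothing bounds i: infinite loop */
    return i;
}

/*
 * Hardened form: the scan is bounded by the bytes actually received (rx_len)
 * and by a maximum URL length; an unterminated or overlong URL is rejected
 * instead of being waited for.  Returns the URL length, or -1 to reject.
 */
int url_end_bounded(const uint8_t *buf, size_t rx_len, size_t start, size_t max_url)
{
    size_t limit = rx_len;
    if (limit > start + max_url)
        limit = start + max_url;
    for (size_t i = start; i < limit; i++)
        if (buf[i] == ' ')
            return (int)(i - start);
    return -1;
}

/*
 * Parse "GET <url> <version>" from a received buffer, copying the URL into
 * out.  Returns 0 on success, -1 when the request is malformed, overlong, or
 * has no space after the URL.
 */
int parse_request_line(const uint8_t *buf, size_t rx_len, char *out, size_t out_sz)
{
    static const char method[] = "GET ";
    size_t mlen = sizeof method - 1;
    if (rx_len < mlen || memcmp(buf, method, mlen) != 0)
        return -1;
    int n = url_end_bounded(buf, rx_len, mlen, MAX_URL);
    if (n < 0 || (size_t)n + 1 > out_sz)
        return -1;
    memcpy(out, buf + mlen, (size_t)n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed requests: one well-formed, one with no space after the URL. */
    const char good[] = "GET /index.html HTTP/1.0\r\n";
    const char bad[]  = "GET /index.html";
    char url[MAX_URL + 1];

    int rc = parse_request_line((const uint8_t *)good, sizeof good - 1, url, sizeof url);
    printf("well-formed request: rc=%d url=%s\n", rc, rc == 0 ? url : "(rejected)");
    rc = parse_request_line((const uint8_t *)bad, sizeof bad - 1, url, sizeof url);
    printf("unterminated request: rc=%d\n", rc);
    return 0;
}
```

The point of the bounded version is that the parser never waits for a byte that may never arrive: a request that has not produced a space within the received data, or within the maximum URL length, is an error to be dropped, not a condition to loop on.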
CSCds59206
==========
By sending a stream of SYN packets addressed to the router, it is
possible to exhaust all available TCP sockets within CBOS. This
is due to a memory leak in CBOS. Once a router is in a state where
it cannot accept a new connection, it can be kept in that state by
a slow stream of SYN packets until the router is rebooted. The
stream can be as slow as one packet per second, so one machine with
a 64Kb connection can tie up approximately 150 routers.
Note: This does not affect non-TCP traffic. All User Datagram
Protocol (UDP) and Internet Control Message Protocol (ICMP)
packets can be handled by a router without any problems. Existing
and new TCP sessions that pass through the router are not
affected; only TCP sessions addressed to the router itself are.
When an attacking stream is terminated, a router recovers itself
within a few minutes.
An attacker can thus prevent all TCP access to a router, which
blocks all attempts at remote router administration for as long as
the stream continues.
CSCds19142
==========
Using the Cisco Web Management interface, it is possible to keep
guessing an access password without those password attempts being
logged. A password may be either "exec-only" or "enable". A user
with an "exec-only" password cannot change a router configuration.
Long-term, brute-force password guessing can therefore be performed
without being noticed. When the correct password is guessed, it can
be used to view or modify the router configuration. This is
particularly dangerous in installations where multiple routers
share the same password, since one guessed password compromises all
of them.
CSCds23921
==========
By sending a large (at least 65500 bytes in size) ICMP ECHO (PING)
packet to the router itself, it is possible to overflow an
internal variable and cause a router lockup. Packets routed
through the router do not trigger the defect; only packets
addressed to the router itself do.
It is possible to lock up the router, thus causing a DoS. Every
affected device must be powered off and back on in order to
restore its normal functionality.
SOLUTION
These defects will be fixed in the following CBOS releases:
2.3.5.015, 2.3.7.002, 2.3.9 and 2.4.1.
The following table summarizes the CBOS software releases affected
by the defects described in this notice and scheduled dates on
which the earliest corresponding fixed releases will be available.
Dates are tentative and subject to change.
+===========+================+==============================================+
| | | |
| Release | Description or | Availability of Repaired Releases* |
| | Platform |==================+===========================+
| | | Patch release** | General Availability (GA) |
+===========+================+==================+===========================+
| All | 627, 633, 673 | 2.3.5.015 | |
| releases | 675, 677, 678 | 2000-DEC-11 | |
+-----------+----------------+------------------+---------------------------+
| 2.3.7.001 | 677i | 2.3.7.002 | |
| | | 2000-DEC-11 | |
+-----------+----------------+------------------+---------------------------+
| All | All platforms | | 2.3.9 |
| releases | | | 2001-JAN |
+-----------+----------------+------------------+---------------------------+
| All | All platforms | | 2.4.1 |
| releases | | | 2000-DEC-11 |
+===========+================+==================+===========================+
| Notes |
+===========================================================================+
|* All dates are estimated and subject to change. |
+---------------------------------------------------------------------------+
|** Patch releases are subjected to less rigorous testing than regular |
| GA releases, and may have serious bugs. |
+===========================================================================+
QWest DSL customers should be aware that QWest does not support the
fixed CBOS versions. Therefore the sizable QWest DSL customer
base is likely to remain vulnerable. QWest only supports 2.2.0,
and there are several issues relating to higher versions of
CBOS on a 675 that connects through a QWest DSLAM.
Workarounds:
CSCdr98772
==========
There are two workarounds for this vulnerability. The potential
for exploitation can be lessened by ensuring that Web access to
the router is limited to a legitimate IP address. This can be
done by entering the following commands while in enable mode:
cbos# set web remote 10.0.0.1
cbos# set web remote enabled
where 10.0.0.1 is the address of the host with a legitimate need
for Web access to the router. This only reduces exposure: any
request arriving from (or appearing to come from) that address can
still trigger the defect. Alternatively, disabling Web access
completely will prevent this vulnerability from being exploited.
This can be done by entering the following command while in enable
mode:
cbos# set web remote disable
CSCds59206
==========
There is no workaround for this vulnerability.
CSCds19142
==========
The Web Management interface can be disabled by entering the
following commands in enable mode:
cbos# set web remote disable
CSCds23921
==========
All incoming ICMP ECHO (PING) packets destined to the router
itself should be denied. That can be achieved with the following
commands:
cbos# set filter <number> on deny incoming all 0.0.0.0 0.0.0.0 <eth0_IP_address> 255.255.255.255 protocol ICMP
cbos# set filter <number+1> on deny incoming all 0.0.0.0 0.0.0.0 <wan0_IP_address> 255.255.255.255 protocol ICMP
where <number> is a free filter number between 0 and 17, and
<eth0_IP_address> and <wan0_IP_address> are the router's own
addresses on the Ethernet and WAN interfaces. Note that these
filters deny every ICMP type addressed to the router, not only ECHO
requests, so the router will also stop answering pings used for
monitoring.