COMMAND

    Cisco Web Cache Control Protocol

SYSTEMS AFFECTED

    CISCO (all users of the Cisco Cache Engine and WCCP - read on)

PROBLEM

    The following is based on a Cisco Security Notice.  Cisco's Cisco
    Cache Engine product provides transparent caching for world-wide
    web pages retrieved via HTTP.   The  Cache  Engine  uses  a  Cisco
    proprietary protocol called the Web Cache Control Protocol  (WCCP)
    to  communicate  with  a  properly-configured  Cisco  router   and
    register as a cache service provider. The router then diverts HTTP
    traffic to the Cache Engine.

    Although this process is not  enabled by default, and takes  place
    only if a user specifically configures the router to enable  WCCP,
    there is no authentication in WCCP itself. A router configured  to
    support Cache Engines will treat any host that sends it valid WCCP
    hello packets as  a cache engine,  and may divert  HTTP traffic to
    that host. This means that  it is possible for malicious  users to
    divert web traffic passing through such a router, even though they
    may  not  have  either  physical  or  configuration  access to the
    router.   Attackers  can  cause  a  router  configured for WCCP to
    divert some or all HTTP traffic to any host they choose,  anywhere
    on the Internet. Once having done this, attackers are able to:

        - intercept  confidential information,  including site  access
          passwords
        - substitute data of their own choosing for the actual content
          of web pages
        - disrupt  web  service  for  connections passing through  the
          targeted router

    In order to do this, the attacker would either need a Cisco  Cache
    Engine or software capable of generating WCCP traffic. Cisco sells
    Cache Engines to the  general public, although a  relatively small
    number  have  been   shipped  thus  far.    The  WCCP   protocol
    specification is unpublished,  but the protocol  is not immune  to
    reverse engineering.

SOLUTION

    This attack can be avoided  by using access lists to  prevent WCCP
    traffic from untrusted hosts from reaching the router. Cisco plans
    to release  software that  supports authentication  for WCCP. This
    will involve a modification to the WCCP protocol. In order to take
    advantage of the authentication  features, customers will need  to
    upgrade the software in both  routers and Cache Engines, and  will
    need to  make some  minor configuration  changes on  both devices.
    Release  of  the  improved  software  is tentatively scheduled for
    September, 1998,  but this  schedule is  subject to  change. Cisco
    believes  that  the  workaround  described  below  will adequately
    protect Cache Engine users until the new software is ready.

    As for the workaround, WCCP runs over UDP port 2048.  By  blocking
    unauthorized  UDP  traffic  destined  to  port  2048 on the router
    running WCCP, attackers can be prevented from sending WCCP traffic
    to the router,  and therefore from  diverting any actual  traffic.
    For proper security, it's important to block all traffic  destined
    for port 2048 at any address assigned to the router, as well as at
    all broadcast addresses  for networks on  which the router  may be
    attached, and all multicast addresses  to which the router may  be
    listening. The  blocking can  be configured  either using  inbound
    access lists on the WCCP  router itself, or using access  lists or
    other filtering on surrounding devices.
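    The inbound access-list workaround written out as IOS configuration,
    added here as an illustration and not taken from the Cisco notice.
    The addresses (192.0.2.1 for the router's interface, 192.0.2.10 for
    the one trusted Cache Engine), the interface name Ethernet0 and the
    list number 101 are assumed placeholders.

```cisco
! Constructed example: 192.0.2.1 is the router's address on this
! segment and 192.0.2.10 is the only Cache Engine that should be able
! to register with it.
!
! Allow WCCP hello traffic (UDP/2048) only from the trusted Cache
! Engine, and only to the router's own address.  IOS evaluates the
! entries in order and stops at the first match, so this line must
! come before the deny.
access-list 101 permit udp host 192.0.2.10 host 192.0.2.1 eq 2048
!
! Deny UDP/2048 from every other source to any destination.  Matching
! on "any" destination covers the router's other addresses, the
! broadcast address of each attached network and any multicast group
! the router listens on, which is what the notice asks for.  The log
! keyword makes unexpected WCCP senders visible in syslog.
access-list 101 deny udp any any eq 2048 log
!
! All other traffic is unaffected by this workaround.
access-list 101 permit ip any any
!
interface Ethernet0
 ip access-group 101 in
```

    Apply the list inbound on every interface that can receive packets
    from untrusted hosts, not only on the one facing the Cache Engine,
    or implement the same filter on the surrounding devices.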