COMMAND

    Cisco

SYSTEMS AFFECTED

    CBOS 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7 and 2.3.8.

PROBLEM

    The following is based on a Cisco Security Advisory.  Multiple
    vulnerabilities have been identified and fixed in CBOS, an
    operating system for the Cisco 600 family of routers.
    * Cisco CBOS Software contains a flaw that permits the  successful
      prediction of TCP Initial Sequence Numbers.  It only affects the
      security of TCP connections  that originate or terminate  on the
      affected Cisco device itself; it  does not apply to TCP  traffic
      forwarded through  the affected  device in  transit between  two
      other hosts.  This vulnerability  is documented as Cisco bug  ID
      CSCds16078.
    * A Cisco 600 router  may stop passing the traffic  and responding
      to the console when an ECHO REQUEST packet with the record route
      option is routed through  it.  This vulnerability  is documented
      as Cisco bug ID CSCds30150.
    * The exec and enable passwords are stored in cleartext in NVRAM.
      This vulnerability is documented as Cisco bug ID CSCdt04882.
    * When multiple,  large ECHO REPLY  packets are routed  through an
      affected Cisco  600 router,  it will  enter the  ROMMON mode and
      stop  passing  any  further  traffic.   This  vulnerability   is
      documented as Cisco bug ID CSCds74567.

    The affected models are: 627,  633, 673, 675, 675E, 677,  677i and
    678.   These  models  are  vulnerable  if  they  run  any  of  the
    following, or earlier, CBOS releases: 2.0.1, 2.1.0, 2.1.0a, 2.2.0,
    2.2.1,  2.2.1a,  2.3,  2.3.2,  2.3.5,  2.3.7  and 2.3.8.  No other
    releases of CBOS software  are affected by these  vulnerabilities.
    No other Cisco products are affected by these vulnerabilities.

    CSCds16078
    ==========
    TCP sequence numbers are 32-bit integers in the circular range  of
    0  to  4,294,967,295.   The  host  devices  at  both ends of a TCP
    connection exchange an Initial  Sequence Number (ISN) selected  at
    random  from  that  range  as  part  of  the  setup  of  a new TCP
    connection.

    This method provides reasonably good protection against accidental
    receipt of unintended data.   However, to guard against  malicious
    use,  it  should  not  be  possible  for  an  attacker  to infer a
    particular  number  in  the  sequence.   If  the  initial sequence
    number  is  not  chosen  randomly  or  if  it  is incremented in a
    non-random  manner  between  the  initialization of subsequent TCP
    sessions, then it  is possible, with  varying degrees of  success,
    to forge one half of a  TCP connection with another host in  order
    to gain  access to  that host,  or hijack  an existing  connection
    between two hosts in order  to compromise the contents of  the TCP
    connection.   To guard  against such  compromises, ISNs  should be
    generated as randomly as possible.
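    The following Python is an added illustration, not code from the Cisco
    advisory or from CBOS.  It models the weak scheme the text warns about
    (a constant increment between connections) beside a generator that draws
    each ISN uniformly from the full 32-bit range, and applies the kind of
    spread check an auditor uses to tell the two apart.  The generators,
    the 16-bit threshold and the sample sizes are constructed for the
    example; no ISN here was observed on a real device.

```python
import math
import random
from statistics import pstdev

# TCP sequence numbers live in the circular range 0 .. 4,294,967,295.
ISN_MODULUS = 2 ** 32


def isn_deltas(isns):
    """Differences between consecutive ISNs, folded into the signed range
    [-2^31, 2^31) so that wraparound at 2^32 does not look like a huge jump."""
    if len(isns) < 2:
        raise ValueError("need at least two ISNs to measure a delta")
    deltas = []
    for prev, cur in zip(isns, isns[1:]):
        d = (cur - prev) % ISN_MODULUS
        if d >= ISN_MODULUS // 2:
            d -= ISN_MODULUS
        deltas.append(d)
    return deltas


def isn_spread_bits(isns):
    """Rough difficulty estimate: log2 of the standard deviation of the deltas.
    0 means the next ISN follows directly from the previous one; values near
    30 mean the increments are spread over most of the 32-bit space."""
    sd = pstdev(isn_deltas(isns))
    return 0.0 if sd < 1.0 else math.log2(sd)


def classify_isn_source(isns, threshold_bits=16.0):
    """Label a sample of ISNs as 'predictable' or 'random' by their spread.
    The threshold is an assumption chosen for this example."""
    return "predictable" if isn_spread_bits(isns) < threshold_bits else "random"


def fixed_increment_isns(count, seed=0x1234_5678, step=64_000):
    """Models the weak scheme: a constant increment between successive
    connections.  Constructed for the example; not the CBOS algorithm."""
    return [(seed + i * step) % ISN_MODULUS for i in range(count)]


def random_isns(count, rng_seed=7):
    """Models a generator drawing each ISN uniformly from the full range.
    A seeded PRNG is used only so that the example is reproducible."""
    rng = random.Random(rng_seed)
    return [rng.randrange(ISN_MODULUS) for _ in range(count)]


if __name__ == "__main__":
    for name, sample in (("fixed increment", fixed_increment_isns(32)),
                         ("uniform random", random_isns(32))):
        print(f"{name:16s} spread={isn_spread_bits(sample):5.1f} bits "
              f"-> {classify_isn_source(sample)}")
```

    The check deliberately folds deltas into a signed range: without that,
    a generator that simply wraps past 2^32 would look random to a naive
    standard deviation even though every step is identical.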

    Forged packets  can be  injected into  a network  from a  location
    outside its  boundary so  that they  are trusted  as authentic  by
    the  receiving  host,  thus  resulting  in a failure of integrity.
    Such packets could  be crafted to  gain access or  make some other
    modification  to  the  receiving  system  in  order to attain some
    goal,  such  as  gaining  unauthorized  interactive  access  to  a
    system or compromising  stored data.   From a position  within the
    network where it  is possible to  receive the return  traffic (but
    not necessarily  in a  position that  is directly  in the  traffic
    path), a greater  range of violations  is possible.   For example,
    the contents of  a message could  be diverted, modified,  and then
    returned to the traffic flow again, causing a failure of integrity
    and a possible failure of confidentiality.

    Any compromise using this  vulnerability is only possible  for TCP
    sessions that originate or terminate on the affected Cisco  device
    itself.  It does not apply to TCP traffic that is merely forwarded
    through the device.

    CSCds30150
    ==========
    By sending ICMP ECHO REQUEST packets (ping) with the IP Record
    Route option set it is possible to freeze a Cisco 600 router.
    This can be done either by sending a specially crafted packet or
    by specifying the "-r" option in most ping programs.  The packet
    must be routed through the device rather than destined to the
    router itself.

    CSCdt04882
    ==========
    The exec and enable passwords are stored in cleartext in NVRAM.
    Similarly, they are also stored in cleartext in the configuration
    file if one is saved on a computer.  Anyone who is in a position
    to see a router's configuration, either directly from the device
    or in the file on a computer, can learn the passwords.

    This vulnerability  is corrected  by storing  only an  MD5 hash of
    the password  in both  NVRAM and  in the  configuration file,  and
    the plaintext password itself is never retained.

    Anyone  who  is  in  a  position  to see a router's configuration,
    either directly from the device or in the file on a computer,  can
    learn the exec and enable  passwords.  Armed with that  knowledge,
    an  attacker  can  log  into  the  device  and change the router's
    configuration.

    This vulnerability can be even more dangerous if the ISP is  using
    the same passwords for all of the devices which it manages.   Such
    practice,  using  the  same  passwords  for  multiple  devices, is
    strongly discouraged.
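    The Python below is an added example, not code from the advisory or
    from CBOS.  It audits a saved configuration for passwords kept in the
    clear and rewrites them the way the fix described above does, keeping
    only an MD5 digest.  The "set password exec|enable <value>" command
    syntax, the "$md5$" marker for a stored digest and the sample
    configuration are all assumptions constructed for this example.

```python
import hashlib
import hmac
import re

# Assumed config syntax and digest marker (not taken from the advisory or
# from CBOS documentation).
HASH_PREFIX = "$md5$"
PASSWORD_LINE = re.compile(r"^(\s*set password (?:exec|enable) )(\S+)\s*$")

# Constructed sample configuration, as it might be saved to a PC in cleartext.
SAMPLE_CONFIG = """\
set password exec letmein
set password enable s3cret-enable
set interface wan0-0 vpi 8
"""


def md5_hex(password):
    """The advisory's fix: keep only an MD5 digest of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def find_cleartext_passwords(config):
    """Audit helper: (line_number, line) for every password still in the clear."""
    hits = []
    for n, line in enumerate(config.splitlines(), start=1):
        m = PASSWORD_LINE.match(line)
        if m and not m.group(2).startswith(HASH_PREFIX):
            hits.append((n, line))
    return hits


def hash_config_passwords(config):
    """Rewrite cleartext password lines so only the digest remains on disk."""
    out = []
    for line in config.splitlines():
        m = PASSWORD_LINE.match(line)
        if m and not m.group(2).startswith(HASH_PREFIX):
            line = m.group(1) + HASH_PREFIX + md5_hex(m.group(2))
        out.append(line)
    return "\n".join(out) + "\n"


def stored_password(config, kind):
    """Return the value currently stored for 'exec' or 'enable', or None."""
    for line in config.splitlines():
        m = PASSWORD_LINE.match(line)
        if m and m.group(1).split()[2] == kind:
            return m.group(2)
    return None


def verify_password(stored_value, candidate):
    """Check a login attempt against a stored digest; refuses cleartext."""
    if not stored_value.startswith(HASH_PREFIX):
        raise ValueError("password stored in cleartext; hash the configuration first")
    return hmac.compare_digest(stored_value[len(HASH_PREFIX):], md5_hex(candidate))


if __name__ == "__main__":
    for n, line in find_cleartext_passwords(SAMPLE_CONFIG):
        print(f"line {n}: cleartext password -> {line}")
    print(hash_config_passwords(SAMPLE_CONFIG))
```

    Unsalted MD5 is what the advisory's fix stores; on a current system the
    same rewrite step would call a salted, deliberately slow password hash
    such as bcrypt or scrypt instead of md5_hex.  The constant-time compare
    in verify_password is independent of which digest is used.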

    CSCds74567
    ==========
    When multiple ICMP ECHO REPLY packets of non-standard size are
    passed through the affected device, the device will stop passing
    any further traffic.  Packets must be larger than the usual size
    (64 bytes), which can easily be accomplished either by crafting
    packets or by adjusting the response size, either via the command
    line or by modifying the program source.
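    As an added detection example for the two ICMP-triggered bugs above
    (CSCds30150 and CSCds74567), not code from the advisory or from CBOS,
    the Python below parses IPv4/ICMP packets and flags an ECHO REQUEST
    carrying the IP Record Route option and an ECHO REPLY whose ICMP part
    exceeds the usual 64 bytes.  The packet bytes are constructed by the
    build_ipv4_icmp helper with checksums left at zero; measuring the
    "usual size" as the ICMP header plus data is an assumption.

```python
import struct

# Constants from RFC 791/792 plus the 64-byte "usual" echo size named in
# the advisory.  All packets below are constructed samples, not captures.
ICMP_PROTO = 1
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPOPT_END = 0
IPOPT_NOP = 1
IPOPT_RECORD_ROUTE = 7
USUAL_ECHO_SIZE = 64            # 8-byte ICMP header + 56 bytes of data


def ip_option_numbers(opts):
    """Walk an IPv4 option list and return the option numbers present."""
    numbers = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_END:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated IP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad IP option length")
        numbers.append(kind & 0x1F)   # low 5 bits are the option number
        i += length
    return numbers


def inspect_packet(packet):
    """Return the advisory bug IDs whose trigger conditions this packet matches."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return []                     # not IPv4
    ihl = (packet[0] & 0x0F) * 4
    total_length = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_length > len(packet) or total_length < ihl:
        raise ValueError("malformed IPv4 header")
    if packet[9] != ICMP_PROTO or total_length - ihl < 8:
        return []                     # not ICMP, or no full ICMP header
    icmp_type = packet[ihl]
    icmp_len = total_length - ihl
    findings = []
    if icmp_type == ICMP_ECHO_REQUEST and \
            IPOPT_RECORD_ROUTE in ip_option_numbers(packet[20:ihl]):
        findings.append("CSCds30150")
    if icmp_type == ICMP_ECHO_REPLY and icmp_len > USUAL_ECHO_SIZE:
        findings.append("CSCds74567")
    return findings


def scan(packets):
    """Count matches per bug ID over a stream; CSCds74567 needs several hits."""
    counts = {}
    for pkt in packets:
        for bug in inspect_packet(pkt):
            counts[bug] = counts.get(bug, 0) + 1
    return counts


def build_ipv4_icmp(icmp_type, data, options=b""):
    """Construct a minimal IPv4/ICMP echo packet for testing (checksums zero)."""
    if len(options) % 4:
        options += bytes(4 - len(options) % 4)   # pad with End-of-Options
    ihl = 5 + len(options) // 4
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + data
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(icmp),
                         0, 0, 64, ICMP_PROTO, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + options + icmp


# Record Route option: type 7, length 39 (3 + nine 4-byte slots), pointer 4.
RECORD_ROUTE_OPTION = bytes([IPOPT_RECORD_ROUTE, 39, 4]) + bytes(36)

SAMPLE_PACKETS = [
    build_ipv4_icmp(ICMP_ECHO_REQUEST, bytes(56)),                       # ordinary ping
    build_ipv4_icmp(ICMP_ECHO_REQUEST, bytes(56), RECORD_ROUTE_OPTION),  # ping with -r
    build_ipv4_icmp(ICMP_ECHO_REPLY, bytes(56)),                         # ordinary reply
    build_ipv4_icmp(ICMP_ECHO_REPLY, bytes(1400)),                       # oversized reply
    build_ipv4_icmp(ICMP_ECHO_REPLY, bytes(1400)),
]

if __name__ == "__main__":
    print(scan(SAMPLE_PACKETS))
```

    The option walker honours NOP and End-of-Options bytes and rejects a
    length field that runs past the header, so a truncated option list
    raises instead of being silently skipped.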

SOLUTION

    These vulnerabilities  are fixed  in the  following CBOS releases:
    2.3.9,  2.4.1  and  2.4.2.   Customers  are  urged  to  upgrade to
    releases that are not vulnerable as shown in detail in the section
    below.

    The following table summarizes the CBOS software releases affected
    by  the  vulnerabilities  described  in  this notice and scheduled
    dates on which the  earliest corresponding fixed releases  will be
    available.

        +===========+================+=====================================+
        |           |                |                                     |
        |  Release  | Description or |  Availability of Repaired Releases  |
        |           |   Platform     |=====================================+
        |           |                |      General Availability (GA)      |
        +===========+================+=====================================+
        |    All    | All platforms  |      2.3.9                          |
        | releases  |                |      2001-March-19                  |
        +-----------+----------------+-------------------------------------+
        |    All    | All platforms  |      2.4.1                          |
        | releases  |                |      2000-December-11               |
        +-----------+----------------+-------------------------------------+
        |    All    | All platforms  |      2.4.2                          |
        | releases  |                |      2001-May-14                    |
        +===========+================+=====================================+