From xforce@ISS.NET Sun Mar 14 05:19:11 1999
From: X-Force <xforce@ISS.NET>
To: BUGTRAQ@netspace.org
Date: Thu, 11 Mar 1999 11:44:28 -0500
Subject: ISS Security Advisory: Remote Reconfiguration and Denial of              Service Vulnerabilities in Cisco 700 ISDN Routers

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Advisory
March 11, 1999


Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700
ISDN Routers

Synopsis:

Internet Security Systems (ISS) X-Force has discovered several
vulnerabilities in Cisco Series 700 routers.  The Cisco 700 series is
popular among corporate users and telecommuters.  It is used to support
networks in small offices or home offices.  It is also recommended by
Internet Service Providers (ISPs) for personal ISDN connectivity.  Remote
attackers may issue commands to the router without authentication.  Remote
attackers may also deny network connectivity by forcing the router to
reboot.


Affected Versions:

All versions of IOS/700 on all Cisco 700 series routers are vulnerable. The
700 series includes all models in the 760 and 770 series including the 762M,
766M, 772M, and the 776M.  All international models in this series are also
vulnerable.


Description:

The Cisco 700 series was formerly known as the Combinet 750 series.  Cisco
acquired Combinet and repackaged its products as the Cisco 700 series.  The
Cisco 700 series runs a non-traditional Cisco operating system.  This
advisory is
limited to Cisco 700 series routers only.

Attackers may also take advantage of remote reconfiguration vulnerabilities
in ClickStart.  ClickStart is a small embedded web server in the IOS/700
that allows for easy remote configuration. ClickStart may allow remote
attackers to connect to the router via its web server and issue certain
commands to the router.  Attackers may also learn which type of switch is
connected to the router, as well as the telephone numbers for the ISDN
lines.  Hackers may use this information to launch further attacks.

ClickStart does not attempt to authenticate users that connect to the web
server, nor does it automatically filter connection attempts from outside
the currently configured subnet.  The 700s have the ability to filter these
attacks. For detailed filtering information, users must refer to Cisco's
on-line documentation.

Cisco 700 series is vulnerable to remote resource starvation attacks that
can immediately force the router to panic and reboot.  These attacks can be
repeated indefinitely to permanently deny service to the router.  The Cisco
700 series is also vulnerable to similar well-known denial of service
attacks.


Recommendations:

The ClickStart option is always set to "on" unless it is explicitly turned
off. The following command will disable ClickStart:

Router> set clickstart off

All affected users are urged to review the "For More Information" section of
this advisory.  Cisco urges all Cisco 77x and 76x users to upgrade to
IOS/700 version 4.3(1).  This version is not supported by the Cisco 75x
routers.  All service contract customers may download updates at the
following address:

http://www.cisco.com/cgi-bin/tablebuild.pl/760

Non-contract customers should contact Cisco Technical Assistance Center
(TAC). TAC contacts are as follows:

* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com


For more information:

Cisco has compiled a document entitled "Cisco 7xx TCP and HTTP
Vulnerabilities" that contains more specific information, as well as
workarounds for these vulnerabilities.  It is available at the following
address:

http://www.cisco.com/warp/public/770/7xxconn-pub.shtml

More extensive online documentation for the Cisco 700 series is available
at:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/750/700cr/ind
ex.htm


Credits:

These vulnerabilities were primarily researched by Dan Ingevaldson of the
ISS X-Force. ISS appreciates the assistance of the individuals at Cisco
Systems.


________

Copyright (c) 1999 by Internet Security Systems, Inc.  Permission is
hereby granted for the electronic redistribution of this Security Alert.
It is not to be edited in any way without express consent of the X-Force.
If you wish to reprint the whole or any part of this Alert Summary in any
other medium excluding electronic medium, please e-mail xforce@iss.net for
permission.

Internet Security Systems, Inc. (ISS) is the leading provider of adaptive
network security monitoring, detection, and response software that
protects the security and integrity of enterprise information systems.  By
dynamically detecting and responding to security vulnerabilities and
threats inherent in open systems, ISS's SAFEsuite family of products
provide protection across the enterprise, including the Internet,
extranets, and internal networks, from attacks, misuse, and security
policy violations.  ISS has delivered its adaptive network security
solutions to organizations worldwide, including firms in the Global 2000,
nine of the ten largest U.S. commercial banks, and over 35 governmental
agencies.  For more information, call ISS at 678-443-6000 or 800-776-2362
or visit the ISS Web site at http://www.iss.net..

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at:   http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBNufrOTRfJiV99eG9AQEmNAP+IgV6LTFvitDCJowQvZee9nzIgCy2hWHK
XuuaOPjTonUWIgeEZW9M5M/IDOiyLOh4pHoETRg+LU9zNJ80amCfDNDYDiPYnOok
RcPeU5BjMWRJ/nL0yUsbV4TBDCDNHUHUeOSdp7EY25r+aYY6eEpJXc95ERidO7uR
PTtElRd+a4M=
=aP5D
-----END PGP SIGNATURE-----