
ISS Security Advisory March 24, 1999

Posted Mar 25, 1999

Internet Security Systems (ISS) X-Force has discovered several vulnerabilities in Cisco Catalyst Series Ethernet Switches running the Cisco fixed configuration switch software. Cisco Catalyst switches are commonly used in high volume production environments supporting high-end servers and virtual LAN configurations.

SHA-256 | 48e3f2a6e76e64e2f9f554d67956faf85d1d1f56a81006fcaf8dcc1ff9af41c8


From xforce@iss.net Thu Mar 25 00:35:56 1999
From: X-Force <xforce@iss.net>
To: alert@iss.net
Cc: X-Force <xforce@iss.net>
Date: Wed, 24 Mar 1999 10:58:36 -0500 (EST)
Subject: ISSalert: ISS Security Advisory: Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet Switches



-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Advisory
March 24, 1999


Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet
Switches

Internet Security Systems (ISS) X-Force has discovered several
vulnerabilities in Cisco Catalyst Series Ethernet Switches running the Cisco
fixed configuration switch software. Cisco Catalyst switches are commonly
used in high volume production environments supporting high-end servers and
"virtual LAN" configurations.


Affected Models:

Catalyst 1200, 2900, 5000, and 5500 series switches are affected. The
Catalyst 2900XL and Catalyst 2926 are not affected.


Vulnerable Software Versions:

Catalyst 1200 family supervisor software versions up to and including 4.29
are vulnerable.

Catalyst 2900 family supervisor software revisions up to and including
2.1(5) are vulnerable.

Catalyst 5000 and 5500 family supervisor software revisions up to and
including 2.1(5) are vulnerable.

For the 2900, 5000, and 5500 series, minor revisions 2.1(501) and 2.1(502)
are also vulnerable.


Recommendations:

Upgrade your switch to the most recent version of the Catalyst switch
software, or any version that is not vulnerable. All affected users are
urged to review the "For More Information" section of this advisory.

Free fixes are available from Cisco Systems. Service contract customers can
download new versions of switch software at:

http://www.cisco.com/kobayashi/sw-center/sw-switching.shtml

Non-contract customers should contact the Cisco Technical Assistance Center
(TAC). TAC contacts are:

* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com

An immediate workaround involves removing the IP address from the vulnerable
switch hardware. This workaround has the negative effect of disabling remote
management of the switch.

ISS X-Force recommends that border routers and firewalls are configured to
block all traffic to the vulnerable switches from untrusted sources.


Description:

The Cisco Catalyst 5000 Series Ethernet Switches run fixed configuration
switch software. This software operates an undocumented TCP service. Sending
a carriage return character to this port causes the switch to immediately
reset. An attacker may repeat this action indefinitely, causing a denial of
network services. The switch software does not provide any IP filtering
options to prevent this type of attack.


Credits:

These vulnerabilities were primarily researched by Josh Sierles and Chris
Stach of the ISS X-Force. ISS appreciates the assistance of the individuals
at Cisco Systems.


For more information:

Cisco's public advisory including detailed fix and support information is
located at: http://www.cisco.com/warp/public/770/cat7161-pub.shtml

Documentation on Cisco Catalyst switches is available at:
http://www.cisco.com/univercd/cc/td/doc/product/lan/index.htm

___________

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of X-Force. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer:

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html,
as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to: X-Force
<xforce@iss.net> of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBNvkLHjRfJiV99eG9AQFuHQP/TfumLTSwGdkog2q15aWvV7ilcRBolfmD
2zuM8clvNRRkr2GXKHp1z80IlSI6C1F+3XTPSoBiRXOR7uD2IV0SkFzvr0WC2tMx
UmL5k9EUBBGhHtmQUm5UM2JcSnGEHrTR7WWoX7Xac1EThjbQqPrj91MairHhumT0
qJWuMRUvr9Y=
=4KdT
-----END PGP SIGNATURE-----
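
An added example, not part of the ISS advisory or of Cisco's materials: a Python check that applies the advisory's "Vulnerable Software Versions" list to a switch inventory, including the 2.1(501) and 2.1(502) revisions that sort above 2.1(5) but are still vulnerable. The inventory rows, the function names and the "review" and "not listed" verdicts are assumptions of this example, as is comparing version components as integers.

```python
import re

# Last vulnerable release per series, from "Vulnerable Software Versions".
LAST_VULNERABLE = {"1200": (4, 29, 0), "2900": (2, 1, 5),
                   "5000": (2, 1, 5), "5500": (2, 1, 5)}
# Minor revisions the advisory lists as vulnerable although they sort above 2.1(5).
ALSO_VULNERABLE = {(2, 1, 501), (2, 1, 502)}
ALSO_APPLIES_TO = {"2900", "5000", "5500"}
# Models the advisory states are not affected.
NOT_AFFECTED = {"2900XL", "2926"}
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\((\d+)\))?\s*$")

def parse_version(text):
    """Parse '4.29' or '2.1(5)' into (major, minor, revision); None if malformed."""
    m = VERSION_RE.match(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None

def assess(series, version):
    """Return 'not affected', 'vulnerable', 'not listed' or 'review'."""
    series = series.strip().upper()
    if series in NOT_AFFECTED:
        return "not affected"
    limit = LAST_VULNERABLE.get(series)
    parsed = parse_version(version)
    if limit is None or parsed is None:
        return "review"  # series not named in the advisory, or unreadable version
    if series in ALSO_APPLIES_TO and parsed in ALSO_VULNERABLE:
        return "vulnerable"
    return "vulnerable" if parsed <= limit else "not listed"

# Constructed inventory: hostnames and versions are made up for this example.
INVENTORY = [
    ("core-sw1", "5000", "2.1(5)"),
    ("core-sw2", "5500", "2.1(502)"),
    ("dist-sw1", "2900", "2.1(6)"),
    ("edge-sw1", "1200", "4.29"),
    ("edge-sw2", "1200", "4.30"),
    ("lab-sw1", "2900XL", "2.1(5)"),
    ("lab-sw2", "5000", "unknown"),
]

def audit(inventory):
    """Map each hostname to its verdict."""
    return {host: assess(series, version) for host, series, version in inventory}

if __name__ == "__main__":
    for host, verdict in audit(INVENTORY).items():
        print(f"{host:10} {verdict}")
```

A "not listed" verdict means only that the version falls outside the ranges this advisory names; Cisco's public advisory remains the reference for fixed releases.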