-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>> CERT-NL, 01-Mar-2000                                                      <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links   <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the      <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts: http://www.cert.org                      <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Teun Nijssen                              Index  :   S-99-11
Distribution  : World                                     Page   :   1
Classification: External                                  Version:   1
Subject       : Cisco Catalyst Supervisor Remote Reload   Date   :   25-Mar-99
===============================================================================

By courtesy of Cisco Systems, Inc. we received information on a
vulnerability in Cisco Catalyst LAN switches.

CERT-NL recommends downloading and using the offered free software upgrades.

==============================================================================

Cisco Catalyst Supervisor Remote Reload

Revision 1.2

Summary
=======
A software bug (Cisco bug ID CSCdi74333) allows remote TCP/IP users to cause
reloads of Cisco Catalyst LAN switches running Catalyst 5000 supervisor
software versions from 1.0 through 2.1(5). The affected software was last
shipped with new units in early 1997. In addition to the Catalyst 5xxx
series, some, but not all, Catalyst 29xx family switches may run the
affected software; see "Who is Affected" for more information.

A similar bug, Cisco bug ID CSCdj71684, exists in the supervisor software
for the older, and now discontinued, Catalyst 12xx family, up through
software version 4.29.
Fixes are available for both bugs. The fixes have been in the field for
some time. Most Catalyst switch users have probably already installed the
fixes.

Who Is Affected
===============
The following Cisco Catalyst LAN switch models are affected by this
vulnerability--

   * The Catalyst 12xx family, running supervisor software versions up to
     and including 4.29.

   * The Catalyst 29xx family (but not the Catalyst 2900XL), running
     supervisor software versions up to and including 2.1(5), 2.1(501),
     and 2.1(502). This includes the Catalyst 2901, 2902, and 2903
     switches. Catalyst 2926 switches are not affected, because the
     Catalyst 2926 was not released until after the software fix was made.
     Catalyst 2900XL switches run unrelated software, and are not affected
     by this vulnerability.

   * The Catalyst 5xxx series (including the Catalyst 55xx family),
     running supervisor software versions up to and including 2.1(5),
     2.1(501), and 2.1(502).

Catalyst 5xxx and 29xx switches running versions 2.1(6) and later are not
affected. Catalyst 12xx switches running versions 4.30 and later are not
affected.

Some Cisco Catalyst switches include intelligent modules that run software
independent of the supervisor software. These modules, which include a
variety of media controllers as well as the route switch module (RSM), are
not affected.

Fixed software for the Catalyst 5xxx and Catalyst 29xx series began
shipping with new switches in mid-1997. Sales of the Catalyst 12xx family
were stopped before the release of software version 4.30; if you have not
upgraded your software since installing your Catalyst 12xx switch, you are
affected by this vulnerability.

The affected Cisco Catalyst LAN switches are rack-mountable units typically
found in data centers and cable closets.

Impact
======
A remote attacker who knows how to exploit this vulnerability, and who can
make a connection to TCP port 7161 on an affected switch, can cause the
supervisor module of that switch to reload.
While the supervisor is reloading, the switch will not forward traffic, and
the attack will therefore deny service to the equipment attached to the
switch. The switch will recover automatically, but repeated attacks can
extend the denial of service indefinitely.

Software Details
================
For the Catalyst 29xx and Catalyst 5xxx switches, this vulnerability has
Cisco bug ID CSCdi74333. The bug is present in all supervisor software
versions through 2.1(5), including the spot fix releases 2.1(501) and
2.1(502). The bug is fixed in 2.1(6) and later versions, including all 2.2,
2.3, and 2.4 versions, and all 3.x, 4.x, and later versions.

For the Catalyst 1200, this vulnerability has Cisco bug ID CSCdj71684. The
bug is present in all software versions through 4.29, and is fixed in 4.30
and later versions.

Getting Fixed Software
======================
Cisco is offering free software upgrades to remedy this vulnerability for
all vulnerable Catalyst 5xxx, Catalyst 29xx, and Catalyst 12xx customers,
regardless of contract status. Customers with service contracts may upgrade
to any software version. Catalyst 5xxx and Catalyst 29xx customers without
contracts may upgrade to any 2.1 version from 2.1(6) onward; 2.1(12) is
suggested. Catalyst 12xx customers without contracts may upgrade to version
4.30.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained via the Software Center on Cisco's Worldwide Web site at
http://www.cisco.com.

Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

   * +1 800 553 2447 (toll-free from within North America)
   * +1 408 526 7209 (toll call from anywhere in the world)
   * e-mail: tac@cisco.com

Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested through
the TAC.
Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

Workarounds
===========
This vulnerability may be worked around by assigning no IP addresses to
affected Cisco Catalyst switches. However, this workaround will have the
effect of disabling all remote management of those switches.

Another possible workaround is to use the filtering capabilities of
surrounding routers and/or dedicated firewall devices to prevent untrusted
hosts from making connections to TCP port 7161 on affected switches.

Exploitation and Public Announcements
=====================================
Cisco knows of no public announcements or discussion of this vulnerability
before the date of this notice. Cisco has had no reports of malicious
exploitation of this vulnerability. These bugs were identified and reported
by outside companies conducting laboratory testing.

No special tools, and only the most basic of skills, are needed to exploit
this vulnerability. It would not be difficult for a person with minimal
sophistication to find a way to exploit this vulnerability.

Status of This Notice
=====================
This is a final field notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all of the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this notice unless there is some material change in the facts. Should there
be a significant change in the facts, Cisco may update this notice.

Distribution
============
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/770/cat7161-pub.shtml .
In addition to Worldwide Web posting, the initial version of this notice is
being sent to the following e-mail and Usenet news recipients:

   * cust-security-announce@cisco.com
   * bugtraq@netspace.org
   * first-teams@first.org (includes CERT/CC)
   * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.

Acknowledgements
================
Cisco thanks the Internet Security Systems (ISS) X-Force, for independently
discovering this matter and bringing it to the attention of Cisco's Product
Security Incident Response Team (PSIRT).

The initial report of CSCdi74333 was received before the establishment of
the PSIRT, from a customer who has neither requested credit nor given
permission to be named in this notice. Cisco security notices do not name
or credit third parties without their specific permission.

Revision History
================
Revision 1.0,                   Initial release candidate version
17:45 US/Pacific 22-MAR-1999

Revision 1.1,                   Cosmetic changes
09:30 US/Pacific 23-MAR-1999

Revision 1.2,                   Remove erroneous mention of unaffected
11:00 US/Pacific 24-MAR-1999    products.

Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's Worldwide
Web site at
http://www.cisco.com/warp/public/791/sec_incident_response.shtml
This includes instructions for press inquiries regarding Cisco security
notices.

==============================================================================

CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related
institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams
(FIRST).

All CERT-NL material is available under:
        http://cert.surfnet.nl/

In case of computer or network security problems please contact your
local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet
customer please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl             ATTENDED REGULARLY ALL DAYS
Phone:     +31 302 305 305                BUSINESS HOURS ONLY
Fax:       +31 302 305 329                BUSINESS HOURS ONLY
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA  UTRECHT
           The Netherlands

EMERGENCIES : 06 22 92 35 64              ALWAYS REACHABLE
EMERGENCIES : +31 6 22 92 35 64           ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONE NUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6IpjSYjBqwfc9jEQJYYgCgo8fc32jfIn622L/mVOHMShkzY/EAnRga
kUNs337c2L5pn79OCjmjY5VI
=yHPu
-----END PGP SIGNATURE-----
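
Added example (not part of the signed CERT-NL/Cisco text): a version check for
a switch inventory that applies the ranges from "Who Is Affected" and
"Software Details", including the 2.1(501) and 2.1(502) spot fixes that sort
above 2.1(6) but remain affected. The family labels, hostnames and inventory
are constructed for illustration.

```python
import re

# Thresholds come from the advisory text. The family labels ("12xx", "29xx",
# "5xxx") and the inventory below are constructed for this example. The caller
# must leave out the Catalyst 2926 and 2900XL, which the advisory lists as
# not affected.
SPOT_FIXES_2_1 = {501, 502}  # 2.1 spot-fix builds that still carry the bug
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\((\d+)\))?\s*$")


def parse_version(text):
    """Parse '2.1(5)' or '4.29' into (major, minor, build); build may be None."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised supervisor version: {text!r}")
    major, minor, build = m.groups()
    return int(major), int(minor), (int(build) if build is not None else None)


def affected_bug(family, version):
    """Return the Cisco bug ID that applies, or None if the version is fixed."""
    major, minor, build = parse_version(version)
    if family == "12xx":
        # Affected up to and including 4.29; fixed in 4.30 and later.
        return "CSCdj71684" if (major, minor) <= (4, 29) else None
    if family not in ("29xx", "5xxx"):
        raise ValueError(f"family not covered by the advisory: {family!r}")
    if (major, minor) < (2, 1):
        return "CSCdi74333"  # 1.0 up to, but not including, 2.1
    if (major, minor) > (2, 1):
        return None  # 2.2, 2.3, 2.4, 3.x, 4.x and later
    if build is None:
        raise ValueError("a 2.1 release needs its build number, e.g. 2.1(6)")
    # 2.1(501) and 2.1(502) sort above 2.1(6) numerically but are affected.
    return "CSCdi74333" if build <= 5 or build in SPOT_FIXES_2_1 else None


INVENTORY = [  # constructed sample: (hostname, family, supervisor version)
    ("sw-core-1", "5xxx", "2.1(5)"),
    ("sw-core-2", "5xxx", "2.1(502)"),
    ("sw-dist-1", "29xx", "2.1(12)"),
    ("sw-lab-1", "12xx", "4.29"),
    ("sw-lab-2", "12xx", "4.30"),
]


def audit(inventory):
    """List (hostname, bug ID) for every switch still running affected code."""
    return [(host, bug) for host, family, version in inventory
            if (bug := affected_bug(family, version))]
```

Switches returned by audit() are the ones to upgrade or to shield with the
TCP port 7161 filter described under "Workarounds".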