Identifying and Mitigating Exploitation of the DOCSIS RW Community String Enabled Vulnerability

Advisory ID: cisco-amb-20060923-docsis

http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20060923-docsis

Revision 1.0

For Public Release 2006 September 23 16:00 UTC (GMT)


Contents

Cisco Response
Device Specific Mitigation and Identification
Additional Information
Revision History
Cisco Security Procedures
Related Information

Cisco Response

Vulnerability Characteristics

This vulnerability can be exploited remotely with no authentication and no user interaction is necessary. If exploited, the attacker may obtain full control of the IOS device. The attack vector is through the Simple Network Management Protocol (SNMP), using UDP/161. This vulnerability is not covered by a CVE ID.

This document contains information to assist Cisco customers in mitigating attempts to exploit the Data Over Cable Service Interface Specification (DOCSIS) Read-Write Community String Enabled in Non-DOCSIS Platforms vulnerability. This vulnerability affects Cisco IAD2400 series devices, Cisco MWR 1900 Series Mobile Wireless Edge Routers, and Cisco VG224 Analog Phone Gateways that are running affected Cisco IOS® software and have the SNMP server enabled. Vulnerable versions may contain a default hard-coded Simple Network Management Protocol (SNMP) community string.

Vulnerable, non-affected, and fixed software information is available in the PSIRT Security Response at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20060920-docsis.

Mitigation Technique Overview

Cisco devices provide several countermeasures for the Cisco DOCSIS Read-Write Community String Enabled in Non-DOCSIS Platforms vulnerability. Until a fixed version of Cisco IOS software can be installed, the most effective means of exploitation prevention is to disable the SNMP server (if possible) on affected IOS devices. Exploitation of this vulnerability can also be mitigated by applying interface access control lists (ACLs) to filter SNMP (UDP/161) packets from all but known source addresses that are destined for the IOS device itself. It should be noted that an exploit may still be successful if the SNMP packet is sourced from an address that has been spoofed and is permitted by the access list.

Risk Management

Organizations are advised to follow their standard risk evaluation and mitigation processes to determine the potential impact of this vulnerability. Triage refers to sorting projects and prioritizing efforts that are most likely to be successful. Cisco has provided documents that can help organizations develop a risk-based triage capability for their information security teams. Risk Triage for Security Vulnerability Announcements and Risk Triage and Prototyping can help organizations develop repeatable security evaluation and response processes.

Device-specific Mitigation and Identification

Specific information on mitigation and identification is available for these devices:

Cisco IOS Routers

Caution: The effectiveness of any mitigation technique is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Mitigation

Interface Access Lists

The following access list permits UDP/161 (SNMP) packets from a trusted management network (i.e., 192.168.131.0/24) destined for the target device (i.e. 192.168.131.100). All other SNMP packets are dropped. Added access list entries should be implemented as part of a transit ACL that filters transit and edge traffic at network ingress points.

For more information on ACLs, refer to Transit Access Control Lists: Filtering at Your Edge.


!-- Allow the SNMP (UDP/161) packets from known source addresses only.

access-list 100 permit udp 192.168.131.0 0.0.0.255 host 192.168.131.100 eq snmp

!-- Block SNMP from all other source addresses

access-list 100 deny   udp any host 192.168.131.100 eq snmp

!-- Permit/deny all other traffic in accordance with
!-- existing security policies and configurations.

!-- Apply access list to interface in the inbound direction.

interface FastEthernet0
 ip access-group 100 in

Note: If the access list is being applied to the target device itself, it must be applied to all ingress interfaces of the device.

Anti-Spoofing

This vulnerability can be exploited by a spoofed packet. Anti-spoof protection in the form of unicast Reverse Path Forwarding (uRPF) can provide limited mitigation if properly configured. This feature should not be relied upon to provide 100% mitigation since spoofed packets may still enter the network from the interface expected by uRPF or allowed by anti-spoofing access-lists. Also care must be taken to ensure that the appropriate uRPF mode (loose or strict) is configured to ensure that legitimate packets are not dropped. Additional information about unicast Reverse Path Forwarding is available at http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ft_urpf.html.

Control Plane Policing

Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support Control Plane Policing (CoPP) which may be configured to protect the device from attacks that target the management and control planes of the device itself. The following example can be adapted to your network. This example assumes that all SNMP access is to be restricted to management stations that exist on the 192.168.131.0/24 network, and that the management station need only communicate with the target router's IP address 192.168.131.100:

access-list 111 deny   udp 192.168.131.0 0.0.0.255 host 192.168.131.100 eq snmp
access-list 111 permit udp any any eq snmp
access-list 111 deny   ip any any
!
class-map match-all drop-snmp-class
 match access-group 111
!
!
policy-map drop-snmp-policy
 class drop-snmp-class
   drop
!
control-plane
 service-policy input drop-snmp-policy

Please note that in the 12.0S, 12.2S, and 12.2SX Cisco IOS trains the policy-map syntax is different:

policy-map drop-snmp-policy
 class drop-snmp-class
  police 32000 1500 1500 conform-action drop exceed-action drop

Note: In the above CoPP examples, the ACL entries that match the exploit packets with the "permit" action result in these packets being discarded by the policy-map "drop" function, while packets that match the "deny" action are not affected by the policy-map drop function.
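The interface ACL and the CoPP class-map ACL above use the same top-down, first-match evaluation but with opposite meanings for "permit": on the interface, permit forwards the packet, while in the CoPP class-map, permit classifies the packet into the drop class. The following Python model is an added example, not part of the bulletin or any Cisco software; it reproduces access-list 100 and access-list 111 from the text and evaluates sample packets (constructed addresses) against both, including the spoofed-source case the Mitigation Technique Overview warns about. The names Ace, Packet, interface_acl_forwards and copp_drops are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SNMP_PORT = 161  # what "eq snmp" resolves to in the IOS ACL syntax
ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access control entry of an IOS extended ACL (example model, not Cisco code)."""
    action: str                     # "permit" or "deny"
    proto: str                      # "udp" or "ip" (ip matches every protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS ACLs write 'address wildcard'; the wildcard is the inverted netmask."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in ace.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def first_match(acl: List[Ace], pkt: Packet) -> str:
    """Top-down evaluation; first matching entry wins; implicit deny at the end."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


TRUSTED = wildcard_to_network("192.168.131.0", "0.0.0.255")   # management network
TARGET = ipaddress.IPv4Network("192.168.131.100/32")           # the IOS device itself

# access-list 100 as written in the bulletin (only the SNMP entries are modelled here)
ACL_100 = [
    Ace("permit", "udp", TRUSTED, TARGET, SNMP_PORT),
    Ace("deny", "udp", ANY, TARGET, SNMP_PORT),
]

# access-list 111 as written in the bulletin (CoPP classification ACL)
ACL_111 = [
    Ace("deny", "udp", TRUSTED, TARGET, SNMP_PORT),
    Ace("permit", "udp", ANY, ANY, SNMP_PORT),
    Ace("deny", "ip", ANY, ANY),
]


def interface_acl_forwards(pkt: Packet) -> bool:
    """On an interface, 'permit' means the packet is forwarded."""
    return first_match(ACL_100, pkt) == "permit"


def copp_drops(pkt: Packet) -> bool:
    """In the CoPP class-map, 'permit' means the packet lands in the drop class;
    'deny' means it falls through to class-default and is not policed."""
    return first_match(ACL_111, pkt) == "permit"


if __name__ == "__main__":
    # Constructed sample packets: a trusted poll, an untrusted poll, NTP, and a
    # packet whose source address was spoofed into the trusted range.
    samples = {
        "trusted SNMP":  Packet("udp", "192.168.131.5", "192.168.131.100", 161),
        "untrusted SNMP": Packet("udp", "10.86.115.211", "192.168.131.100", 161),
        "NTP":           Packet("udp", "10.86.115.211", "192.168.131.100", 123),
        "spoofed SNMP":  Packet("udp", "192.168.131.7", "192.168.131.100", 161),
    }
    for name, pkt in samples.items():
        print(f"{name:15s} interface forwards={interface_acl_forwards(pkt)} "
              f"CoPP drops={copp_drops(pkt)}")
```

The last sample is the caveat from the overview: a packet spoofed from an address inside the trusted prefix is forwarded by access-list 100 and ignored by the CoPP drop class, which is why the bulletin pairs these filters with uRPF rather than treating either as complete.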

Identification

Interface Access Lists

With a transit access list, once the interface access list is deployed, the command show access-list can be used to identify the number of packets being filtered. Filtered packets should be investigated to determine if they are attempts to exploit this issue.

Here is example output for the show access-list 100 command:

router-01#show access-list 100
Extended IP access list 100
    10 permit udp 192.168.131.0 0.0.0.255 host 192.168.131.100 eq snmp (282 matches)
    20 deny udp any host 192.168.131.100 eq snmp (6 matches)

In the above example, there were six (6) SNMP packets dropped by access list 100 configured inbound on interface FastEthernet 0.

Control Plane Policing

The output of the show policy-map control-plane command below indicates that a total of six (6) packets were dropped by the "drop-snmp-class" class-map that is part of the CoPP policy, "drop-snmp-policy":

router-01#show policy-map control-plane
 Control Plane
  Service-policy input: drop-snmp-policy
    Class-map: drop-snmp-class (match-all)
      6 packets, 486 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 111
      drop
    Class-map: class-default (match-any)
      385 packets, 39380 bytes
      5 minute offered rate 2000 bps, drop rate 0 bps
      Match: any
router-01#

In addition, the show access-list command can be used to also identify packets dropped by the access list that is being used within the CoPP service policy and associated class-map:

router-01#show access-lists 111
Extended IP access list 111
    10 deny udp 192.168.131.0 0.0.0.255 host 192.168.131.100 eq snmp
    20 permit udp any any eq snmp (6 matches)
    30 deny ip any any (383 matches)
router-01#

The above display indicates that a total of six (6) packets were dropped by access list 111. This correlates to the packets dropped by the "drop-snmp-class" class-map as described previously.

NetFlow

NetFlow can be configured on Internet Edge routers to determine if attempts are in progress to exploit this vulnerability.

router-01#show ip cache flow
IP packet size distribution (27288995 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .005 .968 .024 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
  5 active, 4091 inactive, 232766 added
  4400609 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25736 bytes
  5 active, 1019 inactive, 232766 added, 232766 added to flow
  0 alloc failures, 0 force free
  1 chunk, 3 chunks added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet          15      0.0        35    57      0.0      11.3      11.8
TCP-FTP              1      0.0         1    60      0.0       0.0      15.4
TCP-FTPD             1      0.0         1    60      0.0       0.0      15.0
TCP-WWW             32      0.0         1    60      0.0       0.0      15.4
TCP-SMTP             1      0.0         1    60      0.0       0.0      15.4
TCP-X                1      0.0         1    60      0.0       0.0      15.7
TCP-BGP          63732      0.0         1    40      0.0       0.0       1.5
TCP-NNTP             1      0.0         1    60      0.0       0.0      15.2
TCP-Frag            86      0.0      5837   120      0.2      13.6      15.4
TCP-other        61985      0.0         1    67      0.0       0.3      15.3
UDP-NTP          21741      0.0         1    76      0.0       0.0      15.1
UDP-other        83577      0.0       316    78     14.5      18.7      15.4
ICMP              1588      0.0        89   127      0.0       0.8      15.4
Total:          232761      0.1       117    79     15.0       6.8      11.5
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0           10.86.115.211   Local         192.168.131.100 11 0432 00A1     3
Fa0           10.86.115.200   Local         192.168.131.100 11 0432 00A1     3
Fa0           10.10.11.123    Local         192.168.131.100 11 0432 00A1     3

In the above example, there are several SNMP flows (Destination Port (DstP) Hex 00A1) from unknown IP addresses to the target device (192.168.131.100). This may be indicative of an attempt to exploit this vulnerability and should be compared to baseline utilization of these ports on the monitoring devices.

To only view SNMP (DstP Hex 00A1) flows, the command show ip cache flow | include SrcIf|A1 may be used as shown here:

router-01#show ip cache flow | include SrcIf|A1
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0           10.86.115.211   Local         192.168.131.100 11 0432 00A1     3
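Filtering on the DstP column by hand works for a short cache, but the more useful check is whether each SNMP flow's source lies inside the management network. The following Python parser is an added example, not part of the bulletin or any Cisco tool; it reads the flow-record portion of show ip cache flow, decodes the hexadecimal protocol and port fields, and reports SNMP flows (UDP, destination port 161) whose source is outside a trusted prefix. The sample text is constructed from the bulletin's example records plus one trusted flow and one NTP flow; the function names are this example's own.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed sample: the three records from the bulletin plus a trusted SNMP
# poll and an NTP flow, so that the filter has something to keep and to discard.
SAMPLE_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0           10.86.115.211   Local         192.168.131.100 11 0432 00A1     3
Fa0           192.168.131.20  Local         192.168.131.100 11 0432 00A1    12
Fa0           10.10.11.123    Local         192.168.131.100 11 0432 00A1     3
Fa0           10.10.11.123    Local         192.168.131.100 11 0123 007B     1
Fa0           10.86.115.200   Local         192.168.131.100 11 0432 00A1    2K
"""

# SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts; Pr and ports are hex,
# and large packet counts are abbreviated with a K or M suffix.
FLOW_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)([KM])?\s*$"
)
SCALE = {None: 1, "K": 1000, "M": 1000000}
PROTO_UDP = 17
SNMP_PORT = 161


def parse_flows(text: str) -> List[Dict]:
    """Return one dict per flow record; header and statistics lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        src_if, src, dst_if, dst, pr, sp, dp, pkts, suffix = m.groups()
        flows.append({
            "src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
            "proto": int(pr, 16), "sport": int(sp, 16), "dport": int(dp, 16),
            "pkts": int(pkts) * SCALE[suffix],
        })
    return flows


def suspicious_snmp_flows(flows: Iterable[Dict], trusted: Iterable[str],
                          targets: Iterable[str]) -> Dict[str, int]:
    """Packets per untrusted source sending UDP/161 to one of the target addresses."""
    trusted_nets = [ipaddress.IPv4Network(n) for n in trusted]
    target_set = {ipaddress.IPv4Address(t) for t in targets}
    totals: Dict[str, int] = {}
    for f in flows:
        if f["proto"] != PROTO_UDP or f["dport"] != SNMP_PORT:
            continue
        if ipaddress.IPv4Address(f["dst"]) not in target_set:
            continue
        src = ipaddress.IPv4Address(f["src"])
        if any(src in net for net in trusted_nets):
            continue
        totals[f["src"]] = totals.get(f["src"], 0) + f["pkts"]
    return totals


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_CACHE)
    report = suspicious_snmp_flows(flows, ["192.168.131.0/24"], ["192.168.131.100"])
    for src, pkts in sorted(report.items(), key=lambda kv: -kv[1]):
        print(f"{src:16s} {pkts:8d} SNMP packets to target from outside management net")
```

The report is a starting point for the baseline comparison the text asks for: a source that appears here with a few packets may be a misconfigured poller, while a source polling at a rate well above what management stations normally generate deserves a closer look.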

Cisco ASA/PIX/FWSM Firewalls

Caution: The effectiveness of any mitigation technique is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Mitigation

Access lists can be configured on the PIX/ASA/FWSM firewalls to only allow SNMP (UDP/161) packets from trusted management networks destined for network devices.

PIX 6.x

The following access lists permit SNMP (UDP/161) packets from 192.168.131.0/24 destined for a particular network device (i.e. 192.168.132.100). All other SNMP packets destined to this network device are dropped.


!-- Allow trusted management network to send SNMP packets
!-- to the network device.

access-list SNMP permit udp 192.168.131.0 255.255.255.0 host 192.168.132.100 eq snmp

!-- Deny all other SNMP traffic to the network device.

access-list SNMP deny udp any host 192.168.132.100 eq snmp

!-- Permit/deny all other IP traffic in accordance with
!-- existing security policies and configurations.

!-- Apply SNMP access-list inbound to outside interface.

access-group SNMP in interface outside

PIX/ASA 7.x

The following access lists permit SNMP (UDP/161) packets from 192.168.131.0/24 destined for a particular network device (i.e., 192.168.132.100). All other SNMP packets destined to this network device are dropped.


!-- Allow trusted network to send SNMP packets to the network device.

access-list SNMP extended permit udp 192.168.131.0 255.255.255.0 host 192.168.132.100 eq snmp

!-- Deny all other SNMP traffic to the network device.

access-list SNMP extended deny udp any host 192.168.132.100 eq snmp

!-- Permit/deny all other IP traffic in accordance with
!-- existing security policies and configurations.

!-- Apply SNMP access-list inbound to outside interface.

access-group SNMP in interface outside

FWSM

The following access lists permit SNMP (UDP/161) packets from 10.1.1.0/24 destined for a particular network device (i.e. 192.168.30.100). All other SNMP packets destined to this network device are dropped.


!-- Allow trusted network to send SNMP packets to the network device.

access-list SNMP extended permit udp 10.1.1.0 255.255.255.0 host 192.168.30.100 eq snmp

!-- Deny all other SNMP traffic to the network device.

access-list SNMP extended deny udp any host 192.168.30.100 eq snmp

!-- Permit/deny all other IP traffic in accordance with
!-- existing security policies and configurations.

!-- Apply SNMP access-list inbound to outside interface.

access-group SNMP in interface outside

Identification

PIX 6.x

pix#show access-list SNMP
access-list SNMP; 2 elements
access-list SNMP line 1 permit udp 192.168.131.0 255.255.255.0 host 192.168.132.100 eq snmp (hitcnt=0)
access-list SNMP line 2 deny udp any host 192.168.132.100 eq snmp (hitcnt=100)

In the above example, 100 SNMP packets have been received and blocked. In addition, the following syslog message will be sent for any attempts that are blocked by access list SNMP:

106023: Deny udp src outside:10.89.236.157/32782
  dst inside:192.168.132.100/161 by access-group "SNMP"

More information on this syslog message can be found at http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html#wp1052375.

PIX/ASA 7.x

pix#show access-list SNMP
access-list SNMP; 2 elements
access-list SNMP line 1 extended permit udp 192.168.131.0 255.255.255.0 host 192.168.132.100 eq snmp (hitcnt=0)
access-list SNMP line 2 extended deny udp any host 192.168.132.100 eq snmp (hitcnt=100)

In the above example, 100 SNMP packets have been received and blocked. In addition, the following syslog message will be sent for any attempts that are blocked by access list SNMP:

Sep 13 2006 15:08:55: %PIX-4-106023: Deny udp src outside:192.168.10.157/32782
  dst inside:192.168.132.100/161 by access-group "SNMP"

More information on this syslog message can be found at http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wp1279897.

FWSM

fwsm-01#show access-list SNMP
access-list SNMP; 2 elements
access-list SNMP extended permit udp 10.1.1.0 255.255.255.0 host 192.168.30.100 eq snmp (hitcnt=0)
access-list SNMP extended deny udp any host 192.168.30.100 eq snmp (hitcnt=100)

In the above example, 100 SNMP packets have been received and blocked. In addition, the following syslog message will be sent for any attempts that are blocked by access list SNMP:

Sep 12 2006 14:13:36: %FWSM-4-106023: Deny udp src outside:192.168.131.10/32952
  dst inside:192.168.30.100/161 by access-group "SNMP"

More information on this syslog message can be found at http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wp1279897.
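The hit counters above give a total, while the 106023 syslog messages carry the per-attempt detail (source address and port, destination, access-group). The following Python routine is an added example, not part of the bulletin or any Cisco product; it parses all three message shapes shown in this section (the PIX 6.x form without a facility tag, and the %PIX-4-106023 and %FWSM-4-106023 forms with a timestamp), keeps only denies of UDP/161 by the SNMP access-group, and counts them per source so repeat sources stand out. It assumes a syslog collector delivers each message on a single line (the two-line layout on this page is wrapping). The sample messages are the bulletin's own, joined onto one line, plus two constructed lines; the function names are this example's own.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Sample input: bulletin messages on one line each, plus a second PIX deny from
# the same source (constructed) and an unrelated TCP deny (constructed).
SAMPLE_LOG = [
    '106023: Deny udp src outside:10.89.236.157/32782 dst inside:192.168.132.100/161 by access-group "SNMP"',
    'Sep 13 2006 15:08:55: %PIX-4-106023: Deny udp src outside:192.168.10.157/32782 dst inside:192.168.132.100/161 by access-group "SNMP"',
    'Sep 13 2006 15:08:56: %PIX-4-106023: Deny udp src outside:192.168.10.157/32783 dst inside:192.168.132.100/161 by access-group "SNMP"',
    'Sep 12 2006 14:13:36: %FWSM-4-106023: Deny udp src outside:192.168.131.10/32952 dst inside:192.168.30.100/161 by access-group "SNMP"',
    'Sep 12 2006 14:13:40: %FWSM-4-106023: Deny tcp src outside:192.168.131.10/40000 dst inside:192.168.30.100/22 by access-group "OUTSIDE_IN"',
]

# Matches the body of message 106023 regardless of the prefix (bare id, %PIX-4-, %FWSM-4-).
MSG_106023 = re.compile(
    r"106023:\s+Deny\s+(?P<proto>\w+)\s+"
    r"src\s+(?P<src_if>[^:\s]+):(?P<src_ip>\d+\.\d+\.\d+\.\d+)/(?P<src_port>\d+)\s+"
    r"dst\s+(?P<dst_if>[^:\s]+):(?P<dst_ip>\d+\.\d+\.\d+\.\d+)/(?P<dst_port>\d+)\s+"
    r'by\s+access-group\s+"(?P<acl>[^"]+)"'
)
SNMP_PORT = 161


def parse_106023(line: str) -> Optional[Dict]:
    """Return the fields of a 106023 deny message, or None for any other line."""
    m = MSG_106023.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["src_port"] = int(d["src_port"])
    d["dst_port"] = int(d["dst_port"])
    d["proto"] = d["proto"].lower()
    return d


def snmp_denies_by_source(lines: Iterable[str], acl_name: str = "SNMP") -> Counter:
    """Count UDP/161 denies by the given access-group, keyed by (src_ip, dst_ip)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_106023(line)
        if rec is None:
            continue
        if rec["proto"] != "udp" or rec["dst_port"] != SNMP_PORT or rec["acl"] != acl_name:
            continue
        counts[(rec["src_ip"], rec["dst_ip"])] += 1
    return counts


def repeat_sources(counts: Counter, threshold: int) -> List[Tuple[str, str, int]]:
    """Source/target pairs that were denied at least `threshold` times, busiest first."""
    hits = [(src, dst, n) for (src, dst), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: -t[2])


if __name__ == "__main__":
    counts = snmp_denies_by_source(SAMPLE_LOG)
    for (src, dst), n in counts.items():
        print(f"{src:16s} -> {dst:16s} {n} SNMP denies")
    print("repeat sources:", repeat_sources(counts, threshold=2))
```

A single deny from a source is often a stray poller or a scanner passing through; the same source denied repeatedly against a device that should only ever be polled from the management network is the pattern worth correlating with the NetFlow view from the router side.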

Additional Information

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Revision History

Revision 1.0

2007-April-12

Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

Related Information