
Identifying and Mitigating Multiple Vulnerabilities in Cisco Clean Access

Advisory ID: cisco-amb-20070103-CleanAccess

http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20070103-CleanAccess

Revision 1.0

For Public Release 2007 January 3 16:00  UTC (GMT)


Contents

Cisco Response
Device Specific Mitigation and Identification
Additional Information
Revision History
Cisco Security Procedures
Related Information

Cisco Response

Vulnerability Characteristics

There are two vulnerabilities associated with this Applied Mitigation Bulletin and the corresponding PSIRT security advisory.

  • Unchangeable shared secret password vulnerability - A Cisco Clean Access Manager (CAM) authenticates to a Cisco Clean Access Server (CAS) with a shared secret that both devices must hold. On affected versions this shared secret cannot be changed and is identical on every affected device, so it is effectively known to anyone who has examined one. To exploit this vulnerability the adversary must be able to establish a connection to the CAS. This vulnerability is not covered by a CVE ID.
  • Readable snapshots vulnerability - Manual backups of the database snapshots taken on the Clean Access Manager can be downloaded without authentication by anyone who knows, or guesses, the filename. Because the filenames are guessable, the attack reduces to a brute-force download that can be performed remotely with no authentication over TCP ports 80 and 443, yielding the backup database snapshots of the Clean Access Server held on the Clean Access Manager. This vulnerability is not covered by a CVE ID.

This document contains information to assist Cisco customers in mitigating attempts to exploit the vulnerabilities in Cisco Clean Access described above. Certain versions of Cisco Clean Access are affected by two vulnerabilities that may allow a malicious user to gain control over a Clean Access Server and cause a denial of service or damage network integrity. Vulnerable software version and fixed software version information is available in the PSIRT Security Advisory at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070103-CleanAccess.

Mitigation Technique Overview

Cisco devices provide several countermeasures for the vulnerabilities in Cisco Clean Access described in the Vulnerability Characteristics section. The most effective preventive control is an access list, configured at the network level on Cisco IOS routers, Cisco IOS switches, or ASA, PIX, and FWSM firewalls, that restricts which hosts can reach the Clean Access Manager and the untrusted and trusted interfaces of the Clean Access Server. These access lists filter only traffic that crosses the device on which they are configured: an attack on the readable snapshots vulnerability that originates on the same local network as the Clean Access Manager, or an attack on the unchangeable shared secret vulnerability that originates on the same local subnet as the Clean Access Server, is not blocked by them. Access control should therefore be enforced as close to the Clean Access Manager and the Clean Access Server as possible to minimize the remaining attack vectors. The same access lists also serve as a detective control, because the hit counters on their deny entries show whether filtered traffic is arriving.

Risk Management

Organizations are advised to follow their standard risk evaluation and mitigation processes to determine the potential impact of these vulnerabilities. Triage refers to sorting projects and prioritizing the efforts that are most likely to be successful. Cisco has provided documents that can help organizations develop a risk-based triage capability for their information security teams. Risk Triage for Security Vulnerability Announcements and Risk Triage and Prototyping can help organizations develop repeatable security evaluation and response processes.

Device-specific Mitigation and Identification

Cisco IOS Routers

Caution: The effectiveness of any mitigation technique is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Mitigation: Unchangeable Shared Secret

Interface Access Lists

Interface access list statements may be deployed on a Cisco IOS router as part of a transit ACL, which protects the router itself and the devices deployed behind it, including the Clean Access Server when it is deployed in Layer 3 mode. The following access list permits only the traffic that clients undergoing posture checks need to reach the untrusted interface of a Clean Access Server (for example, 192.168.155.45): UDP ports 8905 and 8906 and TCP port 443. Every other packet destined for that address is dropped, so the management ports used by the Clean Access Manager cannot be reached from the untrusted side.


!-- Permit incoming packets from clients undergoing
!-- posture checks to Clean Access Server.

access-list 101 permit udp any host 192.168.155.45 eq 8905
access-list 101 permit udp any host 192.168.155.45 eq 8906
access-list 101 permit tcp any host 192.168.155.45 eq 443

!-- Deny all other traffic destined for the Clean Access Server.

access-list 101 deny ip any host 192.168.155.45
!

!-- Permit/deny all other IP traffic in accordance
!-- with existing security policies and configurations.

!

!-- Apply access list to interface in the inbound direction.

interface FastEthernet0
ip access-group 101 in
!

Access to the Clean Access Server must also be protected on its trusted interface. The following access list permits management traffic from the Clean Access Manager (for example, 192.168.130.83) to the Clean Access Server (for example, 192.168.154.43). TCP port 1099 is used by all versions of Clean Access; TCP ports 8995 and 8996 are used only with version 3.6.x and later; TCP ports 32768 through 61000 are used only with version 3.5.x, so the entries that do not apply to the deployed version should be omitted rather than left open. Access to the Clean Access Server from a trusted management network (for example, 192.0.2.0/24) is also provided. All other traffic to the Clean Access Server is dropped. The list is applied inbound on the router interface that faces the Clean Access Manager and the management network (FastEthernet1 in this example); IOS accepts a single access list per interface and direction, so it cannot be applied to the interface that already carries access list 101.


!-- Permit management traffic from CAM to CAS.
!-- Traffic to Clean Access Server on TCP ports 8995 and 8996
!-- is required only with software version 3.6.x or later.
!-- Traffic to Clean Access Server on TCP ports 32768 to 61000
!-- is required only with software version 3.5.x.

access-list 102 permit tcp host 192.168.130.83 host 192.168.154.43 eq 1099
access-list 102 permit tcp host 192.168.130.83 host 192.168.154.43 eq 8995
access-list 102 permit tcp host 192.168.130.83 host 192.168.154.43 eq 8996
access-list 102 permit tcp host 192.168.130.83 host 192.168.154.43 range 32768 61000

!-- Allow communication to the Clean Access Server
!-- from a trusted management network (192.0.2.0/24).

access-list 102 permit tcp 192.0.2.0 0.0.0.255 host 192.168.154.43 eq 22
access-list 102 permit tcp 192.0.2.0 0.0.0.255 host 192.168.154.43 eq www
access-list 102 permit tcp 192.0.2.0 0.0.0.255 host 192.168.154.43 eq 443

!-- Deny all other traffic to the Clean Access Server.

access-list 102 deny ip any host 192.168.154.43
!

!-- Permit/deny all other IP traffic in accordance
!-- with existing security policies and configurations.

!

!-- Apply access list inbound on the interface facing the
!-- Clean Access Manager and the management network.

interface FastEthernet1
ip access-group 102 in
!

Identification: Unchangeable Shared Secret

When a transit access control list has been applied to an interface, the show access-list command displays the number of packets matched by each entry. Packets matched by the deny entry should be investigated to determine whether they are attempts to exploit this vulnerability. The counters do not record source addresses; adding the log keyword to the deny entry makes IOS emit a syslog message (%SEC-6-IPACCESSLOGP for TCP and UDP) that includes the source and destination addresses and ports, at the cost of additional CPU for every logged packet. Example output for show access-list 101 follows. In this example, 13 packets were dropped by access list 101, which has been applied in the inbound direction on interface FastEthernet0.

edge-router#show access-list 101
Extended IP access list 101
10 permit udp any host 192.168.155.45 eq 8905
20 permit udp any host 192.168.155.45 eq 8906
30 permit tcp any host 192.168.155.45 eq 443
40 deny ip any host 192.168.155.45 (13 matches)

When a transit access control list has been applied to an interface, the show access-list command can be used to identify the number of packets being filtered. Filtered packets should be investigated to determine if they are attempts to exploit this vulnerability. Example output for show access-list 102 follows. In this example, there were 5 packets dropped by access list 102. This access list has been applied in the inbound direction on interface FastEthernet0.

edge-router#show access-list 102
Extended IP access list 102
10 permit tcp host 192.168.130.83 host 192.168.154.43 eq 1099
20 permit tcp host 192.168.130.83 host 192.168.154.43 eq 8995
30 permit tcp host 192.168.130.83 host 192.168.154.43 eq 8996
40 permit tcp host 192.168.130.83 host 192.168.154.43 range 32768 61000
50 permit tcp 192.0.2.0 0.0.0.255 host 192.168.154.43 eq 22
60 permit tcp 192.0.2.0 0.0.0.255 host 192.168.154.43 eq www
70 permit tcp 192.0.2.0 0.0.0.255 host 192.168.154.43 eq 443
80 deny ip any host 192.168.154.43 (5 matches)

Mitigation: Readable Snapshots Vulnerability

Interface Access Lists

Interface access list statements may be deployed on a Cisco IOS router as part of a transit access control list, which protects the router itself and devices deployed behind it. Cisco IOS routers can be used both to mitigate and to detect attempted exploitation of these vulnerabilities. Further information about transit access lists is available in the white paper "Transit Access Control Lists: Filtering at Your Edge" at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml.

The following access list permits communication from the IP address of the Clean Access Server (for example, 192.168.154.43) to the IP address of the Clean Access Manager (for example, 192.168.130.83) via HTTP (TCP/80 or www) and HTTPS (TCP/443). Access to the Clean Access Manager on TCP port 80 is required only with Clean Access versions 3.5.x and 3.6.x; with versions 4.0.x and 4.1.x the TCP port 80 entry should be omitted. The access list also permits other management traffic from the Clean Access Server to the Clean Access Manager. Packets from the Clean Access Server with source TCP port 1099 are used by all versions of Clean Access; source ports 8995 and 8996 are used only with version 3.6.x and later; source ports 32768 through 61000 are used only with version 3.5.x. Note that these entries match on the source port of the Clean Access Server and on any destination port of the Clean Access Manager, so they admit any TCP segment that a host using the Clean Access Server address sends from those ports; they are weaker than a stateful rule and should be limited to the version actually deployed. Packets from a trusted management network (for example, 192.0.2.0/24) are also permitted. All other traffic to the Clean Access Manager is dropped, including the unauthenticated HTTP and HTTPS requests from arbitrary hosts on which a brute-force snapshot download depends.


!-- Allow communication from the Clean Access Server (192.168.154.43)
!-- to the Clean Access Manager (192.168.130.83) on ports 80 and 443.
!-- TCP port 80 communication is required only
!-- with Clean Access versions 3.5.x and 3.6.x.

access-list 100 permit tcp host 192.168.154.43 host 192.168.130.83 eq www
access-list 100 permit tcp host 192.168.154.43 host 192.168.130.83 eq 443

!-- Permit other management traffic from CAS to CAM, matched on the
!-- source port of the Clean Access Server.
!-- Source ports 8995 and 8996 are used only with version 3.6.x or later.
!-- Source ports 32768 to 61000 are used only with software version 3.5.x.

access-list 100 permit tcp host 192.168.154.43 eq 1099 host 192.168.130.83
access-list 100 permit tcp host 192.168.154.43 eq 8995 host 192.168.130.83
access-list 100 permit tcp host 192.168.154.43 eq 8996 host 192.168.130.83
access-list 100 permit tcp host 192.168.154.43 range 32768 61000 host 192.168.130.83

!-- Allow communication to the Clean Access Manager
!-- from a trusted management network (192.0.2.0/24).

access-list 100 permit tcp 192.0.2.0 0.0.0.255 host 192.168.130.83 eq www
access-list 100 permit tcp 192.0.2.0 0.0.0.255 host 192.168.130.83 eq 443

!-- Deny all other traffic to the Clean Access Manager.

access-list 100 deny ip any host 192.168.130.83
!

!-- Permit/deny all other IP traffic in accordance
!-- with existing security policies and configurations.

!

!-- Apply access list in the inbound direction on the interface
!-- facing the Clean Access Server.

interface FastEthernet0
ip access-group 100 in
!
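Before applying these lists it is worth confirming that each one admits exactly the flows described above and nothing else. The following Python checker is an added example, not part of this bulletin or of Cisco IOS: it parses IOS-style extended access-list statements (any, host, wildcard masks, eq and range qualifiers, and the port names used on this page), evaluates sample flows against them with first-match semantics and the implicit deny at the end, and exercises access lists 101, 102 and (abbreviated) 100 as given above; the switch section later in this bulletin uses the same statements. The client address 10.9.8.7, the management host 192.0.2.10 and the flows themselves are constructed test inputs. One of the flows shows the limitation of the entries that match on the source port of the Clean Access Server: a segment sent from that address with source port 1099 to the SSH port of the Clean Access Manager is permitted.

```python
"""Added example: evaluate this bulletin's IOS-style extended access lists offline.
First-match semantics with the implicit deny at the end, the way IOS applies a list.
ASA/PIX/FWSM lists are not handled (they take subnet masks, not wildcard masks)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22}   # port keywords used on this page
Ports = Optional[Tuple[int, int]]                    # inclusive (low, high); None = any port

@dataclass
class Entry:
    seq: int                # sequence number as 'show access-list' numbers it (10, 20, ...)
    action: str             # "permit" or "deny"
    proto: str              # "ip", "tcp" or "udp"
    src: Tuple[int, int]    # (network, wildcard mask) as 32-bit integers
    sport: Ports
    dst: Tuple[int, int]
    dport: Ports

def _addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tok[i]; return spec and next index."""
    ip = lambda s: int(ipaddress.IPv4Address(s))
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip(tok[i + 1]), 0), i + 2
    return (ip(tok[i]), ip(tok[i + 1])), i + 2

def _port(tok: List[str], i: int) -> Tuple[Ports, int]:
    """Parse an optional 'eq PORT' or 'range LOW HIGH' qualifier at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        p = PORT_NAMES[tok[i + 1]] if tok[i + 1] in PORT_NAMES else int(tok[i + 1])
        return (p, p), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i

def parse_acls(config: str) -> Dict[str, List[Entry]]:
    """Collect entries per list number; '!-- comments', '!' and other commands are skipped."""
    acls: Dict[str, List[Entry]] = {}
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, _ = _port(tok, i)
        entries = acls.setdefault(tok[1], [])
        entries.append(Entry(10 * (len(entries) + 1), tok[2], tok[3], src, sport, dst, dport))
    return acls

def lookup(entries: List[Entry], proto: str, src: str, sport: int,
           dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """(action, seq) of the first matching entry; ('deny', None) when nothing matches."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        ks, kd = ~e.src[1] & 0xFFFFFFFF, ~e.dst[1] & 0xFFFFFFFF   # bits that must match
        if ((s & ks) == (e.src[0] & ks) and (d & kd) == (e.dst[0] & kd)
                and (e.sport is None or e.sport[0] <= sport <= e.sport[1])
                and (e.dport is None or e.dport[0] <= dport <= e.dport[1])):
            return e.action, e.seq
    return "deny", None

# Access lists 101 and 102 exactly as given above; 100 is abbreviated to four of its entries.
BULLETIN_ACLS = """
access-list 101 permit udp any host 192.168.155.45 eq 8905
access-list 101 permit udp any host 192.168.155.45 eq 8906
access-list 101 permit tcp any host 192.168.155.45 eq 443
access-list 101 deny ip any host 192.168.155.45
access-list 102 permit tcp host 192.168.130.83 host 192.168.154.43 eq 1099
access-list 102 permit tcp host 192.168.130.83 host 192.168.154.43 eq 8995
access-list 102 permit tcp host 192.168.130.83 host 192.168.154.43 eq 8996
access-list 102 permit tcp host 192.168.130.83 host 192.168.154.43 range 32768 61000
access-list 102 permit tcp 192.0.2.0 0.0.0.255 host 192.168.154.43 eq 22
access-list 102 permit tcp 192.0.2.0 0.0.0.255 host 192.168.154.43 eq www
access-list 102 permit tcp 192.0.2.0 0.0.0.255 host 192.168.154.43 eq 443
access-list 102 deny ip any host 192.168.154.43
access-list 100 permit tcp host 192.168.154.43 host 192.168.130.83 eq 443
access-list 100 permit tcp host 192.168.154.43 eq 1099 host 192.168.130.83
access-list 100 permit tcp 192.0.2.0 0.0.0.255 host 192.168.130.83 eq 443
access-list 100 deny ip any host 192.168.130.83
"""

def check_bulletin_acls() -> Dict[str, Tuple[str, Optional[int]]]:
    """Constructed flows: 10.9.8.7 is an arbitrary client, 192.0.2.10 a management host."""
    a = parse_acls(BULLETIN_ACLS)
    return {
        "client udp 8905 to CAS untrusted": lookup(a["101"], "udp", "10.9.8.7", 40000, "192.168.155.45", 8905),
        "client tcp 80 to CAS untrusted":   lookup(a["101"], "tcp", "10.9.8.7", 40000, "192.168.155.45", 80),
        "CAM to CAS 1099":                  lookup(a["102"], "tcp", "192.168.130.83", 45000, "192.168.154.43", 1099),
        "CAM to CAS 50000 (3.5.x range)":   lookup(a["102"], "tcp", "192.168.130.83", 45000, "192.168.154.43", 50000),
        "management host ssh to CAS":       lookup(a["102"], "tcp", "192.0.2.10", 45000, "192.168.154.43", 22),
        "other host to CAS 1099":           lookup(a["102"], "tcp", "10.9.8.7", 45000, "192.168.154.43", 1099),
        "other host https to CAM":          lookup(a["100"], "tcp", "10.9.8.7", 45000, "192.168.130.83", 443),
        # Weakness of source-port entries: anything from the CAS address with sport 1099 is admitted.
        "CAS sport 1099 to CAM ssh":        lookup(a["100"], "tcp", "192.168.154.43", 1099, "192.168.130.83", 22),
        # A destination the list never names falls through to the rest of the transit ACL.
        "other host to unrelated server":   lookup(a["102"], "tcp", "10.9.8.7", 45000, "192.168.154.44", 443),
    }
```

Calling check_bulletin_acls() returns the verdict and matching sequence number for each flow; a result of ('deny', None) means no entry of that list matched, which on the router corresponds to the packet being evaluated by whatever follows these entries in the transit ACL rather than to a drop by the list shown here. Paste a candidate configuration into parse_acls() and add the flows your deployment must carry to catch an omitted entry before the list is applied.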

Identification: Readable Snapshots Vulnerability

When a transit access control list has been applied to an interface, the show access-list command can be used to identify the number of packets being filtered. Filtered packets should be investigated to determine if they are attempts to exploit this vulnerability. Example output for show access-list 100 follows. In this example, there were 33 packets dropped by access list 100. This access list has been applied in the inbound direction on interface FastEthernet0.

edge-router#show access-list 100
Extended IP access list 100
10 permit tcp host 192.168.154.43 host 192.168.130.83 eq www
20 permit tcp host 192.168.154.43 host 192.168.130.83 eq 443
30 permit tcp host 192.168.154.43 eq 1099 host 192.168.130.83
40 permit tcp host 192.168.154.43 eq 8995 host 192.168.130.83
50 permit tcp host 192.168.154.43 eq 8996 host 192.168.130.83
60 permit tcp host 192.168.154.43 range 32768 61000 host 192.168.130.83
70 permit tcp 192.0.2.0 0.0.0.255 host 192.168.130.83 eq www
80 permit tcp 192.0.2.0 0.0.0.255 host 192.168.130.83 eq 443
90 deny ip any host 192.168.130.83 (33 matches)

Cisco ASA, PIX, and FWSM Firewalls

Caution: The effectiveness of any mitigation technique is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Mitigation: Unchangeable Shared Secret

Interface Access Lists

These access list statements may be deployed on a Cisco ASA, PIX, or FWSM firewall as part of a firewall policy that protects devices deployed behind it, including the Clean Access Server when it is deployed in Layer 3 mode. The following access list permits traffic from clients undergoing posture checks to the appropriate ports on the untrusted interface of a Clean Access Server (for example, 192.168.155.45) and drops all other traffic to that address.


!-- Permit incoming packets from clients undergoing
!-- posture checks to Clean Access Server.

access-list outside extended permit udp any host 192.168.155.45 eq 8905
access-list outside extended permit udp any host 192.168.155.45 eq 8906
access-list outside extended permit tcp any host 192.168.155.45 eq https

!-- Deny all other traffic destined for the Clean Access Server.

access-list outside extended deny ip any host 192.168.155.45

!-- Permit/deny all other IP traffic in accordance
!-- with existing security policies and configurations.

!

!-- Apply access list to the outside interface in the inbound direction.

access-group outside in interface outside
!

The trusted interface of a Clean Access Server should also be protected. The following access list permits management traffic from the Clean Access Manager (for example, 192.168.130.83) to the Clean Access Server (for example, 192.168.154.43) when the trusted interface of the Clean Access Server resides on the inside interface of a firewall. TCP port 1099 is used by all versions of Clean Access; TCP ports 8995 and 8996 are used only with version 3.6.x and later; TCP ports 32768 through 61000 are used only with version 3.5.x, so the entries that do not apply to the deployed version should be omitted. Access to the Clean Access Server from a trusted management network (for example, 192.0.2.0/24) is also provided. All other traffic to the Clean Access Server is dropped. The list is applied in the outbound direction on the inside interface, so it filters traffic leaving the firewall toward the Clean Access Server. Note that ASA, PIX, and FWSM access lists take a subnet mask (255.255.255.0), not the IOS wildcard mask (0.0.0.255) used in the router examples.


!-- Permit management traffic from CAM to CAS.
!-- Traffic to Clean Access Server on TCP ports 8995 and 8996
!-- is required only with version 3.6.x or later.
!-- Traffic to Clean Access Server on TCP ports 32768 to 61000
!-- is required only with software version 3.5.x.

access-list inside extended permit tcp host 192.168.130.83 host 192.168.154.43 eq 1099
access-list inside extended permit tcp host 192.168.130.83 host 192.168.154.43 eq 8995
access-list inside extended permit tcp host 192.168.130.83 host 192.168.154.43 eq 8996
access-list inside extended permit tcp host 192.168.130.83 host 192.168.154.43 range 32768 61000

!-- Allow communication to the Clean Access Server
!-- from a trusted management network (192.0.2.0/24).

access-list inside extended permit tcp 192.0.2.0 255.255.255.0 host 192.168.154.43 eq ssh
access-list inside extended permit tcp 192.0.2.0 255.255.255.0 host 192.168.154.43 eq http
access-list inside extended permit tcp 192.0.2.0 255.255.255.0 host 192.168.154.43 eq https

!-- Deny all other traffic to the Clean Access Server.

access-list inside extended deny ip any host 192.168.154.43

!-- Permit/deny all other IP traffic in accordance
!-- with existing security policies and configurations.

!

!-- Apply access list to the inside interface in the outbound direction.

access-group inside out interface inside
!

Identification: Unchangeable Shared Secret

When an access control list has been applied to an interface on an ASA, PIX, or FWSM firewall, the show access-list command displays a hit count for each entry. Packets counted by the deny entry should be investigated to determine whether they are attempts to exploit this vulnerability; the firewall also records the source and destination of each packet denied by an access list in syslog message 106023 (%ASA-4-106023 and the equivalent %PIX- and %FWSM- messages), so the sources can be identified on the syslog server. Example output for show access-list outside follows. In this example, 40 packets were dropped by access list outside, which has been applied in the inbound direction on the outside interface.

ASA5520#show access-list outside
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside; 4 elements
access-list outside line 1 extended permit udp any
  host 192.168.155.45 eq 8905 (hitcnt=86) 0x2564912b
access-list outside line 2 extended permit udp any
  host 192.168.155.45 eq 8906 (hitcnt=30) 0xd9874ae6
access-list outside line 3 extended permit tcp any
  host 192.168.155.45 eq https (hitcnt=17) 0xd52ab493
access-list outside line 4 extended deny ip any
  host 192.168.155.45 (hitcnt=40) 0xe9a7a8df

When an access control list has been applied to an interface on an ASA, PIX, or FWSM Firewall, the show access-list command can be used to identify the number of packets being filtered. Filtered packets should be investigated to determine if they are attempts to exploit this vulnerability. Example output for show access-list inside follows. In this example, there were 8 packets dropped by access-list inside. This access list has been applied in the outbound direction on the inside interface.

ASA5520#show access-list inside
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inside; 8 elements
access-list inside line 1 extended permit tcp host 192.168.130.83
  host 192.168.154.43 eq 1099 (hitcnt=4) 0x2c21a16c
access-list inside line 2 extended permit tcp host 192.168.130.83
  host 192.168.154.43 eq 8995 (hitcnt=3) 0x25e3545a
access-list inside line 3 extended permit tcp host 192.168.130.83
  host 192.168.154.43 eq 8996 (hitcnt=10) 0x6cf78029
access-list inside line 4 extended permit tcp host 192.168.130.83
  host 192.168.154.43 range 32768 61000 (hitcnt=0) 0x01271d7c
access-list inside line 5 extended permit tcp 192.0.2.0 255.255.255.0
  host 192.168.154.43 eq ssh (hitcnt=3) 0xb1cd10b9
access-list inside line 6 extended permit tcp 192.0.2.0 255.255.255.0
  host 192.168.154.43 eq http (hitcnt=0) 0x7a89dc01
access-list inside line 7 extended permit tcp 192.0.2.0 255.255.255.0
  host 192.168.154.43 eq https (hitcnt=0) 0x80cee546
access-list inside line 8 extended deny ip any
  host 192.168.154.43 (hitcnt=8) 0x8e5395a4

Mitigation: Readable Snapshots Vulnerability

Interface Access Lists

Interface access list statements may be deployed on a Cisco ASA, PIX, or FWSM firewall as part of a firewall policy that protects devices deployed behind it. The following access list assumes a firewall between the Clean Access Manager and the Clean Access Server, with the Clean Access Manager on the inside interface and the Clean Access Server reached through the outside interface. The list permits communication from the IP address of the Clean Access Server (for example, 192.168.154.43) to the IP address of the Clean Access Manager (for example, 192.168.130.83) via HTTP (TCP/80 or www) and HTTPS (TCP/443). Management connections from the Clean Access Manager to the Clean Access Server originate on the higher-security inside interface and are permitted, together with their return traffic, by the default firewall policy, so no entries for them are needed here. Access to the Clean Access Manager on TCP port 80 is required only with Clean Access versions 3.5.x and 3.6.x; with versions 4.0.x and 4.1.x the TCP port 80 entry should be omitted. Packets from a trusted management network (for example, 192.0.2.0/24, written with a subnet mask as ASA, PIX, and FWSM require) are also permitted. All other traffic to the Clean Access Manager is dropped.


!-- Allow communication from the Clean Access Server (192.168.154.43)
!-- to the Clean Access Manager (192.168.130.83) on ports 80 and 443.
!-- Port 80 communication is required only
!-- with Clean Access versions 3.5.x and 3.6.x.

access-list outside extended permit tcp host 192.168.154.43 host 192.168.130.83 eq www
access-list outside extended permit tcp host 192.168.154.43 host 192.168.130.83 eq https

!-- Allow communication to the Clean Access Manager
!-- from a trusted management network (192.0.2.0/24).

access-list outside extended permit tcp 192.0.2.0 255.255.255.0 host 192.168.130.83 eq www
access-list outside extended permit tcp 192.0.2.0 255.255.255.0 host 192.168.130.83 eq https

!-- Deny all other traffic to the Clean Access Manager.

access-list outside extended deny ip any host 192.168.130.83

!-- Permit/deny all other IP traffic in accordance
!-- with existing security policies and configurations.

!

!-- Apply access list to the outside interface in the inbound direction.

access-group outside in interface outside
!

Identification: Readable Snapshots Vulnerability

When an access control list has been applied to an interface on an ASA, PIX, or FWSM Firewall, the show access-list command can be used to identify the number of packets being filtered by the access list. Filtered packets should be investigated to determine if they are attempts to exploit this vulnerability. Example output for show access-list outside follows. In this example, there were 93 packets dropped by access list outside. This access list had been applied on the outside interface in the inbound direction.

ASA5520#show access-list outside
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside; 5 elements
access-list outside line 1 extended permit tcp host 192.168.154.43
  host 192.168.130.83 eq www (hitcnt=86) 0x25faa090
access-list outside line 2 extended permit tcp host 192.168.154.43
  host 192.168.130.83 eq https (hitcnt=30) 0x64e200db
access-list outside line 3 extended permit tcp 192.0.2.0 255.255.255.0
  host 192.168.130.83 eq www (hitcnt=17) 0xf19cfcd9
access-list outside line 4 extended permit tcp 192.0.2.0 255.255.255.0
  host 192.168.130.83 eq https (hitcnt=15) 0x33ab9a26
access-list outside line 5 extended deny ip any
  host 192.168.130.83 (hitcnt=93) 0xb2ff30de

Cisco Switches

Caution: The effectiveness of any mitigation technique is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Mitigation: Unchangeable Shared Secret

Layer 3 Access List Applied to a VLAN Interface

Access list statements may be applied to a VLAN interface (SVI) on a Cisco IOS switch. The following access list protects the Clean Access Server when it is deployed in Layer 3 mode. It permits traffic from clients undergoing posture checks to the appropriate ports on the untrusted interface of a Clean Access Server (for example, 192.168.155.45) and drops all other traffic to that address. This example assumes that the clients undergoing posture checks reside on VLAN 11, so the list is applied in the inbound direction on interface Vlan11.


!-- Permit incoming packets from clients undergoing
!-- posture checks to Clean Access Server.

access-list 101 permit udp any host 192.168.155.45 eq 8905
access-list 101 permit udp any host 192.168.155.45 eq 8906
access-list 101 permit tcp any host 192.168.155.45 eq 443

!-- Deny all other traffic destined for the Clean Access Server.

access-list 101 deny ip any host 192.168.155.45

!-- Permit/deny all other IP traffic in accordance
!-- with existing security policies and configurations.

!

!-- Apply access list to interface in the inbound direction.

interface Vlan11
ip access-group 101 in
!

Access to the Clean Access Server should also be protected on its trusted interface. The following access list permits management traffic from the Clean Access Manager (for example, 192.168.130.83) to the Clean Access Server (for example, 192.168.154.43) when the trusted interface of the Clean Access Server resides on VLAN 12. It is applied in the outbound direction on interface Vlan12, so it filters traffic leaving the switch toward the Clean Access Server regardless of the VLAN on which it entered. TCP port 1099 is used by all versions of Clean Access; TCP ports 8995 and 8996 are used only with version 3.6.x and later; TCP ports 32768 through 61000 are used only with version 3.5.x, so the entries that do not apply to the deployed version should be omitted. Access to the Clean Access Server from a trusted management network (for example, 192.0.2.0/24) is also provided. All other traffic to the Clean Access Server is dropped.


!-- Permit management traffic from CAM to CAS.
!-- Traffic to Clean Access Server on TCP ports 8995 and 8996
!-- is required only with software version 3.6.x or later.
!-- Traffic to Clean Access Server on TCP ports 32768 to 61000
!-- is required only with software version 3.5.x.

access-list 102 permit tcp host 192.168.130.83 host 192.168.154.43 eq 1099
access-list 102 permit tcp host 192.168.130.83 host 192.168.154.43 eq 8995
access-list 102 permit tcp host 192.168.130.83 host 192.168.154.43 eq 8996
access-list 102 permit tcp host 192.168.130.83 host 192.168.154.43 range 32768 61000

!-- Allow communication to the Clean Access Server
!-- from a trusted management network (192.0.2.0/24).

access-list 102 permit tcp 192.0.2.0 0.0.0.255 host 192.168.154.43 eq 22
access-list 102 permit tcp 192.0.2.0 0.0.0.255 host 192.168.154.43 eq www
access-list 102 permit tcp 192.0.2.0 0.0.0.255 host 192.168.154.43 eq 443

!-- Deny all other traffic to the Clean Access Server.

access-list 102 deny ip any host 192.168.154.43
!

!-- Permit/deny all other IP traffic in accordance
!-- with existing security policies and configurations.

!

!-- Apply access list to interface in the outbound direction.

interface Vlan12
ip access-group 102 out
!

Identification: Unchangeable Shared Secret

When an access list has been applied to a VLAN interface, the show access-list command can be used to identify the number of packets being filtered. Filtered packets should be investigated to determine if they are attempts to exploit this vulnerability. Example output for show access-list 101 follows. In this example, there were 17 packets dropped by access list 101. This access list has been applied in the inbound direction on interface VLAN11.

switch#show access-list 101
Extended IP access list 101
10 permit udp any host 192.168.155.45 eq 8905
20 permit udp any host 192.168.155.45 eq 8906
30 permit tcp any host 192.168.155.45 eq 443
40 deny ip any host 192.168.155.45 (17 matches)

When an access list has been applied to a VLAN interface, the show access-list command can be used to identify the number of packets being filtered. Filtered packets should be investigated to determine if they are attempts to exploit this vulnerability. Example output for show access-list 102 follows. In this example, there were 13 packets dropped by access list 102. This access list has been applied in the outbound direction on interface VLAN 12.

switch#show access-list 102
Extended IP access list 102
10 permit tcp host 192.168.130.83 host 192.168.154.43 eq 1099
20 permit tcp host 192.168.130.83 host 192.168.154.43 eq 8995
30 permit tcp host 192.168.130.83 host 192.168.154.43 eq 8996
40 permit tcp host 192.168.130.83 host 192.168.154.43 range 32768 61000
50 permit tcp 192.0.2.0 0.0.0.255 host 192.168.154.43 eq 22
60 permit tcp 192.0.2.0 0.0.0.255 host 192.168.154.43 eq www
70 permit tcp 192.0.2.0 0.0.0.255 host 192.168.154.43 eq 443
80 deny ip any host 192.168.154.43 (13 matches)

Mitigation: Readable Snapshots Vulnerability

Layer 3 Access List Applied to a VLAN Interface

Access list statements may be applied to a VLAN interface (SVI) on a Cisco IOS switch. The following access list is applied in the outbound direction on the VLAN interface where the Clean Access Manager resides (VLAN 10 in this example), so it filters all traffic leaving the switch toward the Clean Access Manager. It permits communication from the IP address of the Clean Access Server (for example, 192.168.154.43) to the IP address of the Clean Access Manager (for example, 192.168.130.83) via HTTP (TCP/80 or www) and HTTPS (TCP/443). Access to the Clean Access Manager on TCP port 80 is required only with Clean Access versions 3.5.x and 3.6.x; with versions 4.0.x and 4.1.x the TCP port 80 entry should be omitted. The access list also permits other management traffic from the Clean Access Server to the Clean Access Manager, matched on the source port of the Clean Access Server: source TCP port 1099 is used by all versions of Clean Access; source ports 8995 and 8996 are used only with version 3.6.x and later; source ports 32768 through 61000 are used only with version 3.5.x. Packets from a trusted management network (for example, 192.0.2.0/24) are also permitted. All other traffic to the Clean Access Manager is dropped.


!-- Allow communication from the Clean Access Server (192.168.154.43)
!-- to the Clean Access Manager (192.168.130.83) on ports 80 and 443.
!-- Port 80 communication is required only
!-- with Clean Access versions 3.5.x and 3.6.x.

access-list 100 permit tcp host 192.168.154.43 host 192.168.130.83 eq www
access-list 100 permit tcp host 192.168.154.43 host 192.168.130.83 eq 443

!-- Permit other management traffic from CAS to CAM, matched on the
!-- source port of the Clean Access Server.
!-- Source ports 8995 and 8996 are used only with version 3.6.x or later.
!-- Source ports 32768 to 61000 are used only with software version 3.5.x.

access-list 100 permit tcp host 192.168.154.43 eq 1099 host 192.168.130.83
access-list 100 permit tcp host 192.168.154.43 eq 8995 host 192.168.130.83
access-list 100 permit tcp host 192.168.154.43 eq 8996 host 192.168.130.83
access-list 100 permit tcp host 192.168.154.43 range 32768 61000 host 192.168.130.83

!-- Allow communication to the Clean Access Manager
!-- from a trusted management network (192.0.2.0/24).

access-list 100 permit tcp 192.0.2.0 0.0.0.255 host 192.168.130.83 eq www
access-list 100 permit tcp 192.0.2.0 0.0.0.255 host 192.168.130.83 eq 443

!-- Deny all other traffic to the Clean Access Manager.

access-list 100 deny ip any host 192.168.130.83

!-- Permit/deny all other IP traffic in accordance
!-- with existing security policies and configurations.

!

!-- Apply access list to interface in the outbound direction.

interface Vlan10
ip access-group 100 out
!

Identification: Readable Snapshots Vulnerability

When an access list has been applied to a VLAN interface, the show access-list command can be used to identify the number of packets being filtered. Filtered packets should be investigated to determine if they are attempts to exploit this vulnerability. Example output for show access-list 100 follows. In this example, there were 10 packets dropped by access list 100. This access list has been applied in the outbound direction on interface VLAN 10.

switch#show access-list 100
Extended IP access list 100
10 permit tcp host 192.168.154.43 host 192.168.130.83 eq www
20 permit tcp host 192.168.154.43 host 192.168.130.83 eq 443
30 permit tcp host 192.168.154.43 eq 1099 host 192.168.130.83
40 permit tcp host 192.168.154.43 eq 8995 host 192.168.130.83
50 permit tcp host 192.168.154.43 eq 8996 host 192.168.130.83
60 permit tcp host 192.168.154.43 range 32768 61000 host 192.168.130.83
70 permit tcp 192.0.2.0 0.0.0.255 host 192.168.130.83 eq www
80 permit tcp 192.0.2.0 0.0.0.255 host 192.168.130.83 eq 443
90 deny ip any host 192.168.130.83 (10 matches)
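The identification sections for the IOS router, the ASA/PIX/FWSM firewall and the switch all rely on reading the deny-entry counter out of show access-list output by hand. The following Python script is an added example, not part of this bulletin and not a Cisco tool: it parses both the IOS and switch format ("40 deny ip any host ... (13 matches)") and the ASA/PIX/FWSM format ("access-list NAME line N extended deny ... (hitcnt=40)"), extracts the counters of the deny entries only, and reports which of them have advanced since a saved baseline, which is what a periodic monitoring job that collects the command output needs in order to alert when filtered packets start arriving. The sample output is the IOS and ASA output shown above for access lists 101 and outside; the baseline values are constructed.

```python
"""Added example: read deny-entry counters out of 'show access-list' output.
Handles the IOS/switch form ('40 deny ip any host X (13 matches)') and the
ASA/PIX/FWSM form ('access-list NAME line N extended deny ... (hitcnt=40) 0x...'),
and reports which deny entries have advanced since a saved baseline."""
import re
from typing import Dict, List, Tuple

Key = Tuple[str, str]   # (access list, entry label), e.g. ("101", "40") or ("outside", "line 4")

IOS_HEADER = re.compile(r"^Extended IP access list (\S+)")
IOS_ENTRY = re.compile(r"^(\d+) (permit|deny) .*?(?:\((\d+) matches\))?$")
ASA_ENTRY = re.compile(r"^access-list (\S+) line (\d+) extended (permit|deny) .*\(hitcnt=(\d+)\)")

def _unwrap(output: str) -> List[str]:
    """Re-join ASA entries that were wrapped onto an indented continuation line."""
    lines: List[str] = []
    for raw in output.splitlines():
        if raw[:1].isspace() and lines and lines[-1].startswith("access-list "):
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines

def deny_counters(output: str) -> Dict[Key, int]:
    """Map (acl, entry) -> hits for every deny entry; IOS entries without '(N matches)' count 0."""
    counters: Dict[Key, int] = {}
    acl = None
    for line in _unwrap(output):
        m = IOS_HEADER.match(line)
        if m:
            acl = m.group(1)          # entries that follow belong to this IOS list
            continue
        m = ASA_ENTRY.match(line)
        if m:
            name, seq, action, hits = m.groups()
            if action == "deny":
                counters[(name, "line " + seq)] = int(hits)
            continue
        m = IOS_ENTRY.match(line) if acl else None
        if m and m.group(2) == "deny":
            counters[(acl, m.group(1))] = int(m.group(3) or 0)
    return counters

def advanced(baseline: Dict[Key, int], current: Dict[Key, int]) -> Dict[Key, int]:
    """Deny entries whose counter grew since the baseline, with the increase (new entries start at 0)."""
    return {k: v - baseline.get(k, 0) for k, v in current.items() if v > baseline.get(k, 0)}

# The show access-list output shown on this page for the IOS router and the ASA.
SAMPLE_OUTPUT = """\
edge-router#show access-list 101
Extended IP access list 101
    10 permit udp any host 192.168.155.45 eq 8905
    20 permit udp any host 192.168.155.45 eq 8906
    30 permit tcp any host 192.168.155.45 eq 443
    40 deny ip any host 192.168.155.45 (13 matches)
ASA5520#show access-list outside
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside; 4 elements
access-list outside line 1 extended permit udp any
  host 192.168.155.45 eq 8905 (hitcnt=86) 0x2564912b
access-list outside line 2 extended permit udp any
  host 192.168.155.45 eq 8906 (hitcnt=30) 0xd9874ae6
access-list outside line 3 extended permit tcp any
  host 192.168.155.45 eq https (hitcnt=17) 0xd52ab493
access-list outside line 4 extended deny ip any
  host 192.168.155.45 (hitcnt=40) 0xe9a7a8df
"""

# Constructed baseline from an earlier poll: the IOS deny entry had 5 hits, the ASA one 40.
BASELINE: Dict[Key, int] = {("101", "40"): 5, ("outside", "line 4"): 40}

def report(output: str = SAMPLE_OUTPUT, baseline: Dict[Key, int] = BASELINE) -> Dict[Key, int]:
    """Deny entries that advanced since the baseline, as a monitoring job would compute them."""
    return advanced(baseline, deny_counters(output))
```

With the sample data, report() returns only the IOS entry, which gained 8 hits, while the ASA entry is unchanged. A counter that is lower than its baseline (after clear access-list counters or a reload) is not reported as growth, so the job that calls report() should refresh its baseline whenever it sees a decrease.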

Additional Information

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Revision History

Revision 1.0

2007-January-03

Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

Related Information