Cisco Security Advisory-
Three new vulnerabilities are identified in Cisco Broadband Operating System (CBOS), an operating system for the Cisco 600 family of routers. Each vulnerability can cause a Denial of Service (DoS) by freezing the customer premises equipment (CPE). All three vulnerabilities can be exploited remotely.
No other Cisco product is vulnerable.
Workarounds are provided for two of the three vulnerabilities. Note that the workarounds provided may not be applicable in all cases. See the Workarounds section for further details.
This advisory is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020523-cbos-dos.
-
This section provides details on affected products.
Vulnerable Products
All Cisco DSL CPE devices from the 600 family running CBOS software up to and including 2.4.4 release are vulnerable. The complete list of vulnerable hardware models is: 626, 627, 633, 673, 675, 675e, 676, 677, 677i and 678.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
This section details the vulnerabilities described in this document.
-
CSCdw90020 -- By sending a large packet to the
Dynamic Host Configuration Protocol (DHCP) port it is possible to freeze the
CPE. DHCP service is enabled by default.
-
CSCdv50135 -- By sending a large packet to the
Telnet port it is possible to freeze the CPE. It is not necessary to be logged
in or to authenticate in any way. Telnet is enabled by default.
-
CSCdx36121 -- The TCP/IP stack will consume all
memory while processing received packets. This will happen only if the CPE must
process a high number of overly large packets. These packets must have the CPE
as the destination. After the memory is exhausted the CPE will lock up and stop
forwarding any further packets.
-
CSCdw90020 -- By sending a large packet to the
Dynamic Host Configuration Protocol (DHCP) port it is possible to freeze the
CPE. DHCP service is enabled by default.
-
This section describes workarounds for the vulnerabilities described in this document.
-
CSCdw90020 - The workaround is to filter DHCP
requests. This task must be executed while in enable mode.
To filter DHCP packets use this procedure:
The filter "0" will allow all DHCP requests from your internal network to the CPE. The filter "1" will allow all DHCP responses from the CPE. In this example, the eth0 interface of the CPE has the IP address of 1.2.3.4. You must substitute this address with the IP address of your eth0 port. This configuration is not the complete workaround since you are still exposed from you LAN side (behind the eth0 interface).cbos# set filter 0 on allow incoming eth0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol udp srcport 68-68 destport 67-67 cbos# set filter 1 on allow outgoing eth0 1.2.3.4 255.255.255.255 0.0.0.0 0.0.0.0 protocol udp srcport 67-67 destport 68-68
Note: There is an implicit "deny all" as the last filter so you must include additional "permit" filters to allow a normal traffic flow. If you already have filters configured, you should combine this example with the configured filters and probably change the filter numbers to suit your configuration. Also note that this workaround is not applicable if you must have DHCP enabled on the WAN side.
For information regarding filters, refer to: http://www.cisco.com/en/US/products/hw/modems/ps296/products_installation_guide_book09186a008007dd7e.html.
-
CSCdv50135 - The workaround is to disable Telnet. This task
must be executed while in enable mode. To disable Telnet use this
procedure:
cbos# set telnet disable
cbos# write
-
CSCdx36121 - There is no workaround.
-
CSCdw90020 - The workaround is to filter DHCP
requests. This task must be executed while in enable mode.
-
All vulnerabilities are fixed in CBOS version 2.4.5 or later.
-
These vulnerabilities were reported by Knud Erik Højgaard from Cybercity, Denmark. The exploit code for CSCdv50135 was made public by a third party unrelated to Knud Højgaard in any way. This vulnerability was also publicly discussed.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show Less
Revision 1.2
2002-June-17
Updated Software Versions and Fixes section
Revision 1.1
2002-May-31
Updated Affected Products section
Revision 1.0
2002-May-23
Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.