AV:R/AC:L/Au:NR/C:N/I:N/A:C/B:N/E:F/RL:O/RC:C
-
The Cisco Wide Area Application Services (WAAS) software contains a denial of service (DoS) vulnerability that may cause some devices that run WAAS software (WAE appliance and NM-WAE-502 module) to stop processing all types of traffic, including data traffic and management traffic. This condition may occur if a device running WAAS software is configured for Edge Services, which utilizes Common Internet File System (CIFS) optimization and receives a flood of TCP SYN packets on port 139 or 445.
Cisco has made free software available to address this vulnerability for affected customers. Workarounds are available to mitigate the effects of this vulnerability.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070718-waas.
-
Vulnerable Products
The vulnerability described in this document applies to both the WAE appliance and the NM-WAE-502 network module with Edge Services configured, which use CIFS optimization. Edge Services and CIFS optimization are disabled by default. CIFS functionality is only available once Edge Services are manually configured from the WAAS Central Manager. Only WAAS software versions 4.0.7 and 4.0.9 are affected by this vulnerability.
In order to determine whether Edge Services are configured and to display the WAAS software version information, use the WAAS Central Manager GUI. The show version EXEC command from the CLI will also display the WAAS software version information.
Determine whether Edge Services are configured and display the WAAS software version information by following the steps below.
-
Log on to WAAS Central Manager.
-
Select the "Devices" tab.
-
Look under the Services column. "Edge" will denote if Edge Services
are configured.
-
Look under the Software Version column. The software version for each
device is identified.
The example below shows the output of the show version command from a WAE appliance CLI. In this example, the WAE is running version 4.0.9.
CE-115-16#show version Cisco Wide Area Application Services Software (WAAS) Copyright (c) 1999-2007 by Cisco Systems, Inc. Cisco Wide Area Application Services Software Release 4.0.9 (build b10 Apr 6 2007) Version: fe611-4.0.9.10 Compiled 15:26:06 Apr 6 2007 by cnbuild System was restarted on Sat Jun 16 05:03:41 2007. The system has been up for 33 minutes, 40 seconds. CE-115-16#
Products Confirmed Not Vulnerable
No other Cisco products or versions of WAAS software that are not explicitly identified in this advisory are currently known to be affected by this vulnerability.
WAE appliances and NM-WAE-502 modules that are not configured to provide Edge Services performing CIFS optimization are not affected. The NM-WAE-302 is not susceptible to this vulnerability as it cannot be configured for CIFS optimization.
-
Log on to WAAS Central Manager.
-
The Cisco Wide Area Application Services solution uses a combination of application acceleration and WAN optimization techniques to mitigate application and transport latency. WAAS software is utilized on the Wide Area Application Engine appliance and the Wide Area Application Services Network Module that are incorporated in the solution.
A DoS vulnerability exists in some versions of WAAS software that may cause some devices that run WAAS software (WAE appliance and NM-WAE-502 module) to stop processing all types of traffic, including traffic going through the device (data traffic) and traffic terminating on the device (management traffic). If the WAAS device has Edge Services, which uses CIFS optimization configured, and receives a flood of TCP SYN packets on ports 139 or 445, this vulnerability may be triggered, resulting in a DoS condition. Ports 139 and 445 are utilized by the CIFS functionality of the WAAS software. This condition may result from network traffic that is sent directly to the WAAS platform, or by automated systems such as hostscanners, portscanners, or network worms.
This vulnerability is documented in Cisco Bug ID CSCsi58809 ( registered customers only)
-
If the device that is running WAAS software does not need to provide Edge Services, then disabling Edge Services is a viable workaround. When the Edge Services are turned off, CIFS clients may not benefit from the response time reduction that is associated with the operation of the CIFS cache, preposition and other CIFS latency optimizations. However, other Layer 4 optimizations will continue to apply according to the application policy settings.
In order to disable Edge Services, which includes the CIFS accelerator and CIFS auto discovery features, follow the steps below.
-
Log in to WAAS Central Manager.
-
Select the "Devices" tab.
-
Select the "Devices" category (or "Device Groups" if using multiple
devices in groups).
-
Choose target device or group.
-
Choose "File Services" located in the left column under "Contents."
-
Choose "Edge configuration" located under "File Services."
-
Uncheck "Enable Edge Server."
-
Click Submit.
Transit ACLs (tACL)
Filters that block access to TCP ports 139 and 445 packets should be deployed at the network edge as part of a transit access list, which will protect the router where the filter is configured as well as other devices behind it. Filters should also be deployed in front of vulnerable network devices so that TCP ports 139 and 445 packets are only allowed from trusted CIFS Clients to trusted CIFS Servers.
Further information about transit ACLs is available in the white paper "Transit Access Control Lists: Filtering at Your Edge" at the following link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Further information about configuring ACLs on the WAAS client is in the "Creating and Managing IP Access Control Lists for WAAS Devices" chapter of the WAAS Configuration Guide at the following link: http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v407/configuration/guide/ipacl.html
Additional mitigations that can be deployed on Cisco devices within the network are discussed in the Cisco Applied Mitigation Bulletin companion document for this advisory available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20070718-waas
-
Log in to WAAS Central Manager.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
This vulnerability is fixed in version 4.0.11 of the Cisco WAAS software. WAAS public software releases have version numbers that end in odd numbers and can be downloaded from the following URL:
http://www.cisco.com/pcgi-bin/tablebuild.pl/waas40?psrtdcat20e2.
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
This vulnerability was discovered during the resolution of customer support cases.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.1
2007-July-21
In "Vulnerable Products" section, added a line break
Revision 1.0
2007-July-18
Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.