Advisory ID: cisco-sa-20070718-waas
For Public Release 2007 July 18 16:00 UTC (GMT)
The Cisco Wide Area Application Services (WAAS) software contains a denial of service (DoS) vulnerability that may cause some devices that run WAAS software (WAE appliance and NM-WAE-502 module) to stop processing all types of traffic, including data traffic and management traffic. This condition may occur if a device running WAAS software is configured for Edge Services, which utilizes Common Internet File System (CIFS) optimization and receives a flood of TCP SYN packets on port 139 or 445.
Cisco has made free software available to address this vulnerability for affected customers. Workarounds are available to mitigate the effects of this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070718-waas.
The vulnerability described in this document applies to both the WAE appliance and the NM-WAE-502 network module with Edge Services configured, which use CIFS optimization. Edge Services and CIFS optimization are disabled by default. CIFS functionality is only available once Edge Services are manually configured from the WAAS Central Manager. Only WAAS software versions 4.0.7 and 4.0.9 are affected by this vulnerability.
In order to determine whether Edge Services are configured and to display the WAAS software version information, use the WAAS Central Manager GUI. The show version EXEC command from the CLI will also display the WAAS software version information.
Determine whether Edge Services are configured and display the WAAS software version information by following the steps below.
- Log on to WAAS Central Manager.
- Select the "Devices" tab.
- Look under the Services column. "Edge" will denote if Edge Services are configured.
- Look under the Software Version column. The software version for each device is identified.
The example below shows the output of the show version command from a WAE appliance CLI. In this example, the WAE is running version 4.0.9.
Cisco Wide Area Application Services Software (WAAS)
Copyright (c) 1999-2007 by Cisco Systems, Inc.
Cisco Wide Area Application Services Software Release 4.0.9
(build b10 Apr 6 2007)
Compiled 15:26:06 Apr 6 2007 by cnbuild
System was restarted on Sat Jun 16 05:03:41 2007.
The system has been up for 33 minutes, 40 seconds.
No other Cisco products or versions of WAAS software that are not explicitly identified in this advisory are currently known to be affected by this vulnerability.
WAE appliances and NM-WAE-502 modules that are not configured to provide Edge Services performing CIFS optimization are not affected. The NM-WAE-302 is not susceptible to this vulnerability as it cannot be configured for CIFS optimization.
The Cisco Wide Area Application Services solution uses a combination of application acceleration and WAN optimization techniques to mitigate application and transport latency. WAAS software is utilized on the Wide Area Application Engine appliance and the Wide Area Application Services Network Module that are incorporated in the solution.
A DoS vulnerability exists in some versions of WAAS software that may cause some devices that run WAAS software (WAE appliance and NM-WAE-502 module) to stop processing all types of traffic, including traffic going through the device (data traffic) and traffic terminating on the device (management traffic). If the WAAS device has Edge Services, which uses CIFS optimization configured, and receives a flood of TCP SYN packets on ports 139 or 445, this vulnerability may be triggered, resulting in a DoS condition. Ports 139 and 445 are utilized by the CIFS functionality of the WAAS software. This condition may result from network traffic that is sent directly to the WAAS platform, or by automated systems such as hostscanners, portscanners, or network worms.
This vulnerability is documented in Cisco Bug ID CSCsi58809 ( registered customers only)
Successful exploitation of the vulnerability described in this document may allow a remote host to cause a device that is running an affected version of the WAAS software with Edge Services using CIFS optimization configured to enter into an unresponsive state. During this unresponsive state, no services are provided, including management access to the device. Recovery of the system from this unresponsive state can only be accomplished by resetting or power cycling the affected device. The following process can be used to remotely recover the NM-WAE-502.
Remote Recovery of the NM-WAE-502
Log in to the router and issue the following command from IOS CLI to reboot the NM-WAE-502:
Router# service-module integrated-Service-Engine <slot>/<port> reset
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
This vulnerability is fixed in version 4.0.11 of the Cisco WAAS software. WAAS public software releases have version numbers that end in odd numbers and can be downloaded from the following URL:
If the device that is running WAAS software does not need to provide Edge Services, then disabling Edge Services is a viable workaround. When the Edge Services are turned off, CIFS clients may not benefit from the response time reduction that is associated with the operation of the CIFS cache, preposition and other CIFS latency optimizations. However, other Layer 4 optimizations will continue to apply according to the application policy settings.
In order to disable Edge Services, which includes the CIFS accelerator and CIFS auto discovery features, follow the steps below.
- Log in to WAAS Central Manager.
- Select the "Devices" tab.
- Select the "Devices" category (or "Device Groups" if using multiple devices in groups).
- Choose target device or group.
- Choose "File Services" located in the left column under "Contents."
- Choose "Edge configuration" located under "File Services."
- Uncheck "Enable Edge Server."
- Click Submit.
Transit ACLs (tACL)
Filters that block access to TCP ports 139 and 445 packets should be deployed at the network edge as part of a transit access list, which will protect the router where the filter is configured as well as other devices behind it. Filters should also be deployed in front of vulnerable network devices so that TCP ports 139 and 445 packets are only allowed from trusted CIFS Clients to trusted CIFS Servers.
Further information about transit ACLs is available in the white paper "Transit Access Control Lists: Filtering at Your Edge" at the following link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Further information about configuring ACLs on the WAAS client is in the "Creating and Managing IP Access Control Lists for WAAS Devices" chapter of the WAAS Configuration Guide at the following link: http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v407/configuration/guide/ipacl.html
Additional mitigations that can be deployed on Cisco devices within the network are discussed in the Cisco Applied Mitigation Bulletin companion document for this advisory available at the following link: http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20070718-waas
Cisco will make free software available to address this vulnerability for affected customers. This advisory will be updated as fixed software becomes available. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact either "firstname.lastname@example.org" or "email@example.com" for software upgrades.
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.
Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.
Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should obtain their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
- +1 800 553 2447 (toll free from within North America)
- +1 408 526 7209 (toll call from anywhere in the world)
- e-mail: firstname.lastname@example.org
Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
This vulnerability was discovered during the resolution of customer support cases.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
This advisory is posted on Cisco's worldwide website at :
In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
In "Vulnerable Products" section, added a line break
Initial public release