AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
-
A vulnerability in the Transaction Language 1 (TL1) code of Cisco ASR 900 Series routers could allow an unauthenticated, remote attacker to cause a reload of, or remotely execute code on, the affected system.
The vulnerability exists because the affected software performs incomplete bounds checks on input data. An attacker could exploit this vulnerability by sending a malicious request to the TL1 port, which could cause the device to reload. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or cause a reload of the affected system.
Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-tl1
-
Vulnerable Products
This vulnerability affects Cisco ASR 900 Series Aggregation Services Routers (ASR902, ASR903, and ASR907) that are running the following releases of Cisco IOS XE Software:
- 3.17.0S
- 3.17.1S
- 3.17.2S
- 3.18.0S
- 3.18.1S
Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS XE Software or similar text.
The following example shows the output of the show version command on a device that is running Cisco IOS XE Software Release 3.17.01.S:
Router>show version Cisco IOS XE Software, Version 03.17.01.S - Standard Support Release
Cisco IOS Software, ASR903 Software (PPC_LINUX_IOSD-UNIVERSALK9_NPE-M), Version 15.6(1)S1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Wed 09-Mar-16 06:34 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2016 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.For information about the naming and numbering conventions for Cisco IOS XE Software releases, see White Paper: Cisco IOS and NX-OS Software Reference Guide.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following products:
- Cisco ASR 901 Series Aggregation Services Routers
- Cisco ASR 901 10G Series Aggregation Services Routers
- Cisco ASR 901S Series Aggregation Services Routers
- Cisco ASR 920 Series Aggregation Services Routers
-
Exploitation of this vulnerability could cause potential remote code execution or a reload of the device. The exploit could be confirmed by a decode of the stack trace, indicating that the device crashed in the TL1 Helper Process. An error message similar to the following example could be found in the device logs:
Exception to IOS Thread: Frame pointer 0x348D3D18, PC = 0x150255E4 UNIX-EXT-SIGNAL: Segmentation fault(11), Process = TL1 Helper Process -Traceback= 1#c2f8cd10bbd769d41be54f5792c0ec33 :10000000+50255E4 :10000000+33DEED0 :10000000+33DEED0 :10000000+33D6718 :10000000+33D5444
-
There are workarounds for this vulnerability. The following mitigation may help protect an infrastructure until an upgrade to a fixed version of Cisco IOS XE software can be scheduled:
Infrastructure Access Control Lists
To protect infrastructure devices and minimize the risk, impact, and effectiveness of direct infrastructure attacks, administrators are advised to deploy infrastructure access control lists (iACLs) to perform policy enforcement of traffic sent to infrastructure equipment. Administrators can construct an iACL by explicitly permitting only authorized traffic sent to infrastructure devices in accordance with existing security policies and configurations. For the maximum protection of infrastructure devices, deployed iACLs should be applied in the ingress direction on all interfaces to which an IP address has been configured. An iACL workaround cannot provide complete protection against this vulnerability when the attack originates from a trusted source address.
The iACL policy denies unauthorized TL1 packets on TCP and UDP ports 3082 and 3083 that are sent to affected devices. In the following example, 192.168.60.0/24 is the IP address space that is used by the affected devices, and the host at 192.168.100.1 is considered a trusted source that requires access to the affected devices. Care should be taken to allow required traffic for routing and administrative access prior to denying all unauthorized traffic. Whenever possible, infrastructure address space should be distinct from the address space used for user and services segments. Using this addressing methodology will assist with the construction and deployment of iACLs.ip access-list extended Infrastructure-ACL-Policy
remark - permit trusted TL1 traffic - won't prevent exploitation from these hosts. remark - The exploit has only been seen on TCP port 3083, others are included for completeness.
remark - Do not use these four lines if not using TL1 feature.
permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 3082
permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 3083
permit udp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 3082
permit udp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 3083
!-- The following vulnerability-specific access control entry
!-- (ACE) can aid in identification of attacks.
remark deny all other traffic to TL1 port.
deny tcp any 192.168.60.0 0.0.0.255 eq 3082 log
deny tcp any 192.168.60.0 0.0.0.255 eq 3083 log
deny udp any 192.168.60.0 0.0.0.255 eq 3082 log
deny udp any 192.168.60.0 0.0.0.255 eq 3083 log
!-- Permit or deny all other Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations
!-- Apply iACL to interfaces in the ingress direction
permit ip any any
interface GigabitEthernet0
ip access-group Infrastructure-ACL-Policy in
-
Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.htmlAdditionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.htmlCustomers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Fixed Releases
This vulnerability affects the 3.17S and 3.18S release trains running on affected products.
Cisco IOS XE Major Affected Release First Fixed Release 3.17S 3.17.3S; Scheduled for 30th November 3.18S 3.18.2S Additionally to help customers determine their exposure to vulnerabilities in Cisco IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker, that identifies any Cisco Security Advisories that impact a specific Cisco IOS XE Software release and the earliest release that fixes the vulnerabilities described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified (“Combined First Fixed”).
Customers can use this tool to perform the following tasks:
- Initiate a search by choosing one or more releases from a drop-down menu or uploading a file from a local system for the tool to parse
- Enter the output of the show version command for the tool to parse
- Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication
To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS XE Software release—for example, 3.17.0S—in the following field:
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
-
This vulnerability was discovered when handling customer service requests.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version Description Section Status Date 1.0 Initial public release — Final 2016-November-02
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.