AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
Cisco IOS software configured for IOS firewall Application Inspection Control (AIC) with an HTTP application-specific policy is vulnerable to a denial of service when processing a specific malformed HTTP transit packet. Successful exploitation of the vulnerability may result in a reload of the affected device.
Cisco has released software updates that address this vulnerability.
A mitigation for this vulnerability is available. See the "Workarounds" section for details.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-iosfw.
Note: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory.
Individual publication links are listed below:
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-iosips
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-ssl
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-sip
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-cucm
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-vpn
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-ipc
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-mfi
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-ubr
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-sccp
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-multicast
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-iosfw
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-l2tp
The HTTP AIC feature was introduced in Cisco IOS Software Release 12.4(9)T. The software table in this advisory identifies the affected releases.
Vulnerable Products
Devices that are running a vulnerable version of Cisco IOS software and configured for Cisco IOS firewall AIC for HTTP are affected.
To determine the software running on a Cisco IOS product, log in to the device and issue the show version command-line interface (CLI) command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco devices will not have the show version command, or will give different output.
The following example shows output from a device running Cisco IOS image 12.4(15)T2:
router#show version
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T2, RELEASE SOFTWARE (fc7)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 23:12 by prod_rel_team
!--- Output truncated.
Additional information on the Cisco IOS release naming conventions can be found in the document entitled "White Paper: Cisco IOS Reference Guide", which is available at http://www.cisco.com/web/about/security/intelligence/ios-ref.html.
The device is vulnerable if the configuration has a Layer 7 class map and Layer 7 policy map for HTTP deep packet inspection (DPI), and these policies are applied to any firewall zone. To determine whether the device is running a vulnerable configuration of Cisco IOS firewall AIC for HTTP, log in to the device and issue the CLI command show policy-map type inspect zone-pair | section packet inspection. If the output contains Policy: http layer7-policymap name, the device is vulnerable. The following example shows the response from a vulnerable device:
Router#show policy-map type inspect zone-pair | section packet inspection
Deep packet inspection
Policy: http layer7-policymap
1 packets, 28 bytes
Router#
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability. IOS releases before 12.4(9)T are not affected by this issue. Products confirmed not vulnerable include:
- Cisco PIX
- Cisco ASA
- Cisco Firewall Services Module (FWSM)
- The Virtual Firewall (VFW) application on the multiservice blade (MSB) on the Cisco XR 12000 Series Router
Firewalls are networking devices that control access to an organization's network assets. Firewalls are often positioned at the entrance points into networks. Cisco IOS software provides a set of security features that enable you to configure a simple or elaborate firewall policy, according to your particular requirements.
HTTP uses port 80 by default to transport Internet web services, which are commonly used on the network and rarely challenged with regard to their legitimacy and conformance to standards. Because port 80 traffic is typically allowed through the network without being challenged, many application developers are leveraging HTTP traffic as an alternative transport protocol that will allow their application's traffic to travel through or even bypass the firewall. When the Cisco IOS Firewall is configured with HTTP AIC, it performs packet inspection to detect HTTP connections that are not authorized in the scope of the security policy configuration. It also detects users who are tunneling applications through port 80. If the packet is not in compliance with the HTTP protocol, it will be dropped, the connection will be reset, and a syslog message will be generated, as appropriate.
Cisco IOS Software that is configured for IOS firewall AIC with an HTTP application-specific policy is vulnerable to a denial of service condition when it processes a specific malformed HTTP transit packet. Successful exploitation of the vulnerability may result in a reload of the affected device.
HTTP runs over TCP. For this vulnerability to be exploited, a full three-way handshake between client and server is required before any malicious traffic would be processed to result in a device reload.
Additional information regarding Cisco IOS Firewall AIC with HTTP application-specific policy maps is available at /en/US/products/ps6441/products_feature_guide09186a008060f6dd.html#wp1407906.
This vulnerability is documented in Cisco bug ID CSCsh12480 (registered customers only), and Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-3812 has been assigned to this vulnerability.
There are no known workarounds for this vulnerability. The only known action to help counter this vulnerability is to disable AIC HTTP deep packet inspection in the affected device's configuration. Disabling deep packet HTTP inspection will allow the rest of the firewall features to continue to function until a software upgrade can be implemented. All other firewall features will continue to perform normally.
Disabling AIC HTTP Deep Packet Inspection
To disable AIC HTTP Deep Packet Inspection, remove the linkage between policy-map type inspect layer4-policymap and policy-map type inspect http layer7-policymap. This example shows an existing configuration, followed by how to remove AIC HTTP Deep Packet Inspection:
!--- Existing Configuration
!
parameter-map type inspect global
!
class-map type inspect http match-any layer7-classmap
class-map type inspect match-any layer4-classmap
 match protocol http
!
policy-map type inspect http layer7-policymap
 class type inspect http layer7-classmap
  allow
 class class-default
policy-map type inspect layer4-policymap
 class type inspect layer4-classmap
  inspect global
  service-policy http layer7-policymap
 class class-default
!
zone security inside
 description ** Inside Network **
zone security outside
 description ** Outside Network **
zone-pair security in2out source inside destination outside
 description ** Zone Pair - inside to outside **
 service-policy type inspect layer4-policymap
Remove the service-policy from the zone-pair in question:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#zone-pair security in2out source inside destination outside
Router(config-sec-zone-pair)#no service-policy type inspect layer4-policymap
Router(config-sec-zone-pair)#exit
Remove the linkage between policy-map type inspect layer4-policymap and policy-map type inspect http layer7-policymap:
Router(config)#policy-map type inspect layer4-policymap
Router(config-pmap)#class type inspect layer4-classmap
Router(config-pmap-c)#no service-policy http layer7-policymap
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Reapply the service-policy to the zone-pair in question:
Router(config)#zone-pair security in2out source inside destination outside
Router(config-sec-zone-pair)#service-policy type inspect layer4-policymap
Router(config-sec-zone-pair)#exit
Although not required, for completeness of the configuration it is recommended that policy-map type inspect http layer7-policymap and class-map type inspect http match-any layer7-classmap also be removed:
Router(config)#no policy-map type inspect http layer7-policymap
Router(config)#no class-map type inspect http match-any layer7-classmap
Router(config)#exit
Router#
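An added example (not part of the Cisco advisory): a Python audit that reads a saved running configuration and reports every zone-pair whose inspect policy nests an HTTP Layer 7 policy map, which is the condition the advisory describes as vulnerable, and then confirms that the workaround clears the finding. The function name and the abridged sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample, abridged from the advisory's "Existing Configuration".
SAMPLE_CONFIG = """\
class-map type inspect match-any layer4-classmap
 match protocol http
policy-map type inspect http layer7-policymap
 class type inspect http layer7-classmap
  allow
policy-map type inspect layer4-policymap
 class type inspect layer4-classmap
  inspect global
  service-policy http layer7-policymap
zone-pair security in2out source inside destination outside
 service-policy type inspect layer4-policymap
"""

def find_http_aic_zone_pairs(config):
    """Return sorted (zone_pair, l4_policy, l7_policy) tuples where HTTP DPI is applied."""
    # L7 HTTP policy names; L4 policy -> nested L7 names; zone-pair -> attached L4 policy
    l7_maps, nested, attached = set(), {}, {}
    section = None  # (kind, name) of the top-level block currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # unindented line: a new top-level block starts
            section = None
            if m := re.match(r"policy-map type inspect http (\S+)$", line):
                l7_maps.add(m.group(1))
            elif m := re.match(r"policy-map type inspect (\S+)$", line):
                section = ("l4", m.group(1))
                nested.setdefault(m.group(1), set())
            elif m := re.match(r"zone-pair security (\S+) ", line):
                section = ("zp", m.group(1))
        elif section and section[0] == "l4":
            if m := re.match(r"service-policy http (\S+)$", line):
                nested[section[1]].add(m.group(1))
        elif section and section[0] == "zp":
            if m := re.match(r"service-policy type inspect (\S+)$", line):
                attached[section[1]] = m.group(1)
    return sorted((zp, l4, l7) for zp, l4 in attached.items()
                  for l7 in nested.get(l4, ()) if l7 in l7_maps)

# The workaround removes the nested L7 service-policy; the audit then finds nothing.
WORKAROUND_CONFIG = SAMPLE_CONFIG.replace("  service-policy http layer7-policymap\n", "")

if __name__ == "__main__":
    print(find_http_aic_zone_pairs(SAMPLE_CONFIG))
    print(find_http_aic_zone_pairs(WORKAROUND_CONFIG))
```

A non-empty result only shows that HTTP AIC is applied to a zone-pair; whether the device is affected also depends on the running release, as given in the advisory's software table.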
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table.
Major Release
Availability of Repaired Releases
Affected 12.0-Based Releases
First Fixed Release
Recommended Release
There are no affected 12.0 based releases
Affected 12.1-Based Releases
First Fixed Release
Recommended Release
There are no affected 12.1 based releases
Affected 12.2-Based Releases
First Fixed Release
Recommended Release
There are no affected 12.2 based releases
Affected 12.3-Based Releases
First Fixed Release
Recommended Release
There are no affected 12.3 based releases
Affected 12.4-Based Releases
First Fixed Release
Recommended Release
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Releases prior to 12.4(9)T are not vulnerable. First fixed in:
12.4(9)T7
12.4(11)T4
12.4(15)T
12.4(15)T7
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Vulnerable; first fixed in 12.4T
12.4(15)T7
Not Vulnerable
Not Vulnerable
Vulnerable; first fixed in 12.4T
12.4(15)T7
Vulnerable; first fixed in 12.4T
12.4(15)T7
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Vulnerable; contact TAC
12.4(11)XW1
12.4(11)XW9
Not Vulnerable
Not Vulnerable
12.4YA
Not Vulnerable
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
This vulnerability was found by Cisco internal testing.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision 1.1, 2009-April-16: Removed references to the combined software table, as it is now outdated
Revision 1.0, 2008-September-24: Initial public release
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.