Summary

• Cisco IOS software configured for IOS firewall Application Inspection Control (AIC) with a HTTP configured application-specific policy are vulnerable to a Denial of Service when processing a specific malformed HTTP transit packet. Successful exploitation of the vulnerability may result in a reload of the affected device.

  Cisco has released software updates that address this vulnerability.

  A mitigation for this vulnerability is available. See the "Workarounds" section for details.

  This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-iosfw.

  Note: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory.

  Individual publication links are listed below:

  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-iosips
    
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-ssl
    
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-sip
    
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-cucm
    
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-vpn
    
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-ipc
    
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-mfi
    
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-ubr
    
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-sccp
    
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-multicast
    
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-iosfw
    
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-l2tp
    

Affected Products

• The HTTP AIC feature was introduced in Cisco IOS Software Release 12.4(9)T. The software table in this advisory identifies the affected releases.

  Vulnerable Products

  Devices that are running a vulnerable version of Cisco IOS software and configured for Cisco IOS firewall AIC for HTTP are affected.

  To determine the software running on a Cisco IOS product, log in to the device and issue the show version command-line interface (CLI) command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco devices will not have the show version command, or will give different output.

  The following example shows output from a device running Cisco IOS image 12.4(15)T2:

  router#show version
  Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), 
     Version 12.4(15)T2, RELEASE SOFTWARE (fc7) Technical Support:                         
  http://www.cisco.com/techsupport Copyright (c) 1986-2008 by Cisco             
  Systems, Inc. Compiled Thu 17-Jan-08 23:12 by prod_rel_team
  
  !--- Output truncated.
  
  

  Additional information on the Cisco IOS release naming conventions can be found on the document entitled "White Paper: Cisco IOS Reference Guide", which is available at http://www.cisco.com/web/about/security/intelligence/ios-ref.html.

  The device is vulnerable if the configuration has a Layer 7 class map and Layer 7 policy map for HTTP deep packet inspection (DPI), and these policies are applied to any firewall zone. To determine whether the device is running a vulnerable configuration of Cisco IOS firewall AIC for HTTP, log in to the device and issue the CLI command show policy-map type inspect zone-pair | section packet inspection. If the output contains Policy: http layer7-policymap name , the device is vulnerable. The following example shows the response from a vulnerable device:

  Router#show policy-map type inspect zone-pair | section packet inspection
  
           Deep packet inspection
              Policy: http layer7-policymap
              1 packets, 28 bytes
  
  Router#

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by this vulnerability. IOS releases before 12.4(9)T are not affected by this issue. Products confirmed not vulnerable include:

  • Cisco PIX
    
  • Cisco ASA
    
  • Cisco Firewall Services Module (FWSM)
    
  • The Virtual Firewall (VFW) application on the multiservice blade (MSB) on the Cisco XR 12000 Series Router
    

Details

• Firewalls are networking devices that control access to an organization's network assets. Firewalls are often positioned at the entrance points into networks. Cisco IOS software provides a set of security features that enable you to configure a simple or elaborate firewall policy, according to your particular requirements.

  HTTP uses port 80 by default to transport Internet web services, which are commonly used on the network and rarely challenged with regard to their legitimacy and conformance to standards. Because port 80 traffic is typically allowed through the network without being challenged, many application developers are leveraging HTTP traffic as an alternative transport protocol that will allow their application's traffic to travel through or even bypass the firewall. When the Cisco IOS Firewall is configured with HTTP AIC, it performs packet inspection to detect HTTP connections that are not authorized in the scope of the security policy configuration. It also detects users who are tunneling applications through port 80. If the packet is not in compliance with the HTTP protocol, it will be dropped, the connection will be reset, and a syslog message will be generated, as appropriate.

  Cisco IOS Software that is configured for IOS firewall AIC with an HTTP application-specific policy is vulnerable to a denial of service condition when it processes a specific malformed HTTP transit packet. Successful exploitation of the vulnerability may result in a reload of the affected device.

  HTTP runs over TCP. For this vulnerability to be exploited, a full three-way handshake between client and server is required before any malicious traffic would be processed to result in a device reload.

  Additional information regarding Cisco IOS Firewall AIC with HTTP application-specific policy maps is available at /en/US/products/ps6441/products_feature_guide09186a008060f6dd.html#wp1407906.

  This vulnerability is documented in Cisco bug ID CSCsh12480 ( registered customers only) and Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-3812 has been assigned to this vulnerability.

Workarounds

• There are no known workarounds for this vulnerability. The only known action to help counter this vulnerability is to disable AIC HTTP deep packet inspection in the affected device's configuration. Disabling deep packet HTTP inspection will allow the rest of the firewall features to continue to function until a software upgrade can be implemented. All other firewall features will continue to perform normally.

  Disabling AIC HTTP Deep Packet Inspection

  To disable AIC HTTP Deep Packet Inspection, remove the linkage between policy-map type inspect layer4-policymap and policy-map type inspect http layer7-policymap. This example shows an existing configuration, followed by how to remove AIC HTTP Deep Packet Inspection:

  
  !--- Existing Configuration
  !
  
  parameter-map type inspect global
  
  !
  
  class-map type inspect http match-any layer7-classmap
  class-map type inspect match-any layer4-classmap
   match protocol http
  
  !
  
  policy-map type inspect http layer7-policymap
   class type inspect http layer7-classmap
    allow
   class class-default
  policy-map type inspect layer4-policymap
   class type inspect layer4-classmap
    inspect global
    service-policy http layer7-policymap
   class class-default
  
  !
  
  zone security inside
   description ** Inside Network **
  zone security outside
   description ** Outside Network **
  zone-pair security in2out source inside destination outside
   description ** Zone Pair - inside to outside **
   service-policy type inspect layer4-policymap
  

  Remove the service-policy from the zone-pair in question:

  Router#configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  Router(config)#zone-pair security in2out source inside destination outside
  Router(config-sec-zone-pair)#no service-policy type inspect layer4-policymap
  Router(config-sec-zone-pair)#exit
  

  Remove the linkage between policy-map type inspect layer4-policymap and policy-map type inspect http layer7-policymap:

  Router(config)#policy-map type inspect layer4-policymap
  Router(config-pmap)#class type inspect layer4-classmap
  Router(config-pmap-c)#no service-policy http layer7-policymap
  Router(config-pmap-c)#exit
  Router(config-pmap)#exit
  

  Reapply the service-policy to the zone-pair in question:

  Router(config)#zone-pair security in2out source inside destination outside
  Router(config-sec-zone-pair)#service-policy type inspect layer4-policymap
  Router(config-sec-zone-pair)#exit
  

  Although not required, for completeness of the configuration the policy-map type inspect http layer7-policymap and class-map type inspect http match-any layer7-classmap are recommended to be removed.

  Router(config)#no policy-map type inspect http layer7-policymap
  Router(config)#no class-map type inspect http match-any layer7-classmap
  Router(config)#exit
  Router#

Fixed Software

• When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

  Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table.

  Major Release	Availability of Repaired Releases
  Affected 12.0-Based Releases	First Fixed Release	Recommended Release
  There are no affected 12.0 based releases
  Affected 12.1-Based Releases	First Fixed Release	Recommended Release
  There are no affected 12.1 based releases
  Affected 12.2-Based Releases	First Fixed Release	Recommended Release
  There are no affected 12.2 based releases
  Affected 12.3-Based Releases	First Fixed Release	Recommended Release
  There are no affected 12.3 based releases
  Affected 12.4-Based Releases	First Fixed Release	Recommended Release
  12.4	Not Vulnerable
  12.4JA	Not Vulnerable
  12.4JK	Not Vulnerable
  12.4JL	Not Vulnerable
  12.4JMA	Not Vulnerable
  12.4JMB	Not Vulnerable
  12.4JMC	Not Vulnerable
  12.4JX	Not Vulnerable
  12.4MD	Not Vulnerable
  12.4MR	Not Vulnerable
  12.4SW	Not Vulnerable
  12.4T	Releases prior to 12.4(9)T are not vulnerable. First fixed in: 12.4(9)T7 12.4(11)T4 12.4(15)T	12.4(15)T7
  12.4XA	Not Vulnerable
  12.4XB	Not Vulnerable
  12.4XC	Not Vulnerable
  12.4XD	Not Vulnerable
  12.4XE	Vulnerable; first fixed in 12.4T	12.4(15)T7
  12.4XF	Not Vulnerable
  12.4XG	Not Vulnerable
  12.4XJ	Vulnerable; first fixed in 12.4T	12.4(15)T7
  12.4XK	Vulnerable; first fixed in 12.4T	12.4(15)T7
  12.4XL	Not Vulnerable
  12.4XM	Not Vulnerable
  12.4XN	Not Vulnerable
  12.4XP	Not Vulnerable
  12.4XQ	Not Vulnerable
  12.4XT	Not Vulnerable
  12.4XV	Vulnerable; contact TAC
  12.4XW	12.4(11)XW1	12.4(11)XW9
  12.4XY	Not Vulnerable
  12.4XZ	Not Vulnerable
  12.4YA	Not Vulnerable

Exploitation and Public Announcements

• The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

  This vulnerability was found by Cisco internal testing.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-iosfw

Revision History

• Revision 1.1	2009-April-16	Removed references to the combined software table, as it is now outdated
  Revision 1.0	2008-September-24	Initial public release

  Show Less