Securing Tool Command Language on Cisco IOS

Summary

Cisco IOS software provides powerful Tool Command Language (Tcl) scripting capabilities. By making Tcl available on the Cisco IOS device itself, it is possible to automate tasks as well as build elaborate, network enabled services. However, the feature rich nature of Tcl does present some security concerns that should be addressed.

This document provides an overview of Tcl on Cisco IOS and lists best practices that should be incorporated into any environment that leverages Tcl. If implemented, these best practices will help mitigate the risk associated with Tcl.

Overview of Tcl Scripting on Cisco IOS

Officially added to Cisco IOS software releases 12.3(2)T and 12.2(25)S, Tool Command Language (Tcl) support provides scripting functionality for IOS devices. Earlier releases of Cisco IOS may contain Tcl capabilities in support of technologies such as Embedded Syslog Manager (ESM), Embedded Event Manager (EEM) and Interactive Voice Response (IVR); however, Tcl scripting through the Tcl shell is unsupported in all Cisco IOS releases prior to 12.3(2)T and 12.2(25)S. This document focuses on Tcl scripting through the Tcl shell.

The Tcl shell has been included in every Cisco IOS Software image since official support was added and includes all 12.3T releases from 12.3(2)T on, 12.2S images from 12.2(25)S on, and all 12.4 images and their derivatives. By default, the tclsh command is only available to users at privilege level 15, the highest privilege level present in IOS.

The simplest method to verify whether or not a particular image includes Tcl support is to attempt to enter the Tcl interactive shell using the tclsh command. If the command is present, the user will be presented with the Router(tcl)# prompt indicating that the IOS release contains Tcl scripting support. The tclquit or exit commands will exit back to the EXEC mode once inside the Tcl shell. If the command is not present, the user will be presented with the following error message:

Router#tclsh
Translating "tclsh"
Translating "tclsh" Unknown command or computer name,or unable to find computer address Router#

Using tclsh, it is possible to manually enter both Tcl and IOS commands.

Router#tclsh
Router(tcl)#puts "’puts’ is an example Tcl Command"
‘puts’ is an example Tcl Command Router(tcl)#show running-config | include hostname
hostname Router Router(tcl)#

Commands entered are first evaluated as Tcl commands and if no matching Tcl command is found, the command is passed to the Cisco IOS CLI Parser. As a result of this serial processing, commands that are invalid Tcl and IOS commands will produce two error messages. Additionally, it is not possible to execute IOS commands that exist in both Tcl and IOS, such as the IOS configuration command set.

Router(tcl)#invalid-command
invalid command name "invalid-command"          ^
% Invalid input detected at '^'  marker.

Router(tcl)#

It is possible to load previously saved Tcl scripts in one of two ways: by using the IOS command tclsh saved-script or by using the source filename Tcl command within the Tcl shell. In either case, it is possible for tclsh to access any local or remote file system that is supported by the Cisco IOS release currently in use.

Router#tclsh flash:tcl-script.tcl

Router#tclsh ftp://management-station/tcl-script.tcl

Router#tclsh
Router(tcl)#source tftp://tftp-server/tcl-script.tcl 

Tcl scripting on Cisco IOS supports the loading of compiled Tcl scripts. Scripts can be compiled using the Tclpro compiler. Tclpro is available at http://tclpro.sourceforge.net. While compiling Tcl scripts does provide a level of obfuscation, it does nothing to verify the authenticity of scripts or prevent script modification.

To determine if any Tcl scripts are currently being executed on an IOS device, use the show processes cpu command. It is possible to filter the output from this command using the following include command:

Router#show processes cpu | include Tcl
   53          268       5      53600   5.48%  0.44%  0.09%    2 Tcl Serv - tty2
Router#

As illustrated in the preceding command, there is one Tcl process in use and that Tcl process has been started by the user on tty2. The show users command can be used to attempt to determine which user is using tty2. In the following example, tty2 is in use by user TclUser who has logged on from host 192.168.1.100. The username will only be present in the show users output if AAA authentication has been enabled on the IOS device.

Router#show users
    Line      User       Host(s)              Idle       Location *  0 con 0     Admin      idle                 00:00:00   2 vty 0     TclUser    idle                 00:00:00 192.168.1.100
Router#

More information regarding Tcl support on Cisco IOS is available at Cisco IOS Scripting with Tcl.

Signed Tcl Support

Cisco IOS Software 12.4(15)T includes support for the cryptographic signing of Tcl scripts. Cryptographic signing makes it possible to ensure that an IOS device will only execute Tcl scripts that have been signed with a certificate for which the device has been explicitly configured. This feature may also be used to prevent the execution of scripts in situations where the signature verification fails due to modification of the script post-signing or the complete lack of a signature.

The signing of Tcl scripts only applies to scripts that are sourced using the source Tcl command or that are executed directly using the tclsh filename IOS command. It is still possible for a user to manually enter Tcl commands into the Tcl shell without any signature verification.

Once Signed Tcl support has been enabled using the instructions at Signed Tcl Scripts, administrators are advised to keep the execution of nonsigned scripts disabled. This behavior is configured using the global configuration command scripting tcl trustpoint untrusted {execute | safe-execute | terminate}, which defaults to terminate.

If it is imperative that scripts without a valid signature be executed by an IOS device, administrators are advised to use the global configuration command scripting tcl trustpoint untrusted safe-execute. Using this command will restrict the operations afforded to the untrusted script to those allowed by the Safe-Tcl mechanism.

Note: While Safe-Tcl does limit the ability of a Tcl script to interact with local file systems and completely removes the ability to execute Cisco IOS CLI commands, Safe-Tcl does not prohibit a Tcl script from interacting with the network using sockets.

Should a script signature fail verification with the default untrusted script action of terminate, IOS will not execute the script and will log a message similar to the following:

*Nov 29 20:35:50.907: %SYS-6-SCRIPTING_TCL_INVALID_OR_MISSING_SIGNATURE: tcl signing validation failed on script signed with trustpoint name TRUSTPOINT, cannot run the signed TCL script.

Given the powerful functionality available with Tcl on IOS, the use of this feature is critical to the security of an IOS device if Tcl is actively used in an environment. This functionality is only possible in Cisco IOS software images that support cryptographic features.

More information regarding Safe-Tcl is available at Cisco IOS use of Safe-Tcl.

Cisco IOS Tcl Security Recommendations

The following recommendations, if implemented, can help secure networks leveraging Tcl support in Cisco IOS.

Use Tcl script signing: Use signed Tcl support to verify the authenticity of Tcl scripts that are being executed in the network. The comprehensive use of this feature, specifically the ability to prevent the execution of unsigned scripts, will ensure that only legitimate Tcl scripts are utilized.

Disallow the Tcl shell if not needed: If use of the Tcl shell is not allowed on Cisco IOS devices in the network, use AAA command authorization or CLI Views to prohibit execution of the tclsh command for all users. The tclsh command is restricted to privilege level 15 (enable mode) by default; however, prohibiting the use of this command to all users via AAA TACACS+ command authorization or CLI Views will help ensure that no user is able to trivially execute Tcl scripts.

Do not execute remote unsigned Tcl scripts: To help ensure that modified Tcl scripts are not executed without an administrator’s knowledge, the sourcing of unsigned Tcl scripts from a remote location is not recommended. Use Signed Tcl scripts or locally stored files to help prevent undetected modification of Tcl scripts.

Do not allow access to tclsh for privilege levels less than 15: The Tcl shell on a Cisco IOS device has tremendous functionality, with the ability to open, read, and write files as well as communicate with remote devices using IP sockets. Although it is possible to allow the use of the tclsh command for users at privilege levels less than 15, no functionality exists to limit what actions those users could perform inside of tclsh. For this reason, administrators are advised to limit access to this command to only trusted users.

Conclusion

The purpose of this document is to provide network administrators with techniques that can help mitigate the risk associated with Tcl scripting on Cisco IOS. The use of these techniques throughout an environment using Tcl will help ensure that modified scripts are not run inadvertently and that access to the Tcl shell is strictly limited to those users who require access.

References

Cisco IOS Scripting with Tcl

Signed Tcl Scripts

Safe-Tcl in Cisco IOS

Authentication, Authorization and Accounting on Cisco IOS

Role-Based CLI Access

Cisco Security Response: AAA Command Authorization by-pass


This document is part of the Cisco Security Center.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top

Cisco Security Center