A defect in multiple Cisco IOS software versions will cause a Cisco router to reload unexpectedly when the router is tested for security vulnerabilities by security scanning software programs. The defect can be exploited repeatedly to produce a consistent denial of service (DoS) attack.
Customers using the affected Cisco IOS software releases are urged to upgrade as soon as possible to later versions that are not vulnerable to this defect. Vulnerable products and releases are listed in detail below.
The security scanner is testing for the presence of two specific vulnerabilities that affect certain UNIX-based systems. The vulnerabilities are unrelated to Cisco IOS software and Cisco IOS software is not directly at risk from them. However, a side-effect of the tests exposes the defect described in this security advisory, and the router will reload unexpectedly as soon as it receives any subsequent traffic.
This defect is documented as Cisco Bug ID CSCdm70743.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20000420-ios-telnet.
-
This section provides details on affected products.
Vulnerable Products
The following Major Releases of Cisco IOS software are vulnerable to this defect:
- 11.3AA
- 12.0 releases: 12.0(2) up to and including 12.0(6)
- 12.0(7), except that 12.0(7)S, 12.0(7)T, and 12.0(7)XE are not vulnerable
This vulnerability affects the following Cisco hardware products if they are running affected software:
- AS5200, AS5300, and AS5800 series access servers
- 7200 and 7500 series routers
- ubr7200 series cable routers
- 7100 series routers
- 3660 series routers
- SC3640 System Controllers (see the explanation below)
- AS5800 series Voice Gateway products
- AccessPath LS-3, TS-3, and VS-3 Access Solutions products
The SC3640 System Controller is a Cisco 3640 router customized to provide local management of multiple access servers. The Cisco SC3640 binary image contains the defect and thus is vulnerable if it is possible for the attacker to telnet to the device. However, the original Cisco 3640 router does not contain the defect and is not vulnerable to the denial of service attack described in this notice.
Products Confirmed Not Vulnerable
Cisco customers running Cisco IOS software versions 11.3, 11.3T, 11.2 or lower, and 12.0(8) or 12.1 or higher are not affected. Details regarding specific releases of Cisco IOS software and suggested upgrade paths are provided below in the section "Software Versions and Fixes".
No other Cisco products are currently known to be affected by these vulnerabilities.
-
Software packages are available from various commercial and free sites that perform automated remote tests for computer security vulnerabilities by scanning computers on a network for known security flaws. Two security vulnerabilities associated with several UNIX-based platforms are the subject of two specific tests that have the same effect on vulnerable Cisco routers. The scanning program is asserting the Telnet ENVIRON option, #36, before the router indicates that it is willing to accept it, and this causes the router to reload unexpectedly.
-
The vulnerability described in this notice can only be exploited if the Telnet service is configured on the affected system and reachable from the attacker's computer. The following recommendations provide an interactive login capability without using the Telnet service, thus mitigating the threat in lieu of a software upgrade while preserving remote access to the router for administrative purposes:
- Prevent access using the Telnet service by defining an appropriate access control list and applying it to the vty line or the router's interfaces using the "access-group" keyword. Security can be increased further by restricting both the virtual terminal lines and the router's physical interfaces with two access-groups, one to control who can connect to the vtys, and the other on the interfaces to control from where those connections can be attempted.
- Disable Telnet and use SSH (if it is available to you) to connect to the router for administrative purposes. After "line vty 0 4" in the router's configuration, add "transport input ssh". This stipulates that only the SSH protocol may be used for interactive logins to the router. As of the date of this notice, SSH is only available on certain products: 7200, 7500, and 12000 series running Cisco IOS software releases such as 12.0S, 12.1S, and 12.1T.
- Disable interactive network logins to the router completely by removing the "line" command such that virtual consoles are never enabled. Use an out-of-band method to log in to and administer the router, such as a hard-wired console. Consider connecting the console to a terminal server which itself is only reachable via a separate parallel network that in turn is restricted by site policy exclusively for administrative purposes.
The wide variety of customer configurations makes it impossible to judge the effectiveness and relative merits of these workarounds in lieu of a software upgrade. Customers are cautioned to evaluate these recommendations carefully with regard to their specific network configurations.
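The first two workarounds above, written out as an IOS configuration fragment. This is an added example, not configuration from the advisory: the management subnet 192.0.2.0/24, the access-list numbers 10 and 101, the interface name Ethernet0/0, the hostname and domain name are all assumed values, and the SSH key-generation step is a prerequisite the advisory does not spell out.

```cisco
! Added example (not from the advisory). Assumed values: management subnet
! 192.0.2.0/24, access-lists 10 and 101, interface Ethernet0/0.
!
! Workaround 1, part A: control WHO may connect to the virtual terminal lines.
! A standard access-list applied to the vtys with "access-class".
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any
!
line vty 0 4
 access-class 10 in
!
! Workaround 1, part B: control FROM WHERE Telnet (TCP/23) connections may be
! attempted, applied inbound on the interface with "ip access-group".
! Note: "deny tcp any any eq telnet" also blocks Telnet transiting the router
! through this interface; narrow the destination to the router's own
! addresses if transit Telnet must keep working.
access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq telnet
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any
!
interface Ethernet0/0
 ip access-group 101 in
!
! Workaround 2 (only on platforms and releases with SSH support): accept
! nothing but SSH on the vtys, so no Telnet option negotiation ever occurs.
! The hostname, domain name and RSA key are SSH prerequisites assumed here;
! "crypto key generate rsa" is entered once in global configuration mode and
! prompts for the modulus size.
hostname edge-router
ip domain-name example.net
crypto key generate rsa
!
line vty 0 4
 transport input ssh
```

Apply part A or part B alone if only one is practical; the advisory's point is that both together restrict the vtys and the interfaces independently, so a mistake in one list does not by itself expose the Telnet service.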
-
For the affected Cisco IOS software Major Release version shown in the first column of the table below, customers should upgrade to the known invulnerable releases listed to the right in the same row. In general, customers should upgrade to the release in the column furthest to the right within the same row. For example, any customer running 12.0 "mainline" (Major Release) should upgrade at least to 12.0(7.1), but preferably to 12.0(8).
Any release not specifically listed in the left-most column below is unaffected by the vulnerability.
The projected release date is shown with the software release version number for those releases that are not yet complete or available on CCO.*
An "interim release" is scheduled and contains numerous fixes and occasional enhancements that carry forward into all later versions.** A "maintenance release" is a regularly scheduled event that incorporates significant enhancements and cumulative fixes; it may be the entry point for support of noteworthy new technology in Cisco IOS software.
Major Release | Description | Projected Fixed Regular or Interim** Releases | Projected Fixed Regular Maintenance Releases
Unaffected Earlier Releases
11.2 and earlier, all variants | Multiple releases | Unaffected | Unaffected
11.3-based Releases
11.3AA | AS5800 support and other dial platforms | - | 11.3(11a)AA
12.0-based Releases
12.0 | 12.0 mainline | 12.0(7.1) | 12.0(8)
12.0S | ISP support: 7200, RSP, GSR12000 | 12.0(6.6)S, 12.0(7.1)S | 12.0(7)S, 12.0(8)S
12.0SC | Cable ISP support: ubr7200 | 12.0(6.6)SC1, 12.0(7.1)SC | 12.0(8)SC*** or 12.0(9)SC
12.0T | 12.0 new technology early deployment release | 12.0(6.5)T3, 12.0(6.5)T4 | 12.0(7)T
12.0W | 12.0 for Catalyst 8500 and LS1010 | 12.0(6.5)W5(16.0.9) | 12.0(6.5)W5(17), 2000/04/18*
12.0XE | Short-life release for selected enterprise features, 7200 & 7500 | Unavailable | 12.0(7)XE1
12.0XJ | Short-life release for Dial/Voice, 5200, 5300, 5800, 2600, & 3600 | Unavailable | 12.0(4)XJ4
12.1-based Releases
12.1 and later, all variants | Multiple releases | Unaffected | Unaffected
* All dates are tentative and subject to change
** Interim releases are subjected to less internal testing and verification than are regular releases, may have serious bugs, and should be installed with great care.
*** 12.0(8)SC is not vulnerable to this defect, but due to other issues it is no longer available on CCO as of the date of this notice. Upgrade instead to 12.0(9)SC.
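The release list under "Vulnerable Products" and the fix table above together determine whether a given image carries CSCdm70743, and checking an inventory of routers by hand against both is error-prone. The script below is an added example, not a Cisco tool: it parses IOS version strings of the forms used in this advisory, encodes the per-train "first fixed" releases from the table, and falls back to the release list for trains the table does not name. The version strings and hostnames in it are constructed inputs; the 12.0W naming style is deliberately reported as unknown rather than guessed at.

```python
"""Classify Cisco IOS version strings against the releases this advisory
lists as affected and fixed (defect CSCdm70743).

Added example, not a Cisco tool. Thresholds are transcribed from the
"Vulnerable Products" list and the fix table; inputs below are constructed.
"""
import re

# Accepts forms such as 12.0(7)T, 12.0(6.6)S, 11.3(11a)AA, 12.0(7)XE1 and
# 12.0(4)XJ4. The 12.0W style "12.0(6.5)W5(16.0.9)" is deliberately not
# parsed and is reported as unknown.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<maint>\d+)(?:\.(?P<interim>\d+))?(?P<letter>[a-z]?)\)"
    r"(?P<train>[A-Z]*)(?P<rebuild>\d*)$"
)

# Earliest fixed release per train as (maintenance, interim, letter, rebuild).
# Anything at or above it is treated as fixed, because the advisory states
# that interim fixes carry forward into all later releases of the train.
_FIRST_FIXED = {
    ("11.3", "AA"): (11, 0, "a", 0),  # 11.3(11a)AA
    ("12.0", ""):   (7, 1, "", 0),    # 12.0(7.1), then 12.0(8)
    ("12.0", "S"):  (6, 6, "", 0),    # 12.0(6.6)S, 12.0(7)S, 12.0(8)S
    ("12.0", "SC"): (6, 6, "", 1),    # 12.0(6.6)SC1, 12.0(7.1)SC, 12.0(9)SC
    ("12.0", "T"):  (6, 5, "", 3),    # 12.0(6.5)T3, 12.0(7)T
    ("12.0", "XE"): (7, 0, "", 1),    # 12.0(7)XE1 from the fix table; the
                                      # release list already calls 12.0(7)XE
                                      # unaffected, the table value is the
                                      # conservative choice
    ("12.0", "XJ"): (4, 0, "", 4),    # 12.0(4)XJ4
}


def parse_ios_version(version):
    """Split an IOS version string into base release, train and an orderable key."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version string: {version!r}")
    g = m.groupdict()
    key = (int(g["maint"]), int(g["interim"] or 0), g["letter"],
           int(g["rebuild"] or 0))
    return f"{g['major']}.{g['minor']}", g["train"], key


def classify(version):
    """Return 'vulnerable', 'not vulnerable' or 'unknown' for one version."""
    try:
        base, train, key = parse_ios_version(version)
    except ValueError:
        return "unknown"
    major, minor = (int(x) for x in base.split("."))
    if (major, minor) < (11, 3) or (major, minor) >= (12, 1):
        return "not vulnerable"            # 11.2 and earlier; 12.1 and later
    if base == "11.3":
        if train != "AA":                  # only the 11.3AA train has the defect
            return "not vulnerable"
        return "vulnerable" if key < _FIRST_FIXED[("11.3", "AA")] else "not vulnerable"
    if base == "12.0":
        if key[0] < 2:                     # defect present from 12.0(2) onward
            return "not vulnerable"
        fixed = _FIRST_FIXED.get(("12.0", train))
        if fixed is not None:
            return "vulnerable" if key < fixed else "not vulnerable"
        # Train absent from the fix table: fall back to the release list,
        # which names 12.0(2) through 12.0(7) as affected and 12.0(8) as fixed.
        return "vulnerable" if key[0] <= 7 else "not vulnerable"
    return "unknown"                       # an 11.x base the advisory does not cover


def triage(inventory):
    """Map {hostname: version} to {hostname: classification}."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    sample = {"core1": "12.0(5)", "as5300-a": "11.3(9)AA", "edge2": "12.0(7)T",
              "cab1": "12.0(6.5)W5(16.0.9)", "dist1": "12.1(1)"}
    for host, verdict in triage(sample).items():
        print(f"{host:10s} {sample[host]:22s} {verdict}")
```

Any host reported as "unknown" still needs a manual look at the fix table; the script is meant to shrink the list of devices that need that attention, not to replace the table.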
-
As of the date of this notice, Cisco knows of no publicity, discussion, or reports of malicious exploitation of this specific vulnerability applied directly against a Cisco product.
The denial of service (DoS) aspect of this vulnerability was reported to Cisco by several different customers who found it while conducting security scans of their networks. The defect that causes this vulnerability, documented in CSCdm70743, was discovered internally by a Cisco development engineer.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.