-
Cisco's Cisco Cache Engine product provides transparent caching for world-wide web pages retrieved via HTTP. The Cache Engine uses a Cisco proprietary protocol called the Web Cache Control Protocol (WCCP) to communicate with a properly-configured Cisco router and register as a cache service provider. The router then diverts HTTP traffic to the Cache Engine.
Although this process is not enabled by default, and takes place only if a user specifically configures the router to enable WCCP, WCCP itself carries no authentication. A router configured to support Cache Engines will treat any host that sends it well-formed WCCP hello packets as a cache engine, and may divert HTTP traffic to that host. This means that a malicious user who can send WCCP packets to such a router can have web traffic passing through it diverted to a host of the attacker's choosing, where it can be read, altered or dropped, even though the attacker has neither physical nor configuration access to the router.
This attack can be avoided by using access lists to prevent WCCP traffic from untrusted hosts from reaching the router. Cisco will be modifying WCCP to include hash-based authentication in a future release.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19980513-wccp-auth.
-
This section provides details on affected products.
Vulnerable Products
All users of the Cisco Cache Engine and WCCP who have not configured filtering access lists to prevent WCCP access by unauthorized hosts are affected by this attack.
Products Confirmed Not Vulnerable
Users who have not specifically configured their routers to enable WCCP are not affected by this attack. If the character string "wccp" does not appear in your router configuration file, you are not affected.
No other Cisco products are currently known to be affected by this vulnerability.
-
This vulnerability has been assigned Cisco bug ID CSCdk07174. If you are a registered CCO user and you have logged in, you can view bug details.
-
WCCP runs over UDP on port 2048. By blocking unauthorized UDP traffic destined to port 2048 on the router running WCCP, attackers can be prevented from sending WCCP traffic to the router, and therefore from diverting any actual traffic. For proper security, it is important to block all traffic destined for port 2048 at every address assigned to the router, at all broadcast addresses of networks to which the router is attached, and at all multicast addresses to which the router may be listening; the only WCCP traffic that should reach the router is that from the legitimate Cache Engine addresses, which must be permitted explicitly. Because WCCP is carried over UDP, the source address of a packet can be forged, so the filter should be combined with anti-spoofing filters that reject packets claiming a Cache Engine's address on interfaces where that address cannot legitimately originate. The blocking can be configured either using inbound access lists on the WCCP router itself, or using access lists or other filtering on surrounding devices.
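The following Cisco IOS configuration is an added illustration of the workaround above; it is not taken from the advisory, and the addresses are assumed for the example: the router has 192.0.2.1/24 on Ethernet0 (directed broadcast 192.0.2.255) and the trusted Cache Engine is 192.0.2.10. It uses a numbered extended access list, which is available on the IOS releases named in this notice.

```cisco
! Added example, not part of the Cisco advisory. Assumed addresses:
! router interface 192.0.2.1/24 on Ethernet0, trusted Cache Engine 192.0.2.10.
!
! 1. Admit WCCP (UDP/2048) only from the known Cache Engine, and only to
!    this interface's own address.
access-list 101 permit udp host 192.0.2.10 host 192.0.2.1 eq 2048
!
! 2. Drop and log WCCP aimed at the router's own address, at the subnet's
!    directed broadcast, at the limited broadcast, and at any multicast
!    group (224.0.0.0/4, expressed with the wildcard mask 15.255.255.255).
access-list 101 deny   udp any host 192.0.2.1       eq 2048 log
access-list 101 deny   udp any host 192.0.2.255     eq 2048 log
access-list 101 deny   udp any host 255.255.255.255 eq 2048 log
access-list 101 deny   udp any 224.0.0.0 15.255.255.255 eq 2048 log
!
! 3. Anti-spoofing: nothing arriving on the untrusted side may claim the
!    Cache Engine's address. Apply this line to interfaces where 192.0.2.10
!    cannot legitimately originate (shown here in a second list).
access-list 102 deny   ip host 192.0.2.10 any log
access-list 102 deny   udp any any eq 2048 log
access-list 102 permit ip any any
!
! 4. Everything else on the Cache Engine segment passes unchanged;
!    replace this with the existing policy for the interface.
access-list 101 permit ip any any
!
interface Ethernet0
 description segment holding the Cache Engine
 ip access-group 101 in
!
interface Serial0
 description untrusted (upstream) side
 ip access-group 102 in
```

Repeat step 2 for every address assigned to the router and every broadcast address of an attached network, and apply an inbound list on every interface, since a router address is reachable through any interface. After applying the lists, `show access-lists 101` and `show access-lists 102` display per-entry match counters; a non-zero count on one of the `deny ... eq 2048` entries, together with the logged source address, identifies a host that attempted to register as a cache engine.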
-
This vulnerability affects all versions of Cisco IOS software that support WCCP that have been released as of the date of this notice. This includes Cisco IOS 11.2(P) releases beginning with 11.2(10)P, 11.1CA releases beginning with 11.1(14)CA, and 11.1 releases derived from 11.1(14)CA, including 11.1CC.
Cisco plans to release software that supports authentication for WCCP. This will involve a modification to the WCCP protocol. In order to take advantage of the authentication features, customers will need to upgrade the software in both routers and Cache Engines, and will need to make some minor configuration changes on both devices. Release of the improved software is tentatively scheduled for September, 1998, but this schedule is subject to change. Cisco believes that the workaround described above will adequately protect Cache Engine users until the new software is ready.
Cisco is considering making an interim fix involving an explicit command to apply an access list to all incoming WCCP traffic. This would be largely equivalent to the workaround discussed above, but might be easier for some users to configure. No decision has been made on when or whether to offer this interim fix. If an interim fix is created, this notice will be updated to reflect that fact.
-
Cisco has had no reports of malicious exploitation of this vulnerability.
Cisco knows of no public announcements of this vulnerability before the date of this notice. However, the vulnerability has been independently identified by several people both inside and outside of Cisco, and should be considered to be public knowledge.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.