Verbose CVSS score: AV:R/AC:L/Au:NR/C:N/I:N/A:P/B:N/E:U/RL:O/RC:C
-
Cisco Intrusion Prevention System (IPS) software contains a denial of service vulnerability in the web administration interface involving malformed Secure Socket Layer (SSL) packets, and a fragmented packet evasion vulnerability.
There is a workaround for the web administration interface SSL denial of service vulnerability. There is no workaround for the fragmented packet IPS evasion vulnerability.
Cisco has made free software available to address these vulnerabilities for affected customers.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20060920-ips.
-
This section provides details on affected products.
Vulnerable Products
The following Cisco IPS/IDS versions are vulnerable to the web administration interface SSL denial of service issue:
- Cisco IDS 4.1(x) software prior to 4.1(5c)
- Cisco IPS 5.0(x) software prior to 5.0(6p1)
- Cisco IPS 5.1(x) software prior to 5.1(2)
The following Cisco IPS versions are vulnerable to the fragmented packet IPS evasion issue:
- Cisco IPS 5.0(x) software prior to 5.0(6p2)
- Cisco IPS 5.1(x) software prior to 5.1(2)
All platforms running vulnerable versions of Cisco IPS/IDS software are affected. This includes 4200 series appliances, IDSM2, NM-CIDS router modules, and ASA IPS modules (also referred to as Advanced Inspection and Prevention (AIP) Security Services Module [SSM]).
To determine the version of software running on an IPS/IDS device, log in to the IPS/IDS device via SSH or the console and issue the command show version.
sensor#show version
Application Partition:
Cisco Intrusion Prevention System, Version 5.1(2)S242.0
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
Cisco IOS® software images including the IPS feature set are not vulnerable to the IPS evasion vulnerability if Virtual Fragment Reassembly (VFR) is enabled. If VFR is not enabled, fragmented IP traffic is not inspected by the IPS component, which may allow malicious traffic to evade detection. Please consult the IOS IPS documentation for more information.
-
Cisco Intrusion Prevention and Detection Systems are a family of network security devices that provide network-based threat prevention services.
The web administration interface of Cisco IPS/IDS devices contains a denial of service vulnerability. It is possible to send a malformed SSLv2 Client Hello packet to the IPS/IDS web administration interface, which may cause the process (mainApp) responsible for managing remote access to fail. This results in an IPS/IDS device becoming unresponsive to all future remote management requests through the web administration interface or the command-line interface (CLI) via SSH and the console. This vulnerability is documented in Cisco bug IDs CSCsd91720 (registered customers only) and CSCsd92033 (registered customers only). This vulnerability was originally fixed in Cisco IPS version 5.1(2).
By using a specially crafted sequence of fragmented IP packets, it is possible for malicious traffic to evade inspection by a Cisco IPS device. This may allow an attacker to circumvent the protection provided by an IPS device and access internal systems. IPS devices running in inline and promiscuous modes are affected. This vulnerability is documented in Cisco bug IDs CSCse17206 (registered customers only) and CSCsf12379 (registered customers only). This vulnerability was originally fixed in Cisco IPS version 5.1(2).
-
It is possible to limit exposure to the web administration interface SSL denial of service vulnerability by applying an access control list (ACL) on an IPS/IDS device to restrict access to trusted management systems. Instructions to add an ACL can be found at:
http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/idm/dmSetup.html#wp1076229
There is no workaround for the fragmented packet IPS evasion vulnerability.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).
For more information on the terms "Rebuild" and "Maintenance," consult the following URL:
http://www.cisco.com/warp/public/620/1.html
Affected Software Version          Fixed Software Version
Cisco IDS 4.1(5b) and earlier      Cisco IDS 4.1(5c)
Cisco IPS 5.0(6p1) and earlier     Cisco IPS 5.0(6p2)
Cisco IPS 5.1(1) and earlier       Cisco IPS 5.1(2)
Note: IPS version 5.1(2) is no longer available for download. It has been replaced by IPS version 5.1(3).
Note: Bug ID CSCsd91720 (registered customers only) is fixed in IPS version 5.0(6p1), and CSCsf12379 (registered customers only) is fixed in IPS version 5.0(6p2).
Fixed software for Cisco IPS versions 5.1(x) is available for download at http://www.cisco.com/pcgi-bin/tablebuild.pl/ips5?psrtdcat20e2 (registered customers only).
Fixed software for Cisco IPS versions 4.1(x) and 5.0(x) is available for download at http://www.cisco.com/pcgi-bin/tablebuild.pl/ids-patches?psrtdcat20e2 (registered customers only).
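To turn the show version check above and the fixed-release table into a repeatable inventory test, the following added example (not part of the advisory or of Cisco's own tooling) parses Cisco IPS/IDS version strings such as 4.1(5c), 5.0(6p1) and 5.1(2), orders them the way the advisory does (rebuild letter and pN patch number after the base release), and reports which of the two issues a given device is still exposed to. The first-fixed table is taken from this advisory; the sample banner is constructed.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

class IpsVersion(NamedTuple):
    """Cisco IPS/IDS engine version; tuple ordering gives release order."""
    major: int
    minor: int
    patch: int
    letter: str   # rebuild letter, e.g. the "c" in 4.1(5c); "" if none
    pnum: int     # patch number, e.g. the 1 in 5.0(6p1); 0 if none

# Matches "4.1(5c)", "5.0(6p2)", "5.1(2)". A trailing "S242.0" signature
# level in the show version banner is deliberately not captured: the
# advisory keys on the engine version, not the signature update.
_VER_RE = re.compile(r"(\d+)\.(\d+)\((\d+)([a-z]?)(?:p(\d+))?\)")

def parse_version(text: str) -> IpsVersion:
    """Extract the engine version from a bare version string or from a
    full 'show version' banner."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no IPS/IDS version found in {text!r}")
    major, minor, patch, letter, pnum = m.groups()
    return IpsVersion(int(major), int(minor), int(patch), letter, int(pnum or 0))

# First fixed release per train, per issue, as listed in the advisory.
# A train absent from an issue's map is not listed as affected by it
# (for example, 4.1(x) is not listed for the fragmentation evasion issue).
FIRST_FIXED: Dict[str, Dict[Tuple[int, int], str]] = {
    "ssl-dos":      {(4, 1): "4.1(5c)", (5, 0): "5.0(6p1)", (5, 1): "5.1(2)"},
    "frag-evasion": {(5, 0): "5.0(6p2)", (5, 1): "5.1(2)"},
}

def exposed_issues(text: str) -> List[str]:
    """Return the advisory issues a device running this version is still
    exposed to; an empty list means it is at or above every first fixed
    release that applies to its train."""
    running = parse_version(text)
    train = (running.major, running.minor)
    return [
        issue for issue, fixes in FIRST_FIXED.items()
        if train in fixes and running < parse_version(fixes[train])
    ]

if __name__ == "__main__":
    # Constructed sample banner modelled on the advisory's show version output.
    banner = ("sensor#show version\nApplication Partition:\n"
              "Cisco Intrusion Prevention System, Version 5.1(2)S242.0")
    print(parse_version(banner), exposed_issues(banner))
```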
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
The web administration interface SSL denial of service vulnerability was discovered by Charles McAuley of Imperfect Networks and Spirent Communications.
The fragmented packet IPS evasion vulnerability was reported to Cisco by Pratap Ramamurthy and Shai Rubin of the Wisconsin Safety Analyzer group (WiSA) in the Computer Science department at the University of Wisconsin.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0    2006-August-20    Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.