AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
-
The Cisco Application Control Engine Global Site Selector (GSS) contains a vulnerability when processing specific Domain Name System (DNS) requests that may lead to a crash of the DNS service on the GSS.
Cisco has released software updates that address this vulnerability.
A workaround that mitigates this vulnerability is available.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090107-gss.
-
All versions of GSS system software prior to 3.0(1) are affected by this vulnerability. If the GSS is configured with the optional Cisco Network Registrar (CNR) software, the device is not vulnerable.
Vulnerable Products
The following GSS products are affected by this vulnerability:
- Cisco GSS 4480 Global Site Selector
- Cisco GSS 4490 Global Site Selector
- Cisco GSS 4491 Global Site Selector
- Cisco GSS 4492R Global Site Selector
In order to determine the software that runs on a GSS device, users should log in to the device and issue the show version command to display the system software banner. The version is indicated on the line starting with Version. The following example shows a GSS that runs system software 2.0(1):
gss.cisco.com#show version
Global Site Selector (GSS)
Model Number: GSS-4491-k9
Copyright (c) 1999-2007 by Cisco Systems, Inc.
Version 2.0(1)
Uptime: 19 Hours 18 Minutes and 14 seconds
gss.cisco.com#
In order to determine if CNR is enabled on the GSS device, users should log in to the device and issue the show running-config | grep cnr command to display the system CNR configuration. If CNR is enabled, cnr enable will be displayed in the output. If CNR is disabled, no cnr enable will be displayed. The following example shows a GSS that does not have CNR enabled:
GSS.cisco.com#show running-config | grep cnr
no cnr enable
GSS.cisco.com#
Products Confirmed Not Vulnerable
The following products have been confirmed not vulnerable:
- Cisco Global Site Selector using interaction with Cisco Network Registrar
- Cisco Application Control Engine Module
- Cisco Network Registrar
- Cisco Content Services Switch (CSS)
No other Cisco products are currently known to be affected by this vulnerability.
-
The Cisco GSS platform allows customers to leverage global content deployment across multiple distributed and mirrored data locations, optimizing site selection, improving Domain Name System (DNS) responsiveness, and ensuring data center availability.
The GSS is inserted into the traditional DNS hierarchy and is closely integrated with the Cisco CSS, Cisco Content Switching Module (CSM), or third-party server load balancers (SLBs) to monitor the health and load of the SLBs in customers' data centers. The GSS uses this information and user-specified routing algorithms to select the best-suited and least-loaded data center in real time.
A vulnerability exists in the GSS when processing a specific sequence of DNS requests. An exploit of the vulnerability may result in a crash of the DNS service on the GSS.
When the DNS server crashes, an error message will appear in the logs similar to the following example:
Dec 18 04:47:21 gss NMR-6-LAUNCHSVR_EXIT[27261] dnsserver' has exited [ExitUnknown(139)]"
This vulnerability is documented in Cisco Bug ID CSCsj70093.
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-3819.
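As an added illustration (not part of the advisory, and not Cisco code), the following Python snippet shows how a log-monitoring pipeline could pick out the dnsserver crash signature quoted above from GSS syslog output. The sample log embedded below is constructed around the advisory's own line; the "otherservice" name and the filler line are placeholders.

```python
import re
from collections import Counter, namedtuple

CrashEvent = namedtuple("CrashEvent", "timestamp host pid service reason code")

# Pattern for the NMR-6-LAUNCHSVR_EXIT message quoted in the advisory. The stray
# quote character around the service name in the advisory's sample is tolerated.
_EXIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"NMR-6-LAUNCHSVR_EXIT\[(?P<pid>\d+)\]\s+'?(?P<svc>\w+)'?\s+has exited\s+"
    r"\[(?P<reason>\w+)\((?P<code>\d+)\)\]"
)

# Constructed sample log: the advisory's line surrounded by placeholder entries.
SAMPLE_LOG = """Dec 18 04:47:19 gss EXAMPLE-6-FILLER[1] constructed filler line, not a GSS message
Dec 18 04:47:21 gss NMR-6-LAUNCHSVR_EXIT[27261] dnsserver' has exited [ExitUnknown(139)]"
Dec 18 04:47:22 gss NMR-6-LAUNCHSVR_EXIT[27300] otherservice has exited [ExitNormal(0)]
Dec 18 04:47:25 gss NMR-6-LAUNCHSVR_EXIT[27310] dnsserver has exited [ExitNormal(0)]
"""


def find_dns_crashes(log_text):
    """Return a CrashEvent for every abnormal (non-zero status) dnsserver exit."""
    events = []
    for line in log_text.splitlines():
        m = _EXIT_RE.search(line)
        if not m or m.group("svc") != "dnsserver":
            continue
        code = int(m.group("code"))
        if code == 0:
            continue  # status 0 is a normal termination, not a crash
        # 139 in the advisory's sample is 128 + 11 under the usual Unix convention,
        # i.e. the process was killed by SIGSEGV.
        events.append(CrashEvent(m.group("ts"), m.group("host"), int(m.group("pid")),
                                 m.group("svc"), m.group("reason"), code))
    return events


def crashes_per_host(log_text):
    """Count dnsserver crashes per device; a growing count points to an ongoing condition."""
    return Counter(e.host for e in find_dns_crashes(log_text))
```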
-
A workaround for this vulnerability requires the administrator to disable the property "ServerConfig.dnsserver.returnError" (set it to zero). On GSS versions 1.1(x), 1.2(x) and 1.3(x), this property is disabled by default.
On GSS version 2.0(x), this property is enabled by default (set to one).
The following example shows how to disable this property:
GSS#config terminal
GSS(config)#property set ServerConfig.dnsserver.returnError 0
GSS(config)#exit
GSS#write memory
To ensure the workaround has been applied properly, from privileged EXEC mode, execute the show properties command and verify that the output shows the "ServerConfig.dnsserver.returnError" parameter set to zero. The following example shows how to verify that the workaround has been successfully applied:
gss.cisco.com#show properties | grep ServerConfig.dnsserver.returnError
ServerConfig.dnsserver.returnError : 0
For the property to take effect, the GSS should be stopped and restarted:
GSS#gss stop
GSS#gss start
Note:
- GSS version 3.0(x) is not impacted by the issue in the advisory.
- GSS version 1.x(y) is not impacted by the issue in the advisory so long as the negative return property has not been changed from its default settings. [GSS versions 1.1(x), 1.2(x) and 1.3(x) ship with this property disabled. GSS version 1.0(x) does not allow user customization of the property command].
- GSS version 2.0.x is vulnerable. [GSS version 2.0.x ships with this property enabled].
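The version, CNR and property checks described in this advisory can be combined into one assessment of a device. The following Python script is an added example, not part of the advisory or of any Cisco tool: it parses saved output of the show version, show running-config | grep cnr and show properties commands (the sample output below is constructed from the examples in this advisory) and applies the advisory's fixed-release, CNR and returnError rules, treating 2.0(5) and later as fixed per the fixed-software table.

```python
import re

# Constructed sample CLI output, modelled on the examples in the advisory.
SAMPLE_SHOW_VERSION = """gss.cisco.com#show version
Global Site Selector (GSS)
Model Number: GSS-4491-k9
Copyright (c) 1999-2007 by Cisco Systems, Inc.
Version 2.0(1)
Uptime: 19 Hours 18 Minutes and 14 seconds
gss.cisco.com#"""
SAMPLE_CNR = "GSS.cisco.com#show running-config | grep cnr\nno cnr enable\nGSS.cisco.com#"
SAMPLE_PROPERTY = "ServerConfig.dnsserver.returnError : 1"

_VERSION_RE = re.compile(r"^Version\s+(\d+)\.(\d+)\((\d+)\)", re.MULTILINE)
_PROPERTY_RE = re.compile(r"ServerConfig\.dnsserver\.returnError\s*:\s*(\d+)")


def parse_version(show_version_output):
    """Return (major, minor, build) from the line starting with 'Version'."""
    m = _VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError("no 'Version x.y(z)' line found in show version output")
    return tuple(int(g) for g in m.groups())


def cnr_enabled(grep_cnr_output):
    """True only for a bare 'cnr enable' line; 'no cnr enable' means CNR is disabled."""
    return re.search(r"^\s*cnr enable\s*$", grep_cnr_output, re.MULTILINE) is not None


def return_error_setting(show_properties_output):
    """Value of ServerConfig.dnsserver.returnError, or None if the line is absent."""
    m = _PROPERTY_RE.search(show_properties_output)
    return int(m.group(1)) if m else None


def assess(show_version_output, grep_cnr_output, show_properties_output):
    """Classify the device according to the advisory's affected/fixed/workaround rules."""
    v = parse_version(show_version_output)
    # First fixed releases per the fixed-software table: 3.0(1), and 2.0(5) on the 2.x train.
    if v >= (3, 0, 1) or (2, 0, 5) <= v < (3, 0, 0):
        return "not vulnerable (fixed release)"
    if cnr_enabled(grep_cnr_output):
        return "not vulnerable (CNR configured)"
    if v[:2] == (1, 0):
        return "not vulnerable (1.0(x) does not allow the property to be changed)"
    if return_error_setting(show_properties_output) == 0:
        return "not exposed (returnError = 0; default on 1.1-1.3, workaround on 2.0)"
    return "vulnerable (returnError enabled; apply the workaround or upgrade)"
```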
Mechanics of the Workaround
If there is a query for which there is no domain match on the GSS, the query is dropped and the DNSQueriesUnmatched counter is incremented. As a side effect of the workaround, neither of the negative responses (NXDOMAIN or NODATA) is sent for queries for which there is no domain match.
Impact of the Workaround
- If there are no Authority Domains configured on the GSS, there is no impact that will be noticed by the end user.
- If there are Authority Domains configured on the GSS, disabling negative responses means that nothing is sent back to the resolver, so the resolver receives no indication whether the lack of response is due to a network failure or because the domain is not supported by the GSS. As a result, the resolver will send the same query for a domain that does not exist on the GSS again each time it receives a request for such a domain from a DNS client.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
GSS Major Version | First Fixed Release                                                                        | Recommended Release
1.x(y)            | Vulnerable; Option 1: Migrate to 3.0(1) or later; Option 2: Migrate to 2.0(5) or later.   | 3.0(2)
2.x(y)            | Vulnerable; Migrate to 2.0(5) or later.                                                    | 3.0(2)
3.x(y)            | Not Vulnerable                                                                             |
GSS fixed system software is available for download from http://www.cisco.com/pcgi-bin/tablebuild.pl/gss-3des?psrtdcat20e2
-
The Cisco PSIRT is aware of active exploitations where malicious use of the vulnerability described in this advisory has occurred.
This vulnerability was discovered by investigating customer TAC service requests.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.1 | 2009-November-12 | Updated workarounds
Revision 1.0 | 2009-January-07  | Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.