Advisory ID: cisco-sa-20070718-waas
For Public Release 2007 July 18 16:00 UTC (GMT)
The Cisco Wide Area Application Services (WAAS) software contains a
denial of service (DoS) vulnerability that may cause some devices that run WAAS
software (WAE appliance and NM-WAE-502 module) to stop processing all types of
traffic, including data traffic and management traffic. This condition may
occur if a device running WAAS software is configured for Edge Services, which
utilizes Common Internet File System (CIFS) optimization and receives a flood
of TCP SYN packets on port 139 or 445.
Cisco has made free software available to address this vulnerability
for affected customers. Workarounds are available to mitigate the effects of
This advisory is posted at
The vulnerability described in this document applies to both the WAE
appliance and the NM-WAE-502 network module with Edge Services configured,
which use CIFS optimization. Edge Services and CIFS optimization are disabled
by default. CIFS functionality is only available once Edge Services are
manually configured from the WAAS Central Manager. Only WAAS software versions
4.0.7 and 4.0.9 are affected by this vulnerability.
In order to determine whether Edge Services are configured and to
display the WAAS software version information, use the WAAS Central Manager
GUI. The show version EXEC command from the CLI will also display the WAAS
software version information.
Determine whether Edge Services are configured and display the WAAS
software version information by following the steps below.
Log on to WAAS Central Manager.
Select the "Devices" tab.
Look under the Services column. "Edge" will denote if Edge Services
Look under the Software Version column. The software version for each
device is identified.
The example below shows the output of the show version command from a
WAE appliance CLI. In this example, the WAE is running version 4.0.9.
Cisco Wide Area Application Services Software (WAAS)
Copyright (c) 1999-2007 by Cisco Systems, Inc.
Cisco Wide Area Application Services Software Release 4.0.9
(build b10 Apr 6 2007)
Compiled 15:26:06 Apr 6 2007 by cnbuild
System was restarted on Sat Jun 16 05:03:41 2007.
The system has been up for 33 minutes, 40 seconds.
No other Cisco products or versions of WAAS software that are not
explicitly identified in this advisory are currently known to be affected by
WAE appliances and NM-WAE-502 modules that are not configured to
provide Edge Services performing CIFS optimization are not affected. The
NM-WAE-302 is not susceptible to this vulnerability as it cannot be configured
for CIFS optimization.
The Cisco Wide Area Application Services solution uses a combination of
application acceleration and WAN optimization techniques to mitigate
application and transport latency. WAAS software is utilized on the Wide Area
Application Engine appliance and the Wide Area Application Services Network
Module that are incorporated in the solution.
A DoS vulnerability exists in some versions of WAAS software that may
cause some devices that run WAAS software (WAE appliance and NM-WAE-502 module)
to stop processing all types of traffic, including traffic going through the
device (data traffic) and traffic terminating on the device (management
traffic). If the WAAS device has Edge Services, which uses CIFS optimization
configured, and receives a flood of TCP SYN packets on ports 139 or 445, this
vulnerability may be triggered, resulting in a DoS condition. Ports 139 and 445
are utilized by the CIFS functionality of the WAAS software. This condition may
result from network traffic that is sent directly to the WAAS platform, or by
automated systems such as hostscanners, portscanners, or network worms.
This vulnerability is documented in Cisco Bug ID
registered customers only)
Successful exploitation of the vulnerability described in this document
may allow a remote host to cause a device that is running an affected version
of the WAAS software with Edge Services using CIFS optimization configured to
enter into an unresponsive state. During this unresponsive state, no services
are provided, including management access to the device. Recovery of the system
from this unresponsive state can only be accomplished by resetting or power
cycling the affected device. The following process can be used to remotely
recover the NM-WAE-502.
Remote Recovery of the NM-WAE-502
Log in to the router and issue the following command from IOS CLI to
reboot the NM-WAE-502:
Router# service-module integrated-Service-Engine <slot>/<port> reset
When considering software upgrades, also consult
and any subsequent advisories to determine exposure and a complete upgrade
In all cases, customers should exercise caution to be
certain the devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported properly by
the new release. If the information is not clear, contact the Cisco Technical
Assistance Center ("TAC") or your contracted maintenance provider for
This vulnerability is fixed in version 4.0.11 of the Cisco WAAS
software. WAAS public software releases have version numbers that end in odd
numbers and can be downloaded from the following URL:
If the device that is running WAAS software does not need to provide
Edge Services, then disabling Edge Services is a viable workaround. When the
Edge Services are turned off, CIFS clients may not benefit from the response
time reduction that is associated with the operation of the CIFS cache,
preposition and other CIFS latency optimizations. However, other Layer 4
optimizations will continue to apply according to the application policy
In order to disable Edge Services, which includes the CIFS accelerator
and CIFS auto discovery features, follow the steps below.
Log in to WAAS Central Manager.
Select the "Devices" tab.
Select the "Devices" category (or "Device Groups" if using multiple
devices in groups).
Choose target device or group.
Choose "File Services" located in the left column under "Contents."
Choose "Edge configuration" located under "File Services."
Uncheck "Enable Edge Server."
Transit ACLs (tACL)
Filters that block access to TCP ports 139 and 445 packets should be
deployed at the network edge as part of a transit access list, which will
protect the router where the filter is configured as well as other devices
behind it. Filters should also be deployed in front of vulnerable network
devices so that TCP ports 139 and 445 packets are only allowed from trusted
CIFS Clients to trusted CIFS Servers.
Further information about transit ACLs is available in the white paper
"Transit Access Control Lists: Filtering at Your Edge" at the following link:
Further information about configuring ACLs on the WAAS client is in the
"Creating and Managing IP Access Control Lists for WAAS Devices" chapter of the
WAAS Configuration Guide at the following link:
Additional mitigations that can be deployed on Cisco devices within the
network are discussed in the Cisco Applied Mitigation Bulletin companion document for
this advisory available at the following link:
Cisco will make free software available to address this vulnerability
for affected customers. This advisory will be updated as fixed software becomes
available. Prior to deploying software, customers should consult their
maintenance provider or check the software for feature set compatibility and
known issues specific to their environment.
Customers may only install and expect support for the
feature sets they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound by the
terms of Cisco's software license terms found at
or as otherwise set forth at Cisco.com Downloads at
Do not contact either "email@example.com" or
"firstname.lastname@example.org" for software upgrades.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades should be
obtained through the Software Center on Cisco's worldwide website at
Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for guidance and assistance with the appropriate course of
action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on
specific customer situations such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected products
and releases, customers should consult with their service provider or support
organization to ensure any applied workaround or fix is the most appropriate
for use in the intended network before it is deployed.
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors but are
unsuccessful at obtaining fixed software through their point of sale should
obtain their upgrades by contacting the Cisco Technical Assistance Center
(TAC). TAC contacts are as follows.
+1 800 553 2447 (toll free from within North America)
+1 408 526 7209 (toll call from anywhere in the world)
Have your product serial number available and provide the URL of this notice as evidence of entitlement to a software patch or bug fix. Customers without service contracts should request a software patch or bug fix through the TAC.
for additional TAC contact information, including special localized telephone
numbers and instructions and e-mail addresses for use in various
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was discovered during the resolution of
customer support cases.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
This advisory is posted on Cisco's worldwide website at :
In addition to worldwide web posting, a text version of
this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.
In "Vulnerable Products" section, added a line break
Initial public release