Cisco Security Advisory

Vulnerable Products

Products Confirmed Not Vulnerable

Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection feature that effectively mitigates a wide range of network attacks. A component of the Cisco IOS Integrated Threat Control framework and complemented by Cisco IOS Flexible Packet Matching feature, Cisco IOS IPS provides your network with the intelligence to accurately identify, classify, and stop or block malicious traffic in real time. Additional information on the Cisco IOS IPS feature can be found at http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_fwids.html.

Previous to the introduction of the Cisco IOS IPS feature, Cisco IOS provided a similar feature, the Cisco IOS Intrusion Detection System (IDS). The Cisco IOS IDS feature is not affected by this vulnerability. Additional information on the Cisco IOS IDS feature can be found at http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/ios_ids.html.

Certain network traffic can trigger IPS signatures on the SERVICE.DNS signature engine which may cause the Cisco IOS device to crash or hang. This may cause a denial of service that results in disruption of network traffic. This vulnerability is documented in Cisco Bug ID CSCsq13348 ( registered customers only) .

This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-2739.

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss.

Successful exploitation of this vulnerability may cause a Cisco IOS device configured with the Cisco IOS IPS feature to crash or hang, resulting in a denial of service condition.

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table.

The workaround consists of adding an Access Control List (ACL) to every Cisco IOS IPS policy configured on the device so that traffic destined to ports 53/udp or 53/tcp is not inspected by the Cisco IOS IPS feature. The following ACL would need to be added to the device configuration:

! deny inspection of traffic with a destination port of 53/udp
access-list 177 deny   udp any any eq 53
! deny inspection of traffic with a destination port of 53/tcp
access-list 177 deny   tcp any any eq 53
! allow all other traffic to be inspected
access-list 177 permit ip any any

Every instance of a Cisco IOS IPS policy on the device would then need to be modified in order to reference the previous ACL. In order to determine which Cisco IOS IPS policies are configured on the device, execute the command show running-config | include ip ips name as in the following example:

Router#show running-config | include ip ips name
ip ips name ios-ips-incoming
ip ips name ios-ips-outgoing
Router#

In the previous example, two Cisco IOS IPS policies are configured on the device. The following example shows the addition of an ACL to each one of the Cisco IOS IPS policies previously identified:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip ips name ios-ips-incoming list 177
Router(config)#ip ips name ios-ips-outgoing list 177
Router(config)#end
Router#

As a verification step, the command show ip ips interfaces can be executed again to verify the ACL has been properly attached to each one of the Cisco IOS IPS policies:

Router#show ip ips interfaces
    Interface Configuration
      Interface FastEthernet0/0
        Inbound IPS rule is ios-ips-incoming
    acl list 177
        Outgoing IPS rule is not set
      Interface FastEthernet0/1
        Inbound IPS rule is not set
        Outgoing IPS rule is ios-ips-outgoing
    acl list 177
Router#

Note: Disabling or deleting individual or all signatures using the SERVICE.DNS engine of the Cisco IOS IPS feature is not a recommended workaround. The previous workaround is the only Cisco-recommended workaround for this vulnerability.

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts

Customers Using Third-Party Support Organizations

Customers Without Service Contracts

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

This vulnerability was reported to Cisco by a customer.

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

This advisory is posted on Cisco's worldwide website at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-iosips

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

• cust-security-announce@cisco.com
  
• first-bulletins@lists.first.org
  
• bugtraq@securityfocus.com
  
• vulnwatch@vulnwatch.org
  
• cisco@spot.colorado.edu
  
• cisco-nsp@puck.nether.net
  
• full-disclosure@lists.grok.org.uk
  
• comp.dcom.sys.cisco@newsgate.cisco.com
  

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.