Advisory ID: cisco-sa-20100811-aceRevision 1.0
For Public Release 2010 August 11 16:00 UTC (GMT)
The Cisco ACE Application Control Engine Module and Cisco ACE 4710
Application Control Engine contain the following DoS vulnerabilities:
-
Real-Time Streaming Protocol (RTSP) inspection DoS
vulnerability
-
HTTP, RTSP, and Session Initiation Protocol (SIP) inspection DoS
vulnerability
-
Secure Socket Layer (SSL) DoS vulnerability
-
SIP inspection DoS vulnerability
Cisco has released free software updates for affected customers.
Workarounds that mitigate some of the vulnerabilities are available.
Note: These vulnerabilities are independent of each other. A device may be
affected by one vulnerability and not affected by another.
This advisory is posted at
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100811-ace.
The Cisco ACE Application Control Engine Module and Cisco ACE 4710
Application Control Engine are affected by multiple vulnerabilities. Affected
versions vary depending on the specific vulnerability. For specific version
information, refer to the Software Versions and Fixes section of this
advisory.
RTSP Inspection DoS Vulnerability
Cisco ACE Application Control Engine Module and Cisco ACE 4710
Application Control Engine appliances configured with RTSP inspection are
affected. RTSP inspection is disabled by default.
HTTP, RTSP, and SIP Inspection DoS Vulnerability
Cisco ACE 4710 Application Control Engine appliances configured with
HTTP, RTSP, or SIP inspection are affected. HTTP, RTSP, and SIP inspection are
disabled by default. The Cisco ACE Application Control Engine Module is not
affected by this vulnerability.
Note: This vulnerability is independent from the other RSTP and SIP
inspection vulnerabilities described in this advisory.
SSL DoS Vulnerability
Cisco ACE Application Control Engine Module processing SSL transactions
are affected by this vulnerability. The Cisco ACE 4710 Application Control
Engine appliance is not affected by this vulnerability.
SIP Inspection DoS Vulnerability
Cisco ACE Application Control Engine Module and Cisco ACE 4710
Application Control Engine appliances configured for SIP inspection are
affected. SIP inspection is disabled by default.
Determining Software Versions
To display the version of system software that is currently running on
Cisco ACE Application Control Engine, use the show version
command. This example displays the output of the show version
command on the Cisco ACE Application Control Engine software version
A3(1.0):
ACE-4710/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader: Version 0.95
system: Version A3(1.0) [build 3.0(0)A3(0.0.148)]
system image file: (nd)/192.168.65.31/scimitar.bin
Device Manager version 1.1 (0) 20080805:0415
...
<output truncated>
This example displays the output of the show version
command on a Cisco ACE Application Control Engine Module software version
A2(3.0):
ACEmod/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader: Version 12.2[121]
system: Version A2<3.0> [build 3.0(0)A2(2.99.80)]
system image file: [LCP] disk0:c6ace-t1k9-mzg.A2_2_99_80.bin
licensed features: no feature license is installed
...
<output truncated>
The Cisco ACE XML Gateway, the Cisco ACE Web Application Firewall, and
the Cisco ACE GSS 4400 Series Global Site Selector Appliances are not affected
by any of the vulnerabilities that are described in this advisory.
No other Cisco products are currently known to be affected
by these vulnerabilities.
The Cisco ACE 4710 Application Control Engine appliance and the Cisco
ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches
and Cisco 7600 Series Routers are a load-balancing and application-delivery
solution for data centers. Multiple vulnerabilities exist in both products.
These vulnerabilities are independent of each other. A device may be affected
by one vulnerability and not affected by another. The following information
provides the details about each of the vulnerabilities that are addressed in
this advisory.
RTSP Inspection DoS Vulnerability
The RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4,
RealPlayer, and Cisco IP/TV connections. RTSP applications use the well-known
port 554 with TCP and UDP as the control channel. The module and the appliance
only support RTSP over TCP.
The Cisco ACE Application Control Engine Module and Cisco
ACE 4710 Application Control Engine contain a DoS vulnerability that can be
exploited by an unauthenticated attacker while sending crafted RTSP packets.
Only devices with RTSP inspection enabled are affected. RTSP inspection is
disabled by default.
Note: A TCP three-way handshake is needed in order to exploit this
vulnerability. Only transit traffic can trigger this vulnerability; traffic
that is destined to the affected device will not trigger the
vulnerability.
This vulnerability is documented in these Cisco Bug IDs and has been
assigned these Common Vulnerability and Exposures (CVE) IDs:
-
Cisco ACE Application Control Engine Appliance:
CSCta85227
(
registered customers only)
- CVE-2010-2822
-
Cisco ACE Application Control Engine Module:
CSCtg14858
(
registered customers only)
- CVE-2010-2822
HTTP, RTSP, and SIP Inspection DoS Vulnerability
The ACE performs a stateful deep packet inspection of the HTTP
protocol. Deep packet inspection is a special case of application inspection
where the ACE examines the application payload of a packet or a traffic stream
and makes decisions based on the content of the data. During HTTP deep
inspection, the main focus of the application inspection process is on HTTP
attributes such as the HTTP header, the URL, and to a limited extent, the
payload. User-defined regular expressions can also be used to detect
"signatures" in the payload.
The Cisco ACE 4710 Application Control Engine contains a DoS
vulnerability that can be exploited by an unauthenticated attacker while
sending crafted HTTP packets. Devices with HTTP, RTSP, or SIP inspection
enabled are affected. HTTP, RTSP, and SIP inspection are disabled by
default.
Note: The Cisco ACE Application Control Engine Module is not affected by
this vulnerability. A TCP three-way handshake is needed in order to exploit
this vulnerability. Only transit traffic can trigger this vulnerability;
traffic that is destined to the affected device will not trigger this
vulnerability.
This vulnerability is documented in Cisco Bug ID
CSCtb54493
(
registered customers only)
and has been assigned
the CVE ID CVE-2010-2823.
SSL DoS Vulnerability
The Cisco ACE Application Control Engine Module contains a DoS
vulnerability that can be exploited by an unauthenticated attacker while
sending a series of SSL packets. The Cisco ACE 4710 Application Control Engine
appliance is not affected by this vulnerability.
Note: A TCP three-way handshake is needed in order to exploit this
vulnerability. Only traffic that is destined to the affected device can trigger
this vulnerability; transit traffic will not trigger this vulnerability.
Note: The Cisco ACE 4710 Application Control Engine appliance is not
affected by this vulnerability.
This vulnerability is documented in Cisco Bug ID
CSCta20756
(
registered customers only)
and has been assigned
the CVE ID CVE-2010-2824.
SIP Inspection DoS Vulnerability
SIP is used for call handling sessions, especially two-party
conferences. The Cisco ACE Application Control Engine Module and Cisco ACE 4710
Application Control Engine contain a DoS vulnerability that can be exploited by
an unauthenticated attacker while sending crafted SIP packets. Only devices
with SIP inspection enabled are affected. SIP inspection is disabled by
default.
Note: TCP or UDP SIP packets may cause a device reload. If TCP is used, a
TCP three-way handshake is needed in order to exploit this vulnerability. Only
transit traffic can trigger this vulnerability; traffic that is destined to the
affected device will not trigger this vulnerability.
This vulnerability is documented in these Cisco Bug IDs and has been
assigned these CVE IDs:
-
Cisco ACE Application Control Engine Module:
CSCta65603
(
registered customers only)
- CVE-2010-2825
-
Cisco ACE Application Control Engine Appliance:
CSCta71569
(
registered customers only)
- CVE-2010-2825
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys
vulnerability severity and helps determine urgency and priority of
response.
Cisco has provided a base and temporal score. Customers can
then compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions
regarding CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.
Cisco has also provided a CVSS calculator to help compute
the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss.
|
CSCta85227 and CSCtg14858 - RTSP Inspection DoS
Vulnerability
Calculate the environmental score of
CSCta85227
and CSCtg14858
|
|
CVSS Base Score - 7.8
|
|
Access Vector
|
Access Complexity
|
Authentication
|
Confidentiality Impact
|
Integrity Impact
|
Availability Impact
|
|
Network
|
Low
|
None
|
None
|
None
|
Complete
|
|
CVSS Temporal Score - 6.4
|
|
Exploitability
|
Remediation Level
|
Report Confidence
|
|
Functional
|
Official-Fix
|
Confirmed
|
|
CSCtb54493 - HTTP, RTSP, and SIP Inspection DoS
Vulnerability
Calculate the environmental score of
CSCtb54493
|
|
CVSS Base Score - 7.8
|
|
Access Vector
|
Access Complexity
|
Authentication
|
Confidentiality Impact
|
Integrity Impact
|
Availability Impact
|
|
Network
|
Low
|
None
|
None
|
None
|
Complete
|
|
CVSS Temporal Score - 6.4
|
|
Exploitability
|
Remediation Level
|
Report Confidence
|
|
Functional
|
Official-Fix
|
Confirmed
|
|
CSCta20756 - SSL DoS Vulnerability
Calculate the environmental score of
CSCta20756
|
|
CVSS Base Score - 7.8
|
|
Access Vector
|
Access Complexity
|
Authentication
|
Confidentiality Impact
|
Integrity Impact
|
Availability Impact
|
|
Network
|
Low
|
None
|
None
|
None
|
Complete
|
|
CVSS Temporal Score - 6.4
|
|
Exploitability
|
Remediation Level
|
Report Confidence
|
|
Functional
|
Official-Fix
|
Confirmed
|
|
CSCta65603 and CSCta71569 - SIP Inspection DoS
Vulnerability
Calculate the environmental score of
CSCta65603
and CSCta71569
|
|
CVSS Base Score - 7.8
|
|
Access Vector
|
Access Complexity
|
Authentication
|
Confidentiality Impact
|
Integrity Impact
|
Availability Impact
|
|
Network
|
Low
|
None
|
None
|
None
|
Complete
|
|
CVSS Temporal Score - 6.4
|
|
Exploitability
|
Remediation Level
|
Report Confidence
|
|
Functional
|
Official-Fix
|
Confirmed
|
Successful exploitation of any of the vulnerabilities described in this
security advisory may cause a reload of the affected device. Repeated
exploitation could result in a sustained DoS condition.
When considering software upgrades, also consult
http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete upgrade
solution.
In all cases, customers should exercise caution to be
certain the devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported properly by
the new release. If the information is not clear, contact the Cisco Technical
Assistance Center (TAC) or your contracted maintenance provider for
assistance.
Each row of the software table (below) describes the
earliest possible releases that contain the fix (along with the anticipated
date of availability for each, if applicable) are listed in the "First Fixed
Release" column of the table. The "Recommended Release" column indicates the
releases which have fixes for all the published vulnerabilities at the time of
this Advisory. A device running a release in the given train that is earlier
than the release in a specific column (less than the First Fixed Release) is
known to be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
|
Vulnerability
|
First Fixed Release
|
Recommended Release
|
|
ACE Appliance
|
ACE Module
|
ACE Appliance
|
ACE Module
|
|
RTSP Inspection Vulnerability
|
A3(2.6)
|
A2(3.2)
|
A3(2.6)
|
A2(3.2)
|
|
HTTP, RTSP, SIP Inspection Vulnerability
|
A3(2.6)
|
Not vulnerable
|
A3(2.6)
|
A2(3.2)
|
|
SSL Vulnerability
|
Not vulnerable
|
A2(1.6)
A2(2.3)
A2(3.1)
|
A3(2.6)
|
A2(3.2)
|
|
SIP Inspection Vulnerability
|
A3(2.4)
|
A2(1.6)
A2(2.3)
A2(3.1)
|
A3(2.6)
|
A2(3.2)
|
Cisco ACE 4710 Application Control Engine appliance software can be
downloaded from:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=281222179
(
registered customers only)
Cisco ACE Module software can be downloaded from:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=280557289
(
registered customers only)
In addition to the recommendations described below, mitigation
techniques that can be deployed on Cisco devices within the network are
available in the Cisco Applied Mitigation Bulletin companion document for this
advisory:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20100811-ace.
RTSP Inspection DoS Vulnerability
This vulnerability can be mitigated by disabling RTSP inspection if it
is not required. RTSP inspection is disabled by default. Administrators can
disable RTSP inspection by issuing the no inspect rtsp command
under the respective policy map.
Note: This workaround is only feasible if RTSP inspection is not needed or
required in a load-balancing deployment.
HTTP, RTSP, and SIP Inspection DoS Vulnerability
This vulnerability can be mitigated by disabling HTTP, RTSP, and SIP
inspection if they are not required. HTTP, RTSP, and SIP inspection are
disabled by default.
Administrators can disable HTTP inspection by issuing the
no inspect http command under the respective policy
map.
Administrators can disable RTSP inspection by issuing the
no inspect rtsp command under the respective policy
map.
Administrators can disable SIP inspection by issuing the
no inspect sip command under the respective policy map.
Note: This workaround is only feasible if HTTP, RTSP, and SIP inspections
are not needed or required in a load-balancing deployment.
SSL DoS Vulnerability
There are no workarounds available to mitigate this
vulnerability.
SIP Inspection DoS Vulnerability
This vulnerability can be mitigated by disabling SIP inspection if it
is not required. SIP inspection is disabled by default. Administrators can
disable SIP inspection by issuing the no inspect sip command
under the respective policy map.
Note: This workaround is only feasible if SIP inspection is not needed or
required in a load-balancing deployment.
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult their
maintenance provider or check the software for feature set compatibility and
known issues specific to their environment.
Customers may only install and expect support for the
feature sets they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound by the
terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
.
Do not contact psirt@cisco.com or security-alert@cisco.com
for software upgrades.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades should be
obtained through the Software Center on Cisco's worldwide website at
http://www.cisco.com.
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for guidance and assistance with the appropriate course of
action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on
specific customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected products
and releases, customers should consult with their service provider or support
organization to ensure any applied workaround or fix is the most appropriate
for use in the intended network before it is deployed.
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale should
acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC
contacts are as follows.
-
+1 800 553 2447 (toll free from within North America)
-
+1 408 526 7209 (toll call from anywhere in the world)
-
e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested through the
TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone numbers,
and instructions and e-mail addresses for use in various languages.
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were found during the troubleshooting
of customer service requests and internal testing.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
This advisory is posted on Cisco's worldwide website at :
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100811-ace
In addition to worldwide web posting, a text version of
this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
-
cust-security-announce@cisco.com
-
first-bulletins@lists.first.org
-
bugtraq@securityfocus.com
-
vulnwatch@vulnwatch.org
-
cisco@spot.colorado.edu
-
cisco-nsp@puck.nether.net
-
full-disclosure@lists.grok.org.uk
-
comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.
|
Revision 1.0
|
2010-August-11
|
Initial public release.
|
|
