Cisco Security Advisory

Multiple Vulnerabilities in Cisco IPS Software

Advisory ID: cisco-sa-20140219-ips

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140219-ips

Revision 1.0

For Public Release 2014 February 19 16:00 UTC (GMT)

Related Resources:

View related Applied Mitigation Bulletin

Summary

Cisco Intrusion Prevention System (IPS) Software is affected by the following vulnerabilities:

  • Cisco IPS Analysis Engine Denial of Service Vulnerability
  • Cisco IPS Control-Plane MainApp Denial of Service Vulnerability
  • Cisco IPS Jumbo Frame Denial of Service Vulnerability

The Cisco IPS Analysis Engine Denial of Service Vulnerability and the Cisco IPS Jumbo Frame Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive or crash. When this occurs, the Cisco IPS will stop inspecting traffic.

The Cisco IPS Control-Plane MainApp Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the MainApp process to become unresponsive and prevent it from executing several tasks including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive, and other processes such as the Analysis Engine process may not work properly.
 
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of the vulnerabilities are available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140219-ips

Affected Products

Vulnerable Products

Cisco IPS Analysis Engine Denial of Service Vulnerability

The following products are affected by the Cisco IPS Analysis Engine Denial of Service Vulnerability:

  • Cisco ASA 5500-X Series IPS Security Services Processor (IPS SSP) software and hardware modules
  • Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Module (AIP SSM)
  • Cisco IPS 4200 Series Sensors
  • Cisco IPS 4300 Series Sensors
  • Cisco IPS 4500 Series Sensors

This vulnerability does not affect Cisco IPS Software releases prior to 7.1(4)E4.

This vulnerability affects only Cisco IPS Software configured with a signature with the produce-verbose-alert action enabled or systems on which an event action override (EAO) is configured to add this action.

To determine whether the produce-verbose-alert option is used in any of the active signatures or in an EAO configuration use the show configuration command.

The following example shows signature ID 1475/0 modified to enable the produce-verbose-alert option:

sensor# show configuration
! ------------------------------
! Current configuration last modified Wed Feb 05 16:21:00 2014
! ------------------------------
! Version 7.1(8)
! Host:
!     Realm Keys          key1.0
[...]

variables WEBPORTS web-ports 24326-24326,3128-3128,80-80,8000-8000,8010-8010,8080-8080,8888-8888
signatures 1475 0
engine string-tcp
event-action produce-alert|produce-verbose-alert
exit

[...]

The following example shows the rules0 event action rules policy with an override enabled with the produce-verbose-alert option:

sensor# show configuration
! ------------------------------
! Current configuration last modified Wed Feb 05 16:21:00 2014
! ------------------------------
! Version 7.1(8)
! Host:
!     Realm Keys          key1.0
[...]
! ------------------------------
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Enabled
risk-rating-range 90-100
exit
overrides produce-verbose-alert
override-item-status Enabled
risk-rating-range 90-100
exit
exit
! ------------------------------
[...]


Alternatively, to determine whether any active signature has the produce-verbose-alert option enabled, use the Cisco IPS Device Manager (IDM) to connect to the Cisco IPS and navigate to Configuration > Policies > Signature Definitions > -Sig-Definition-Name- > Active Signatures and filter by using Filter: Action Produce Verbose Alert.

The produce-verbose-alert option is not enabled by default on any active signatures nor in any EAO rules.

Cisco IPS Control-Plane MainApp Denial of Service Vulnerability

The following products are affected by the Cisco IPS Control-Plane MainApp Denial of Service Vulnerability:

  • Cisco ASA 5505 Advanced Inspection and Prevention Security Services Card (AIP SSC)
  • Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Module (AIP SSM)
  • Cisco ASA 5500-X Series IPS Security Services Processor (IPS SSP) software and hardware modules

Note: The Advanced Inspection and Prevention Security Services Card (AIP SSC) for Cisco ASA 5505 has reached the End of Software Maintenance Releases milestone. Customers are encouraged to contact their Cisco representative for an available replacement.

Cisco IPS Jumbo Frame Denial of Service Vulnerability

The following products are affected by the Cisco IPS Jumbo Frame Denial of Service Vulnerability:

  • Cisco IPS 4500 Series Sensors

How to Determine the Running Software Version

To determine whether a vulnerable version of Cisco IPS Software is running on an appliance, administrators can issue the show version command. The following example shows a Cisco IPS 4345 that is running software version 7.1(3)E4:

sensor# show version
Application Partition:

Cisco Intrusion Prevention System, Version 7.1(3)E4

Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S605.0        2011-10-25
OS Version:             2.6.29.1
Platform:               IPS-4345-K9

Customers who use Cisco Intrusion Prevention System Device Manager (IDM) to manage devices can locate the software version in the table that is displayed in the login window or top left corner of the Cisco IDM window.
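
The two checks described above for the Analysis Engine vulnerability (a release at or after 7.1(4)E4 but before its train's first fixed release, plus produce-verbose-alert enabled on a signature or as an event action override) can be scripted against saved show version and show configuration output. The following is an added example written for this advisory, not Cisco code; it assumes release strings compare as (major, minor, maintenance, patch, engine level) tuples and that the configuration text uses the layout shown in the examples above, and its sample input is constructed.

```python
import re

# Cisco IPS release strings look like 7.1(3)E4 or 7.1(8p2)E4, i.e.
# major.minor(maintenance[p patch])E<engine>; compared as tuples in that order (assumption).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:p(\d+))?\)E(\d+)")

# First fixed release per train for CSCui91266, from the advisory's fix table;
# trains absent here (6.x, 7.0, 7.3) are listed as Not Affected.
FIRST_FIXED = {(7, 1): (7, 1, 8, 0, 4), (7, 2): (7, 2, 2, 0, 4)}
FIRST_AFFECTED = (7, 1, 4, 0, 4)  # releases prior to 7.1(4)E4 are not affected

def parse_version(show_version):
    """Return (major, minor, maintenance, patch, engine) from 'show version' text."""
    m = VERSION_RE.search(show_version)
    if not m:
        raise ValueError("no Cisco IPS version string found")
    major, minor, maint, patch, engine = m.groups()
    return (int(major), int(minor), int(maint), int(patch or 0), int(engine))

def version_in_vulnerable_range(ver):
    """True when the release is at or after 7.1(4)E4 and before its train's first fix."""
    fixed = FIRST_FIXED.get(ver[:2])
    return fixed is not None and FIRST_AFFECTED <= ver < fixed

def verbose_alert_signatures(show_config):
    """Signatures ('id/subsig') whose '|'-separated event-action list has produce-verbose-alert."""
    hits, current = [], None
    for line in show_config.splitlines():
        s = line.strip()
        m = re.fullmatch(r"signatures (\d+) (\d+)", s)
        if m:
            current = f"{m.group(1)}/{m.group(2)}"
        elif current and s.startswith("event-action "):
            if "produce-verbose-alert" in s.split(None, 1)[1].split("|"):
                hits.append(current)
    return hits

def verbose_alert_overrides(show_config):
    """Event action rules policies with an enabled produce-verbose-alert override."""
    policies, policy, in_override = [], None, False
    for line in show_config.splitlines():
        s = line.strip()
        m = re.fullmatch(r"service event-action-rules (\S+)", s)
        if m:
            policy, in_override = m.group(1), False
        elif s.startswith("overrides ") or s == "exit":
            in_override = s == "overrides produce-verbose-alert"
        elif in_override and s == "override-item-status Enabled" and policy not in policies:
            policies.append(policy)
    return policies

def assess_cscui91266(show_version, show_config):
    """Combine the advisory's version check and configuration check for CSCui91266."""
    ver = parse_version(show_version)
    sigs = verbose_alert_signatures(show_config)
    eaos = verbose_alert_overrides(show_config)
    exposed = version_in_vulnerable_range(ver) and bool(sigs or eaos)
    return {"version": ver, "signatures": sigs, "overrides": eaos, "exposed": exposed}

# Constructed sample input modelled on the advisory's show version / show configuration output.
SAMPLE_VERSION = "Cisco Intrusion Prevention System, Version 7.1(5)E4\nPlatform: IPS-4345-K9\n"
SAMPLE_CONFIG = """\
service signature-definition sig0
signatures 1475 0
engine string-tcp
event-action produce-alert|produce-verbose-alert
exit
exit
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Enabled
risk-rating-range 90-100
exit
overrides produce-verbose-alert
override-item-status Enabled
risk-rating-range 90-100
exit
exit
"""
```

Calling assess_cscui91266(SAMPLE_VERSION, SAMPLE_CONFIG) on the sample reports signature 1475/0 and policy rules0 and marks the sensor as exposed; the same configuration on 7.1(3)E4 is reported as not exposed because that release predates 7.1(4)E4.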

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by these vulnerabilities.

Details

The Cisco IPS is a family of network security devices that provide network-based threat prevention services. Cisco IPS Software includes several applications that are used by the system to run different tasks. In particular, the MainApp process is responsible for multiple critical tasks, including reading the configuration, starting and stopping applications, and authentication service, while the Analysis Engine process is responsible for the analysis and inspection of traffic passing through the sensor.

Additional information about the MainApp and Analysis Engine processes is in the "System Architecture" section of the product configuration guide:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idm_system_architecture.html#wp1126061

Cisco IPS Analysis Engine Denial of Service Vulnerability

A vulnerability in the produce-verbose-alert code of Cisco Intrusion Prevention System (IPS) Software could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive.

The vulnerability is due to improper handling of fragmented packets by the Analysis Engine process when the produce-verbose-alert action is enabled. An attacker could exploit this vulnerability by sending fragmented packets through the affected system. To trigger the vulnerability, the attacker could cause a signature with the produce-verbose-alert action to fire, or trigger an event for which produce-verbose-alert has been configured as an event action override. An exploit could allow the attacker to cause the Analysis Engine process to become unresponsive. This will cause the affected system to stop inspecting traffic.

The vulnerability can be triggered by IP version 4 (IPv4) and IP version 6 (IPv6) fragmented packets passing through the affected system. Traffic directed to the management IP address of the Cisco IPS will not trigger this vulnerability.

This vulnerability is documented in Cisco bug ID CSCui91266 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2014-0718.


Cisco IPS Control-Plane MainApp Denial of Service Vulnerability

A vulnerability in the implementation of the control-plane access list of the Cisco IPS Software could allow an unauthenticated, remote attacker to cause the MainApp process to become unresponsive.

The vulnerability is due to a failure to properly handle malformed TCP packets sent to the management IP address of the affected system. An attacker could exploit this vulnerability by sending crafted TCP packets to TCP port 7000 of the IP address of the management interface. An exploit could allow the attacker to make the MainApp process unresponsive. This creates a denial of service (DoS) condition because the Cisco IPS sensor is not able to execute several critical tasks including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive. Additionally, due to this general system failure, other processes such as the Analysis Engine may not work properly.

The vulnerability can be triggered only by TCP traffic directed to TCP port 7000 of the IP address of the management interface. Traffic passing through the sensing interfaces will not trigger this vulnerability. If the Cisco IPS is configured in promiscuous mode, mitigation actions that require MainApp processing such as shun or rate-limit may be unavailable. If the Cisco IPS is configured in inline mode, the sensor may not correctly perform inspection and mitigation actions because the Analysis Engine process may not work properly.

This vulnerability affects only Cisco IPS Software running on the hardware and software modules for the Cisco ASA 5500 Series and Cisco ASA 5500-X Series.

This vulnerability is documented in Cisco bug ID CSCui67394 (registered customers only) and has been assigned CVE ID CVE-2014-0719.

Cisco IPS Jumbo Frame Denial of Service Vulnerability

A vulnerability in Cisco IPS code that handles jumbo frames could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive.

The vulnerability is due to improper handling of jumbo frames sent at a high rate. An attacker could exploit this vulnerability by sending jumbo frames through the sensing interface of the affected device. An exploit could allow the attacker to cause the Analysis Engine process to become unresponsive. This will cause the affected system to stop inspecting traffic.

The vulnerability can be triggered by IPv4 and IPv6 based jumbo frames passing through the affected system. Traffic directed to the management IP address of the Cisco IPS will not trigger this vulnerability.

This vulnerability is documented in Cisco bug ID CSCuh94944 (registered customers only) and has been assigned CVE ID CVE-2014-0720.

Vulnerability Scoring Details

Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:

http://intellishield.cisco.com/security/alertmanager/cvss


CSCui91266 - Cisco IPS Analysis Engine Denial of Service Vulnerability

CVSS Base Score - 7.1

  Access Vector           Network
  Access Complexity       Medium
  Authentication          None
  Confidentiality Impact  None
  Integrity Impact        None
  Availability Impact     Complete

CVSS Temporal Score - 5.9

  Exploitability          Functional
  Remediation Level       Official-Fix
  Report Confidence       Confirmed

CSCui67394 - Cisco IPS Control-Plane MainApp Denial of Service Vulnerability

CVSS Base Score - 7.8

  Access Vector           Network
  Access Complexity       Low
  Authentication          None
  Confidentiality Impact  None
  Integrity Impact        None
  Availability Impact     Complete

CVSS Temporal Score - 6.8

  Exploitability          High
  Remediation Level       Official-Fix
  Report Confidence       Confirmed

CSCuh94944 - Cisco IPS Jumbo Frame Denial of Service Vulnerability

CVSS Base Score - 7.1

  Access Vector           Network
  Access Complexity       Medium
  Authentication          None
  Confidentiality Impact  None
  Integrity Impact        None
  Availability Impact     Complete

CVSS Temporal Score - 5.9

  Exploitability          Functional
  Remediation Level       Official-Fix
  Report Confidence       Confirmed


Impact

Successful exploitation of the Cisco IPS Analysis Engine Denial of Service Vulnerability and the Cisco IPS Jumbo Frame Denial of Service Vulnerability may cause the Analysis Engine process to become unresponsive. When this occurs, the Cisco IPS will stop inspecting traffic.

Successful exploitation of the Cisco IPS Control-Plane MainApp Denial of Service Vulnerability may cause the MainApp process to become unresponsive and prevent it from executing several tasks including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive, and other processes such as the Analysis Engine process may not work properly.

If the Cisco IPS is configured in promiscuous mode, mitigation actions that require MainApp processing, such as shun or rate-limit, may be unavailable. If the Cisco IPS is configured in inline mode, the sensor may not correctly perform inspection and mitigation actions because the Analysis Engine process may not work properly. A reload is required to restore the full functionality of the affected system.

Additionally, if the Cisco ASA with a Cisco IPS module running an affected version of software is configured in High Availability (HA) mode, a fail-over event may be triggered when the MainApp becomes unresponsive.

Software Versions and Fixes

When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

The following table summarizes the first fixed release for each vulnerability and for each major release version. The last entry gives the recommended releases that resolve all the vulnerabilities in this security advisory.

Cisco IPS Analysis Engine Denial of Service Vulnerability - CSCui91266
  • 6.x: Not Affected
  • 7.0: Not Affected
  • 7.1: 7.1(8)E4 [1]
  • 7.2: 7.2(2)E4
  • 7.3: Not Affected

Cisco IPS Control-Plane MainApp Denial of Service Vulnerability - CSCui67394
  • 6.x: Affected, move to 7.1 or later [2]
  • 7.0: Affected, move to 7.1 or later
  • 7.1: 7.1(8p2)E4
  • 7.2: 7.2(2)E4
  • 7.3: Not Affected

Cisco IPS Jumbo Frame Denial of Service Vulnerability - CSCuh94944
  • 6.x: Not Affected
  • 7.0: Not Affected
  • 7.1: 7.1(8)E4
  • 7.2: 7.2(2)E4
  • 7.3: Not Affected

Recommended Release
  • 6.x: Affected, move to 7.1 or later
  • 7.0: Affected, move to 7.1 or later
  • 7.1: 7.1(8p2)E4 or later
  • 7.2: 7.2(2)E4 or later
  • 7.3: Not Affected

[1] This vulnerability does not affect Cisco IPS Software versions prior to 7.1(4)E4.
[2] The Cisco ASA 5505 Advanced Inspection and Prevention Security Services Card (AIP SSC) supports only Cisco IPS Software version 6.2 and prior. The AIP SSC for Cisco ASA 5505 has reached the End of Software Maintenance Releases milestone.

Workarounds

To work around the Cisco IPS Analysis Engine Denial of Service Vulnerability, an administrator can disable the produce-verbose-alert action.

Use the show configuration command to determine which signatures have the produce-verbose-alert option enabled or whether the produce-verbose-alert option is enabled as an EAO.

If the produce-verbose-alert has been configured at the signature level, the value can be modified by entering the signature configuration prompt and modifying the event action for each signature that needs modification to use produce-alert instead of the produce-verbose-alert action. The following example shows the procedure to change the event action from produce-verbose-alert to produce-alert for signature 1475/0:

sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 1475 0
sensor(config-sig-sig)# engine string-tcp
sensor(config-sig-sig-str)# event-action produce-alert
sensor(config-sig-sig-str)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]: yes
sensor(config)#

Alternatively, an administrator can use the Cisco Intrusion Prevention System Device Manager (IDM) to connect to the Cisco IPS and navigate to Configuration > Policies > Signature Definitions > -Sig-Definition-Name- > Active Signatures and filter by using Filter: Action Produce Verbose Alert in order to identify any active signatures with the produce-verbose-alert option enabled.

For each of the signatures, right-click and choose Edit Action. From the panel, uncheck the Produce Verbose Alert check box, click OK, and apply the changes.

If the produce-verbose-alert action is enabled as an EAO, it can be disabled by modifying the settings of the event action rules policy.

The following example shows how to disable the override with produce-verbose-alert configured in the rules0 event action rules policy:

sensor(config)# service event-action-rules rules0
sensor(config-eve)# no overrides produce-verbose-alert
sensor(config-eve)# exit
Apply Changes?[yes]: yes
sensor(config)# 


There is no workaround for the Cisco IPS Control-Plane MainApp Denial of Service Vulnerability; however, restricting the number of allowed hosts may reduce the exposure to this vulnerability.

To restrict the number of allowed hosts, the administrator should use the access-list command. The no access-list command should be used to remove any hosts or networks from the list.
The following example shows the sequence of commands to remove access to the full 192.168.1.0/24 network and allow access only to the host with IP address 192.168.1.1:
  • Use the show settings command in network-setting configuration mode to see the current allowed hosts or networks. The following example shows that the Cisco IDSM-2 is configured to allow all the hosts in the 192.168.1.0/24 network:
sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
[...]
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 192.168.1.0/24
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   [...]
  • Use the access-list command in network-setting configuration mode to add the 192.168.1.1 host.
Note: make sure that if this is the only allowed host, it is also the one from which you are executing the configuration commands to avoid losing connectivity to the Cisco IDSM-2 Module.
sensor(config-hos-net)#access-list 192.168.1.1/32
  • Use the no access-list command in network-setting configuration mode to remove the 192.168.1.0/24 network from the allowed hosts list:
sensor(config-hos-net)#no access-list 192.168.1.0/24
  • Use the show settings command in network-setting configuration mode to check that the list of allowed hosts is correct:
sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
[...]
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 192.168.1.1/32
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   [...]
  • Exit and apply the configuration:
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:

There is no workaround for the Cisco IPS Jumbo Frame Denial of Service Vulnerability.


Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory: http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=32605

Obtaining Fixed Software

Cisco has released free software updates that address the vulnerabilities described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html.

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Navigator on Cisco.com at http://www.cisco.com/cisco/software/navigator.html.

Customers Using Third-Party Support Organizations

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):

  • +1 800 553 2447 (toll free from within North America)
  • +1 408 526 7209 (toll call from anywhere in the world)
  • e-mail: tac@cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

The Cisco IPS Analysis Engine Denial of Service Vulnerability and the Cisco IPS Control-Plane MainApp Denial of Service Vulnerability were found during the resolution of customer service requests. The Cisco IPS Jumbo Frame Denial of Service Vulnerability was found during internal testing.

Status of This Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This advisory is posted on Cisco Security at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140219-ips

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:

  • cust-security-announce@cisco.com
  • first-bulletins@lists.first.org
  • bugtraq@securityfocus.com
  • vulnwatch@vulnwatch.org
  • cisco@spot.colorado.edu
  • cisco-nsp@puck.nether.net
  • full-disclosure@lists.grok.org.uk

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.


Revision History

Revision 1.0 2014-February-19 Initial public release

Cisco Security Procedures

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.
