Security Intelligence Operations
Cisco IOS Multiprotocol Label Switching Virtual Private Network Information Disclosure Issue
Security Issue Alert
Threat Type: IntelliShield: Security Issue Alert
IntelliShield ID: 16669
Version: 1
First Published: September 24, 2008 01:38 PM EDT
Last Published: September 24, 2008 01:38 PM EDT
Vector: Network
Authentication: None
Exploit: Functional
Port: Not Available
CVE: CVE-2008-3803
BugTraq ID: 31366
Urgency: Weakness
Credibility: Confirmed
Severity: Harassment
CVSS Base: 5.1 (CVSS Version 2)
CVSS Temporal: 4.2
Version Summary: Cisco IOS Software contains an issue that could expose restricted information from Multiprotocol Label Switching Virtual Private Network sessions to malicious users. Updated software is available.

Description
Cisco IOS Software contains an issue that could expose sensitive information to malicious users. The issue affects Cisco IOS devices that contain the updated software for Cisco bug ID CSCee83237. The devices must be configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite). The affected devices must also use Border Gateway Protocol (BGP) to communicate between Customer Edge (CE) and Provider Edge (PE) devices.
The issue exists due to an error when handling extended communities in MPLS VPN sessions. In this situation, an affected device may use a corrupted route target, which could allow traffic from one MPLS VPN session to leak to another MPLS VPN session.
Although this issue cannot be directly exploited by an attacker, Cisco has provided a CVSS score due to the potential importance of this issue.
Cisco has confirmed this issue and released updated software.

Patches/Software
Cisco has released a security advisory for Cisco bug ID CSCec12299 at the following link: cisco-sa-20080924-vpn. Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at tac@cisco.com.

Impact
This issue could expose sensitive information from MPLS VPN sessions to malicious users. Depending on the information that was leaked, the malicious user may be able to perform other malicious activity against the target device or network.

Safeguards
Administrators are advised to apply the appropriate updates.
Administrators may consider implementing a BGP route-map on affected devices to filter route target entries on inbound BGP sessions.
Administrators are advised to allow only trusted users to access VPN sessions on affected networks.
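One way to apply the route-map safeguard described above on a PE router, as an added illustration that is not part of Cisco's advisory: extended communities (which carry route targets) received from the CE are stripped on the inbound CE-PE session, so the PE attaches only the route target it exports itself. The AS numbers, VRF name, neighbor address and route target are assumed values, and the exact workaround in cisco-sa-20080924-vpn may differ.

```cisco
! Added illustration, not from the advisory. Assumed values: provider AS 65000,
! customer AS 65001, VRF CUST-A, CE neighbor 192.0.2.2, route target 65000:100.
!
! The VRF itself defines the only route target the PE should ever export
! or import for this customer.
ip vrf CUST-A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
! Expanded extended-community list matching every extended community
! (regular expression .*), used only to select what the route-map deletes.
ip extcommunity-list expanded ALL-EXTCOMM permit .*
!
! Inbound route-map for the CE-facing session: the route is accepted, but
! any extended community (route target included) the CE sent is removed,
! so a CE cannot influence which VRFs the route is imported into.
route-map CE-IN permit 10
 set extcomm-list ALL-EXTCOMM delete
!
router bgp 65000
 address-family ipv4 vrf CUST-A
  neighbor 192.0.2.2 remote-as 65001
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 route-map CE-IN in
 exit-address-family
```

After applying the change, `show ip bgp vpnv4 vrf CUST-A` on the PE should list CE-learned prefixes carrying only the route target configured under the VRF.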

Alert History
Initial Release

Product Sets
The security vulnerability applies to the following combinations of products.
LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.