A number of Cisco vulnerabilities have recently been made more dangerous by the public release of proof-of-concept code, which can be utilized to exploit these vulnerabilities. Anyone using one of the many vulnerable products needs to take immediate steps to fix the vulnerabilities or confirm that the vulnerabilities have already been fixed or mitigated.
There are also two recently announced vulnerabilities that require attention, but no published exploits have been released for these flaws.
Older threats that now have public exploits
A number of exploits for known Cisco vulnerabilities have recently been published. Here is the list as taken from a Cisco Security Notice:
* Cisco 677/678 Telnet Buffer Overflow Vulnerability DoS
* Cisco IOS Router DoS Vulnerability, Cisco IOS HTTP Server
* Cisco IOS HTTP Auth Vulnerability
* Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability, IOS HTTP Authorization Vulnerability
* Cisco Catalyst SSH Protocol Mismatch DoS Vulnerability
* Cisco 675 Web Administration DoS Vulnerability (“Cisco is currently researching this vulnerability further. Mitigation methods have been available for some time such as setting the Web server to listen on a different port.”)
* Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
* Cisco IOS Software HTTP Request DoS Vulnerability
* Cisco 514 UDP Flood DoS Vulnerability, a vulnerability in the IOS Firewall feature set
* CiscoSecure ACS for Windows NT Server DoS Vulnerability
One of the new flaws to look out for is a Cisco Content Service Switch Management Port UDP remotely exploitable DoS vulnerability, which has been flagged by SecurityFocus. The relevant Cisco Security Bulletin contains more details.
The other new flaw is another DoS threat that comes in the form of a Cisco OpenSSL Vulnerability.
Applicability (new threats only)
Cisco Content Service Switch Management Port UDP
* Cisco CSS11000
* Cisco CSS11050
* Cisco CSS11150
* Cisco CSS11800
* Cisco CSS11100 (added in the Cisco Security Advisory revision)
OpenSSL vulnerability (taken from the Cisco Bulletin)
* Cisco IOS 12.2ZA
* Cisco IOS 12.2SY
* Cisco IOS 12.1E
* Cisco PIX Firewall
* Cisco Firewall Services Module for Cisco Catalyst 6500 Series and Cisco 7600 Series routers
* Cisco MDS 9000 Series Multilayer Switch
* Cisco Content Service Switch 11000 and 11500 series
* Cisco Global Site Selector 4480 and 4490
* Cisco Content Service Switch Secure Content Accelerator versions 1 and 2
* CiscoWorks Common Services 2.2 and CiscoWorks Common Management Foundation 2.1
* Cisco Access Registrar
* Cisco Call Manager
* Cisco Okena Stormwatch 3.2
* Cisco Application and Content Networking Software (ACNS)
* Cisco Threat Response
For the Cisco Content Service Switch Management Port UDP flaw, Cisco has made fixes available in the form of updates 05.0(04.07)S and later or 06.10(02.05)S and later. There are no workarounds.
For the OpenSSL flaw, some fixes are available now and some others have already been scheduled for release. The list is extensive and complicated (also subject to change); therefore, the best information available is found in the Cisco Bulletin. Here is a brief summary:
* Cisco IOS 12.2ZA—no fix date listed yet.
* Cisco IOS 12.2SY—patch available.
* Cisco IOS 12.1E—some fixed releases are scheduled.
* Cisco PIX Firewall—fixes available.
* Cisco Firewall Services Module for Cisco Catalyst 6500 Series and Cisco 7600 Series routers—fix available.
* Cisco MDS 9000 Series Multilayer Switch—no fix date scheduled.
* Cisco Content Service Switch 11000 and 11500 series—fix should be available by the time you read this.
* Cisco Global Site Selector 4480 and 4490—fix should be available by the time you read this.
* Cisco Content Service Switch Secure Content Accelerator versions 1 & 2—fix available.
* CiscoWorks Common Services 2.2 and CiscoWorks Common Management Foundation 2.1—no fix date listed yet.
* Cisco Access Registrar—fix available.
* Cisco Call Manager—fixes for some versions available, fix for version 4.0(2) not yet scheduled.
* Cisco Okena Stormwatch 3.2—no fix date listed yet.
* Cisco Application & Content Networking Software (ACNS)—fix available.
* Cisco Threat Response—no fix date listed yet.
All of the available fixes are updates to later versions. The workaround for this flaw is to disable the SSL Server.
For the older flaws that now have public exploits, administrators will need to take swift action to make sure their systems are protected. The new Cisco flaws can be addressed in the manner of your company’s standard process for handling security patches and updates.
Also watch for …
* Spim is the IM variant of spam and, according to a report from The Yankee Group as quoted in InformationWeek, message volume is expected to triple this year to nearly 1.2 billion messages. That’s a drop in the bucket compared to spam, but obviously it’s something you need to keep an eye on. Enterprise IM software blocks a lot of this, which is another incentive to install one and close down any of the “public” IM installations on your corporate network.
* Forrester Research is fueling the Microsoft vs. Linux/UNIX security debate with a recent study that had some surprising results, as described in TechWeb. The study itself was based on vulnerability reports from BugTraq, CERT, Bugzilla, and other public sources collected from June 1, 2002, to May 31, 2003. The metric used was “days-at-risk,” basically the time between disclosure and a fix, weighted by risk level and the number left unpatched. “During the year’s worth of vulnerabilities, Microsoft posted just 25 days at risk, while Red Hat and Debian tied for second, with 57 vulnerable days. MandrakeSoft’s Linux distribution came in dead last, with 82 at-risk days, more than triple Windows. Measuring each OS vendor’s thoroughness record, Forrester found that Microsoft again led the pack by patching all of the 128 severe problems discovered within Windows. Red Hat came in second at 99.6 percent (it let one vulnerability slip through the cracks), while Debian brought up the rear by fixing 96.2 percent of the high-rated vulnerabilities (Debian left 11 unpatched).”
Don’t bother flaming me. I’m just quoting Forrester’s research. Obviously there are other metrics to measure the security of operating systems. For example, if you simply counted the number of severe vulnerabilities, then Microsoft would have the most, by far. In part, the actual, real-world security level depends a lot on how quickly IT professionals can apply published patches. If Microsoft quickly published fixes but you didn’t apply them, your systems are insecure. On the other hand, Debian didn’t even offer fixes for some serious vulnerabilities, but they had fewer total, so if you don’t patch at all, then Debian was more secure during the time period measured.