The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Cisco DLSw Vulnerability
------------------------------------------------------------------------
SUMMARY
A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco
IOS where an invalid value in a DLSw message could result in a reload of
the DLSw device. Successful exploitation of this vulnerability requires
that an attacker be able to establish a DLSw connection to the device.
There are workarounds available for this vulnerability, as detailed in the
Workarounds section below.
DETAILS
Vulnerable Products:
This security advisory applies to all Cisco products that run Cisco IOS
Software versions 11.0 through 12.4 configured for DLSw. A system which
contains the DLSw feature, but does not have it enabled, is not affected.
A router which is configured for DLSw will have a line in the
configurations defining a local DLSw peer. This definition can be seen by
issuing the command show running-config and looking for lines similar to
the following:
dlsw local-peer peer-id
To determine if DLSw is enabled on your Cisco IOS device, it is also
possible to issue the show dlsw statistics command while in enable mode
and look for output similar to:
Router#show dlsw statistics
DLSw+ Control Queue Statistics:
SNA Control Queue (count/max/dropped): (0/0/0)
Netbios Control Queue (count/max/dropped): (0/0/0)
Other Control Queue (count/max/dropped): (0/100/0)
Critical Control Queue (count/max): (0/0)
DLSw+ Border Peer Caching Statistics:
0 Border Peer Frames processed
0 Border frames found Local
0 Border frames found Remote
0 Border frames found Group Cache
A device which is not configured for DLSw will simply return to a command
prompt with no output.
A device which does not support the DLSw feature will return output
similar to:
Router#show dlsw statistics
^
% Invalid input detected at '^' marker.
Any version of Cisco IOS prior to the versions which will be listed in the
Software Versions and Fixes section below may be vulnerable.
To determine the version of Cisco IOS software running on a Cisco product,
log in to the device and issue the show version command to display the
system banner. Cisco IOS Software will identify itself as "Internetwork
Operating System Software" or simply "IOS". On the next line of output,
the image name will be displayed between parentheses, followed by
"Version" and the IOS release name. Other Cisco devices will not have the
show version command or will give different output.
The following example identifies a Cisco product running IOS release
12.3(6) with an installed image name of C3640-I-M:
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-I-M), Version 12.3(6), RELEASE SOFTWARE
(fc3)
The next example shows a product running IOS release 12.3(11)T3 with an
image name of C3845-ADVIPSERVICESK9-M:
Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version
12.3(11)T3,
RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Additional information about Cisco IOS release naming can be found at
<http://www.cisco.com/warp/public/620/1.html>
http://www.cisco.com/warp/public/620/1.html.
No other Cisco products are currently known to be affected by the
vulnerability addressed in this advisory.
Details:
Data-link switching (DLSw) provides a means of transporting IBM Systems
Network Architecture (SNA) and network basic input/output system (NetBIOS)
traffic over an IP network.
Establishing DLSw communications involves several operational stages.
1. In phase one, DLSw peers establish two TCP connections with each other
via TCP ports 2065 or 2067. Those TCP connections provide the foundation
for the DLSw communication.
2. After a connection is established, the DLSw partners exchange a list of
supported capabilities in phase two. This helps to ensure that the peers
use the same options. This is particularly vital when the DLSw partners
are manufactured by different vendors.
3. Next, the DLSw partners establish circuits between SNA or NetBIOS end
systems, and information frames can flow over the circuit.
A vulnerability exists in certain Cisco IOS software releases when
configured for DLSw. After the connection is established, it is possible
for a reload to occur should the device receive an invalid option during
the capabilities exchange.
This vulnerability is documented in Cisco Bug ID
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsf28840>
CSCsf28840 ( registered customers only) .
Impact:
Successful exploitation of the vulnerability may result in a reload of the
device.
Workarounds:
The effectiveness of any mitigation or fix is dependent on specific
customer situations such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied mitigation or fix
is the most appropriate for use in the intended network before it is
deployed.
Additional mitigations that can be deployed on Cisco devices within the
network are available in the Cisco Applied Intelligence companion document
for this advisory:
<http://www.cisco.com/warp/public/707/cisco-air-20070110-dlsw.shtml>
http://www.cisco.com/warp/public/707/cisco-air-20070110-dlsw.shtml
Configure Explicitly Defined DLSw Peers
If DLSw is configured with no remote peers defined, then it must be
operating in promiscuous mode on one end of the connection. Promiscuous
mode could allow for any device to attempt to establish a DLSw peer with
the router. To prevent malicious connections, DLSw peers may be explicitly
defined with the dlsw remote-peer command removing the need for
promiscuous mode.
ADDITIONAL INFORMATION
The information has been provided by <mailto:psirt@cisco.com> Cisco
Systems Product Security Incident Response Team.
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml>
http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
