The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
IOS FTP Server Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
The Cisco IOS FTP Server feature contains multiple vulnerabilities that
can result in a denial of service (DoS) condition, improper verification
of user credentials, and the ability to retrieve or write any file from
the device filesystem, including the device's saved configuration. This
configuration file may include passwords or other sensitive information.
The IOS FTP Server is an optional service that is disabled by default.
Devices that are not specifically configured to enable the IOS FTP Server
service are unaffected by these vulnerabilities.
This vulnerability does not apply to the IOS FTP Client feature.
DETAILS
Affected Products:
Vulnerable Products
Cisco devices running IOS and configured for FTP server functionality are
affected by these issues.
IOS versions based on 11.3, 12.0, 12.1, 12.2, 12.3 and 12.4 contain the
IOS FTP server feature. The IOS FTP server feature was removed via
CSCsg16908.
Only certain IOS releases based on the above IOS trains contain the IOS
FTP server feature. For a device running Cisco IOS to be vulnerable, the
following command must be present in the device configuration:
ftp-server enable
Products Confirmed Not Vulnerable
Cisco devices that do not run IOS are not affected.
Cisco IOS devices that do not have the FTP server feature enabled are not
affected.
Cisco IOS XR is not affected.
No other Cisco devices are known to be affected.
Details:
Multiple vulnerabilities exist in the IOS FTP Server feature. These
vulnerabilities are documented with the following Cisco bug IDs:
* CSCek55259 - Improper authorization checking in IOS FTP server
* CSCse29244 - IOS reload when transferring files via FTP
Due to these issues with the IOS FTP server, the feature is being removed.
Cisco is considering adding fully featured and secure FTP server
functionality at a later date.
The IOS FTP Server feature removal is addressed with Cisco bug ID
CSCsg16908.
Impact:
Successful exploitation of these vulnerabilities may allow unauthorized,
remote users to access the filesystem on the IOS device, cause the
affected device to reload, or execute arbitrary code.
Unauthorized users could retrieve the device's startup-config file from
the filesystem. This file may contain information that could allow the
attacker to gain escalated privileges.
Repeated exploitation of the vulnerabilities could lead to an extended
Denial of Service (DoS).
Workarounds:
Customers can disable the use of the IOS FTP Server feature by executing
the following command in configuration mode:
no ftp-server enable
Additional mitigations that can be deployed on Cisco devices within the
network are available in the Cisco Applied Intelligence companion document
for this advisory:
<http://www.cisco.com/warp/public/707/cisco-air-20070509-iosftp.shtml>
http://www.cisco.com/warp/public/707/cisco-air-20070509-iosftp.shtml
Alternative File Transfer Mechanisms
Cisco IOS supports multiple methods for transferring files to and from the
device. One such method is Secure Copy (SCP). SCP is supported on Cisco
IOS images that support strong cryptography. More information on the SCP
feature can be found at the following url:
<http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804831d0.html>
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804831d0.html
Another alternative is using the Trivial File Transfer Protocol (TFTP)
server in IOS. Information on configuring the TFTP server can be found
here:
<http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca738.html#wp1000912>
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca738.html#wp1000912
If disabling the IOS FTP Server is not feasible, customers can limit FTP
access to the device via one of the following mechanisms:
Infrastructure ACLs (iACL)
Although it is often difficult to block traffic transiting your network,
it is possible to identify traffic which should never be allowed to target
your infrastructure devices and block that traffic at the border of your
network. Infrastructure ACLs are considered a network security best
practice and should be considered as a long-term addition to good network
security as well as a workaround for this specific vulnerability. The ACL
example shown below should be included as part of the deployed
infrastructure access-list which will protect all devices with IP
addresses in the infrastructure IP address range.
A sample access list for devices running Cisco IOS is below:
!--- Permit FTP services from trusted hosts destined
!--- to infrastructure addresses.
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES
MASK eq 21
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES
MASK eq 20
!--- Deny FTP packets from all other sources destined to
infrastructure addresses.
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 21
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 20
!--- Permit all other traffic to transit the device.
access-list 150 permit IP any any
interface serial 2/0
ip access-group 150 in
The white paper entitled "Protecting Your Core: Infrastructure Protection
Access Control Lists" presents guidelines and recommended deployment
techniques for infrastructure protection access lists. This white paper
can be obtained here: <http://www.cisco.com/warp/public/707/iacl.html>
http://www.cisco.com/warp/public/707/iacl.html.
Receive ACLs (rACL)
For distributed platforms, Receive ACLs may be an option starting in Cisco
IOS Software Versions 12.0(21)S2 for the 12000 (GSR), 12.0(24)S for the
7500, and 12.0(31)S for the 10720. The Receive ACL protects the device
from harmful traffic before the traffic can impact the route processor.
Receive ACLs are designed to only protect the device on which it is
configured. On the 12000, transit traffic is never affected by a receive
ACL. Because of this, the destination IP address "any" used in the example
ACL entries below only refer to the router's own physical or virtual IP
addresses. On the 7500 and 10720, transit traffic with IP options set will
be subject to the Receive ACL and permitted or denied accordingly. Receive
ACLs are considered a network security best practice, and should be
considered as a long-term addition to good network security, as well as a
workaround for this specific vulnerability. The white paper entitled "GSR:
Receive Access Control Lists" will help you identify and allow legitimate
traffic to your device and deny all unwanted packets:
http://www.cisco.com/warp/public/707/racl.html.
The following is the receive path ACL written to permit this type of
traffic from trusted hosts:
!--- Permit FTP from trusted hosts allowed to the RP.
access-list 151 permit tcp TRUSTED_ADDRESSES MASK any eq 21
access-list 151 permit tcp TRUSTED_ADDRESSES MASK any eq 20
!--- Deny FTP from all other sources to the RP.
access-list 151 deny tcp any any eq 21
access-list 151 deny tcp any any eq 20
!--- Permit all other traffic to the RP.
!--- according to security policy and configurations.
access-list 151 permit ip any any
!--- Apply this access list to the 'receive' path.
ip receive access-list 151
Control Plane Policing (CoPP)
The Control Plane Policing (CoPP) feature may be used to mitigate these
vulnerabilities. In the following example, only FTP traffic from trusted
hosts and with 'receive' destination IP addresses is permitted to reach
the route processor (RP).
It should be noted that dropping traffic from unknown or untrusted IP
addresses may affect hosts with dynamically assigned IP addresses from
connecting to the Cisco IOS device.
access-list 152 deny tcp TRUSTED_ADDRESSES MASK any eq 21
access-list 152 deny tcp TRUSTED_ADDRESSES MASK any eq 20
access-list 152 permit tcp any any eq 20
access-list 152 permit tcp any any eq 21
access-list 152 deny ip any any
!
class-map match-all COPP-KNOWN-UNDESIRABLE
match access-group 152
!
!
policy-map COPP-INPUT-POLICY
class COPP-KNOWN-UNDESIRABLE
drop
!
control-plane
service-policy input COPP-INPUT-POLICY
In the above CoPP example, the ACL entries that match the exploit packets
with the "permit" action result in these packets being discarded by the
policy-map "drop" function, while packets that match the "deny" action are
not affected by the policy-map drop function.
CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T,
12.4, and 12.4T.
Additional information on the configuration and use of the CoPP feature
can be found at the following URL:
<http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml>
http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml
ADDITIONAL INFORMATION
The information has been provided by <mailto:psirt@cisco.com> Cisco
Systems Product Security Incident Response Team.
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml>
http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
