 |
News Item |
0 |
|
|
Summary
A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device.
Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.
There are workarounds available for this vulnerability, as detailed in the Workarounds section below.
Credit:
The information has been provided by Cisco Systems Product Security Incident Response Team.
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml
Vulnerable Products:
This security advisory applies to all Cisco products that run Cisco IOS Software versions 11.0 through 12.4 configured for DLSw.
A system which contains the DLSw feature, but does not have it enabled, is not affected.
A router which is configured for DLSw will have a line in the configurations defining a local DLSw peer.
This definition can be seen by issuing the command show running-config and looking for lines similar to the following:
dlsw local-peer peer-id
To determine if DLSw is enabled on your Cisco IOS device, it is also possible to issue the show dlsw statistics command while in enable mode and look for output similar to:
Router#show dlsw statistics
DLSw+ Control Queue Statistics:
SNA Control Queue (count/max/dropped): (0/0/0)
Netbios Control Queue (count/max/dropped): (0/0/0)
Other Control Queue (count/max/dropped): (0/100/0)
Critical Control Queue (count/max): (0/0)
DLSw+ Border Peer Caching Statistics:
0 Border Peer Frames processed
0 Border frames found Local
0 Border frames found Remote
0 Border frames found Group Cache
A device which is not configured for DLSw will simply return to a command prompt with no output.
A device which does not support the DLSw feature will return output similar to:
Router#show dlsw statistics
^
% Invalid input detected at '^' marker.
Any version of Cisco IOS prior to the versions which will be listed in the Software Versions and Fixes section below may be vulnerable.
To determine the version of Cisco IOS software running on a Cisco product, log in to the device and issue the show version command to display the system banner.
Cisco IOS Software will identify itself as "Internetwork Operating System Software" or simply "IOS". On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name.
Other Cisco devices will not have the show version command or will give different output.
The following example identifies a Cisco product running IOS release 12.3(6) with an installed image name of C3640-I-M:
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-I-M), Version 12.3(6), RELEASE SOFTWARE (fc3)
The next example shows a product running IOS release 12.3(11)T3 with an image name of C3845-ADVIPSERVICESK9-M:
Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.3(11)T3,
RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Additional information about Cisco IOS release naming can be found at http://www.cisco.com/warp/public/620/1.html.
No other Cisco products are currently known to be affected by the vulnerability addressed in this advisory.
Details:
Data-link switching (DLSw) provides a means of transporting IBM Systems Network Architecture (SNA) and network basic input/output system (NetBIOS) traffic over an IP network.
Establishing DLSw communications involves several operational stages.
1.
In phase one, DLSw peers establish two TCP connections with each other via TCP ports 2065 or 2067.
Those TCP connections provide the foundation for the DLSw communication.
2. After a connection is established, the DLSw partners exchange a list of supported capabilities in phase two.
This helps to ensure that the peers use the same options. This is particularly vital when the DLSw partners are manufactured by different vendors.
3.
Next, the DLSw partners establish circuits between SNA or NetBIOS end systems, and information frames can flow over the circuit.
A vulnerability exists in certain Cisco IOS software releases when configured for DLSw.
After the connection is established, it is possible for a reload to occur should the device receive an invalid option during the capabilities exchange.
This vulnerability is documented in Cisco Bug ID CSCsf28840 ( registered customers only) .
Impact:
Successful exploitation of the vulnerability may result in a reload of the device.
Workarounds:
The effectiveness of any mitigation or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission.
Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied mitigation or fix is the most appropriate for use in the intended network before it is deployed.
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-air-20070110-dlsw.shtml
Configure Explicitly Defined DLSw Peers
If DLSw is configured with no remote peers defined, then it must be operating in promiscuous mode on one end of the connection.
Promiscuous mode could allow for any device to attempt to establish a DLSw peer with the router.
To prevent malicious connections, DLSw peers may be explicitly defined with the dlsw remote-peer command removing the need for promiscuous mode.
|
|
»
full story @ source-link: ace
|
| Related Articles: |
»
Xpression News 1.0.1 (archives.php) Remote File Disclosure Exploit
»
S-Gastebuch <= 1.5.3 (gb_pfad) Remote File Include Exploit
»
PHP-Nuke Module Emporium <= 2.3.0 Remote SQL Injection Exploit
»
SendStudio <= 2004.14 (ROOTDIR) Remote File Inclusion Vulnerability
|
|
|
