AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N/E:F/RL:O/RC:C
-
Cisco Catalyst 6000, 6500 series and Cisco 7600 series systems that have a Network Analysis Module (NAM) installed are vulnerable to an attack that could allow an attacker to gain complete control of the system. Only Cisco Catalyst systems that have a NAM on them are affected. This vulnerability affects systems that run Internetwork Operating System (IOS) or Catalyst Operating System (CatOS).
Cisco has made free software available to address this vulnerability for affected customers.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070228-nam.
-
Vulnerable Products
Catalyst 6000, 6500 series and Cisco 7600 series that have a NAM installed in them are affected. A system that has a NAM can be identified by the show module command. A NAM will be seen as WS-SVC-NAM-1, WS-SVC-NAM-2 or WS-X6380-NAM in this output.
This vulnerability affects systems that run IOS or CatOS.
A sample output for a system that has a NAM-2 on it is provided below:
Cat6k#show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1     2 Catalyst 6000 supervisor 2 (Active)    WS-X6K-SUP2-2GE    SAL06417E23
  3    48 48 port 10/100 mb RJ-45 ethernet       WS-X6248-RJ-45     SAD050108R4
  5     8 8 port 1000mb ethernet                 WS-X6408-GBIC      SAD041300CL
  6     8 Network Analysis Module                WS-SVC-NAM-2       SAD093002AM
Products Confirmed Not Vulnerable
No other Cisco products are known to be affected by this vulnerability.
-
NAMs are deployed in Catalyst 6000, 6500 series and Cisco 7600 series to monitor and analyze network traffic by using Remote Monitoring (RMON), RMON2, and other MIBs. More information about NAMs can be found at the following URL:
NAMs communicate with the Catalyst system by using the Simple Network Management Protocol (SNMP). By spoofing the SNMP communication between the Catalyst system and the NAM, an attacker may obtain complete control of the Catalyst system.
Devices running both Cisco IOS and Cisco CatOS are affected by this vulnerability. This vulnerability is introduced in CatOS at 7.6(15) and 8.5(1). Older CatOS images are not vulnerable.
This issue is documented in bug IDs CSCsd75273 (registered customers only) and CSCse52951 (registered customers only) for IOS, and CSCse39848 (registered customers only) for CatOS.
Vulnerability Scoring Details
Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability.
CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.
Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at https://sec.cloudapps.cisco.com/security/center/cvssCalculator.x
CSCsd75273 - Cat6k NAM vulnerability (registered customers only)
CVSS Base Score - 10
  Access Vector: Remote
  Access Complexity: Low
  Authentication: Not Required
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete
  Impact Bias: Normal
CVSS Temporal Score - 8.3
  Exploitability: Functional
  Remediation Level: Official Fix
  Report Confidence: Confirmed
CSCse52951 - Cat6k NAM vulnerability, additional protection (registered customers only)
CVSS Base Score - 10
  Access Vector: Remote
  Access Complexity: Low
  Authentication: Not Required
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete
  Impact Bias: Normal
CVSS Temporal Score - 8.3
  Exploitability: Functional
  Remediation Level: Official Fix
  Report Confidence: Confirmed
CSCse39848 - Cat6k NAM vulnerability in CatOS (registered customers only)
CVSS Base Score - 10
  Access Vector: Remote
  Access Complexity: Low
  Authentication: Not Required
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete
  Impact Bias: Normal
CVSS Temporal Score - 8.3
  Exploitability: Functional
  Remediation Level: Official Fix
  Report Confidence: Confirmed
-
No workarounds exist for this vulnerability.
This vulnerability requires an attacker to spoof SNMP packets from the IP address of the NAM. Filtering SNMP traffic to an affected device can be used as a mitigation. Filtering SNMP traffic needs to be done on systems that are deployed in front of an affected device, since it is ineffective to filter against such spoofed packets on the device itself.
Anti-spoofing measures and infrastructure access-lists can also be deployed at your network edge as a potential mitigation technique. Refer to http://www.cisco.com/warp/public/707/iacl.html for examples on how to apply ACLs on Cisco routers for infrastructure protection.
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20070228-nam
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).
For more information on the terms "Rebuild" and "Maintenance," consult the following URL: http://www.cisco.com/warp/public/620/1.html.
Major Release                  Availability of Repaired Releases
Affected 12.1-Based Release    Rebuild / Maintenance
12.1E                          12.1(26)E8, 12.1(27b)E1
12.1EX                         12.1(12c)EX, 12.1(13)EX
Affected 12.2-Based Release    Rebuild / Maintenance
12.2EU                         Vulnerable; migrate to 12.2(25)EWA7 or later
12.2EW                         Vulnerable; migrate to 12.2(25)EWA7 or later
12.2EWA                        12.2(25)EWA7
12.2IXA                        Vulnerable; migrate to 12.2(18)IXB2 or later
12.2IXB                        12.2(18)IXB2
12.2S                          12.2(14)S3, 12.2(18)S5, 12.2(20)S
12.2SG                         12.2(25)SG1
12.2SGA                        12.2(31)SGA1
12.2SRA                        12.2(33)SRA2
12.2SX                         Vulnerable; migrate to 12.2(18)SXD7a or later
12.2SXA                        Vulnerable; migrate to 12.2(18)SXD7a or later
12.2SXB                        Vulnerable; migrate to 12.2(18)SXD7a or later
12.2SXD                        12.2(18)SXD7a
12.2SXE                        12.2(18)SXE6a
12.2SXF                        12.2(18)SXF5
12.2SY                         Vulnerable; migrate to 12.2(18)SXD7a or later
12.2ZA                         Vulnerable; migrate to 12.2(18)SXD7a or later
12.2ZU                         12.2(18)ZU1
CatOS Release              Availability of Fixed Releases
                           Interim           Maintenance
5.x                        Not vulnerable
6.x                        Not vulnerable
7.6(1) through 7.6(14)     Not vulnerable
7.6(15) through 7.6(19)    7.6(19.2)         7.6(20) Available 2007-Mar-21
8.5(1) through 8.5(5)      8.5(5.3)          8.5(6)
8.6(x)                     Not vulnerable
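The two checks this advisory describes, NAM presence in show module output and the CatOS release ranges in the table above, combined into a triage script. This is an added example, not Cisco's code. Assumptions: all function names are hypothetical, interim builds between the last listed vulnerable release and the first fixed interim are treated as vulnerable, trains absent from the table are reported as "not listed", and IOS trains are not handled.

```python
import re

# Model strings the advisory lists as identifying a NAM in "show module" output.
NAM_MODELS = {"WS-SVC-NAM-1", "WS-SVC-NAM-2", "WS-X6380-NAM"}

def find_nams(show_module_output):
    """Return (slot, model) for each module row whose model is a NAM."""
    hits = []
    for line in show_module_output.splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():  # module rows start with the slot
            hits += [(int(tokens[0]), t) for t in tokens if t in NAM_MODELS]
    return hits

def parse_catos(version):
    """'7.6(19.2)' -> (7, 6, 19, 2); a missing interim number counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)", version.strip())
    if not m:
        raise ValueError(f"unrecognised CatOS version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

# (first vulnerable, first fixed interim) per train, from the CatOS table.
CATOS_RANGES = {
    (7, 6): ((15, 0), (19, 2)),  # introduced 7.6(15), fixed 7.6(19.2)
    (8, 5): ((1, 0), (5, 3)),    # introduced 8.5(1), fixed 8.5(5.3)
}

def catos_status(version):
    """Classify a CatOS release string against the advisory's table."""
    major, minor, maint, interim = parse_catos(version)
    if major in (5, 6) or (major, minor) == (8, 6):
        return "not vulnerable"
    if (major, minor) not in CATOS_RANGES:
        return "not listed"  # assumption: anything outside the table needs manual review
    introduced, fixed = CATOS_RANGES[(major, minor)]
    if (maint, interim) < introduced:
        return "not vulnerable"
    return "vulnerable" if (maint, interim) < fixed else "fixed"

def exposed(show_module_output, catos_version):
    """True only when a NAM is installed and the CatOS release is vulnerable."""
    return bool(find_nams(show_module_output)) and catos_status(catos_version) == "vulnerable"

# Constructed input: two rows copied from the advisory's sample output.
SAMPLE = """\
1 2 Catalyst 6000 supervisor 2 (Active) WS-X6K-SUP2-2GE SAL06417E23
6 8 Network Analysis Module WS-SVC-NAM-2 SAD093002AM
"""
```

A chassis is flagged only when both conditions hold, matching the advisory's statement that only systems with a NAM installed are affected.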
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
This vulnerability was found internally.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.1
2007-March-15
Updated the availability date of CatOS release 7.6(20)
Revision 1.0
2007-February-28
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.