Summary

• The Cisco ONS15454 optical transport platform is vulnerable when IP packets, with the Type Of Service (TOS) bit set, are sent to the Timing Control Card (TCC) LAN interface. Cisco ONS software releases 3.1.0 to 3.2.0, both inclusive, are vulnerable.

  This vulnerability is documented as Cisco bug ID CSCdx48853.

  Cisco has released software updates that address these vulnerabilities.
  
  There are workarounds available to mitigate the effects of this vulnerability.
  
   This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020619-ons-tos.

Affected Products

• This section provides details on affected products.

  Vulnerable Products

  All Cisco ONS15454 hardware running Cisco ONS release 3.1.0 to 3.2.0, both inclusive, is affected by this vulnerability.

  To determine your software revision, view the help-about window on the CTC.

  Products Confirmed Not Vulnerable

  Hardware not affected includes the Cisco ONS15327 edge optical transport platform, Cisco ONS15540 extended service platform, ONS15800 series, ONS15200 series metro DWDM systems and the ONS15194 IP transport concentrator.

  No other Cisco products are currently known to be affected by these vulnerability.

Details

• When an IP packet with non-zero TOS bits in its header is received by the TCC on its LAN interface, this causes software versions 3.1.0 and later to reset the TCC. When the crafted packets are sent repeatedly, both TCCs reset leaving no active TCC in the platform.

  In order to exploit this vulnerability, an attacker must be able to establish an IP connection to the TCC's LAN interface.

  This vulnerability is documented as Cisco bug ID CSCdx48853 ( registered customers only).
  

Workarounds

• Restrict IP traffic to the gateway node(s) with a router configured to change the TOS to zero for all out-bound packets going to the TCC.

  Sample Cisco router configuration:

  class-map match-all MY_LAN
        match any 
        
  !--- Matches all packets
  
        !
        !
        policy-map SET_TOS
        class MY_LAN
        set ip dscp default 
  
        !--- Sets all packets to "00000000" (Best effort)
  
       
        !
        interface FastEthernet0/0
        service-policy output SET_TOS 
        
  !--- Modifies outbound packets
  
  

Fixed Software

• This vulnerability is fixed in Cisco ONS software release 3.2.1 and later.

  Cisco ONS software release 3.2.1 is the maintenance release fix version for this vulnerability. Cisco ONS software version 3.3.0 is currently available as an interim fix release for this vulnerability until Cisco ONS software version 3.2.1 is released at the end of July 2002.

  The procedure to upgrade to the fixed software version on the Cisco ONS 15454 is detailed at: http://www.cisco.com/univercd/cc/td/doc/product/ong/15400/r33docs/sftuprgd/index.htm.

  When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Exploitation and Public Announcements

• The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
  
  This vulnerability was reported to Cisco by Cisco customer.
  
  

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020619-ons-tos

Revision History

• Revision 1.0

  2002-Jun-19

  Initial public release.

  Show Less