Summary
Multiple vulnerabilities exist in the Cisco ONS 15327 Edge Optical Transport Platform, the Cisco ONS 15454 Optical Transport Platform, the Cisco ONS 15454 SDH Multiplexer Platform, and the Cisco ONS 15600 Multiservice Switching Platform.
These vulnerabilities are documented as Cisco bug IDs CSCec17308/CSCec19124 (tftp), CSCec17406 (port 1080), and CSCec66884/CSCec71157 (SU access). Workarounds are available to mitigate the effects of these vulnerabilities.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040219-ONS.
Affected Products
Vulnerable Products
- Cisco ONS 15327 Edge Optical Transport Platform.
- Cisco ONS 15454 Optical Transport Platform.
- Cisco ONS 15454 SDH Multiplexer Platform.
- Cisco ONS 15600 Multiservice Switching Platform.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
Details
The affected Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 hardware is managed through the XTC, TCC+/TCC2, TCCi/TCC2, and TSC control cards respectively. These control cards are usually connected to a management network that is isolated from the Internet and local to the customer's environment, which limits exposure to exploitation of these vulnerabilities from the Internet. It does not limit exposure to any host that can reach that management network, including a compromised management workstation, so the workarounds below are still worth applying on isolated networks.
CSCec17308/CSCec19124 (tftp)
The TFTP service on UDP port 69 is enabled by default and accepts both read (GET) and write (PUT) requests without any authentication. Using any standard TFTP client, it is possible to connect to the optical device and upload or retrieve ONS system files in the /flash0 or /flash1 directories on the currently active TCC. User data files cannot be uploaded or retrieved this way.
Cisco bug ID CSCec17308 documents the issue on the Cisco ONS 15327, ONS 15454 and ONS 15454 SDH, and Cisco bug ID CSCec19124 documents the issue on the Cisco ONS 15600 hardware.
CSCec17406 (port 1080)
The Cisco ONS 15327, ONS 15454 and ONS 15454 SDH hardware is susceptible to an ACK Denial of Service (DoS) attack on TCP port 1080, the port that network management applications use to communicate with the controller card. Under such an attack the controller card on the optical device resets.
In an ACK DoS attack the client completes the first two steps of the TCP three-way handshake (SYN, SYN/ACK) but never sends the final ACK; instead it sends a segment that is invalid for that point in the handshake, moving the connection into an invalid TCP state. A correct TCP implementation discards such a segment; on the affected controller cards it triggers a reset.
The Cisco ONS 15600 Multiservice Switching Platform is not affected by this vulnerability.
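The following is an added example, not part of the Cisco advisory, showing how the handshake pattern described above can be spotted in traffic from the management network. It tracks the server side of the three-way handshake per connection over a list of segment summaries and counts, per source address, segments that arrive in SYN-RECEIVED but are neither the expected final ACK, a retransmitted SYN, nor an RST. The tuple format, the 192.0.2.x/198.51.100.x addresses, the alert threshold and the sample capture are all constructed assumptions; a real deployment would feed it from a pcap decoder.

```python
"""Handshake-anomaly counter for the ACK DoS pattern (added example; not Cisco code)."""
from collections import defaultdict

LISTEN, SYN_RECEIVED, ESTABLISHED = "LISTEN", "SYN-RECEIVED", "ESTABLISHED"


def track_handshakes(segments, server_port=1080):
    """Consume (src, sport, dst, dport, flags, seq, ack) tuples in capture order.

    `flags` is a set of TCP flag letters (S, A, R, F, P). Returns (states, anomalies):
    states maps (client_ip, client_port, server_ip) to (state, server_isn);
    anomalies maps client_ip to the number of invalid segments seen in SYN-RECEIVED.
    """
    states = {}
    anomalies = defaultdict(int)
    for src, sport, dst, dport, flags, seq, ack in segments:
        if dport == server_port:                       # client -> server
            key = (src, sport, dst)
            state, server_isn = states.get(key, (LISTEN, None))
            if state == LISTEN and flags == {"S"}:
                states[key] = (SYN_RECEIVED, None)     # server will answer with SYN/ACK
            elif state == SYN_RECEIVED:
                if flags == {"S"}:
                    continue                           # SYN retransmit, harmless
                if "R" in flags:
                    states.pop(key)                    # legitimate abort of the handshake
                elif flags == {"A"} and server_isn is not None and ack == server_isn + 1:
                    states[key] = (ESTABLISHED, server_isn)
                else:
                    anomalies[src] += 1                # wrong flags or wrong ack for this state
        elif sport == server_port:                     # server -> client
            key = (dst, dport, src)
            state, _ = states.get(key, (LISTEN, None))
            if state == SYN_RECEIVED and flags == {"S", "A"}:
                states[key] = (SYN_RECEIVED, seq)      # remember the server ISN for the ack check
    return states, dict(anomalies)


def flag_sources(anomalies, threshold=10):
    """Sources with at least `threshold` invalid SYN-RECEIVED segments (assumed threshold)."""
    return sorted(src for src, count in anomalies.items() if count >= threshold)


def sample_segments():
    """Constructed capture: one clean management-station handshake, then twelve
    half-open connections from a second host that each answer the SYN/ACK with a
    FIN/ACK carrying a wrong acknowledgment number instead of the final ACK."""
    card, nms, attacker = "192.0.2.10", "192.0.2.5", "198.51.100.7"
    segs = [
        (nms, 40000, card, 1080, {"S"}, 1000, 0),
        (card, 1080, nms, 40000, {"S", "A"}, 5000, 1001),
        (nms, 40000, card, 1080, {"A"}, 1001, 5001),
    ]
    for i in range(12):
        port = 50000 + i
        segs += [
            (attacker, port, card, 1080, {"S"}, 1, 0),
            (card, 1080, attacker, port, {"S", "A"}, 9000 + i, 2),
            (attacker, port, card, 1080, {"F", "A"}, 2, 1),
        ]
    return segs


if __name__ == "__main__":
    final_states, per_source = track_handshakes(sample_segments())
    print("invalid SYN-RECEIVED segments per source:", per_source)
    print("flagged sources:", flag_sources(per_source))
```

The tracker deliberately treats RST and SYN retransmits as normal, since both occur on healthy management networks; only segments that no compliant client would send at that point in the handshake are counted.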
CSCec66884/CSCec71157 (SU access)
By default, Telnet access to the underlying VxWorks operating system is restricted to Superusers. Due to this vulnerability, a Superuser whose account has been locked out, disabled, or suspended can still log in to the VxWorks shell over Telnet using the previously configured password, so revoking the account does not revoke shell access until fixed software is installed.
Cisco bug ID CSCec66884 documents the issue on the Cisco ONS 15327, ONS 15454 and ONS 15454 SDH, and Cisco bug ID CSCec71157 documents the issue on the Cisco ONS 15600 hardware.
The Internetworking Terms and Cisco Systems Acronyms online guides can be found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/.
These vulnerabilities are documented in the Cisco Bug Toolkit (registered customers only) as Cisco bug IDs CSCec17308/CSCec19124 (tftp), CSCec17406 (port 1080), and CSCec66884/CSCec71157 (SU access). To access this tool, you must be a registered user and you must be logged in.
Impact
Mitigation workarounds are available for these vulnerabilities. The Cisco PSIRT recommends that affected users upgrade to a fixed software release.
Workarounds
CSCec17308/CSCec19124 (tftp)
Use access control lists on routers and firewalls installed in the network so that only valid network management workstations can reach UDP port 69 (TFTP) on the XTC, TCC+/TCC2, TCCi/TCC2, or TSC control cards.
CSCec17406 (port 1080)
Use access control lists on routers and firewalls installed in the network so that only valid network management workstations can reach TCP port 1080 on the XTC, TCC+/TCC2, TCCi/TCC2, or TSC control cards.
CSCec66884/CSCec71157 (SU access)
Use access control lists on routers and firewalls installed in the network so that only valid network management workstations can open Telnet sessions (TCP port 23) to the XTC, TCC+/TCC2, TCCi/TCC2, or TSC control cards. This limits where a Telnet session can originate; a locked-out Superuser connecting from a permitted management workstation can still log in, so the software upgrade is the only complete fix for this issue.
Refer to http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml for examples on how to apply access control lists (ACLs) on Cisco routers.
Software Versions and Fixes
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
CSCec17308/CSCec19124 (tftp)
Product             Fixed Releases
15327               4.1(3) and later
15454, 15454 SDH    4.6(1) and later, 4.1(3) and later
15600               1.3(0) and later, 1.1(0) and later

CSCec17406 (port 1080)
Product             Fixed Releases
15327               4.1(1) and later, 4.0(2) and later
15454, 15454 SDH    4.6(1) and later, 4.1(1) and later, 4.0(2) and later
15600               Not Affected

CSCec66884/CSCec71157 (SU access)
Product             Fixed Releases
15327               4.1(3) and later
15454, 15454 SDH    4.6(1) and later, 4.1(3) and later
15600               1.1(1), 5.0 and later (when available)
Cisco ONS Release 4.6(0) is not affected by these vulnerabilities. The recommended release to upgrade to is Cisco ONS release 4.6(1).
Upgrade procedures can be found as indicated below.
- The procedure to upgrade to the fixed software version on the Cisco ONS 15327 hardware is detailed at http://www.cisco.com/univercd/cc/td/doc/product/ong/15327/327doc41/index.htm.
- The procedure to upgrade to the fixed software version on the Cisco ONS 15454 hardware is detailed at http://www.cisco.com/univercd/cc/td/doc/product/ong/15400/r46docs/index.htm.
- The procedure to upgrade to the fixed software version on the Cisco ONS 15600 hardware is detailed at http://cisco.com/univercd/cc/td/doc/product/ong/15600/index.htm.
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
These vulnerabilities were found by Cisco during internal testing.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.