AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
-
The Cisco ONS 15300 series Edge Optical Transport Platform, the Cisco ONS 15454 Optical Transport Platform, the Cisco ONS 15454 SDH Multiservice Platform, and the Cisco ONS 15600 Multiservice Switching Platform contain a vulnerability when processing TCP traffic streams that may result in a reload of the device control card.
Cisco has released software updates that address this vulnerability.
There are no workarounds that mitigate this vulnerability. Several mitigations exist that can limit the exposure of this vulnerability.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090114-ons.
-
Vulnerable Products
The following Cisco ONS products are vulnerable if running affected software versions:
- Cisco ONS 15310-CL and 15310-MA
- Cisco ONS 15327
- Cisco ONS 15454 and 15454 SDH
- Cisco ONS 15600
Consult the section "Software Versions and Fixes" within this advisory for affected software versions. To determine your software version, view the Help > About window in the CTC management software.
Products Confirmed Not Vulnerable
The following Cisco ONS products are confirmed not vulnerable:
- Cisco ONS 15800 Series
- Cisco ONS 15500 Series Extended Service Platform
- Cisco ONS 15302
- Cisco ONS 15305
- Cisco ONS 15200 Series Metro DWDM Systems
- Cisco ONS 15190 Series IP Transport Concentrator
No other Cisco products are currently known to be affected by this vulnerability.
-
The affected Cisco 15310-CL, 15310-MA, ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 hardware is managed through the CTX, CTX2500, XTC, TCC/TCC+/TCC2/TCC2P, TCCi/TCC2/TCC2P, and TSC control cards respectively. These control cards are usually connected to a Data Communications Network (DCN). In this context the term DCN is used to denote the network that transports management information between a management station and the network entity (NE). This definition of DCN is sometimes referred to as Management Communication Network (MCN). The DCN is usually physically or logically separated from the optical data network and isolated from the Internet. This limits the exposure to the exploitation of this vulnerability from the Internet.
A crafted stream of TCP traffic to the control cards on a node will result in a reset of the corresponding control cards on this node. A complete 3-way handshake is required on any open TCP port to be able to exploit this vulnerability.
The timing for the data channels traversing the switch is provided by the control cards.
When the active and standby Cisco ONS 15310-MA, ONS 15310-CL, ONS 15327, ONS 15454 or ONS 15454 SDH control cards reload at the same time, the synchronous data channels traversing the switch drop traffic until the cards come back online. Asynchronous data channels traversing the switch are not impacted. Manageability functions provided by the network element using the CTX, CTX2500, XTC or TCC/TCC+/TCC2/TCC2P control cards are not available until the control card comes back online.
On the Cisco ONS 15600 hardware, whenever both the active and standby control cards are rebooting at the same time, there is no impact to the data channels traversing the switch because the TSC performs a software reset which does not impact the timing being provided by the TSC for the data channels.
Manageability functions provided by the network element through the TSC control cards are not available until the control card comes back online.
This vulnerability is documented in Cisco bug ID CSCsr41128 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-3818.
-
There are no workarounds for this vulnerability. The following general mitigation actions help prevent remote exploitation:
- Isolate DCN:
  Ensuring the DCN is physically or logically separated from the customer network and isolated from the Internet will limit the exposure to the exploitation of this vulnerability from the Internet or customer networks.
- Apply Transit Access Control Lists:
  Apply access control lists (ACLs) on routers, switches and firewalls installed in front of the vulnerable network devices such that TCP/IP traffic destined for the CTX, CTX2500, XTC, TCC2/TCC2+/TCC2P, or TSC control cards on the ONS is allowed only from the network management workstations.
  For examples of how to apply ACLs on Cisco routers, refer to the white paper "Transit Access Control Lists: Filtering at Your Edge", which is available at the following link: http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml.
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20090114-ons.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Affected Major Release   Affected Releases                         First Fixed Release
6.x and earlier          Not Vulnerable.
7.0                      7.0.2, 7.0.4, 7.0.5                       7.0.7
7.2                      7.2.0, 7.2.2                              7.2.3
8.0                      Vulnerable; migrate to 8.5.3 or later.
8.5                      8.5.0, 8.5.1, 8.5.2                       8.5.3
9.0                      Not Vulnerable.
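The fix table answers the exposure question one node at a time. The following Python script is an added example (it is not Cisco tooling and is not part of the advisory) that encodes the same table so an inventory of ONS control-card release strings, as read from the CTC Help > About window, can be checked in bulk. Node names and versions in SAMPLE_INVENTORY are constructed, and release strings are assumed to follow the major.minor.maintenance form the table uses. Trains the table does not list are reported as unknown rather than assumed safe, and releases below a train's first fixed release that the table does not name are treated as affected.

```python
"""Check Cisco ONS release strings against the fix table in cisco-sa-20090114-ons.

Added example, not Cisco's tooling. Assumes release strings of the form
major.minor[.maintenance] (e.g. "7.0.5"); FIX_TABLE is transcribed from the
advisory's "Software Versions and Fixes" table.
"""
from dataclasses import dataclass
from typing import List, NamedTuple, Optional, Tuple

Release = Tuple[int, ...]


class Train(NamedTuple):
    affected: Optional[Tuple[str, ...]]  # None: whole train vulnerable, fix is off-train
    first_fixed: str


# Trains the advisory lists explicitly; 6.x-and-earlier and 9.0 are handled in assess().
FIX_TABLE = {
    (7, 0): Train(("7.0.2", "7.0.4", "7.0.5"), "7.0.7"),
    (7, 2): Train(("7.2.0", "7.2.2"), "7.2.3"),
    (8, 0): Train(None, "8.5.3"),
    (8, 5): Train(("8.5.0", "8.5.1", "8.5.2"), "8.5.3"),
}


@dataclass
class Assessment:
    version: str
    status: str                # "not_vulnerable" | "vulnerable" | "fixed" | "unknown"
    first_fixed: Optional[str]
    note: str


def parse_release(text: str) -> Release:
    """Turn "7.0.5" into (7, 0, 5); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised release string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(text: str) -> Assessment:
    """Classify one release string using the advisory's table, erring on the side of 'vulnerable'."""
    rel = parse_release(text)
    major = rel[0]
    minor = rel[1] if len(rel) > 1 else 0
    if major <= 6:
        return Assessment(text, "not_vulnerable", None, "6.x and earlier: not vulnerable")
    if (major, minor) == (9, 0):
        return Assessment(text, "not_vulnerable", None, "9.0: not vulnerable")
    train = FIX_TABLE.get((major, minor))
    if train is None:
        return Assessment(text, "unknown", None,
                          "release train not listed in the advisory; verify with Cisco")
    if train.affected is None:
        return Assessment(text, "vulnerable", train.first_fixed,
                          f"whole {major}.{minor} train vulnerable; migrate to {train.first_fixed} or later")
    # Tuple comparison gives the usual numeric ordering, so 7.0.8 >= 7.0.7 is fixed.
    if rel >= parse_release(train.first_fixed):
        return Assessment(text, "fixed", train.first_fixed, "at or above first fixed release")
    if text.strip() in train.affected:
        return Assessment(text, "vulnerable", train.first_fixed, "listed as affected")
    return Assessment(text, "vulnerable", train.first_fixed,
                      "below first fixed release; not named in the advisory but treat as affected")


def needs_upgrade(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (node, version, first_fixed) for every node that is vulnerable or of unknown status."""
    out = []
    for node, version in inventory:
        result = assess(version)
        if result.status in ("vulnerable", "unknown"):
            out.append((node, version, result.first_fixed))
    return out


# Constructed sample inventory: node names and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("ons15454-core-1", "7.0.5"),
    ("ons15454-core-2", "7.0.7"),
    ("ons15310-edge-1", "8.0.2"),
    ("ons15600-hub-1", "8.5.3"),
    ("ons15327-legacy-1", "6.2.0"),
]

if __name__ == "__main__":
    for node, version, fix in needs_upgrade(SAMPLE_INVENTORY):
        print(f"{node}: {version} -> upgrade to {fix or 'see Cisco'}")
```

Run against a real inventory, the script lists only the nodes that still need action together with the first fixed release for their train; nodes on the 8.0 train are reported with 8.5.3 as the target because the advisory gives no in-train fix.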
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
This vulnerability was found by reviewing Cisco TAC service requests.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.1   2009-January-16   Replaced software table.
Revision 1.0   2009-January-14   Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.