AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C
-
Cisco Intrusion Prevention System (IPS) Software is affected by the following vulnerabilities:
- Cisco IPS Analysis Engine Denial of Service Vulnerability
- Cisco IPS Control-Plane MainApp Denial of Service Vulnerability
- Cisco IPS Jumbo Frame Denial of Service Vulnerability
The Cisco IPS Control-Plane MainApp Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the MainApp process to become unresponsive and prevent it from executing several tasks including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive, and other processes such as the Analysis Engine process may not work properly.
Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate some of the vulnerabilities are available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140219-ips
-
Vulnerable Products
Cisco IPS Analysis Engine Denial of Service Vulnerability
The following products are affected by the Cisco IPS Analysis Engine Denial of Service Vulnerability:
- Cisco ASA 5500-X Series IPS Security Services Processor (IPS SSP) software and hardware modules
- Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Module (AIP SSM)
- Cisco IPS 4200 Series Sensors
- Cisco IPS 4300 Series Sensors
- Cisco IPS 4500 Series Sensors
This vulnerability does not affect Cisco IPS Software releases prior to 7.1(4)E4.
This vulnerability affects only Cisco IPS Software configured with a signature with the produce-verbose-alert action enabled or systems on which an event action override (EAO) is configured to add this action.
To determine whether the produce-verbose-alert option is used in any of the active signatures or in an EAO configuration use the show configuration command.
The following example shows signature ID 1475/0 modified to enable the produce-verbose-alert option:
sensor# show configuration
! ------------------------------
! Current configuration last modified Wed Feb 05 16:21:00 2014
! ------------------------------
! Version 7.1(8)
! Host:
! Realm Keys key1.0
[...]
variables WEBPORTS web-ports 24326-24326,3128-3128,80-80,8000-8000,8010-8010,8080-8080,8888-8888
signatures 1475 0
engine string-tcp
event-action produce-alert|produce-verbose-alert
exit
[...]
The following example shows the rules0 event action rules policy with an override enabled with the produce-verbose-alert option:
sensor# show configuration
! ------------------------------
! Current configuration last modified Wed Feb 05 16:21:00 2014
! ------------------------------
! Version 7.1(8)
! Host:
! Realm Keys key1.0
[...]
! ------------------------------
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Enabled
risk-rating-range 90-100
exit
overrides produce-verbose-alert
override-item-status Enabled
risk-rating-range 90-100
exit
exit
! ------------------------------
[...]
Alternatively, to determine whether any active signature has the produce-verbose-alert option enabled, use the Cisco IPS Device Manager (IDM) to connect to the Cisco IPS and navigate to Configuration > Policies > Signature Definitions > -Sig-Definition-Name- > Active Signatures and filter by using Filter: Action Produce Verbose Alert.
The produce-verbose-alert option is not enabled by default on any active signatures nor in any EAO rules.
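The show configuration check described above can be automated over saved sensor output. The following is an added example (not Cisco's code) that walks the configuration text and reports signatures whose event-action list contains produce-verbose-alert, plus any event action rules policy with an Enabled override for that action; the sample configuration is constructed from the excerpts above, and signature enabled/retired state is not examined.

```python
import re

VERBOSE = "produce-verbose-alert"

# Constructed sample modelled on the show configuration excerpts above: one
# signature carrying produce-verbose-alert and one Enabled EAO override for it.
SAMPLE_CONFIG = """\
! Version 7.1(8)
service signature-definition sig0
signatures 1475 0
engine string-tcp
event-action produce-alert|produce-verbose-alert
exit
exit
exit
service event-action-rules rules0
overrides produce-verbose-alert
override-item-status Enabled
risk-rating-range 90-100
exit
exit
"""

def find_verbose_alert_usage(config_text):
    """Return (signatures, overrides): signature IDs such as '1475/0' whose
    event-action list contains produce-verbose-alert, and (policy, action)
    pairs for EAO overrides of that action with override-item-status Enabled.
    Signature enabled/retired state is not checked (an assumption here)."""
    signatures, overrides = [], []
    policy = sig_id = override = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                                  # banner / comment lines
        if line.startswith("service event-action-rules "):
            policy = line.split()[2]                  # e.g. rules0
        elif (m := re.match(r"signatures (\d+) (\d+)$", line)):
            sig_id = f"{m.group(1)}/{m.group(2)}"     # signature ID/subsignature
        elif line.startswith("event-action ") and sig_id:
            # actions are pipe-separated: produce-alert|produce-verbose-alert
            if VERBOSE in line.split(None, 1)[1].split("|"):
                signatures.append(sig_id)
        elif line.startswith("overrides "):
            override = {"policy": policy, "action": line.split()[1], "status": None}
        elif line.startswith("override-item-status ") and override:
            override["status"] = line.split()[1]
        elif line == "exit":
            if override:                              # closes an overrides block
                if override["action"] == VERBOSE and override["status"] == "Enabled":
                    overrides.append((override["policy"], override["action"]))
                override = None
            else:                                     # closes engine/signature scope
                sig_id = None
    return signatures, overrides
```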
Cisco IPS Control-Plane MainApp Denial of Service Vulnerability
The following products are affected by the Cisco IPS Control-Plane MainApp Denial of Service Vulnerability:
- Cisco ASA 5505 Advanced Inspection and Prevention Security Services Card (AIP SSC)
- Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Module (AIP SSM)
- Cisco ASA 5500-X Series IPS Security Services Processor (IPS SSP) software and hardware modules
Note: The Advanced Inspection and Prevention Security Services Card (AIP SSC) for Cisco ASA 5505 has reached End of Software Maintenance Releases milestone. Customers are encouraged to contact their Cisco representative for an available replacement.
Cisco IPS Jumbo Frame Denial of Service Vulnerability
The following products are affected by the Cisco IPS Jumbo Frame Denial of Service Vulnerability:
- Cisco IPS 4500 Series Sensors
How to Determine the Running Software Version
To determine whether a vulnerable version of Cisco IPS Software is running on an appliance, administrators can issue the show version command. The following example shows a Cisco IPS 4345 that is running software version 7.1(3)E4:
sensor# show version
Application Partition:
Cisco Intrusion Prevention System, Version 7.1(3)E4
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S605.0 2011-10-25
OS Version: 2.6.29.1
Platform: IPS-4345-K9
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
The Cisco IPS is a family of network security devices that provide network-based threat prevention services. Cisco IPS Software includes several applications that are used by the system to run different tasks. In particular, the MainApp process is responsible for multiple critical tasks, including reading the configuration, starting and stopping applications, and authentication service, while the Analysis Engine process is responsible for the analysis and inspection of traffic passing through the sensor.
Additional information about the MainApp and Analysis Engine processes is in the "System Architecture" section of the product configuration guide:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idm_system_architecture.html#wp1126061
Cisco IPS Analysis Engine Denial of Service Vulnerability
A vulnerability in the produce-verbose-alert code of Cisco Intrusion Prevention System (IPS) Software could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive.
The vulnerability is due to improper handling of fragmented packets by the Analysis Engine process when the produce-verbose-alert action is enabled. An attacker could exploit this vulnerability by sending fragmented packets through the affected system. To trigger the vulnerability, the attacker could cause a signature with the produce-verbose-alert action to fire, or trigger an event for which produce-verbose-alert has been configured as an event action override. An exploit could allow the attacker to cause the Analysis Engine process to become unresponsive. This will cause the affected system to stop inspecting traffic.
The vulnerability can be triggered by IP version 4 (IPv4) and IP version 6 (IPv6) fragmented packets passing through the affected system. Traffic directed to the management IP address of the Cisco IPS will not trigger this vulnerability.
This vulnerability is documented in Cisco bug ID CSCui91266 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2014-0718.
Cisco IPS Control-Plane MainApp Denial of Service Vulnerability
A vulnerability in the implementation of the control-plane access list of the Cisco IPS Software could allow an unauthenticated, remote attacker to cause the MainApp process to become unresponsive.
The vulnerability is due to a failure to properly handle malformed TCP packets sent to the management IP address of the affected system. An attacker could exploit this vulnerability by sending crafted TCP packets to TCP port 7000 of the IP address of the management interface. An exploit could allow the attacker to make the MainApp process unresponsive. This creates a denial of service (DoS) condition because the Cisco IPS sensor is not able to execute several critical tasks including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive. Additionally, due to this general system failure, other processes such as the Analysis Engine may not work properly.
The vulnerability can be triggered only by TCP traffic directed to TCP port 7000 of the IP address of the management interface. Traffic passing through the sensing interfaces will not trigger this vulnerability. If the Cisco IPS is configured in promiscuous mode, mitigation actions that require MainApp processing such as shun or rate-limit may be unavailable. If the Cisco IPS is configured in inline mode, the sensor may not correctly perform inspection and mitigation actions because the Analysis Engine process may not work properly.
This vulnerability affects only Cisco IPS Software running on the hardware and software modules for the Cisco ASA 5500 Series and Cisco ASA 5500-X Series.
This vulnerability is documented in Cisco bug ID CSCui67394 (registered customers only) and has been assigned CVE ID CVE-2014-0719.
Cisco IPS Jumbo Frame Denial of Service Vulnerability
A vulnerability in Cisco IPS code that handles jumbo frames could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive.
The vulnerability is due to improper handling of jumbo frames sent at a high rate. An attacker could exploit this vulnerability by sending jumbo frames through the sensing interface of the affected device. An exploit could allow the attacker to cause the Analysis Engine process to become unresponsive. This will cause the affected system to stop inspecting traffic.
The vulnerability can be triggered by IPv4 and IPv6 based jumbo frames passing through the affected system. Traffic directed to the management IP address of the Cisco IPS will not trigger this vulnerability.
This vulnerability is documented in Cisco bug ID CSCuh94944 (registered customers only) and has been assigned CVE ID CVE-2014-0720.
-
To work around the Cisco IPS Analysis Engine Denial of Service Vulnerability, administrators can disable the produce-verbose-alert action.
Use the show configuration command to determine which signatures have the produce-verbose-alert option enabled or whether the produce-verbose-alert option is enabled as an EAO.
If the produce-verbose-alert has been configured at the signature level, the value can be modified by entering the signature configuration prompt and modifying the event action for each signature that needs modification to use produce-alert instead of the produce-verbose-alert action. The following example shows the procedure to change the event action from produce-verbose-alert to produce-alert for signature 1475/0:
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 1475 0
sensor(config-sig-sig)# engine string-tcp
sensor(config-sig-sig-str)# event-action produce-alert
sensor(config-sig-sig-str)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]: yes
sensor(config)#
Alternatively, in the Cisco IPS Device Manager (IDM) Active Signatures view, right-click each of the signatures and choose Edit Action. From the panel, uncheck the Produce Verbose Alert check box, click OK, and apply the changes.
If the produce-verbose-alert action is enabled as an EAO, it can be disabled by modifying the settings for the event action rules policy.
The following example shows how to disable the override with produce-verbose-alert configured in the rules0 event action rules policy:
sensor(config)# service event-action-rules rules0
sensor(config-eve)# no overrides produce-verbose-alert
sensor(config-eve)# exit
Apply Changes?[yes]: yes
sensor(config)#
There is no workaround for the Cisco IPS Control-Plane MainApp Denial of Service Vulnerability; however, restricting the number of allowed hosts may reduce the exposure to this vulnerability.
To restrict the number of allowed hosts, the administrator should use the access-list command. The no access-list command should be used to remove any hosts or networks from the list.
The following example shows the sequence of commands to remove access to the full 192.168.1.0/24 network and allow access only to the host with IP address 192.168.1.1:
- Use the show settings command in network-setting configuration mode to see the current allowed hosts or networks. The following example shows that the Cisco IDSM-2 is configured to allow all the hosts in the 192.168.1.0/24 network:
sensor(config-hos-net)# show settings
network-settings
-----------------------------------------------
[...]
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 192.168.1.0/24
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds <defaulted>
login-banner-text: <defaulted>
[...]
- Use the access-list command in network-setting configuration mode to add the 192.168.1.1 host.
Note: Make sure that, if this is the only allowed host, it is also the one from which you are executing the configuration commands, to avoid losing connectivity to the Cisco IDSM-2 Module.
sensor(config-hos-net)#access-list 192.168.1.1/32
- Use the no access-list command in network-setting configuration mode to remove the 192.168.1.0/32 network from the allowed hosts list:
sensor(config-hos-net)#no access-list 192.168.1.0/24
- Use the show settings command in network-setting configuration mode to check that the list of allowed hosts is correct:
sensor(config-hos-net)# show settings
network-settings
-----------------------------------------------
[...]
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 192.168.1.1/32
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds <defaulted>
login-banner-text: <defaulted>
[...]
- Exit and apply the configuration:
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
There is no workaround for the Cisco IPS Jumbo Frame Denial of Service Vulnerability.
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory: http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=32605
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
The following table summarizes the first fixed release for each vulnerability and for each major release version. The last row gives information on the recommended releases that resolve all the vulnerabilities in this security advisory.

Vulnerability | 6.x | 7.0 | 7.1 | 7.2 | 7.3
Cisco IPS Analysis Engine Denial of Service Vulnerability - CSCui91266 | Not Affected | Not Affected | 7.1(8)E4 (1) | 7.2(2)E4 | Not Affected
Cisco IPS Control-Plane MainApp Denial of Service Vulnerability - CSCui67394 | Affected, move to 7.1 or later (2) | Affected, move to 7.1 or later | 7.1(8p2)E4 | 7.2(2)E4 | Not Affected
Cisco IPS Jumbo Frame Denial of Service Vulnerability - CSCuh94944 | Not Affected | Not Affected | 7.1(8)E4 | 7.2(2)E4 | Not Affected
Recommended Release | Affected, move to 7.1 or later | Affected, move to 7.1 or later | 7.1(8p2)E4 or later | 7.2(2)E4 or later | Not Affected

(1) This vulnerability does not affect Cisco IPS Software versions prior to 7.1(4)E4.
(2) The Cisco ASA 5505 Advanced Inspection and Prevention Security Services Card (AIP SSC) supports only Cisco IPS Software version 6.2 and prior. The Advanced Inspection and Prevention Security Services Card (AIP SSC) for Cisco ASA 5505 has reached the End of Software Maintenance Releases milestone.
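Comparing a sensor's show version output against the table above is error-prone by hand because of the maintenance/patch syntax (7.1(8)E4 versus 7.1(8p2)E4). The following is an added example (not Cisco's code) that parses that syntax, transcribes the first fixed releases and footnote 1 from the table, and reports the status of each bug ID for a given version; it assumes the engine level (E4) can be left out of the comparison and does not model platform or configuration applicability (for example, the Jumbo Frame vulnerability affecting only IPS 4500 Series Sensors).

```python
import re

# Cisco IPS version syntax as it appears in the advisory, e.g. 7.1(8p2)E4:
#   major.minor(maintenance[p<patch>])E<engine level>
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:p(\d+))?\)E(\d+)$")

def parse_version(text):
    """Return (major, minor, maintenance, patch) for a string like 7.1(3)E4.
    The engine level is parsed but not compared (assumption of this example)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cisco IPS version: {text!r}")
    major, minor, maint, patch, _engine = m.groups()
    return (int(major), int(minor), int(maint), int(patch or 0))

# First fixed release per major release train, transcribed from the table above.
# A missing train is "Not Affected"; None means affected with no fix in that
# train (the advisory says to move to 7.1 or later).
FIRST_FIXED = {
    "CSCui91266": {"7.1": "7.1(8)E4", "7.2": "7.2(2)E4"},                # Analysis Engine DoS
    "CSCui67394": {"6": None, "7.0": None, "7.1": "7.1(8p2)E4", "7.2": "7.2(2)E4"},  # MainApp DoS
    "CSCuh94944": {"7.1": "7.1(8)E4", "7.2": "7.2(2)E4"},                # Jumbo Frame DoS
}
# Footnote 1: the Analysis Engine DoS does not affect releases before 7.1(4)E4.
FIRST_AFFECTED = {"CSCui91266": "7.1(4)E4"}

def train_of(version):
    # Table column for a parsed version: "6" for any 6.x release, else major.minor
    return "6" if version[0] == 6 else f"{version[0]}.{version[1]}"

def assess(version_text):
    """Return {bug ID: 'fixed' | 'vulnerable' | 'not affected' | 'no fix in train'}."""
    v = parse_version(version_text)
    train = train_of(v)
    result = {}
    for bug, fixes in FIRST_FIXED.items():
        if train not in fixes:
            result[bug] = "not affected"
        elif bug in FIRST_AFFECTED and v < parse_version(FIRST_AFFECTED[bug]):
            result[bug] = "not affected"          # pre-7.1(4)E4 code lacks the bug
        elif fixes[train] is None:
            result[bug] = "no fix in train"
        elif v >= parse_version(fixes[train]):
            result[bug] = "fixed"
        else:
            result[bug] = "vulnerable"
    return result

def version_from_show_version(output):
    """Extract the version string from captured 'show version' output."""
    m = re.search(r"Cisco Intrusion Prevention System, Version (\S+)", output)
    if not m:
        raise ValueError("no version line found in show version output")
    return m.group(1)
```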
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
The Cisco IPS Analysis Engine Denial of Service Vulnerability and the Cisco IPS Control-Plane MainApp Denial of Service Vulnerability were found during the resolution of customer service requests. The Cisco IPS Jumbo Frame Denial of Service Vulnerability was found during internal testing.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0 2014-February-19 Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.