Cisco Security Advisory
High
Advisory ID:
cisco-sa-20140806-energywise
First Published:
2014 August 6 16:00 GMT
Last Updated:
2014 August 20 20:35 GMT
Version 1.2:
Workarounds:
Cisco Bug IDs:
CVSS Score:
Base 7.8,
Temporal 6.4
Click Icon to Copy Verbose Score
AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
Click Icon to Copy Verbose Score
AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
-
A vulnerability in the EnergyWise module of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device.
The vulnerability is due to improper parsing of crafted EnergyWise packets destined to an affected device. An attacker could exploit this vulnerability by sending a crafted EnergyWise packet to be processed by an affected device. An exploit could allow the attacker to cause a reload of the affected device.
Cisco has released software updates that address this vulnerability.
There are no workarounds for this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140806-energywise
-
Vulnerable Products
Cisco devices that are running an affected release of Cisco IOS and Cisco IOS XE Software and configured for EnergyWise operation are affected by this vulnerability.
The EnergyWise feature is not enabled by default on Cisco IOS and Cisco IOS XE devices.
To determine whether a Cisco IOS device is configured with EnergyWise, use the show run | include energywise command. The following example is the output of the show run | include energywise command on a Cisco IOS device configured with the minimum EnergyWise configuration needed to enable its operation:
Note: The EnergyWise domain configuration is the minimum configuration required to enable the EnergyWise feature on a Cisco IOS device.Router#show run | include energywise
energywise domain test_domain security shared-secret 0 test123
To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:
Router>show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
<output truncated>Products Confirmed Not Vulnerable
Products and services included in the Cisco EnergyWise Suite, formerly known as JouleX Energy Manager solutions, are not affected by this vulnerability.
The Cisco EnergyWise Management for Data Center, Cisco EnergyWise Management for Distributed Office, Cisco EnergyWise Discovery Service, and Cisco EnergyWise Optimization Service are not affected by this vulnerability.
Cisco IOS XR is not affected by this vulnerability.
No other Cisco products are currently known to be affected by this vulnerability.
-
Cisco EnergyWise began as a Cisco IOS Software-based protocol used to measure and control the energy use of an enterprise IT network.
In a Cisco EnergyWise network, EnergyWise monitors and manages the power usage of powered devices in a domain including Cisco networking devices, Power over Ethernet (PoE) endpoints, and endpoints running agents built using the software development kit (SDK).
A vulnerability in the EnergyWise module of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device.
The vulnerability is due to improper parsing of crafted EnergyWise packets destined to an affected device. An attacker could exploit this vulnerability by sending a crafted EnergyWise packet to be processed by an affected device. An exploit could allow the attacker to cause a reload of the affected device.
Both UDP and TCP packets destined to an affected device can be used to exploit this vulnerability. Traffic transiting an affected device cannot be used to exploit this vulnerability.
Cisco IOS Software and Cisco IOS XE Software support EnergyWise for IP version 4 (IPv4) communication.
Only IPv4 packets destined to a device configured as an EnergyWise domain member can trigger this vulnerability. IPv6 packets cannot be used to trigger this vulnerability.
An attacker could exploit this vulnerability using IPv4 packets sent on TCP or UDP port 43440.
An exploit could cause Cisco IOS and Cisco IOS XE Software to reload, leading to a denial of service (DoS) condition.
This vulnerability is documented in Cisco bug ID CSCup52101 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2014-3327.
Protocol and Port Details
Cisco EnergyWise domain members communicate with other EnergyWise-enabled devices over three independent communication channels:
- Cisco Discovery Protocol or UDP messages for neighbor discovery
- TCP packets for management applications
- TCP packets for control messages sent to EnergyWise-enabled endpoints
Cisco Discovery Protocol or UDP Messages
Cisco EnergyWise domain members use Cisco Discovery Protocol when it is enabled or EnergyWise UDP messages to automatically discover neighbors. By default, UDP port 43440 is enabled on an EnergyWise domain member.
Only packets sent on UDP port 43440 for neighbor discovery can be used to exploit this vulnerability.
Note: You have the option to change the default UDP port number (43440) that the EnergyWise device will listen to by using the energywise domain domain security shared-secret 0 secret protocol udp port udp-port-number command.
TCP Packets for Management Applications
In addition, a domain member may also have a management port configured for the Cisco EnergyWise management API (MAPI). Applications that use the MAPI can connect to the management port configured on a domain member and use that port for communication between the management workstation and domain members.
The management port is not enabled by default. Administrators can configure this option with the energywise management security shared-secret 0 shared-secret command. The configuration defaults to TCP port 43440.
If a management port is configured, management packets sent on TCP port 43440 can be used to exploit this vulnerability.
Note: You have the option to change the TCP port number that the EnergyWise device will listen to for management communication by using the energywise management security shared-secret 0 shared-secret port tcp-port-number command. The default is TCP port 43440.
TCP Packets for Control Messages
Cisco EnergyWise domain members can also be configured to send queries and control messages to PoE endpoints and endpoints running agents built using the SDK.
Domain members and endpoints receive power from an AC or DC power source or a power supply. PoE domain members and endpoints also receive power from PoE switches or Cisco EtherSwitch service modules.
The Cisco EnergyWise domain member can be configured to communicate with endpoints with the following configuration command: energywise endpoint security shared-secret.
If configured, EnergyWise endpoint communication uses TCP port 43440. EnergyWise endpoint communication is not enabled by default.
If EnergyWise endpoint communication is configured, packets from endpoints sent on TCP port 43440 can be used to exploit this vulnerability.
Note: EnergyWise domain members configured for endpoint communication listen on the same TCP socket used for management. If EnergyWise management functionality is not configured, the default TCP port used for endpoint communication cannot be changed.
-
There are no workarounds for this vulnerability.
Additional mitigations that can be deployed on Cisco devices in the network are in the Cisco Applied Intelligence companion document for this advisory: https://sec.cloudapps.cisco.com/security/center/viewAMBAlert.x?alertId=34962
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Cisco IOS Software
Each row of the following Cisco IOS Software table corresponds to a Cisco IOS Software train. If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release column. Cisco recommends upgrading to the latest available release where possible.
The Cisco IOS Software Checker allows customers to search for Cisco Security Advisories that address specific Cisco IOS Software releases. This tool is available on the Cisco Security (SIO) portal at https://sec.cloudapps.cisco.com/security/center/selectIOSVersion.x
Major Release Availability of Repaired Releases Affected 12.0-Based Releases First Fixed Release There are no affected 12.0 based releases Affected 12.2-Based Releases First Fixed Release 12.2EX Vulnerable; migrate to any release in 12.2SEG
Releases up to and including 12.2(55)EX2 are not vulnerable.
12.2EY Vulnerable; migrate to any release in 15.1EY
Releases up to and including 12.2(55)EY are not vulnerable.
12.2EZ Releases up to and including 12.2(55)EZ are not vulnerable.
12.2IRB Not vulnerable
12.2IRC Not vulnerable
12.2IRD Not vulnerable
12.2IRE Not vulnerable
12.2IRF Not vulnerable
12.2IRG Not vulnerable
12.2IRH Not vulnerable
12.2IRI Not vulnerable
12.2IXG Not vulnerable
12.2IXH Not vulnerable
12.2MC Not vulnerable
12.2MRA Not vulnerable
12.2MRB Not vulnerable
12.2SB Not vulnerable
12.2SCA Not vulnerable
12.2SCB Not vulnerable
12.2SCC Not vulnerable
12.2SCD Not vulnerable
12.2SCE Not vulnerable
12.2SCF Not vulnerable
12.2SCG Not vulnerable
12.2SCH Not vulnerable
12.2SCI Not vulnerable
12.2SE Releases up to and including 12.2(55)SE9 are not vulnerable.
12.2SEG Not vulnerable
12.2SG Not vulnerable
12.2SGA Not vulnerable
12.2SM Not vulnerable
12.2SQ Not vulnerable
12.2SRA Not vulnerable
12.2SRB Not vulnerable
12.2SRC Not vulnerable
12.2SRD Not vulnerable
12.2SRE Not vulnerable
12.2STE Not vulnerable
12.2SV Not vulnerable
12.2SVD Not vulnerable
12.2SVE Not vulnerable
12.2SW Not vulnerable
12.2SXF Not vulnerable
Please see IOS Software Modularity Patch
12.2SXH Not vulnerable
Please see IOS Software Modularity Patch
12.2SXI Not vulnerable
12.2SXJ Not vulnerable
12.2SY Not vulnerable
12.2WO Not vulnerable
12.2XNA Please see Cisco IOS-XE Software Availability
12.2XNB Please see Cisco IOS-XE Software Availability
12.2XNC Please see Cisco IOS-XE Software Availability
12.2XND Please see Cisco IOS-XE Software Availability
12.2XNE Please see Cisco IOS-XE Software Availability
12.2XNF Please see Cisco IOS-XE Software Availability
12.2XO Not vulnerable
12.2ZYA Not vulnerable
Affected 12.3-Based Releases First Fixed Release There are no affected 12.3 based releases Affected 12.4-Based Releases First Fixed Release There are no affected 12.4 based releases Affected 15.0-Based Releases First Fixed Release 15.0EA Not vulnerable
15.0EB Not vulnerable
15.0EC Not vulnerable
15.0ED Vulnerable; First fixed in Release 15.2E
15.0EH Vulnerable; First fixed in Release 15.2E
15.0EJ Vulnerable; First fixed in Release 15.2E
15.0EK Releases prior to 15.0(2)EK1 are vulnerable; Releases 15.0(2)EK1 and later are not vulnerable. First fixed in Release 15.2E
15.0EX Not vulnerable
15.0EY Not vulnerable
15.0EZ Not vulnerable
15.0M Not vulnerable
15.0MR Not vulnerable
15.0S Not vulnerable
15.0SE Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
15.0SG Not vulnerable
15.0SQC Not vulnerable
15.0SY Not vulnerable
15.0XA Not vulnerable
15.0XO Not vulnerable
Affected 15.1-Based Releases First Fixed Release 15.1EY Not vulnerable
15.1GC Not vulnerable
15.1M Not vulnerable
15.1MR Not vulnerable
15.1MRA Not vulnerable
15.1S Not vulnerable
15.1SG Vulnerable; First fixed in Release 15.2E
15.1SNG Not vulnerable
15.1SNH Not vulnerable
15.1SNI Not vulnerable
15.1SY 15.1(1)SY4; Available on 31-OCT-14
15.1T Not vulnerable
15.1XO Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
Affected 15.2-Based Releases First Fixed Release 15.2E 15.2(3)E; Available on 23-OCT-14
15.2EA Not vulnerable
15.2EB Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
15.2EY Not vulnerable
15.2GC Not vulnerable
15.2JA Not vulnerable
15.2JAC Not vulnerable
15.2JAX Not vulnerable
15.2JB Not vulnerable
15.2JN Not vulnerable
15.2M Not vulnerable
15.2S Not vulnerable
15.2SA Not vulnerable
15.2SNG Not vulnerable
15.2SNH Not vulnerable
15.2SNI Not vulnerable
15.2T Not vulnerable
Affected 15.3-Based Releases First Fixed Release There are no affected 15.3 based releases Affected 15.4-Based Releases First Fixed Release 15.4CG Not vulnerable
15.4M Not vulnerable
15.4S Not vulnerable
15.4T Not vulnerable
Cisco IOS XE Software
For mapping of Cisco IOS XE to Cisco IOS releases, please refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and Cisco IOS XE 3SG Release Notes, available at http://www.cisco.com/en/US/docs/ios/ios_xe/2/release/notes/rnasr21.html#wp2310700,
http://www.cisco.com/en/US/docs/ios/ios_xe/3/release/notes/asr1k_rn_3s_sys_req.html#wp2999052 and
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_24726.html#wp2570252 respectively.Customers with service contracts should contact Cisco support organization per the instructions in the "Obtaining Fixed Software" section of this advisory.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
This vulnerability was found and reported to Cisco by Ayhan Koca and Matthias Luft of ERNW GmbH.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show LessRevision 1.2 2014-August-20 Added 3.3xXO to the list of vulnerable IOS XE releases. Marked 15.0EX, 15.0EZ, 15.2S, and 15.4S not vulnerable and removed from affected IOS releases. Revision 1.1 2014-August-15 Added 3.6xE to the list of vulnerable IOS XE releases. Revision 1.0 2014-August-06 Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.