Summary

• The Cisco Application Control Engine Global Site Selector (GSS) contains a vulnerability when processing specific Domain Name System (DNS) requests that may lead to a crash of the DNS service on the GSS.

  Cisco has released software updates that address this vulnerability.

  A workaround that mitigates this vulnerability is available.

  This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090107-gss.

Affected Products

• All versions of GSS system software prior to 3.0(1) are affected by this vulnerability. If the GSS is configured with the optional Cisco Network Registrar (CNR) software, the device is not vulnerable.

  Vulnerable Products

  The following GSS products are affected by this vulnerability:

  • Cisco GSS 4480 Global Site Selector
    
  • Cisco GSS 4490 Global Site Selector
    
  • Cisco GSS 4491 Global Site Selector
    
  • Cisco GSS 4492R Global Site Selector
    

  In order to determine the software that runs on a GSS device, users should log in to the device and issue the show version command to display the system software banner. The version is indicated on the line starting with Version. The following example shows a GSS that runs system software 2.0(1):

  gss.cisco.com#show version
  
  Global Site Selector (GSS)
  Model Number: GSS-4491-k9
  Copyright (c) 1999-2007 by Cisco Systems, Inc.
  
  Version 2.0(1)
  
  Uptime: 19 Hours 18 Minutes and 14 seconds
  
  gss.cisco.com#

  In order to determine if CNR is enabled on the GSS device, users should log in to the device and issue the show running-config | grep cnr command to display the system CNR configuration. If CNR is enabled, cnr enable will be displayed in the output. If CNR is disabled, no cnr enable will be displayed. The following example shows a GSS that does not have CNR enabled:

  GSS.cisco.com#show running-config | grep cnr
  no cnr enable
  GSS.cisco.com#
  

  Products Confirmed Not Vulnerable

  The following products have been confirmed not vulnerable:

  • Cisco Global Site Selector using interaction with Cisco Network Registrar
    
  • Cisco Application Control Engine Module
    
  • Cisco Network Registrar
    
  • Cisco Content Services Switch (CSS)
    

  No other Cisco products are currently known to be affected by this vulnerability.

Details

• The Cisco GSS platform allows customers to leverage global content deployment across multiple distributed and mirrored data locations, optimizing site selection, improving Domain Name System (DNS) responsiveness, and ensuring data center availability.

  The GSS is inserted into the traditional DNS hierarchy and is closely integrated with the Cisco CSS, Cisco Content Switching Module (CSM), or third-party server load balancers (SLBs) to monitor the health and load of the SLBs in customers data centers. The GSS uses this information and user-specified routing algorithms to select the best-suited and least-loaded data center in real time.

  A vulnerability exists in the GSS when processing a specific sequence of DNS requests. An exploit of the vulnerability may result in a crash of the DNS service on the GSS.

  When the DNS server crashes, an error message will appear in the logs similar to the following example:

  Dec 18 04:47:21 gss NMR-6-LAUNCHSVR_EXIT[27261] dnsserver' has exited [ExitUnknown(139)]"
  

  This vulnerability is documented in Cisco Bug ID: CSCsj70093 ( registered customers only)

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-3819.

Workarounds

• A workaround for this vulnerability requires the administrator to disable the property "ServerConfig.dnsserver.returnError" ( set to zero). On GSS version 1.1(x), 1.2(x) and 1.3(x), this property is disabled by default.

  On GSS version 2.0(x), this property is enabled by default (set to one).

  The following example shows how to disable this property:

  GSS#config terminal
      GSS(config)#property set ServerConfig.dnsserver.returnError 0
      GSS(config)#exit
      GSS#write memory

  To ensure the workaround has been applied properly, from privileged exec mode, execute the show properties command and verify that the response returned shows "ServerConfig.dnsserver.returnError" parameter set to zero. The following example shows how to verify the workaround has been sucessfully applied:

  gss.cisco.com#show properties | grep ServerConfig.dnsserver.returnError 
           ServerConfig.dnsserver.returnError                 : 0

  For the property to take affect, the GSS should be stopped and restarted:

  GSS#gss stop
      GSS#gss start

  Note:

  1. GSS version 3.0(x) is not impacted by the issue in the advisory.
     
  2. GSS version 1.x(y) is not impacted by the issue in the advisory so long as the negative return property has not been changed from its default settings. [GSS versions 1.1(x), 1.2(x) and 1.3(x) ship with this property disabled. GSS version 1.0(x) does not allow user customization of the property command].
     
  3. GSS version 2.0.x is vulnerable. [GSS version 2.0.x ships with this property enabled].
     

  Mechanics of the Workaround

  If there is a query for which there is no domain match on the GSS, such a query is dropped and the DNSQueriesUnmatched counter is incremented. As a side-effect of the workaround, neither of the negative responses NXDOMAIN,NODATA are sent for queries for which there is no domain match.

  Impact of the Workaround

  1. If there are no Authority Domains configured on the GSS, there is no impact that will be noticed by the end-user.
     
  2. If there are Authority Domains configured on the GSS, and since disabling negative response will result in no communication to the resolver, the resolver receives no indication whether the lack of response is because of network failure or because that domain was not supported by the GSS. This lack of knowledge will result in the resolver attempting to send the same query for a domain that does not exist on the GSS again if it receives a request for such a domain from a DNS client.
     

Fixed Software

• When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

  GSS Major Version	First Fixed Release	Recommended Release
  1.x(y)	Vulnerable; Option1: Migrate to 3.0(1) or later; Option 2: Migrate to 2.0(5) or later.	3.0(2)
  2.x(y)	Vulnerable; Migrate to 2.0(5) or later;	3.0(2)
  3.x(y)	Not Vulnerable

  GSS fixed system software is available for download from http://www.cisco.com/pcgi-bin/tablebuild.pl/gss-3des?psrtdcat20e2

Exploitation and Public Announcements

• The Cisco PSIRT is aware of active exploitations where malicious use of the vulnerability described in this advisory has occurred.

  This vulnerability was discovered by investigating customer TAC service requests.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090107-gss

Revision History

• Revision 1.1	2009-November-12	Updated workarounds
  Revision 1.0	2009-January-07	Initial public release

  Show Less