Cisco Security Advisory
Multiple Vulnerabilities in Cisco Intrusion Prevention System Software
AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:W/RC:C
-
Cisco Intrusion Prevention System (IPS) Software is affected by the following vulnerabilities:
- Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability
- Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability
- Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability
- Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability
The Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive due to memory corruption or could cause the reload of the affected system.
The Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause a reload of a Cisco Intrusion Prevention System Network Module Enhanced (IPS NME).
The Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the kernel of the Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module to become unresponsive.
Successful exploitation of any of these vulnerabilities could result in a denial of service (DoS) condition.
Cisco has released software updates that address all the vulnerabilities in this advisory with the exception of the Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability. Customers running a vulnerable version of the Cisco IDSM-2 Module should refer to the "Workarounds" section of this advisory for available mitigations.
Workarounds that mitigate the Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability and Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability are available.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130717-ips
-
Vulnerable Products
Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability
The following products are affected by the Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability:
- Cisco ASA 5500-X Series IPS Security Services Processor (IPS SSP) software and hardware modules running Cisco IPS Software 7.1 through version 7.1(4)E4
- Cisco IPS 4500 Series Sensors running Cisco IPS Software version 7.1(4)E4
- Cisco IPS 4300 Series Sensors running Cisco IPS Software versions 7.1(3)E4 and 7.1(4)E4
Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability
The following products are affected by the Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability:
- Cisco ASA 5500-X Series (IPS SSP) software modules running Cisco IPS Software versions 7.1(4)E4 through 7.1(7)E4
Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability
The following product is affected by the Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability:
- Cisco Intrusion Prevention System Network Module Enhanced (IPS NME)
Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability
The following product is affected by the Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability:
- Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module
How to Determine the Running Software Version
To determine whether a vulnerable version of Cisco IPS Software is running on an appliance, administrators can issue the show version command. The following example shows a Cisco IPS 4345 that is running software version 7.1(3)E4:
sensor# show version
Application Partition:
Cisco Intrusion Prevention System, Version 7.1(3)E4
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S605.0 2011-10-25
OS Version: 2.6.29.1
Platform: IPS-4345-K9
Products Confirmed Not Vulnerable
The following products are not affected by the vulnerabilities described in this advisory:
- Cisco IOS IPS
- Cisco IPS 4200 Series Sensors
- Cisco Intrusion Prevention System Advanced Integration Module (IPS AIM)
- Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Card (AIP SSC)
- Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Module (AIP SSM)
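The affected-release lists above differ per product family and use Cisco's 7.1(7p1)E4-style release strings, which do not sort as plain text. The following triage script is an added example (the editor's code, not Cisco's) that parses show version output and reports which of this advisory's CVEs apply. The product-family labels are this script's own; it recognises only the IPS-43xx and IPS-45xx "Platform:" strings, so for IPS SSP modules, IPS NME and IDSM-2 the caller names the family explicitly. The affected ranges are transcribed from the advisory's tables; "All" releases for IPS NME is treated as any release below the first fixed one.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Editor's added example, not Cisco code: triage "show version" output against the
# affected-release tables in this advisory. Family names are this script's own
# labels; only IPS-43xx/IPS-45xx "Platform:" strings are mapped automatically.

class IpsVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    patch: int  # the "p1" in 7.1(7p1)E4; 0 when there is no p-level

# major.minor(maint[pN])E<engine>; the signature-engine level is not part of ordering
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:p(\d+))?\)E(\d+)")

def parse_version(text: str) -> IpsVersion:
    """Return the first IPS release string found in text as a comparable tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no Cisco IPS release string found")
    major, minor, maint, patch, _engine = m.groups()
    return IpsVersion(int(major), int(minor), int(maint), int(patch or 0))

def v(s: str) -> IpsVersion:
    return parse_version(s)

# family -> list of (CVE, affected-range predicate, first fixed release or None),
# transcribed from the advisory's affected-products and first-fixed tables.
ADVISORY = {
    "ASA 5500-X IPS SSP software module": [
        ("CVE-2013-1243", lambda x: x[:2] == (7, 1) and x <= v("7.1(4)E4"), "7.1(5)E4"),
        ("CVE-2013-1218", lambda x: v("7.1(4)E4") <= x <= v("7.1(7)E4"), "7.1(7p1)E4"),
    ],
    "ASA 5585-X IPS SSP hardware module": [
        ("CVE-2013-1243", lambda x: x[:2] == (7, 1) and x <= v("7.1(4)E4"), "7.1(5)E4"),
    ],
    "IPS 4500": [("CVE-2013-1243", lambda x: x == v("7.1(4)E4"), "7.1(6)E4")],
    "IPS 4300": [("CVE-2013-1243", lambda x: x in (v("7.1(3)E4"), v("7.1(4)E4")), "7.1(5)E4")],
    # "All" releases affected: treated here as anything below the first fixed release
    "IPS NME": [("CVE-2013-3410", lambda x: x < v("7.0(9)E4"), "7.0(9)E4")],
    "IDSM-2": [("CVE-2013-3411", lambda x: True, None)],  # no fixed release exists
}

def family_from_platform(show_version: str) -> Optional[str]:
    """Map an IPS-43xx/IPS-45xx 'Platform:' line to its series (assumed naming)."""
    m = re.search(r"Platform:\s*IPS-(43|45)\d\d", show_version)
    return {"43": "IPS 4300", "45": "IPS 4500"}[m.group(1)] if m else None

def assess(show_version: str, family: str) -> List[Tuple[str, Optional[str]]]:
    """List (CVE, first fixed release) pairs that apply to the running release."""
    ver = parse_version(show_version)
    return [(cve, fixed) for cve, affected, fixed in ADVISORY[family] if affected(ver)]

# The sensor output quoted in the advisory (IPS 4345 running 7.1(3)E4)
SAMPLE_SHOW_VERSION = """\
Application Partition:
Cisco Intrusion Prevention System, Version 7.1(3)E4
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S605.0 2011-10-25
OS Version: 2.6.29.1
Platform: IPS-4345-K9
"""

if __name__ == "__main__":
    fam = family_from_platform(SAMPLE_SHOW_VERSION)
    for cve, fixed in assess(SAMPLE_SHOW_VERSION, fam):
        print(f"{fam}: {cve} applies; first fixed in {fixed}")
```

Note that a "first fixed" release is not necessarily the one to install: the advisory's Recommended Releases table is the upgrade target, and 7.1(5)E4 in particular is no longer available for download.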
-
Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability
The Cisco IPS is a family of network security devices that provide network-based threat prevention services. Cisco IPS Software includes several applications that are used by the system to run different tasks. In particular, the MainApp process is responsible for multiple critical tasks, including reading the configuration, starting and stopping applications, and the authentication service.
Additional information about the MainApp process is in the "System Architecture" section of the product configuration guide:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idm_system_architecture.html#wp1126061
A vulnerability in the IP stack could allow an unauthenticated, remote attacker to cause the MainApp process to become unresponsive. This creates a denial of service (DoS) condition because the Cisco IPS sensor is not able to execute several critical tasks including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive. Additionally, due to this general system failure, other processes such as the Analysis Engine may not work properly. The vulnerability is due to improper handling of malformed IP packets from the management interface of the affected system. An attacker may exploit this vulnerability by sending malformed IP packets to the management interface.
The vulnerability can be triggered only by IPv4 traffic directed to the management interface. Traffic passing through the sensing interfaces will not trigger this vulnerability. If the Cisco IPS is configured in promiscuous mode, mitigation actions that require MainApp processing such as shun or rate-limit may be unavailable. If the Cisco IPS is configured in inline mode, the sensor may not correctly perform inspection and mitigation actions because the Analysis Engine process may not be working properly.
This vulnerability is documented in Cisco bug ID CSCtx18596 (registered customers only) and Common Vulnerabilities and Exposures (CVE) ID CVE-2013-1243.
Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability
Cisco IPS SSP is an integrated module running on Cisco ASA 5500-X Series. The module could be deployed in hardware for the Cisco ASA 5585-X, or as an integrated software module for the Cisco ASA 5512-X, Cisco ASA 5515-X, Cisco ASA 5525-X, Cisco ASA 5545-X, and Cisco ASA 5555-X Series.
Cisco IPS Software running on the ASA 5500-X IPS SSP processes only traffic that it receives from the Cisco ASA. Cisco ASA needs to be configured with Modular Policy Framework (MPF) to redirect specific traffic to the Cisco IPS Software.
A vulnerability in the implementation of the code that processes fragmented traffic could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive or cause the affected system to reload.
The vulnerability is due to improper handling of fragmented IP packets sent from the Cisco ASA data plane to the Cisco IPS processor for inspection and processing. An attacker could exploit this vulnerability by sending a combination of fragmented and other IP packets through the affected system. An exploit could allow the attacker to cause a reload of the affected system or cause the Analysis Engine process to become unresponsive. When the Analysis Engine process is unresponsive, the affected system will not process traffic, which will cause that traffic to be dropped. Additionally, if the Cisco ASA with a Cisco IPS SSP software module running an affected version of software is configured in High-Availability mode (HA), a failover event may be triggered when the Cisco IPS SSP reloads or stops forwarding traffic.
The vulnerability can be triggered by IPv4 and IPv6 fragmented packets passing through the affected system. Traffic directed to the management IP address of the Cisco IPS software module will not trigger this vulnerability.
Note: This vulnerability affects only the Cisco ASA 5500-X Series IPS SSP software module. Cisco IPS SSP hardware modules supported on the Cisco ASA5585-X Series are not affected by this vulnerability.
This vulnerability is documented in Cisco bug ID CSCue51272 (registered customers only) and has been assigned CVE ID CVE-2013-1218.
Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability
A vulnerability in the memory allocation code could allow an unauthenticated, remote attacker to cause a reload of the affected system. The vulnerability is due to improper handling of memory allocation when malformed IP packets are received on the management interface of the affected system. An attacker may exploit this vulnerability by sending malformed IP packets to the management IP address.
The vulnerability can be triggered only by IPv4 traffic directed to the management interface. Traffic passing through the sensing interfaces will not trigger this vulnerability.
This vulnerability affects only Cisco IPS Software running on Cisco IPS NME.
This vulnerability is documented in Cisco bug ID CSCua61977 (registered customers only) and has been assigned CVE ID CVE-2013-3410.
Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability
A vulnerability in the IDSM-2 drivers could allow an unauthenticated, remote attacker to cause the system kernel to become unresponsive. This creates a denial of service (DoS) condition because the Cisco IPS sensor is not able to execute several critical tasks, including alert notification, event store management, sensor authentication, and traffic inspection. The Cisco IPS web server will also be unavailable.
The vulnerability is due to improper handling of malformed TCP packets from the management interface of the affected system. An attacker may exploit this vulnerability by sending malformed IP packets to the management interface. A TCP three-way handshake is not required to exploit this vulnerability. A hard system reboot is needed to restore the functionality of the system.
The vulnerability can be triggered only by IPv4 traffic directed to the management interface. Traffic passing through the sensing interfaces will not trigger this vulnerability.
This vulnerability affects only Cisco IPS Software running on Cisco IDSM-2 Module.
This vulnerability is documented in Cisco bug ID CSCuh27460 (registered customers only) and has been assigned CVE ID CVE-2013-3411.
Workarounds
Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability and Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability
There are no workarounds that mitigate these vulnerabilities.
Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability
If an exploit of this vulnerability is causing traffic interruption, administrators can remove the Modular Policy Framework (MPF) configuration on the Cisco ASA that is used to direct the user traffic toward the Cisco IPS SSP. This change will cause all user traffic to bypass Cisco IPS SSP module inspection and allow it to pass through the Cisco ASA.
The following example shows how to disable the redirecting of web traffic to the Cisco IPS Software module from the Cisco ASA firewall:
ASA(config)# class-map ips_traffic
ASA(config-cmap)# match any
ASA(config)# policy-map ips_traffic_policy
ASA(config-pmap)# class ips_traffic
ASA(config-pmap-c)# no ips inline|promiscuous
If the IPS is running in promiscuous mode, as a mitigation, fragmented traffic can be disabled for IPS processing.
The following example shows how to disable fragmented traffic on the Cisco IPS software module:
sensor# conf t
sensor(config)# ser sig sig0
sensor(config-sig)# sig 1200 0
sensor(config-sig-sig)# engine normalizer
sensor(config-sig-sig-nor)# edit-default-sigs-only default-signatures-only
sensor(config-sig-sig-nor-def)# specify-max-fragments yes
sensor(config-sig-sig-nor-def-yes)# max-fragments 0
sensor(config-sig-sig-nor-def-yes)# exit
sensor(config-sig-sig-nor-def)# exit
sensor(config-sig-sig-nor)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]: yes
Note: This change will cause all non-TCP fragments to pass uninspected.
Alternatively, fragmented traffic can be disallowed on the Cisco ASA firewall. This will cause the Cisco ASA firewall not to accept any fragments on its interfaces. Consequently, the Cisco ASA will not send any fragments to the Cisco IPS software module for inspection.
The following example shows how to disable fragmented traffic on the Cisco ASA firewall:
ASA(config)# fragment chain 1
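Both workarounds above change the ASA side: either the MPF policy that redirects traffic to the IPS SSP is removed, or fragments are refused with fragment chain 1. The script below is an added example (the editor's code, not Cisco's) that audits a running-config excerpt for exactly those two settings and reports whether the fragmented-traffic exposure still exists. It parses only the command forms quoted in the advisory (policy-map/class/ips, service-policy and fragment chain); the configuration it runs on is a constructed sample, not a real device's.

```python
import re

# Editor's added example, not Cisco code: audit an ASA running-config excerpt for
# the two settings this advisory's workaround changes: MPF redirection of traffic
# to the IPS SSP ("ips inline|promiscuous" under a policy-map class) and whether
# fragments are accepted ("fragment chain 1" means no fragmented packets).

IPS_ACTION_RE = re.compile(r"^\s+ips\s+(inline|promiscuous)(?:\s+(fail-open|fail-close))?\s*$")
FRAGMENT_RE = re.compile(r"^fragment\s+chain\s+(\d+)(?:\s+(\S+))?\s*$")

def audit_asa_config(config: str) -> dict:
    """Collect IPS redirect actions, service-policy attachments and fragment limits."""
    redirects = []        # (policy-map, class, mode, fail-action)
    applied = []          # (policy-map, scope) from service-policy lines
    fragment_chain = {}   # interface name, or "*" for all interfaces -> chain limit
    pmap = cls = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line[0].isspace():            # top-level command ends any policy-map block
            pmap = cls = None
            parts = line.split()
            if parts[0] == "policy-map" and len(parts) > 1 and parts[1] != "type":
                pmap = parts[1]
            elif parts[0] == "service-policy" and len(parts) > 2:
                applied.append((parts[1], " ".join(parts[2:])))
            elif (m := FRAGMENT_RE.match(line)):
                fragment_chain[m.group(2) or "*"] = int(m.group(1))
            continue
        if pmap and line.strip().startswith("class "):
            cls = line.split()[1]
        elif pmap and cls and (m := IPS_ACTION_RE.match(line)):
            redirects.append((pmap, cls, m.group(1), m.group(2)))
    return {"redirects": redirects, "applied": applied, "fragment_chain": fragment_chain}

def fragmented_traffic_exposure(audit: dict) -> dict:
    """Is traffic still redirected to the IPS SSP, and can fragments reach it?"""
    attached = {name for name, _scope in audit["applied"]}
    active = [r for r in audit["redirects"] if r[0] in attached]
    fragments_blocked = audit["fragment_chain"].get("*") == 1
    return {
        "ips_redirect_active": bool(active),
        "fragments_blocked_on_all_interfaces": fragments_blocked,
        # either workaround from the advisory removes the exposure
        "workaround_in_place": (not active) or fragments_blocked,
    }

# Constructed excerpt modelled on the advisory's MPF example (not a real device config)
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
class-map ips_traffic
 match any
!
policy-map ips_traffic_policy
 class ips_traffic
  ips inline fail-open
!
service-policy ips_traffic_policy global
"""

MITIGATED_CONFIG = SAMPLE_CONFIG + "fragment chain 1\n"

if __name__ == "__main__":
    for label, cfg in (("as deployed", SAMPLE_CONFIG), ("with fragment chain 1", MITIGATED_CONFIG)):
        print(label, fragmented_traffic_exposure(audit_asa_config(cfg)))
```

A policy-map that carries an ips action but is never attached with service-policy is reported as inactive, so the audit reflects what the data plane actually does rather than what is merely defined.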
Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability
There is no workaround for this vulnerability; however, the Cisco IDSM-2 Module administrator should make sure to limit the number of hosts (IP addresses) allowed to connect to the management interface of the system.
To restrict the number of allowed hosts, the administrator should use the access-list command. The no access-list command should be used to remove any hosts or networks from the list.
The following example shows the sequence of commands to remove the access to the full 192.168.1.0/24 network and allow access only to the host with IP address 192.168.1.1:
- Use the show settings command in network-setting configuration mode to see the current allowed hosts or networks. The following example shows that the Cisco IDSM-2 is configured to allow all the hosts in the 192.168.1.0/24 network:
sensor(config-hos-net)# show settings
network-settings
-----------------------------------------------
[...]
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 192.168.1.0/24
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds
login-banner-text:
[...]
- Use the access-list command in network-setting configuration mode to add the 192.168.1.1 host. If this will be the only allowed host, make sure it is also the one from which you are executing the configuration, to avoid losing connectivity to the Cisco IDSM-2 Module.
sensor(config-hos-net)# access-list 192.168.1.1/32
- Use the no access-list command in network-setting configuration mode to remove the 192.168.1.0/24 network from the allowed hosts list.
sensor(config-hos-net)# no access-list 192.168.1.0/24
- Use the show settings command in network-setting configuration mode to check that the list of allowed hosts is correct:
sensor(config-hos-net)# show settings
network-settings
-----------------------------------------------
[...]
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 192.168.1.1/32
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds
login-banner-text:
[...]
- Exit and apply the configuration:
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
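The order of the steps above matters: the narrower entry is added before the broader one is removed, and the host you are configuring from must be in the final list or the session is cut off. The following is an added example (the editor's code, not Cisco's) that reads the network-address entries from show settings output, refuses a change that would exclude the administrator's own source address, and emits the access-list / no access-list commands in the safe order. The show settings text is a constructed sample in the advisory's format, not captured from a sensor.

```python
import ipaddress
from typing import List

# Editor's added example, not Cisco code: plan the management access-list change
# from this advisory's IDSM-2 workaround without locking out the administrator.
# Additions are emitted before removals, and the final list is checked against
# the admin's own source address before any command is produced.

def parse_access_list(show_settings: str) -> List[ipaddress.IPv4Network]:
    """Collect the network-address entries from 'show settings' output."""
    nets = []
    for line in show_settings.splitlines():
        line = line.strip()
        if line.startswith("network-address:"):
            nets.append(ipaddress.ip_network(line.split(":", 1)[1].strip(), strict=False))
    return nets

def admin_remains_allowed(desired: List[str], admin_ip: str) -> bool:
    """True if the administrator's source address is covered by the desired list."""
    admin = ipaddress.ip_address(admin_ip)
    return any(admin in ipaddress.ip_network(n, strict=False) for n in desired)

def plan_access_list_change(current: List[str], desired: List[str], admin_ip: str) -> List[str]:
    """Return the ordered sensor commands that move 'current' to 'desired'."""
    if not admin_remains_allowed(desired, admin_ip):
        raise ValueError(f"{admin_ip} is not in the desired list; applying it would lock you out")
    cur = [ipaddress.ip_network(n, strict=False) for n in current]
    want = [ipaddress.ip_network(n, strict=False) for n in desired]
    # add new entries first so the admin host stays allowed at every step
    commands = [f"access-list {n.with_prefixlen}" for n in want if n not in cur]
    commands += [f"no access-list {n.with_prefixlen}" for n in cur if n not in want]
    return commands

# Constructed sample in the format the advisory quotes (not captured from a device)
SAMPLE_SHOW_SETTINGS = """\
network-settings
-----------------------------------------------
   access-list (min: 0, max: 512, current: 1)
   -----------------------------------------------
      network-address: 192.168.1.0/24
   -----------------------------------------------
   ftp-timeout: 300 seconds
"""

if __name__ == "__main__":
    current = [n.with_prefixlen for n in parse_access_list(SAMPLE_SHOW_SETTINGS)]
    for cmd in plan_access_list_change(current, ["192.168.1.1/32"], "192.168.1.1"):
        print(f"sensor(config-hos-net)# {cmd}")
```

Running it with the advisory's values prints the two commands in the same order the procedure uses: access-list 192.168.1.1/32 first, then no access-list 192.168.1.0/24.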
Additional mitigation information for the vulnerabilities described in this advisory is available in the companion Applied Mitigation Bulletin (AMB) at the following location:
https://sec.cloudapps.cisco.com/security/center/viewAMBAlert.x?alertId=29271
-
Cisco has released software updates that address all the vulnerabilities in this advisory with the exception of the Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability. Customers running a vulnerable version of Cisco IDSM-2 module should refer to the "Workarounds" section of this advisory for available mitigations.
Recommended Releases
The following table lists the recommended Cisco IPS Software releases that correct all the vulnerabilities described in this security advisory:
Products                                           Recommended
Cisco ASA 5500-X Series IPS SSP software modules   7.1(7p1)E4 and higher
Cisco ASA 5585-X Series IPS SSP hardware modules   7.1(7)E4 and higher
Cisco IPS 4500 Series Sensors                      7.1(7)E4 and higher
Cisco IPS 4300 Series Sensors                      7.1(7)E4 and higher
Cisco IPS NME                                      7.0(9)E4 and higher
Cisco IDSM-2                                       No available releases - See "Workarounds" section for available mitigations
The following tables list the first fixed releases that contain the fixes for individual vulnerabilities in this advisory for each of the affected products. Note that this information is provided for completeness only because different vulnerabilities have different first-fixed releases. Refer to the previous table for releases that have fixes for all vulnerabilities in this advisory.
Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability
The following table lists the fixed releases for the Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability for each of the affected products:
Products                                                        Affected Releases       Resolved In
Cisco ASA 5500-X Series IPS-SSP software and hardware modules   7.1(x)E4                7.1(5)E4
Cisco IPS 4500 Series Sensors                                   7.1(4)E4                7.1(6)E4
Cisco IPS 4300 Series Sensors                                   7.1(3)E4 and 7.1(4)E4   7.1(5)E4
Note: Cisco IPS Software release 7.1(5)E4 is not available for download anymore due to instability issues.
Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability
The following table lists the fixed releases for the Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability for each of the affected products:
Products                                           Affected Releases           Resolved In
Cisco ASA 5500-X Series IPS SSP software modules   7.1(4)E4 through 7.1(7)E4   7.1(7p1)E4
Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability
The following table lists the fixed releases for the Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability for each of the affected products:
Products                                                              Affected Releases   Resolved In
Cisco Intrusion Prevention System Network Module Enhanced (IPS NME)   All                 7.0(9)E4
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
The Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability, Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability, and Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability were discovered during internal testing.
The Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability was discovered during resolution of support cases.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0 2013-July-17 Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.