Summary

• A vulnerability in the EnergyWise module of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device.
  
  The vulnerability is due to improper parsing of crafted EnergyWise packets destined to an affected device. An attacker could exploit this vulnerability by sending a crafted EnergyWise packet to be processed by an affected device. An exploit could allow the attacker to cause a reload of the affected device.
  
  Cisco has released software updates that address this vulnerability.
  
  There are no workarounds for this vulnerability.
  
  This advisory is available at the following link:
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140806-energywise

Affected Products

• Vulnerable Products

  Cisco devices that are running an affected release of Cisco IOS and Cisco IOS XE Software and configured for EnergyWise operation are affected by this vulnerability.
  
  The EnergyWise feature is not enabled by default on Cisco IOS and Cisco IOS XE devices.
  
  To determine whether a Cisco IOS device is configured with EnergyWise, use the show run | include energywise command. The following example is the output of the show run | include energywise command on a Cisco IOS device configured with the minimum EnergyWise configuration needed to enable its operation:
  
  

  Router#show run | include energywise 
  energywise domain test_domain security shared-secret 0 test123
  
  

  Note: The EnergyWise domain configuration is the minimum configuration required to enable the EnergyWise feature on a Cisco IOS device.
  

  
  To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.
  
  The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:
  

  
  

  Router>show version 
  Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1) 
  Technical Support: http://www.cisco.com/techsupport 
  Copyright (c) 1986-2009 by cisco Systems, Inc. 
  Compiled Wed 02-Dec-09 17:17 by prod_rel_team 
  
  
  

  Products Confirmed Not Vulnerable

  Products and services included in the Cisco EnergyWise Suite, formerly known as JouleX Energy Manager solutions, are not affected by this vulnerability.
  
  The Cisco EnergyWise Management for Data Center, Cisco EnergyWise Management for Distributed Office, Cisco EnergyWise Discovery Service, and Cisco EnergyWise Optimization Service are not affected by this vulnerability.
  
  Cisco IOS XR is not affected by this vulnerability.
  
  No other Cisco products are currently known to be affected by this vulnerability.

Details

• Cisco EnergyWise began as a Cisco IOS Software-based protocol used to measure and control the energy use of an enterprise IT network.
  
  In a Cisco EnergyWise network, EnergyWise monitors and manages the power usage of powered devices in a domain including Cisco networking devices, Power over Ethernet (PoE) endpoints, and endpoints running agents built using the software development kit (SDK).
  
  A vulnerability in the EnergyWise module of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device.
  
  The vulnerability is due to improper parsing of crafted EnergyWise packets destined to an affected device. An attacker could exploit this vulnerability by sending a crafted EnergyWise packet to be processed by an affected device. An exploit could allow the attacker to cause a reload of the affected device.
  
  Both UDP and TCP packets destined to an affected device can be used to exploit this vulnerability. Traffic transiting an affected device cannot be used to exploit this vulnerability.
  
  Cisco IOS Software and Cisco IOS XE Software support EnergyWise for IP version 4 (IPv4) communication.
  
  Only IPv4 packets destined to a device configured as an EnergyWise domain member can trigger this vulnerability. IPv6 packets cannot be used to trigger this vulnerability.
  
  An attacker could exploit this vulnerability using IPv4 packets sent on TCP or UDP port 43440.
  
  An exploit could cause Cisco IOS and Cisco IOS XE Software to reload, leading to a denial of service (DoS) condition.
  
  This vulnerability is documented in Cisco bug ID CSCup52101 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2014-3327.
  
  

  Protocol and Port Details

  Cisco EnergyWise domain members communicate with other EnergyWise-enabled devices over three independent communication channels:
  

  • Cisco Discovery Protocol or UDP messages for neighbor discovery
  • TCP packets for management applications
  • TCP packets for control messages sent to EnergyWise-enabled endpoints

  
  

  Cisco Discovery Protocol or UDP Messages

  
  Cisco EnergyWise domain members use Cisco Discovery Protocol when it is enabled or EnergyWise UDP messages to automatically discover neighbors. By default, UDP port 43440 is enabled on an EnergyWise domain member.
  
  Only packets sent on UDP port 43440 for neighbor discovery can be used to exploit this vulnerability.
  
  Note: You have the option to change the default UDP port number (43440) that the EnergyWise device will listen to by using the energywise domain domain security shared-secret 0 secret protocol udp port udp-port-number command.
  
  

  TCP Packets for Management Applications

  
  In addition, a domain member may also have a management port configured for the Cisco EnergyWise management API (MAPI). Applications that use the MAPI can connect to the management port configured on a domain member and use that port for communication between the management workstation and domain members.
  
  The management port is not enabled by default. Administrators can configure this option with the energywise management security shared-secret 0 shared-secret command. The configuration defaults to TCP port 43440.
  
  If a management port is configured, management packets sent on TCP port 43440 can be used to exploit this vulnerability.
  
  Note: You have the option to change the TCP port number that the EnergyWise device will listen to for management communication by using the energywise management security shared-secret 0 shared-secret port tcp-port-number command. The default is TCP port 43440.
  
  

  TCP Packets for Control Messages

  
  Cisco EnergyWise domain members can also be configured to send queries and control messages to PoE endpoints and endpoints running agents built using the SDK.
  
  Domain members and endpoints receive power from an AC or DC power source or a power supply. PoE domain members and endpoints also receive power from PoE switches or Cisco EtherSwitch service modules.
  
  The Cisco EnergyWise domain member can be configured to communicate with endpoints with the following configuration command: energywise endpoint security shared-secret.
  
  If configured, EnergyWise endpoint communication uses TCP port 43440. EnergyWise endpoint communication is not enabled by default.
  
  If EnergyWise endpoint communication is configured, packets from endpoints sent on TCP port 43440 can be used to exploit this vulnerability.
  
  Note: EnergyWise domain members configured for endpoint communication listen on the same TCP socket used for management. If EnergyWise management functionality is not configured, the default TCP port used for endpoint communication cannot be changed.
  
  

Workarounds

• There are no workarounds for this vulnerability.

  Additional mitigations that can be deployed on Cisco devices in the network are in the Cisco Applied Intelligence companion document for this advisory: https://sec.cloudapps.cisco.com/security/center/viewAMBAlert.x?alertId=34962

Fixed Software

• When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
  
  

  Cisco IOS Software

  
  Each row of the following Cisco IOS Software table corresponds to a Cisco IOS Software train. If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release column. Cisco recommends upgrading to the latest available release where possible.
  
  The Cisco IOS Software Checker allows customers to search for Cisco Security Advisories that address specific Cisco IOS Software releases. This tool is available on the Cisco Security (SIO) portal at https://sec.cloudapps.cisco.com/security/center/selectIOSVersion.x
  
  

  Major Release	Availability of Repaired Releases
  Affected 12.0-Based Releases	First Fixed Release
  There are no affected 12.0 based releases
  Affected 12.2-Based Releases	First Fixed Release
  12.2EX	Vulnerable; migrate to any release in 12.2SEG Releases up to and including 12.2(55)EX2 are not vulnerable.
  12.2EY	Vulnerable; migrate to any release in 15.1EY Releases up to and including 12.2(55)EY are not vulnerable.
  12.2EZ	Releases up to and including 12.2(55)EZ are not vulnerable.
  12.2IRB	Not vulnerable
  12.2IRC	Not vulnerable
  12.2IRD	Not vulnerable
  12.2IRE	Not vulnerable
  12.2IRF	Not vulnerable
  12.2IRG	Not vulnerable
  12.2IRH	Not vulnerable
  12.2IRI	Not vulnerable
  12.2IXG	Not vulnerable
  12.2IXH	Not vulnerable
  12.2MC	Not vulnerable
  12.2MRA	Not vulnerable
  12.2MRB	Not vulnerable
  12.2SB	Not vulnerable
  12.2SCA	Not vulnerable
  12.2SCB	Not vulnerable
  12.2SCC	Not vulnerable
  12.2SCD	Not vulnerable
  12.2SCE	Not vulnerable
  12.2SCF	Not vulnerable
  12.2SCG	Not vulnerable
  12.2SCH	Not vulnerable
  12.2SCI	Not vulnerable
  12.2SE	Releases up to and including 12.2(55)SE9 are not vulnerable.
  12.2SEG	Not vulnerable
  12.2SG	Not vulnerable
  12.2SGA	Not vulnerable
  12.2SM	Not vulnerable
  12.2SQ	Not vulnerable
  12.2SRA	Not vulnerable
  12.2SRB	Not vulnerable
  12.2SRC	Not vulnerable
  12.2SRD	Not vulnerable
  12.2SRE	Not vulnerable
  12.2STE	Not vulnerable
  12.2SV	Not vulnerable
  12.2SVD	Not vulnerable
  12.2SVE	Not vulnerable
  12.2SW	Not vulnerable
  12.2SXF	Not vulnerable Please see IOS Software Modularity Patch
  12.2SXH	Not vulnerable Please see IOS Software Modularity Patch
  12.2SXI	Not vulnerable
  12.2SXJ	Not vulnerable
  12.2SY	Not vulnerable
  12.2WO	Not vulnerable
  12.2XNA	Please see Cisco IOS-XE Software Availability
  12.2XNB	Please see Cisco IOS-XE Software Availability
  12.2XNC	Please see Cisco IOS-XE Software Availability
  12.2XND	Please see Cisco IOS-XE Software Availability
  12.2XNE	Please see Cisco IOS-XE Software Availability
  12.2XNF	Please see Cisco IOS-XE Software Availability
  12.2XO	Not vulnerable
  12.2ZYA	Not vulnerable
  Affected 12.3-Based Releases	First Fixed Release
  There are no affected 12.3 based releases
  Affected 12.4-Based Releases	First Fixed Release
  There are no affected 12.4 based releases
  Affected 15.0-Based Releases	First Fixed Release
  15.0EA	Not vulnerable
  15.0EB	Not vulnerable
  15.0EC	Not vulnerable
  15.0ED	Vulnerable; First fixed in Release 15.2E
  15.0EH	Vulnerable; First fixed in Release 15.2E
  15.0EJ	Vulnerable; First fixed in Release 15.2E
  15.0EK	Releases prior to 15.0(2)EK1 are vulnerable; Releases 15.0(2)EK1 and later are not vulnerable. First fixed in Release 15.2E
  15.0EX	Not vulnerable
  15.0EY	Not vulnerable
  15.0EZ	Not vulnerable
  15.0M	Not vulnerable
  15.0MR	Not vulnerable
  15.0S	Not vulnerable
  15.0SE	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
  15.0SG	Not vulnerable
  15.0SQC	Not vulnerable
  15.0SY	Not vulnerable
  15.0XA	Not vulnerable
  15.0XO	Not vulnerable
  Affected 15.1-Based Releases	First Fixed Release
  15.1EY	Not vulnerable
  15.1GC	Not vulnerable
  15.1M	Not vulnerable
  15.1MR	Not vulnerable
  15.1MRA	Not vulnerable
  15.1S	Not vulnerable
  15.1SG	Vulnerable; First fixed in Release 15.2E
  15.1SNG	Not vulnerable
  15.1SNH	Not vulnerable
  15.1SNI	Not vulnerable
  15.1SY	15.1(1)SY4; Available on 31-OCT-14
  15.1T	Not vulnerable
  15.1XO	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
  Affected 15.2-Based Releases	First Fixed Release
  15.2E	15.2(3)E; Available on 23-OCT-14
  15.2EA	Not vulnerable
  15.2EB	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
  15.2EY	Not vulnerable
  15.2GC	Not vulnerable
  15.2JA	Not vulnerable
  15.2JAC	Not vulnerable
  15.2JAX	Not vulnerable
  15.2JB	Not vulnerable
  15.2JN	Not vulnerable
  15.2M	Not vulnerable
  15.2S	Not vulnerable
  15.2SA	Not vulnerable
  15.2SNG	Not vulnerable
  15.2SNH	Not vulnerable
  15.2SNI	Not vulnerable
  15.2T	Not vulnerable
  Affected 15.3-Based Releases	First Fixed Release
  There are no affected 15.3 based releases
  Affected 15.4-Based Releases	First Fixed Release
  15.4CG	Not vulnerable
  15.4M	Not vulnerable
  15.4S	Not vulnerable
  15.4T	Not vulnerable

  
  

  Cisco IOS XE Software

  
  

  Affected Release	First Fixed Release
  2.x	Not vulnerable
  3.1.xSG	Not vulnerable
  3.2.xSG	Not vulnerable
  3.2.xSE	Not vulnerable
  3.2.xSQ	Not vulnerable
  3.2.xXO	Vulnerable
  3.3.xXO	Vulnerable
  3.3.xSG	Vulnerable
  3.3.xSQ	Not vulnerable
  3.4.xSG	Vulnerable
  3.5.xE	3.5.3E
  3.6.xE	Vulnerable
  3.2.xS	Not vulnerable
  3.3.xS	Not vulnerable
  3.4.xS	Not vulnerable
  3.5.xS	Not vulnerable
  3.6.xS	Not vulnerable
  3.7.xS	Not vulnerable
  3.8.xS	Not vulnerable
  3.9.xS	Not vulnerable
  3.10.xS	Not vulnerable
  3.11.xS	Not vulnerable
  3.12.xS	Not vulnerable

  
  For mapping of Cisco IOS XE to Cisco IOS releases, please refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and Cisco IOS XE 3SG Release Notes, available at http://www.cisco.com/en/US/docs/ios/ios_xe/2/release/notes/rnasr21.html#wp2310700,
  http://www.cisco.com/en/US/docs/ios/ios_xe/3/release/notes/asr1k_rn_3s_sys_req.html#wp2999052 and
  http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_24726.html#wp2570252 respectively.

  
  

  Customers with service contracts should contact Cisco support organization per the instructions in the "Obtaining Fixed Software" section of this advisory.
  

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

  This vulnerability was found and reported to Cisco by Ayhan Koca and Matthias Luft of ERNW GmbH.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140806-energywise

Revision History

• Revision 1.2	2014-August-20	Added 3.3xXO to the list of vulnerable IOS XE releases. Marked 15.0EX, 15.0EZ, 15.2S, and 15.4S not vulnerable and removed from affected IOS releases.
  Revision 1.1	2014-August-15	Added 3.6xE to the list of vulnerable IOS XE releases.
  Revision 1.0	2014-August-06	Initial public release.

  Show Less