Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2007.0818 -- [Cisco]
Cisco Security Response: Extensible Authentication Protocol Vulnerability
25 October 2007
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Wireless EAP
Wired EAP (Cisco IOS)
Wired EAP (Cisco CatOS)
Publisher: Cisco Systems
Operating System: Cisco
Impact: Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2007-5651
Original Bulletin:
http://www.cisco.com/warp/public/707/cisco-sr-20071019-eap.shtml
Revision History: October 25 2007: Added CVE
October 22 2007: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Response: Extensible Authentication Protocol
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sr-20071019-eap.shtml
Revision 1.0
============
For Public Release 2007 October 19 1600 UTC (GMT)
- - ---------------------------------------------------------------------
Cisco Response
==============
This is the Cisco PSIRT response to a presentation that was delivered
by Laurent Butti, Julien Tinnes and Franck Veysset of France Telecom
Group at Hack.lu on October 19th, 2007.
The presentation identifies a vulnerability in Cisco's implementation
of Extensible Authentication Protocol (EAP) that exists when
processing a crafted EAP Response Identity packet. This vulnerability
affects several Cisco products that have support for wired or
wireless EAP implementations.
The Cisco PSIRT team greatly appreciates the opportunity to work with
researchers on security vulnerabilities, and we welcome the
opportunity to review and assist in product reports.
This vulnerability is documented in the following Cisco bug IDs:
* Wireless EAP - CSCsj56438
* Wired EAP - CSCsb45696 and CSCsc55249
This Cisco Security Response is available at the following link:
http://www.cisco.com/warp/public/707/cisco-sr-20071019-eap.shtml.
Additional Information
======================
As described in RFC3748, EAP is an authentication framework that
supports multiple authentication methods. Typically, EAP runs
directly over data link layers, such as Point-to-Point Protocol (PPP)
or IEEE 802, without requiring IP.
Vulnerable Products
+------------------
This vulnerability affects both wired and wireless implementation on
Cisco devices.
EAP is not configured by default on any of these Cisco devices.
The following Cisco products support Wireless EAP and are affected by
this vulnerability (CSCsj56438):
* Access Points and 1310 Wireless Bridges running Cisco IOS in
autonomous mode.
Access Points and 1310 Wireless Bridges running in LWAPP mode are
not affected.
To confirm if an Access Point runs Cisco IOS in autonomous mode,
log into the device and issue the command line interface (CLI)
command "show version | include IOS". Access Points in autonomous
mode will have -K9W7- in the image names, while Access Points in
LWAPP mode will have -K9W8- in their name. The example below
shows an Access Point in autonomous mode:
AP#show version | include IOS
Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.4(3g)JA, RELEASE SOFTWARE (fc2)
AP#
To determine if EAP is enabled on the Access Point, log into the
device and issue the "show running-config" CLI command. If the
output contains the "authentication open eap <method_name>" or
"authentication network-eap <method_name>" then the device is
vulnerable. The example below shows a vulnerable Access Point:
AP#show running-config
...
dot11 ssid test
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
guest-mode
infrastructure-ssid optional
...
AP#
If an attacker successfully exploits this vulnerability against
an Access Point, the device will reload. Repeated exploitation
will result in a sustained Denial of Service (DoS) attack.
This vulnerability was reported to Cisco by Laurent Butti and
Benoit Stopin.
The following Cisco products support Wired EAP and are affected by
this vulnerability.
* All Cisco switches running affected versions of Cisco IOS
(CSCsb45696).
Cisco switches are vulnerable if they run an EAP authenticator.
EAP supplicants are not vulnerable.
To determine if EAP authenticator is enabled on a switch, log
into the device and issue the
"show running-config | include dot1x" CLI command. If the output
contains either "dot1x pae authenticator" or "dot1x pae both",
then the device is vulnerable to exploits via the interface
where these commands appear. The example below shows a device
that has EAP authenticator enabled:
switch#show running-config | include dot1x
dot1x system-auth-control
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 1
dot1x timeout ratelimit-period 1
dot1x max-start 10
dot1x max-req 10
switch#
A related Cisco bug ID, CSCsi70426, exists and displays a
traceback message on the console or syslogs when receiving the
crafted EAP-ID-RESPONSE packet. However, the device will continue
to operate.
* All Cisco switches running affected versions of Cisco CatOS
(CSCsc55249).
Cisco switches are vulnerable if they run an EAP authenticator.
EAP supplicants are not vulnerable.
To determine if EAP authenticator is enabled on a switch, log
into the device and issue the "show run all | include dot1x" CLI
command. If the output contains both
"set dot1x system-auth-control enable" and any occurrence of
"set port dot1x <mod/port> port-control auto", then the device is
vulnerable for exploitation via the port where the
"set port dot1x" commands appear. An example is shown below of a
device that has EAP authenticator enabled:
Console> (enable) show run all | include dot1x
#dot1x
set dot1x system-auth-control enable
set dot1x quiet-period 60
set dot1x tx-period 30
set dot1x shutdown-timeout 300
set dot1x supp-timeout 30
set dot1x server-timeout 30
set dot1x max-req 2
set dot1x max-reauth-req 2
set dot1x re-authperiod 3600
set dot1x radius-accounting disable
set dot1x radius-vlan-assignment enable
set dot1x radius-keepalive enable
set dot1x critical-recovery-delay 100
set port dot1x 10/2 port-control auto
Console> (enable)
There are no workarounds for this vulnerability on wired or wireless
implementations of EAP.
Successful exploitation of the vulnerability on either the wired or
wireless device will result in a reload of the device. Repeated
exploitation could result in a sustained DoS attack.
The list below describes the affected trains and the first fixed
release:
+-------------------------------------------------------------------+
| Wireless EAP - CSCsj56438 |
|-------------------------------------------------------------------|
| Affected Release | First Fixed Releases |
|---------------------+---------------------------------------------|
| 12.3.JA | Vulnerable; |
| | For AP1100s & AP1200s migrate to |
| | 12.3(8)JEC or later. |
| | For AP1130, AP1240, AP1310 & AP1410 |
| | migrate to 12.4(3g)JA2 or later. |
|-------------------------------------------------------------------|
| 12.3.JEA | Vulnerable; migrate to 12.3(8)JEC or later |
|-------------------------------------------------------------------|
| 12.3.JEB | Vulnerable; migrate to 12.3(8)JEC or later |
|-------------------------------------------------------------------|
| 12.3.JEC | 12.3(8)JEC or later; available 24-Oct-07 |
|-------------------------------------------------------------------|
| 12.4.JA | 12.4(3g)JA2 or later |
+-------------------------------------------------------------------+
+-------------------------------------------------------------------+
| Wired EAP (Cisco IOS) - CSCsb45696 |
|-------------------------------------------------------------------|
| Affected Major Release | First Fixed Releases |
|------------------------+------------------------------------------|
| | 12.1(27b)E2 or later |
| |------------------------------------------|
| 12.1 | 12.1(22)EA6 or later |
| |------------------------------------------|
| | 12.1(26)EB2 or later |
|------------------------+------------------------------------------|
| | 12.2(18)EW6 or later |
| |------------------------------------------|
| | 12.2(18)S13 or later |
| |------------------------------------------|
| | 12.2(18)SXF9 or later |
| |------------------------------------------|
| | 12.2.18-ZY1 or later |
| |------------------------------------------|
| | 12.2(20)S13 or later |
| |------------------------------------------|
| | 12.2(25)EWA4 or later |
| 12.2 |------------------------------------------|
| | 12.2(25)EX or later |
| |------------------------------------------|
| | 12.2(25)FX or later |
| |------------------------------------------|
| | 12.2(25)SED or later |
| |------------------------------------------|
| | 12.2(25)SG or later |
| |------------------------------------------|
| | 12.2(31)SB6 or later |
| |------------------------------------------|
| | 12.2(33)SRA4 or later |
+-------------------------------------------------------------------+
+-------------------------------------------------------------------+
| Wired EAP (Cisco CatOS) - CSCsc55249 |
|-------------------------------------------------------------------|
| Affected Major Release | First Fixed Releases |
|------------------------+------------------------------------------|
| 6.x | Vulnerable; migrate to 8.5 or 8.6 |
|------------------------+------------------------------------------|
| 7.x | Vulnerable; migrate to 8.5 or 8.6 |
|------------------------+------------------------------------------|
| | 8.5(9) or later. |
| 8.x |------------------------------------------|
| | 8.6(1) or later. |
+-------------------------------------------------------------------+
No other Cisco IOS major release trains are known to be affected by
this vulnerability.
For more information on the terms "releases" and "trains," consult
the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml
Products Confirmed Not Vulnerable
+--------------------------------
The following Cisco products that support the EAP framework have been
confirmed as not affected by this vulnerability:
* Access Points
- Access Points running VxWorks (cisco 1000s)
- Lightweight Access Point (LAP) in local mode
- Lightweight Access Point (LAP) in H-/REAP mode
- 1310 Wireless Bridge operating in LWAPP mode
- 1410 Wireless Bridge.
* Wireless LAN Controllers
- Cisco Airespace 3500 Series WLAN Controller
- Cisco Airespace 4000 Series Wireless LAN Controller
- Cisco 2000 series wireless LAN controllers
- Cisco 2100 Series Wireless LAN Controllers
- Cisco 4100 Series Wireless LAN Controllers
- Cisco 4400 Series Wireless LAN Controllers
- Cisco Wireless LAN Controller Module (NM-AIR-WLC6-K9)
- Cisco Catalyst 3750 Series Integrated WLC
- Cisco Catalyst 6500 Series WiSM
* Wireless Integrated Routers (Wireless Access Point - Wireless EAP
and Wired EAP)
- Cisco 800 Series Routers
- Cisco 1800 Series Integrated Services Routers
- Cisco 2800 Series Integrated Services Routers
- Cisco 3200 Series Wireless and Mobile Routers
- Cisco 3800 Series Integrated Services Routers
* Mobile Wireless
- Cisco 521 Wireless Express Access Point (both as Autonomous AP
and LWAPP)
- Cisco 526 Wireless Express Mobility Controller
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
Revision History
================
+---------------------------------------------------------+
| Revision 1.0 | 2007-October-19 | Initial Public Release |
+---------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
iD8DBQFHGNev8NUAbBmDaxQRAj/AAJ9BKS9a+XGHBPoCQgSy9nJEBeuyHACfWWyx
OUq29HMA8gctByeB/WflHHg=
=JjUD
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRyBKfyh9+71yA2DNAQKYxgP/Q6isQELs+X/iPzGVQTNFtkEWIVbu8MhJ
6qGhMzDrUGdacrN9nGkPHNswVqdvZPZBGQGO++XxTwIq2FeRm4zdZ42UtdM/rx3t
UKRx+fxJHIlGtgQyMbMYqa9IOPpM5HRnJaTz05FLs3u7Wv+uKp+25XDM0w9uF189
SJJFL1krej0=
=eVHh
-----END PGP SIGNATURE-----