Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.2581
Cisco ASR 900 Series Aggregation Services Routers Buffer
Overflow Vulnerability
3 November 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco ASR 900 Series
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-6441
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-tl1
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Security Advisory
Cisco ASR 900 Series Aggregation Services Routers Buffer Overflow
Vulnerability
Critical
Advisory ID: cisco-sa-20161102-tl1
First Published: 2016 November 2 16:00 GMT
Version 1.0: Final
Workarounds: Yes
Cisco Bug IDs:
CSCuy15175
CVSS Score:
Base 10.0, Temporal 8.3
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVE-2016-6441
CWE-119
Summary
A vulnerability in the Transaction Language 1 (TL1) code of Cisco ASR 900
Series routers could allow an unauthenticated, remote attacker to cause a
reload of, or remotely execute code on, the affected system.
The vulnerability exists because the affected software performs incomplete
bounds checks on input data. An attacker could exploit this vulnerability by
sending a malicious request to the TL1 port, which could cause the device to
reload. An exploit could allow the attacker to execute arbitrary code and
obtain full control of the system or cause a reload of the affected system.
Cisco has released software updates that address this vulnerability. There are
workarounds that address this vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-tl1
Affected Products
Vulnerable Products
This vulnerability affects Cisco ASR 900 Series Aggregation Services Routers
(ASR902, ASR903, and ASR907) that are running the following releases of Cisco
IOS XE Software:
3.17.0S
3.17.1S
3.17.2S
3.18.0S
3.18.1S
Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device,
administrators can log in to the device, use the show version command in the
CLI, and then refer to the system banner that appears. If the device is
running Cisco IOS XE Software, the system banner displays Cisco IOS XE
Software or similar text.
The following example shows the output of the show version command on a device
that is running Cisco IOS XE Software Release 3.17.01.S:
Router>show version
Cisco IOS XE Software, Version 03.17.01.S - Standard Support Release
Cisco IOS Software, ASR903 Software (PPC_LINUX_IOSD-UNIVERSALK9_NPE-M),
Version 15.6(1)S1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Wed 09-Mar-16 06:34 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2016 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
For information about the naming and numbering conventions for Cisco IOS XE
Software releases, see White Paper: Cisco IOS and NX-OS Software Reference
Guide.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this
vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
products:
Cisco ASR 901 Series Aggregation Services Routers
Cisco ASR 901 10G Series Aggregation Services Routers
Cisco ASR 901S Series Aggregation Services Routers
Cisco ASR 920 Series Aggregation Services Routers
Indicators of Compromise
Exploitation of this vulnerability could cause potential remote code execution
or a reload of the device. The exploit could be confirmed by a decode of the
stack trace, indicating that the device crashed in the TL1 Helper Process. An
error message similar to the following example could be found in the device
logs:
Exception to IOS Thread:
Frame pointer 0x348D3D18, PC = 0x150255E4
UNIX-EXT-SIGNAL: Segmentation fault(11), Process = TL1 Helper Process
- -Traceback= 1#c2f8cd10bbd769d41be54f5792c0ec33 :10000000+50255E4
:10000000+33DEED0 :10000000+33DEED0 :10000000+33D6718 :10000000+33D5444
Workarounds
There are workarounds for this vulnerability. The following mitigation may
help protect an infrastructure until an upgrade to a fixed version of Cisco
IOS XE software can be scheduled:
Infrastructure Access Control Lists
To protect infrastructure devices and minimize the risk, impact, and
effectiveness of direct infrastructure attacks, administrators are advised to
deploy infrastructure access control lists (iACLs) to perform policy
enforcement of traffic sent to infrastructure equipment. Administrators can
construct an iACL by explicitly permitting only authorized traffic sent to
infrastructure devices in accordance with existing security policies and
configurations. For the maximum protection of infrastructure devices, deployed
iACLs should be applied in the ingress direction on all interfaces to which an
IP address has been configured. An iACL workaround cannot provide complete
protection against this vulnerability when the attack originates from a
trusted source address.
The iACL policy denies unauthorized TL1 packets on TCP and UDP ports 3082 and
3083 that are sent to affected devices. In the following example,
192.168.60.0/24 is the IP address space that is used by the affected devices,
and the host at 192.168.100.1 is considered a trusted source that requires
access to the affected devices. Care should be taken to allow required traffic
for routing and administrative access prior to denying all unauthorized
traffic. Whenever possible, infrastructure address space should be distinct
from the address space used for user and services segments. Using this
addressing methodology will assist with the construction and deployment of
iACLs.
ip access-list extended Infrastructure-ACL-Policy
remark - permit trusted TL1 traffic - won't prevent exploitation from these
hosts.
remark - The exploit has only been seen on TCP port 3083, others are included
for completeness.
remark - Do not use these four lines if not using TL1 feature.
permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 3082
permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 3083
permit udp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 3082
permit udp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 3083
!-- The following vulnerability-specific access control entry
!-- (ACE) can aid in identification of attacks.
remark deny all other traffic to TL1 port.
deny tcp any 192.168.60.0 0.0.0.255 eq 3082 log
deny tcp any 192.168.60.0 0.0.0.255 eq 3083 log
deny udp any 192.168.60.0 0.0.0.255 eq 3082 log
deny udp any 192.168.60.0 0.0.0.255 eq 3083 log
!-- Permit or deny all other Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations
!-- Apply iACL to interfaces in the ingress direction
permit ip any any
interface GigabitEthernet0
ip access-group Infrastructure-ACL-Policy in
Fixed Software
Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support for
software versions and feature sets for which they have purchased a license. By
installing, downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Additionally, customers may only download software for which they have a valid
license, procured from Cisco directly, or through a Cisco authorized reseller
or partner. In most cases this will be a maintenance upgrade to software that
was previously purchased. Free security software updates do not entitle
customers to a new software license, additional software feature sets, or
major revision upgrades.
When considering software upgrades, customers are advised to regularly consult
the advisories for Cisco products, which are available from the Cisco Security
Advisories and Alerts page, to determine exposure and a complete upgrade
solution.
In all cases, customers should ensure that the devices to be upgraded contain
sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release. If
the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale should
obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
Customers should have the product serial number available and be prepared to
provide the URL of this advisory as evidence of entitlement to a free upgrade.
Fixed Releases
This vulnerability affects the 3.17S and 3.18S release trains running on
affected products.
Cisco IOS XE Major Affected Release First Fixed Release
3.17S 3.17.3S; Scheduled for 30th November
3.18S 3.18.2S
Additionally to help customers determine their exposure to vulnerabilities in
Cisco IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
that identifies any Cisco Security Advisories that impact a specific Cisco IOS
XE Software release and the earliest release that fixes the vulnerabilities
described in each advisory (First Fixed). If applicable, the tool also returns
the earliest release that fixes all the vulnerabilities described in all the
advisories identified (Combined First Fixed).
Customers can use this tool to perform the following tasks:
Initiate a search by choosing one or more releases from a drop-down menu or
uploading a file from a local system for the tool to parse
Enter the output of the show version command for the tool to parse
Create a custom search by including all previously published Cisco Security
Advisories, a specific advisory, or all advisories in the most recent bundled
publication
To determine whether a release is affected by any published Cisco Security
Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS
XE Software releasefor example, 3.17.0Sin the following field:
Check
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of the vulnerability that is described
in this advisory.
Source
This vulnerability was discovered when handling customer service requests.
URL
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-tl1
Revision History
Version Description Section Status Date
1.0 Initial public release Final 2016-November-02
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWBqLiox+lLeg9Ub1AQjSLw/9EOaVczxFdILEiTtSdibPKXLMTWmTrb3X
qUZlokW5FIypuPYF3u4BTHBATgrr3xo0zBGfI8mdbaR7ozu8NQzDlzh/4daKPaOh
F4CElND8PqIKMvVgYBukkeWV4VA0PpHzQV0Q06k1lI9eFTlqTwCbTofPhl8OjoZG
QA/LAKdS00JPbqDxHB15vS2Lufj+YWeIJbehLNzUVkNNB3AboiM0SRWFL/pjXLyg
qq2T83p9YR8hybZxHhNPwox/h7/LNobtAsZOpFlNwyISynvlsWqrS4TmmRbkf2bD
op9EcJ5SfyfZ1TGBsVRz/ypUSLbbfXvTb0ql0rywDfnYDfda3Sty0O8XicFe6hIv
cIlVaLxK9jfEBRz3R38tp4/m8pRvOEWD8KYVM321Uj4xWxGb+M4I6tseBMPCXl+J
klR+HjEVOjEtGjr9Mo5XcytWu/pAsIN7ocYrpQm5gyKpN/1nepXwXiE9F+Dma2FO
6pXDTUPIkx8UEwKOpBVry2P3Bt55n65B9O4pWE8rkHMycjsH+xK97+V2SOeQHdvb
+TpEaRlTefPpELE3r2uZpPAmXkES24NZhOkWQXphA43ChWCDweZqLjl3Ww46Ke2M
woMUtnVCa0ir15V86FjeHPwa1e+3HW7goBDMZ1nU/tnuISJxOWueh/Vm0AW5C+l0
lmldK15NuPY=
=M1jC
-----END PGP SIGNATURE-----