-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2581
         Cisco ASR 900 Series Aggregation Services Routers Buffer
                          Overflow Vulnerability
                              3 November 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco ASR 900 Series
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-6441  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-tl1

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Cisco ASR 900 Series Aggregation Services Routers Buffer Overflow 
Vulnerability

Critical

Advisory ID: cisco-sa-20161102-tl1

First Published: 2016 November 2 16:00 GMT

Version 1.0: Final

Workarounds: Yes

Cisco Bug IDs:

CSCuy15175

CVSS Score:

Base 10.0, Temporal 8.3 

AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C

CVE-2016-6441

CWE-119

Summary

A vulnerability in the Transaction Language 1 (TL1) code of Cisco ASR 900 
Series routers could allow an unauthenticated, remote attacker to cause a 
reload of, or remotely execute code on, the affected system.

The vulnerability exists because the affected software performs incomplete 
bounds checks on input data. An attacker could exploit this vulnerability by 
sending a malicious request to the TL1 port, which could cause the device to 
reload. An exploit could allow the attacker to execute arbitrary code and 
obtain full control of the system or cause a reload of the affected system.

Cisco has released software updates that address this vulnerability. There are
workarounds that address this vulnerability.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-tl1

Affected Products

Vulnerable Products

This vulnerability affects Cisco ASR 900 Series Aggregation Services Routers 
(ASR902, ASR903, and ASR907) that are running the following releases of Cisco
IOS XE Software:

3.17.0S

3.17.1S

3.17.2S

3.18.0S

3.18.1S

Determining the Cisco IOS XE Software Release

To determine which Cisco IOS XE Software release is running on a device, 
administrators can log in to the device, use the show version command in the 
CLI, and then refer to the system banner that appears. If the device is 
running Cisco IOS XE Software, the system banner displays Cisco IOS XE 
Software or similar text.

The following example shows the output of the show version command on a device
that is running Cisco IOS XE Software Release 3.17.01.S:

Router>show version

Cisco IOS XE Software, Version 03.17.01.S - Standard Support Release

Cisco IOS Software, ASR903 Software (PPC_LINUX_IOSD-UNIVERSALK9_NPE-M), 
Version 15.6(1)S1, RELEASE SOFTWARE (fc3)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2016 by Cisco Systems, Inc.

Compiled Wed 09-Mar-16 06:34 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2016 by cisco Systems, Inc.

All rights reserved. Certain components of Cisco IOS-XE software are

licensed under the GNU General Public License ("GPL") Version 2.0. The

software code licensed under GPL Version 2.0 is free software that comes

with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such

GPL code under the terms of GPL Version 2.0. For more details, see the

documentation or "License Notice" file accompanying the IOS-XE software,

or the applicable URL provided on the flyer accompanying the IOS-XE

software.

For information about the naming and numbering conventions for Cisco IOS XE 
Software releases, see White Paper: Cisco IOS and NX-OS Software Reference 
Guide.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this 
vulnerability.

Cisco has confirmed that this vulnerability does not affect the following 
products:

Cisco ASR 901 Series Aggregation Services Routers

Cisco ASR 901 10G Series Aggregation Services Routers

Cisco ASR 901S Series Aggregation Services Routers

Cisco ASR 920 Series Aggregation Services Routers

Indicators of Compromise

Exploitation of this vulnerability could cause potential remote code execution
or a reload of the device. The exploit could be confirmed by a decode of the 
stack trace, indicating that the device crashed in the TL1 Helper Process. An
error message similar to the following example could be found in the device 
logs:

Exception to IOS Thread:

Frame pointer 0x348D3D18, PC = 0x150255E4

UNIX-EXT-SIGNAL: Segmentation fault(11), Process = TL1 Helper Process

- -Traceback= 1#c2f8cd10bbd769d41be54f5792c0ec33 :10000000+50255E4 
:10000000+33DEED0 :10000000+33DEED0 :10000000+33D6718 :10000000+33D5444

Workarounds

There are workarounds for this vulnerability. The following mitigation may 
help protect an infrastructure until an upgrade to a fixed version of Cisco 
IOS XE software can be scheduled:

Infrastructure Access Control Lists

To protect infrastructure devices and minimize the risk, impact, and 
effectiveness of direct infrastructure attacks, administrators are advised to
deploy infrastructure access control lists (iACLs) to perform policy 
enforcement of traffic sent to infrastructure equipment. Administrators can 
construct an iACL by explicitly permitting only authorized traffic sent to 
infrastructure devices in accordance with existing security policies and 
configurations. For the maximum protection of infrastructure devices, deployed
iACLs should be applied in the ingress direction on all interfaces to which an
IP address has been configured. An iACL workaround cannot provide complete 
protection against this vulnerability when the attack originates from a 
trusted source address.

The iACL policy denies unauthorized TL1 packets on TCP and UDP ports 3082 and
3083 that are sent to affected devices. In the following example, 
192.168.60.0/24 is the IP address space that is used by the affected devices,
and the host at 192.168.100.1 is considered a trusted source that requires 
access to the affected devices. Care should be taken to allow required traffic
for routing and administrative access prior to denying all unauthorized 
traffic. Whenever possible, infrastructure address space should be distinct 
from the address space used for user and services segments. Using this 
addressing methodology will assist with the construction and deployment of 
iACLs.

ip access-list extended Infrastructure-ACL-Policy

 remark - permit trusted TL1 traffic - won't prevent exploitation from these 
hosts.

 remark - The exploit has only been seen on TCP port 3083, others are included
for completeness.

 remark - Do not use these four lines if not using TL1 feature.

 permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 3082

 permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 3083

 permit udp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 3082

 permit udp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 3083

!-- The following vulnerability-specific access control entry

!-- (ACE) can aid in identification of attacks.

 remark deny all other traffic to TL1 port.

 deny tcp any 192.168.60.0 0.0.0.255 eq 3082 log

 deny tcp any 192.168.60.0 0.0.0.255 eq 3083 log

 deny udp any 192.168.60.0 0.0.0.255 eq 3082 log

 deny udp any 192.168.60.0 0.0.0.255 eq 3083 log

!-- Permit or deny all other Layer 3 and Layer 4 traffic in accordance

!-- with existing security policies and configurations

!-- Apply iACL to interfaces in the ingress direction

 permit ip any any

interface GigabitEthernet0

 ip access-group Infrastructure-ACL-Policy in

Fixed Software

Cisco has released free software updates that address the vulnerability 
described in this advisory. Customers may only install and expect support for
software versions and feature sets for which they have purchased a license. By
installing, downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:

http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

Additionally, customers may only download software for which they have a valid
license, procured from Cisco directly, or through a Cisco authorized reseller
or partner. In most cases this will be a maintenance upgrade to software that
was previously purchased. Free security software updates do not entitle 
customers to a new software license, additional software feature sets, or 
major revision upgrades.

When considering software upgrades, customers are advised to regularly consult
the advisories for Cisco products, which are available from the Cisco Security
Advisories and Alerts page, to determine exposure and a complete upgrade 
solution.

In all cases, customers should ensure that the devices to be upgraded contain
sufficient memory and confirm that current hardware and software 
configurations will continue to be supported properly by the new release. If 
the information is not clear, customers are advised to contact the Cisco 
Technical Assistance Center (TAC) or their contracted maintenance providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service 
contract and customers who make purchases through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale should 
obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Customers should have the product serial number available and be prepared to 
provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases

This vulnerability affects the 3.17S and 3.18S release trains running on 
affected products.

Cisco IOS XE Major Affected Release First Fixed Release

3.17S 3.17.3S; Scheduled for 30th November

3.18S 3.18.2S

Additionally to help customers determine their exposure to vulnerabilities in
Cisco IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker,
that identifies any Cisco Security Advisories that impact a specific Cisco IOS
XE Software release and the earliest release that fixes the vulnerabilities 
described in each advisory (First Fixed). If applicable, the tool also returns
the earliest release that fixes all the vulnerabilities described in all the 
advisories identified (Combined First Fixed).

Customers can use this tool to perform the following tasks:

Initiate a search by choosing one or more releases from a drop-down menu or 
uploading a file from a local system for the tool to parse

Enter the output of the show version command for the tool to parse

Create a custom search by including all previously published Cisco Security 
Advisories, a specific advisory, or all advisories in the most recent bundled
publication

To determine whether a release is affected by any published Cisco Security 
Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS
XE Software releasefor example, 3.17.0Sin the following field:

  Check

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of the vulnerability that is described 
in this advisory.

Source

This vulnerability was discovered when handling customer service requests.

URL

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-tl1

Revision History

Version Description Section Status Date

1.0 Initial public release Final 2016-November-02

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWBqLiox+lLeg9Ub1AQjSLw/9EOaVczxFdILEiTtSdibPKXLMTWmTrb3X
qUZlokW5FIypuPYF3u4BTHBATgrr3xo0zBGfI8mdbaR7ozu8NQzDlzh/4daKPaOh
F4CElND8PqIKMvVgYBukkeWV4VA0PpHzQV0Q06k1lI9eFTlqTwCbTofPhl8OjoZG
QA/LAKdS00JPbqDxHB15vS2Lufj+YWeIJbehLNzUVkNNB3AboiM0SRWFL/pjXLyg
qq2T83p9YR8hybZxHhNPwox/h7/LNobtAsZOpFlNwyISynvlsWqrS4TmmRbkf2bD
op9EcJ5SfyfZ1TGBsVRz/ypUSLbbfXvTb0ql0rywDfnYDfda3Sty0O8XicFe6hIv
cIlVaLxK9jfEBRz3R38tp4/m8pRvOEWD8KYVM321Uj4xWxGb+M4I6tseBMPCXl+J
klR+HjEVOjEtGjr9Mo5XcytWu/pAsIN7ocYrpQm5gyKpN/1nepXwXiE9F+Dma2FO
6pXDTUPIkx8UEwKOpBVry2P3Bt55n65B9O4pWE8rkHMycjsH+xK97+V2SOeQHdvb
+TpEaRlTefPpELE3r2uZpPAmXkES24NZhOkWQXphA43ChWCDweZqLjl3Ww46Ke2M
woMUtnVCa0ir15V86FjeHPwa1e+3HW7goBDMZ1nU/tnuISJxOWueh/Vm0AW5C+l0
lmldK15NuPY=
=M1jC
-----END PGP SIGNATURE-----