Date:	Wed, 24 Mar 1999 19:39:53 -0000
From:	psirt@CISCO.COM
Subject:      Cisco security notice: Cisco Catalyst Supervisor Remote Reload
To:	BUGTRAQ@NETSPACE.ORG

-----BEGIN PGP SIGNED MESSAGE-----

Cisco Catalyst Supervisor Remote Reload

Revision 1.2
For release Wednesday, March 24, 1999, 12:00 PM US/Pacific

Cisco internal use only until release
=================================================================

Summary
=======
A software bug (Cisco bug ID CSCdi74333) allows remote TCP/IP users to cause
reloads of Cisco Catalyst LAN switches running Catalyst 5000 supervisor
software versions from 1.0 through 2.1(5). The affected software was last
shipped with new units in early 1997. In addition to the Catalyst 5xxx
series, some, but not all, Catalyst 29xx family switches may run the
affected software; see "Who is Affected" for more information.

A similar bug, Cisco bug ID CSCdj71684, exists in the supervisor software
for the older, and now discontinued, Catalyst 12xx family, up through
software version 4.29.

Fixes are available for both bugs. The fixes have been in the field for some
time. Most Catalyst switch users have probably already installed the fixes.

Who Is Affected
===============
The following Cisco Catalyst LAN switch models are affected by this
vulnerability--

   * The Catalyst 12xx family, running supervisor software versions up to
     and including 4.29.
   * The Catalyst 29xx family (but not the Catalyst 2900XL), running
     supervisor software versions up to and including 2.1(5), 2.1(501), and
     2.1(502). This includes the Catalyst 2901, 2902, and 2903 switches.
     Catalyst 2926 switches are not affected, because the Catalyst 2926 was
     not released until after the software fix was made. Catalyst 2900XL
     switches run unrelated software, and are not affected by this
     vulnerability.
   * The Catalyst 5xxx series (including the Catalyst 55xx family), running
     supervisor software versions up to and including 2.1(5), 2.1(501), and
     2.1(502).

Catalyst 5xxx and 29xx switches running versions 2.1(6) and later are not
affected. Catalyst 12xx switches running versions 4.30 and later are not
affected. Some Cisco Catalyst switches include intelligent modules that run
software independent of the supervisor software. These modules, which
include a variety of media controllers as well as the route switch module
(RSM), are not affected.

Fixed software for the Catalyst 5xxx and Catalyst 29xx series began shipping
with new switches in mid-1997. Sales of the Catalyst 12xx family were
stopped before the release of software version 4.30; if you have not
upgraded your software since installing your Catalyst 12xx switch, you are
affected by this vulnerability.

The affected Cisco Catalyst LAN switches are rack-mountable units typically
found in data centers and cable closets.

Impact
======
A remote attacker who knows how to exploit this vulnerability, and who can
make a connection to TCP port 7161 on an affected switch, can cause the
supervisor module of that switch to reload. While the supervisor is
reloading, the switch will not forward traffic, and the attack will
therefore deny service to the equipment attached to the switch. The switch
will recover automatically, but repeated attacks can extend the denial of
service indefinitely.

Software Details
================
For the Catalyst 29xx and Catalyst 5xxx switches, this vulnerability has
Cisco bug ID CSCdi74333. The bug is present in all supervisor software
versions through 2.1(5), including the spot fix releases 2.1(501) and
2.1(502). The bug is fixed in 2.1(6) and later versions, including all 2.2,
2.3, and 2.4 versions, and all 3.x, 4.x, and later versions.

For the Catalyst 1200, this vulnerability has Cisco bug ID CSCdj71684. The
bug is present in all software versions through 4.29, and is fixed in 4.30
and later versions.
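
The version ranges above can be checked against a switch inventory. The
following Python sketch is an added example, not part of the Cisco notice or
any Cisco tool. The function names and sample inventory are constructed for
illustration, and it assumes version strings of the form "2.1(5)" or "4.29".

```python
import re

# Spot-fix releases the notice lists as affected; their build numbers sort
# above the fixed 2.1(6), so a plain numeric comparison would miss them.
AFFECTED_SPOT_FIXES = {(2, 1, 501), (2, 1, 502)}


def parse_version(text):
    """Parse '2.1(5)' or '4.29' into (major, minor, build); build is 0 if absent."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\((\d+)\))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised supervisor version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def triage(model, version):
    """Return the Cisco bug ID that applies to this switch, or None."""
    model = model.upper().replace("CATALYST", "").strip()
    # Exceptions named in the notice: unrelated software (2900XL) and a model
    # released after the fix (2926). Checked before parsing the version.
    if model.startswith("2900XL") or model.startswith("2926"):
        return None
    v = parse_version(version)
    if re.fullmatch(r"12\d\d", model):
        # Affected through 4.29, fixed in 4.30 (assumes 4.29 < 4.30 numerically).
        return "CSCdj71684" if v[:2] <= (4, 29) else None
    if re.fullmatch(r"29\d\d|5\d\d\d", model):
        # Affected through 2.1(5) plus the two spot fixes; fixed in 2.1(6).
        if v in AFFECTED_SPOT_FIXES or v <= (2, 1, 5):
            return "CSCdi74333"
        return None
    raise ValueError(f"model not covered by this notice: {model!r}")


# Constructed inventory rows (model, supervisor version), not real devices.
SAMPLE_INVENTORY = [
    ("Catalyst 5000", "2.1(5)"),
    ("Catalyst 5505", "2.1(502)"),
    ("Catalyst 5500", "2.1(12)"),
    ("Catalyst 2901", "2.1(6)"),
    ("Catalyst 1200", "4.29"),
    ("Catalyst 1200", "4.30"),
]

if __name__ == "__main__":
    for model, version in SAMPLE_INVENTORY:
        print(f"{model:15} {version:10} {triage(model, version) or 'not affected'}")
```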

Getting Fixed Software
--------------------
Cisco is offering free software upgrades to remedy this vulnerability for
all vulnerable Catalyst 5xxx, Catalyst 29xx, and Catalyst 12xx customers,
regardless of contract status. Customers with service contracts may upgrade
to any software version. Catalyst 5xxx and Catalyst 29xx customers without
contracts may upgrade to any 2.1 version from 2.1(6) onward; 2.1(12)
is suggested. Catalyst 12xx customers without contracts may upgrade to
version 4.30.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades should
be obtained via the Software Center on Cisco's Worldwide Web site at
http://www.cisco.com.

Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

   * +1 800 553 2447 (toll-free from within North America)
   * +1 408 526 7209 (toll call from anywhere in the world)
   * e-mail: tac@cisco.com

Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested through
the TAC. Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

Workarounds
===========
This vulnerability may be worked around by assigning no IP addresses to
affected Cisco Catalyst switches. However, this workaround will have the
effect of disabling all remote management of those switches.

Another possible workaround is to use the filtering capabilities of
surrounding routers and/or dedicated firewall devices to prevent untrusted
hosts from making connections to TCP port 7161 on affected switches.

Exploitation and Public Announcements
=====================================
Cisco knows of no public announcements or discussion of this vulnerability
before the date of this notice. Cisco has had no reports of malicious
exploitation of this vulnerability. These bugs were identified and reported
by outside companies conducting laboratory testing.

No special tools, and only the most basic of skills, are needed to exploit
this vulnerability. It would not be difficult for a person with minimal
sophistication to find a way to exploit this vulnerability.

Status of This Notice
=====================
This is a final field notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all of the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this notice unless there is some material change in the facts. Should there
be a significant change in the facts, Cisco may update this notice.

Distribution
----------
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/770/cat7161-pub.shtml . In addition to
Worldwide Web posting, the initial version of this notice is being sent to
the following e-mail and Usenet news recipients:

   * cust-security-announce@cisco.com
   * bugtraq@netspace.org
   * first-teams@first.org (includes CERT/CC)
   * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.

Acknowledgements
--------------
Cisco thanks the Internet Security Systems (ISS) X-Force, for independently
discovering this matter and bringing it to the attention of Cisco's Product
Security Incident Response Team (PSIRT).

The initial report of CSCdi74333 was received before the establishment of
the PSIRT, from a customer who has neither requested credit nor given
permission to be named in this notice. Cisco security notices do not name or
credit third parties without their specific permission.

Revision History
--------------
 Revision 1.0, 17:45 US/Pacific 22-MAR-1999: Initial release candidate version

 Revision 1.1, 09:30 US/Pacific 23-MAR-1999: Cosmetic changes

 Revision 1.2, 11:00 US/Pacific 24-MAR-1999: Remove erroneous mention of
 unaffected products.

Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's Worldwide
Web site at http://www.cisco.com/warp/public/791/sec_incident_response.shtml .
This includes instructions for press inquiries regarding Cisco security
notices.

------------------------------------------------------------------------
This notice is copyright 1999 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including
all date and version information.
------------------------------------------------------------------------
