[LWN Logo]

Date:         Thu, 20 Apr 2000 09:21:08 -0400
From: Cisco Systems Product Security Incident Response Team <psirt@CISCO.COM>
Subject:      Cisco Security Advisory: Cisco IOS Software TELNET Option
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----


Cisco IOS Software TELNET Option Handling Vulnerability

Revision 1.0

For public release Thursday 2000/04/20 at 09:00 AM US/Eastern (UTC-0400).

  ---------------------------------------------------------------------------

Summary
=======

A defect in multiple Cisco IOS software versions will cause a Cisco router
to reload unexpectedly when the router is tested for security
vulnerabilities by security scanning software programs. The defect can be
exploited repeatedly to produce a consistent denial of service (DoS) attack.

Customers using the affected Cisco IOS software releases are urged to
upgrade as soon as possible to later versions that are not vulnerable to
this defect. Vulnerable products and releases are listed in detail below.

The security scanner is testing for the presence of two specific
vulnerabilities that affect certain UNIX-based systems. The vulnerabilities
are unrelated to Cisco IOS software and Cisco IOS software is not directly
at risk from them. However, a side-effect of the tests exposes the defect
described in this security advisory, and the router will reload unexpectedly
as soon as it receives any subsequent traffic.

This defect is documented as Cisco Bug ID CSCdm70743.


Affected Products
=================

The following Major Releases of Cisco IOS software are vulnerable to this
defect:

   * 11.3AA
   * 12.0 releases: 12.0(2) up to and including 12.0(6)
   * 12.0(7), except that 12.0(7)S, 12.0(7)T, and 12.0(7)XE are not
     vulnerable

Cisco customers running Cisco IOS software versions 11.3, 11.3T, 11.2 or
lower, and 12.0(8) or 12.1 or higher are not affected. Details regarding
specific releases of Cisco IOS software and suggested upgrade paths are
provided below in the section "Software Versions and Fixes".

This vulnerability affects the following Cisco hardware products if they are
running affected software:

   * AS5200, AS5300, and AS5800 series access servers
   * 7200 and 7500 series routers
   * ubr7200 series cable routers
   * 7100 series routers
   * 3660 series routers
   * SC3640 System Controllers (see the explanation below)
   * AS5800 series Voice Gateway products
   * AccessPath LS-3, TS-3, and VS-3 Access Solutions products

The SC3640 System Controller is a Cisco 3640 router customized to provide
local management of multiple access servers. The Cisco SC3640 binary image
contains the defect and thus is vulnerable if it is possible for the
attacker to telnet to the device. However, the original Cisco 3640 router
does not contain the defect and is not vulnerable to the denial of service
attack described in this notice.

No other Cisco products are affected by this vulnerability.


Description
===========

Software packages are available from various commercial and free sites that
perform automated remote tests for computer security vulnerabilities by
scanning computers on a network for known security flaws. Two security
vulnerabilities associated with several UNIX-based platforms are the subject
of two specific tests that have the same effect on vulnerable Cisco routers.
The scanning program is asserting the Telnet ENVIRON option, #36, before the
router indicates that it is willing to accept it, and this causes the router
to reload unexpectedly.


Impact
======

The described defect can be used to mount a consistent and repeatable denial
of service (DoS) attack on any vulnerable Cisco product, which may result in
violations of the availability aspects of a customer's security policy. This
defect by itself does not cause the disclosure of confidential information
nor allow unauthorized access.


Software Versions and Fixes
===========================

For the affected Cisco IOS software Major Release version shown in the first
column of the table below, customers should upgrade to the known
invulnerable releases listed to the right in the same row. In general,
customers should upgrade to the release in the column furthest to the right
within the same row. For example, any customer running 12.0 "mainline"
(Major Release) should upgrade at least to 12.0(7.1), but preferably to
12.0(8).

Any release not specifically listed in the left-most column below is
unaffected by the vulnerability.

The projected release date is shown with the software release version number
for those releases that are not yet complete or available on CCO.*

An "interim release" is scheduled and contains numerous fixes and occasional
enhancements that carry forward into all later versions.** A "maintenance
release" is a regularly scheduled event that incorporates significant
enhancements and cumulative fixes; it may be the entry point for support of
noteworthy new technology in Cisco IOS software.

 ==========================================================================
    Major                          Projected Fixed      Projected Fixed
   Release      Description     Regular or Interim**  Regular Maintenance
                                      Releases              Releases
 ==========================================================================
                        Unaffected Earlier Releases
 --------------------------------------------------------------------------
  11.2 and
  earlier,
     all     Multiple releases       Unaffected            Unaffected
  variants
 ==========================================================================
                            11.3-based Releases
 --------------------------------------------------------------------------
              AS5800 support
   11.3AA          and                    -               11.3(11a)AA
                other dial
                 platforms
 ==========================================================================
                            12.0-based Releases
 --------------------------------------------------------------------------
    12.0       12.0 mainline          12.0(7.1)             12.0(8)
 --------------------------------------------------------------------------
               ISP support:          12.0(6.6)S             12.0(7)S
    12.0S       7200, RSP,      -------------------------------------------
                 GSR12000            12.0(7.1)S             12.0(8)S
 --------------------------------------------------------------------------
   12.0SC        Cable ISP          12.0(6.6)SC1          12.0(8)SC***
             support: ubr7200        12.0(7.1)SC          or 12.0(9)SC
 --------------------------------------------------------------------------
                 12.0 new            12.0(6.5)T3
    12.0T    technology early   ---------------------       12.0(7)T
            deployment release       12.0(6.5)T4
 --------------------------------------------------------------------------
    12.0W    12.0 for Catalyst   12.0(6.5)W5(16.0.9)    12.0(6.5)W5(17),
              8500 and LS1010                             2000/04/18*
 --------------------------------------------------------------------------
                Short-life
                release for
   12.0XE        selected            Unavailable           12.0(7)XE1
                enterprise
             features, 7200 &
                   7500
 --------------------------------------------------------------------------
                Short-life
                release for
   12.0XJ    Dial/Voice, 5200,       Unavailable           12.0(4)XJ4
             5300, 5800, 2600,
                  & 3600
 ==========================================================================
                            12.1-based Releases
 --------------------------------------------------------------------------
  12.1 and
 later, all  Multiple releases       Unaffected            Unaffected
  variants
 ==========================================================================

* All dates are tentative and subject to change

** Interim releases are subjected to less internal testing and verification
than are regular releases, may have serious bugs, and should be installed
with great care.

*** 12.0(8)SC is not vulnerable to this defect, but due to other issues it
is no longer available on CCO as of the date of this notice. Upgrade instead
to 12.0(9)SC.


Obtaining Fixed Software
========================

Cisco is offering free software upgrades to remedy this vulnerability for
all affected customers. Customers with service contracts may upgrade to any
software version. Customers without contracts may upgrade only within a
single row of the table above, except that any available fixed software will
be provided to any customer who can use it and for whom the standard fixed
software is not yet available. Customers may install only the feature sets
they have purchased.

Note that not all fixed software may be available as of the release date of
this notice.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades should
be obtained via the Software Center on Cisco's Worldwide Web site at
http://www.cisco.com/.

Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

   * +1 800 553 2447 (toll-free from within North America)
   * +1 408 526 7209 (toll call from anywhere in the world)
   * e-mail: tac@cisco.com

Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested through
the TAC. Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.


Workarounds
===========

The vulnerability described in this notice can only be exploited if the
Telnet service is configured on the affected system and reachable from the
attacker's computer. The following recommendations provide an interactive
login capability without using the Telnet service, thus mitigating the
threat in lieu of a software upgrade while preserving remote access to the
router for administrative purposes:

   * Prevent access using the Telnet service by defining an appropriate
     access control list and applying it to the vty line or the router's
     interfaces using the "access-group" keyword. Security can be increased
     further by restricting both the virtual terminal lines and the router's
     physical interfaces with two access-groups, one to control who can
     connect to the vtys, and the other on the interfaces to control from
     where those connections can be attempted.
   * Disable Telnet and use SSH (if it is available to you) to connect to
     the router for administrative purposes.. After "line vty 0 4" in the
     router's configuration, add "transport input ssh". This stipulates that
     only the SSH protocol may be used for interactive logins to the router.
     As of the date of this notice, SSH is only available on certain
     products: 7200, 7500, and 12000 series running Cisco IOS software
     releases such as 12.0S, 12.1S, and 12.1T.
   * Disable interactive network logins to the router completely by removing
     the "line" command such that virtual consoles are never enabled. Use an
     out-of-band method to login to and administer the router such as a
     hard-wired console. Consider connecting the console to a terminal
     server which itself is only reachable via a separate parallel network
     that in turn is restricted by site policy exclusively for
     administrative purposes.

The wide variety of customer configurations make it impossible to judge the
effectiveness and relative merits of these workarounds in lieu of a software
upgrade. Customers are cautioned to evaluate these recommendations carefully
with regard to their specific network configurations.


Exploitation and Public Announcements
=====================================

As of the date of this notice, Cisco knows of no publicity, discussion, nor
reports of malicious exploitation of this specific vulnerability applied
directly against a Cisco product.

The denial of service (DoS) aspect of this vulnerability was reported to
Cisco by several different customers who found it while conducting security
scans of their networks. The defect that causes this vulnerability,
documented in CSCdm70743, was discovered internally by a Cisco development
engineer.


Status of This Notice: FINAL
============================

This is a final field notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all of the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this notice unless there is some material change in the facts. Should there
be a significant change in the facts, Cisco may update this notice. Please
make note of the posting details in the next section and periodically check
for changes.


Notice Distribution
===================

This notice is posted at
http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml.

In addition to posting on the World-Wide Web, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail lists and Usenet newsgroups:

   * cust-security-announce@cisco.com
   * first-teams@first.org (includes CERT/CC)
   * bugtraq@securityfocus.com
   * cisco@spot.colorado.edu
   * comp.dcom.sys.cisco
   * firewalls@lists.gnac.com
   * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's World-Wide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.


Revision History
================

 1.0 2000/04/20 Initial public release


Cisco Product Security Procedures
=================================

The web page at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml describes
how to report security vulnerabilities in Cisco products, obtain assistance
with security incidents, and register to receive product security
information from Cisco. This includes instructions for press inquiries
regarding Cisco Security Advisories and notices. This advisory is Cisco's
complete public statement regarding this vulnerability.
  ---------------------------------------------------------------------------
This notice is copyright 2000 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including
all date and version information.
  ---------------------------------------------------------------------------

All contents copyright © 1992--2000 Cisco Systems Inc. Important notices.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQEVAwUBOP6YRmiN3BRdFxkbAQHRsQf/VB8ihP0FO2bZF2B6RGShmeTrO0ucDj1h
ZklgXgorWRZXGoqgD4mJa26mc4UfZgP+XljTOKLtRW4r/YcvBmv1D4Kl17Ry16o4
Hqm+84d7CJLU+DAm1XYrNuQ6jrriM4qoo8jbd0Qa7OIdTbZaK9FatftTcOaGIlTX
lmGr8GVhIYSCwO8LZuudaR2bhee76xImXEEh8koXEbFHJayrIkJPHszXXCiUUiWD
Fp5F33QeR4OzcPCGvdPWwbV8N/uaYQ/39z6ckOng//rbrEKT4XKjxkST6A1zUqSE
asTjQ0WAOgwxoQk94+PC2dNKKkwl+ZOqovtw7aRXwy5YTiFBZAD91w==
=8ss4
-----END PGP SIGNATURE-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 6.5.2

mQENAzhQ8qUCYQEIALshjezuQIzQT3zZrKrQit2HTNarH8iba6HLdN2niIDGW9LN
ShhH0kPdD57EeOAkO2ccNvgY4HvJESgykBS6z86HULeiSVMv89TfQsKOv34cczYm
BeYtcfbgkm4MM/37UjFxUGAIoOxVX/bzya/tegiYPAaTsOcaonxqaOds/kLIR32S
/+3vcV6tu9QiiLwdKAGSN+KkrREP3qTFzKxmus1DKFz5o03yDMtYGplRQ62iae21
I8NbQtVXvARN5bdG5+4KaqI9hsT/tz8dh8OgapdaD6ht0qkY8J2DGIa1xnai4Vbe
hoz7Vozf65LErlbRWBVAn6XBD3qtaI3cFF0XGRsABRG0R0Npc2NvIFN5c3RlbXMg
UHJvZHVjdCBTZWN1cml0eSBJbmNpZGVudCBSZXNwb25zZSBUZWFtIDxwc2lydEBj
aXNjby5jb20+iQEVAwUQOFDypWiN3BRdFxkbAQEVgAf/Qins/ms1PNhD4ucJyGCY
V60wz6hQX5FXCKxewSxPOMOxkbQeiNxqENYldTwH6RZ2eVXYJX0PKZjhUmpQCwg7
aYQUv8GeROxQYlJx/j2FKmQcjIWLHQZImb7FxTFt0rgcCJI+ChGu8U3IqOmyeBmE
44qXxU/IGhJaXj8jIkSUxeKFQtI9JSxsfNiqX8itjeJlYTF8Y1MnTiuhikM3y7JM
sQFzrKSzhzfPcc3RqDAtbwYtvmb+6/9IGkHks2hox5ltJZ5v2c4lbReEpmLweDSf
enojuPPoPug8zRS/xa1uHzSZ3XKQwLWfjwZwGMzTTHOAiMWo6wlbhNnR4LlN/upv
uIkARgQQEQIABgUCOFDzRAAKCRBwkpqcbcMYIVfZAJ4z5xm+IJuj+byK+gNsNY7X
FK4THgCfS0n95c/Gxvu9tOvRFH+uwQh2dgGJAHUDBRA4UPNs3nAfbKMmz4kBAejY
AvoD771l0JZWwf5XmoCWLL0ChzbdFJqTsnd2zG4jGr1J91dkES4YDir4itqyWVRA
VFzalYCYouNPhOJZKLXUphQnAQ7x74cDznEw+MYT9eavbYcSeKkBZNEdjE3vf67x
4fSJAJUDBRA4UP5XwAV6rQ+eJbkBAX2CA/9GPlvk9EWTS54M6uTJCtC/6Bcx7phz
InAUYEX7gjlBmNF7MdIy1UdUsNL2rTdR26peB6VwzT6uXRG+RbhpGVvfHdEmJ2ec
brKaUmFisrVWB7Ho9NOo72xTru7GeJxGHb0xRcsDMCIYfyOCMvbr6lxMMAcD9zx3
nMx4VDJ7RfSStrRQQ2lzY28gU3lzdGVtcyBQcm9kdWN0IFNlY3VyaXR5IEluY2lk
ZW50IFJlc3BvbnNlIFRlYW0gPHNlY3VyaXR5LWFsZXJ0QGNpc2NvLmNvbT6JARUD
BRA4UPL6aI3cFF0XGRsBAdYKCACIhd2yDPXITE2pQzukNo+jxrMeSnqvl4DUoP6f
Ai64KLGYAqo+ZWuyFd1JLT5CtsaWuLXEBvt/9SevI/qbN18c9eSBko3wNcO49C+T
s0uttahHplxMgArqTK8y1u35C7QUz0T9xRLPaKvXYARw3/wFdaPQYehrVWBThbxk
KxJuamT3OT5uB7NgtkHK1nHpxuATj39EnvZSUTWe45ZBVulduGMG7grYRCQJ1jrG
2Ei0FO/adFKZU6DxSygwjWCM9Fdh/dncs00G7tXW8fpfIRmdsVZuYIQ7HPkoiUJF
87Hw+mdkZHiTAhPMuNO9AamZsIF65QcD4vera/zOXwU+MUcaiQBGBBARAgAGBQI4
UPNYAAoJEHCSmpxtwxghi9gAn12vk1AazXrc9GVCdXC5oFpi1TmlAJ9BsHkWwGUr
mLSAE3OE70LjxHHhDokAdQMFEDhQ84DecB9soybPiQEB2NoC/jSF5glFC5jfYjAp
VMiZHgGZDA49lcf/VZDz7ZeJAkOtZZHzlycVAlCukLl0sXfIhgygmWj6WQPPIF2z
COEjVgR625CRbYhrqC0H9ieWYJ3fu7GILoEb200GbSgUZifvq4kAlQMFEDhQ/mvA
BXqtD54luQEBWzAD/31F6aic5ZV/u6HY/ChORildURolK8LfNTwwsmwN32ZcJOUb
gSsU5cafE5XGaWvgVrPVKwAH9DFcviElBK+n7fhw+SRS5x+Ar8tZMKEgP5I9yIZX
DHwNZmFdpmk95xoK4TvCd3iyj23HcaoAGroRtuVrv5UtBG9P+FDMxScgO/cR
=sJ3p
-----END PGP PUBLIC KEY BLOCK-----