Cisco Information for VU#745371

Multiple vendor telnet daemons vulnerable to buffer overflow via crafted protocol options

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

Cisco Security Advisory: Cisco CatOS Telnet Buffer Vulnerability
================================================================

Revision 1.0

For Public Release 2002 January 29 at 1500 UTC

- -------------------------------------------------------------------------------

Summary
- -------
Some Cisco Catalyst switches, running certain CatOS based software releases,
have a vulnerability wherein a buffer overflow in the telnet option handling
can cause the telnet daemon to crash and result in a switch reload. This
vulnerability can be exploited to initiate a denial of service (DoS) attack.

This vulnerability is documented as Cisco bug ID CSCdw19195. There are
workarounds available to mitigate the vulnerability.

This advisory will be posted at http://www.cisco.com/warp/public/707/
catos-telrcv-vuln-pub.shtml .

Affected Products
- -----------------
Cisco's various Catalyst family of switches run CatOS-based releases or
IOS-based releases. IOS-based releases are not vulnerable.

The following Cisco Catalyst Switches are vulnerable :

  * Catalyst 6000 series
 * Catalyst 5000 series
 * Catalyst 4000 series
 * Catalyst 2948G
 * Catalyst 2900

For the switches above, the following CatOS based switch software revisions are
vulnerable.

+-----------------------------------------------------------------------------+
|               |   Release 4   |   Release 5   |  Release 6   |  Release 7   |
|               |   code base   |   code base   |  code base   |  code base   |
|---------------+---------------+---------------+--------------+--------------|
| Catalyst 6000 |      Not      | earlier than  | earlier than | earlier than |
| series        |  Applicable   |    5.5(13)    |    6.3(4)    |    7.1(2)    |
|---------------+---------------+---------------+--------------+--------------|
| Catalyst 5000 | earlier than  | earlier than  | earlier than |     Not      |
| series        |   4.5(13a)    |    5.5(13)    |    6.3(4)    |  Applicable  |
|---------------+---------------+---------------+--------------+--------------|
| Catalyst 4000 | All releases  | earlier than  | earlier than | earlier than |
| series        |               |    5.5(13)    |    6.3(4)    |    7.1(2)    |
+-----------------------------------------------------------------------------+

To determine your software revision, type show version at the command line
prompt.

Not Affected Products
- ---------------------
The following Cisco Catalyst Switches are not vulnerable :

  * Catalyst 8500 series
 * Catalyst 4800 series
 * Catalyst 4200 series
 * Catalyst 3900 series
 * Catalyst 3550 series
 * Catalyst 3500 XL series
 * Catalyst 4840G
 * Catalyst 4908G-l3
 * Catalyst 2948G-l3
 * Catalyst 2950
 * Catalyst 2900 XL
 * Catalyst 2900 LRE XL
 * Catalyst 2820
 * Catalyst 1900

No other Cisco product is currently known to be affected by this vulnerability.

Details
- -------
Some Cisco Catalyst switches, running certain CatOS-based software releases,
have a vulnerability wherein a buffer overflow in the telnet option handling
can cause the telnet daemon to crash and result in a switch reload. This
vulnerability can be exploited to initiate a denial of service (DoS) attack.
Once the switch has reloaded, it is still vulnerable and the attack can be
repeated as long as the switch is IP reachable on port 23 and has not been
upgraded to a fixed version of CatOS switch software.

This vulnerability is documented as Cisco bug ID CSCdw19195, which requires a
CCO account to view and can be viewed after 2002 January 30 at 1500 UTC.

Impact
- ------
This vulnerability can be exploited to produce a denial of service (DoS)
attack. When the vulnerability is exploited it can cause the Cisco Catalyst
switch to crash and reload.

Software Versions and Fixes
- ---------------------------
This vulnerability has been fixed in the following switch software revisions
and the fix will be carried forward in all future releases.

+-------------------------------------------------------------------------------+
|               |   Release 4   |   Release 5   |   Release 6   |   Release 7   |
|               |   code base   |   code base   |   code base   |   code base   |
|---------------+---------------+---------------+---------------+---------------|
| Catalyst 6000 |      Not      |  5.5(13) and  |  6.3(4) and   |  7.1(2) and   |
| series        |  Applicable   |     later     |     later     |     later     |
|---------------+---------------+---------------+---------------+---------------|
| Catalyst 5000 |   4.5(13a)    |  5.5(13) and  |  6.3(4) and   |      Not      |
| series        |               |     later     |     later     |  Applicable   |
|---------------+---------------+---------------+---------------+---------------|
| Catalyst 4000 | Not Available |  5.5(13) and  |  6.3(4) and   |  7.1(2) and   |
| series        |               |     later     |     later     |     later     |
+-------------------------------------------------------------------------------+

All previous releases must upgrade to the above releases. CatOS switch software
release 4.5(13a) for the Catalyst 5000 series is expected on CCO by 2002
February 4. CatOS switch software release 7.1(2) is expected on CCO by 2002
February 4.

Software upgrade can be performed via the console interface. Please refer to
software release notes for instructions.

Obtaining Fixed Software
- ------------------------
Cisco is offering free software upgrades to remedy this vulnerability for all
affected customers. Customers with service contracts may upgrade to any
software release containing the feature sets they have purchased.

Customers with contracts should obtain upgraded software through their regular
update channels. For most customers, this means that upgrades should be
obtained through the Software Center on Cisco's Worldwide Web site at http://
www.cisco.com .

Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with the upgrade, which should be free of
charge.

Customers who purchased directly from Cisco but who do not hold a Cisco service
contract, and customers who purchase through third party vendors but are
unsuccessful at obtaining fixed software through their point of sale, should
get their upgrades by contacting the Cisco Technical Assistance Center (TAC).
TAC contacts are as follows:

  * +1 800 553 2447 (toll free from within North America)
 * +1 408 526 7209 (toll call from anywhere in the world)
 * e-mail: tac@cisco.com

See http://www.cisco.com/warp/public/687/Directory.shtml for additional TAC
contact information, including instructions and e-mail addresses for use in
various languages.

Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades for non
contract customers must be requested through the TAC.

Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com"
for software upgrades.

Workarounds
- -----------
The following workarounds can be implemented.

  * If ssh is available in the code base use ssh instead of Telnet and disable
   Telnet.

    For instructions how to do this please refer http://www.cisco.com/warp/
   public/707/ssh_cat_switches.html

  * Apply Access Control Lists (ACLs) on routers / switches / firewalls in
   front of the vulnerable switches such that traffic destined for the Telnet
   port 23 on the vulnerable switches is only allowed from the network
   management subnets.

    For an example see http://www.cisco.com/univercd/cc/td/doc/product/lan/
   cat6000/sw_5_4/msfc/acc_list.htm

Exploitation and Public Announcements
- -------------------------------------
This vulnerability has been exploited to initiate Denial of Service (DoS)
attacks.

This vulnerability was reported by TESO and is detailed at http://www.cert.org/
advisories/CA-2001-21.html

Status of This Notice: Final
- ----------------------------
This is a final notice. Although Cisco cannot guarantee the accuracy of all
statements in this notice, all of the facts have been checked to the best of
our ability. Cisco does not anticipate issuing updated versions of this notice
unless there is some material change in the facts. Should there be a
significant change in the facts, Cisco may update this notice.

A standalone copy or paraphrase of the text of this security advisory that
omits the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.

Distribution
- ------------
This notice will be posted on Cisco's Worldwide Web site at http://
www.cisco.com/warp/public/707/catos-telrcv-vuln-pub.shtml .

In addition to Worldwide Web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail
and Usenet news recipients:

  * cust-security-announce@cisco.com
 * bugtraq@securityfocus.com
 * firewalls@lists.gnac.com
 * first-teams@first.org (includes CERT/CC)
 * cisco@spot.colorado.edu
 * cisco-nsp@puck.nether.net
 * comp.dcom.sys.cisco
 * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide Web
server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.

Revision History
- ----------------
+-----------------------------------------------------------------------------+
| Revision 1.0 | 2002-Jan-29 | For Public Release 2002 January 29 at 1500 UTC |
+-----------------------------------------------------------------------------+

Cisco Security Procedures
- -------------------------
Complete information on reporting security vulnerabilities in Cisco products,
obtaining assistance with security incidents, and registering to receive
security information from Cisco, is available on Cisco's Worldwide Web site at
http://www.cisco.com/go/psirt . This includes instructions for press inquiries
regarding Cisco security notices.
- -------------------------------------------------------------------------------
This notice is copyright 2002 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including all
date and version information.
- -------------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Signed by Sharad Ahlawat, Cisco Systems PSIRT

iQEVAwUBPFa4iw/VLJ+budTTAQGkywf9GkyUO77MFWJHqhGR+ZtNpk63NAzK4ath
TGE/GyRJlht4YXvP4sTuKgRmsBkefXRoFttN0T8G1HytxTfFP75THbh5kk2kRFYo
R4qcxM6QExs1FbJwx42MOjmD5Cyds8pdZ8ZSGdVTDe96k/0D+BNiN1oe672x1hkM
6Nrt1wnyRzKj7ZfF7NRnlN7DsR4gAPIIP0yLiP2KLJheqDnZNThANng97i9YP1Mz
gve9jAwZtiKij6mv0LDG/Jkk/NUl5VijxfuoRFM4ZvAEn8hFYDLnvPJUVb+CvKpt
3AJ3/J+MBS8EAKTM98sGr5ywp7/cQfXWZsoJAYgHbGtEs3Qy6xbK+w==
=1bxQ
-----END PGP SIGNATURE-----
.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.