Public Safety and Emergency Preparedness Canada - Sécurité publique et Protection civile Canada

Cisco Intrusion Prevention System Management Interface Denial of Service and Fragmented Packet Evasion Vulnerabilities

Number: AV06-036
Date: 20 September 2006

Purpose

The purpose of this advisory is to bring attention to two vulnerabilities in the Cisco Intrusion Prevention System (IPS) software. The first is a denial of service vulnerability in the web administration interface involving malformed Secure Sockets Layer (SSL) packets, and the second is a fragmented packet evasion vulnerability.

Assessment

The web administration interface of Cisco IPS/IDS devices contains a denial of service vulnerability. It is possible to send a malformed SSLv2 Client Hello packet to the IPS/IDS web administration interface, which may cause the process (mainApp) responsible for managing remote access to fail. This results in an IPS/IDS device becoming unresponsive to all future remote management requests through the web administration interface or the command-line interface (CLI) via SSH and the console.  This vulnerability is documented in Cisco bug IDs CSCsd91720 and CSCsd92033.  This vulnerability was originally fixed in Cisco IPS version 5.1(2).  Successful exploitation of the web administration interface SSL denial of service vulnerability may result in the failure of the mainApp process.  If the mainApp process fails, the following tasks will cease operation:

  • Reporting alerts to remote monitoring systems
  • Automated modification of access control lists (ACLs) on remote firewall systems (PIX and IOS)
  • Sending SNMP traps

Even though the mainApp has failed, the IPS/IDS device will continue to perform inspection of traffic for malicious activity.  If configured, the device will continue to drop packets/connections inline and send TCP resets in response to any malicious activity.  IPS/IDS devices must be rebooted to recover from this vulnerability.  If an IPS/IDS device is configured with a service account, it is possible to log in to an affected device with the service account via SSH or the console and manually reboot the device.

By using a specially crafted sequence of fragmented IP packets, it is possible for malicious traffic to evade inspection by a Cisco IPS device.  This may allow an attacker to circumvent the protection provided by an IPS device and access internal systems.  IPS devices running in inline and promiscuous modes are affected.  This vulnerability is documented in Cisco bug IDs CSCse17206 and SCsf12379.  This vulnerability was originally fixed in Cisco IPS version 5.1(2).  Successful exploitation of the fragmented packet IPS evasion vulnerability may result in an attacker being able to evade detection by an IPS device.  This could allow protected systems to be covertly attacked.

The following Cisco IPS/IDS versions are vulnerable to the web administration interface SSL denial of service issue:

  • Cisco IDS 4.1(x) software prior to 4.1(5c)
  • Cisco IPS 5.0(x) software prior to 5.0(6p1)
  • Cisco IPS 5.1(x) software prior to 5.1(2)

The following Cisco IPS versions are vulnerable to the fragmented packet IPS evasion issue:

  • Cisco IPS 5.0(x) software prior to 5.0(6p2)
  • Cisco IPS 5.1(x) software prior to 5.1(2)

All platforms running vulnerable versions of Cisco IPS/IDS software are affected. This includes 4200 series appliances, IDSM2, NM-CIDS router modules, and ASA IPS modules (also referred to as Advanced Inspection and Prevention (AIP) Security Services Module [SSM]).
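As an added defensive example (not part of the advisory), the following Python inventory check parses Cisco IPS/IDS version strings in the form used above and reports which of the two issues each device version falls under. The device names and versions in the sample inventory are constructed, and the ordering of a trailing letter or "pN" patch within a maintenance release is an assumption.

```python
import re

# Fixed-version thresholds as stated in AV06-036, keyed by (major, minor) train.
SSL_DOS_FIXED = {(4, 1): "4.1(5c)", (5, 0): "5.0(6p1)", (5, 1): "5.1(2)"}
FRAG_EVASION_FIXED = {(5, 0): "5.0(6p2)", (5, 1): "5.1(2)"}

# major.minor(maintenance[letter][pN]) e.g. 4.1(5c), 5.0(6p1), 5.1(2)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z])?(?:p(\d+))?\)$")


def parse_version(text):
    """Turn a Cisco IPS/IDS version string into a comparable tuple
    (major, minor, maintenance, letter_index, patch).
    Assumption (not from the advisory): a trailing letter sorts after no
    letter, and a 'pN' patch sorts after no patch within the same release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint, letter, patch = m.groups()
    letter_idx = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(maint), letter_idx, int(patch or 0))


def is_vulnerable(version, fixed_by_train):
    """True if `version` belongs to a train listed in the advisory and is
    older than the fix for that train. Trains the advisory does not list
    (e.g. 4.1(x) for the evasion issue) are reported as not affected."""
    v = parse_version(version)
    fixed = fixed_by_train.get(v[:2])
    return fixed is not None and v < parse_version(fixed)


def assess_inventory(inventory):
    """inventory: {device_name: version}; returns {device_name: [issue, ...]}."""
    findings = {}
    for device, version in inventory.items():
        issues = []
        if is_vulnerable(version, SSL_DOS_FIXED):
            issues.append("web admin SSL DoS")
        if is_vulnerable(version, FRAG_EVASION_FIXED):
            issues.append("fragmented packet evasion")
        findings[device] = issues
    return findings


# Constructed sample inventory (device names and versions are not from the advisory).
SAMPLE_INVENTORY = {
    "ids-4235-dc1": "4.1(4)",      # SSL DoS only; 4.1 train not listed for evasion
    "ips-4240-dmz": "5.0(6p1)",    # SSL DoS fixed, evasion fix is 5.0(6p2)
    "aip-ssm-edge": "5.1(1)",      # both issues
    "ips-4255-core": "5.1(2)",     # fixed for both
}

if __name__ == "__main__":
    for device, issues in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{device}: {', '.join(issues) or 'not affected'}")
```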

Suggested action

PSEPC recommends that administrators test and upgrade to the fixed software versions listed on the Cisco web page, or test and implement one of the workarounds provided on the Cisco web page until the upgrade can be scheduled and performed.

For more information and instructions, please refer to:

http://www.cisco.com/warp/public/707/cisco-sa-20060920-ips.shtml

Note to readers

The Canadian Cyber Incident Response Centre (CCIRC) collects information related to cyber threats to, and incidents involving, Canadian critical infrastructure. This allows us to monitor and analyze threats and to issue alerts, advisories and other information products. To report threats or incidents, please contact the Government Operations Centre (GOC) at (613) 991-7000 or by e-mail at goc-cog@psepc.gc.ca.

Unauthorized use of computer systems and mischief in relation to data are serious Criminal Code offences in Canada. Any suspected criminal activity should be reported to local law enforcement organizations. The Royal Canadian Mounted Police (RCMP) National Operations Centre (N.O.C.) provides a 24/7 service to receive such reports or to redirect callers to local law enforcement organizations. The N.O.C. can be reached at (613) 993-4460. National security concerns should be reported to the Canadian Security Intelligence Service (CSIS) at (613) 993-9620.

For urgent matters or to report any incidents, please contact the Government Operations Centre at:

Phone: (613) 991-7000
Fax: (613) 996-0995
Secure Fax: (613) 991-7094
Email: goc-cog@psepc.gc.ca

For general information on critical infrastructure protection and emergency preparedness, please contact PSEPC's Public Affairs division at:

Telephone: (613) 944-4875 or 1-800-830-3118
Fax: (613) 998-9589
E-mail: communications@psepc.gc.ca

Last updated: 2006-09-20