|
Brought to you by:
Suppliers of:
|
|
|
| |
The Cisco Wide Area Application Services (WAAS) software contains a denial of service (DoS) vulnerability that may cause some devices that run WAAS software (WAE appliance and NM-WAE-502 module) to stop processing all types of traffic, including data traffic and management traffic. This condition may occur if a device running WAAS software is configured for Edge Services, which utilizes Common Internet File System (CIFS) optimization and receives a flood of TCP SYN packets on port 139 or 445.
Cisco has made free software available to address this vulnerability for affected customers. Workarounds are available to mitigate the effects of this vulnerability. |
| |
Credit:
The information has been provided by Cisco Systems Product Security Incident Response Team.
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20070718-waas.shtml
|
| |
Affected Products:
Vulnerable Products
The vulnerability described in this document applies to both the WAE appliance and the NM-WAE-502 network module with Edge Services configured, which use CIFS optimization. Edge Services and CIFS optimization are disabled by default. CIFS functionality is only available once Edge Services are manually configured from the WAAS Central Manager. Only WAAS software versions 4.0.7 and 4.0.9 are affected by this vulnerability.
In order to determine whether Edge Services are configured and to display the WAAS software version information, use the WAAS Central Manager GUI. The show version EXEC command from the CLI will also display the WAAS software version information.
Determine whether Edge Services are configured and display the WAAS software version information by following the steps below.
1. Log on to WAAS Central Manager.
2. Select the "Devices" tab.
3. Look under the Services column. "Edge" will denote if Edge Services are configured.
4. Look under the Software Version column. The software version for each device is identified.
The example below shows the output of the show version command from a WAE appliance CLI. In this example, the WAE is running version 4.0.9.
CE-115-16#show version
Cisco Wide Area Application Services Software (WAAS)
Copyright (c) 1999-2007 by Cisco Systems, Inc.
Cisco Wide Area Application Services Software Release 4.0.9 (build b10 Apr 6 2007)
Version: fe611-4.0.9.10
Compiled 15:26:06 Apr 6 2007 by cnbuild
System was restarted on Sat Jun 16 05:03:41 2007.
The system has been up for 33 minutes, 40 seconds.
CE-115-16#
Products Confirmed Not Vulnerable
No other Cisco products or versions of WAAS software that are not explicitly identified in this advisory are currently known to be affected by this vulnerability.
WAE appliances and NM-WAE-502 modules that are not configured to provide Edge Services performing CIFS optimization are not affected. The NM-WAE-302 is not susceptible to this vulnerability as it cannot be configured for CIFS optimization.
Details:
The Cisco Wide Area Application Services solution uses a combination of application acceleration and WAN optimization techniques to mitigate application and transport latency. WAAS software is utilized on the Wide Area Application Engine appliance and the Wide Area Application Services Network Module that are incorporated in the solution.
A DoS vulnerability exists in some versions of WAAS software that may cause some devices that run WAAS software (WAE appliance and NM-WAE-502 module) to stop processing all types of traffic, including traffic going through the device (data traffic) and traffic terminating on the device (management traffic). If the WAAS device has Edge Services, which uses CIFS optimization configured, and receives a flood of TCP SYN packets on ports 139 or 445, this vulnerability may be triggered, resulting in a DoS condition. Ports 139 and 445 are utilized by the CIFS functionality of the WAAS software. This condition may result from network traffic that is sent directly to the WAAS platform, or by automated systems such as hostscanners, portscanners, or network worms.
This vulnerability is documented in Cisco Bug ID CSCsi58809 ( registered customers only)
Impact:
Successful exploitation of the vulnerability described in this document may allow a remote host to cause a device that is running an affected version of the WAAS software with Edge Services using CIFS optimization configured to enter into an unresponsive state. During this unresponsive state, no services are provided, including management access to the device. Recovery of the system from this unresponsive state can only be accomplished by resetting or power cycling the affected device. The following process can be used to remotely recover the NM-WAE-502.
Remote Recovery of the NM-WAE-502
Log in to the router and issue the following command from IOS CLI to reboot the NM-WAE-502:
Router# service-module integrated-Service-Engine <slot>/<port> reset
Workarounds:
If the device that is running WAAS software does not need to provide Edge Services, then disabling Edge Services is a viable workaround. When the Edge Services are turned off, CIFS clients may not benefit from the response time reduction that is associated with the operation of the CIFS cache, preposition and other CIFS latency optimizations. However, other Layer 4 optimizations will continue to apply according to the application policy settings.
In order to disable Edge Services, which includes the CIFS accelerator and CIFS auto discovery features, follow the steps below.
1. Log in to WAAS Central Manager.
2. Select the "Devices" tab.
3. Select the "Devices" category (or "Device Groups" if using multiple devices in groups).
4. Choose target device or group.
5. Choose "File Services" located in the left column under "Contents."
6. Choose "Edge configuration" located under "File Services."
7. Uncheck "Enable Edge Server."
8. Click Submit.
Transit ACLs (tACL)
Filters that block access to TCP ports 139 and 445 packets should be deployed at the network edge as part of a transit access list, which will protect the router where the filter is configured as well as other devices behind it. Filters should also be deployed in front of vulnerable network devices so that TCP ports 139 and 445 packets are only allowed from trusted CIFS Clients to trusted CIFS Servers.
Further information about transit ACLs is available in the white paper "Transit Access Control Lists: Filtering at Your Edge" at the following link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Further information about configuring ACLs on the WAAS client is in the "Creating and Managing IP Access Control Lists for WAAS Devices" chapter of the WAAS Configuration Guide at the following link: http://www.cisco.com/en/US/products/ps6870/products_configuration_guide_chapter09186a00807bb6b9.html
Additional mitigations that can be deployed on Cisco devices within the network are discussed in the Cisco Applied Intelligence companion document for this advisory available at the following link: http://www.cisco.com/warp/public/707/cisco-air-20070718-waas.shtml
|
|
|
|
|
