|
Brought to you by:
Suppliers of:
|
|
|
| |
| After receiving eight TCP connection attempts using a non-standard TCP flags combination, a Catalyst switch will stop responding to further TCP connections to that particular service. In order to re-establish functionality of that service, the switch must be rebooted. There is no workaround. This vulnerability affects only CatOS. No other Cisco products are affected. |
| |
Credit:
The information has been provided by Cisco Systems Product Security Incident Response Team.
|
| |
Affected Products:
The CatOS for the following Catalyst models are affected:
* Catalyst 4000 Series including models 2948G and 2980G/2980G-A
* Catalyst 5000 Series including models 2901, 2902 and 2926
* Catalyst 6000
No other Cisco products are affected.
Details:
After receiving eight connection attempts on any TCP service, the switch will stop responding to any further connection attempts to that service. These attempts must use a non-standard combination of TCP flags. The switch will continue to pass other switched traffic normally and the console is not affected. Only the service to which connections were made will become unresponsive. Standard TCP services include HTTP, Telnet, and SSH.
Impact:
By exploiting this vulnerability, an attacker can prevent further use of the specified TCP-based service. Depending on the configuration of the device, if SSH or Telnet are enabled and exploited, the availability of those services could be affected, possibly resulting in a loss of management capability using those same services. However, UDP-based services such as Simple Network Management Protocol (SNMP) would still be available and unaffected.
Software Versions and Fixes:
The vulnerability is fixed in the following releases. All previous releases are vulnerable and all higher releases, from the ones in the table, are fixed. A table listing available software versions and fixes is available at: http://www.cisco.com/warp/public/707/cisco-sa-20030709-swtcp.shtml
Obtaining Fixed Software:
Cisco is offering free software upgrades to address these vulnerabilities for all affected customers. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, Customers agree to be bound by the terms of Cisco software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at the Cisco Connection Online Software Center at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Customers with service contracts should contact their regular update channels to obtain the free software upgrade identified via this advisory. For most customers with service contracts, this means that upgrades should be obtained through the Software Center on the Cisco worldwide website at http://www.cisco.com/tacpage/sw-center/sw-lan.shtml. To access the software download URL, you must be a registered user and you must be logged in.
Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge.
Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.
Workarounds:
There is no workaround. In order to continue using an affected TCP service, the switch must be rebooted.
It is possible to mitigate the exposure by configuring VLAN Access Control Lists (VACLs) on the switch (where they are supported) that will allow only legitimate hosts to connect to the desired services. This must be combined with Unicast Reverse Path Forwarding (uRPF), or some other anti-spoofing technique, on the network edge to protect against spoofed packets from the outside of the network.
|
|
|
|
|
