|
|
|
|
| |
Certain Cisco products containing support for the Secure Shell (SSH) server are vulnerable to a Denial of Service (DoS) if the SSH server is enabled on the device. A malformed SSH packet directed at the affected device can cause a reload of the device. No authentication is necessary for the packet to be received by the affected device. The SSH server in Cisco IOS is disabled by default.
Cisco will be making free software available to correct the problem as soon as possible.
The malformed packets can be generated using the SSHredder test suite from Rapid7, Inc. Workarounds are available. The Cisco PSIRT is not aware of any malicious exploitation of this vulnerability. |
| |
Credit:
The information has been provided by Cisco Systems Product Security Incident Response Team.
|
| |
Affected Products:
Multiple Cisco products which contain support for an SSH server are vulnerable if the SSH server is enabled. Cisco routers and Catalyst switches running the affected versions of Cisco IOS shown in the Software Version and Fixes section below have been confirmed to be vulnerable.
Cisco products which contain SSH server functionality that are confirmed not to be vulnerable include:
* Cisco Catalyst Switches running Cisco CatOS
* Cisco VPN3000 series concentrators
* Cisco PIX Firewall
* Cisco Secure Intrusion Detection System (NetRanger) appliance
* Cisco Secure Intrusion Detection System Catalyst Module
* Cisco SN5400 Series Storage Routers
* CiscoWorks 1105 Wireless LAN Solution Engine (WLSE)
* CiscoWorks 1105 Hosting Solution Engine (WLSE)
Details:
A suite of crafted packets has been developed to test implementations of the Secure Shell (SSH) protocol. If the SSH server has been enabled, several of the test cases cause a forced reload of the device before the authentication process is called. Each time an SSH connection attempt is made to a Cisco device running Cisco IOS with one of the crafted packets, and the SSH server is enabled on the device, the device reboots.
The SSH server feature is available in the following Cisco IOS release trains: 12.0S, 12.0ST, 12.1T, 12.1E, 12.2, 12.2T, 12.2S. All releases which have the SSH server feature are vulnerable when the SSH server is enabled by issuing the command "crypto key generate rsa" in configuration mode.
All products running vulnerable versions of Cisco IOS except the Cisco 3550 will automatically reload and resume service following the crash. The Cisco 3550 will not reload, and will require manual intervention to resume normal processing.
This Cisco IOS defect is documented in DDTS CSCdz60229.
Impact:
The vulnerability can be exploited to make an affected product unavailable for several minutes while the device reloads. Once it has resumed normal processing, the device is still vulnerable and can be forced to reload repeatedly.
Software Versions and Fixes:
A table listing all the versions being affected, and their available fixes can be found here:
http://www.cisco.com/warp/public/707/ssh-packet-suite-vuln.shtml#Software
Obtaining Fixed Software:
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com/tacpage/sw-center/.
Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with obtaining the free software upgrade(s).
Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* email: tac@cisco.com .
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.
Please have your product serial number available and give the URL of this advisory as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.
Workarounds:
Workarounds consist of disabling the SSH server, removing SSH as a remote access method, permitting only trusted hosts to connect to the server, and blocking SSH traffic to the device completely via external mechanisms.
Caution: The following workaround will have undesirable side effects for IPSEC sessions that terminate on the device that use RSA key pairs for device authentication, or that use certificates based on those RSA key pairs. IPSEC sessions using other authentication methods will not be affected.
For Cisco IOS the SSH server can be disabled by applying the command "crypto key zeroize rsa" while in configuration mode. The SSH server is enabled automatically upon generating an RSA key pair. Zeroing the RSA keys is the only way to completely disable the SSH server.
Access to the SSH server on Cisco IOS may also be disabled via removing SSH as a valid transport protocol. This can be done by reapplying the "transport input" command with 'ssh' removed from the list of permitted transports on VTY lines while in configuration mode. For example:
line vty 0 4
transport input telnet
end
If SSH server functionality is desired, access to the server can be restricted to specific source IP addresses or blocked entirely through the use of Access Control Lists (ACLs) on the VTY lines as shown in the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/1219ea1/scg/swacl.htm#xtocid14
More information on configuring ACLs can be found on Cisco's public website:
http://www.cisco.com/warp/public/707/confaccesslists.html
An example of a VTY access-list can be found here:
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 deny any
line vty 0 4
access-class 2 in
end
You may also block inbound SSH connections for your device with an external packet filtering device such as a firewall or a router that blocks traffic to TCP port 22.
|
|
|
|
|
|
|
|
|
|
