|
|
|
|
| |
A series of failed telnet authentication attempts to the switch can cause the Catalyst Switch to fail to pass traffic or fail to accept management connections until the system is rebooted or a power cycle is performed. All types of telnet authentication are affected, including Kerberized telnet, and AAA authentication.
This enables remote attackers to launch a Denial of Service attack against the switch. |
| |
Credit:
The complete advisory can be viewed at:
http://www.cisco.com/warp/public/707/catalyst-memleak-pub.shtml.
|
| |
Vulnerable systems:
Catalyst 4000 and 5000 images running version 4.5(2) up to 5.5(4) and 5.5(4a).
Catalyst 6000 images running version 5.3(1)CSX, up to and including 5.5(4), 5.5(4a).
Immune systems:
Catalyst Release 4.5(10) for Catalyst 4000 and 5000.
Catalyst Release 5.5(4b) for Catalyst 4000, 5000 and 6000.
The telnet process fails to release resources upon a failed authentication, or a successful login of extremely short duration such as a telnet from within an automated script. This memory leak eventually results in the failure of the switch to perform any other processes, such as forwarding traffic or management; a power cycle or reboot is required for recovery.
The command "show process memory" will indicate increased "Holding" memory after failed telnet authentication attempts. This value will not decrease over time except when a reboot, reload, or power cycle occurs. Legitimate users that occasionally fail authentication may trigger this bug over a period of time in the course of normal operation.
lt-6509-e> (enable) sh proc mem
Memory Used: 3974544
Free: 15265168
Total: 19239712
PID TTY Allocated Freed Holding Process
- ---------- ---------- ---------- ---------- ---------- ---------------
1 -2 1707632 3488 1704144 Kernel and Idle
24 -2 16 0 16 telnetd
Impact
This vulnerability enables a Denial of Service attack on the Catalyst switch.
Software Versions and Fixes
Cisco has made the following fixed software available to customers:
Catalyst Release 4.5(10) for Catalyst 4000 and 5000.
Catalyst Release 5.5(4b) for Catalyst 4000, 5000 and 6000.
The fix will be carried forward into all future releases.
Getting Fixed Software
Cisco is offering free software upgrades to remedy this vulnerability for all affected customers.
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's Worldwide Web site at http://www.cisco.com.
Workarounds
There is no configuration workaround to eliminate the problem. However, if you are unable to upgrade to an unaffected version, you may use other devices to strictly control or prohibit telnet access to the switch, permitting only connections from your local network.
Access control lists on the switch can limit the remote exploitation of the vulnerability. To limit access to known hosts use the following commands:
set ip permit enable telnet
set ip permit <addr> [mask]
Remote management of the switch can also be disabled.
The above workarounds are provided as an option; however, the recommendation is to upgrade to fixed code as soon as possible.
|
|
|
|
|
|
|
|
|
|
