Privacy and Legal Notice

CIAC INFORMATION BULLETIN

S-376: Cisco uBR10012 Series Devices SNMP Vulnerability

[Cisco Security Advisory Document ID: 107696]

September 25, 2008 14:00 GMT
PROBLEM: Cisco uBR10012 series devices automatically enable Simple Network Management Protocol (SNMP) read/write access to the device if configured for linecard redundancy. This can be exploited by an attacker to gain complete control of the device.
PLATFORM: Cisco uBR10012 series devices that are configured for linecard redundancy are affected
DAMAGE: Attacker may gain complete control of the device.
SOLUTION: Upgrade to the appropriate version.
VULNERABILITY
ASSESSMENT:		 The risk is HIGH. Successful exploitation of the vulnerability may allow an attacker to gain complete control of the device.
CVSS 2 BASE SCORE:
   TEMPORAL SCORE:
   VECTOR:		 10.0
8.3
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/s-376.shtml
  ORIGINAL BULLETIN: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a014b1.shtml
  CVE: CVE-2008-3807 
[***** Start Cisco Security Advisory Document ID: 107696 *****]

Cisco Security Advisory: Cisco uBR10012 Series Devices SNMP Vulnerability

 

Document ID: 107696


Advisory ID: cisco-sa-20080924-ubr

http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml

Revision 1.0

For Public Release 2008 September 24 1600 UTC (GMT)

Summary

Cisco uBR10012 series devices automatically enable Simple Network Management Protocol (SNMP) read/write access to the device if configured for linecard redundancy. This can be exploited by an attacker to gain complete control of the device. Only Cisco uBR10012 series devices that are configured for linecard redundancy are affected.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml.

NOTE: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS® software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory. Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008:

http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml

Individual publication links are listed below:

[Expand all sections]     [Collapse all sections]

Affected Products

Vulnerable Products

Cisco uBR10012 series devices that are running Cisco IOS and configured for linecard redundancy are affected. Cisco uBR10012 series devices can be identified by issuing the show version command. The following example shows output from a Cisco uBR10012 series device running Cisco IOS software release 12.3(17b)BC7:

ubr10k#show version | include IOS
IOS (tm) 10000 Software (UBR10K-K8P6U2-M), Version 12.3(17b)BC7, RELEASE SOFTWARE (fc1)
ubr10k#

Please refer to the document entitled "White Paper: Cisco IOS Reference Guide" for additional information on the Cisco IOS release naming conventions. This document is available at the following link: http://www.cisco.com/warp/public/620/1.html

A Cisco uBR10012 series device configured for linecard redundancy will have a line similar to the following in the output of show running-config command:

member subslot <slot>/<card> working

or 

hccp <group> protect <worker-member-id> <worker-ip-address>

Any version of Cisco IOS prior to the versions listed in the Software Versions and Fixes section below is vulnerable.

Products Confirmed Not Vulnerable

Cisco uBR10012 series devices that are not configured for linecard redundancy are not affected.

Cisco 10000 series devices are not affected even if they are configured for linecard redundancy.

Other uBR platforms are not affected.

No other Cisco products are currently known to be affected by this vulnerability.

Top of the section     Close Section

Details

Cisco uBR10012 series devices need to communicate with an RF Switch when configured for linecard redundancy. This communication is based on SNMP (Simple Network Management Protocol). When linecard redundancy is enabled on a Cisco uBR10012 series device, SNMP is also automatically enabled with a default community string of private that has read/write privileges. Since there are no access restrictions on this community string, it may be exploited by an attacker to gain complete control of the device.

Changing the default community string, adding access restrictions on SNMP or doing both will mitigate this vulnerability. The recommended mitigation is to do both.

This vulnerability is documented in the Cisco Bug ID CSCek57932 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-3807.

Top of the section     Close Section

Vulnerability Scoring Details

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html .

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss .

CSCek57932 - SNMP enabled after redundancy is configured

Calculate the environmental score of CSCek57932

CVSS Base Score - 10

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Network

Low

None

Complete

Complete

Complete

CVSS Temporal Score - 8.3

Exploitability

Remediation Level

Report Confidence

Functional

Official-Fix

Confirmed

Top of the section     Close Section

Impact

Successful exploitation of the vulnerability may allow an attacker to gain complete control of the device.

Top of the section     Close Section

Software Versions and Fixes

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table.

Major Release

Availability of Repaired Releases

Affected 12.0-Based Releases

First Fixed Release

Recommended Release

There are no affected 12.0 based releases

Affected 12.1-Based Releases

First Fixed Release

Recommended Release

There are no affected 12.1 based releases

Affected 12.2-Based Releases

First Fixed Release

Recommended Release

12.2

Not Vulnerable

  

12.2B

Not Vulnerable

  

12.2BC

Vulnerable; migrate to any release in 12.3

12.2(33)SCA1

12.3(23)BC4

12.4(15)T7

12.4(18c)

12.2BW

Not Vulnerable

  

12.2BX

Not Vulnerable

  

12.2BY

Not Vulnerable

  

12.2BZ

Not Vulnerable

  

12.2CX

Vulnerable; migrate to any release in 12.3

12.2(33)SCA1

12.3(23)BC4

12.4(15)T7

12.4(18c)

12.2CY

Vulnerable; migrate to any release in 12.3

12.2(33)SCA1

12.3(23)BC4

12.4(15)T7

12.4(18c)

12.2CZ

Not Vulnerable

  

12.2DA

Not Vulnerable

  

12.2DD

Not Vulnerable

  

12.2DX

Not Vulnerable

  

12.2EW

Not Vulnerable

  

12.2EWA

Not Vulnerable

  

12.2EX

Not Vulnerable

  

12.2EY

Not Vulnerable

  

12.2EZ

Not Vulnerable

  

12.2FX

Not Vulnerable

  

12.2FY

Not Vulnerable

  

12.2FZ

Not Vulnerable

  

12.2IRB

Not Vulnerable

  

12.2IXA

Not Vulnerable

  

12.2IXB

Not Vulnerable

  

12.2IXC

Not Vulnerable

  

12.2IXD

Not Vulnerable

  

12.2IXE

Not Vulnerable

  

12.2IXF

Not Vulnerable

  

12.2IXG

Not Vulnerable

  

12.2JA

Not Vulnerable

  

12.2JK

Not Vulnerable

  

12.2MB

Not Vulnerable

  

12.2MC

Not Vulnerable

  

12.2S

Not Vulnerable

  

12.2SB

Not Vulnerable

  

12.2SBC

Not Vulnerable

  

12.2SCA

Not Vulnerable

  

12.2SE

Not Vulnerable

  

12.2SEA

Not Vulnerable

  

12.2SEB

Not Vulnerable

  

12.2SEC

Not Vulnerable

  

12.2SED

Not Vulnerable

  

12.2SEE

Not Vulnerable

  

12.2SEF

Not Vulnerable

  

12.2SEG

Not Vulnerable

  

12.2SG

Not Vulnerable

  

12.2SGA

Not Vulnerable

  

12.2SL

Not Vulnerable

  

12.2SM

Not Vulnerable

  

12.2SO

Not Vulnerable

  

12.2SRA

Not Vulnerable

  

12.2SRB

Not Vulnerable

  

12.2SRC

Not Vulnerable

  

12.2SU

Not Vulnerable

  

12.2SV

Not Vulnerable

  

12.2SVA

Not Vulnerable

  

12.2SVC

Not Vulnerable

  

12.2SVD

Not Vulnerable

  

12.2SW

Not Vulnerable

  

12.2SX

Not Vulnerable

  

12.2SXA

Not Vulnerable

  

12.2SXB

Not Vulnerable

  

12.2SXD

Not Vulnerable

  

12.2SXE

Not Vulnerable

  

12.2SXF

Not Vulnerable

  

12.2SXH

Not Vulnerable

  

12.2SY

Not Vulnerable

  

12.2SZ

Not Vulnerable

  

12.2T

Not Vulnerable

  

12.2TPC

Not Vulnerable

  

12.2XA

Not Vulnerable

  

12.2XB

Not Vulnerable

  

12.2XC

Not Vulnerable

  

12.2XD

Not Vulnerable

  

12.2XE

Not Vulnerable

  

12.2XF

Vulnerable; migrate to any release in 12.3

12.2(33)SCA1

12.3(23)BC4

12.4(15)T7

12.4(18c)

12.2XG

Not Vulnerable

  

12.2XH

Not Vulnerable

  

12.2XI

Not Vulnerable

  

12.2XJ

Not Vulnerable

  

12.2XK

Not Vulnerable

  

12.2XL

Not Vulnerable

  

12.2XM

Not Vulnerable

  

12.2XN

Not Vulnerable

  

12.2XNA

Not Vulnerable

  

12.2XNB

Not Vulnerable

  

12.2XO

Not Vulnerable

  

12.2XQ

Not Vulnerable

  

12.2XR

Not Vulnerable

  

12.2XS

Not Vulnerable

  

12.2XT

Not Vulnerable

  

12.2XU

Not Vulnerable

  

12.2XV

Not Vulnerable

  

12.2XW

Not Vulnerable

  

12.2YA

Not Vulnerable

  

12.2YB

Not Vulnerable

  

12.2YC

Not Vulnerable

  

12.2YD

Not Vulnerable

  

12.2YE

Not Vulnerable

  

12.2YF

Not Vulnerable

  

12.2YG

Not Vulnerable

  

12.2YH

Not Vulnerable

  

12.2YJ

Not Vulnerable

  

12.2YK

Not Vulnerable

  

12.2YL

Not Vulnerable

  

12.2YM

Not Vulnerable

  

12.2YN

Not Vulnerable

  

12.2YO

Not Vulnerable

  

12.2YP

Not Vulnerable

  

12.2YQ

Not Vulnerable

  

12.2YR

Not Vulnerable

  

12.2YS

Not Vulnerable

  

12.2YT

Not Vulnerable

  

12.2YU

Not Vulnerable

  

12.2YV

Not Vulnerable

  

12.2YW

Not Vulnerable

  

12.2YX

Not Vulnerable

  

12.2YY

Not Vulnerable

  

12.2YZ

Not Vulnerable

  

12.2ZA

Not Vulnerable

  

12.2ZB

Not Vulnerable

  

12.2ZC

Not Vulnerable

  

12.2ZD

Not Vulnerable

  

12.2ZE

Not Vulnerable

  

12.2ZF

Not Vulnerable

  

12.2ZG

Not Vulnerable

  

12.2ZH

Not Vulnerable

  

12.2ZJ

Not Vulnerable

  

12.2ZL

Not Vulnerable

  

12.2ZP

Not Vulnerable

  

12.2ZU

Not Vulnerable

  

12.2ZX

Not Vulnerable

  

12.2ZY

Not Vulnerable

  

12.2ZYA

Not Vulnerable

  

Affected 12.3-Based Releases

First Fixed Release

Recommended Release

12.3

Not Vulnerable

  

12.3B

Not Vulnerable

  

12.3BC

12.3(17b)BC8

12.3(21)BC

12.3(23)BC4

12.3BW

Not Vulnerable

  

12.3EU

Not Vulnerable

  

12.3JA

Not Vulnerable

  

12.3JEA

Not Vulnerable

  

12.3JEB

Not Vulnerable

  

12.3JEC

Not Vulnerable

  

12.3JK

Not Vulnerable

  

12.3JL

Not Vulnerable

  

12.3JX

Not Vulnerable

  

12.3T

Not Vulnerable

  

12.3TPC

Not Vulnerable

  

12.3VA

Not Vulnerable

  

12.3XA

Not Vulnerable

  

12.3XB

Not Vulnerable

  

12.3XC

Not Vulnerable

  

12.3XD

Not Vulnerable

  

12.3XE

Not Vulnerable

  

12.3XF

Not Vulnerable

  

12.3XG

Not Vulnerable

  

12.3XI

Not Vulnerable

  

12.3XJ

Not Vulnerable

  

12.3XK

Not Vulnerable

  

12.3XL

Not Vulnerable

  

12.3XQ

Not Vulnerable

  

12.3XR

Not Vulnerable

  

12.3XS

Not Vulnerable

  

12.3XU

Not Vulnerable

  

12.3XW

Not Vulnerable

  

12.3XX

Not Vulnerable

  

12.3XY

Not Vulnerable

  

12.3XZ

Not Vulnerable

  

12.3YA

Not Vulnerable

  

12.3YD

Not Vulnerable

  

12.3YF

Not Vulnerable

  

12.3YG

Not Vulnerable

  

12.3YH

Not Vulnerable

  

12.3YI

Not Vulnerable

  

12.3YJ

Not Vulnerable

  

12.3YK

Not Vulnerable

  

12.3YM

Not Vulnerable

  

12.3YQ

Not Vulnerable

  

12.3YS

Not Vulnerable

  

12.3YT

Not Vulnerable

  

12.3YU

Not Vulnerable

  

12.3YX

Not Vulnerable

  

12.3YZ

Not Vulnerable

  

12.3ZA

Not Vulnerable

  

Affected 12.4-Based Releases

First Fixed Release

Recommended Release

There are no affected 12.4 based releases

Top of the section     Close Section

Workarounds

Changing SNMP community string and restricting access

By default, Cisco uBR10012 series devices that are configured for linecard redundancy use a community string of private. This community string can be changed in Cisco IOS versions 12.3(13)BC and later. It is recommended to change the community string and apply access control restrictions that only permit authorized devices SNMP access to the device.

The following configuration example provides operators with information on changing the community string and adding SNMP access control restrictions using an access control list (ACL).

access-list 90 permit host <RF-Switch-IP-1>
access-list 90 permit host <RF-Switch-IP-2>
access-list 90 permit host <up-converter-IP-if-exists>
access-list 90 deny any

redundancy
  linecard-group 1 cable
    rf-switch snmp-community <RF-Switch-SNMP-community>

snmp-server community <RF-Switch-SNMP-community> rw 90

When the SNMP community is changed on a Cisco uBR10012 device, is must also be changed on the RF Switch. It can be changed by the following command: 

set SNMP COMMUNITY <RF-Switch-SNMP-community>

If there is an up-converter in the network, the SNMP community used by the up-converter must also be changed after changing the community string on the Cisco uBR10012 device. Information on changing the community string used by the up-converter can be found at the following link:

http://www.cisco.com/en/US/tech/tk86/tk804/technologies_tech_note09186a00801f7622.shtml#communication

If the Cisco IOS version does not support changing the community string, access control restrictions can be applied to the default community string. The following configuration example provides operators with information on applying access control restrictions to the default community string. 

access-list 90 permit host <RF-Switch-IP-1>
access-list 90 permit host <RF-Switch-IP-2>
access-list 90 permit host <up-converter-IP-if-exists>
access-list 90 deny any

snmp-server community private rw 90

Using Infrastructure ACLs at Network Boundary

Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network. iACLs are a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The iACL example shown below should be included as part of the deployed infrastructure access-list which will protect all devices with IP addresses in the infrastructure IP address range: 


!-- Permit SNMP (UDP port 161) packets from trusted hosts
!-- destined to infrastructure addresses.

!
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 161
!

!-- Deny SNMP (UDP port 161) packets from all other sources
!-- destined to infrastructure addresses.

!
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 161
!

!-- Permit/deny all other Layer 3 and Layer 4 traffic in
!-- accordance with existing security policies and
!-- configurations.

!

!-- Permit all other traffic to transit the device.

!
access-list 150 permit ip any any
!

!-- Apply iACL to interfaces in the ingress direction.

!
interface GigabitEthernet0/0
  ip access-group 150 in
!

The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists. This white paper can be obtained here:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

Additional Mitigation Techniques

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link:

http://www.cisco.com/warp/public/707/cisco-amb-20080924-ipc-and-ubr.shtml

Top of the section     Close Section

Obtaining Fixed Software

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml .

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts

Customers using Third Party Support Organizations

Customers without Service Contracts

Top of the section     Close Section

Exploitation and Public Announcements

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

This vulnerability was found internally.

Top of the section     Close Section

Status of this Notice: FINAL

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

 Top of the section     Close Section

Distribution

This advisory is posted on Cisco's worldwide website at :

http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Top of the section     Close Section

Revision History

Revision 1.0

2008-Sep-24

Initial public release.

 


[***** End Cisco Security Advisory Document ID: 107696 *****]
CIAC wishes to acknowledge the contributions of Cisco for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at: 
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org
This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]