From security-alert@cisco.com Fri Dec 26 01:20:00 1997 From: security-alert@cisco.com To: BUGTRAQ@NETSPACE.ORG Date: Mon, 15 Dec 1997 19:58:04 -0800 Reply-To: psirt@cisco.com Subject: Security field notice: Cisco 7xx password buffer overflow -----BEGIN PGP SIGNED MESSAGE----- Interim Field Notice: 7xx Router Password Buffer Overflow December 15, 1997, 17:00 US/Pacific, Revision 1 Summary - ----- Some Cisco 7xx routers can be crashed by connecting with TELNET and typing very long password strings. There exists a possibility that this bug could be exploited to take complete control of the router, rather than simply crashing it. Who Is Affected - ------------- All Cisco 7xx routers running IOS/700 software version 4.1(1), 4.1(2), or 4.1 interim releases earlier than 4.1(2.1) are affected. Systems running releases earlier than 4.1 are not affected. In order to exploit the vulnerability, an attacker must have access to the password prompt. This means that the attacker must be able to TELNET to the target router, or to gain access to its console port. Impact - ---- This vulnerability allows attackers to force 7xx routers to reboot, denying service to legitimate users during the reboot period, and possibly causing excessive "call flapping" as routers shut down and restart. It is possible that including the right data at the right place in the too-long password string could enable an attacker to take complete control of the router. Cisco has not fully evaluated the actual feasibility of this attack. A person who succeeded in such an attack would be able to reconfigure the router or modify its functionality, theoretically in any way at all. It is also possible that certain data strings, while not permitting total control of the router, could cause it to hang indefinitely rather than crashing, or to malfunction in other ways. Cisco has not fully evaluated the possible effects of all possible data strings. Details - ----- This vulnerability has been assigned bug ID CSCdj66458. Insufficient bounds checking on the data buffer used for password input allows the incoming password to exceed the buffer size, overwriting the contents of memory beyond the end of the buffer. When the system tries to use the now-incorrect data in that memory, unpredictable results occur. If the data are randomly chosen, this unpredictable behavior can be expected to result in the detection of errors, such as accesses to illegal addresses, which result in system crashes. It might be possible to craft a data string that, instead of creating detectable errors, caused particular system behavior desired by the attacker. Affected Cisco IOS/700 Software Versions - -------------------------------------- This vulnerability affects systems running IOS/700 version 4.1 releases, including 4.1(1), 4.1(2), and 4.1 interim releases earlier than 4.1(2.1). IOS/700 releases other than 4.1 are not affected. Planned Software Fixes - -------------------- Cisco is presently testing a software fix for this problem. We expect the fix to be ready for customer use by December 24, 1997. Because of the exigencies of the software development and testing process, we cannot guarantee this date. Please check the copy of this notice on Cisco's Web page for updated information about the status of the fixed release. When the fixed software is available, this page will include instructions for obtaining it. Cisco will be making the fixed software available to all IOS/700 customers who are presently running 4.1 software, regardless of contract status. Workaround - -------- The vulnerability may be avoided by controlling access to the system console port, and by restricting access to the TELNET facility to trusted hosts. TELNET access may be restricted either by using filters on firewalls or surrounding routers, or by using filters on the 7xx router itself. To restrict access to the TELNET service on a 7xx router running 4.1(x) software to a single trusted management host, use the command set ip filter tcp in source = not trusted-ip-address destination = 7xx-address:23 block The command should be applied in every profile that may be active when the router is connected to a potentially hostile network. Exploitation and Public Announcements - ----------------------------------- Cisco has had no known reports of malicious exploitation of this vulnerability. This vulnerability has been discussed on the "bugtraq@netspace.org" mailing list, and is therefore certain to be widely known in the cracker community. The first public announcement of this vulnerability of which Cisco is aware was on December 11, 1997. The vulnerability can be exploited to crash systems with no special tools or knowledge; no exploitation program as such is required. Assuming that it is possible to exploit the vulnerability to take total control of the system, an exploitation program would be needed in order to do so. A person seeking to develop such an exploitation program would need to be a competent assembly language programmer. She would also need detailed knowledge of the internal workings of the IOS/700 software and/or the 7xx router hardware. Such knowledge has not been made public by Cisco, but could be obtained by reverse engineering or by theft of trade secrets from Cisco. Status of This Notice - ------------------- This is an interim field notice. Because Cisco customers are in immediate need of timely information about the issues addressed, this notice has been issued with less review and less fact-checking than is customary in corporate public statements. Although Cisco believes all statements in this notice to be correct, readers must understand that the potential for error does exist. Errors may include both factual errors and errors of editing, formatting, and emphasis. Readers of this notice rely on the information herein at their own risk. This notice will be updated as more information becomes available. The status of this notice will be changed from interim to final when complete, fully verified information is available. Distribution - ---------- The initial version of this notice is being sent to the following Internet mailing lists and newsgroups: * cisco@spot.colorado.edu * comp.dcom.sys.cisco * bugtraq@netspace.org * first-teams@first.org (includes CERT/CC) Future versions of this notice will be posted on Cisco's Web site, but will not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the Web site for updates. This notice will be posted in the "Field Notices" section of Cisco's Worldwide Web site, which can be found under "Technical Tips" in the "Software and Support" section. The URL is http://www.cisco.com/warp/public/770/pwbuf-pub.shtml. The copy on the Worldwide Web will be updated as appropriate. Revision History - -------------- Revision 1, 17:00, Initial version. 15-DEC-1997 Cisco Security Procedures - ----------------------- Please report security issues with Cisco products, and/or sensitive security intrusion emergencies involving Cisco products, to security-alert@cisco.com. Reports may be encrypted using PGP; public RSA and DSS keys for security-alert@cisco.com are on the public PGP keyservers. The alias security-alert@cisco.com is used only for reports incoming to Cisco. Mail sent to security-alert@cisco.com goes only to a very small group of users within Cisco. Neither outside users nor unauthorized Cisco employees may subscribe to security-alert@cisco.com. We will shortly be creating a security announcement mailing list for outgoing information. When that list is created, an announcement will be sent to appropriate Internet forums. Please do not use security-alert@cisco.com for configuration questions, for security intrusions that you do not consider to be sensitive emergencies, or for general, non-security-related support requests. We do not have the capacity to handle such requests through this channel, and will have to refer them to Cisco's Technical Assistance Center, delaying response to your questions. We advise contacting the Technical Assistance Center directly with this type of question. - ------------------------------------------------------------------------- This notice is copyright 1997 by Cisco Systems, Inc. This notice may be redistributed freely provided that redistributed copies are complete and unmodified, including all date and version information. - ------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQEVAwUBNJX7ZwyPsuGbHvEpAQGxlAf9Ge17KxUheGFPJt7rNHjZQhf8cLM0Xzz5 POu7RklgnE9/L23nFyyzsn1x6nEq4OK/P33q2uI9dERRzcaPlZnAgmpSj+bTul8n /QZ8jJKJfXK11q1Hu+OWk3F25Dk4cyxXC5ftNqk/tEaHzBSXTFUIDnYs73h9S2Hv CKzCJioemiFAeTecssivxbwCM2UbZHYHIBNfb0TqfqQoyh2i7AGSbYkBwdD+wNar r//qBMGVraUbKGQIsK9q5WZJltignt5Wv6nOZ2WcEBW1xS69Mxqiml4P+I7/7oV9 3y/c5A/V4vVsfCfoTYgOivw11gj/U9DgPW65J6jcSPaiYu8RGbGaZw== =HxeU -----END PGP SIGNATURE----- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGP for Personal Privacy 5.0 mQGhBDPvjDARBAD82RXM1EyVSEpL6mpDMyxI8Scc22yVqRYL+Ckv0SXHEPaZNIgQ blVx32jyfnmGIZeVYK2sDRTB6vXJt1k+R5HRRhTG7fB0f309gT/Zgmk64zC7L4nL Qp6fNEVJLfxRdrwXCOPfBf56Y8vKBFZSvwK4qLNHurMP2MVUuYfCl2UpHwCg/6Wz FTHW34HvDKgD+3k0ap0lMq8EAME9i5IEdwTnGO2zsyyc/gw6QKoSGNEkbGmciZuk AQTulVKQpYMv1jIm6Uy91HbsR0mUWxPzCBPCvJzvZOW0O+AJq4m/h1dQD2kdIHt+ nYAdfZjY26YUpB6gfFmQucGhH/o8GfhkmN6Lw21+gx4lctfia2/46poasCNo961y KyuQA/ID6qpHargBoOk2n/av9jV1Rox8vhYVGwQhmVpYVUMzdw8ldo3CejaqyW97 IyOU7tZo4WUzJ2Z3sG0DHdim+VoeDjb5hsd34MzoGL7KjRFGldbNr2H/DhmItLyz xJ5YXgMXNGy3IhfOjCwZsGhZ1eTddxbD7rb7+VN/ROhTpCSXtEdDaXNjbyBTeXN0 ZW1zIFByb2R1Y3QgU2VjdXJpdHkgSW5jaWRlbnQgUmVzcG9uc2UgVGVhbSA8cHNp cnRAY2lzY28uY29tPrRQQ2lzY28gU3lzdGVtcyBwcm9kdWN0IHNlY3VyaXR5IGlu Y2lkZW50L2J1ZyByZXBvcnRpbmcgPHNlY3VyaXR5LWFsZXJ0QGNpc2NvLmNvbT65 Ag0EM++MTxAIANfnEviV6GSqF/7SMetsaCkKUe/TmcEtoYRdE9ZorvLlruvSaFHM gXCg4SqyC689BJJBaKN2MTYIV0T3idlbHp4mXHDyU28tTEFenA9m4ER0PxEO/wIT I3XoOO7SCxUnxyvxPy8Jn9PYBHMpF+iWqUbzLsX4tZI7LJj73i0vi+5tGNaBBFu4 cD2UJis7lb/CSK7bb4RJ6lHYVWHtbcFApwSRheeusvN0YwKpPg5hy6gwaUSKtddJ DadcJcQ/G2I820onsqgYRfDncEBYuLavuu2h5CuR+Qz6jrwNUAX1f6UxC2WYY7ts p+wzQJ9VuTnKQEFPc6GIoiSSeyV3KibzVZ8AAgIIAKDBdTFi6kQSB1+x7XQgQ8SN L0HFjtr25TMJr/eeU6m1NkrtCVg3llA+lhTmpork6ZDu3GXp/IW02o246G57Z23p HU1VkEwjsWl1sdUY5QH+wIV6uZJubZW1TroDI86l0m7WeWC+mqQXn6GuvkX+YpF5 qU1OCY9Pnen6sWkYXiqE5LW3USyYxglTac8EQqcs3JYevV1/M6oTWXdMSEDV2/Bq d9g5qZBYQFkkftdW6YsJPMGgn2EIyu4kTyazk3UafH/yqemCbGX6S5j3krCoIMwf UpeOHPB1OxACLB0loA2cwCpq5p7WhXUCyRuqdXYN50NUrmKDo8+hsL/e89PofQWZ AQ0DM++M2AFtAQgA0rsqUAdCxqMH23R11iGtk2Zo6fI8vxPkllEOru5J/cd9dn2B wT4NTf/b9O4JruX8/R9uWlS3E6jYVJyN2Dpl39X7wUf77B8fsY/4zaUkjDU39Q2E t+pR7tElm0C8BvZVGkDelXzXqeCTQfu1vZHICy7cfsy/BMNlpn93OEz/jS4PPZs5 SORqjEL9wouw/44MvJ08rdc/OOr1eKkLcBfzMMtuMAxLI1OlA/hzY28h/pfhDhAP 7Jkm7R1gDyL9ALYX1xvixPp8q2hEQ3BUtCEfCTHAouqbKiQss5ntC9DDVGqzxlQT ijk4V1/Re+pbb4LX4JZDln3ztkcMj7Lhmx7xKQAFEbRHQ2lzY28gU3lzdGVtcyBQ cm9kdWN0IFNlY3VyaXR5IEluY2lkZW50IFJlc3BvbnNlIFRlYW0gPHBzaXJ0QGNp c2NvLmNvbT6JARUDBRAz74zYDI+y4Zse8SkBAWVjCACT3Ia+8fVGzPd1ACBvMFGI Dry7lhhf9vz+flpOu3ErVn0qW2N0ONxT+u/Z+qbCGxz1DYlgTWt7+KJRS7FNNdzE J2ct9nvnDo/u/VdoTwdtpe9RtiYW4rG+HMjqCdnc5YSpVD8/VEHvPNLAe28wA6au S3L68XPyDjfa0N5T9YSJ/Q8B41qyxWMgETeZIVyegX0/BHv73zegsj5BRPP4pnem juvsRMVcFqJ7wxjm8yjZrR2zoZSysxWkWInbOu5IIlAm9VWh71VP2mD3Z8fDq9Jh kF/qNw937eRSMBwBlCPkmS6jlC0Nz4mkKzoDglL6eTZQ9iKwU5/EeNHZu/f3rKaV iQA/AwUQM++M9JaBp3w9UuB/EQLzmwCgtbsVjd1ZZcuJkPoVs3cbzX9JibYAoLcQ 8+WP7M0y3zdSUEhHToFY6E+ZiQA/AwUQM++N6GFYFsU6zlX+EQKEywCggc3awk02 yj6RivcbYFn3Qon77scAn29CR0lHAjsdLIv6LJ9BLdhXiK8piQCVAwUQM++6KXem vD4nAHb9AQG6OQQAq/GzwDk4yT9MPy25AwBMgsPGePRkZ6kBXTBsmMnHxthDniyE Xqvg6XJYRU86f2wyfzVDJY55qmukl9haCqe3Inxo7gyHaB8ji4rMqfmEn2fjbiAv dw5wlQqYBEEYWAviAHpBlTqT7naq5u/TyAdgENROnFu1jLT39uJ4RPpO7o2JAHUD BRAz8OcoAFBd0vcu1XkBAQHWAwCe0KmW5QKgf1Kmf7hEEpBT2pViNkv3J7tB33Py 4ohQYztUUwP8QJq9EQR3qCBgUJfa3VhXWPrzTn6hE7H/GHEJ7g5IbY9fo1DHcxyE xaBBKIEoWKR/FdxsNPBTgcaT9TyJAJUDBRAz8OTdGKb4qo5nGiEBAU7QA/4+RFkA yy4YnrZc6Y7btnCgHXIwH4tqFL3NaVVS4KsGzQ2WgLRRz1rJ3D61aqvk9Tz3vY5m YwjWY+eOwBqjuEl5UUQqY2kn6c8XHnp+Y7XfwPqH7V5hixcwSTHgU0diav+E/1FP sm6oUKEHh4cC0vfsYOjqlSoilF1sjqKZT5MZZIkAlQMFEDPw6Yx61S0GnPSVuQEB meoD/1VyOvmqnEQsTBiYmEGKHgSFrRs95vEOlP/ANCVYXwpBVP51Vrj+RcNkNJAQ 5xX5D5nRgDGoUVpYcjUJivalH6MOrPHF2zG/As9onZira+dv9SjM/MJhdpGvx0oT YtpGlQh79+uloqCAZ9P4c/flZZICRLjI/3Uj73HDbEAcLsX8iQA/AwUQM/DxS7iw R2HEkUMHEQJK7gCfRWzVa9mGDX4X2BdUB1Z5l5DCM+MAn2SIHiZS3o94TVhp+jTL 2HWHbnPjiQCVAwUQM/DpqtRZvFG/tj1hAQGsZgP8DJgX+4foQlVnDD+gBKXmnG3Z D1hHkpvrR/tGww6LjxKAhXSWtQKTysQ3seIQyUxLOOq0K4A9vFzzmW1gDZXwYwG7 PXoNn4uyGY3YF2jke+Unug41F9POcBp4pUfjQxgj7iiPRn6ZduEhPjw6RBRpYDH5 fF3Mu5/E01TygWisn8WJARUDBRAz81dfH2q6+RwPtwkBAcNnCACSHlH85LxLMRVY 46WdQ9Joj8809J4p0Q469Tkrq7wMyxv8znvvl+D2loIaL5SeBGIvfFaPKQnN+un3 gX/R3g+l2RxBQRqjr65kGAhsMr1L9bRsMAUKAKfDLbQk9fEmB2KRBvQYsHM/7fVY eXglIxdO40AUnzPtRz9rYlZ7dBn7Dy5k/kjIBKKZhgu77X0fGjh9hP9s45D3vnNq sKBoM7pvgdTrwYbdarK2a4GPpWm7XHkhr1w2nGA+a0zjCDzfObHTp8NMY3z0Rgeu 3t2W7EIF6zE+FSyZmfTvVd2rXMxgjMeeziPHAJESnmQ0y0+xQoDx1IDhQ7YF2Q6r khfqxxM6iQA/AwUQM/KsxSLcSmI6S/dwEQKA0QCfR1O0vDQ0M8ef9c+DHPyNydGz OOQAnRscGYHbrrXrN1yuA9mti29pz2BViQCVAwUQM/EQTX+11HSaYdsJAQE7ZgQA 8Z5GzK1Qd4vu1Rt0OAubPp9yug2QmTqyNAsDDQdiqcdvCF9cK8VCYBvTRaHDjFBx Jd6PclQlLBcPIQnkCE4Pch1OQomckDzXEnNgleGnyQlMXT0zm+gHl5mDUWnRtwTD drYxfLdJZFZ8ntJIDYN7t0Gl/ag5l4j0C5GW0d9WYo+0UENpc2NvIFN5c3RlbXMg cHJvZHVjdCBzZWN1cml0eSBpbmNpZGVudC9idWcgcmVwb3J0aW5nIDxzZWN1cml0 eS1hbGVydEBjaXNjby5jb20+iQEVAwUQM++NXQyPsuGbHvEpAQEIKwf/eLwnERXH CP4X999/aUJEMPzd8lMaFg1i84ALFhpFKzWHBnWkBZItTM35xzciq5v51P3OBu5u scU/yRgHmg/ESH3abJXt3SKMsjzZE1zvKuqX0wjYf3Ihh2CtPZo/3wpsa6XGuLdT 0dDUCdU8Tjd67wX3p+CI6CBGoMqLuVY/0AO9xoo7drVoOT9fYQ7UjSNIkxN9nVzI yWmaudOzeLnHaVf7jYYeOmADe1YaVM3oMVZrmTZ1TtPMTd0ovWrPll27zVYx1PjE NuTZDpnysa7agoD5hemtKUXR0GwbeoVMpIWCceKNNPh8kjb6B5sTOl7y8ZR/gUld CaNn5sbZ1N1QrIkAPwMFEDPvjXSWgad8PVLgfxECp2MAn1VUzoaLFiek6lky++m4 qTc4ejAoAJ9DE/8NyaqDkq0M+d3qEcxpVsQEBokAPwMFEDPvjflhWBbFOs5V/hEC GTAAoNaAhsFpD+qhH0X8IyGaljO1ywwHAKDYNOETuHePkca+yLDLwyxlmYurmYkA lQMFEDPvuil3prw+JwB2/QEBcpsD/25lxJqT+7jW4W6jDm7CTJ2OR8fPtdEUrj0d fujPCgltXJ3OVREwg69vCl/rCz9sVPKEzVFEbdvkTmjimxeg1ajBcb642SZMuFcg E60fhNyNsteyktZSI20E2UnZ0MrGK33J7Vn/1xPCl9o3ICa1vRo8E3ixnyvoGaB3 jhXHSdIviQCVAwUQM/Dk6him+KqOZxohAQEn9QQAtd5uSls7cYT+MZvjWrMxyhNV e3eSqHWZjXImWg8SWVey0/XI7ze5zMt8+GEpQoAaD9ZlLl4WthNG8iq7YdnsXQ99 OqpF4pRSvsYVv5BRPO3XvwNDN8jJMdP7jcIgwXo08Zt1YWTDMxpSNcF7ARfZ5M2D V9FKhgLris+9IRcWeemJAJUDBRAz8OmTetUtBpz0lbkBAdxmBACq97OI8lyJWvN1 qeZQca3wtrauXWpehi1gBxLnWBUPYPGV78nVIi/JFbKxMTT6zxf7ODDvXNBebngp Qp2gVO8TJ6tzrk2dVUKA9Sk03z8fRdSk13WhnYoojPPebFBtXBrnSxEq9gEVSj2Z R9u/5qUUrjKtZqoAXcPHfwqJCuo5rYkAPwMFEDPw8fC4sEdhxJFDBxEC75sAmgMQ NrF121TfmZ6QKCU2NscuY5H6AKCJinLR8Hwm00kTSTfFAO5bQfy4bYkAlQMFEDPw 6bfUWbxRv7Y9YQEBJtkD/3BgNhOa+2hK68jTI4hMaCaHyRII4wCZeKSEjoBJnLwa GQ9fs5jbJtfYjDtdcCkvSZy4OvXcWb7Gu31PKbJgBtGeY+Ns+fUahhUz+is35H+3 +ZuV91v56SW8wqcKEDt40V9g1TP5X6VE+QfXnoScFdjCbOViwoR6saPEkujJASuy iQA/AwUQM/Ks2CLcSmI6S/dwEQKghwCeOY2rw3OcrQdiDCJxZhSMMCa17pAAoIrq 3Epb5UdZEnZxJ/aZpGR/ROaaiQCVAwUQM/EQdH+11HSaYdsJAQGKBAP+LRkDVCwW NCpAAFOag6ou3SmFfxD19qRfLPbjlm3nLk6wYvbSXBVp1VXMRJkdmCXSxMe0vo1r xCMoL66qVutyHrSgifPPN6AYNPKTTNUx5o0Ck5xXf4PWoy8cfvyrKJtd/wDi4Ryf WOsZNYKVAf1ItbZse243ICsgMAduzZLgygo= =OrTt -----END PGP PUBLIC KEY BLOCK-----