| Field | Value |
|---|---|
| VID | 29059 |
| Severity | 40 |
| Port | 161 |
| Protocol | UDP |
| Class | CISCO |

**Detailed Description**
Cisco IOS has SSH denial-of-service vulnerabilities (Cisco bug IDs CSCdz60229, CSCdy87221, CSCdu75477). These vulnerabilities arise from multiple buffer overflows and can be exploited to make an affected product unavailable for several minutes while the device reloads. Once it has resumed normal processing, the device is still vulnerable and can be forced to reload repeatedly. Rapid7, Inc. has developed a suite of crafted packets to test implementations of the Secure Shell (SSH) protocol. If the SSH server is enabled, several of the test cases cause a forced reload of the device before the authentication process is invoked. Each time an SSH connection attempt is made to an affected Cisco device with one of the crafted packets, the device may hang or reboot.
* Note: This check relies solely on the version number reported by the remote system to assess this vulnerability, so it may produce a false positive. It also requires a read-access SNMP community string to collect the version number. To provide this access, add the valid community string to the check item "snmp/guessable/r" in the Policy Editor.
* References:
  * http://www.cisco.com/warp/public/707/ssh-packet-suite-vuln.shtml
  * http://www.cert.org/advisories/CA-2002-36.html
  * http://www.rapid7.com/advisories/R7-0009.txt
* Platforms Affected: Cisco IOS releases 12.0S, 12.0ST, 12.1T, 12.1E, 12.2, 12.2T, 12.2S
**Recommendation**

Upgrade to a fixed version of Cisco IOS, as listed in the "Software Versions and Fixes" section of the Cisco Security Advisory "SSH Malformed Packet Vulnerabilities", http://www.cisco.com/warp/public/707/ssh-packet-suite-vuln.shtml . Upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com/tacpage/sw-center/ .

Workarounds:

For Cisco IOS Software:

1. Disable the SSH server by applying the command `crypto key zeroize rsa` in configuration mode. The SSH server is enabled automatically when an RSA key pair is generated; zeroizing the RSA keys is the only way to completely disable the SSH server.
   * Caution: This workaround will have undesirable side effects for IPsec sessions that terminate on the device and use RSA key pairs for device authentication, or that use certificates based on those RSA key pairs.
2. Remove SSH as a valid transport protocol by reapplying the `transport input` command with `ssh` removed from the list of permitted transports on the VTY lines, in configuration mode. For example:

   ```
   line vty 0 4
    transport input telnet
   end
   ```

3. Restrict access to specific source IP addresses, or block it entirely, by applying Access Control Lists (ACLs) to the VTY lines as shown at: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/1219ea1/scg/swacl.htm#xtocid14

For Cisco Aironet Software: Use the IP Port Filter feature on Cisco Aironet Access Points. Information on configuring IP port filters can be found in the Access Point Configuration Guide: http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch5.htm Also, block inbound SSH connections to the device with an external packet-filtering device, such as a firewall or a router that blocks traffic to TCP port 22.

For details, see http://www.cisco.com/warp/public/707/ssh-packet-suite-vuln.shtml
| Field | Value |
|---|---|
| Related URL | CVE-2002-1357, CVE-2002-1358, CVE-2002-1359, CVE-2002-1360 (CVE) |
| Related URL | 6397, 6405, 6407, 6408, 6410 (SecurityFocus) |
| Related URL | 10868, 10869, 10870, 10871 (ISS) |