TCP

Cisco Security Advisory: Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability


Cisco Security Advisory: Cisco IOS Software Multiple Features Crafted
TCP Sequence Vulnerability

Advisory ID: cisco-sa-20090325-tcp

http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml


Cisco Security Advisory: Cisco IOS Software TCP Denial of Service Vulnerability


Cisco Security Advisory: Cisco IOS Software TCP Denial of Service
Vulnerability

Advisory ID: cisco-sa-20100812-tcp

http://www.cisco.com/warp/public/707/cisco-sa-20100812-tcp.shtml


Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the
following vulnerabilities:

  * TCP Connection Exhaustion Denial of Service Vulnerability
  * Session Initiation Protocol (SIP) Inspection Denial of Service
    Vulnerabilities
  * Skinny Client Control Protocol (SCCP) Inspection Denial of
    Service Vulnerability
  * WebVPN Datagram Transport Layer Security (DTLS) Denial of Service

Cisco Security Advisory: Cisco IOS SSL VPN Vulnerability

Cisco IOS Software contains a vulnerability when the Cisco IOS SSL
VPN feature is configured with an HTTP redirect. Exploitation could
allow a remote, unauthenticated user to cause a memory leak on the
affected device, which could result in a memory exhaustion condition
that may cause device reloads, the inability to service new TCP
connections, and other denial of service (DoS) conditions.

Cisco has released free software updates that address this
vulnerability. There is a workaround to mitigate this vulnerability.


Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Adaptive Security Appliance and Cisco PIX Security Appliances

  * VPN Authentication Bypass when Account Override Feature is Used
    vulnerability

  * Crafted HTTP packet denial of service (DoS) vulnerability

  * Crafted TCP Packet DoS vulnerability

  * Crafted H.323 packet DoS vulnerability

  * SQL*Net packet DoS vulnerability


Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and Cisco ASA

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive
Security Appliances and Cisco PIX Security Appliances. This security
advisory outlines details of these vulnerabilities:

  * Crafted TCP ACK Packet Vulnerability
  * Crafted TLS Packet Vulnerability
  * Instant Messenger Inspection Vulnerability
  * Vulnerability Scan Denial of Service
  * Control-plane Access Control List Vulnerability


Cisco Security Advisory: Cisco Security Agent for Windows System Driver Remote Buffer Overflow Vulnerability

A buffer overflow vulnerability exists in a system driver used by the
Cisco Security Agent for Microsoft Windows. This buffer overflow can be
exploited remotely and causes corruption of kernel memory, which leads
to a Windows stop error (blue screen) or to arbitrary code execution.

The vulnerability is triggered during processing of a crafted TCP
segment destined to TCP port 139 or 445. These ports are used by the
Microsoft Server Message Block (SMB) protocol.

Cisco has released free software updates that address this
vulnerability.

Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Recording Server

A number of sensitive Java Servlets delivered via a Java Servlet
framework within the Cisco TelePresence Recording Server could allow
a remote, unauthenticated attacker to perform actions that should be
restricted to administrative users. To successfully exploit this
vulnerability, the attacker would need the ability to submit a
crafted request to an affected device on TCP port 80, TCP port 443,
or TCP port 8080.

An attacker must perform a three-way TCP handshake and establish a
valid session to exploit these vulnerabilities.


Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities

In addition to inspecting the Cisco IOS device configuration for a
dial-peer command that causes the device to process SIP messages,
administrators can also use the show processes | include SIP command
to determine whether Cisco IOS Software is running the processes that
handle SIP messages. In the following example, the presence of the
processes CCSIP_UDP_SOCKET or CCSIP_TCP_SOCKET indicates that the
Cisco IOS device will process SIP messages:

    Router# show processes | include SIP
     149 Mwe 40F48254            4          1    400023108/24000  0 CCSIP_UDP_SOCKET
     150 Mwe 40F48034            4          1    400023388/24000  0 CCSIP_TCP_SOCKET

Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerabilities

Cisco devices that are running Cisco IOS Software are vulnerable when
they are configured for NAT and contain support for one or more of
the following features:

  * NetMeeting Directory NAT (LDAP on TCP port 389)
  * NAT for Session Initiation Protocol (SIP)
  * NAT for H.323

The preferred method to verify whether NAT is enabled on a Cisco IOS
device is to log in to the device and issue the "show ip nat

Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability

In addition to inspecting the Cisco IOS device configuration for a
dial-peer command that causes the device to process SIP messages,
administrators can also use the command show processes | include SIP
to determine whether Cisco IOS Software is running the processes that
handle SIP messages. In the following example, the presence of the
processes CCSIP_UDP_SOCKET or CCSIP_TCP_SOCKET indicates that the
Cisco IOS device is processing SIP messages:

    Router#show processes | include SIP
     149 Mwe 40F48254            4          1    400023108/24000  0 CCSIP_UDP_SOCKET
     150 Mwe 40F48034            4          1    400023388/24000  0 CCSIP_TCP_SOCKET

[TOOL RELEASE] T50 - an Experimental Mixed Packet Injector ( v5.3)

4. Exotic Protocols: Advanced options and protocol crafting for RSVP, EIGRP, OSPF and GRE were added, allowing users to combine these exotic protocols in any way they choose. Note that EIGRP is a proprietary protocol developed by Cisco Systems, Inc.

5. Encapsulation: T50 can now encapsulate all of its packets within Generic Routing Encapsulation (GRE), making it the most powerful tool ever.

6. TCP Options Support: the following TCP options are now supported, improving the tool's TCP crafting:
    1. TCP End of Option List (RFC 793)
    2. TCP No-Operation Option (RFC 793)
    3. TCP Maximum Segment Size Option (RFC 793)
    4. TCP Window Scale Option (RFC 1323)
    5. TCP Timestamps Option (RFC 1323)

Cisco Security Advisory: Multiple Cisco IOS Session Initiation Protocol Denial of Service Vulnerabilities

the device is listening on the SIP ports.

The command show processes | include SIP can be used to determine
whether Cisco IOS is running the processes that handle SIP messages.
In the following example, the presence of the processes
CCSIP_UDP_SOCKET and CCSIP_TCP_SOCKET indicates that the Cisco IOS
device is processing SIP messages:

    Router#show processes | include SIP
     147 Mwe 40F46DF4           12          2    600023468/24000  0 CCSIP_SPI_CONTRO
     148 Mwe 40F21244            0          1       0 5524/6000   0 CCSIP_DNS

Cisco Security Advisory: Cisco 7600 Series Router Session Border Controller Denial of Service Vulnerability

session-based services providing protocol interworking, security, and
admission control and management. The SBC is a multimedia device that
sits on the border of a network and controls call admission to that
network. A vulnerability exists in the Cisco SBC where an
unauthenticated attacker may cause the Cisco SBC card to reload by
sending crafted TCP packets over port 2000. Repeated exploitation
could result in a sustained DoS condition.

Note: Only the Cisco SBC module reloads after successful
exploitation. The Cisco 7600 series router does not reload and it is
not affected by this vulnerability.

Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices

Multiple CGI command injection vulnerabilities exist in Cisco
TelePresence endpoint devices that could allow a remote,
authenticated attacker to execute arbitrary commands with elevated
privileges. To exploit these vulnerabilities, an attacker must submit
a malformed request to an affected device via TCP port 8082.

An attacker must perform a three-way TCP handshake and establish a
valid session to exploit this vulnerability.

  * Cisco TelePresence endpoint - CSCtb31640 ( registered customers

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

Cisco Unified Communications Manager contains two DoS vulnerabilities
that involve the processing of SIP packets. Each vulnerability is
triggered by a malformed SIP message that could cause a critical
process to fail, resulting in the disruption of voice services. All
SIP ports (TCP 5060 and 5061, UDP 5060 and 5061) are affected by
these vulnerabilities.

The first SIP DoS vulnerability is documented in Cisco Bug ID
CSCsi46466 and has been assigned the CVE identifier CVE-2009-2050.
The first vulnerability is fixed in Cisco Unified Communications

Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch

A number of sensitive Java Servlets delivered via a Java Servlet
framework in the Cisco Telepresence Multipoint Switch could allow a
remote, unauthenticated attacker to perform actions that should be
restricted to administrative users only. The attacker would need the
ability to submit a crafted request to an affected device on TCP port
80, 443, or 8080.

An attacker must perform a three-way TCP handshake and establish a
valid session to exploit these vulnerabilities.


Cisco Security Advisory: Application Inspection Vulnerability in Cisco Firewall Services Module

http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-fwsm?psrtdcat20e2

Workarounds
===========

* Disable the TCP normalizing function
  
  Disabling the TCP normalizing function in the FWSM will mitigate
  this vulnerability.

  The TCP normalizer performs the following action: for traffic that

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

Certificate Trust List Provider Related Vulnerabilities

The Certificate Trust List (CTL) Provider service of Cisco Unified
Communications Manager version 5.x contains a memory consumption
vulnerability that occurs when a series of malformed TCP packets are
received by a vulnerable Cisco Unified Communications Manager system
and may result in a DoS condition. The CTL Provider service listens
by default on TCP port 2444 and is user configurable. The CTL
Provider service is enabled by default. There is a workaround for
this vulnerability. The vulnerability is fixed in Cisco Unified

A paper by Amit Klein (Trusteer): "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability"

Interestingly enough, OpenBSD uses a flavor of this PRNG for
another field, this time the IP fragmentation ID, part of the
OpenBSD kernel network stack. The analysis carries out quite
similarly to show that OpenBSD's IP ID is predictable as well,
which gives way to O/S fingerprinting, idle-scanning, host alias
detection, traffic analysis, and in some cases, even to TCP blind
data injection.

But it gets more interesting. Several other BSD operating systems
copied the OpenBSD code for their own IP ID PRNG, so they're
vulnerable too. This is particularly so with Apple's Mac OS X,


Update+Errata: Re: A paper by Amit Klein (Trusteer): "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability"

> Interestingly enough, OpenBSD uses a flavor of this PRNG for
> another field, this time the IP fragmentation ID, part of the
> OpenBSD kernel network stack. The analysis carries out quite
> similarly to show that OpenBSD's IP ID is predictable as well,
> which gives way to O/S fingerprinting, idle-scanning, host alias
> detection, traffic analysis, and in some cases, even to TCP blind
> data injection.
>
> But it gets more interesting. Several other BSD operating systems
> copied the OpenBSD code for their own IP ID PRNG, so they're
> vulnerable too. This is particularly so with Apple's Mac OS X,

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall Services Module

Multiple vulnerabilities exist in the Cisco Firewall Services Module
(FWSM) for the Cisco Catalyst 6500 Series Switches and Cisco 7600
Series Routers that may cause the Cisco FWSM to reload after
processing crafted SunRPC or certain TCP packets. Repeated
exploitation could result in a sustained DoS condition.

Cisco has released free software updates that address these
vulnerabilities. Workarounds are available for the vulnerabilities
disclosed in this advisory.

Cisco Security Advisory: Multiple Vulnerabilities in the Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine

RTSP Inspection DoS Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4,
RealPlayer, and Cisco IP/TV connections. RTSP applications use the
well-known port 554 with TCP and UDP as the control channel. The
module and the appliance only support RTSP over TCP.

The Cisco ACE Application Control Engine Module and Cisco ACE 4710
Application Control Engine contain a DoS vulnerability that can be
exploited by an unauthenticated attacker while sending crafted RTSP

RE: TCP Port randomization paper

Hi Fernando+list

I'm glad to see that someone takes aim at this issue.

However, it seems that your proposal only attempts to address one
consequence of predictable TCP source ports, namely blind TCP attacks
(in all fairness, it appears that the object of your proposal is to
solve the blind TCP attacks, rather than the issue of predictable TCP
source ports; I look at it the other way around...). Naturally this is a
major outcome, but there are still other consequences, perhaps less
severe, such as traffic analysis. For example, the naïve (and as

Editran editcp V4.1 R7 - Remote buffer overflow

          ===============================
                   - Advisory -
          ===============================

   Title:   Editran editcp V4.1 R7 - Remote buffer overflow
    Risk:   High
    Date:   25.Jun.2010
  Author:   Pedro Andujar <pandujar *@* segfault.es>

Cisco Security Advisory: Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities

  * HTTP Server DoS

    Cisco Unified IP Phone 7935 and 7936 devices running SCCP
    firmware contain a DoS vulnerability in their internal HTTP
    server. By sending a specially crafted HTTP request to TCP port
    80 on a vulnerable phone, it may be possible to cause the phone
    to reboot. It is possible to workaround this issue by disabling
    the internal HTTP server on vulnerable phones. The internal HTTP
    server only listens to TCP port 80. This vulnerability is
    corrected in SCCP firmware version 3.2(17) for 7935 devices and

Cisco Security Advisory: Cisco IOS NAT Skinny Call Control Protocol Vulnerability

Details
=======

The Skinny Call Control Protocol (SCCP) enables voice communication
between an SCCP client and a Call Manager (CM). Typically, the CM
provides service to the SCCP clients on TCP Port 2000 by default.
Initially, an SCCP client connects to the CM by establishing a TCP
connection; the client will also establish a TCP connection with a
secondary CM, if available.

The NAT SCCP Fragmentation Support feature prevents skinny control
