The following mitigations have been identified for this
vulnerability, which may help protect an infrastructure until an
upgrade to a fixed version of Cisco IOS software can be scheduled:
Infrastructure Access Control Lists
+----------------------------------
Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic at
===========
Workarounds consist of filtering packets that are sent to 127.0.0.0/8
range and UDP packets that are sent to port 1975.
Using Interface Access Control Lists
+-----------------------------------
Access lists that filter UDP packets destined to port 1975 can be
used to mitigate this vulnerability. UDP port 1975 is a registered
port number that can be used by certain applications. However,
===========
The following mitigation and identification methods have been
identified for these vulnerabilities:
Infrastructure Access Control Lists
+----------------------------------
Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic at
control restrictions that only permit authorized devices SNMP access
to the device.
The following configuration example provides operators with
information on changing the community string and adding SNMP access
control restrictions using an access control list (ACL).
access-list 90 permit host <RF-Switch-IP-1>
access-list 90 permit host <RF-Switch-IP-2>
access-list 90 permit host <up-converter-IP-if-exists>
access-list 90 deny any
Filtering Packets to UDP Port 3232
+---------------------------------
MDT Data Join messages are sent to UDP port 3232. Creating an
access-list that filters destination UDP port 3232 and applying it on
the VRF interface of the PE router mitigates this vulnerability. Such
an access-list looks like this:
access-list 100 deny udp any any eq 3232
access-list 100 permit ip any any
control-plane
service-policy input control-plane-policy
Note: Because SIP can use UDP as a transport protocol, it is possible
to spoof the source address of an IP packet, which may bypass access
control lists that permit communication to these ports from trusted
IP addresses.
In the preceding CoPP example, the access control entries (ACEs) that
match the potential exploit packets with the permit action cause these
packets to be discarded by the policy-map drop function, whereas
NTP Access Group
+---------------
Warning: Because the feature in this vulnerability utilizes
UDP as a transport, it is possible to spoof the sender's IP address,
which may defeat access control lists (ACLs) that permit
communication to these ports from trusted IP addresses. Unicast
Reverse Path Forwarding (Unicast RPF) should be considered to be used
in conjunction to offer a better mitigation solution.
control-plane
service-policy input drop-sip-traffic
Warning: Because SIP can use UDP as a transport protocol, it
is possible to easily spoof the IP address of the sender, which may
defeat access control lists that permit communication to these ports
from trusted IP addresses.
In the above CoPP example, the access control entries (ACEs) that
match the potential exploit packets with the "permit" action result
in these packets being discarded by the policy-map "drop" function,
control-plane
service-policy input control-plane-policy
Warning: Because SIP can use UDP as a transport protocol, it
is possible to easily spoof the IP address of the sender, which may
defeat access control lists that permit communication to these ports
from trusted IP addresses.
In the above CoPP example, the access control entries (ACEs) that
match the potential exploit packets with the "permit" action result
in these packets being discarded by the policy-map "drop" function,
control-plane
service-policy input control-plane-policy
Note: Because SIP can use UDP as a transport protocol, it is possible
to easily spoof the IP address of the sender, which may defeat access
control lists that permit communication to these ports from trusted
IP addresses.
In the above CoPP example, the access control entries (ACEs) that
match the potential exploit packets with the "permit" action result
in these packets being discarded by the policy-map "drop" function,
Warning: Because SIP can utilize UDP as a transport protocol,
it is possible to easily spoof the sender's IP address, which may
defeat ACLs that permit communication to these ports from trusted
IP addresses.
In the above CoPP example, the access control list entries (ACEs)
that match the potential exploit packets with the "permit" action
result in these packets being discarded by the policy-map "drop"
function, while packets that match the "deny" action (not shown) are
not affected by the policy-map drop function. Additional information
on the configuration and use of the CoPP feature can be found at
Services Module" > "Firewall Services Module (FWSM) Software".
Workarounds
===========
There are no workarounds for this vulnerability. Access control lists
(ACLs) that are deployed on the FWSM itself to block through-the-device
or to-the-device ICMP messages are not effective to prevent this
vulnerability. However, blocking unnecessary ICMP messages on screening
devices or on devices in the path to the FWSM will prevent the FWSM
from triggering the vulnerability. For example, the following ACL,
access-list 150 permit ip any any
interface serial 2/0
ip access-group 150 in
The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended
deployment techniques for infrastructure protection access lists.
This white paper can be obtained at the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
WORKAROUNDS
Aruba Networks recommends not allowing access to the Aruba Remote Access
Point's diagnostic web interface after initial provisioning by applying an
access list (acl) to block HTTP and HTTPS protocol to its local IP. This
restricted acl needs to be in the highest position of the acl rules for
each user-role that should not have access to the diagnostic web
interface.
Example restricted IP access list added to a user-role called guest:
full mitigation as the source addresses may be spoofed.
Note: Implementations that use only L2TPv3 over IP need to deny all
UDP port 1701 traffic from anywhere to the infrastructure addresses.
* Infrastructure Access Control Lists
Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic
at the border of networks. Infrastructure Access Control Lists
(iACLs) are a network security best practice and should be
* Crafted TCP ACK Packet Vulnerability
* Crafted TLS Packet Vulnerability
* Instant Messenger Inspection Vulnerability
* Vulnerability Scan Denial of Service
* Control-plane Access Control List Vulnerability
The first four vulnerabilities may lead to a denial of service (DoS)
condition and the fifth vulnerability may allow an attacker to bypass
control-plane access control lists (ACL).
interface serial 2/0
ip access-group 150 in
The white paper titled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended
deployment techniques for infrastructure protection access lists.
This white paper can be obtained here:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
Control Plane Policing (CoPP)
===========
The following workarounds have been identified for these
vulnerabilities.
Infrastructure Access Control Lists
+----------------------------------
Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic at
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability
Workarounds are available for some of the vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml.
Management Configuration Guide - Embedded Event Manager Overview at
the following link:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_overview_ps6441_TSD_Products_Configuration_Guide_Chapter.html
Infrastructure Access Control Lists
+----------------------------------
Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic at
Services Module (FWSM) that may result in a reload of the FWSM. These
vulnerabilities can be triggered during the processing of HTTPS
requests, or during the processing of Media Gateway Control Protocol
(MGCP) packets.
A third vulnerability may cause access control list (ACL) entries to not
be evaluated after the access list has been manipulated.
Note: These vulnerabilities are independent of each other; a device may
be affected by one and not by the others.
Filters for TLS packets using TCP port 443 and MGCP packets on UDP port
2427 should also be deployed in front of vulnerable network devices so
that traffic is only allowed from trusted clients.
Additional information about tACLs is available in "Transit Access
Control Lists: Filtering at Your Edge":
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml.
Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Intelligence
Workarounds
===========
The workaround consists of adding an Access Control List (ACL) to
every Cisco IOS IPS policy configured on the device so that traffic
destined to ports 53/udp or 53/tcp is not inspected by the Cisco IOS
IPS feature. The following ACL would need to be added to the device
configuration:
Additional information on the configuration and use of the CoPP
feature is available at the following links:
http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml
and http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html
Access Control List (ACL)
+------------------------
An Access Control List (ACL) can be used to help mitigate attacks
that target this vulnerability. ACLs can specify that only packets
from legitimate sources are permitted to reach a device, and all
There are no workarounds to mitigate the vulnerability apart from
disabling H.323 if the Cisco IOS device does not need to run H.323
for VoIP services. Affected devices that must run H.323 are
vulnerable, and there are no specific configurations that can be
used to protect them. Applying access lists on interfaces that should
not accept H.323 traffic and putting firewalls in strategic locations
may greatly reduce exposure until an upgrade can be performed.
Cisco provides Solution Reference Network Design (SRND) guides to
help design and deploy networking solutions, which can be found at
"transport input none" on the vty lines of a vulnerable device will
prevent it from being exploited on TCP port 23. However, if the Cisco
IOS SSH server feature is configured on the device, "transport input
none" will not prevent the device from being exploited on TCP port 22.
Configuration of vty access control lists can partially mitigate this
vulnerability because the vulnerability can be exploited using spoofed
IP source addresses.
Border Gateway Protocol
+----------------------
Router(config-sip-ua)#no transport tcp
If IPv4 UDP-based Services Are Required
+---------------------------------------
By deploying IPv6 Access Control List (ACL) it is possible to prevent
offending IPv6 packets reaching vulnerable UDP services. The ACL in
the following example will block all IPv6 traffic from reaching
vulnerable services.
Router(config)#ipv6 access-list protect_IPv4_services
Local exploitation of an insecure permission vulnerability in multiple
Check Point Zone Labs products allows attackers to escalate privileges
or disable protection.
The vulnerability specifically exists in the default file Access Control
List (ACL) settings that are applied during installation. When an
administrator installs any of the Zone Labs ZoneAlarm tools, the
default ACL allows any user to modify the installed files. Some of the
programs run as system services. This allows a user to simply replace
an installed ZoneAlarm file with their own code that will later be
executed with system-level privileges.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco Nexus 5000 and 3000 Series Switches
Access Control List Bypass Vulnerability
Advisory ID: cisco-sa-20110907-nexus
Revision 1.0
The Cisco Wireless LAN Controller (WLC) product family is affected by
these vulnerabilities:
* Two denial of service (DoS) vulnerabilities
* Three privilege escalation vulnerabilities
* Two access control list (ACL) bypass vulnerabilities
Note: These vulnerabilities are independent of one another. A device
may be affected by one vulnerability and not affected by another.
Cisco has released free software updates that address these