SecurityTracker.com
SecurityTracker
Archives

Category:   Device (Router/Bridge/Hub)  >   Cisco ONS Vendors:   Cisco
Cisco ONS Optional Networking Software Flaws May Let Remote Users Gain Full Control of the ONS Platform
SecurityTracker Alert ID:  1005508
SecurityTracker URL:  http://securitytracker.com/id/1005508
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 31 2002
Impact:   Denial of service via network, Disclosure of authentication information, Disclosure of system information, Modification of system information, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): ONS15454, ONS15327; ONS software prior to 3.4
Description:   A series of vulnerabilities were reported in the Cisco ONS15454 optical transport platform and the Cisco ONS15327 edge optical transport platform. In the most severe case, a remote user can gain full control of the platform.

Cisco reported that the flaws are related to the TCC, TCC+, TCCi or the XTC control cards, used to manage the ONS hardware. ONS Software prior to version 3.4 is affected.

A remote user can gain FTP access to the control cards using any non-existent username and password. Then, the remote user can upload modified configuration files and delete software images from the TCC, TCC+ or XTC.

The running image database of the TCC, TCC+ or XTC stores usernames and passwords in clear text. A local user with access to the backup of the image database can view usernames and passwords. Also, (separately) a remote user can analyze an offline database backup of the TCC, TCC+ or XTC to view username and password pairs. If the remote user can obtain the administrator password, the remote user can gain complete control over the Cisco ONS platform.

A remote user can use the default "public" SNMP community string to gain SNMP access to the TCC, TCC+ or XTC. Apparently, this string cannot be changed in the ONS software.

A remote user can request an invalid CORBA Interoperable Object Reference (IOR) via HTTP to potentially cause the TCC, TCC+ or XTC to reset.

A remote user can send an HTTP request that begins with a character other than '/' to possibly cause the TCC, TCC+, TCCi or XTC to reset.

A remote user can use a default username and password to telnet to the TCC, TCC+ or XTC, access the underlying VxWorks operating system, and gain complete control over the Cisco ONS platform. Apparently, the password for this default account cannot be changed and the account cannot be disabled.

A remote user may use the SNMP read-only community string to view potentially sensitive system information in the SNMP MIBs on the TCC, TCC+ or XTC.

Cisco reports that the following hardware is *not* affected: Cisco ONS15540 extended service platform, ONS15800 series, ONS15200 series metro DWDM systems, and the ONS15194 IP transport concentrator.

Cisco has assigned Cisco bug ID CSCds52295, CSCdt84146, CSCdv62307, CSCdw15690, CSCdx82962 and CSCdy70756 to these vulnerabilities.

Impact:   A remote user can gain complete control over the Cisco ONS platform. A remote user can cause the control cards to reset.
Solution:   Cisco has released fixed versions of Cisco ONS software (3.4 and later) for the TCC+ card installed in the ONS 15454, the TCCi card installed in the ONS 15454E, and the XTC card installed in the ONS 15327. For the TCC control cards, Cisco plans to release Cisco ONS software release 2.3.3 on November 4, 2002.

To upgrade the Cisco ONS 15454, see:

http://www.cisco.com/univercd/cc/td/doc/product/ong/15400/r34dohcs/procedur/r34pctc.htm

To upgrade the Cisco ONS 15327, see:

http://www.cisco.com/univercd/cc/td/doc/product/ong/15327/r34userd/2734ctc.htm

Some workarounds are provided in the Cisco advisory, available at:

http://www.cisco.com/warp/public/707/ons-multiple-vuln-pub.shtml

Vendor URL:  www.cisco.com/warp/public/707/ons-multiple-vuln-pub.shtml
Cause:   Access control error, Authentication error, Exception handling error

Message History:   None.


 Source Message Contents

Subject:  Cisco ONS15454 and Cisco ONS15327 Vulnerabilities


http://www.cisco.com/warp/public/707/ons-multiple-vuln-pub.shtml

Cisco Security Advisory: Cisco ONS15454 and Cisco ONS15327 Vulnerabilities
Revision 1.0
For Public Release 2002 October 31 at 1600 UTC

Contents

      Summary
      Affected Products
      Details
      Impact
      Software Versions and Fixes
      Obtaining Fixed Software
      Workarounds
      Exploitation and Public Announcements
      Status of This Notice
      Distribution
      Revision History
      Cisco Security Procedures

Summary

Multiple vulnerabilities exist in the Cisco ONS15454 optical transport platform and the
Cisco ONS15327 edge optical transport platform. All Cisco ONS software releases earlier
than 3.4 are vulnerable.

The Cisco ONS15454E is affected only by CSCdx82962.

These vulnerabilities are documented as Cisco bug ID CSCds52295, CSCdt84146, CSCdv62307,
CSCdw15690, CSCdx82962 and CSCdy70756. There are workarounds available to mitigate the
effects of these vulnerabilities.

This advisory will be posted at
http://www.cisco.com/warp/public/707/ons-multiple-vuln-pub.shtml.

Affected Products

All Cisco ONS15454 and ONS15327 hardware running Cisco ONS releases earlier than 3.4 are
affected by these vulnerabilities.

Hardware not affected includes the Cisco ONS15540 extended service platform, ONS15800
series, ONS15200 series metro DWDM systems and the ONS15194 IP transport concentrator.

The Cisco ONS15454E is affected only by CSCdx82962.

No other Cisco product is currently known to be affected by these vulnerabilities.

To determine your software revision, view the help-about window on the CTC network
management software.

Details

The ONS hardware is managed via the TCC, TCC+, TCCi or the XTC control cards, which are
usually connected to a network isolated from the Internet and local to the customer's
environment. This limits the exposure to exploitation of the vulnerabilities from the
Internet.

These vulnerabilities are documented as Cisco bug ID CSCds52295, CSCdt84146, CSCdv62307,
CSCdw15690, CSCdx82962 and CSCdy70756, which require a CCO account to view and can be
viewed after 2002 November 1 at 1600 UTC.

CSCds52295
It is possible to open an FTP connection to the TCC, TCC+ or XTC using any nonexistent
user-name and password. In order to exploit this vulnerability a person must be able to
establish an FTP connection to the TCC, TCC+ or XTC.

CSCdt84146
User-names and passwords are stored in clear text in the running image database of the
TCC, TCC+ or XTC. In order to exploit this vulnerability a person needs access to the
backup of the image database.

CSCdv62307
The SNMP community string "public" cannot be changed in the Cisco ONS software. In order
to exploit this vulnerability a person must be able to establish an SNMP connection to the
TCC, TCC+ or XTC.

CSCdw15690
Requesting an invalid CORBA Interoperable Object Reference (IOR) via HTTP may cause the
TCC, TCC+ or XTC to reset. In order to exploit this vulnerability a person must be able to
establish an HTTP connection to the TCC, TCC+ or XTC.

CSCdx82962
HTTP requests starting with any character other than '/' may cause the TCC, TCC+, TCCi or
XTC to reset. In order to exploit this vulnerability a person must be able to establish an
HTTP connection to the TCC, TCC+ or XTC.

CSCdy70756
The TCC, TCC+ and XTC have a user-name and password that can be used to gain access to the
underlying VxWorks Operating System, and it is not possible to change or disable this
account. In order to exploit this vulnerability a person must be able to establish a
Telnet connection to the TCC, TCC+ or XTC.

Impact

CSCds52295
Once an FTP connection has been opened a person could upload modified configuration files
and delete software images from the TCC, TCC+ or XTC.

CSCdt84146
By analyzing an offline database backup of the TCC, TCC+ or XTC, it is possible to extract
user-name and password pairs. Using the administrator password a person can access the
TCC, TCC+ or XTC either remotely or locally and gain complete control over the Cisco ONS
platform.

CSCdv62307
By using the SNMP read-only community string a person may gain unauthorized access to
information in the SNMP MIBs on the TCC, TCC+ or XTC. User-names and passwords cannot be
extracted using this method.

CSCdw15690
By requesting an invalid CORBA IOR object via HTTP a person may cause the TCC, TCC+ or XTC
to reset. This does not impact the traffic already flowing through the switch.

CSCdx82962
By requesting URLs starting with a character other than '/' via HTTP a person may cause
the TCC, TCC+, TCCi or XTC to reset. This does not impact the traffic already flowing
through the switch.

CSCdy70756
Using the VxWorks OS account a person can access the TCC, TCC+ or XTC either remotely or
locally and gain complete control over the Cisco ONS platform.

Software Versions and Fixes

All vulnerabilities are fixed in the Cisco ONS software release 3.4 and later for the TCC+
installed in the ONS 15454, the TCCi installed in the ONS 15454E and the XTC installed in
the ONS 15327. For the TCC control cards, the Cisco ONS software release 2.3.3 will be
available on CCO on November 4, 2002.

The procedure to upgrade to the fixed software version on the Cisco ONS 15454 is detailed
at http://www.cisco.com/univercd/cc/td/doc/product/ong/15400/r34dohcs/procedur/r34pctc.htm.

The procedure to upgrade to the fixed software version on the Cisco ONS 15327 is detailed
at http://www.cisco.com/univercd/cc/td/doc/product/ong/15327/r34userd/2734ctc.htm.

Obtaining Fixed Software

Cisco is offering free software upgrades to address these vulnerabilities for all affected
customers. Customers may only install and expect support for the feature sets they have
purchased.

Customers with service contracts should contact their regular update channels to obtain
the free software upgrade identified via this advisory. To see the detailed information
below, you must be a registered user and you must be logged in.

Customers whose Cisco products are provided or maintained through a prior or existing
agreement with third-party support organizations such as Cisco Partners, authorized
resellers, or service providers should contact that support organization for assistance
with obtaining the free software upgrade(s).

Customers who purchased directly from Cisco but who do not hold a Cisco service contract,
and customers who purchase through third party vendors but are unsuccessful at obtaining
fixed software through their point of sale, should obtain fixed software by contacting the
Cisco Technical Assistance Center (TAC) using the contact information listed below. In
these cases, customers are entitled to obtain an upgrade to a later version of the same
release or as indicated by the applicable corrected software version in the Software
Versions and Fixes section (noted above).

Cisco TAC contacts are as follows:

    * +1 800 553 2447 (toll free from within North America)
    * +1 408 526 7209 (toll call from anywhere in the world)
    * e-mail: tac@cisco.com

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact
information, including special localized telephone numbers and instructions and e-mail
addresses for use in various languages.

Please have your product serial number available and give the URL of this advisory as
evidence of your entitlement to a free upgrade.

Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software
upgrades.

Workarounds

CSCds52295

Restrict FTP traffic to the gateway node(s) with a router configured to restrict FTP
access to the TCC, TCC+ or XTC so that FTP access is only allowed from authorized
workstations. This can be done by adding Access Control Lists and turning on Unicast
Reverse Path Forwarding on the router.

Please note that this will not prevent spoofed IP packets from the local segment, with the
source IP address set to that of the authorized workstation, from reaching the TCC, TCC+ or
XTC.

CSCdt84146

It is possible to mitigate the effects of this vulnerability by making sure that the
backup Cisco ONS images from the TCC, TCC+ or XTC are secure from unauthorized access.

CSCdv62307

Restrict SNMP traffic to the gateway node(s) with a router configured to restrict SNMP
access to the TCC, TCC+ or XTC so that SNMP access is only allowed from valid network
management workstations. This can be done by adding Access Control Lists and turning on
Unicast Reverse Path Forwarding on the router.

Please note that this will not prevent spoofed IP packets from the local segment, with the
source IP address set to that of the network management station, from reaching the TCC,
TCC+ or XTC.

CSCdw15690

Restrict HTTP traffic to the gateway node(s) with a router configured to restrict HTTP
access to the TCC, TCC+ or XTC so that HTTP access is only allowed from valid network
management workstations. This can be done by adding Access Control Lists and turning on
Unicast Reverse Path Forwarding on the router.

Please note that this will not prevent spoofed IP packets from the local segment, with the
source IP address set to that of the network management station, from reaching the TCC,
TCC+ or XTC.

CSCdx82962

Restrict HTTP traffic to the gateway node(s) with a router configured to restrict HTTP
access to the TCC, TCC+ or XTC so that HTTP access is only allowed from valid network
management workstations. This can be done by adding Access Control Lists and turning on
Unicast Reverse Path Forwarding on the router.

Please note that this will not prevent spoofed IP packets from the local segment, with the
source IP address set to that of the network management station, from reaching the TCC,
TCC+ or XTC.

CSCdy70756

Restrict Telnet traffic to the gateway node(s) with a router configured to restrict
Telnet access to the TCC, TCC+ or XTC so that Telnet access is only allowed from
authorized workstations. This can be done by adding Access Control Lists and turning on
Unicast Reverse Path Forwarding on the router.

Please note that this will not prevent spoofed IP packets from the local segment, with the
source IP address set to that of the workstation, from reaching the TCC, TCC+ or XTC.
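
The five workarounds above all describe the same router-side control: an access list that
admits FTP, SNMP, HTTP and Telnet to the control card only from the authorized management
hosts, combined with Unicast Reverse Path Forwarding. The configuration below is an added
example of that control written in Cisco IOS syntax; it is not taken from the Cisco
advisory or the ONS documentation. The addresses are RFC 5737 documentation placeholders
(192.0.2.10 stands for the authorized workstation, 198.51.100.5 for the ONS gateway node),
the interface name is assumed, and the ACL name ONS-MGMT-IN is invented for the example.

```cisco
! Added example, not part of the Cisco advisory. Placeholder addresses:
!   192.0.2.10   = authorized NMS / craft workstation
!   198.51.100.5 = ONS gateway node (TCC, TCC+ or XTC management address)
ip cef
!
ip access-list extended ONS-MGMT-IN
 remark Authorized workstation may reach the control card on the four affected services
 permit tcp host 192.0.2.10 host 198.51.100.5 eq ftp
 permit tcp host 192.0.2.10 host 198.51.100.5 eq telnet
 permit tcp host 192.0.2.10 host 198.51.100.5 eq www
 permit udp host 192.0.2.10 host 198.51.100.5 eq snmp
 remark Every other source is denied those services; "log" records each attempt via syslog
 deny   tcp any host 198.51.100.5 eq ftp log
 deny   tcp any host 198.51.100.5 eq telnet log
 deny   tcp any host 198.51.100.5 eq www log
 deny   udp any host 198.51.100.5 eq snmp log
 remark Remaining traffic is left to whatever policy the router already applies
 permit ip any any
!
interface FastEthernet0/0
 description Management LAN facing the authorized workstations (assumed interface)
 ip access-group ONS-MGMT-IN in
 ! Strict uRPF: drop packets whose source address would not be routed back out this interface
 ip verify unicast reverse-path
```

The access list filters only the FTP control channel (tcp/21); a passive-mode data
connection to an ephemeral port on the card, like the CTC CORBA session itself, passes
through the final permit and would need its own entries if it is to be restricted. The
`log` keyword on the deny lines is the detection hook: every rejected attempt against the
card becomes a syslog message that can be collected and alerted on. Strict uRPF requires
CEF and rejects packets arriving on the management interface with a source address that
the router would not route back through it, which stops spoofing from other segments; as
the advisory notes, a host on the same local segment as the authorized workstation can
still spoof its address.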

Exploitation and Public Announcements

All defects were reported to Cisco by customers. The Cisco PSIRT is not aware of any
public announcements or malicious use of the vulnerabilities described in this advisory.

Status of This Notice: FINAL

This is a final advisory. Although Cisco cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our ability. Cisco
does not anticipate issuing updated versions of this advisory unless there is some
material change in the facts. Should there be a significant change in the facts, Cisco may
update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that omits the
distribution URL in the following section is an uncontrolled copy, and may lack important
information or contain factual errors.

Distribution

This advisory will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/ons-multiple-vuln-pub.shtml.

In addition to worldwide website posting, a text version of this advisory is clear-signed
with the Cisco PSIRT PGP key having the fingerprint FEB1 1B89 A64B 60BB 4770 D1CE 93D2
FF06 F236 759C and is posted to the following e-mail and Usenet news recipients:

    * cust-security-announce@cisco.com
    * bugtraq@securityfocus.com
    * full-disclosure@lists.netsys.com
    * first-teams@first.org (includes CERT/CC)
    * cisco-nsp@puck.nether.net
    * cisco@spot.colorado.edu
    * comp.dcom.sys.cisco
    * Various internal Cisco mailing lists

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but
may or may not be actively announced on mailing lists or newsgroups. Users concerned about
this problem are encouraged to check the above URL for any updates.

Revision History

Revision 1.0 31-October-2002 Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining
assistance with security incidents, and registering to receive security information from
Cisco, is available on Cisco's worldwide website at http://www.cisco.com/go/psirt. This
includes instructions for press inquiries regarding Cisco security advisories.

This notice is Copyright 2002 by Cisco Systems, Inc. This notice may be redistributed
freely after the release date given at the top of the text, provided that redistributed
copies are complete and unmodified, and include all date and version information.

Copyright 2019, SecurityGlobal.net LLC