[c-nsp] Cisco Security Advisory: Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability

Document ID: 112893

Advisory ID: cisco-sa-20110223-fwsm

Revision 1.0

For Public Release 2011 February 23 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability exists in the Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers that may cause the Cisco FWSM to reload after processing a malformed Skinny Client Control Protocol (SCCP) message. Devices are affected when SCCP inspection is enabled.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110223-fwsm.shtml.

Note: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the vulnerability described in this advisory. A separate Cisco Security Advisory has been published to disclose this and other vulnerabilities that affect the Cisco ASA 5500 Series Adaptive Security Appliances. The advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml.

Affected Products
=================

Vulnerable Products
+------------------

Versions 3.1.x, 3.2.x, 4.0.x, and 4.1.x of Cisco FWSM software are affected by this vulnerability if SCCP inspection is enabled. SCCP inspection is enabled by default.

To determine whether SCCP inspection is enabled, issue the show service-policy | include skinny command and confirm that the command returns output. Example output follows:

    fwsm# show service-policy | include skinny
      Inspect: skinny , packet 0, drop 0, reset-drop 0

Alternatively, a device that has SCCP inspection enabled has a configuration similar to the following:

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...
      inspect skinny
      ...
    !
    service-policy global_policy global

Note: The service policy could also be applied to a specific interface.
(Global application is shown in the previous example.)

To determine the version of Cisco FWSM software that is running, issue the show module command from Cisco IOS Software or Cisco Catalyst Operating System Software to identify what modules and submodules are installed on the system. The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1) installed in slot 2:

    switch> show module
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      1   16  SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
      2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485
      3    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD0932089Z
      4    4  SLB Application Processor Complex      WS-X6066-SLB-APC   SAD093004BD
      5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E

    Mod MAC addresses                       Hw    Fw           Sw           Status
    --- --------------------------------- ------ ------------ ------------ -------
      1  0009.11e3.ade8 to 0009.11e3.adf7   5.1   6.3(1)       8.5(0.46)RFW Ok
      2  0018.ba41.5092 to 0018.ba41.5099   4.0   7.2(1)       3.2(2)10     Ok
      3  0014.a90c.9956 to 0014.a90c.995d   5.0   7.2(1)       5.1(6)E1     Ok
      4  0014.a90c.66e6 to 0014.a90c.66ed   1.7   4.2(3)                    Ok
      5  0013.c42e.7fe0 to 0013.c42e.7fe3   4.4   8.1(3)       12.2(18)SXF1 Ok
    [...]

After locating the correct slot, issue the show module slot number command to identify the software version that is running, as shown in the following example:

    switch> show module 2
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485

    Mod MAC addresses                       Hw    Fw           Sw           Status
    --- --------------------------------- ------ ------------ ------------ -------
      2  0018.ba41.5092 to 0018.ba41.5099   4.0   7.2(1)       3.2(2)10     Ok
    [...]

The preceding example shows that the FWSM is running software version 3.2(2)10 as indicated by the Sw column.

Note: Recent versions of Cisco IOS Software will show the software version of each module in the output from the show module command; therefore, executing the show module slot number command is not necessary.

If a Virtual Switching System (VSS) is used to allow two physical Cisco Catalyst 6500 Series Switches to operate as a single logical virtual switch, the show module switch all command can display the software version of all
[c-nsp] Cisco Security Advisory: Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability

Advisory ID: cisco-sa-20100217-fwsm

http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml

Revision 1.0

For Public Release 2010 February 17 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability exists in the Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers that may cause the Cisco FWSM to reload after processing a malformed Skinny Client Control Protocol (SCCP) message. The vulnerability exists when SCCP inspection is enabled.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml.

Affected Products
=================

Vulnerable Products
+------------------

All non-fixed 4.x versions of Cisco FWSM Software are affected by this vulnerability if SCCP inspection is enabled. SCCP inspection is enabled by default.

To check if SCCP inspection is enabled, issue the show service-policy | include skinny command and confirm that the command returns output. Example output follows:

    fwsm# show service-policy | include skinny
      Inspect: skinny , packet 0, drop 0, reset-drop 0

Alternatively, a device that has SCCP inspection enabled has a configuration similar to the following:

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...
      inspect skinny
      ...
    !
    service-policy global_policy global

To determine the version of Cisco FWSM Software that is running, issue the show module command-line interface (CLI) command from Cisco IOS Software or Cisco Catalyst Operating System Software to identify what modules and submodules are installed on the system. The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1) installed in slot 2:

    switch> show module
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      1   16  SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
      2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485
      3    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD0932089Z
      4    4  SLB Application Processor Complex      WS-X6066-SLB-APC   SAD093004BD
      5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E

    Mod MAC addresses                       Hw    Fw           Sw           Status
    --- --------------------------------- ------ ------------ ------------ -------
      1  0009.11e3.ade8 to 0009.11e3.adf7   5.1   6.3(1)       8.5(0.46)RFW Ok
      2  0018.ba41.5092 to 0018.ba41.5099   4.0   7.2(1)       3.2(2)10     Ok
      3  0014.a90c.9956 to 0014.a90c.995d   5.0   7.2(1)       5.1(6)E1     Ok
      4  0014.a90c.66e6 to 0014.a90c.66ed   1.7   4.2(3)                    Ok
      5  0013.c42e.7fe0 to 0013.c42e.7fe3   4.4   8.1(3)       12.2(18)SXF1 Ok
    [...]

After locating the correct slot, issue the show module slot number command to identify the software version that is running. Example output follows:

    switch> show module 2
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485

    Mod MAC addresses                       Hw    Fw           Sw           Status
    --- --------------------------------- ------ ------------ ------------ -------
      2  0018.ba41.5092 to 0018.ba41.5099   4.0   7.2(1)       3.2(2)10     Ok
    [...]

The preceding example shows that the FWSM is running software version 3.2(2)10 as indicated by the column under Sw.

Note: Recent versions of Cisco IOS Software will show the software version of each module in the output from the show module command; therefore, executing the show module slot number command is not necessary.

If a Virtual Switching System (VSS) is used to allow two physical Cisco Catalyst 6500 Series Switches to operate as a single logical virtual switch, the show module switch all command can display the software version of all FWSMs that belong to switch 1 and switch 2. The output from this command will be similar to the output from the show module slot number command but will include module information for the modules in each switch in the VSS.

Alternatively, version information can be obtained directly from the FWSM through the show version command. Example output follows:

    FWSM# show version
    FWSM Firewall Version 3.2(2)10
    [...]

Customers who use the Cisco
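The inspection and version checks that both advisories describe, automated as an added example that is not part of either advisory or of any Cisco tool: it parses constructed show module and show service-policy | include skinny output and flags an FWSM whose Sw train is one that cisco-sa-20110223-fwsm lists as affected (3.1, 3.2, 4.0, 4.1) while SCCP inspection is active. The sample output's column widths and the AFFECTED_TRAINS tuple are assumptions; the 2010 advisory's "all non-fixed 4.x" criterion and the fixed releases are not encoded here and must be taken from the advisories' software tables.

```python
import re
# Constructed sample, modelled on the advisories' show module example; column
# widths are an assumption (the parsers key on tokens, not column offsets).
SHOW_MODULE = """\
Mod Ports Card Type                        Model            Serial No.
--- ----- -------------------------------- ---------------- -----------
  1   16  SFM-capable 16 port 1000mb GBIC  WS-X6516-GBIC    SAL06334NS9
  2    6  Firewall Module                  WS-SVC-FWM-1     SAD10360485

Mod MAC addresses                      Hw   Fw      Sw            Status
--- ---------------------------------- ---- ------- ------------- ------
  1 0009.11e3.ade8 to 0009.11e3.adf7   5.1  6.3(1)  8.5(0.46)RFW  Ok
  2 0018.ba41.5092 to 0018.ba41.5099   4.0  7.2(1)  3.2(2)10      Ok
"""
# Constructed: what "show service-policy | include skinny" prints on the FWSM.
SHOW_SERVICE_POLICY = "  Inspect: skinny , packet 0, drop 0, reset-drop 0\n"
AFFECTED_TRAINS = ("3.1", "3.2", "4.0", "4.1")   # listed in cisco-sa-20110223-fwsm

def fwsm_slots(show_module):
    """Slot numbers whose Model column is the FWSM (WS-SVC-FWM-1)."""
    rows = (re.match(r"^\s*(\d+)\s+\d+\s+.*?\s+(WS-\S+)\s+\S+\s*$", line)
            for line in show_module.splitlines())
    return [int(m.group(1)) for m in rows if m and m.group(2) == "WS-SVC-FWM-1"]

def module_sw_versions(show_module):
    """Map slot -> Sw column, read from the MAC-address table of show module."""
    row = re.compile(r"^\s*(\d+)\s+\S+ to \S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
    versions = {}
    for line in show_module.splitlines():
        if (m := row.match(line)):              # groups: slot, Hw, Fw, Sw, Status
            versions[int(m.group(1))] = m.group(4)
    return versions

def sccp_inspection_enabled(show_service_policy):
    """True when the filtered service-policy output names the skinny inspector."""
    return any(re.match(r"\s*Inspect:\s*skinny\b", line)
               for line in show_service_policy.splitlines())

def assess(show_module, show_service_policy):
    """One finding per FWSM: Sw version, its train, and whether both conditions hold."""
    versions = module_sw_versions(show_module)
    inspecting = sccp_inspection_enabled(show_service_policy)
    findings = []
    for slot in fwsm_slots(show_module):
        sw = versions.get(slot, "unknown")
        train = sw.split("(")[0]                # "3.2(2)10" -> "3.2"
        findings.append({"slot": slot, "sw": sw, "train": train, "sccp_inspection": inspecting,
                         "exposed": inspecting and train in AFFECTED_TRAINS})
    return findings
```

A positive finding only means the two conditions the advisories name are both present; whether that exact release is already a fixed one must still be checked against the advisory's fixed software table.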