In late July Cisco released security updates to address a range of vulnerabilities across their product range. The following devices/products were affected:
Cisco Application Policy Infrastructure Controller (APIC) and Cisco Nexus 9000 Series ACI Mode Switch
Cisco IOS Software
Cisco Unified MeetingPlace Web Conferencing application
Cisco ASR 1000 Series Aggregation Services Routers
The Application Policy Infrastructure Controller (APIC) and Cisco Nexus 9000 Series ACI Mode Switch were affected by an access vulnerability that could allow an authenticated remote attacker to access these devices with root privileges. The attacker would need access to the cluster management configuration of the APIC. No workarounds are available for this vulnerability, but there are no known instances of it being publicly exploited. Cisco discovered this flaw during internal testing.
In addition, any Cisco device that runs their IOS operating system (not to be confused with Apple’s iOS, note the lower case i) and that has the TFTP file server feature enabled is vulnerable to a denial of service (DoS) attack: an unauthenticated remote attacker sends a number of TFTP requests to such a device, after which the device hangs (stops functioning normally) and must be restarted to resume normal operation. Workarounds for this issue are available (and the TFTP server feature is not enabled by default). Cisco discovered this issue during internal product testing, but an external security researcher also found it and developed publicly available exploit code.
What is TFTP?
Trivial File Transfer Protocol (TFTP) is a simplified file transfer protocol that lacks the security features and the more advanced capabilities of the more widely known and used File Transfer Protocol (FTP). TFTP operates over UDP, usually on port 69 (but it can be configured to listen on other, non-standard port numbers).
User Datagram Protocol (UDP) is a connectionless transport protocol (as opposed to the connection-oriented Transmission Control Protocol (TCP)). UDP is used by services such as the Domain Name Service (DNS, port 53) and the Dynamic Host Configuration Protocol (DHCP, port 67 on the server and port 68 on the client). UDP is also used for broadcasting on a computer network, as well as for real-time multiplayer video games, video streaming services and Voice over IP (VoIP).
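To make the TFTP request format and the traffic pattern behind the IOS TFTP issue concrete, here is an added example (it is not code from the original post or from Cisco). It parses TFTP read/write requests as defined in RFC 1350 (2-byte opcode, filename, NUL, transfer mode, NUL) and then runs a per-source sliding-window counter over a constructed set of UDP datagrams, flagging any source that sends an unusual burst of valid requests to port 69. The datagram list, the addresses and the threshold of 20 requests per second are all constructed for the example; tune the threshold to your own baseline.

```python
# Added example, not part of the original post or any Cisco code: decode TFTP
# requests and flag sources that send a burst of them (a DoS-style pattern).
import struct
from collections import defaultdict

TFTP_PORT = 69
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}


def build_request(opcode, filename, mode="octet"):
    """Encode an RRQ/WRQ per RFC 1350: opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_request(payload):
    """Decode a TFTP request into (opcode name, filename, mode); None if malformed."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (1, 2):          # only RRQ/WRQ are requests
        return None
    fields = payload[2:].split(b"\0")
    if len(fields) < 3:               # filename, mode and the trailing empty piece
        return None
    filename, mode = fields[0], fields[1]
    if not filename or mode.lower() not in (b"netascii", b"octet", b"mail"):
        return None
    return OPCODES[opcode], filename.decode("ascii", "replace"), mode.decode("ascii")


def detect_request_bursts(datagrams, window_seconds=1.0, threshold=20):
    """datagrams: iterable of (timestamp, src_ip, dst_port, payload).

    Returns {src_ip: peak requests in any window} for sources at or above
    the threshold. Malformed datagrams and other ports are ignored.
    """
    recent = defaultdict(list)   # src_ip -> timestamps inside the current window
    peak = defaultdict(int)
    for ts, src_ip, dst_port, payload in sorted(datagrams, key=lambda d: d[0]):
        if dst_port != TFTP_PORT or parse_request(payload) is None:
            continue
        window = recent[src_ip]
        window.append(ts)
        while window and ts - window[0] > window_seconds:   # slide the window
            window.pop(0)
        peak[src_ip] = max(peak[src_ip], len(window))
    return {ip: n for ip, n in peak.items() if n >= threshold}


# Constructed sample traffic: one normal client, one source sending 50
# requests in half a second, plus two datagrams that must be ignored.
SAMPLE_DATAGRAMS = (
    [(0.0, "192.0.2.10", 69, build_request(1, "router-confg")),
     (5.0, "192.0.2.10", 69, build_request(2, "backup.cfg"))]
    + [(10.0 + i * 0.01, "198.51.100.7", 69, build_request(1, f"f{i}"))
       for i in range(50)]
    + [(10.2, "198.51.100.7", 53, b"\x00\x01not tftp"),   # wrong port
       (10.3, "203.0.113.5", 69, b"\x00\x09garbage")]      # bad opcode
)

if __name__ == "__main__":
    print(parse_request(build_request(1, "router-confg")))
    print(detect_request_bursts(SAMPLE_DATAGRAMS))
```

Feeding real capture data into `detect_request_bursts` only needs a timestamp, source address, destination port and UDP payload per packet; the parser discards anything that is not a well-formed read or write request, so noise on port 69 does not inflate the count.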
What is a DoS (Denial of Service) attack?
In the context of the Cisco devices mentioned above, a DoS (Denial of Service) attack leaves a person or an organization without (unable to use) a service or device they need in order to do business or carry out a desired task. In this instance the Cisco device (the same term applies to devices from other vendors) would need to be powered off and on in order for it to resume its normal operation/function. This
The Cisco Unified MeetingPlace Web Conferencing application is vulnerable to specially crafted HTTP requests sent to it by an unauthenticated remote attacker. A successful attack allows the attacker to reset the passwords of authorized users of this application and thus gain full access to it. No workarounds are available for this vulnerability, but there are no known instances of it being publicly exploited. Cisco discovered this flaw during internal testing.
The final security update delivered by Cisco affected the ASR 1000 Series Aggregation Services Routers. This issue is caused by the improper reassembly of fragmented IPv4 or IPv6 packets, which can be sent by an unauthenticated remote attacker. This type of attack is sometimes known as a Teardrop attack (the fragment offsets of the packets overlap and cause the device attempting to reassemble them to crash), resulting in a denial of service (DoS) condition, i.e. your Cisco router no longer functions as expected. It would be necessary to power the router off and on to resolve this.
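The overlap condition behind a Teardrop-style crash is easiest to see in a reassembler that checks fragment geometry before trusting it. The following is an added example written for this post, not Cisco's code and not a description of the ASR 1000 implementation: it models IPv4 fragments as (offset in 8-byte units, more-fragments flag, payload), walks a complete fragment set in offset order, and rejects any set where a fragment starts before the previous one ended, leaves a gap, is mis-flagged, or would push the datagram past 65535 bytes. The fragment sets at the bottom are constructed for the example.

```python
# Added example, not from the original post or any vendor code: reassemble
# IPv4 fragments defensively, refusing overlapping offsets instead of crashing.
from dataclasses import dataclass

MAX_DATAGRAM = 65535          # IPv4 total length field is 16 bits


@dataclass
class Fragment:
    offset_units: int         # IPv4 fragment offset field, in 8-byte units
    more_fragments: bool      # MF flag
    payload: bytes


class FragmentError(ValueError):
    """Raised when a fragment set is malformed (overlap, gap, size, flags)."""


def reassemble(fragments):
    """Reassemble a complete fragment set; raise FragmentError on malformed input.

    Assumes all fragments have arrived; a real reassembler would instead wait
    (with a timeout) on a gap.
    """
    if not fragments:
        raise FragmentError("empty fragment set")
    frags = sorted(fragments, key=lambda f: f.offset_units)
    expected_start = 0
    buf = bytearray()
    for i, f in enumerate(frags):
        start = f.offset_units * 8
        end = start + len(f.payload)
        if end > MAX_DATAGRAM:
            raise FragmentError("fragment exceeds maximum datagram size")
        if start < expected_start:          # the Teardrop condition
            raise FragmentError(f"overlapping fragment at offset {start}")
        if start > expected_start:
            raise FragmentError(f"gap before offset {start}")
        is_last = i == len(frags) - 1
        if f.more_fragments == is_last:     # MF must be set on all but the last
            raise FragmentError("MF flag inconsistent with fragment position")
        if not is_last and len(f.payload) % 8:
            raise FragmentError("non-final fragment length not a multiple of 8")
        buf += f.payload
        expected_start = end
    return bytes(buf)


def is_safe_fragment_set(fragments):
    """True if the set reassembles cleanly, False if it would be rejected."""
    try:
        reassemble(fragments)
        return True
    except FragmentError:
        return False


# Constructed sample sets.
def normal_fragments():
    return [Fragment(0, True, b"A" * 16), Fragment(2, True, b"B" * 8),
            Fragment(3, False, b"C" * 5)]


def overlapping_fragments():
    # second fragment claims offset 8 while the first already covers 0..15
    return [Fragment(0, True, b"A" * 16), Fragment(1, False, b"B" * 20)]


def oversized_fragments():
    # offset 8190 * 8 = 65520, plus 16 bytes runs past 65535
    return [Fragment(0, True, b"A" * 8), Fragment(8190, False, b"X" * 16)]


if __name__ == "__main__":
    print(reassemble(normal_fragments()))
    print(is_safe_fragment_set(overlapping_fragments()))
```

The point of the check order is that the size and overlap tests run before any byte is copied, so a hostile offset never drives a buffer write; that is the property the affected reassembly code lacked, whatever its internal structure.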
How Can I Protect Myself From These Issues?
If your company uses any of the above-mentioned Cisco products, please follow the directions within the four Cisco security advisories mentioned at the beginning of this post to install the necessary security updates.