Fun stuff! Not really Linux related, but since many of you are on DSL.


>         Cisco Security Advisory: More multiple vulnerabilities in CBOS
>                                        
> Revision 1.0
> 
>   For public release 2001 May 22 08:00 (GMT -0800)
>    ______________________________________________________________________
>    
> Summary
> 
>    Multiple vulnerabilities have been identified and fixed in CBOS, an
>    operating system for the Cisco 600 family of routers.
>      * Cisco CBOS Software contains a flaw that permits the successful
>        prediction of TCP Initial Sequence Numbers. It only affects the
>        security of TCP connections that originate or terminate on the
>        affected Cisco device itself; it does not apply to TCP traffic
>        forwarded through the affected device in transit between two other
>        hosts.
>        This vulnerability is documented as Cisco bug ID CSCds16078.
>      * A Cisco 600 router may stop passing traffic and responding to
>        the console when an ECHO REQUEST packet with the record route
>        option is routed through it.
>        This vulnerability is documented as Cisco bug ID CSCds30150.
>      * Passwords, exec and enable, are stored in cleartext in
>        NVRAM.
>        This vulnerability is documented as Cisco bug ID CSCdt04882.
>      * When multiple, large ECHO REPLY packets are routed through an
>        affected Cisco 600 router, it will enter the ROMMON mode and stop
>        passing any further traffic.
>        This vulnerability is documented as Cisco bug ID CSCds74567.
>        
>    The following releases of CBOS contain all of the mentioned
>    vulnerabilities: 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3,
>    2.3.2, 2.3.5, 2.3.7 and 2.3.8.
>    
>    These vulnerabilities are fixed in the following CBOS releases: 2.3.9,
>    2.4.1 and 2.4.2. Customers are urged to upgrade to releases that are
>    not vulnerable as shown in detail in the section Software Versions and
>    Fixes below.
>    
>    This advisory is available at the
>    http://www.cisco.com/warp/public/707/CBOS-multiple2-pub.html.
>    
> Affected Products
> 
>    The affected models are: 627, 633, 673, 675, 675E, 677, 677i and 678.
>    
>    These models are vulnerable if they run any of the following, or
>    earlier, CBOS releases: 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a,
>    2.3, 2.3.2, 2.3.5, 2.3.7 and 2.3.8.
>    
>    No other releases of CBOS software are affected by these
>    vulnerabilities. No other Cisco products are affected by these
>    vulnerabilities.
>    
>    These vulnerabilities are fixed in the following CBOS releases: 2.3.9,
>    2.4.1 and 2.4.2.
>    
> Details
> 
>    CSCds16078
>           See also
>           http://www.cisco.com/warp/public/707/ios-tcp-isn-random-pub.shtml
>           
>           TCP sequence numbers are 32-bit integers in the circular range
>           of 0 to 4,294,967,295. The host devices at both ends of a TCP
>           connection exchange an Initial Sequence Number (ISN) selected
>           at random from that range as part of the setup of a new TCP
>           connection.
>           
>           This method provides reasonably good protection against
>           accidental receipt of unintended data. However, to guard
>           against malicious use, it should not be possible for an
>           attacker to infer a particular number in the sequence. If the
>           initial sequence number is not chosen randomly or if it is
>           incremented in a non-random manner between the initialization
>           of subsequent TCP sessions, then it is possible, with varying
>           degrees of success, to forge one half of a TCP connection with
>           another host in order to gain access to that host, or hijack an
>           existing connection between two hosts in order to compromise
>           the contents of the TCP connection. To guard against such
>           compromises, ISNs should be generated as randomly as possible.
>           
>    CSCds30150
>           By sending ICMP ECHO REQUEST packets (ping) with the IP Record
>           Route option set, it is possible to freeze a Cisco 600 router.
>           This can be done either by sending the specially crafted packet
>           or by specifying the "-r" option on most ping programs.
>           
>           The packet should not be destined to a router itself.
>           
>    CSCdt04882
>           The exec and enable passwords are stored in cleartext in
>           NVRAM. Similarly, they are also stored in cleartext in the
>           configuration file if one is stored on a computer. Anyone who
>           is in a position to see a router's configuration, either
>           directly from the device or in the file on a computer, can
>           learn the passwords.
>           
>           This vulnerability is corrected by storing only an MD5 hash of
>           the password in both NVRAM and in the configuration file, and
>           the plaintext password itself is never retained.
>           
>    CSCds74567
>           When multiple ICMP ECHO REPLY packets of non-standard size are
>           passed through the affected device, the device will stop passing
>           any further traffic. Packets must be larger than the usual size
>           (64 bytes) but that can be easily accomplished either by
>           crafting packets or by adjusting the response size, either via
>           command line or by modifying the program source.
>           
> Impact
> 
>    CSCds16078
>           Forged packets can be injected into a network from a location
>           outside its boundary so that they are trusted as authentic by
>           the receiving host, thus resulting in a failure of integrity.
>           Such packets could be crafted to gain access or make some other
>           modification to the receiving system in order to attain some
>           goal, such as gaining unauthorized interactive access to a
>           system or compromising stored data. From a position within the
>           network where it is possible to receive the return traffic (but
>           not necessarily in a position that is directly in the traffic
>           path), a greater range of violations is possible. For example,
>           the contents of a message could be diverted, modified, and then
>           returned to the traffic flow again, causing a failure of
>           integrity and a possible failure of confidentiality. NOTE: Any
>           compromise using this vulnerability is only possible for TCP
>           sessions that originate or terminate on the affected Cisco
>           device itself. It does not apply to TCP traffic that is merely
>           forwarded through the device.
>           
>    CSCds30150
>           It is possible to cause a Denial-of-Service.
>           
>    CSCdt04882
>           Anyone who is in a position to see a router's configuration,
>           either directly from the device or in the file on a computer,
>           can learn the exec and enable passwords. Armed with that
>           knowledge, an attacker can log into the device and change the
>           router's configuration.
>           
>           This vulnerability can be even more dangerous if the ISP is
>           using the same passwords for all of the devices which it
>           manages. Such practice, using the same passwords for multiple
>           devices, is strongly discouraged.
>           
>    CSCds74567
>           It is possible to cause a Denial-of-Service to many affected
>           devices.
>           
> Software Versions and Fixes
> 
>    The following table summarizes the CBOS software releases affected by
>    the vulnerabilities described in this notice and scheduled dates on
>    which the earliest corresponding fixed releases will be available.
>    
>    +===========+================+=====================================+
>    |           |                |                                     |
>    |  Release  | Description or |  Availability of Repaired Releases  |
>    |           |   Platform     |=====================================+
>    |           |                |      General Availability (GA)      |
>    +===========+================+=====================================+
>    |    All    | All platforms  |      2.3.9                          |
>    | releases  |                |      2001-March-19                  |
>    +-----------+----------------+-------------------------------------+
>    |    All    | All platforms  |      2.4.1                          |
>    | releases  |                |      2000-December-11               |
>    +-----------+----------------+-------------------------------------+
>    |    All    | All platforms  |      2.4.2                          |
>    | releases  |                |      2001-May-14                    |
>    +===========+================+=====================================+
> 
> Obtaining Fixed Software
> 
>    Cisco is offering free software upgrades to eliminate this
>    vulnerability for all affected customers.
>    
>    Customers with contracts should obtain upgraded software through their
>    regular update channels. For most customers, this means that upgrades
>    should be obtained via the point-of-sale or, if they possess a Cisco
>    Connection Online account, they can download it from the Software
>    Center on Cisco's Worldwide Web site at http://www.cisco.com.
>    
>    Customers without contracts should get their upgrades by contacting
>    the Cisco Technical Assistance Center (TAC). TAC contacts are as
>    follows:
>      * +1 800 553 2447 (toll-free from within North America)
>      * +1 408 526 7209 (toll call from anywhere in the world)
>      * e-mail: tac at cisco.com
>        
>    Give the URL of this notice as evidence of your entitlement to a
>    free upgrade. Free upgrades for non-contract customers must be
>    requested through the TAC.
>    
>    Please do not contact either "psirt at cisco.com" or
>    "security-alert at cisco.com" for software upgrades.
>    
> Workarounds
> 
>    CSCds16078
>           There is no workaround.
>           
>    CSCds30150
>           There is no workaround.
>           
>    CSCdt04882
>           There is no workaround.
>           
>    CSCds74567
>           There is no workaround.
>           
> Exploitation and Public Announcements
> 
>    Vulnerability CSCds30150 has been made public on the VULN-DEV list.
>    
>    Although we have not seen public discussion of vulnerability CSCdt04882,
>    we understand that it is commonly known among users.
>    
>    Vulnerability CSCds74567 has been reported to us by a customer.
>    
> Status of This Notice: FINAL
> 
>    This is a final notice. Although Cisco cannot guarantee the accuracy
>    of all statements in this notice, all of the facts have been checked
>    to the best of our ability. Cisco does not anticipate issuing updated
>    versions of this notice unless there is some material change in the
>    facts. Should there be a significant change in the facts, Cisco may
>    update this notice.
>    
> Distribution
> 
>    This notice will be posted on Cisco's Worldwide Web site at
>    http://www.cisco.com/warp/public/707/CBOS-multiple2-pub.html. In
>    addition to Worldwide Web posting, a text version of this notice is
>    clear-signed with the Cisco PSIRT PGP key and is posted to the
>    following e-mail and Usenet news recipients:
>      * cust-security-announce at cisco.com
>      * bugtraq at securityfocus.com
>      * first-teams at first.org (includes CERT/CC)
>      * cisco at spot.colorado.edu
>      * comp.dcom.sys.cisco
>      * firewalls at lists.gnac.com
>      * Various internal Cisco mailing lists
>        
>    Future updates of this notice, if any, will be placed on Cisco's
>    Worldwide Web server, but may or may not be actively announced on
>    mailing lists or newsgroups. Users concerned about this problem are
>    encouraged to check the URL given above for any updates.
>    
> Revision History
> 
>    Revision 1.0 2001-May-22 08:00 GMT-0800 Public release
>    
> Cisco Security Procedures
> 
>    Complete information on reporting security vulnerabilities in Cisco
>    products, obtaining assistance with security incidents, and
>    registering to receive security information from Cisco, is available
>    on Cisco's Worldwide Web site at
>    http://www.cisco.com/warp/public/707/sec_incident_response.shtml.
>    This includes instructions for press inquiries regarding Cisco
>    security notices.
>      _________________________________________________________________
>    
>    This notice is Copyright 2000 by Cisco Systems, Inc. This notice may
>    be redistributed freely after the release date given at the top of the
>    text, provided that redistributed copies are complete and unmodified,
>    and include all date and version information.

-- 
Bob Tanner <tanner at real-time.com>       | Phone : (952)943-8700
http://www.mn-linux.org                 | Fax   : (952)943-8500
Key fingerprint =  6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9
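As an added defensive example, not part of the advisory or of the original post: the two ICMP trigger patterns the advisory describes (an Echo Request carrying the IP Record Route option for CSCds30150, and Echo Replies larger than the usual 64-byte ICMP message for CSCds74567) are checked below against constructed packets, so an operator can see what a filter or IDS rule in front of a Cisco 600 would need to match. The 64-byte threshold, the `classify`/`build_icmp_packet` names and the test packets are assumptions for illustration.

```python
import struct

IPPROTO_ICMP = 1
IPOPT_RR = 7            # IP Record Route option type (RFC 791)
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
USUAL_ICMP_LEN = 64     # "usual size" per the advisory; assumed threshold

def ip_options(pkt):
    """Yield (type, data) pairs from the IPv4 options area."""
    ihl = (pkt[0] & 0x0F) * 4
    opts = pkt[20:ihl]
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                      # End of Option List
            break
        if t == 1:                      # No Operation, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                       # malformed length, stop parsing
        ln = opts[i + 1]
        yield t, opts[i + 2:i + ln]
        i += ln

def classify(pkt):
    """Return the advisory bug IDs whose trigger pattern the packet matches."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return []
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != IPPROTO_ICMP or len(pkt) < ihl + 8:
        return []
    icmp_type, icmp_len = pkt[ihl], total_len - ihl
    hits = []
    if icmp_type == ICMP_ECHO_REQUEST and any(t == IPOPT_RR for t, _ in ip_options(pkt)):
        hits.append("CSCds30150")       # ping -r routed through the device
    if icmp_type == ICMP_ECHO_REPLY and icmp_len > USUAL_ICMP_LEN:
        hits.append("CSCds74567")       # oversized echo replies in transit
    return hits

def build_icmp_packet(icmp_type, payload_len, record_route=False):
    """Constructed IPv4/ICMP test packet (no checksums; not real traffic)."""
    options = b""
    if record_route:                    # type 7, len 39, pointer 4, 9 empty slots, EOL pad
        options = bytes([IPOPT_RR, 39, 4]) + b"\x00" * 36 + b"\x00"
    ihl = 20 + len(options)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + 8 + payload_len,
                      0, 0, 64, IPPROTO_ICMP, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + options + struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0) + b"\x00" * payload_len
```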