After the upgrading, I have tried to downlad an ISO image but the speed was very low (about 300KB/s and not 700KB/s). Mhhh this is strange! I have begun the troubleshooting but no error, no warning message. So I have reset my current configuration, but nothing… no real improvement.

Fortunately my better friend (google hihihi) help me and I have found how to fix the ‘download speed’: define manually the ‘clockrate’ into the atm interface!

Ciscozine(config-if)#clock rate aal5 ?
        1000000
        1300000
        1600000
        2000000
        2600000 (default)
        3200000
        4000000
        5300000
        7000000

  <1000000-7000000>  clock rates in bits per second,
                     choose one from above

Ciscozine(config-if)#

In fact, if you don’t define the clock rate command into the atm interface, the IOS set to 2600000 this parameter. To force it, use the command ‘clock rate aal5′; in my case I use the command ‘clock rate aal5 7000000′.

Below the download speed test guarantee the bandwith improvement.

Without clock rate command

With clock rate command

That’s all! I hope this tutorial can help you!

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: ADSL, Advanced configuration, Tips

On 13 October 2009, Cisco and Starent Networks announced a definitive agreement for Cisco to acquire Starent Networks. Starent Networks is a leading supplier of IP-based mobile infrastructure solutions targeting mobile and converged carriers. The Mobile Internet is at an inflection point as IP-enabled Smartphones and other connected mobile devices gain rapid acceptance. Service Providers have been actively investing in this market as global mobile data traffic is expected to more than double every year through 2013, according to the Cisco Visual Networking Index.

Under the terms of the agreement, Cisco will pay $35 per share in cash in exchange for each share of Starent Networks and assume outstanding equity awards for an aggregate purchase price of approximately $2.9 billion. The acquisition has been approved by the boards of directors of both companies.

The acquisition is expected to close during the first half of calendar year 2010; however, the close date is subject to customary closing conditions and regulatory reviews. Cisco expects the acquisition to be dilutive to non-GAAP earnings in fiscal years 2010 and 2011 and accretive to non-GAAP earnings in fiscal year 2012.

“We are very pleased that Starent Networks will be joining the Cisco team, and we believe their products and engineering talent will greatly benefit our Service Provider customers as they build out their Mobile Internet offerings,” said John Chambers, Chairman and Chief Executive Officer.

“Cisco and Starent Networks share a common vision and bring complementary technologies designed to accelerate the transition to the Mobile Internet, where the network is the platform for Service Providers to launch, deliver and monetize the next generation of mobile multimedia applications and services,” said Pankaj Patel, Senior Vice President/General Manager, Service Provider Business.

“Combining Cisco’s strength in Video and IP with Starent Networks’ leading mobile infrastructure solutions, creates a compelling portfolio of products that provides an integrated architecture to offer rich, quality multimedia experiences to mobile subscribers on 3G and 4G networks,” said Starent Networks President and Chief Executive Officer Ashraf Dahod.

Starent Networks’ mobile infrastructure solutions play an important role in enabling Service Providers to scale their mobile infrastructure and monetize their investments via differentiated experiences. The company provides the multimedia intelligence, core network functions and services to manage access from any 2.5G, 3G, and 4G radio network to a mobile operator’s packet core network. Starent Networks’ access-independent technology is deployed in CDMA2000 (1X, EV-DO), UMTS/HSPA and WiMax networks.

Starent Networks was founded in 2000 and completed its initial public offering in 2007. The company is based in Tewksbury, Mass. and has approximately 1,000 employees worldwide. For the year ended Dec. 31, 2008, Starent Networks reported revenue of $254.1 million, up 74 percent from the prior year.

References: http://newsroom.cisco.com/dlls/2009/corp_101309.html

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: Business, Starent Networks

Cisco Unified Presence contains two denial of service (DoS) vulnerabilities that may cause an interruption to presence services. These vulnerabilities were discovered internally by Cisco, and there are no workarounds.

Vulnerable Products
The following products are affected:

• Cisco Unified Presence 1.x versions
• Cisco Unified Presence 6.x versions prior to 6.0(6)
• Cisco Unified Presence 7.x versions prior to 7.0(4)

Administrators of systems running Cisco Unified Presence can determine the software version by viewing the main page of the Cisco Unified Presence Administration interface. The software version can be determined by running the command show version active via the Command Line Interface (CLI).

Details

• Network Flooding Vulnerability: Cisco Unified Presence contains a denial of service (DoS) vulnerability that may cause the TimesTenD process to fail when TCP ports 16200 or 22794 are flooded with connections. TCP 3-way handshakes must be completed for the attack to be successful. The TimesTenD process will be automatically restarted upon failure. This vulnerability is documented in Cisco Bug ID CSCsy17662 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-2874.
• Network Connection Tracking Vulnerability: Cisco Unified Presence contains a DoS vulnerability that involves the tracking of network connections by the embedded firewall. An attacker can overwhelm the table that is used to track network connections and prevent new connections from being established to system services by establishing many TCP connections with a vulnerable system. Any service that listens to a TCP port on a vulnerable system could be affected by this vulnerability. This vulnerability is documented in Cisco Bug ID CSCsw52371 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-2052.

Impact
Successful exploitation of any of the vulnerabilities may result in the interruption of presence services.

Link: http://www.cisco.com/…/products_security_advisory09186a0080afc930.shtml

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: DOS

Under the terms of the agreement, Cisco will commence a cash tender offer to purchase all the outstanding shares of TANDBERG for 153.5 Norwegian Kroner per share for an aggregate purchase price of approximately $3.0 billion.  This represents an 11.0% premium to the previous day closing price of TANDBERG’s stock, and a 25.2% premium to the 3-month volume weighted average closing price for TANDBERG’s stock.  The proposal was recommended unanimously by TANDBERG’s board of directors.

The acquisition is expected to close during the first half of calendar year 2010; however, the close date is subject to customary closing conditions, including regulatory review in the United States and elsewhere.  Cisco expects the acquisition to be accretive to Cisco’s non-GAAP earnings in fiscal year 2011.

Highlights:

• Cisco’s collaboration vision is to enable a sustainable, new level of enterprise productivity, agility and innovation by transforming the way people interact, share knowledge and deliver productive outcomes within and across organizations.
• TelePresence and high-quality video have redefined how users communicate through easy-to-use, immersive, high-quality video experiences and are becoming a larger segment of the broader collaboration market.
• TANDBERG’s leading video endpoints and network infrastructure solution will be integrated into Cisco’s world-class collaboration architecture. 
• This will enable intercompany and multi-vendor interoperability and ease of use across the full product portfolio – from desktop to immersive, multi-screen TelePresence.  This interoperability will benefit Cisco’s customers, but also competitors and partners by accelerating customer interest in video collaboration globally.
• Cisco continues to invest in the European market as a center of innovation across all market segments, and will continue to drive global growth by positioning TANDBERG’s Norway operations as a European center of video excellence alongside our Service Provider video team in Kortrijk, Belgium.
• TANDBERG’s 1,500 employees globally, with innovation centers in Norway and the United Kingdom, will be extremely important as Cisco’s team continues to drive video innovation and growth.
• Upon completion of the transaction, TANDBERG’s CEO Fredrik Halvorsen will lead the new TelePresence Technology Group, reporting to Marthin De Beer, senior vice president of Cisco’s Emerging Technologies Group.

References: http://newsroom.cisco.com/dlls/2009/corp_093009.html

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: Business, Tandberg, Video

Cisco Unified Communications Manager Express Vulnerability
Cisco IOS® devices that are configured for Cisco Unified Communications Manager Express (CME) and the Extension Mobility feature are vulnerable to a buffer overflow vulnerability. Successful exploitation of this vulnerability may result in the execution of arbitrary code or a Denial of Service (DoS) condition on an affected device.

Vulnerable Products
To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to “Cisco Internetwork Operating System Software” or “Cisco IOS Software.” The image name is displayed in parentheses, followed by “Version” and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

Details
A vulnerability in the login section of the Extension Mobility feature may allow an unauthenticated attacker to execute arbitrary code or cause a Denial of Service (DoS) condition. Such packets can only come from registered phone IP addresses in the form of HTTP requests. If the auto-registration feature is enabled, an attacker can register its IP address and subsequently send a crafted payload to exploit this vulnerability. The auto-registration feature is enabled by default.

Impact
Successful exploitation of this vulnerability may result in the execution of arbitrary code or a Denial of Service (DoS) condition on an affected device.

Link: http://www.cisco.com/…/advisory09186a0080af8116.shtml

Cisco IOS Software Internet Key Exchange Resource Exhaustion Vulnerability
Cisco IOS® devices that are configured for Internet Key Exchange (IKE) protocol and certificate based authentication are vulnerable to a resource exhaustion attack. Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 security associations (SA) and prevent the establishment of new IPsec sessions.

Vulnerable Products
Cisco IOS devices that are configured for IKE and certificate based authentication are affected.

Details
A vulnerability exists in the IKE implementation of Cisco IOS Software, if the certificate based authentication method is used. Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 SAs, which may prevent new IPSec sessions from being established.

Impact
Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 SAs, which may prevent new IPsec sessions from being established.

Link: http://www.cisco.com/…/advisory09186a0080af8117.shtml

Cisco IOS Software Tunnels Vulnerability
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Vulnerable Products
Cisco devices are vulnerable when running an affected version of Cisco IOS Software and configured for Generic Routing Encapsulation (GRE), IPinIP, Generic Packet Tunneling in IPv6 or IPv6 over IP tunnels with Cisco Express Forwarding enabled. The Cisco IOS Point to Point Tunneling Protocol (PPTP) feature creates GRE tunnels that are transparent to the user. Therefore systems configured for PPTP are also vulnerable. The Cisco multicast Virtual Private Network (MVPN) feature also creates GRE tunnels that are transparent to the user, however MVPN configurations are not vulnerable, unless there are other tunnels that are configured explicitly.

Details
A tunnel protocol encapsulates a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link between internetworking devices over an IP network. Cisco Express Forwarding is a Layer 3 IP switching technology. It improves network performance and scalability for networks with high and dynamic traffic patterns.

Impact
Successful exploitation of the vulnerability may result in the reload of an affected system, causing a DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080af8115.shtml

Cisco IOS Software Object-group Access Control List Bypass Vulnerability
A vulnerability exists in Cisco IOS® software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature.

Vulnerable Products
Any Cisco device configured with ACLs using the object group feature and running an affected Cisco IOS software version is affected by this vulnerability.

Details
In Cisco IOS Software an object group can contain a single object (such as a single IP address, network, or subnet) or multiple objects (such as a combination of multiple IP addresses, networks, or subnets). In an ACL that is based on an object group, administrators can create a single access control entry (ACE) that uses an object group name instead of creating many ACEs, which each would require a different IP address. A similar object group, such as a protocol port group, can be extended to limit access to a set of applications for a user group to a server group.

Impact
Successful exploitation of the vulnerability may allow an attacker to access resources that should be protected by the Cisco IOS device.

Link: http://www.cisco.com/…/advisory09186a0080af8119.shtml

Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerability
Cisco Unified Communications Manager, which was formerly Cisco Unified CallManager, contains a denial of service (DoS) vulnerability in the Session Initiation Protocol (SIP) service. An exploit of this vulnerability may cause an interruption in voice services.

Vulnerable Products
The following Cisco Unified Communications Manager versions are affected:

• Cisco Unified Communications Manager 5.x versions prior to 5.1(3g)
• Cisco Unified Communications Manager 6.x versions prior to 6.1(4)
• Cisco Unified Communications Manager 7.0.x versions prior to 7.0(2a)su1
• Cisco Unified Communications Manager 7.1.x versions prior to 7.1(2)

Details
A DoS vulnerability exists in the SIP implementation of the Cisco Unified Communications Manager. This vulnerability could be triggered when Cisco Unified Communications Manager processes crafted SIP messages. An exploit could lead to a reload of the main Cisco Unified Communications Manager process.

Impact
Successful exploitation of the vulnerability that is described in this advisory could result in a reload of the Cisco Unified Communications Manager process, which may result in the interruption of voice services.

Link: http://www.cisco.com/…/advisory09186a0080af8118.shtml

Cisco IOS Software H.323 Denial of Service Vulnerability
The H.323 implementation in Cisco IOS® Software contains a vulnerability that can be exploited remotely to cause a device that is running Cisco IOS Software to reload.

Vulnerable Products
Cisco devices that are running affected Cisco IOS Software versions that are configured to process H.323 messages are affected by this vulnerability. H.323 is not enabled by default. To determine the Cisco IOS Software device is running H.323 services use the show process cpu | include 323 command

Details
The H.323 implementation in Cisco IOS Software contains a vulnerability. An attacker can exploit this vulnerability remotely by sending an H.323 crafted packet to the affected device that is running Cisco IOS Software. A TCP three-way handshake is needed to exploit this vulnerability.

Impact
Successful exploitation of the vulnerability described in this document may cause the affected device to reload. The issue could be exploited repeatedly to cause an extended DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080af811a.shtml

Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS® Software that could allow an unauthenticated attacker to cause a denial of service (DoS) condition on an affected device when the Cisco Unified Border Element feature is enabled.

Vulnerable Products
This vulnerability only affects devices running Cisco IOS Software with SIP voice services enabled.

Details
SIP is a popular signaling protocol that is used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol has the flexibility to accommodate other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or TLS (TCP port 5061) as the underlying transport protocol. A DoS vulnerability exists in the SIP implementation in Cisco IOS Software when devices are running a Cisco IOS image that contains the Cisco Unified Border Element feature. This vulnerability is triggered by processing a series of crafted SIP messages.

Impact
Successful exploitation of the vulnerability described in this document may result in a reload of the device. The issue could be repeatedly exploited to cause an extended DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080af811b.shtml

Cisco IOS Software Crafted Encryption Packet Denial of Service Vulnerability
Cisco IOS® Software contains a vulnerability that could allow an attacker to cause a Cisco IOS device to reload by remotely sending a crafted encryption packet.

Vulnerable Products
Devices running affected versions of Cisco IOS Software are susceptible if configured with any of the following features:

• Secure Socket Layer (SSL) Virtual Private Network (VPN)
• Secure Shell (SSH)
• Internet Key Exchange (IKE) Encrypted Nonces

Details
A Cisco IOS device that is configured for SSLVPN or SSH may reload when it receives a specially crafted TCP packet on TCP port 443 (SSLVPN) or TCP port 22 (SSH). Completion of the three-way handshake to the associated TCP port number of these features is required for the vulnerability to be successfully exploited; however, authentication is not required. A Cisco IOS device that is configured for IKE encrypted nonces may reload when it receives a specially crafted UDP packet on port 500 or 4500 (if configured for NAT Traversal (NAT-T)).

Impact
Successful exploitation of the vulnerability described in this document may result in a reload of the device. The issue could be repeatedly exploited to cause an extended DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080af811c.shtml

Cisco IOS Software Authentication Proxy Vulnerability
Cisco IOS® Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.

Vulnerable Products
Devices running affected versions of Cisco IOS Software and configured with Authentication Proxy for HTTP(S) or Web Authentication or the consent feature are vulnerable.

Details
This vulnerability allows a session to be permitted without first being authenticated by the authentication proxy, or to be permitted without first acknowledging the consent webpage. At least one successfully authenticated session or accepted consent session must exist for the vulnerability to be exposed. When this occurs, the RADIUS or TACACS+ server will show subsequent users as authenticated, all with the same username as the initial connection if performing authentication, regardless of the authentication information provided by the user and whether it was defined on the AAA server, and regardless of whether the password was correct.

Impact
Successful exploitation of the vulnerability may result in an unauthenticated and unauthorized user bypassing the authentication proxy services offered in Cisco IOS Authentication Proxy for HTTP(S) and/or bypassing the consent accept webpage.

Link: http://www.cisco.com/…/advisory09186a0080af8132.shtml

Cisco IOS Software Zone-Based Policy Firewall Vulnerability
Cisco IOS® devices that are configured with Cisco IOS Zone-Based Policy Firewall Session Initiation Protocol (SIP) inspection are vulnerable to denial of service (DoS) attacks when processing a specific SIP transit packet. Exploitation of the vulnerability could result in a reload of the affected device.

Vulnerable Products
Only devices that are configured with Cisco IOS Zone-Based Policy Firewall SIP inspection (UDP port 5060, TCP ports 5060, and 5061) are vulnerable. Cisco IOS devices that are configured with legacy Cisco IOS Firewall Support for SIP (context-based access control (CBAC)) are not vulnerable.

Details
Firewalls are networking devices that control access to the network assets of an organization. Firewalls are often positioned at the entrance points into networks. Cisco IOS software provides a set of security features that enable you to configure a simple or elaborate firewall policy, according to your particular requirements. Cisco IOS Software that is configured with Cisco IOS Zone-Based Policy Firewall SIP inspection are vulnerable to a DoS attack when processing a specific SIP transit packet. Exploitation of this vulnerability will result in a reload of the affected device.

Impact
Successful exploitation of the vulnerability may result in a reload of the affected device. Repeated exploit attempts may result in a sustained DoS attack.

Link: http://www.cisco.com/…/advisory09186a0080af8130.shtml

Cisco IOS Software Network Time Protocol Packet Vulnerability
Cisco IOS® Software with support for Network Time Protocol (NTP) version (v4) contains a vulnerability processing specific NTP packets that will result in a reload of the device. This results in a remote denial of service (DoS) condition on the affected device.

Vulnerable Products
Cisco IOS Software devices are vulnerable if they support NTPv4 and are configured for NTP operations. NTP is not enabled in Cisco IOS Software by default.

Details
The Network Time Protocol (NTP) is a protocol designed to time-synchronize a network of machines. NTP runs over UDP, which in turn runs over IP. NTPv3 is documented in RFC1305 . NTPv4 is a significant revision of the NTP standard, and is the current development version, but has not been formalized into an RFC at the time of publication of this advisory. NTPv4 is currently documented in draft-ietf-ntp-ntpv4-proto-11.

Impact
Successful exploitation of the vulnerability may result in a reload of the device. The vulnerability could be repeatedly exploited to cause an extended DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080af8131.shtml

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: DOS, Remote Control

Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.

In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.

Details
Multiple Cisco products are affected by DoS vulnerabilities in the TCP protocol. By manipulating the state of TCP connections, an attacker could force a system that is under attack to maintain TCP connections for long periods of time, or indefinitely in some cases. With a sufficient number of open TCP connections, the attacker may be able to cause a system to consume internal buffer and memory resources, resulting in new TCP connections being denied access to a targeted port or an entire system. A system reboot may be required to restore full system functionality. A full TCP three-way handshake is required to exploit these vulnerabilities.

Network devices are not directly impacted by TCP state manipulation DoS attacks transiting a device; however, network devices that maintain the state of TCP connections may be impacted. If the attacker can establish enough TCP connections through a transit device that maintains TCP state, device resources may be exhausted and prevent the device from processing new TCP connections, resulting in a DoS condition. If an affected device that forwards traffic (that is, routes) in a network is the target of a TCP state manipulation attack, the attacker could cause a network-impacting DoS condition.

Impact
Successful exploitation of the TCP state manipulation vulnerabilities may result in a DoS condition where new TCP connections are not accepted on an affected system. Repeated exploitation may result in a sustained DoS condition. A reboot may be required to recover affected systems. In addition, Cisco Nexus 5000 systems may crash upon receiving a specific sequence of TCP packets.

Link: http://www.cisco.com/…/products_security_advisory09186a0080af511d.shtml

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: DOS

To create a command alias, issue the alias command in global configuration mode. The syntax of the command is alias mode command-alias original-command. Who have never typed repeatedly the commands show cdp neigh or show ip inter brief?

Some helpful alias could be:

• scn -> show cdp neighbor
  • command: alias exec scn show cdp neighbor
• ifconfig -> show ip interface brief
  • command: alias exec ifconfig show ip interface brief
• sint [interface number] ->show run interface fastEthernet
  • command: alias exec sint show run interface fastethernet
• proc -> show proc cpu | excl 0.00%__0.00%__0.00%
  • command: alias exec proc show proc cpu | excl 0.00%__0.00%__0.00
• eth0 -> interface fastethernet0/0
  • command: alias configure eth0 interface fastethernet0/0
• ns -> no shutdown
  • command: alias interface ns no shutdown

Tips: if you would create an alias for ’interface mode’ and ’priviledge mode’, you must define the same alias for the two environment. See you below:

alias configure sir do show ip route
alias interface sir do show ip route

Remember: There are some built-in command aliases:

Ciscozine#sh aliases
Exec mode aliases:
  h                     help
  lo                    logout
  p                     ping
  r                     resume
  s                     show
  u                     undebug
  un                    undebug
  w                     where

Ciscozine#

References: http://www.cisco.com/…/usingios.html#wp1013134

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: Basic configuration, Tips, Video

1) Cisco IOS XR Software Border Gateway Protocol Vulnerabilities
Cisco IOS XR Software contains multiple vulnerabilities in the Border Gateway Protocol (BGP) feature. These vulnerabilities include:

• Cisco IOS XR Software will reset a BGP peering session when receiving a specific invalid BGP update.
  The vulnerability manifests when a BGP peer announces a prefix with a specific invalid attribute. On receipt of this prefix, the Cisco IOS XR device will restart the peering session by sending a notification. The peering session will flap until the sender stops sending the invalid/corrupt update. This vulnerability was disclosed in revision 1.0 of this advisory.
• Cisco IOS XR BGP process will crash when sending a long length BGP update message
  When Cisco IOS XR sends a long length BGP update message, the BGP process may crash. The number of AS numbers required to exceed the total/maximum length of update message and cause the crash are well above normal limits seen within production environments.
• Cisco IOS XR BGP process will crash when constructing a BGP update with a large number of AS prepends
  If the Cisco IOS XR BGP process is configured to prepend a very large number of Autonomous System (AS) Numbers to the AS path, the BGP process will crash. The number of AS numbers required to be prepended and cause the crash are well above normal limits seen within production environments.

Vulnerable Products
To determine the Cisco IOS XR Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS XR Software by displaying text similar to “Cisco IOS XR Software”. The software version is displayed after the text “Cisco IOS XR Software”.

Details
These vulnerabilities affect Cisco IOS XR devices running affected software versions and configured with the BGP routing feature.

Impact
Successful exploitation of these vulnerabilities may result in the continuous resetting of BGP peering sessions, or the continuous resetting of the BGP process itself. This may lead to routing inconsistencies and a denial of service for those affected networks.

Link: http://www.cisco.com/…/security_advisory09186a0080af150f.shtml

2) Cisco Unified Communications Manager Denial of Service Vulnerabilities
Cisco Unified Communications Manager (formerly CallManager) contains multiple denial of service (DoS) vulnerabilities that if exploited could cause an interruption to voice services. The Session Initiation Protocol (SIP) and Skinny Client Control Protocol (SCCP) services are affected by these vulnerabilities. Cisco has released free software updates for select Cisco Unified Communications Manager versions that address these vulnerabilities. There are no workarounds for these vulnerabilities.

Vulnerable Products
The following products are affected by vulnerabilities described in this advisory:

• Cisco Unified Communications Manager 4.x
• Cisco Unified Communications Manager 5.x
• Cisco Unified Communications Manager 6.x
• Cisco Unified Communications Manager 7.x

Details
Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications.

Impact
Successful exploitation of the vulnerabilities described in this advisory could result in the interruption of voice services. To restore voice services, affected Cisco Unified Communications Manager services may require a manual restart.

Link: http://www.cisco.com/…/security_advisory09186a0080af2d11.shtml

3) Firewall Services Module Crafted ICMP Message Vulnerability
A vulnerability exists in the Cisco Firewall Services Module (FWSM) for the Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The vulnerability may cause the FWSM to stop forwarding traffic and may be triggered while processing multiple, crafted ICMP messages. There are no known instances of intentional exploitation of this vulnerability. However, Cisco has observed data streams that appear to trigger this vulnerability unintentionally. Cisco has released free software updates that address this vulnerability.

Vulnerable Products
All non-fixed 2.x, 3.x and 4.x versions of the FWSM software are affected by this vulnerability. To determine the version of the FWSM software that is running, issue the show module command-line interface (CLI) command from Cisco IOS Software or Cisco Catalyst Operating System Software to identify what modules and sub-modules are installed in the system.

Details
A vulnerability exists in the Cisco FWSM Software that may cause the FWSM to stop forwarding traffic between interfaces, or stop processing traffic that is directed at the FWSM (management traffic) after multiple, crafted ICMP messages are processed by the FWSM. Any traffic that transits or is directed towards the FWSM is affected, regardless of whether ICMP inspection (inspect icmp command under Class configuration mode) is enabled.

Impact
Successful exploitation of the vulnerability may cause the FWSM to stop forwarding traffic between interfaces (transit traffic), and stop processing traffic directed at the FWSM (management traffic). If the FWSM is configured for failover operation, the active FWSM may not fail over to the standby FWSM.

Link: http://www.cisco.com/…/security_advisory09186a0080af0d1d.shtml

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: DOS

1) Active Template Library (ATL) Vulnerability
Certain Cisco products that use Microsoft Active Template Libraries (ATL) and headers may be vulnerable to remote code execution. In some instances, the vulnerability may be exploited against Microsoft Internet Explorer to perform kill bit bypass. In order to exploit this vulnerability, an attacker must convince a user to visit a malicious web site.

Vulnerable Products
The following products are affected by this vulnerability:Cisco Unity 4.x, 5x., and 7.x

Details
Microsoft has identified vulnerabilities in the Active Template Library (ATL) headers that are shipped with the Software Development Kit (SDK) for Microsoft Windows systems and used in Cisco products. In general, this vulnerability, if exposed by an ActiveX control, could lead to remote code execution on a client’s system.

Impact
Successful exploitation of the vulnerability may result in remote code execution.

Link: http://www.cisco.com/…/advisory09186a0080ae9e43.shtml

2) Cisco IOS Software Border Gateway Protocol 4-Byte Autonomous System Number Vulnerabilities
Recent versions of Cisco IOS Software support RFC4893 (”BGP Support for Four-octet AS Number Space”) and contain two remote denial of service (DoS) vulnerabilities when handling specific Border Gateway Protocol (BGP) updates. These vulnerabilities affect only devices running Cisco IOS Software with support for four-octet AS number space (here after referred to as 4-byte AS number) and BGP routing configured.

• The first vulnerability could cause an affected device to reload when processing a BGP update that contains autonomous system (AS) path segments made up of more than one thousand autonomous systems.

• The second vulnerability could cause an affected device to reload when the affected device processes a malformed BGP update that has been crafted to trigger the issue.

Vulnerable Products
These vulnerabilities affect only devices running Cisco IOS and Cisco IOS XE Software (here after both referred to as simply Cisco IOS) with support for RFC4893 and that have been configured for BGP routing.

Details

• The first vulnerability could cause an affected device to reload when processing a BGP update that contains AS path segments made up of more than one thousand autonomous systems. If an affected 4-byte AS number BGP speaker receives a BGP update from a 2-byte AS number BGP speaker that contains AS path segments made up of more than one thousand autonomous systems, the device may crash with memory corruption, and the error “%%Software-forced reload” will be displayed.

• The second vulnerability could cause an affected device to reload when the affected device processes a malformed BGP update that has been crafted to trigger the issue.

Impact
Successful exploitation of the vulnerabilities described in this document may result in a reload of the device. The issue could result in repeated exploitation to cause an extended DoS condition.

Link: http://www.cisco.com/…/dvisory09186a0080aea4c9.shtml

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: DOS, Remote Control

“The goal is to map out the problem space in order to allow for the anticipation of developments in the future, as current research suggests that exploitation of such vulnerabilities in the wild is not currently the case. By understanding the challenges that an attacker faces, defensive strategies can be better planned, a required evolution with the current state of Cisco IOS router networks.” says Felix ‘FX’ Lindner in his “Cisco IOS Router Exploitation” abstract.

“This paper will highlight reasons for the lack of binary exploits and which developments will herald the dawn of reliable remote exploitation of Cisco IOS based network infrastructure equipment. The author strongly believes that eventually, attacks on network infrastructure will use binary exploitation methods to massively gain unauthorized access. Therefore, research from the offensive point of view must be conducted and published, in order to allow the defenses to be chosen in anticipation of such future developments.” he says again.

In his speech Felix touches six points:

• Introduction & Motivation
• Vulnerabilities in routers
• Architectural considerations
• The Return Address Dilemma
• Shellcode for Routers
• Protecting Routers

References:

• http://www.blackhat.com/…/BHUSA09-Lindner-RouterExploit-SLIDES.pdf
• http://www.blackhat.com/…/BHUSA09-Lindner-RouterExploit-PAPER.pdf

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: IOS, Secure a router