Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability and Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability
There are no workarounds to mitigate this vulnerability.
Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability
If an exploit of this vulnerability is causing traffic interruption, administrators can remove the Modular Policy Framework (MPF) configuration on the Cisco ASA that is used to direct the user traffic toward the Cisco IPS SSP. This change will cause all user traffic to bypass Cisco IPS SSP module inspection and allow it to pass through the Cisco ASA.
The following example shows how to disable the redirecting of web traffic to the Cisco IPS Software module from the Cisco ASA firewall:
ASA(config)# class-map ips_traffic
ASA(config-cmap)# match any
ASA(config)# policy-map ips_traffic_policy
ASA(config-pmap)# class ips_traffic
ASA(config-pmap-c)# no ips inline|promiscuous
Note: Configuring IPS bypass with the command fail-open or fail-close will not have any effect on the Cisco IPS software module for the Cisco ASA.
If the IPS is running in promiscuous mode, fragmented traffic can be excluded from IPS processing as a mitigation.
The following example shows how to disable fragmented traffic on the Cisco IPS software module:
sensor# conf t
sensor(config)# ser sig sig0
sensor(config-sig)# sig 1200 0
sensor(config-sig-sig)# engine normalizer
sensor(config-sig-sig-nor)# edit-default-sigs-only default-signatures-only
sensor(config-sig-sig-nor-def)# specify-max-fragments yes
sensor(config-sig-sig-nor-def-yes)# max-fragments 0
sensor(config-sig-sig-nor-def-yes)# exit
sensor(config-sig-sig-nor-def)# exit
sensor(config-sig-sig-nor)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]: yes
This change requires a Cisco IPS software module reload.
Note: This change will cause all non-TCP fragments to pass uninspected.
Alternatively, fragmented traffic can be disallowed on the Cisco ASA firewall. This will cause the Cisco ASA firewall not to accept any fragments on its interfaces. Consequently, the Cisco ASA will not send any fragments to the Cisco IPS software module for inspection.
The following example shows how to disable fragmented traffic on the Cisco ASA firewall:
ASA(config)# fragment chain 1
Note: The preceding example will disable fragments on all the Cisco ASA interfaces.
Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability
There is no workaround for this vulnerability; however, the Cisco IDSM-2 Module administrator should limit the number of hosts (IP addresses) allowed to connect to the management interface of the system.
To restrict the number of allowed hosts, the administrator should use the access-list command. The no access-list command should be used to remove any hosts or networks from the list.
The following example shows the sequence of commands to remove access for the full 192.168.1.0/24 network and allow access only to the host with IP address 192.168.1.1.
Use the show settings command in network-settings configuration mode to see the currently allowed hosts or networks. The following example shows that the Cisco IDSM-2 is configured to allow all the hosts in the 192.168.1.0/24 network:
sensor(config-hos-net)# show settings
network-settings
-----------------------------------------------
[...]
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 192.168.1.0/24
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds
login-banner-text:
[...]
Use the access-list command in network-settings configuration mode to add the 192.168.1.1 host. If this is to be the only allowed host, make sure it is also the one from which you are executing the configuration, to avoid losing connectivity to the Cisco IDSM-2 Module:
sensor(config-hos-net)#access-list 192.168.1.1/32
Use the no access-list command in network-settings configuration mode to remove the 192.168.1.0/24 network from the allowed hosts list:
sensor(config-hos-net)#no access-list 192.168.1.0/24
Use the show settings command in network-settings configuration mode to check that the list of allowed hosts is correct:
sensor(config-hos-net)# show settings
network-settings
-----------------------------------------------
[...]
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 192.168.1.1/32
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds
login-banner-text:
[...]
Exit and apply the configuration:
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]:
Note: Internal tests performed by Cisco have shown that this vulnerability cannot be exploited if the total number of hosts allowed is less than or equal to 254 hosts. Administrators who cannot reduce the number of allowed hosts to the number indicated in this advisory should contact Cisco Technical Assistance Center for additional support.
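The note above gives administrators a concrete number to check against: the total number of addresses on the IDSM-2 allowed-host list should not exceed 254. The following Python script is an added example, not part of the Cisco advisory and not a Cisco tool. It parses the text of show settings (in the format shown above), totals the addresses covered by the network-address entries (collapsing overlapping prefixes so a host inside an already-allowed network is not double counted), and reports whether the list is within the advisory's limit. The sample outputs embedded in the script are constructed from the before and after listings above; counting every address in a prefix (including network and broadcast) is a deliberately conservative assumption.

```python
"""Audit the allowed-host list of a Cisco IDSM-2 sensor (added example).

Parses the text of `show settings` from network-settings configuration mode
and totals the addresses covered by the access-list entries, so the result
can be compared with the 254-host figure given in the advisory.
"""
import ipaddress
import re

# Threshold stated in the advisory: Cisco's tests showed the vulnerability
# could not be exploited with 254 or fewer allowed hosts.
MAX_SAFE_HOSTS = 254

# Constructed sample: the "before" output (whole /24 allowed).
SAMPLE_BEFORE = """\
network-settings
-----------------------------------------------
[...]
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 192.168.1.0/24
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds
login-banner-text:
[...]
"""

# Constructed sample: the "after" output (single management host).
SAMPLE_AFTER = SAMPLE_BEFORE.replace("192.168.1.0/24", "192.168.1.1/32")

# One network-address line per allowed host or network, as printed by the sensor.
_ADDR_RE = re.compile(r"^\s*network-address:\s*(\S+)\s*$", re.MULTILINE)


def parse_access_list(show_settings_text):
    """Return the ip_network objects listed under network-address: lines."""
    return [
        ipaddress.ip_network(m.group(1), strict=False)
        for m in _ADDR_RE.finditer(show_settings_text)
    ]


def count_allowed_hosts(networks):
    """Count distinct addresses covered by the entries.

    Overlapping prefixes are collapsed per IP version, so 192.168.1.0/24 plus
    192.168.1.1/32 counts as 256, not 257. All addresses in a prefix are
    counted (network and broadcast included), which over-counts slightly and
    therefore errs on the safe side.
    """
    total = 0
    for version in (4, 6):
        same_version = [n for n in networks if n.version == version]
        for net in ipaddress.collapse_addresses(same_version):
            total += net.num_addresses
    return total


def audit(show_settings_text):
    """Summarise the allowed-host list and compare it with the advisory limit."""
    nets = parse_access_list(show_settings_text)
    total = count_allowed_hosts(nets)
    return {
        "entries": [str(n) for n in nets],
        "allowed_hosts": total,
        "within_advisory_limit": total <= MAX_SAFE_HOSTS,
    }


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(text))
```

In practice the show settings output would be captured from the sensor session and passed to audit() instead of the embedded samples; a result with within_advisory_limit set to False is the cue to trim the list with no access-list as described above, or to contact the Cisco Technical Assistance Center if the list cannot be reduced.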
Additional mitigation information for the vulnerabilities described in this advisory is available in the companion Applied Mitigation Bulletin (AMB) at the following location:
http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=29271