Vulnslist

Cisco vulnerabilities by product, model, software, and advisory.

Multiple Vulnerabilities in Cisco IPS Software

cisco-sa-20140219-ips · High · Published · Updated

Cisco Intrusion Prevention System (IPS) Software is affected by the following vulnerabilities:

- Cisco IPS Analysis Engine Denial of Service Vulnerability
- Cisco IPS Control-Plane MainApp Denial of Service Vulnerability
- Cisco IPS Jumbo Frame Denial of Service Vulnerability

The Cisco IPS Analysis Engine Denial of Service Vulnerability and the Cisco IPS Jumbo Frame Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive or crash. When this occurs, the Cisco IPS will stop inspecting traffic.

The Cisco IPS Control-Plane MainApp Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the MainApp process to become unresponsive and prevent it from executing several tasks including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive, and other processes such as the Analysis Engine process may not work properly.

Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate some of the vulnerabilities are available. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140219-ips


Workarounds

To work around the Cisco IPS Analysis Engine Denial of Service Vulnerability, an administrator can disable the produce-verbose-alert action.

Use the show configuration command to determine which signatures have the produce-verbose-alert option enabled, or whether the produce-verbose-alert option is enabled as an event action override (EAO).

If produce-verbose-alert has been configured at the signature level, enter the signature configuration prompt and change the event action of each affected signature from produce-verbose-alert to produce-alert. The following example shows the procedure to change the event action from produce-verbose-alert to produce-alert for signature 1475/0:

sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 1475 0
sensor(config-sig-sig)# engine string-tcp
sensor(config-sig-sig-str)# event-action produce-alert
sensor(config-sig-sig-str)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]: yes
sensor(config)#

Alternatively, an administrator can use the Cisco Intrusion Prevention System Device Manager (IDM) to connect to the Cisco IPS and navigate to Configuration > Policies > Signature Definitions > -Sig-Definition-Name- > Active Signatures, then filter by using Filter: Action Produce Verbose Alert in order to verify any active signatures with the produce-verbose-alert option enabled.

For each of these signatures, right-click and choose Edit Action. In the panel, uncheck the Produce Verbose Alert check box, click OK, and apply the changes.

If the produce-verbose-alert action is enabled as an EAO, it can be disabled by modifying the settings of the event action rules policy.

The following example shows how to disable the override with produce-verbose-alert configured in the rules0 event action rules policy:

sensor(config)# service event-action-rules rules0
sensor(config-eve)# no overrides produce-verbose-alert
sensor(config-eve)# exit
Apply Changes?[yes]: yes
sensor(config)# 

There is no workaround for the Cisco IPS Control-Plane MainApp Denial of Service Vulnerability; however, restricting the number of allowed hosts may reduce exposure to this vulnerability.

To restrict the number of allowed hosts, the administrator should use the access-list command. The no access-list command should be used to remove any hosts or networks from the list.

The following example shows the sequence of commands to remove access for the full 192.168.1.0/24 network and allow access only to the host with IP address 192.168.1.1.

Use the show settings command in network-settings configuration mode to see the currently allowed hosts or networks. The following example shows that the Cisco IDSM-2 is configured to allow all hosts in the 192.168.1.0/24 network:

sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
[...]
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 192.168.1.0/24
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds
      login-banner-text:
   [...]

Use the access-list command in network-settings configuration mode to add the 192.168.1.1 host.

Note: if this is the only allowed host, make sure it is also the one from which you are executing the configuration commands, to avoid losing connectivity to the Cisco IDSM-2 Module.

sensor(config-hos-net)#access-list 192.168.1.1/32

Use the no access-list command in network-settings configuration mode to remove the 192.168.1.0/24 network from the allowed hosts list:

sensor(config-hos-net)#no access-list 192.168.1.0/24

Use the show settings command in network-settings configuration mode to check that the list of allowed hosts is correct:

sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
[...]
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 192.168.1.1/32
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds
      login-banner-text:
   [...]

Exit and apply the configuration:

sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
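The "show settings" output above is what an administrator eyeballs to confirm the change. As an added example (not Cisco's code, and not part of the advisory), the following script parses that output offline, flags any allowed entry wider than a single management host, and checks that the host you administer from is still permitted, which is the loss-of-connectivity caveat from the Note above. The sample output is constructed from the advisory's example.

```python
import ipaddress
import re

# Constructed sample of "show settings" output from network-settings mode,
# modelled on the advisory's before/after examples.
BEFORE = """\
   network-settings
   -----------------------------------------------
[...]
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 192.168.1.0/24
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds
      login-banner-text:
   [...]
"""
AFTER = BEFORE.replace("192.168.1.0/24", "192.168.1.1/32")

ADDR_RE = re.compile(r"^\s*network-address:\s*(\S+)")
CURRENT_RE = re.compile(r"access-list \(min: \d+, max: \d+, current: (\d+)\)")

def parse_access_list(text):
    """Return the allowed networks listed in show settings output."""
    nets = [ipaddress.ip_network(m.group(1), strict=False)
            for line in text.splitlines() if (m := ADDR_RE.match(line))]
    m = CURRENT_RE.search(text)
    # Sanity check: the sensor's own entry count must match what we parsed.
    if m and int(m.group(1)) != len(nets):
        raise ValueError("parsed entries do not match the 'current:' count")
    return nets

def audit_access_list(text, max_addresses=1):
    """Flag entries that admit more than max_addresses (default: one host)."""
    findings = []
    for net in parse_access_list(text):
        if net.num_addresses > max_addresses:
            findings.append(f"{net} allows {net.num_addresses} addresses; "
                            f"narrow to /32 hosts")
    return findings

def host_allowed(text, host):
    """True if the management host is covered by some allowed entry."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in parse_access_list(text))
```

Run audit_access_list on a captured "show settings" and host_allowed with your own management address before you type the exit that applies the change.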

There is no workaround for the Cisco IPS Jumbo Frame Denial of Service Vulnerability.

Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory: http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=32605

CVEs: CVE-2014-0718, CVE-2014-0719, CVE-2014-0720
Cisco Bug IDs: CSCuh94944, CSCui67394, CSCui91266
CVSS Score: Base 7.1
  Base 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
  Base 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C
Product Names From Source: Cisco Intrusion Prevention System (IPS), Intrusion Prevention System (IPS)

Related Products

Product                                   CVE             Evidence
Intrusion Prevention System (IPS)         CVE-2014-0720   Cisco OpenVuln
Intrusion Prevention System (IPS)         CVE-2014-0719   Cisco OpenVuln
Intrusion Prevention System (IPS)         CVE-2014-0718   Cisco OpenVuln
Cisco Intrusion Prevention System (IPS)   CVE-2014-0720   Cisco OpenVuln
Cisco Intrusion Prevention System (IPS)   CVE-2014-0719   Cisco OpenVuln
Cisco Intrusion Prevention System (IPS)   CVE-2014-0718   Cisco OpenVuln