Urgent Watchguard LiveSecurity Update 23-09-09

Cisco Biannual Patch Day: Eleven Advisories Affect IOS and UCM

Severity: High

23 September, 2009

Summary:

- These vulnerabilities affect: Devices running Cisco IOS and Cisco's Unified Communications Manager (UCM)

- How an attacker exploits them: Multiple vectors of attack; in the most common, the attacker sends specially crafted network packets

- Impact: Various results; these include many Denial of Service (DoS) issues, or access control or authentication bypass flaws.

- What to do: Administrators who manage Cisco IOS or UCM devices should download, test, and deploy the appropriate Cisco updates as soon as possible

Exposure:

Following their plan to implement a twice-yearly patch cycle falling on the fourth Wednesday of March and September, today marks Cisco's biannual patch day for September 2009, with eleven security advisories released. Most of these advisories cover security vulnerabilities that affect devices running Cisco's Internetwork Operating System (IOS) software. IOS is the operating system that runs on most Cisco routers and switches. However, two of the advisories also cover vulnerabilities in Unified Communications Manager (UCM), which is Cisco's enterprise-level, IP telephony call-processing system.

While Cisco's IOS advisories differ technically, all but two of them cover vulnerabilities that attackers could exploit in Denial of Service (DoS) attacks. The remaining flaws involve both an Access Control List (ACL) bypass vulnerability and an authentication bypass vulnerability. For a complete list of today's Cisco advisories, check out Cisco's Bundled Advisory for September 23rd or their Security Advisories page. We summarize three of the IOS advisories below:

Cisco Document ID 110396: IOS H.323 DoS vulnerability.

H.323 is a protocol designed to stream multimedia over a network, and is often used in video conferencing. IOS's H.323 implementation suffers from an unspecified vulnerability involving the way it handles H.323 traffic. By sending specially crafted H.323 packets, a remote attacker could exploit this vulnerability to reload your IOS device. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit this vulnerability to knock your network offline.
Base CVSS Score: 7.8 (10 being the most severe)

Cisco Document ID 110447: IOS NTP DoS vulnerability.

The Network Time Protocol (NTP) is a standard designed to help computers synchronize their clocks over a network. IOS suffers from an unspecified vulnerability involving the way it handles NTPv4 traffic. By sending specially crafted NTP packets to your Cisco device, a remote attacker could exploit this vulnerability to reload your IOS device. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit this vulnerability to knock your network offline.
Base CVSS Score: 7.8

Cisco Document ID 110478: IOS Authentication Proxy bypass vulnerability.

Cisco's Authentication Proxy allows administrators to apply policies on a per-user basis by forcing users to perform a web-based authentication before they can access the Internet. Administrators can also use this feature to force users to agree to a consent page before accessing certain network resources. Unfortunately, the Authentication Proxy suffers from a complex race condition vulnerability. By authenticating to a Cisco device at just the right time, under just the right conditions, an attacker can exploit this flaw to authenticate as a previously authenticated user, regardless of the credentials the attacker uses. This essentially allows the attacker to bypass the authentication process and skip any forced consent pages.
Base CVSS Score: 7.1

The remaining advisories fix DoS flaws just as severe as the ones described above. For greater detail on all of Cisco's September vulnerabilities, check out the individual advisories in the References section of this alert, or refer to Cisco's bundled security advisory for September 2009.

Cisco also published two advisories describing vulnerabilities in their Unified Communications Manager (UCM). The advisories include both a serious code execution vulnerability and another DoS flaw. If you use Cisco UCM, be sure to apply these patches as well.

Solution Path:

Cisco has released patches to fix these vulnerabilities. If you use any Cisco device running IOS software or Cisco's Unified Communications Manager (UCM), you should immediately consult the "Software Versions and Fixes" and "Obtaining Fixed Software" sections of the advisories listed in Cisco's bundled security advisory for September 2009 to learn which fixes apply to your devices, and how to obtain them. You can also refer to the "Software Versions and Fixes" and "Obtaining Fixed Software" section of each of the individual alerts linked below.

For All WatchGuard Users:

Since these vulnerabilities can affect your router, which is typically in front of your WatchGuard firewall, the solutions above are your primary recourse.

Status:

Cisco has made fixes available.

References:

- Cisco Bundled September 2009 Security Advisory

- Cisco Unified Communications Manager Express Vulnerability

- Cisco IOS Software Internet Key Exchange Resource Exhaustion Vulnerability

- Cisco IOS Software Tunnels Vulnerability

- Cisco IOS Software Object-group Access Control List Bypass Vulnerability

- Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerability

- Cisco IOS Software H.323 Denial of Service Vulnerability

- Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability

- Cisco IOS Software Crafted Encryption Packet Denial of Service Vulnerability

- Cisco IOS Software Authentication Proxy Vulnerability

- Cisco IOS Software Zone-Based Policy Firewall Vulnerability

- Cisco IOS Software Network Time Protocol Packet Vulnerability

This alert was researched and written by Corey Nachreiner, CISSP.
