CPNI - Centre for the Protection of National Infrastructure

September 2007

3404 - Cisco Security Response: Catalyst 6500 and Cisco 7600 Series Devices Accessible via Loopback Address

ID: 3404
Date: 27 September 2007 11:26

Title: 3404 - Cisco Security Response: Catalyst 6500 and Cisco 7600 Series Devices Accessible via Loopback Address
Abstract: This document is the Cisco PSIRT response to an issue regarding Cisco Catalyst 6500 and Cisco 7600 series devices that was discovered and reported to Cisco by Lee E. Rian.
Vendors affected: Cisco
Availability of fix: Available
Type of fix: Patch
Source: Cisco
Reliability of source: Trusted
Source URL: http://www.cisco.com/warp/public/707/cisco-sr-20070926-lb.shtml

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Response: Catalyst 6500 and Cisco 7600 Series Devices Accessible via Loopback Address

http://www.cisco.com/warp/public/707/cisco-sr-20070926-lb.shtml

Revision 1.0

For Public Release 2007 September 26 2200 UTC (GMT)

Cisco Response
==============

This document is the Cisco PSIRT response to an issue regarding Cisco Catalyst 6500 and Cisco 7600 series devices that was discovered and reported to Cisco by Lee E. Rian.

The original report has been posted to the full-disclosure mailing list.

Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities, and we welcome the opportunity to review and assist in product reports.

This vulnerability is documented in Cisco bug ID CSCsg02323.

This Cisco Security Response is available at the following link:
http://www.cisco.com/warp/public/707/cisco-sr-20070926-lb.shtml

Additional Information
======================

Cisco Catalyst 6500 and Cisco 7600 series devices use addresses from the 127.0.0.0/8 (loopback) range in the Ethernet Out-of-Band Channel (EOBC) for internal communication.

Addresses from this range that are used in the EOBC on Cisco Catalyst 6500 and Cisco 7600 series devices are accessible from outside of the system. The Supervisor module, Multilayer Switch Feature Card (MSFC), or any other intelligent module may receive and process packets that arrive from the network with a destination in the 127.0.0.0/8 range. An attacker can exploit this behavior to bypass existing access control lists that do not filter the 127.0.0.0/8 address range; however, an exploit will not allow an attacker to bypass authentication or authorization. Valid authentication credentials are still required to access the module in question.

Per RFC 3330, a packet that is sent to an address anywhere within the 127.0.0.0/8 address range should loop back inside the host and should never reach the physical network. However, some host implementations send packets addressed to the 127.0.0.0/8 range out of their Network Interface Card (NIC) onto the network. Certain implementations that normally do not send packets to addresses in the 127.0.0.0/8 range may also be configured to do so.

Destination addresses in the 127.0.0.0/8 range are not routed on the Internet. This factor limits the exposure of this issue.

This issue is applicable to systems that run Hybrid Mode (Catalyst OS (CatOS) software on the Supervisor Engine and IOS Software on the MSFC) and Native Mode (IOS Software on both the Supervisor Engine and the MSFC).

This issue has been documented by the Cisco bug ID CSCsg02323 (registered customers only). All software versions that run on Cisco Catalyst 6500 and Cisco 7600 series devices are affected. A fix is available in 12.2(33)SXH.

As a workaround, administrators can apply an access control list that filters packets destined to the 127.0.0.0/8 address range on the interfaces from which attacks may be launched. If an access list is already applied inbound on such an interface, add the deny entry to that list ahead of any permit entries rather than replacing the existing policy with the minimal example below; an ACL is evaluated top to bottom and the first matching entry wins.

    !-- Deny every packet destined to 127.0.0.0/8 before any
    !-- permit entry, then allow the remaining traffic
    ip access-list extended block_loopback
      deny   ip any 127.0.0.0 0.255.255.255
      permit ip any any

    !-- Apply the ACL inbound on each Layer 3 interface that
    !-- faces untrusted hosts (replace x with the VLAN number)
    interface Vlan x
     ip access-group block_loopback in
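The workaround only helps if the deny entry is present on every Layer 3 interface that untrusted hosts can reach, and only if it precedes any permit that could match. The following script is an added example, not part of the Cisco response: it parses an IOS running-config, evaluates each inbound ACL with first-match semantics against the 127.0.0.0/8 range, and reports interfaces that carry no inbound ACL or whose ACL lets 127.0.0.0/8 traffic through. The embedded SAMPLE_CONFIG is constructed for the example (RFC 5737 documentation addresses, interface names and ACL names are assumptions), wildcard masks are assumed contiguous, and only the `any`, `host` and `address wildcard` forms with an optional source port operator are parsed.

```python
"""Audit an IOS running-config for the interface ACL workaround above: every
Layer 3 interface should carry an inbound ACL that denies 127.0.0.0/8 before
any permit entry. Added example, not Cisco's code. The sample config below is
constructed; wildcard masks are assumed contiguous."""
import ipaddress

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample: Vlan10 has the workaround, Vlan20 permits SSH ahead of
# the deny (first match wins, so SSH to a 127.x address still gets through),
# GigabitEthernet1/1 has no inbound ACL at all.
SAMPLE_CONFIG = """\
ip access-list extended block_loopback
 deny   ip any 127.0.0.0 0.255.255.255
 permit ip any any
!
ip access-list extended permissive
 permit tcp any any eq 22
 deny   ip any 127.0.0.0 0.255.255.255
 permit ip any any
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip access-group block_loopback in
interface Vlan20
 ip address 198.51.100.1 255.255.255.0
 ip access-group permissive in
interface GigabitEthernet1/1
 ip address 203.0.113.1 255.255.255.252
"""


def parse_blocks(config):
    """Split into (top-level line, [indented sub-lines]); drop blanks and '!' lines."""
    blocks = []
    for raw in config.splitlines():
        if raw.strip() and not raw.lstrip().startswith("!"):
            if raw[0] != " ":
                blocks.append((raw.strip(), []))
            else:
                blocks[-1][1].append(raw.strip())
    return blocks


def parse_target(tokens, i):
    """'any' | 'host A' | 'A WILDCARD' at tokens[i] -> (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    netmask = ~int(ipaddress.IPv4Address(tokens[i + 1])) & 0xFFFFFFFF  # invert wildcard
    prefixlen = bin(netmask).count("1")
    return ipaddress.ip_network(f"{tokens[i]}/{prefixlen}", strict=False), i + 2


def parse_ace(tokens):
    """['permit'|'deny', proto, src, [op port], dst, ...] -> (action, proto, src, dst)."""
    src, i = parse_target(tokens, 2)
    if tokens[i] in ("eq", "gt", "lt", "neq"):
        i += 2                                          # skip a source port operator
    return tokens[0], tokens[1], src, parse_target(tokens, i)[0]


def collect_acls(blocks):
    """ACL name or number -> ordered ACEs, for named and numbered ACLs."""
    acls = {}
    for header, body in blocks:
        t = header.split()
        if t[:2] == ["ip", "access-list"]:
            acls[t[-1]] = [parse_ace(l.split()) for l in body
                           if l.split()[0] in ("permit", "deny")]
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            acls.setdefault(t[1], []).append(parse_ace(t[2:]))
    return acls


def blocks_loopback(aces):
    """First-match evaluation: is every packet to 127.0.0.0/8 denied?"""
    for action, proto, _src, dst in aces:
        if action == "permit" and dst.overlaps(LOOPBACK_NET):
            return False                                # some 127/8 traffic leaks
        if action == "deny" and proto == "ip" and LOOPBACK_NET.subnet_of(dst):
            return True                                 # whole range dropped first
    return True                                         # implicit deny at the end


def audit_interfaces(config):
    """Per Layer 3 interface: 'ok', 'no inbound ACL' or the name of the leaking ACL."""
    blocks = parse_blocks(config)
    acls = collect_acls(blocks)
    report = {}
    for header, body in blocks:
        if header.startswith("interface ") and any(l.startswith("ip address") for l in body):
            acl = [l.split()[2] for l in body
                   if l.startswith("ip access-group") and l.endswith(" in")]
            if not acl:
                status = "no inbound ACL"
            elif acl[0] in acls and blocks_loopback(acls[acl[0]]):   # undefined ACL permits all
                status = "ok"
            else:
                status = f"ACL {acl[0]} permits 127.0.0.0/8"
            report[header.split(None, 1)[1]] = status
    return report
```

Running `audit_interfaces(SAMPLE_CONFIG)` reports Vlan10 as ok, Vlan20 as leaking through ACL permissive (the permit for TCP/22 precedes the deny, so the ACL bypass described above still works for the SSH port), and GigabitEthernet1/1 as having no inbound ACL. Feed it the output of `show running-config` to audit a real device; a permit of any protocol whose destination overlaps 127.0.0.0/8 before a covering deny is treated as a leak, which is deliberately conservative.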


Control Plane Policing (CoPP) can be used to block traffic with a destination IP address in the 127.0.0.0/8 address range sent to the device. Cisco IOS Software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may be configured on a device to protect the management and control planes to minimize the risk and effectiveness of direct infrastructure attacks. CoPP protects the management and control planes by explicitly permitting only authorized traffic that is sent to infrastructure devices in accordance with existing security policies and configurations.


    !-- Permit all traffic with a destination IP
    !-- addresses in the 127.0.0.0/8 address range sent to
    !-- the affected device so that it will be policed and
    !-- dropped by the CoPP feature
    !

    access-list 111 permit icmp any 127.0.0.0 0.255.255.255
    access-list 111 permit udp any 127.0.0.0 0.255.255.255
    access-list 111 permit tcp any 127.0.0.0 0.255.255.255
    access-list 111 permit ip any 127.0.0.0 0.255.255.255

    !
    !-- Permit (Police or Drop)/Deny (Allow) all other Layer3
    !-- and Layer4 traffic in accordance with existing security
    !-- policies and configurations for traffic that is authorized
    !-- to be sent to infrastructure devices
    !
    !-- Create a Class-Map for traffic to be policed by the
    !-- CoPP feature
    !

    class-map match-all drop-127/8-netblock-class
      match access-group 111

    !
    !-- Create a Policy-Map that will be applied to the
    !-- Control-Plane of the device.
    !

    policy-map drop-127/8-netblock-traffic
      class drop-127/8-netblock-class
        police 32000 1500 1500 conform-action drop exceed-action drop

    !
    !-- Apply the Policy-Map to the Control-Plane of the
    !-- device
    !

    control-plane
      service-policy input drop-127/8-netblock-traffic

    !

Additional information on the configuration and use of the CoPP feature is available at the following links:

http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml

http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html

Infrastructure Access Control Lists (iACLs) are considered a network security best practice and should be deployed as long-term additions to effective network security, in addition to serving as a workaround for this specific issue. The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection ACLs. The white paper is available at the following link:

http://www.cisco.com/warp/public/707/iacl.html

Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this response:

http://www.cisco.com/warp/public/707/cisco-air-20070926-lb.shtml

Additional Information
======================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Revision History
================

+----------+-------------------+-------------------------+
| Revision | Date              | Description             |
+----------+-------------------+-------------------------+
| 1.0      | 2007-September-26 | Initial public release. |
+----------+-------------------+-------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.  All Cisco security advisories are available at http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFG+tis8NUAbBmDaxQRApn2AKCLXskG0SFfsCYARui1Uc5EmdlQKwCgr0DI
V7JrMgq2C5up8UNGOZkCUM8=
=tFEA
-----END PGP SIGNATURE-----

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
