Summary

• Cisco IOS software contains two vulnerabilities within the Cisco IOS WebVPN or Cisco IOS SSLVPN feature (SSLVPN) that can be remotely exploited without authentication to cause a denial of service condition. Both vulnerabilities affect both Cisco IOS WebVPN and Cisco IOS SSLVPN features:

  1. Crafted HTTPS packet will crash device.
     
  2. SSLVPN sessions cause a memory leak in the device.
     

  Cisco has released software updates that address these vulnerabilities.

  There are no workarounds that mitigate these vulnerabilities.

  This advisory is posted at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-webvpn.

  Note: The March 25, 2009, Cisco IOS Security Advisory bundled publication includes eight Security Advisories. All of the advisories address vulnerabilities in Cisco IOS Software. Each advisory lists the releases that correct the vulnerability or vulnerabilities in the advisory.

  Individual publication links are listed below:

  • Cisco IOS cTCP Denial of Service Vulnerability
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-ctcp
    
  • Cisco IOS Software Multiple Features IP Sockets Vulnerability
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-ip
    
  • Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-mobileip
    
  • Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-scp
    
  • Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-sip
    
  • Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-tcp
    
  • Cisco IOS Software Multiple Features Crafted UDP Packet Vulnerability
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-udp
    
  • Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-webvpn
    

Affected Products

• Vulnerable Products

  Devices running affected versions of Cisco IOS software are affected if configured with SSLVPN.

  To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the "show version" command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the "show version" command or may provide different output.

  The following example identifies a Cisco product that is running Cisco IOS Software Release 12.3(26) with an installed image name of C2500-IS-L:

  Router#show version
  Cisco Internetwork Operating System Software
  IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2008 by cisco Systems, Inc.
  Compiled Mon 17-Mar-08 14:39 by dchih
  
  

  The following example shows a product that is running Cisco IOS Software release 12.4(20)T with an image name of C1841-ADVENTERPRISEK9-M:

  Router#show version
  Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2008 by Cisco Systems, Inc.
  Compiled Thu 10-Jul-08 20:25 by prod_rel_team
  
  

  Additional information about Cisco IOS Software release naming conventions is available in "White Paper: Cisco IOS Reference Guide" at the following link: http://www.cisco.com/warp/public/620/1.html .

  To determine that SSLVPN is enabled on your device, log in to the device and issue the command-line interface (CLI) command "show running-config | include webvpn". If the device returns any output this means that SSLVPN is configured on the device and the device may be vulnerable. Vulnerable configurations vary depending on whether the device is supporting Cisco IOS WebVPN (introduced in Release 12.3(14)T) or Cisco IOS SSLVPNs (introduced in Release 12.4(6)T). The following methods describe how to confirm if the device is vulnerable:

  If the output from "show running-config | include webvpn" contains "webvpn enable" then the device is configured with the original Cisco IOS WebVPN. The only way to confirm the device is vulnerable is to examine the output of "show running-config" to confirm that webvpn is enabled via the command "webvpn enable" and that a "ssl trustpoint" has been configured. The following example shows a vulnerable device configured with Cisco IOS WebVPN:

  webvpn enable
  !
  webvpn
   ssl trustpoint TP-self-signed-29742012

  If the output from "show running-config | include webvpn" contains "webvpn gateway " then the device is supporting the Cisco IOS SSLVPN feature. A device is vulnerable if it has the "inservice"command in at least one of the "webvpn gateway" sections. The following example shows a vulnerable device configured with Cisco IOS SSLVPN:

  Router# show running | section webvpn        
  webvpn gateway Gateway
   ip address 10.1.1.1 port 443  
   ssl trustpoint Gateway-TP
   inservice
   !
  Router#

  A device that supports the Cisco IOS SSLVPN is not vulnerable if it has no "webvpn gateways" configured or all the configured "webvpn gateways" contain the "no inservice" "webvpn gateway" command.

  Products Confirmed Not Vulnerable

  The following products are not affected by this vulnerability:

  • Cisco ASA 5500 Series Adaptive Security Appliances
    
  • Cisco IOS XR Software
    
  • Cisco IOS XE Software
    

  No other Cisco products are currently known to be affected by these vulnerabilities.

Details

• The Cisco SSLVPN feature provides remote access to enterprise sites by users from anywhere on the Internet. The SSLVPN provides users with secure access to specific enterprise applications, such as e-mail and web browsing, without requiring them to have VPN client software installed on their end-user devices.

  The WebVPN Enhancements feature (Cisco IOS SSLVPN), released in Cisco IOS Release 12.4(6)T, obsoletes the commands and configurations originally put forward in Cisco IOS WebVPN.

  Further information about Cisco IOS WebVPN is available in the "Cisco IOS Software Release 12.3T WebVPN feature guide" at the following link: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/g_sslvpn.html

  Further information about Cisco IOS SSLVPN is available in the "Cisco IOS Software Release 12.4T SSLVPN feature guide" at the following link: http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htwebvpn.html

  Details regarding these two vulnerabilities in Cisco IOS devices that are running affected versions of system software are:

  Crafted HTTPS packet will crash device

  A device configured for SSLVPN may reload or hang when it receives a specially crafted HTTPS packet. Completion of the 3-way handshake to the associated TCP port number of the SSLVPN feature is required in order for the vulnerability to be successfully exploited, however authentication is "not" required. The default TCP port number for SSLVPN is 443.

  This vulnerability is documented in Cisco bug ID CSCsk62253 (registered customers only) and Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0626 has been assigned to this vulnerability.

  SSLVPN sessions cause a memory leak in the device

  A device configured for SSLVPN may leak transmission control blocks (TCBs) when processing an abnormally disconnected SSL session. Continued exploitation may result in the device depleting its memory resources and result in a crash of the device. Authentication is "not" required to exploit this vulnerability.

  The memory leak can be detected by running the command "show tcp brief", like in the following example:

  Router#show tcp brief
  TCB       Local Address      Foreign Address     (state)
  468BBDC0  192.168.0.22.443   192.168.0.33.19794   CLOSEWAIT
  482D4730  192.168.0.22.443   192.168.0.33.22092   CLOSEWAIT
  482779A4  192.168.0.22.443   192.168.0.33.16978   CLOSEWAIT
  4693DEBC  192.168.0.22.443   192.168.0.33.21580   CLOSEWAIT
  482D3418  192.168.0.22.443   192.168.0.33.17244   CLOSEWAIT
  482B8ACC  192.168.0.22.443   192.168.0.33.16564   CLOSEWAIT
  46954EB0  192.168.0.22.443   192.168.0.33.19532   CLOSEWAIT
  468BA9B8  192.168.0.22.443   192.168.0.33.15781   CLOSEWAIT
  482908C4  192.168.0.22.443   192.168.0.33.19275   CLOSEWAIT
  4829D66C  192.168.0.22.443   192.168.0.33.19314   CLOSEWAIT
  468A2D94  192.168.0.22.443   192.168.0.33.14736   CLOSEWAIT
  4688F590  192.168.0.22.443   192.168.0.33.18786   CLOSEWAIT
  4693CBA4  192.168.0.22.443   192.168.0.33.12176   CLOSEWAIT
  4829ABC4  192.168.0.22.443   192.168.0.33.39629   CLOSEWAIT
  4691206C  192.168.0.22.443   192.168.0.33.17818   CLOSEWAIT
  46868224  192.168.0.22.443   192.168.0.33.16774   CLOSEWAIT
  4832BFAC  192.168.0.22.443   192.168.0.33.39883   CLOSEWAIT
  482D10CC  192.168.0.22.443   192.168.0.33.13677   CLOSEWAIT
  4829B120  192.168.0.22.443   192.168.0.33.20870   CLOSEWAIT
  482862FC  192.168.0.22.443   192.168.0.33.17035   CLOSEWAIT
  482EC13C  192.168.0.22.443   192.168.0.33.16053   CLOSEWAIT
  482901D8  192.168.0.22.443   192.168.0.33.16200   CLOSEWAIT

  In the output above, those Transmission Control Blocks (TCBs) in the state CLOSEWAIT will not go away and represent memory leaks. Please note that only TCP connections with a local TCP port of 443 (the well-known port for HTTPS) are relevant.

  This vulnerability is documented in Cisco bug ID CSCsw24700 (registered customers only) and Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0628 has been assigned to this vulnerability.

Workarounds

• There are no workarounds for the vulnerabilities described in this advisory.

Fixed Software

• When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

  Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table.

  Major Release	Availability of Repaired Releases
  Affected 12.0-Based Releases	First Fixed Release	Recommended Release
  There are no affected 12.0 based releases
  Affected 12.1-Based Releases	First Fixed Release	Recommended Release
  There are no affected 12.1 based releases
  Affected 12.2-Based Releases	First Fixed Release	Recommended Release
  There are no affected 12.2 based releases
  Affected 12.3-Based Releases	First Fixed Release	Recommended Release
  12.3	Not Vulnerable
  12.3B	Not Vulnerable
  12.3BC	Not Vulnerable
  12.3BW	Not Vulnerable
  12.3EU	Not Vulnerable
  12.3JA	Not Vulnerable
  12.3JEA	Not Vulnerable
  12.3JEB	Not Vulnerable
  12.3JEC	Not Vulnerable
  12.3JK	Not Vulnerable
  12.3JL	Not Vulnerable
  12.3JX	Not Vulnerable
  12.3T	Vulnerable; first fixed in 12.4T	12.4(22)T1 12.4(15)T9; Available on 29-APR-2009
  12.3TPC	Not Vulnerable
  12.3VA	Vulnerable; contact TAC
  12.3XA	Not Vulnerable
  12.3XB	Not Vulnerable
  12.3XC	Not Vulnerable
  12.3XD	Not Vulnerable
  12.3XE	Not Vulnerable
  12.3XF	Not Vulnerable
  12.3XG	Not Vulnerable
  12.3XI	Not Vulnerable
  12.3XJ	Not Vulnerable
  12.3XK	Not Vulnerable
  12.3XL	Not Vulnerable
  12.3XQ	Not Vulnerable
  12.3XR	Not Vulnerable
  12.3XS	Not Vulnerable
  12.3XU	Not Vulnerable
  12.3XW	Not Vulnerable
  12.3XX	Not Vulnerable
  12.3XY	Not Vulnerable
  12.3XZ	Not Vulnerable
  12.3YA	Not Vulnerable
  12.3YD	Not Vulnerable
  12.3YF	Not Vulnerable
  12.3YG	Not Vulnerable
  12.3YH	Not Vulnerable
  12.3YI	Not Vulnerable
  12.3YJ	Not Vulnerable
  12.3YK	Releases prior to 12.3(11)YK3 are vulnerable, release 12.3(11)YK3 and later are not vulnerable; first fixed in 12.4T	12.4(22)T1 12.4(15)T9; Available on 29-APR-2009
  12.3YM	Not Vulnerable
  12.3YQ	Vulnerable; first fixed in 12.4T	12.4(22)T1 12.4(15)T9; Available on 29-APR-2009
  12.3YS	Vulnerable; first fixed in 12.4T	12.4(22)T1 12.4(15)T9; Available on 29-APR-2009
  12.3YT	Vulnerable; first fixed in 12.4T	12.4(22)T1 12.4(15)T9; Available on 29-APR-2009
  12.3YU	Vulnerable; first fixed in 12.4T	12.4(22)T1 12.4(15)T9; Available on 29-APR-2009
  12.3YX	Not Vulnerable
  12.3YZ	Not Vulnerable
  12.3ZA	Not Vulnerable
  Affected 12.4-Based Releases	First Fixed Release	Recommended Release
  12.4	12.4(18e) 12.4(23a); Available on 05-JUN-2009	12.4(18e) 12.4(23a); Available on 05-JUN-2009
  12.4JA	Not Vulnerable
  12.4JDA	Not Vulnerable
  12.4JK	Not Vulnerable
  12.4JL	Not Vulnerable
  12.4JMA	Not Vulnerable
  12.4JMB	Not Vulnerable
  12.4JX	Not Vulnerable
  12.4MD	Not Vulnerable
  12.4MR	12.4(16)MR	12.4(19)MR2
  12.4SW	Not Vulnerable
  12.4T	12.4(15)T7 12.4(20)T 12.4(15)T9; Available on 29-APR-2009	12.4(22)T1 12.4(15)T9; Available on 29-APR-2009
  12.4XA	Vulnerable; first fixed in 12.4T	12.4(22)T1 12.4(15)T9; Available on 29-APR-2009
  12.4XB	Vulnerable; first fixed in 12.4T	12.4(22)T1 12.4(15)T9; Available on 29-APR-2009
  12.4XC	Vulnerable; first fixed in 12.4T	12.4(22)T1 12.4(15)T9; Available on 29-APR-2009
  12.4XD	12.4(4)XD12; Available on 27-MAR-2009	12.4(4)XD12; Available on 27-MAR-2009
  12.4XE	Vulnerable; first fixed in 12.4T	12.4(22)T1 12.4(15)T9; Available on 29-APR-2009
  12.4XF	Not Vulnerable
  12.4XG	Not Vulnerable
  12.4XJ	Vulnerable; first fixed in 12.4T	12.4(22)T1 12.4(15)T9; Available on 29-APR-2009
  12.4XK	Not Vulnerable
  12.4XL	Not Vulnerable
  12.4XM	Not Vulnerable
  12.4XN	Not Vulnerable
  12.4XP	Vulnerable; contact TAC
  12.4XQ	Not Vulnerable
  12.4XR	Not Vulnerable
  12.4XT	Vulnerable; first fixed in 12.4T	12.4(22)T1 12.4(15)T9; Available on 29-APR-2009
  12.4XV	Vulnerable; contact TAC
  12.4XW	12.4(11)XW10	12.4(11)XW10
  12.4XY	12.4(15)XY4	12.4(22)T1
  12.4XZ	12.4(15)XZ1	12.4(15)XZ2
  12.4YA	Not Vulnerable
  12.4YB	Not Vulnerable
  12.4YD	Not Vulnerable

Exploitation and Public Announcements

• The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

  These vulnerabilities were discovered when handling customer support calls.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-webvpn

Revision History

• Revision 1.3	2009-June-26	Removed references to the March/09 combined fixed software table.
  Revision 1.2	2009-June-1	Updated expected public availability date for release 12.4(23a).
  Revision 1.1	2009-May-1	Updated expected public availability date for release 12.4(23a).
  Revision 1.0	2009-March-25	Initial public release.

  Show Less