Wednesday, September 27, 2017

Cisco IOS Software Network Address Translation Denial of Service Vulnerability

This vulnerability affects Cisco devices that meet all the following criteria:

  • The device is running a vulnerable release of Cisco IOS Software. For information about which Cisco IOS Software releases are vulnerable, see the Fixed Software section of this advisory.
  • The device is configured to perform NAT.
  • The device is configured to use an application layer gateway with NAT (NAT ALG) for H.323 RAS messages. By default, a NAT ALG is enabled for H.323 RAS messages.

This vulnerability does not affect devices that are configured to perform NAT via the NAT Virtual Interface feature or the Cisco Easy VPN Remote client feature of Cisco IOS Software.

Assessing the NAT Configuration

To assess whether a device is configured to perform NAT, administrators can determine whether NAT is active on the device (preferred) or NAT commands are present in the device configuration.

To determine whether NAT is active on a device, administrators can log in to the device and issue the show ip nat statistics command in the CLI. If NAT is active, the Outside interfaces and Inside interfaces sections of the command output will include at least one interface.

The following example shows the output of the show ip nat statistics command for a device where NAT is active:

Router# show ip nat statistics

Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 10, occurred 00:24:01 ago
Outside interfaces:
  FastEthernet0/0
Inside interfaces: 
  FastEthernet0/1
Hits: 134280  Misses: 0
CEF Translated packets: 134270, CEF Punted packets: 10
Expired translations: 11
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NET-192.168.20.0_24 pool POOL-NET-192.168.1.0_24 refcount 0
 pool POOL-NET-192.168.1.0_24: netmask 255.255.255.0
start 192.168.1.120 end 192.168.1.128
type generic, total addresses 9, allocated 0 (0%), misses 0

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
Router#

If the output of the show ip nat statistics command does not list any interfaces, NAT is not active on the device.

Alternatively, administrators can determine whether NAT is active on a device by issuing the show running-config command in the CLI and assessing whether NAT commands are present in the device configuration. If NAT is active on the device, the output of the show running-config command will include the ip nat inside and ip nat outside interface commands.

Determining Whether a NAT ALG Is Enabled for H.323 RAS

By default, a NAT ALG is enabled for H.323 RAS messages and the NAT ALG does not appear in the running configuration information for a device.

To determine the status of the NAT ALG for H.323 RAS messages, administrators can log in to the device and issue the show running-config | include ip nat service ras command in the CLI, for example:

Router# show running-config | include ip nat service ras

no ip nat service ras
Router#

In the preceding example, the NAT ALG is disabled for H.323 RAS messages, as indicated by the no ip nat service ras output.

If there is no output for the show running-config | include ip nat service ras command, the NAT ALG is enabled for H.323 RAS messages.

Determining the Cisco IOS Software Release

To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output.

The following example shows the output of the command for a device that is running Cisco IOS Software Release 15.5(2)T1 and has an installed image name of C2951-UNIVERSALK9-M:

Router> show version

Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team
.
.
.

For information about the naming and numbering conventions for Cisco IOS Software releases, see White Paper: Cisco IOS and NX-OS Software Reference Guide.
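The three checks described above (NAT active, NAT ALG for H.323 RAS enabled, IOS release) can be run against captured CLI output from a configuration backup or a show-tech rather than by hand. The following Python script is an added example and is not part of Cisco's advisory; all sample output in it is constructed to mirror the examples above. The `ip nat enable` test used to recognise NAT Virtual Interface configurations is an assumption about how NVI is configured and is not stated in the advisory. The script reports the image name and release so they can be compared against the advisory's Fixed Software section; it does not itself know which releases are fixed.

```python
"""Triage helper: match captured Cisco IOS CLI output against the advisory's
affected-configuration criteria (NAT active, H.323 RAS NAT ALG enabled, not NVI)."""
import re

# Constructed sample output (not from a real device), modelled on the advisory's examples.
SAMPLE_NAT_STATS = """\
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 10, occurred 00:24:01 ago
Outside interfaces:
  FastEthernet0/0
Inside interfaces:
  FastEthernet0/1
Hits: 134280  Misses: 0
CEF Translated packets: 134270, CEF Punted packets: 10
Expired translations: 11
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NET-192.168.20.0_24 pool POOL-NET-192.168.1.0_24 refcount 0
Queued Packets: 0
"""

SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
ip nat inside source list NET-192.168.20.0_24 pool POOL-NET-192.168.1.0_24
"""

SAMPLE_VERSION = """\
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
"""


def nat_interfaces(stats):
    """Return (outside, inside) interface lists from 'show ip nat statistics'.
    Interfaces are listed indented under the two section headers; a non-indented
    line ends the section. Several interfaces on one line are comma-separated."""
    sections = {"Outside interfaces": [], "Inside interfaces": []}
    current = None
    for line in stats.splitlines():
        stripped = line.strip()
        if stripped.rstrip(":") in sections:
            current = stripped.rstrip(":")
            continue
        if current and line.startswith("  ") and stripped:
            sections[current].extend(n.strip() for n in stripped.split(","))
        elif current and not line.startswith(" "):
            current = None
    return sections["Outside interfaces"], sections["Inside interfaces"]


def nat_active(stats):
    """Preferred check: NAT is active if either section lists an interface."""
    outside, inside = nat_interfaces(stats)
    return bool(outside or inside)


def nat_commands_present(config):
    """Alternative check: 'ip nat inside' / 'ip nat outside' in the running config."""
    return re.search(r"^\s*ip nat (inside|outside)\s*$", config, re.M) is not None


def uses_nvi(config):
    """NAT Virtual Interface configurations put 'ip nat enable' on interfaces
    (assumption; the advisory only states that NVI deployments are not affected)."""
    return re.search(r"^\s*ip nat enable\s*$", config, re.M) is not None


def ras_alg_enabled(config):
    """The H.323 RAS ALG is on by default and absent from the config; only an
    explicit 'no ip nat service ras' line disables it."""
    return re.search(r"^\s*no ip nat service ras\s*$", config, re.M) is None


def ios_version(version_output):
    """Return (image name, release) from the 'show version' banner line."""
    m = re.search(r"\(([^()\s]+)\), Version ([^,]+),", version_output)
    return (m.group(1), m.group(2)) if m else (None, None)


def assess(stats, config, version_output):
    """Apply the advisory's configuration criteria; the release still has to be
    checked against the Fixed Software section by the operator."""
    image, release = ios_version(version_output)
    nat = nat_active(stats) or nat_commands_present(config)
    return {
        "image": image,
        "release": release,
        "nat_active": nat,
        "ras_alg_enabled": ras_alg_enabled(config),
        "nvi": uses_nvi(config),
        "config_matches_advisory": nat and ras_alg_enabled(config) and not uses_nvi(config),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_NAT_STATS, SAMPLE_RUNNING_CONFIG, SAMPLE_VERSION).items():
        print(f"{key}: {value}")
```

Feed the script the raw text of the three commands as captured from each device; a device whose `config_matches_advisory` is true and whose reported release is listed as vulnerable in the Fixed Software section is the one to prioritise. Note that the RAS ALG check relies on the absence of a line, so an incomplete or truncated configuration capture will report the ALG as enabled.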

No other Cisco products are currently known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect devices that are running Cisco IOS Software and are configured to perform NAT via the NAT Virtual Interface feature or the Cisco Easy VPN Remote client feature.

Cisco has also confirmed that this vulnerability does not affect Cisco IOS XE Software, Cisco IOS XR Software, or Cisco NX-OS Software.

In addition, Cisco has confirmed that this vulnerability does not affect Cisco ASA 5500 Series Adaptive Security Appliances.



from Cisco Security Advisory http://ift.tt/2xKrwKw
