You are here

T-663: Cisco Content Services Gateway ICMP Processing Flaw Lets Remote Users Deny Service

July 7, 2011 - 12:41pm

Addthis

PROBLEM:

A denial of service (DoS) vulnerability exists in the Cisco Content Services Gateway - Second Generation, that runs on the Cisco Service and Application Module for IP (SAMI). An unauthenticated, remote attacker could exploit this vulnerability by sending a series of crafted ICMP packets to an affected device. Exploitation could cause the device to reload. There are no workarounds available to mitigate exploitation of this vulnerability other than blocking ICMP traffic destined to the affected device.

PLATFORM:

Second Generation only Cisco IOS 12.4(24)MDA3,Cisco IOS 12.4(24)MDA3,Cisco IOS 12.4(24)MDA; 12.4MDA prior to 12.4(24)MDA5

ABSTRACT:

The Cisco Content Services Gateway: Second Generation provides intelligent network capabilities such as flexible policy management and billing based on deep-packet inspection, as well as subscriber and application awareness capabilities that enable mobile operators to quickly and easily offer value-added, differentiated services over their mobile data networks. A DoS vulnerability exists in the Cisco Content Services Gateway: Second Generation could allow an unauthenticated attacker to cause a device reload by sending crafted ICMP messages to the affected device. Note: The Cisco Gateway GPRS Support Node (GGSN), the Cisco Mobile Wireless Home Agent (HA), the Cisco Wireless Security Gateway (WSG), the Cisco Broadband Wireless Gateway and Cisco IP Transfer Point (ITP), and the Cisco Long Term Evolution (LTE) Gateway are not affected. This vulnerability is documented in Cisco bug ID CSCtl79577 ( registered customers only) and has been assigned CVE ID CVE-2011-2064.

reference LINKS:

SecurityTracker Alert ID: 1025748
Cisco Security Advisory - CVE-2011-2064
SecurityFocus - Cisco Content Services Gateway Malformed ICMP Messages

IMPACT ASSESSMENT:

High

Discussion:

A denial of service (DoS) vulnerability exists in the Cisco Content Services Gateway - Second Generation, that runs on the Cisco Service and Application Module for IP (SAMI). An unauthenticated, remote attacker could exploit this vulnerability by sending a series of crafted ICMP packets to an affected device. Exploitation could cause the device to reload.There are no workarounds available to mitigate exploitation of this vulnerability other than blocking ICMP traffic destined to the affected device.

Impact:

Successful exploitation of this vulnerability could cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition. The Cisco 7600 Series Router is not affected by this vulnerability, only the Cisco Content Services Gateway: Second Generation module is affected.

Solution:

There are no available workarounds to mitigate this vulnerability other than applying infrastructure access control lists (iACLs) on the Cisco 7600 router to block ICMP traffic destined to the IP address of the Cisco CSG. Administrators can construct an iACL by explicitly permitting only authorized traffic to enter the network at ingress access points or permitting authorized traffic to transit the network in accordance with existing security policies and configurations. An iACL workaround cannot provide complete protection against these vulnerabilities when the attack originates from a trusted source address.
The iACL policy denies unauthorized ICMP packet types, including echo request, echo-reply, host-unreachable, traceroute, packet-too-big, time-exceeded, and unreachable, that are sent to affected devices. In the following example, 192.168.60.0/24 is the IP address space that is used by the affected devices, and the host at 192.168.100.1 is considered a trusted source that requires access to the affected devices. Care should be taken to allow required traffic for routing and administrative access prior to denying all unauthorized traffic. Whenever possible, infrastructure address space should be distinct from the address space used for user and services segments. Using this addressing methodology will assist with the construction and deployment of iACLs.

Addthis