-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 We can confirm the finding made by kim0@phenoelit.de. The issue has been assigned Cisco Bug ID CSCdy03429. Workarounds exist which can prevent the router affected from a device reset. At this time Cisco does not believe that software upgrades are necessary to resolve this issue. Cisco IOS versions 12.0 and higher are not affected by this problem. Cisco IOS versions 11.1, 11.2 and 11.3 (most trains) contain a buffer overflow in the embedded Trivial FTP (TFTP) server which can cause a reset of the device. The buffer overflow occurs due to an unchecked buffer containing the filename reqested via a TFTP read-request. From our testing, to cause the device to reset requires the use of a crafted TFTP packet, as the TFTP client side software which we tested would not permit a long enough filename to demonstrate the problem. The workarounds are for all users running affected Cisco IOS versions who have enabled the tftp server on the device, to either disable the server or to add an alias onto the filenames being served via TFTP. If TFTP server functionality is not needed the service may be disabled by removing all commands beginning with the string "tftp-server" from the configuration. In order to add an alias onto the filename being served via TFTP, you will need to first remove that line and add it back. For instance, if the following configuration existed: tftp-server flash c2500-js-l.112-20 you would need to issue the following commands. #config terminal Enter configuration commands, one per line. End with CNTL/Z. (config)#no tftp-server flash c2500-js-l.112-20 (config)#tftp-server flash c2500-js-l.112-20 alias CiscoIOS If multiple filenames are being served via TFTP on the device and you desire to use the workaround of adding an alias to the filename, you will have to add an alias on each entry. Any "tftp-server" entry without an alias on a device running an affected version of Cisco IOS would be sufficient to be vulnerable to a device reset. - -Mike- -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.2 iQA/AwUBPULi05PS/wbyNnWcEQLtegCgi+7+96I5Ur1z0JHSU0OHauUnpsEAn0jC SoK69ovAbXtWqAyzeoQcf45d =GWjh -----END PGP SIGNATURE----- > kim0 <kim0@phenoelit.de> [2002-07-27 12:52] wrote: > > -- > kim0 <kim0@phenoelit.de> > Phenoelit (http://www.phenoelit.de) > 90C0 969C EC71 01DC 36A0 FBEF 2D72 33C0 77FC CD42 > Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++--> > > [ Authors ] > FX <fx@phenoelit.de> > FtR <ftr@phenoelit.de> > kim0 <kim0@phenoelit.de> > > Phenoelit Group (http://www.phenoelit.de) > Advisory http://www.phenoelit.de/stuff/Cisco_tftp.txt > > [ Affected Products ] > Cisco IOS > > Tested on > IOS 11.1 - 11.3 > > Cisco Bug ID: <not assigned> > CERT Vulnerability ID: 689579 > > [ Vendor communication ] > 06/29/02 Initial Notification, > security-alert@cisco.com & psirt@cisco.com > *Note-Initial notification by phenoelit > includes a cc to cert@cert.org by default > 06/30/02 Human confirmation from PSIRT @ Cisco > 06/30/02 (2) Discussion of detail > 07/01/02 Continued discussion for reproducing problem > 07/01/02 Receipt, ack. and clarification by CERT@CERT.ORG > 07/03/02 Continued discussions with PSIRT > 07/19/02 Notification of intent to post publically > in apx. 7 days. > 07/25/02 Final coordination for release. > > [ Overview ] > Cisco Systems Routers are the most widely used routers. > Cisco Routers are embedded network devices that run a dedicated > Operating System, the Cisco IOS. > > [ Description ] > The Cisco IOS integrated TFTP server suffers from a buffer overflow > condition. > When requesting a file name with approximately 700 characters, the device > crashes and may reboot. This only happens, if the served file is on a > flash device and no alias is assigned to it. > > Vulnerable: > router# conf t > router# tftp-server flash:ios_11.3_a-b-c-d.bin > > Not vulnerable: > router# conf t > router# tftp-server flash:ios_11.3_a-b-c-d.bin alias TheStuff > > [ Example ] > OpenBSD# tftp cisco53.navy.smil.mil > tftp> get AAAAAAAAA....(700 times) > > [ Solution ] > None available at this time > > [ end of file ] > > > [ ----- End of Included Message ----- ] -- ---------------------------------------------------------------------------- | || || | Mike Caudill | mcaudill@cisco.com | | || || | PSIRT Incident Manager | 919.392.2855 | | |||| |||| | DSS PGP: 0xEBBD5271 | 919.522.4931 (cell)| | ..:||||||:..:||||||:.. | RSA PGP: 0xF482F607 ---------------------| | C i s c o S y s t e m s | http://www.cisco.com/go/psirt | ----------------------------------------------------------------------------
