[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Multiple Vulnerabilities in CBOS

Title: Multiple Vulnerabilities in CBOS
Released by: Cisco
Date: 4th December 2000
Printable version: Click here

                        Multiple Vulnerabilities in CBOS

Revision 1.0

   For Public Release 2000 December 04 08:00 (GMT +0800)



    Multiple vulnerabilities have been identified and fixed in CBOS, an

    operating system for the Cisco 600 family of routers.

      * Any router in the Cisco 600 family that is configured to allow Web

        access can be locked by sending a specific URL. Web access is

        disabled by default, and it is usually enabled in order to

        facilitate remote configuration. This defect is documented as

        Cisco bug ID CSCdr98772.

      * By sending a stream of TCP SYN packets to the router, it is

        possible to exhaust all available TCP sockets. The consequence is

        that no new TCP sessions addressed to the router will be

        established. The difference between this vulnerability and a SYN

        Denial-of-Service attack is that this one can be accomplished by a

        slow stream of packets (one per second). This defect is documented

        as Cisco bug ID CSCds59206.

      * Invalid login attempts using the Web interface are not logged.

        This defect is documented as Cisco bug ID CSCds19142.

      * It is possible to lock up the router by sending a large ICMP ECHO

        (PING) packet to it. This defect is documented as Cisco bug ID


    The following releases of CBOS are vulnerable to all defects: 2.0.1,

    2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7 and


    These defects will be fixed in the following CBOS releases:,, 2.3.9 and 2.4.1. Customers are urged to upgrade to releases

    that are not vulnerable to this defect as shown in detail in the

    section Software Versions and Fixes below.

    This advisory is available at the

    http://www.cisco.com/warp/public/707/CBOS-multiple.html .

Affected Products

    The affected models are: 627, 633, 673, 675, 675E, 677, 677i and 678.

    These models are vulnerable if they run any of the following, or

    earlier, CBOS releases: 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a,

    2.3, 2.3.2, 2.3.5, 2.3.7 and 2.3.8.

    No other releases of CBOS software are affected by this vulnerability.

    No other Cisco products are affected by this vulnerability.

    These defects will be fixed in the following CBOS releases:,, 2.3.9 and 2.4.1



           The behavior is caused by inadequate URL parsing in CBOS. Each

           URL was expected to terminate with a minimum of a single space

           character (ACSII code 32, decimal). Sending a URL that does not

           terminate with a space causes CBOS to enter an infinite loop.

           It is necessary to power cycle the router to resume operation.

           In order to exploit this vulnerability, a router must be

           configured to accept Web connections. Having a Web access

           password configured does not provide protection against this


           Note:Web access on all Cisco 600 routers is disabled by default

           and must be explicitly enabled.


           By sending a stream of SYN packets addressed to the router, it

           is possible to exhaust all available TCP sockets within CBOS.

           This is due to the memory leak in CBOS. When a router is set

           into a state where it cannot accept a new connection, it can be

           maintained in this state by a slow stream of SYN packets until

           the router is rebooted. The stream can be as slow as one packet

           per second, so one machine with a 64Kb connection can hold up

           approximately 150 routers.

           Note: This does not effect non-TCP traffic. All User Datagram

           Protocol (UDP) and Internet Control Message Protocol (ICMP)

           packets can be handled by a router without any problems. All

           existing and new TCP sessions through the router will not be


           When an attacking stream is terminated, a router recovers

           itself within a few minutes.


           Using the Cisco Web Management interface, it is possible to

           keep guessing an access password without those password

           attempts being logged. A password may be either "exec-only" or

           "enable". A user with an "exec-only" password cannot change a

           router configuration.


           By sending a large (at least 65500 bytes in size) ICMP ECHO

           (PING) packet to the router itself, it is possible to overflow

           an internal variable and cause router lockup. The router is not

           affected by the packets which are routed through it.



           By sending a tailored URL to a router, it is possible to cause

           a Denial-of-Service. Every affected router must be powered off

           and back on in order to restore its normal functionality.


           It is possible to prevent all TCP access to a router. This

           blocks all attempts at remote router administration.


           Long term, brute force password guessing can be performed

           without being noticed. When the correct password is guessed, it

           can be used to view or modify router configuration. This may be

           particularly dangerous in installations where multiple routers

           have the same password.


           It is possible to lock up the router thus causing

           Denial-of-Service. Every affected device must be powered off

           and back on in order to restore its normal functionality.

Software Versions and Fixes

    The following table summarizes the CBOS software releases affected by

    the defects described in this notice and scheduled dates on which the

    earliest corresponding fixed releases will be available. Dates are

    tentative and subject to change.


|           |                |                                              |

|  Release  | Description or |      Availability of Repaired Releases*      |

|           |   Platform     |==================+===========================+

|           |                | Patch release**  | General Availability (GA) |


|    All    | 627, 633, 673  |     |                           |

| releases  | 675, 677, 678  |   2000-DEC-11    |                           |


| | 677i           |     |                           |

|           |                |   2000-DEC-11    |                           |


|    All    | All platforms  |                  |           2.3.9           |

| releases  |                |                  |         2001-JAN          |


|    All    | All platforms  |                  |           2.4.1           |

| releases  |                |                  |        2000-DEC-11        |


|                                   Notes                                   |


|* All dates are estimated and subject to change.                           |


|** Patch releases are subjected to less rigorous testing than regular      |

| GA releases, and may have serious bugs.                                   |


Obtaining Fixed Software

    Cisco is offering free software upgrades to eliminate this

    vulnerability for all affected customers.

    Customers with contracts should obtain upgraded software through their

    regular update channels. For most customers, this means that upgrades

    should be obtained through the Software Center on Cisco's Worldwide

    Web site at http://www.cisco.com.

    Customers without contracts should get their upgrades by contacting

    the Cisco Technical Assistance Center (TAC). TAC contacts are as


      * +1 800 553 2447 (toll-free from within North America)

      * +1 408 526 7209 (toll call from anywhere in the world)

      * e-mail: tac@cisco.com

    Give the URL of this notice as evidence of your entitlement to a free

    upgrade. Free upgrades for non-contract customers must be requested

    through the TAC. Please do not contact either "psirt@cisco.com" or

    "security-alert@cisco.com" for software upgrades.



           There are two workarounds for this vulnerability. The potential

           for exploitation can be lessened by ensuring that Web access to

           the router is limited to a legitimate IP address.

           This can be done by entering the following commands while in

           enable mode:

           cbos# set web remote

           cbos# set web remote enabled

           where is the address of the host with a legitimate

           need for Web access to the router.

           Alternatively, disabling the Web access completely will also

           prevent this vulnerability from being exploited. This can be

           done by entering the following command while in enable mode:

           cbos# set web remote disable


           There is no workaround for this vulnerability.


           The Web Management interface can be disabled by entering the

           following commands in enable mode:

           cbos# set web remote disable


           All incoming ICMP ECHO (PING) packets destined to the router

           itself should be denied. That can be achieved by following


           cbos# set filter number on deny incoming all

   protocol ICMP

           cbos# set filter number+1 on deny incoming all

   protocol ICMP

           Where number is a free filter number between 0 and 17.

Exploitation and Public Announcements

    The vulnerability CSCdr98772 was discovered by several customers. It

    was also discussed at public forums. PSIRT has received reports that

    this vulnerability has been exploited in vivo.

    The vulnerability CSCds23921 was discovered by a customer. The other

    two vulnerabilities (CSCds59206 and CSCds19142) were discovered during

    internal testing.

    The Cisco Product Security Incident Response Team (PSIRT) is not aware

    of any public announcements of CSCds59206, CSCds19142 and CSCds23921.

Status of This Notice: INTERIM

    This is an interim notice. Cisco expects the contents of this report

    to change. The reader is warned that this notice may contain

    inaccurate or incomplete information. Although Cisco cannot guarantee

    the accuracy of all statements in this notice, all of the facts have

    been checked to the best of our ability. Cisco anticipates issuing

    monthly updates of this notice until it reaches final status.


    This notice will be posted on Cisco's Worldwide Web site at

    http://www.cisco.com/warp/public/707/CBOS-multiple.html. In addition

    to Worldwide Web posting, a text version of this notice is

    clear-signed with the Cisco PSIRT PGP key and is posted to the

    following e-mail and Usenet news recipients:

      * cust-security-announce@cisco.com

      * bugtraq@securityfocus.com

      * first-teams@first.org (includes CERT/CC)

      * cisco@spot.colorado.edu

      * comp.dcom.sys.cisco

      * firewalls@lists.gnac.com

      * Various internal Cisco mailing lists

    Future updates of this notice, if any, will be placed on Cisco's

    Worldwide Web server, but may or may not be actively announced on

    mailing lists or newsgroups. Users concerned about this problem are

    encouraged to check the URL given above for any updates.

Revision History

    Revision 1.0 2000-December-03 21:00 GMT+00 Draft for initial public


Cisco Security Procedures

    Complete information on reporting security vulnerabilities in Cisco

    products, obtaining assistance with security incidents, and

    registering to receive security information from Cisco, is available

    on Cisco's Worldwide Web site at

    http://www.cisco.com/warp/public/707/sec_incident_response.html. This

    includes instructions for press inquiries regarding Cisco security



    This notice is Copyright 2000 by Cisco Systems, Inc. This notice may

    be redistributed freely after the release date given at the top of the

    text, provided that redistributed copies are complete and unmodified,

    and include all date and version information.



Version: PGP 6.5.2










Version: PGP 6.5.2






































(C) 1999-2000 All rights reserved.