-----BEGIN PGP SIGNED MESSAGE----- __________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Cisco Web Cache Control Protocol Router Vulnerability May 20, 1998 16:00 GMT Number I-054 ______________________________________________________________________________ PROBLEM: Cisco has identified a vulnerability if the router is configured for Web Cache Control Protocol (WCCP). PLATFORM: All versions of Cisco IOS software that support WCCP. This includes Cisco IOS 11.2(P) releases beginning with 11.2(10)P, 11.1CA releases beginning with 11.1(14)CA, and 11.1 releases derived from 11.1(14)CA, including 11.1CC. DAMAGE: If exploited, an attacker may gain access to passwords, web pages, or disrupt web service. SOLUTION: Apply workaround until fixes are available. ______________________________________________________________________________ VULNERABILITY The WCCP protocol specification is unpublished, but the ASSESSMENT: protocol is not immune to reverse engineering. ______________________________________________________________________________ [ Start Cisco Advisory ] Field Notice: Cisco Web Cache Control Protocol Router Vulnerability May 13, 1998 Summary ======= Cisco's Cisco Cache Engine product provides transparent caching for world-wide web pages retrieved via HTTP. The Cache Engine uses a Cisco proprietary protocol called the Web Cache Control Protocol (WCCP) to communicate with a properly-configured Cisco router and register as a cache service provider. The router then diverts HTTP traffic to the Cache Engine. Although this process is not enabled by default, and takes place only if a user specifically configures the router to enable WCCP, there is no authentication in WCCP itself. A router configured to support Cache Engines will treat any host that sends it valid WCCP hello packets as a cache engine, and may divert HTTP traffic to that host. This means that it is possible for malicious users to divert web traffic passing through such a router, even though they may not have either physical or configuration access to the router. This attack can be avoided by using access lists to prevent WCCP traffic from untrusted hosts from reaching the router. Cisco will be modifying WCCP to include hash-based authentication in a future release. Who Is Affected =============== All users of the Cisco Cache Engine and WCCP who have not configured filtering access lists to prevent WCCP access by unauthorized hosts are affected by this attack. Users who have not specifically configured their routers to enable WCCP are not affected by this attack. If the character string "wccp" does not appear in your router configuration file, you are not affected. Impact ====== Attackers can cause a router configured for WCCP to divert some or all HTTP traffic to any host they choose, anywhere on the Internet. Once having done this, attackers are able to: * intercept confidential information, including site access passwords * substitute data of their own choosing for the actual content of web pages * disrupt web service for connections passing through the targeted router In order to do this, the attacker would either need a Cisco Cache Engine or software capable of generating WCCP traffic. Cisco sells Cache Engines to the general public, although a relatively small number have been shipped thus far. The WCCP protocol specification is unpublished, but the protocol is not immune to reverse engineering. Details ======= This vulnerability has been assigned Cisco bug ID CSCdk07174. If you are a registered CCO user and you have logged in, you can view bug details. Affected Software Versions - ------------------------- This vulnerability affects all versions of Cisco IOS software that support WCCP that have been released as of the date of this notice. This includes Cisco IOS 11.2(P) releases beginning with 11.2(10)P, 11.1CA releases beginning with 11.1(14)CA, and 11.1 releases derived from 11.1(14)CA, including 11.1CC. Planned Software Fixes - --------------------- Cisco plans to release software that supports authentication for WCCP. This will involve a modification to the WCCP protocol. In order to take advantage of the authentication features, customers will need to upgrade the software in both routers and Cache Engines, and will need to make some minor configuration changes on both devices. Release of the improved software is tentatively scheduled for September, 1998, but this schedule is subject to change. Cisco believes that the workaround described below will adequately protect Cache Engine users until the new software is ready. Cisco is considering making an interim fix involving an explicit command to apply an access list to all incoming WCCP traffic. This would be largely equivalent to the workaround discussed below, but might be easier for some users to configure. No decision has been made on when or whether to offer this interim fix. If an interim fix is created, this notice will be updated to reflect that fact. Workaround - --------- WCCP runs over UDP at port 2048. By blocking unauthorized UDP traffic destined to port 2048 on the router running WCCP, attackers can be prevented from sending WCCP traffic to the router, and therefore from diverting any actual traffic. For proper security, it's important to block all traffic destined for port 2048 at any address assigned to the router, as well as at all broadcast addresses for networks on which the router may be attached, and all multicast addresses to which the router may be listening. The blocking can be configured either using inbound access lists on the WCCP router itself, or using access lists or other filtering on surrounding devices. Exploitation and Public Announcements ===================================== Cisco has had no reports of malicious exploitation of this vulnerability. Cisco knows of no public announcements of this vulnerability before the date of this notice. However, the vulnerability has been independently identified by several people both inside and outside of Cisco, and should be considered to be public knowledge. Status of This Notice ===================== This is a final field notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice. Distribution - ----------- In addition to this CCO version of the field notice, the initial version of this notice is also being sent via e-mail to the following recipients: * cust-security-announce@cisco.com * Identified Cisco Cache Engine customers. Cisco does not guarantee its ability to identify every person or organization that may be in possesssion of a Cache Engine, nor to exclude every person or organization that does not have a Cache Engine. * bugtraq@netspace.org * first-teams@first.org (includes CERT/CC) * Internal Cisco mailing lists Future updates of this notice, if any, will be documented in this CCO version of the field notice, but will not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check this URL for updates. Revision History - --------------- Revision 1.0, Initial released version 08:00 AM US/Pacific, 13-MAY-1998 Cisco Security Procedures ========================= Please report security issues with Cisco products, and/or sensitive security intrusion emergencies involving Cisco products, to security-alert@cisco.com. Reports may be encrypted using PGP; public RSA and DSS keys for "security-alert@cisco.com" are on the public PGP keyservers. The alias "security-alert@cisco.com" is used only for reports incoming to Cisco. Mail sent to the list goes only to a very small group of users within Cisco. Neither outside users nor unauthorized Cisco employees may subscribe to "security-alert@cisco.com". Please do not use "security-alert@cisco.com" for configuration questions, for security intrusions that you do not consider to be sensitive emergencies, or for general, non-security-related support requests. We do not have the capacity to handle such requests through this channel, and will refer them to Cisco's Technical Assistance Center (TAC), delaying response to your questions. We advise contacting the TAC directly with these requests: * (800) 553-24HR * (408) 526-7209 * e-mail: tac@cisco.com All formal public security notices generated by Cisco are sent to the public mailing list "cust-security-announce@cisco.com". For information on subscribing to this mailing list, send a message containing the single line "info cust-security-announce" to "majordomo@cisco.com". An analogous list, "cust-security-discuss@cisco.com", is available for public discussion of the notices and of other Cisco security issues. This notice is copyright 1998 by Cisco Systems, Inc. This notice may be redistributed freely provided that redistributed copies are complete and unmodified, including all date and version information. [ End Cisco Advisory ] ______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Cisco for the information contained in this bulletin. ______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@llnl.gov For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC voice number 925-422-8193 and leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC duty person, and the secondary PIN number, 8550074 is for the CIAC Project Leader. Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov -- they're the same machine) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov -- they're the same machine) Modem access: +1 (925) 423-4753 (28.8K baud) +1 (925) 423-3331 (28.8K baud) CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information; 2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 3. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. Our mailing lists are managed by a public domain software package called Majordomo, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes for list-name: E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov: subscribe list-name e.g., subscribe ciac-bulletin You will receive an acknowledgment email immediately with a confirmation that you will need to mail back to the addresses above, as per the instructions in the email. This is a partial protection to make sure you are really the one who asked to be signed up for the list in question. If you include the word 'help' in the body of an email to the above address, it will also send back an information file on how to subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc. PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) I-044: BIND Vulnerabilities I-045: SGI IRIX LicenseManager(1M) Vulnerabilities I-046: Open Group xterm and Xaw Library Vulnerabilities I-047: HP-UX OpenMail Vulnerability I-048: SunOS mountd Vulnerability I-049: SunOS ufsrestore Vulnerability I-050: Digital UNIX Softlinks - advfs Vulnerability I-051: FreeBSD T/TCP Vulnerability I-052: 3ComŽ CoreBuilder and SuperStack II LAN Vulnerabilities I-053: ISC DHCP Distribution Vulnerability -----BEGIN PGP SIGNATURE----- Version: 4.0 Business Edition iQCVAwUBNWMR+rnzJzdsy3QZAQGeiAQAqTuelAhl4451TZBjV1bF3bp5umM7dOr6 fO6YgFFq06xwzsgSnDq1nNqmKAKgjrtLv781J1++5OcthfGwXVqwTT0ofBaYP84j 4AZ4arISYorkgE2Tvb2yS+Smx6r3MnJAyr8HSCht6FS7rIRduHiyIklC9fH+g6yE AQvMg/SWFtA= =hF2T -----END PGP SIGNATURE-----