Vulnerability: CISCO

Affected: Catalyst 1200, 2900, 5000, and 5500 series switches

Description

The following is based on an ISS Security Advisory. Internet Security Systems (ISS) X-Force has discovered several vulnerabilities in Cisco Catalyst Series Ethernet Switches running the Cisco fixed configuration switch software. Cisco Catalyst switches are commonly used in high volume production environments supporting high-end servers and "virtual LAN" configurations.

Vulnerable software versions are:
- Catalyst 1200 family supervisor software versions up to and including 4.29 are vulnerable,
- Catalyst 2900 family supervisor software revisions up to and including 2.1(5) are vulnerable,
- Catalyst 5000 and 5500 family supervisor software revisions up to and including 2.1(5) are vulnerable,
- For the 2900, 5000, and 5500 series, minor revisions 2.1(501) and 2.1(502) are also vulnerable.

The Cisco Catalyst 5000 Series Ethernet Switches run fixed configuration switch software. This software operates an undocumented TCP service. Sending a carriage return character to this port causes the switch to immediately reset. An attacker may repeat this action indefinitely, causing a denial of network services. The switch software does not provide any IP filtering options to prevent this type of attack. These bugs carry the following Cisco bug IDs: CSCdi74333 and CSCdj71684.

A remote attacker who knows how to exploit this vulnerability, and who can make a connection to TCP port 7161 on an affected switch, can cause the supervisor module of that switch to reload. While the supervisor is reloading, the switch will not forward traffic, and the attack will therefore deny service to the equipment attached to the switch. The switch will recover automatically, but repeated attacks can extend the denial of service indefinitely.

Solution

The Catalyst 2900XL and Catalyst 2926 are not affected.

Upgrade your switch to the most recent version of the Catalyst switch software, or any version that is not vulnerable. Fixed software for the Catalyst 5xxx and Catalyst 29xx series began shipping with new switches in mid-1997. Sales of the Catalyst 12xx family were stopped before the release of software version 4.30; if you have not upgraded your software since installing your Catalyst 12xx switch, you are affected by this vulnerability.

This vulnerability may be worked around by assigning no IP addresses to affected Cisco Catalyst switches. However, this workaround will have the effect of disabling all remote management of those switches. Another possible workaround is to use the filtering capabilities of surrounding routers and/or dedicated firewall devices to prevent untrusted hosts from making connections to TCP port 7161 on affected switches.
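As an added example (not part of the ISS or Cisco advisory), the router-filtering workaround above can double as detection: when the ACL entry that denies TCP port 7161 carries the IOS `log` keyword, the router emits %SEC-6-IPACCESSLOGP messages, and the script below parses such lines to report which sources were blocked from port 7161 on the protected switches and which are repeating, the pattern the advisory says extends the outage. The switch addresses, ACL number and log lines are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample of IOS extended-ACL deny messages (not taken from the advisory).
# One source repeats against 192.0.2.10:7161; one line is a different port; one is UDP.
SAMPLE_LOG = """\
Mar  1 10:02:11 rtr1 12: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(40211) -> 192.0.2.10(7161), 1 packet
Mar  1 10:02:12 rtr1 13: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(40212) -> 192.0.2.10(7161), 1 packet
Mar  1 10:02:40 rtr1 14: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(40213) -> 192.0.2.10(7161), 4 packets
Mar  1 10:03:05 rtr1 15: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.9(51000) -> 192.0.2.10(23), 1 packet
Mar  1 10:03:30 rtr1 16: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.22(51010) -> 192.0.2.11(7161), 1 packet
Mar  1 10:04:00 rtr1 17: %SEC-6-IPACCESSLOGP: list 110 denied udp 203.0.113.9(5000) -> 192.0.2.10(7161), 1 packet
""".splitlines()

# Placeholder management addresses of the Catalyst switches behind the filtering router.
SWITCHES = {"192.0.2.10", "192.0.2.11"}
SWITCH_PORT = 7161  # the undocumented TCP service named in the advisory

# Matches the IOS "%SEC-6-IPACCESSLOGP: list <acl> denied tcp a.b.c.d(sport) -> e.f.g.h(dport), N packet(s)" form.
ACL_DENY = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied tcp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)

def parse_acl_denies(lines):
    """Yield (src, dst, dport, packets) for every TCP deny message in the input."""
    for line in lines:
        m = ACL_DENY.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), int(m["count"])

def summarize_port_7161_denies(lines, switches):
    """Return {source: blocked packets} for connections to TCP 7161 on a protected switch."""
    hits = Counter()
    for src, dst, dport, count in parse_acl_denies(lines):
        if dst in switches and dport == SWITCH_PORT:
            hits[src] += count
    return dict(hits)

def repeated_sources(hits, threshold=3):
    """Sources at or above the threshold are repeating, the case that prolongs the outage."""
    return sorted(src for src, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    hits = summarize_port_7161_denies(SAMPLE_LOG, SWITCHES)
    print("blocked port 7161 attempts:", hits)
    print("repeating sources:", repeated_sources(hits))
```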