-
Multiple vulnerabilities exist in the Cisco ONS15454 optical transport platform and the Cisco ONS15327 edge optical transport platform. All Cisco ONS software releases earlier than 3.4 are vulnerable.
The Cisco ONS15454E is affected only by CSCdx82962.
These vulnerabilities are documented as Cisco bug IDs CSCds52295, CSCdt84146, CSCdv62307, CSCdw15690, CSCdx82962 and CSCdy70756. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory will be posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20021031-ons-vulnerability.
-
This section provides details on affected products.
Vulnerable Products
All Cisco ONS15454 and ONS15327 hardware running Cisco ONS releases earlier than 3.4 are affected by these vulnerabilities.
The Cisco ONS15454E is affected only by CSCdx82962.
To determine your software revision, view the help-about window on the CTC network management software.
Products Confirmed Not Vulnerable
Hardware not affected includes the Cisco ONS15540 extended service platform, ONS15800 series, ONS15200 series metro DWDM systems and the ONS15194 IP transport concentrator.
No other Cisco products are currently known to be affected by these vulnerabilities.
-
The ONS hardware is managed via the TCC, TCC+, TCCi or XTC control cards, which are usually connected to a management network that is local to the customer's environment and isolated from the Internet. This limits the exposure of these vulnerabilities to exploitation from the Internet; it does not reduce the exposure to anyone who already has access to that management network.
These vulnerabilities are documented as Cisco bug IDs CSCds52295, CSCdt84146, CSCdv62307, CSCdw15690, CSCdx82962 and CSCdy70756, which require a CCO account to view and can be viewed after 2002 November 1 at 1600 UTC.
-
CSCds52295 -- It is possible to open an FTP connection to the TCC, TCC+ or XTC using any user-name and password, including a user-name that does not exist on the card; the FTP login is effectively unauthenticated. In order to exploit this vulnerability a person must be able to establish an FTP connection to the TCC, TCC+ or XTC.
-
CSCdt84146 -- User-names and passwords are stored in clear text in the running image database of the TCC, TCC+ or XTC, so anyone who can read a backup of that database can recover every account's credentials. In order to exploit this vulnerability a person needs access to a backup of the image database.
-
CSCdv62307 -- The SNMP community string "public" cannot be changed in the Cisco ONS software, so anyone who can reach the card over SNMP can use the well-known default community. In order to exploit this vulnerability a person must be able to establish an SNMP connection to the TCC, TCC+ or XTC.
-
CSCdw15690 -- Requesting an invalid CORBA Interoperable Object Reference (IOR) via HTTP may cause the TCC, TCC+ or XTC to reset (a denial of service). In order to exploit this vulnerability a person must be able to establish an HTTP connection to the TCC, TCC+ or XTC.
-
CSCdx82962 -- HTTP requests starting with any character other than '/' may cause the TCC, TCC+, TCCi or XTC to reset (a denial of service). In order to exploit this vulnerability a person must be able to establish an HTTP connection to the TCC, TCC+, TCCi or XTC.
-
CSCdy70756 -- The TCC, TCC+ and XTC have a built-in user-name and password that can be used to gain access to the underlying VxWorks operating system, and it is not possible to change or disable this account. In order to exploit this vulnerability a person must be able to establish a Telnet connection to the TCC, TCC+ or XTC.
-
This section describes workarounds.
-
CSCds52295 - Restrict FTP traffic to the gateway node(s) with a router configured so that FTP access to the TCC, TCC+ or XTC is only allowed from authorized workstations. This can be done by adding Access Control Lists and turning on Unicast Reverse Path Forwarding on the router.
Please note, this will not prevent spoofed IP packets sent from the local segment with the source IP address set to that of an authorized workstation from reaching the TCC, TCC+ or XTC: such packets do not traverse the router, so neither the Access Control List nor Unicast Reverse Path Forwarding can drop them.
-
CSCdt84146 - It is possible to mitigate the effects of this vulnerability by making sure that backup Cisco ONS image databases from the TCC, TCC+ or XTC are stored where unauthorized users cannot read them.
-
CSCdv62307 - Restrict SNMP traffic to the gateway node(s) with a router configured so that SNMP access to the TCC, TCC+ or XTC is only allowed from valid network management workstations. This can be done by adding Access Control Lists and turning on Unicast Reverse Path Forwarding on the router.
Please note, this will not prevent spoofed IP packets sent from the local segment with the source IP address set to that of a network management station from reaching the TCC, TCC+ or XTC: such packets do not traverse the router, so neither the Access Control List nor Unicast Reverse Path Forwarding can drop them.
-
CSCdw15690 - Restrict HTTP traffic to the gateway node(s) with a router configured so that HTTP access to the TCC, TCC+ or XTC is only allowed from valid network management workstations. This can be done by adding Access Control Lists and turning on Unicast Reverse Path Forwarding on the router.
Please note, this will not prevent spoofed IP packets sent from the local segment with the source IP address set to that of a network management station from reaching the TCC, TCC+ or XTC: such packets do not traverse the router, so neither the Access Control List nor Unicast Reverse Path Forwarding can drop them.
-
CSCdx82962 - Restrict HTTP traffic to the gateway node(s) with a router configured so that HTTP access to the TCC, TCC+, TCCi or XTC is only allowed from valid network management workstations. This can be done by adding Access Control Lists and turning on Unicast Reverse Path Forwarding on the router.
Please note, this will not prevent spoofed IP packets sent from the local segment with the source IP address set to that of a network management station from reaching the TCC, TCC+, TCCi or XTC: such packets do not traverse the router, so neither the Access Control List nor Unicast Reverse Path Forwarding can drop them.
-
CSCdy70756 - Restrict Telnet traffic to the gateway node(s) with a router configured so that Telnet access to the TCC, TCC+ or XTC is only allowed from authorized workstations. This can be done by adding Access Control Lists and turning on Unicast Reverse Path Forwarding on the router.
Please note, this will not prevent spoofed IP packets sent from the local segment with the source IP address set to that of an authorized workstation from reaching the TCC, TCC+ or XTC: such packets do not traverse the router, so neither the Access Control List nor Unicast Reverse Path Forwarding can drop them.
-
All vulnerabilities are fixed in Cisco ONS software release 3.4 and later for the TCC+ installed in the ONS 15454, the TCCi installed in the ONS 15454E and the XTC installed in the ONS 15327. Cisco ONS software release 3.2.1 also contains all of the fixes. For the TCC control cards, Cisco ONS software release 2.3.3 will be available on CCO on November 4, 2002.
The procedure to upgrade to the fixed software version on the Cisco ONS 15454 is detailed at http://www.cisco.com/en/US/products/hw/optical/ps2006/prod_installation_guides_list.html.
The procedure to upgrade to the fixed software version on the Cisco ONS 15327 is detailed at http://www.cisco.com/en/US/products/hw/optical/ps2001/prod_installation_guides_list.html.
-
All defects were reported to Cisco by customers. The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.1
2002-November-04
Documented ONS Release 3.2.1 as also having all the fixes.
Revision 1.0
2002-October-31
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.