Summary

• Multiple vulnerabilities exist in the Cisco ONS15454 optical transport platform and the Cisco ONS15327 edge optical transport platform. All Cisco ONS software releases earlier than 3.4 are vulnerable.

  The Cisco ONS15454E is affected only by CSCdx82962.

  These vulnerabilities are documented as Cisco bug ID CSCds52295, CSCdt84146, CSCdv62307, CSCdw15690, CSCdx82962 and CSCdy70756. There are workarounds available to mitigate the effects of these vulnerabilities.

  This advisory will be posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20021031-ons-vulnerability.

Affected Products

• This section provides details on affected products.

  Vulnerable Products

  All Cisco ONS15454 and ONS15327 hardware running Cisco ONS releases earlier than 3.4 are affected by these vulnerabilities.

  The Cisco ONS15454E is affected only by CSCdx82962.

  To determine your software revision, view the help-about window on the CTC network management software.

  Products Confirmed Not Vulnerable

  Hardware not affected includes the Cisco ONS15540 extended service platform, ONS15800 series, ONS15200 series metro DWDM systems and the ONS15194 IP transport concentrator.

  No other Cisco products are currently known to be affected by these vulnerabilities.

Details

• The ONS hardware is managed via the TCC, TCC+, TCCi or the XTC control cards which are usually connected to a network isolated from the Internet and local to the customer's environment. This limits the exposure to the exploitation of the vulnerabilites from the Internet.

  These vulnerabilities are documented as Cisco bug ID CSCds52295, CSCdt84146, CSCdv62307, CSCdw15690, CSCdx82962 and CSCdy70756, which requires a CCO account to view and can be viewed after 2002 November 1 at 1600 UTC.

  • CSCds52295 -- It is possible to open a FTP connection to the TCC, TCC+ or XTC using any nonexistent user-name and password. In order to exploit this vulnerability a person must be able to establish a FTP connection to the TCC, TCC+ or XTC.
    
  • CSCdt84146 -- User-names and passwords are stored in clear text in the running image database of the TCC, TCC+ or XTC. In order to exploit this vulnerability a person needs access to the backup of the image database.
    
  • CSCdv62307 -- The SNMP community string "public" cannot be changed in the Cisco ONS software. In order to exploit this vulnerability a person must be able to establish a SNMP connection to the TCC, TCC+ or XTC.
    
  • CSCdw15690 -- Requesting an invalid CORBA Interoperable Object Reference (IOR) via HTTP may cause the TCC, TCC+ or XTC to reset. In order to exploit this vulnerability a person must be able to establish a HTTP connection to the TCC, TCC+ or XTC.
    
  • CSCdx82962 -- HTTP requests starting with any character other than '/' may cause the TCC, TCC+, TCCi or XTC to reset. In order to exploit this vulnerability a person must be able to establish a HTTP connection to the TCC, TCC+ or XTC
    
  • CSCdy70756 -- The TCC, TCC+ and XTC have a user-name and password that can be used to gain access to the underlying VxWorks Operating System and it is not possible to change or disable this account. In order to exploit this vulnerability a person must be able to establish a Telnet connection to TCC, TCC+ or XTC.
    

Workarounds

• This section describes workarounds.

  • CSCds52295 - Restrict FTP traffic to the gateway node(s) with a router configured to restrict FTP access to the TCC, TCC+ or XTC so that FTP access is only allowed from authorized workstations. This can be done by adding Access Control Lists and turning on Unicast Reverse Path Forwarding on the router.
    Please note, this will not prevent spoofed IP packets, from the local segment, with the source IP address set to that of the authorized workstation from reaching the TCC, TCC+ or XTC.
    
  • CSCdt84146 - It is possible to mitigate the effects of this vulnerability by making sure that the backup Cisco ONS images from the TCC, TCC+ or XTC are secure from unauthorized access.
    
  • CSCdv62307 - Restrict SNMP traffic to the gateway node(s) with a router configured to restrict SNMP access to the TCC, TCC+ or XTC so that SNMP access is only allowed from valid network management workstations. This can be done by adding Access Control Lists and turning on Unicast Reverse Path Forwarding on the router.
    Please note, this will not prevent spoofed IP packets, from the local segment, with the source IP address set to that of the network management station from reaching the TCC, TCC+ or XTC.
    
  • CSCdw15690 - Restrict HTTP traffic to the gateway node(s) with a router configured to restrict HTTP access to the TCC, TCC+ or XTC so that HTTP access is only allowed from valid network management workstations. This can be done by adding Access Control Lists and turning on Unicast Reverse Path Forwarding on the router.
    Please note, this will not prevent spoofed IP packets, from the local segment, with the source IP address set to that of the network management station from reaching the TCC, TCC+ or XTC.
    
  • CSCdx82962 - Restrict HTTP traffic to the gateway node(s) with a router configured to restrict HTTP access to the TCC, TCC+ or XTC so that HTTP access is only allowed from valid network management workstations. This can be done by adding Access Control Lists and turning on Unicast Reverse Path Forwarding on the router.
    Please note, this will not prevent spoofed IP packets, from the local segment, with the source IP address set to that of the network management station from reaching the TCC, TCC+ or XTC.
    
  • CSCdy70756 - Restrict Telnet traffic to the gateway node(s) with a router configured to restrict Telnet access to the TCC, TCC+ or XTC so that Telnet access is only allowed from authorized workstations. This can be done by adding Access Control Lists and turning on Unicast Reverse Path Forwarding on the router.
    Please note, this will not prevent spoofed IP packets, from the local segment, with the source IP address set to that of the workstation from reaching the TCC, TCC+ or XTC.
    

Fixed Software

• All vulnerabilities are fixed in the Cisco ONS software release 3.4 and later for the TCC+ installed in the ONS 15454, the TCCi installed in the ONS 15454E and the XTC installed in the ONS 15327. The Cisco ONS software release 3.2.1 also has all the vulnerabilities fixed in it. For the TCC control cards, the Cisco ONS software release 2.3.3 will be available on CCO on November 4, 2002.

  The procedure to upgrade to the fixed software version on the Cisco ONS 15454 is detailed at http://www.cisco.com/en/US/products/hw/optical/ps2006/prod_installation_guides_list.html.

  The procedure to upgrade to the fixed software version on the Cisco ONS 15327 is detailed at http://www.cisco.com/en/US/products/hw/optical/ps2001/prod_installation_guides_list.html.

Exploitation and Public Announcements

• All defects were reported to Cisco by customers. The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20021031-ons-vulnerability

Revision History

• Revision 1.1	2002-November-04	Documented ONS Release 3.2.1 as also having all the fixes.
  Revision 1.0	2002-October-31	Initial public release.

  Show Less