Bugtraq mailing list archives

Re: Cisco Security Advisory: CBOS Web-based Configuration Utility Vulnerability


From: Joel Maslak <jmaslak () antelope net>
Date: Fri, 24 Aug 2001 14:16:46 -0600 (MDT)

On Fri, 24 Aug 2001, Cisco Systems Product Security Incident Response Team wrote:

> There is no specific workaround for each of these vulnerabilities; however,
> a workaround exists which has proven a reasonable defense for the CodeRed
> Worm attack.  It is advisable to disable web management on port 80, by
> setting the web management port to some number greater than 1024, with the
> following command, replacing the text "number_greater-than_1024" with an
> actual number.
>      set web port number_greater-than_1024

This will not fix the root problem, but will fix some of the symptoms (the
CodeRed issue).

Even with the web port bound to a port > 1024, a simple nmap scan will
reveal its real location and allow a malicious user - without much effort
- to disable the router temporarily (until reboot).

The fix I'm recommending to my customers (each of these filter lines
should be one line - it will wrap in the following example):

set filter 0 on deny incoming ANY 0.0.0.0 0.0.0.0 <router IP>
255.255.255.255 protocol TCP srcport 0-65535 destport 23-23

set filter 1 on deny incoming ANY 0.0.0.0 0.0.0.0 <router IP>
255.255.255.255 protocol TCP srcport 0-65535 destport 80-80

set filter 19 on accept incoming ANY 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

set filter 20 on accept outgoing ANY 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

Note that you MUST use the serial port to configure it.  Also note that
this disables telnet or HTTP remote administration - you'll need to use
the serial port.

Finally, please note that there is a documentation "glitch" in the 600
series routers, at least on Cisco 678s running CBOS 2.4.1.  It is as
follows:


cbos#help filter examples

 CBOS Help System
 -------------------------------------
 COMMAND: set filter    TOPIC: example
 The first example shows how to block all incoming web access:
 cbos#set filter 0 on deny incoming all 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 
 protocol TCP srcport 1-65535 destport 80-80

 The second example shows how to block all incoming telnet access 
 from the 192.168.0.0 network:
 cbos#set filter 1 on deny incoming all 192.168.0.0 255.255.255.0 0.0.0.0 
 0.0.0.0 protocol TCP srcport 1-65535 destport 23-23

 The third example shows how to accept telnet access from the host
 192.168.0.25:
 cbos#set filter 2 on allow incoming all 192.168.0.25 255.255.255.255
 0.0.0.0 0.0.0.0 protocol TCP srcport 23-23

 The fourth example shows how to block all incoming ftp access on 
 The third example shows how to accept telnet access from the host 
 192.168.0.25:
 cbos#set filter 2 on allow incoming all 192.168.0.25 255.255.255.255
 0.0.0.0 0.0.0.0 protocol TCP srcport 23-23

 The fourth example shows how to block all incoming ftp access on 
 wan port wan0-1:
 cbos#set filter 3 on deny incoming wan0-1 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 
 protocol TCP srcport 1-65535 destport 21-21

 The fifth example shows how to turn off the first filter:
 cbos#set filter 0 off


Examples #1, #2, and #3 are simply wrong.  If you want to include all
possible TCP ports, you should use "srcport 0-65535", not "srcport
1-65535".  I wonder how many vulnerable filter installations there are
simply because the user followed the instructions...

-- 
Joel Maslak
Antelope Enterprises
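As an added illustration (not part of the post, and not Cisco code), a small Python checker for the srcport point made above: it parses filter lines in the quoted "set filter" syntax, evaluates a packet against them in filter-number order (first enabled match decides, which is an assumption about CBOS semantics), and flags deny rules whose source-port range starts above 0. The router address 10.0.0.1 is a constructed placeholder.

```python
import re
from typing import List, NamedTuple, Optional, Tuple
# Hypothetical parser for the CBOS "set filter" syntax quoted in the post; added
# example code, not Cisco's. Only the fields the post's argument depends on are kept.
FILTER_RE = re.compile(
    r"set filter (\d+) (on|off) (deny|accept|allow) (incoming|outgoing) \S+ \S+ \S+ "
    r"\S+ \S+(?: protocol (TCP|UDP))?(?: srcport (\d+)-(\d+))?(?: destport (\d+)-(\d+))?$"
)
class Filter(NamedTuple):
    num: int
    enabled: bool
    action: str            # "deny", "accept" or "allow"
    direction: str         # "incoming" or "outgoing"
    proto: Optional[str]   # None = any protocol
    srcport: Tuple[int, int]
    dstport: Tuple[int, int]

def parse_filter(line: str) -> Filter:
    """Parse one (possibly line-wrapped) 'set filter' command."""
    m = FILTER_RE.match(" ".join(line.split()))
    if not m:
        raise ValueError("unrecognised filter line: " + line)
    num, state, action, direction, proto, s1, s2, d1, d2 = m.groups()
    src = (int(s1), int(s2)) if s1 else (0, 65535)   # omitted range = all ports
    dst = (int(d1), int(d2)) if d1 else (0, 65535)
    return Filter(int(num), state == "on", action, direction, proto, src, dst)

def verdict(filters: List[Filter], direction: str, proto: str, sport: int, dport: int) -> str:
    """Walk filters in number order; first enabled match decides (assumed semantics)."""
    for f in sorted(filters, key=lambda f: f.num):
        if (f.enabled and f.direction == direction and f.proto in (None, proto)
                and f.srcport[0] <= sport <= f.srcport[1]
                and f.dstport[0] <= dport <= f.dstport[1]):
            return "deny" if f.action == "deny" else "accept"
    return "nomatch"

def source_port_gaps(filters: List[Filter]) -> List[int]:
    """Numbers of enabled deny filters whose srcport range leaves port 0 unmatched."""
    return [f.num for f in filters if f.enabled and f.action == "deny" and f.srcport[0] > 0]

# Constructed sample: the post's recommended set, but with filter 1 written the way
# the CBOS help text does it (srcport 1-65535) instead of the post's 0-65535.
SAMPLE = [
    "set filter 0 on deny incoming ANY 0.0.0.0 0.0.0.0 10.0.0.1 255.255.255.255 protocol TCP srcport 0-65535 destport 23-23",
    "set filter 1 on deny incoming ANY 0.0.0.0 0.0.0.0 10.0.0.1 255.255.255.255 protocol TCP srcport 1-65535 destport 80-80",
    "set filter 19 on accept incoming ANY 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0",
    "set filter 20 on accept outgoing ANY 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0",
]
FILTERS = [parse_filter(l) for l in SAMPLE]
```

With the help-text range, a TCP segment from source port 0 to port 80 falls through filter 1 and is accepted by the catch-all filter 19; with the post's 0-65535 range it is denied.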

