Re: Remote Cisco Identification (fwd)

From: John Bashinski (jbashat_private)
Date: Mon Jan 18 1999 - 13:40:23 PST


    Context for cust-security-announceat_private: somebody on the BUGTRAQ
    mailing list is talking about the Cisco identification port, TCP
    port 1999.
    
    > Intro:
    > ------
    > This release covers some information that was found sniffing a
    > portscan session.  What was found wasn't anything super special.
    > I'm sure anyone running a packet sniffer while performing a port
    > scan on a cisco has seen this.  But it is the implications of
    > this that are not fully understood.
    
    If you asked us, we would simply tell you.
    
    > Cisco Note:
    > ---------
    > It is documented that cisco uses port 1999.  However I have never seen
    > the details of its use.
    
    It does exactly what you saw it do, and no more. Its primary use is
    for network management.
    
    >  This may not be an immediate security bug, it may do exactly as it
    >  was intended.
    
    It does indeed do what's intended, which is to allow identification of
    Cisco equipment. It's been in the software for about 10 years that I
    know of. We might not put it in if we were doing it in today's
    environment, but we've had no complaints about it (as far as I know) in
    all the time it's been in there.
    
    It can indeed be used to identify Cisco equipment. Personally, and I'm
    not necessarily speaking for Cisco when I say this, I don't see that as
    a big issue. There are many ways to identify Cisco stuff fairly
    reliably, starting with the reasonably distinctive default login prompt.
    "nmap -O" doesn't seem to have any problem, and I assume queso can do it
    as well.
    
    However, my opinion is not as important as customers' opinions. If
    customers tell us that we don't want the port 1999 hack in the system,
    we can certainly look into taking it out. We would, of course, first
    have to look for legitimate applications that were using it, and find
    other ways to accommodate those applications. A lot of dependencies
    can appear in an installed base in 10 years.
    
    Nowadays, the port 1999 hack has largely been superseded by the Cisco
    Discovery Protocol (CDP), which provides a great deal more
    information... things you do *not* want to have crackers know, like your
    software version number. Although CDP only runs on a hop-by-hop basis,
    on the local LAN, and can't be queried over the Internet, we advise
    customers to turn it off in firewalls and other very sensitive machines.
    
    > However I did not feel that everyone
    > would be aware of how easy it is to remotely identify Cisco products.
    > With the IOSLOGON, and HISTORY bug out there, it may be advisable to
    > prevent your router from telling everyone what brand it is
    
    I can see your point. The feature is pretty obscure, and it's obviously
    better to give hostile people as little information as possible.
    
    However, for protection from those particular bugs, Cisco customers
    should *not* rely on people not knowing that their routers are
    Ciscos. Ignoring the threat of login prompts or "nmap -O", attackers can
    always just try the exploits (assuming that they know what the exploits
    are) and see if they work. Also, if the device is known to be a router,
    there's about a 70 percent chance that it's a Cisco, just based on
    market share.
    
    Regardless of whether they choose to block out port 1999, we *strongly*
    advise customers who may be endangered by any announced Cisco bug to
    upgrade their software and/or apply a specific workaround for that
    bug.
    
    For those of you who don't know about the two bugs in question, they are
    explained at
    
        http://www.cisco.com/warp/public/770/ioslogin-pub.shtml
    
    and
    
        http://www.cisco.com/warp/public/770/ioshist-pub.shtml
    
    > Cisco products respond to SYNs directed to port 1999 with
    > a RST. Which is normal but they also include  'cisco' in
    > the payload of the packet.
    
    Yes.
    
    > It is now easy to scan a large range of IP addresses to find
    > Cisco products.  In the next week Rhino9 will hopefully release
    > a Cisco scanning utility.  Even if the device doesn't allow access
    > to the telnet port it is now possible to determine Cisco hardware.
    
    ... and I'd appreciate some feedback on how important customers think
    that is. Again, if there's significant demand, we'll look at taking the
    feature out. However, if you're concerned about exposures of this
    magnitude, you should probably look at other issues, like CDP, and
    perhaps protecting yourself from signature scans.
    
    > It is unclear why this happens.
    
    Basically, because one of our engineers, sometime in the mid-to-late
    1980s, decided that there should be a way to identify Cisco equipment.
    I don't know the reasons for his decision, but I do know who he is,
    and can ask him if you really want to know.
    
    >  I'm unclear on the apparent implementation of this feature.
    
    ??? I don't understand your question. It's implemented in the same way
    as all the other services in the Cisco IOS software.
    
    >  It may turn out to be a welcome mat.
    
    Nope. Sorry. Feel free to test it however you like to verify that.
    
    > Either way Rhino9 will dig-in regarding this subject.
    
    Enjoy... and please report any security problems you find to
    "security-alertat_private". We do read BUGTRAQ, but not nearly as fast
    or as thoroughly as we read messages to "security-alert".
    
                                    -- J. Bashinski
                                       Product Security IRT
                                       Cisco Systems
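The behaviour the thread describes (a SYN to TCP port 1999 answered with a RST whose payload contains 'cisco') is easy to spot passively. The following is an added example, not code from Cisco or from the original posters: a small parser for raw IPv4/TCP packets plus a check that flags such identification replies, so a network operator can inventory which of their own devices still answer this way before deciding whether to filter the port. The packets are constructed inline from documentation address ranges (192.0.2.0/24, 198.51.100.0/24); checksums are left at zero, which the parser does not validate.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

IDENT_PORT = 1999      # the Cisco identification port discussed in the thread
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


@dataclass
class TcpSegment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes


def parse_ipv4_tcp(frame: bytes) -> TcpSegment:
    """Parse an IPv4 packet carrying TCP (no link-layer header) into its fields."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 6:
        raise ValueError("not TCP")
    src = str(IPv4Address(frame[12:16]))
    dst = str(IPv4Address(frame[16:20]))
    tcp = frame[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4
    return TcpSegment(src, dst, sport, dport, tcp[13], tcp[data_off:])


def is_cisco_ident_reply(seg: TcpSegment) -> bool:
    """True for a RST sent from port 1999 that carries 'cisco' in its payload.

    A normal RST has no payload at all, so the payload check is what makes
    this specific to the identification feature rather than any closed port.
    """
    return bool(seg.sport == IDENT_PORT
                and seg.flags & TCP_RST
                and b"cisco" in seg.payload.lower())


def find_exposed_devices(frames) -> dict[str, int]:
    """Count identification replies per source address; skip non-TCP frames."""
    seen: dict[str, int] = {}
    for frame in frames:
        try:
            seg = parse_ipv4_tcp(frame)
        except ValueError:
            continue
        if is_cisco_ident_reply(seg):
            seen[seg.src] = seen.get(seg.src, 0) + 1
    return seen


def build_packet(src: str, dst: str, sport: int, dport: int,
                 flags: int, payload: bytes = b"") -> bytes:
    """Constructed IPv4+TCP packet for testing (checksums are left as zero)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                          8192, 0, 0)
    total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip_hdr + tcp_hdr + payload


# Constructed sample traffic: a probe, the identification reply, a plain RST
# from a non-Cisco host, and an HTTP response that happens to mention 'cisco'.
SAMPLE_FRAMES = [
    build_packet("192.0.2.10", "198.51.100.1", 40000, IDENT_PORT, TCP_SYN),
    build_packet("198.51.100.1", "192.0.2.10", IDENT_PORT, 40000,
                 TCP_RST | TCP_ACK, b"cisco"),
    build_packet("198.51.100.2", "192.0.2.10", IDENT_PORT, 40001,
                 TCP_RST | TCP_ACK),
    build_packet("198.51.100.3", "192.0.2.10", 80, 40002, TCP_ACK,
                 b"HTTP/1.0 200 OK\r\n\r\ncisco"),
]

if __name__ == "__main__":
    for host, count in find_exposed_devices(SAMPLE_FRAMES).items():
        print(f"{host}: {count} identification reply/replies on tcp/{IDENT_PORT}")
```

Run against a capture from the edge of your own network, the report lists the addresses still answering on tcp/1999; the thread's own advice then applies: filter the port at the border if you care about the exposure, and turn off CDP on firewalls and other sensitive devices, since CDP reveals far more than this reply does.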
    