Cisco Security Advisory Lingo Demystified
It is almost that time of year again. Our Product Security Incident Response Team (PSIRT) is readying the release of the next bundle of security advisories for Cisco IOS. As stated in the original announcement, bundles are released on the fourth Wednesday in March and September; the next bundle is scheduled for September 23rd. With that in mind, I wanted to take the opportunity to explain some of the wording that is used in advisories.
I can assure you that there is a large effort applied to every security advisory by our technical, legal, and public relations teams to make sure the advisory is both clear and concise. At the same time though, I think reinforcing some key phrases will help you do the important work—assessing your risk due to an advisory—instead of working to understand the words themselves.
Unless you live and breathe security, you might find phrases such as “the improper handling of a crafted packet may allow an unauthenticated attacker to perform remote code execution” to be confusing. Along the same lines, what are mitigations and how are they different from workarounds? What in the world are CoPP and iACLs, and can they buy time before an upgrade is required?
The following are some of the key words and phrases that you might encounter when reviewing a Cisco Security Advisory. There are certainly others, but these are the ones that occur frequently and that relate to the core content of the advisory. Before you ask, I know these are not listed alphabetically; I’ve listed them in the order in which you might find them while reading an advisory.
Denial of Service: An interruption in the service provided by a device. A denial of service, or DoS, can take several forms including a device crash or the unavailability of an individual service or protocol. Depending on the vulnerability, manual human intervention may be required to recover from a successful DoS attack.
Remote Code Execution: The processing of instructions supplied to the vulnerable device by a remote attacker. For attackers, this is of great value. If an attacker can successfully exploit a vulnerability that allows remote code execution, they can likely perform any actions they wish on the affected device.
Privilege Escalation: The attainment of privileges beyond what is intended by a system or system administrator. Generally speaking, vulnerabilities that allow privilege escalation allow regular, authenticated users to obtain a privilege or privileges that are usually reserved for administrators. This was the case in Cisco IOS Software Secure Copy Privilege Escalation Vulnerability.
Crafted Packet: A packet that has been specifically created or altered after creation by some sort of human action. By definition, a crafted packet is not something that should be seen during the normal operation of a network, but something intentionally created either maliciously or otherwise.
Malformed Packet: A packet that does not conform to the appropriate standards or specifications. Malformed packets may be crafted intentionally or the result of a software bug or bad protocol implementation. These packets may or may not be seen during normal network operations.
Authenticated User: This phrase is used to indicate that an “attacker” must have supplied some form of valid credentials before they can successfully perform an attack. Although credentials typically equate to a username and password, that is not always the case. For example, the “shared secret” commonly used in IPSec deployments can be considered “credentials” in the context of a security advisory.
Unauthenticated Attacker: An attacker without any sort of valid credentials. If a vulnerability can be triggered by an unauthenticated attacker, that indicates that no authentication whatsoever is required for the vulnerability to be exploited.
Workaround: Steps taken or changes made to a device that cause a device to no longer be affected by the vulnerability. Although it may seem like a silly example, if only service X is vulnerable and that service is not truly required, disabling service X is a valid workaround. Workarounds are generally something that should only be applied temporarily until the device can be upgraded to a software revision that does not contain the vulnerability.
Mitigation: Steps or actions taken to minimize, but not remove, exposure to a vulnerability. Applying an access control list on another device may mitigate a potential attack by dropping malicious packets, but strictly speaking, the vulnerable device is still vulnerable. Like workarounds, mitigations should be viewed as a stopgap and not a permanent solution.
Access Control List: Access control lists, or ACLs, are filtering mechanisms present on many network devices. Generally speaking, ACLs permit or deny network traffic based on the Layer 3 or Layer 4 characteristics of the packet. For example, the following ACL excerpt from a Cisco IOS device denies telnet traffic on TCP port 23, but allows SSH traffic on TCP port 22.
access-list 100 deny tcp any any eq 23
access-list 100 permit tcp any any eq 22
Once created, ACLs used for traffic filtering are applied to network interfaces in either the inbound or outbound direction.
Infrastructure Access Control List: Infrastructure ACLs (iACLs) are a technique through which ACLs are applied around the outside of a network, creating a hard shell if you will. Infrastructure ACLs aim to filter incoming network traffic that is targeted to the network itself while allowing all other traffic to travel across the network. Please see Protecting Your Core: Infrastructure Protection Access Control Lists for more information.
Control Plane Policing: Control Plane Policing (CoPP) is a security feature on Cisco IOS devices that permits, denies, or rate limits network traffic to a network device. This is a subtle but very important point: CoPP filters traffic to a network device, not through it. In the context of security advisories, CoPP allows us to deny certain, potentially malicious, traffic on a network device without applying an ACL to all interfaces on the device. This single point of application, coupled with the characteristic that it only affects traffic to the device, makes CoPP a natural fit when looking to filter malicious traffic to a network device.
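As an added example (not from any advisory or from the original post), here is what the telnet/SSH filtering shown in the ACL excerpt above looks like when applied with CoPP to the device's own control plane rather than to every interface; the management subnet 192.0.2.0/24 and the object names are assumptions.

```cisco
! Added example, not Cisco's own configuration. Assumes management hosts
! live in 192.0.2.0/24 (a documentation range) and that only SSH from
! those hosts should reach the device; telnet to the device is dropped.
!
! Step 1: classify. Inside a CoPP ACL, "permit" means "this packet belongs
! to the class", not "allow it"; the action is decided in the policy-map.
! Only packets destined for the device itself are ever evaluated here.
ip access-list extended COPP-MGMT-OK
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
!
ip access-list extended COPP-MGMT-DROP
 permit tcp any any eq 23
 permit tcp any any eq 22
!
class-map match-all COPP-MGMT-OK-CLASS
 match access-group name COPP-MGMT-OK
class-map match-all COPP-MGMT-DROP-CLASS
 match access-group name COPP-MGMT-DROP
!
! Step 2: act. Classes are evaluated top to bottom and the first match
! wins, so SSH from the management subnet is transmitted before the
! broader drop class can see it. Policing with drop as both the conform
! and exceed action discards the traffic regardless of rate.
policy-map COPP-POLICY
 class COPP-MGMT-OK-CLASS
  police 64000 conform-action transmit exceed-action drop
 class COPP-MGMT-DROP-CLASS
  police 8000 conform-action drop exceed-action drop
!
! Step 3: attach once, to the control plane. Traffic forwarded through
! the device is never touched by this policy; only traffic to it is.
! Anything not matched above falls into class-default and is unaffected.
control-plane
 service-policy input COPP-POLICY
```

Unlike an interface ACL, this policy has no implicit deny at the end: unmatched control-plane traffic keeps flowing, so a class must be written for each kind of traffic you intend to police.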
Now that you are armed with a better understanding of these key words and phrases, you can focus on the important work: determining how these advisories affect your network and users.