TECHNICAL BULLETIN
T-170: Cisco Physical Access Gateway Malformed Packet Remote Denial of Service Vulnerability
[CVE-2009-1163]
June 25, 2009 12:00 GMT
PROBLEM:
A vulnerability has been identified in Cisco Physical Access Gateway,
which could be exploited by remote attackers to cause a denial of
service.
PLATFORM:
Cisco Physical Access Gateway running software versions prior to 1.1
are vulnerable.
Note:
Cisco Physical Access Gateway running software versions 1.1 or later
are not vulnerable. No other Cisco products are currently known to be
affected by this vulnerability.
ABSTRACT:
This issue is caused by a memory leak when processing specially crafted
packets sent to port 443/TCP, which could allow attackers to create a
denial of service condition against connected door hardware, such as
card readers, locks, and other input/output devices.
IMPACT ASSESSMENT:
The risk is low. Unsuccessful exploitation of the vulnerability described in this document may result in a memory leak. The issue could be repeatedly exploited to cause an extended DoS condition. Connected door hardware, such as card readers, locks, and other input/output devices, will function intermittently during extended DoS exploitation. Doors will remain open or locked depending on the gateway's configuration.
[***** Start CVE-2009-1163 *****]
Discussion:
A vulnerability has been identified in Cisco Physical Access Gateway, which could be exploited by remote attackers
to cause a denial of service. This issue is caused by a memory leak when processing specially crafted packets sent
to port 443/TCP, which could allow attackers to create a denial of service condition against connected door
hardware, such as card readers, locks, and other input/output devices. A TCP three-way handshake is needed to
exploit this vulnerability.
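Added example (not part of the original bulletin, and not Cisco or DOE-CIRC code): because exploitation requires a completed TCP three-way handshake to port 443/TCP, the Python below flags gateways running software prior to 1.1 and lists completed connections to them that originate outside a management subnet. The inventory, flow-record layout, addresses and management subnet are constructed assumptions.

```python
"""Triage aid for CVE-2009-1163 (added example with constructed data)."""
import ipaddress

FIXED_VERSION = (1, 1)   # bulletin: versions 1.1 or later are not vulnerable
GATEWAY_PORT = 443       # bulletin: crafted packets are sent to 443/TCP

# Constructed sample data; formats and addresses are assumptions.
INVENTORY = {"10.20.0.5": "1.0.2", "10.20.0.6": "1.1", "10.20.0.7": "1.0"}
MGMT_NETS = ["10.20.9.0/24"]  # hypothetical management subnet
FLOWS = [  # (source, destination, destination port, handshake completed)
    ("10.20.9.14", "10.20.0.5", 443, True),     # management host, expected
    ("192.0.2.77", "10.20.0.5", 443, True),     # unexpected source, vulnerable target
    ("192.0.2.77", "10.20.0.6", 443, True),     # target already on 1.1
    ("198.51.100.3", "10.20.0.7", 443, False),  # SYN only, no handshake
    ("192.0.2.77", "10.20.0.7", 22, True),      # different service
]

def parse_version(text):
    """Turn '1.0.2' into (1, 0, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def is_vulnerable(version_text):
    """True for software versions prior to 1.1."""
    return parse_version(version_text) < FIXED_VERSION

def vulnerable_gateways(inventory):
    """Addresses of gateways that still need the 1.1 upgrade."""
    return sorted(ip for ip, ver in inventory.items() if is_vulnerable(ver))

def suspicious_flows(flows, inventory, mgmt_nets):
    """Completed 443/TCP connections to vulnerable gateways from non-management sources."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    hits = []
    for src, dst, dport, established in flows:
        if dport != GATEWAY_PORT or not established:
            continue  # a completed handshake is a prerequisite per the bulletin
        if dst not in inventory or not is_vulnerable(inventory[dst]):
            continue  # unknown host or already running fixed software
        if any(ipaddress.ip_address(src) in net for net in nets):
            continue  # expected management traffic
        hits.append((src, dst))
    return hits

if __name__ == "__main__":
    print("Upgrade to 1.1:", vulnerable_gateways(INVENTORY))
    for src, dst in suspicious_flows(FLOWS, INVENTORY, MGMT_NETS):
        print(f"Review: {src} completed a TCP connection to {dst}:443")
```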
Solution:
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory
and that current hardware and software configurations will continue to be supported properly by the new release. If
the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance
provider for assistance.
This vulnerability has been corrected in Cisco Physical Access Gateway software version 1.1 and can be downloaded
from the following link:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=280588231
Workaround:
No workarounds are available; however, mitigations that can be deployed on Cisco devices within the network are
available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090624-gateway.shtml
[***** End CVE-2009-1163 *****]
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH.
DOE-CIRC can be contacted at:
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov
UCRL-MI-119788