Cisco NX-OS Software Unexpected IP in IP Packet Processing Vulnerability

A vulnerability in the network stack of Cisco NX-OS Software could allow an unauthenticated, remote attacker to bypass certain security boundaries or cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to the affected device unexpectedly decapsulating and processing IP in IP packets that are destined to a locally configured IP address. An attacker could exploit this vulnerability by sending a crafted IP in IP packet to an affected device. A successful exploit could cause the affected device to unexpectedly decapsulate the IP in IP packet and forward the inner IP packet. This may result in IP packets bypassing input access control lists (ACLs) configured on the affected device or other security boundaries defined elsewhere in the network.

Under certain conditions, an exploit could cause the network stack process to crash and restart multiple times, leading to a reload of the affected device and a DoS condition.
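The condition the advisory describes is observable on the wire: an IPv4 packet carrying protocol 4 (IP-in-IP) whose outer destination is one of the device's own addresses while the inner destination is somewhere else. The following is an added example, not Cisco's code: a small parser that triages captured IPv4 frames into the cases a defender cares about (tunnel traffic merely transiting the device, IP-in-IP aimed at the device whose inner packet would be forwarded past the input ACL, and IP-in-IP aimed at the device with a malformed inner header, the shape of the DoS case). The local address set and the sample packets are constructed from RFC 5737 documentation ranges.

```python
"""Triage captured IPv4 frames for IP-in-IP (protocol 4) packets addressed to
the device's own addresses, the condition the advisory describes.
Added example: not Cisco's code; the address set and packets are constructed."""
import ipaddress
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP encapsulation (RFC 2003)


def parse_ipv4(buf: bytes):
    """Parse one IPv4 header; return a dict or None if the header is malformed."""
    if len(buf) < 20:
        return None
    version, ihl = buf[0] >> 4, (buf[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(buf) < ihl:
        return None
    total_len = struct.unpack("!H", buf[2:4])[0]
    if total_len < ihl or total_len > len(buf):
        return None  # length field disagrees with the bytes actually present
    return {
        "proto": buf[9],
        "src": str(ipaddress.IPv4Address(buf[12:16])),
        "dst": str(ipaddress.IPv4Address(buf[16:20])),
        "payload": buf[ihl:total_len],
    }


def classify(buf: bytes, local_addrs) -> str:
    """Label a frame by how the decapsulation path described above would treat it."""
    outer = parse_ipv4(buf)
    if outer is None:
        return "malformed"
    if outer["proto"] != IPPROTO_IPIP:
        return "not-ipip"
    if outer["dst"] not in local_addrs:
        return "ipip-transit"  # tunnel not terminated on this device
    inner = parse_ipv4(outer["payload"])
    if inner is None:
        return "ipip-to-self-malformed-inner"  # decapsulating junk: the DoS shape
    if inner["dst"] in local_addrs:
        return "ipip-to-self-inner-local"
    # Inner packet addressed elsewhere: forwarding it after decapsulation
    # would let it skip the input ACL that was applied to the outer packet.
    return "ipip-to-self-inner-forwarded"


def _checksum(hdr: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    s = sum((hdr[i] << 8) + hdr[i + 1] for i in range(0, len(hdr), 2))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet; used only to construct the samples below."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = _checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


LOCAL = {"192.0.2.1"}  # constructed: the device's own interface address

# Constructed samples using RFC 5737 documentation ranges
SAMPLES = {
    "plain_tcp": build_ipv4("198.51.100.7", "192.0.2.1", 6, b""),
    "ipip_transit": build_ipv4("198.51.100.7", "203.0.113.9", IPPROTO_IPIP,
                               build_ipv4("10.0.0.5", "10.0.0.9", 6, b"")),
    "ipip_to_self_fwd": build_ipv4("198.51.100.7", "192.0.2.1", IPPROTO_IPIP,
                                   build_ipv4("10.0.0.5", "10.0.0.9", 6, b"")),
    "ipip_to_self_junk": build_ipv4("198.51.100.7", "192.0.2.1", IPPROTO_IPIP,
                                    b"\x45\x00"),
}


def triage(samples=SAMPLES, local_addrs=LOCAL):
    """Classify every sample; returns {sample_name: verdict}."""
    return {name: classify(pkt, local_addrs) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:20s} {verdict}")
```

Only the "ipip-to-self-*" verdicts are relevant to this advisory; "ipip-transit" is ordinary tunnel traffic that a filter matching protocol 4 alone would also catch, which is why the classifier checks the outer destination before looking inside.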

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4

Security Impact Rating: High

CVE: CVE-2020-10136


Cisco IOS XE Software NAT Session Initiation Protocol Application Layer Gateway Denial of Service Vulnerability

A vulnerability in the Network Address Translation (NAT) Session Initiation Protocol (SIP) Application Layer Gateway (ALG) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

The vulnerability is due to improper processing of transient SIP packets on which NAT is performed on an affected device. An attacker could exploit this vulnerability by using UDP port 5060 to send crafted SIP packets through an affected device that is performing NAT for SIP packets. A successful exploit could allow an attacker to cause the device to reload, resulting in a denial of service (DoS) condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-sip-alg

This advisory is part of the September 25, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 12 Cisco Security Advisories that describe 13 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: September 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2019-12646


Cisco IOS XE Software FTP Application Layer Gateway for NAT, NAT64, and ZBFW Denial of Service Vulnerability

A vulnerability in the FTP application layer gateway (ALG) functionality used by Network Address Translation (NAT), NAT IPv6 to IPv4 (NAT64), and the Zone-Based Policy Firewall (ZBFW) in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

The vulnerability is due to a buffer overflow that occurs when an affected device inspects certain FTP traffic. An attacker could exploit this vulnerability by performing a specific FTP transfer through the device. A successful exploit could allow the attacker to cause the device to reload.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-ftp

This advisory is part of the September 25, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 12 Cisco Security Advisories that describe 13 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: September 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2019-12655


Citrix ADC Internet Protocol (IP) Counters

This article contains information about the newnslog Internet Protocol (IP) counters and a brief description of the counters.

Using the Counters

Log on to the NetScaler using an SSH client, change to SHELL, navigate to the /var/nslog directory, and then use the ‘nsconmsg’ command to see comprehensive statistics using the different counters available. For the detailed procedure refer to Citrix Blog – NetScaler ‘Counters’ Grab-Bag!.

The newnslog IP Counters

The following table lists the different newnslog IP counters and a brief description of the counter.

Counter                     Description
ip_tot_rxpkts               IP packets received
ip_tot_rxbytes              Bytes of IP data received
ip_tot_txpkts               IP packets transmitted
ip_tot_txbytes              Bytes of IP data transmitted
ip_tot_rxMbits              Megabits of IP data received
ip_tot_txMbits              Megabits of IP data transmitted
ip_tot_routedpkts           Total routed packets
ip_tot_routedMbits          Total routed Mbits
ip_tot_fragments            IP fragments received
ip_tot_addr_lookup_done     IP address lookups performed by the NetScaler appliance. When a packet is received on a non-established session, the NetScaler appliance checks if the destination IP address is one of the NetScaler owned IP addresses.
ip_tot_udp_frag_fwd         UDP fragments forwarded to the client or the server
ip_tot_tcp_frag_fwd         TCP fragments forwarded to the client or the server
ip_tot_makefrag_pkts        Fragmented packets created by the NetScaler
ip_tot_reass_attempts       IP packets that the NetScaler appliance attempts to reassemble. If one of the fragments is missing, the entire packet is dropped.
ip_tot_reass_success        Fragmented IP packets successfully reassembled on the NetScaler appliance
ip_tot_l2_mode_drops        Total number of IP packets dropped due to L2 Mode disabled
ip_tot_l3_mode_drops        Total number of IP packets dropped due to L3 Mode disabled
ip_tot_secondary_pe_drops   Total number of IP packets dropped by the Secondary NetScaler appliance
ip_tot_loopback_drops       Total number of Loopback IP packets dropped
ip_tot_subnet_bcast_drops   Total number of IP packets dropped due to destination address as subnet broadcast
ip_err_badchecksums         Packets received with an IP checksum error
ip_err_reass_failure        Packets received that could not be reassembled. This can occur when there is a checksum failure, an identification field mismatch, or when one of the fragments is missing.
ip_err_reass_len_err        Packets received for which the reassembled data exceeds the Ethernet packet data length of 1500 bytes.
ip_err_reass_zerolenfrags   Packets received with a fragment length of 0 bytes.
ip_err_reass_dupfrags       Duplicate IP fragments received. This can occur when the acknowledgement was not received within the expected time.
ip_err_reass_ooofrags       Fragments received that are out of order.
ip_err_unknown_destination  Packets received in which the destination IP address was not reachable or not owned by the NetScaler appliance.
ip_err_bad_transport        Packets received in which the protocol specified in the IP header is unknown to the NetScaler appliance.
ip_err_natvip_down          Packets received for which the Virtual IP is down. This can occur when all the services bound to the Virtual IP are down or the Virtual IP is manually disabled.
ip_err_fixheader            Packets received that contain an error in one or more components of the IP header.
ip_tot_addr_lookup_failed   IP address lookups performed by the NetScaler appliance that have failed because the destination IP address of the packet does not match any of the NetScaler owned IP addresses.
ip_err_hdrsize              Packets received in which an invalid data length is specified, or the value in the length field and the actual data length do not match. The range for the Ethernet packet data length is 0-1500 bytes.
ip_err_packetlen            Total number of packets received by the NetScaler appliance with invalid IP packet size
ip_err_nsblen               Truncated IP packets received. An overflow in the routers along the path can truncate IP packets.
net_err_noniplen            Truncated non-IP packets received
ip_err_zero_nexthop         Packets received that contain a 0 value in the next hop field. These packets are dropped.
net_err_badlen_txpkts       Packets received with a length greater than the normal maximum transmission unit of 1514 bytes.
net_err_badMACAddr_txpkts   IP packets transmitted with a bad MAC address
ip_err_max_clients          Attempts to open a new connection to a service for which the maximum limit has been exceeded. Default value, 0, applies no limit.
ip_err_unknown_services     Packets received on a port or service that is not configured
ip_err_landattack           Land-attack packets received. The source and the destination addresses are the same.
ip_err_ttl_expired          Packets for which the time-to-live (TTL) expired during transit. These packets are dropped.
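The counters in this table become useful once they are diffed per interval and the error counters that indicate hostile or broken traffic are alerted on, rather than read as raw totals. The following is an added example, not Citrix's code: it parses a constructed snapshot laid out in the column order nsconmsg prints (the header line and column order are an assumption about nsconmsg output, not something this article states) and reports the counters a defender would watch, using the counter names from the table. The thresholds are illustrative and the numbers are constructed; the same parser works unchanged for any other newnslog counter name.

```python
"""Parse an nsconmsg counter snapshot and flag security-relevant IP counters.
Added example, not Citrix's code. The column layout is an assumption about
nsconmsg output; the sample numbers are constructed."""

# Constructed sample: one nsconmsg interval. Columns are assumed to be
# "Index rtime totalcount-val delta rate/sec symbol-name&device-no".
SAMPLE_SNAPSHOT = """\
Index   rtime totalcount-val      delta rate/sec symbol-name&device-no
    0       7       18234511       3120      445 ip_tot_rxpkts
    1       7            120          0        0 ip_err_badchecksums
    2       7             41         39        5 ip_err_landattack
    3       7           4400        920      131 ip_tot_reass_attempts
    4       7           2210        900      128 ip_err_reass_failure
    5       7            770          2        0 ip_tot_addr_lookup_failed
    6       7             13         13        1 ip_err_zero_nexthop
"""

# Per-interval delta above which a counter is reported. Illustrative values.
DELTA_THRESHOLDS = {
    "ip_err_landattack": 0,      # src == dst is never legitimate; any increase counts
    "ip_err_badchecksums": 100,  # a few are line noise, a burst is not
    "ip_err_zero_nexthop": 0,
    "ip_err_hdrsize": 50,
}
REASS_FAILURE_RATIO = 0.5        # reassembly failures / attempts within the interval


def parse_nsconmsg(text):
    """Return {counter_name: (total, delta)} from nsconmsg-style lines."""
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[0].isdigit():
            continue  # header, blank or unrelated line
        _idx, _rtime, total, delta, _rate, name = parts
        counters[name] = (int(total), int(delta))
    return counters


def evaluate(counters):
    """Return a list of findings for the interval represented by `counters`."""
    findings = []
    for name, threshold in DELTA_THRESHOLDS.items():
        _total, delta = counters.get(name, (0, 0))
        if delta > threshold:
            findings.append(f"{name}: +{delta} this interval")
    # Fragment reassembly failing most of the time points at a fragmentation
    # problem or a deliberate fragment flood, not at normal traffic.
    attempts = counters.get("ip_tot_reass_attempts", (0, 0))[1]
    failures = counters.get("ip_err_reass_failure", (0, 0))[1]
    if attempts and failures / attempts > REASS_FAILURE_RATIO:
        findings.append(
            f"reassembly failing: {failures}/{attempts} attempts failed this interval")
    return findings


def run(text=SAMPLE_SNAPSHOT):
    """Parse one snapshot and evaluate it; returns the list of findings."""
    return evaluate(parse_nsconmsg(text))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Feeding real output in is a matter of replacing the constructed SAMPLE_SNAPSHOT with the text captured from the shell session described under "Using the Counters"; the rules key on the counter name in the last column, so the index and rtime columns do not need to be stable across runs.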


Symantec DLP agent installed in a host not reporting after changing IP address? DLP 14.6

I do not need a solution (just sharing information)

Hi Everyone,

Just want to know whether changing the IP address of an endpoint from the original IP address it had when the agent was installed will have an effect on the agent reporting status?

Because I noticed that most of the agents that are not reporting in the console have a different IP address but the same hostname?

Thanks.


Citrix ADC RNAT Counters

This article contains information about the newnslog Reverse NAT (RNAT) counters and a brief description of each counter.

Using the Counters

Log on to the ADC using an SSH client, change to SHELL, navigate to the /var/nslog directory, and then use the ‘nsconmsg’ command to see comprehensive statistics using the different counters available. For the detailed procedure refer to Citrix Blog – NetScaler ‘Counters’ Grab-Bag!.

Reverse NAT Counters

The following table lists the newnslog RNAT counters with a simple description of the counter.

Newnslog Counter        Description
ip_rnat_tot_rxbytes     This counter tracks the bytes received on this IP address during RNAT sessions.
ip_rnat_tot_txbytes     This counter tracks the bytes sent from this IP address during RNAT sessions.
ip_rnat_tot_rxpkts      This counter tracks the packets received on this IP address during RNAT sessions.
ip_rnat_tot_txpkts      This counter tracks the packets sent from this IP address during RNAT sessions.
ip_rnat_tot_txsyn       This counter tracks the requests for connections sent from this IP address during RNAT sessions.
ip_rnat_cur_sessions    This counter tracks the currently active RNAT sessions started from this IP address.
rnat_tot_rxbytes        This counter tracks the bytes received during RNAT sessions.
rnat_tot_txbytes        This counter tracks the bytes sent during RNAT sessions.
rnat_tot_rxpkts         This counter tracks the packets received during RNAT sessions.
rnat_tot_txpkts         This counter tracks the packets sent during RNAT sessions.
rnat_tot_txsyn          This counter tracks the requests for connections sent during RNAT sessions.
rnat_cur_sessions       This counter tracks the currently active RNAT sessions.


How can I specify a URL for TCP tunneling requests for the Line application?

I need a solution

I have to disable the Tunnel on Protocol Error function because it allows clients to use unwanted protocols over HTTPS, such as SSH. But the problem is that clients still need to use the Line application, which needs to do TCP tunneling. Right now, I have to manually create a service group and use TCP tunnel with detect protocol for them in all proxies, and worse than that, I have to specify the destination using IP addresses only.

The Line application has been updated a lot. It changes or adds more IP addresses with almost every update. When an update happens, clients always face problems such as not being able to log in or not being able to view or send pictures, stickers or files. The only way I can find out what is going on is to run a packet capture on them, see which destination IP address has a problem, and add it to the service group.

It would be nice if I could specify the destination by URL for TCP tunneling, or if you have another solution for me, please advise.

 


S500 PS: not resolving URL in the defined class

I need a solution

I had created a URL class on the PS S500, but it is not resolving the URL to an IP address while implementing and checking the class. Shaping was off at the time of implementation.

Image Version Currently Running  PacketShaper 11.6.4.3

DNS is resolving on the PS while doing a DNS lookup of "wsus.ds.download.windowsupdate.com" on the PS (CMD).

show result:

Matching Rules:

  [1  ]   inside  any host  service:Client  any port  TCP

          outside host 13.107.4.50  service:Microsoft-Updates  any port

  [2  ]   inside  any host  service:Client  any port  TCP

          outside host wsus.ds.download.windowsupdate.com(<unknown address>)  service:HTTP  any port

  [3  ]   inside  any host  service:Microsoft-Updates  any port  TCP

          outside host 13.107.4.50  service:Client  any port

  [4  ]   inside  any host  service:HTTP  any port  TCP

          outside host wsus.ds.download.windowsupdate.com(<unknown address>)  service:Client  any port

Please help me to resolve the issue.


Configuring Source NAT for Direct Internet Breakout on Branch SDWAN

For the site you are configuring DIA for, navigate to Connections > Branch Site > Firewall and go to the Dynamic NAT Policies section.

Then click the plus sign to create a new NAT policy.

Specify the direction as Outbound, since the traffic will leave the branch site through the Internet-facing interface.

Also specify the Service Type as Internet and the Service Name as the Internet service:


Optionally, you can restrict the policy to specific IP addresses on the LAN and to specific zones.

The Policy should look like this:

After configuring this, you can check that the NAT policy is being hit on the Monitoring > Connections > Firewall page by setting the Statistics drop-down to NAT Policies:
