Download
Version
121-22.EA13
Release Date
29 July 2009
Downloadable File
| File link | File size | File description |
|---|---|---|
| | 9,259 | README file for Cisco Crypto Code |
| | 35,783 | Change History for Cisco Crypto Code |
| | 5,150,720 | Cisco Intelligent Gigabit Ethernet Switch Module Firmware |
Abstract
Download the latest Cisco Code
Download Description
Severity: Suggested
CIGESM related files
- IBM Director Cisco Switch Plug In
- Cisco Crypto Code Version 12.1(22)EA12
- CIGESM MIBS
- CiscoView Package
- CiscoWorks IDU's to support the CIGESM (Version 10 IDU supports CIGESM)
CIGESM documentation
- IBM CIGESM Deployment Red paper
- CIGESM Software Configuration Guide
- CIGESM Command Reference
- CIGESM Message Guide (all error messages)
- Copper CIGESM Install Guide
- SFP CIGESM Install Guide
Change history
27 Feb 2009
CSCsi13344
Three separate Cisco IOS Hypertext Transfer Protocol (HTTP) cross-site scripting (XSS) vulnerabilities and a cross-site request forgery (CSRF) vulnerability have been reported to Cisco by three independent researchers.
The Cisco Security Response is posted at the following link:
CSCsm27071
Symptoms: Memory leak occurs with certain socket applications.
Conditions: Occurs with the skinny socket server process after repeated rejected phone registrations.
Workaround: There is no workaround.
CSCsr45344
During IEEE 802.1x authentication with VLAN assignment, if the VLAN from the Cisco Access Control Server (ACS) is the same as the access VLAN on the switch and if you configure a port as unidirectional by using the dot1x control-direction in interface configuration command, the VLAN is successfully assigned to the switch.
CSCsr72301
Three separate Cisco IOS Hypertext Transfer Protocol (HTTP) cross-site scripting (XSS) vulnerabilities and a cross-site request forgery (CSRF) vulnerability have been reported to Cisco by three independent researchers.
The Cisco Security Response is posted at the following link:
CSCsr92741
Symptoms: When a TCP packet with all fields set to zero (at the TCP level) is sent to a remote router (over either IPv4 or IPv6), the destination router (the one to which the destination IP address belongs) sends a TCP packet with the ACK/RST flags set back to the source.
Workaround: CoPP, FPM and other mechanisms can be used to mitigate and protect against these packets.
CSCsu39185
If you use the archive upload-sw privileged EXEC command to upload a software image to the server and then use the archive download-sw privileged EXEC command to download a new image from a TFTP server to the switch, the new image is now downloaded to the switch.
CSCsu68694
If an ACL is applied to an interface and then a policy map is applied to it, the ACL and the policy map both take effect.
CSCsv05934
Summary: Cisco's VTP protocol implementation in some versions of Cisco IOS and CatOS may be vulnerable to a DoS attack via a specially crafted VTP packet sent from the local network segment when operating in either server or client VTP mode. When the device receives the specially crafted VTP packet, the switch may crash (and reload/hang). The crafted packet must be received on a switch interface configured to operate as a trunk port.
Workarounds: There are no workarounds available for this vulnerability.
CSCsv73509
Symptoms: If no aaa new-model is configured, authentication occurs through the local user database (login local) even when TACACS is configured. This happens for EXEC users under the VTY configuration.
Conditions: The symptom is observed when you configure no aaa new-model; configure login local under line vty 0 4; and configure login tacacs under line vty 0 4.
Workaround: There is no workaround.
CSCsw44728
The %CDP-4-DUPLEX_MISMATCH message no longer appears when loopback detection is enabled on the port.
CSCsx70215
During IEEE 802.1x authentication, the time value in the 044 Acct-Session-Id attribute is now the same for the RADIUS accounting START and STOP events.
CSCse85652
Symptom: The Cisco IOS HTTP server and the Cisco IOS HTTPS server provide web server functionality to be used by other Cisco IOS features that require it to function. For example, embedded device managers available for some Cisco IOS devices need the Cisco IOS HTTP server or the Cisco IOS HTTPS server to be enabled as a prerequisite.
One of the functionalities provided by the Cisco IOS HTTP server and the Cisco IOS HTTPS server is the WEB_EXEC module, which is the HTTP-based IOS EXEC Server. The WEB_EXEC module allows for both show and configure commands to be executed on the device through requests sent over the HTTP protocol. Both the Cisco IOS HTTP server and the Cisco IOS HTTPS server use the locally configured enable password (configured by using the enable password or enable secret commands) as the default authentication mechanism for any request received. Other mechanisms can also be configured to authenticate requests to the HTTP or HTTPS interface. Some of those mechanisms are the local user database, an external RADIUS server or an external TACACS+ server.
If an enable password is not present in the device configuration, and no other mechanism has been configured to authenticate requests to the HTTP interface, the Cisco IOS HTTP server and the Cisco IOS HTTPS server may execute any command received without requiring authentication. Any commands up to and including commands that require privilege level 15 might then be executed on the device. Privilege level 15 is the highest privilege level on Cisco IOS devices.
Conditions:
For a Cisco IOS device to be affected by this issue all of the following conditions must be met:
- An enable password is not present in the device configuration.
- Either the Cisco IOS HTTP server or the Cisco IOS HTTPS server is enabled.
- No other authentication mechanism has been configured for access to the Cisco IOS HTTP server or Cisco IOS HTTPS server. Such mechanisms might include the local user database, RADIUS (Remote Authentication Dial In User Service), or TACACS+ (Terminal Access Controller Access-Control System).
- The Cisco IOS HTTP server is enabled by default on some Cisco IOS releases.
Workaround:
Any of the following workarounds can be implemented:
- Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an enable password.
  Customers requiring the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server must configure an authentication mechanism for any requests received. One option is to use the enable password or enable secret commands to configure an enable password. The enable password is the default authentication mechanism used by both the Cisco IOS HTTP server and the Cisco IOS HTTPS server if no other method has been configured. In order to configure an enable password by using the enable secret command, add the following line to the device configuration:
  - enable secret mypassword
  Replace mypassword with a strong password of your choosing. For guidance on selecting strong passwords, please refer to your site security policy. The document entitled Cisco IOS Password Encryption Facts explains the differences between using the enable secret and the enable password commands to configure an enable password. This document is available at the following link:
- Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an authentication mechanism other than the default.
  Configure an authentication mechanism for access to the Cisco IOS HTTP server or the Cisco IOS HTTPS server other than the default. Such an authentication mechanism can be the local user database, an external RADIUS server, an external TACACS+ server or a previously defined AAA (Authentication, Authorization and Accounting) method. As the procedure to enable an authentication mechanism for the Cisco IOS HTTP server and the Cisco IOS HTTPS server varies across Cisco IOS releases and considering other additional factors, no example will be provided. Customers looking for information about how to configure an authentication mechanism for the Cisco IOS HTTP server and for the Cisco IOS HTTPS server are encouraged to read the document entitled AAA Control of the IOS HTTP Server, which is available at the following link:
- Disabling the Cisco IOS HTTP Server and/or the Cisco IOS HTTPS server functionality.
  Customers who do not require the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server can disable it by adding the following commands to the device configuration:
  - no ip http server
  - no ip http secure-server
  The second command might return an error message if the Cisco IOS version installed and running on the device does not support the HTTPS server feature. This error message is harmless and can safely be ignored. Please be aware that disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server may impact other features that rely on it. As an example, disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server will disable access to any embedded device manager installed on the device.
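The three conditions for CSCse85652 (HTTP or HTTPS server enabled, no enable password, no other authentication mechanism) can be checked mechanically against a saved running-config before a device is put into service. The script below is an added example written for this page; it is not part of the IBM release note or Cisco's own tooling. It parses a config as plain text, handles the release-dependent default mentioned above (HTTP server enabled by default on some releases) through a parameter, and reports whether the device matches the exposure. The sample configs are constructed, the `ip http authentication` command is the standard IOS command for selecting a non-default HTTP authentication method (not shown on this page; its `enable` keyword still means the enable password), and the helper names are my own.

```python
"""Audit a Cisco IOS running-config for the CSCse85652 exposure:
HTTP/HTTPS server enabled, no enable password/secret, and no other
HTTP authentication method configured (added example, not page code)."""
import re

# Constructed sample configs (placeholder hash values, not real secrets).
VULNERABLE_CONFIG = """\
!
hostname cigesm-blade
!
ip http server
ip http secure-server
!
line vty 0 4
 login
!
"""

FIXED_WITH_ENABLE_SECRET = """\
hostname cigesm-blade
enable secret 5 $1$PLACEHOLDER$hashvaluehere
ip http server
"""

FIXED_WITH_SERVER_DISABLED = """\
hostname cigesm-blade
no ip http server
no ip http secure-server
"""

FIXED_WITH_LOCAL_AUTH = """\
hostname cigesm-blade
username admin privilege 15 secret 5 $1$PLACEHOLDER$hashvaluehere
ip http server
ip http authentication local
"""

# 'ip http authentication enable' is the default method (enable password),
# so on its own it does not satisfy the "other mechanism" condition.
STILL_EXPOSED_AUTH_ENABLE = """\
ip http server
ip http authentication enable
"""


def _config_lines(text):
    """Drop comment lines ('!') and blank lines; strip indentation."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def _server_state(lines, keyword, default):
    """True/False when the config states it explicitly, else the release default."""
    if keyword in lines:
        return True
    if "no " + keyword in lines:
        return False
    return default


def audit_http_auth(config_text, default_http_enabled=False):
    """Return a dict describing whether the config matches the CSCse85652 conditions.

    default_http_enabled: set True for releases where 'ip http server' is on by
    default and therefore absent from the config when enabled (see the page).
    """
    lines = _config_lines(config_text)
    http_on = _server_state(lines, "ip http server", default_http_enabled)
    https_on = _server_state(lines, "ip http secure-server", False)
    has_enable_pw = any(re.match(r"enable (secret|password)\b", ln) for ln in lines)
    auth_line = next((ln for ln in lines
                      if ln.startswith("ip http authentication ")), None)
    method = auth_line.split()[3] if auth_line else None
    other_auth = method is not None and method != "enable"
    exposed = (http_on or https_on) and not has_enable_pw and not other_auth

    remediation = []
    if exposed:
        remediation.append("configure an enable password: enable secret <password>")
        remediation.append("or select another method: ip http authentication local|aaa|tacacs")
        remediation.append("or disable: no ip http server / no ip http secure-server")
    return {
        "http_enabled": http_on,
        "https_enabled": https_on,
        "has_enable_password": has_enable_pw,
        "other_auth_method": method if other_auth else None,
        "exposed": exposed,
        "remediation": remediation,
    }


if __name__ == "__main__":
    for name, cfg in [("vulnerable", VULNERABLE_CONFIG),
                      ("enable secret", FIXED_WITH_ENABLE_SECRET),
                      ("server disabled", FIXED_WITH_SERVER_DISABLED),
                      ("local auth", FIXED_WITH_LOCAL_AUTH),
                      ("auth enable only", STILL_EXPOSED_AUTH_ENABLE)]:
        result = audit_http_auth(cfg)
        print(f"{name:18s} exposed={result['exposed']}")
```

Run it against the output of `show running-config` saved to a file; pass `default_http_enabled=True` for images where the HTTP server is on by default, since such configs carry no `ip http server` line at all.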
Version 12.1(22)EA12
This release resolves the following issues:
- CSCsl63734 - When the Cisco IGESM switch is connected to AMM and both are in protected mode, the link no longer remains down after the AMM reboots.
- CSCso23104 - This error message no longer appears when you log in to the switch: SCHAN ERROR INTR: unit=0 SRC=13 DST=15 OPCODE=20 ERRCODE=66
- CSCso70964 - You can now save the no errdisable detect cause DHCP-rate-limit global configuration command to the switch saved configuration.
- CSCsq92719 - AutoQoS uses incorrect voice signaling (DSCP 26 used not 24). This should not have any impact on CIGESM, as it does not carry VOIP traffic (under normal and expected conditions).
Version 12.1(22)EA11 - cigesm-i6q4l2-tar.121-22.EA11.tar and cigesm-i6k2l2q4-tar.121-22.EA11.tar
This release resolves the following issues:
- CSCsi53397 - You can now read from and write to the BRIDGE-MIB by using the mst-n suffix.
- CSCsk12508 - The output from the show interface interface-id command for input broadcast packets includes information for both broadcast and multicast packets.
- CSCsk27547 - A switch with a two-port EtherChannel no longer drops packets when one of the channels is shut down. (In previous releases, this occurred when one of the channels was configured as access mode in VLAN 1.)
- CSCsi19656 - When the MIB object c2900PortAdminSpeed is set to a value of 1 (auto), these two commands are no longer automatically configured on that interface:
  - switchport port-security aging type inactivity
  - switchport port-security aging static
Version 12.1(22)EA10a - cigesm-i6q4l2-tar.121-22.EA10a.tar and cigesm-i6k2l2q4-tar.121-22.EA10a.tar
This release resolves the following issues:
- CSCsi92350 - The switch no longer reloads with a signal 10 exception.
- CSCsj15899 - When an IEEE (Institute of Electrical and Electronics Engineers) 802.1x-enabled interface has MAC (Media Access Control) authentication bypass (MAB) and guest VLAN enabled and the multiple-host mode configured, the switch no longer reloads if it receives traffic that is not an Extensible Authentication Protocol (EAP) frame and has a MAC address that is not in the MAB profile.
- CSCsb12598 - A Cisco IOS (Internetwork Operating System) device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device. Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information. Cisco IOS is affected by the following vulnerability: processing ClientHello messages, documented as Cisco bug ID CSCsb12598.
- CSCsb40304 - A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device. Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information. Cisco IOS is affected by the following vulnerability: processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304.
- CSCsd92405 - A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device. Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information. Cisco IOS is affected by the following vulnerability: processing Finished messages, documented as Cisco bug ID CSCsd92405.
Version 12.1(22)EA10 - cigesm-i6q4l2-tar.121-22.EA10.tar and cigesm-i6k2l2q4-tar.121-22.EA10.tar
This release resolves the following issues:
- CSCei83729 - Strict priority queuing now works correctly.
- CSCsh77929 - A host with an Intel network interface card (NIC) connected to an external copper switch port no longer loses connectivity when the host reboots.
Version 12.1(22)EA9 - cigesm-i6q4l2-tar.121-22.EA9.tar
This release supports the following new software features:
- Protected Mode - In Cisco IOS Release 12.1(22)EA9 and later, you can enable protected mode to prevent the management module from controlling the blade switch. By locking out the management module from control of the switch, server administrators cannot manage the switch from the management module. When protected mode is enabled, the chassis management module cannot control or configure these features and functions of the CIGESM blade switch:
  - IP addresses
  - Administration of external ports
  - Whether the blade switch can be managed with traffic received over external ports
  - That the CIGESM will not revert to the manufacturing default configuration
  Management Module code version 1.27 or later is required.
This release resolves the following issues:
- CSCeg09032 - Open Shortest Path First (OSPF) routes now appear in the routing table after a topology change when Incremental SPF (Shortest Path First) is enabled.
- CSCeg71620 - Downstream interfaces in a link-state group that are added to an EtherChannel group recover their link state when the link-state group is disabled.
- CSCeg72946 - Downstream interfaces that are members of a link-state group are no longer incorrectly placed in an up state when only one upstream interface is active and this upstream interface is made the destination interface for a local SPAN (Switched Port Analyzer) session.
- CSCeh45771 - When the multicast traffic for a group enters the switch, it is directed both to the interface that joined the group by entering the ip igmp join interface configuration command (IGMP: Internet Group Management Protocol) and to the interface with the static multicast MAC (Media Access Control) address.
Version 12.1(22)EA8a - cigesm-i6q4l2-tar.121-22.EA8a.tar
This release resolves the following issues:
- CSCsd74990 - When a switch has multiple management VLAN (Virtual Local Area Network) interfaces, the IP (Internet Protocol) addresses for all active interfaces are now reachable from a host or network device.
- CSCse11516 - Configuring the switch for a port monitor session on a remote VLAN no longer causes packet flooding on other interfaces that are not configured for the monitor session.
- CSCse25863 - When you are using a web browser to manage the CIGESM (Cisco Intelligent Gigabit Ethernet Switch Module), Device Manager now correctly requires you to enter a username and password, even when the switch is booted without a configuration file or when the configuration file was removed after returning to the manufacturing default configuration.
Version 12.1(22)EA8 - cigesm-i6q4l2-tar.121-22.EA8.tar
This release resolves the following issues:
- CSCsb82422 - The switch now forwards an IEEE (Institute of Electrical and Electronics Engineers) 802.1x request that has null credentials.
- CSCsd03880 - When the ciscoEnvMonMib is polled, it no longer returns envmon characteristics for the Cisco Intelligent Gigabit Ethernet Switching Module (CIGESM). The module has no envmon characteristics. In previous releases, the MIB displayed envmon information for the CIGESM.
- CSCsd23228 - The output of the show platform summary privileged EXEC command now appears in the output of the show tech privileged EXEC command.
- CSCsd24154 - When forwarding an IGMP (Internet Group Management Protocol) query, the default CoS (Class of Service) value from the incoming packets no longer changes automatically.
- CSCsd51738 - When the switch is reset to the factory default settings, the CIGESM now responds to ping or Telnet requests from external devices.
- CSCsd6866 - When the management module resets the CIGESM to the factory default settings and the preserve IP (Internet Protocol) address for the module is disabled, the CIGESM can now use the default IP address.
- CSCsb79318 - If the re-authentication timer and re-authentication action are downloaded from the RADIUS (Remote Authentication Dial-In User Service) server using the Session-Timeout and Termination-Action RADIUS attributes, the switch no longer performs the termination action when the port is not configured with the dot1x timeout reauthenticate server interface configuration command.
- CSCsb99249 - A host attached to an authenticated 802.1X port no longer loses network access after an 802.1X-enabled port mode or host mode is modified. In previous releases, this occurred when the 802.1X control direction was set to In when the configuration was changed.
- CSCsc84627 - A MAC (Medium Access Control) entry no longer changes from static to dynamic on a switch configured with private VLANs (Virtual Local Area Network).
- CSCsc93698 - Connectivity failures to the management interface no longer occur if the VLAN used is other than VLAN 1.
- CSCsc96385 - The switch now sends the NAS-Identifier (Network Access Server) attribute, attribute 32, to the RADIUS server when you configure the attribute in the running configuration by using these Cisco IOS (Internetwork Operating System) global configuration commands:
  - radius-server attribute 32 include-in-access-req
  - radius-server attribute 32 include-in-accounting-req
- CSCsd19470 - This error log message no longer randomly appears: %TCAMMGR-3-HANDLE_ERROR: cam handle [hex] is invalid
- CSCsd39489 - When port-security aging on the switch is set to inactive, CAM (Content-Addressable Memory ) entries no longer time out when there is continuous traffic.
- CSCsb63404 - A switch remains accessible by SSH (Secure Shell) or Telnet after it has been running for 4 to 5 days.
Version 12.1(22)EA6a - cigesm-i6q4l2-tar.121-22.EA6a.tar
- This release corrects the firmware revision displayed by the management module. The management module incorrectly displays the version number 12.1(22)AY instead of the correct version 12.1(22)EA6. This new level of firmware corrects this problem.
- This release resolves the following DDTS issues: CSCsc73761
- Description of resolved issues: CSCsc73761 - If the CIGESM has more than one VLAN interface defined, then one of the physical interfaces could be placed into the shutdown state. This problem occurs when the switch is in VTP client or VTP server mode and when the management interface has been changed to a VLAN ID other than the default VLAN ID = 1. If a reboot is done, the physical interface matching the management VLAN ID is placed in the shutdown state. For example, if the management VLAN ID = 7, when a reboot is done, the internal physical port 7 goes into the shutdown state and traffic stops.
Please see the CHANGE HISTORY file for complete details.
Document Location
Worldwide
Document Information
Modified date:
10 April 2023
UID
ibm1MIGR-64460