Test
Threads by month
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2003 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2002 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2001 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2000 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1999 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1998 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1997 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1996 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1995 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1994 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1993 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1992 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
September 2008
- 318 participants
- 220 discussions
Could someone please send me AOL's NOC contact information off list?
1
0
Apologies for the operational content. =)
I've been working with a client who has been the victim of several SQL
injection attacks. These attacks are being used to insert links to malicious
javascript hosted elsewhere using the following domains:
seekcc.com
google9.info
any-park.cn
I've reported the abuse several times to the abuse contact listed by ARIN,
but it seems to simply be a blackhole at Verizon Business (their address
space). How have others handled this problem? Also, if there is a more
appropriate forum for this question and forthcoming discussion, please let
me know.
Thanks!
-brandon
2
1
Hi,
I hate to use NANOG for outages... But can anyone else get to
puck.nether.net or the outages.org list? A traceroute gets me into
Chicago with NTT and then dies...(Along with high ping times between
NY and IL for NTT)
I'm looking to see if anyone has more info about an S&D power
event at 111 8th this morning. (And I contacted S&D and am getting
nothing from them).
Thanks, Tuc/TBOH
10
11
Hello Paul,
Those are their IP Blocks. We were simply routing them, as they were our client.
They've owned these blocks for quite a while. They seem to have moved that after a day of being down.
I haven't been monitoring their blocks, and made the decision Sunday Night that they were no longer going to be allowed on our network.
I believe the blocks your referring to are their 85.255 Blocks? Registered to "InHoster". I believe those prefixes are an entity of their's, though I don't know for sure. Perhaps ask them?
Cernel is their own ASN. It's not associated with our company.
Thank you for your time. Have a great day.
---
Russell Mitchell
InterCage, Inc.
----- Original Message ----
From: Paul Ferguson <fergdawgster(a)gmail.com>
To: Russell Mitchell <russm2k8(a)yahoo.com>
Cc: nanog(a)nanog.org
Sent: Tuesday, September 23, 2008 9:22:03 PM
Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Russ,
While I think that is great and everything, can you explain why Cernel is
now originating prefixes which were originally originated by
Atrivo/Intercage?
I'd be curious as to your explanation.
Thanks,
- - ferg
On Tue, Sep 23, 2008 at 9:05 PM, Russell Mitchell <russm2k8(a)yahoo.com>
wrote:
> Apologies, Yahoo was set to "Rich Text" :(
>
> -----
>
> Hello All,
>
> It seems you all missed the memo.As of about 11PM PST
> Last night 09/22/08, Esthost has been ENTIRELY Shutdown.
> They no longer have ANY Machine on my network.
>
> I'm currently starting to monitor some of the public media, such as
> google, DroneBL, as well as several Anti-Malware community websites for
> abuse. Being that Esthost is now entirely GONE, we should not have any
> further issues. In the case that something does arise, such as an
> exploited host, we're currently developing a game plan for response to
> the issues.
>
> To make the best effort towards combatting abuse on our network, here's
> what I have planned so far for ANY Type of abuse: Step 1, Suspend Power
> to the affected machine.
> Step 2, Call/Email the client whom the affected machine is leased to.
> Step 3, Allow the client the option to investigate the machine further
> (Nullroute access via KVM)= Step 4, Verify the reported content, domain,
> user, or exploit is patched/eliminated from the machine. Step 5, Remove
> the Nullroute. Allow the machine to return to the network.
>
> Any comments? This is the result of a zero tolerance policy regarding
> abuse.
>
> If it's clear that the server owner is the cause of the abusive material
> etc, the client will then be immediately cancelled. No questions. It
> seems that this approach will be the best supported by the anti-abuse
> communities, so please let me know your input.
>
> Thank you for your time. Have a great day.
>
> ---
> Russell Mitchell
> InterCage, Inc.
>
>
>
>
>
>
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)
wj8DBQFI2cBUq1pz9mNUZTMRAtbAAJwKk/H/9Pz4YelIgnYvtuCCDhmuswCfcrfV
PTUD/SyPo8+zHpACucRPqk4=
=+rwg
-----END PGP SIGNATURE-----
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
4
4
Cisco Security Advisory: Cisco IOS IPS Denial of Service Vulnerability
by Cisco Systems Product Security Incident Response Team 24 Sep '08
by Cisco Systems Product Security Incident Response Team 24 Sep '08
24 Sep '08
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS IPS Denial of Service
Vulnerability
Advisory ID: cisco-sa-20080924-iosips
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
Revision 1.0
For Public Release 2008 September 24 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
=======
The Cisco IOS Intrusion Prevention System (IPS) feature contains a
vulnerability in the processing of certain IPS signatures that use
the SERVICE.DNS engine. This vulnerability may cause a router to
crash or hang, resulting in a denial of service condition.
Cisco has released free software updates that address this
vulnerability. There is a workaround for this vulnerability.
Note: This vulnerability is not related in any way to CVE-2008-1447 -
Cache poisoning attacks. Cisco Systems has published a Cisco Security
Advisory for that vulnerability, which can be found at
http://www.cisco.com/en/US/products/products_security_advisory09186a00809c2…
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml
Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
Affected Products
=================
Vulnerable Products
+------------------
Any Cisco IOS device configured with the Cisco IOS IPS feature is
vulnerable, regardless if it is configured to use the built-in
signatures or an external signature file. Devices using either
version 4 or version 5 signatures are affected by this vulnerability.
The Cisco IOS IPS feature is not enabled by default. The command show
ip ips interfaces can be used to determine if the Cisco IOS IPS
feature has been configured and applied to any interface on the
device, as in the following example:
Router#show ip ips interfaces
Interface Configuration
Interface FastEthernet0/0
Inbound IPS rule is ios-ips-incoming
Outgoing IPS rule is not set
Interface FastEthernet0/1
Inbound IPS rule is not set
Outgoing IPS rule is ios-ips-outgoing
Router#
The output of the show ip ips interfaces command when the Cisco IOS
IPS feature has not been configured is dependent on which Cisco IOS
release is installed and running on the device. It may be similar to
the following example:
Router#show ip ips interfaces
Router#
or it may be similar to the following:
Router#show ip ips interfaces
Interface Configuration
IPS is not configured on any interface
Router#
Any version of Cisco IOS prior to the versions which are listed in
the Software Versions and Fixes section below is vulnerable.
To determine the version of the Cisco IOS software running on a Cisco
product, log in to the device and issue the show version command to
display the system banner. Cisco IOS software will identify itself as
"Internetwork Operating System Software" or simply "IOS". On the next
line of output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices
will not have the show version command or will give different output.
The following example identifies a Cisco product running Cisco IOS
Software release 12.3(26) with an installed image name of C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
<output truncated>
Router#
The next example shows a product running Cisco IOS Software release
12.4(20)T with an image name of C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
<output truncated>
Router#
Additional information on the Cisco IOS release naming conventions
can be found on the document entitled "White Paper: Cisco IOS
Reference Guide", which is available at
http://www.cisco.com/warp/public/620/1.html
Products Confirmed Not Vulnerable
+--------------------------------
The following Cisco products are confirmed not vulnerable:
* Cisco IOS devices running the Intrusion Detection System feature
* Cisco ASA Security Appliances running the Intrusion Detection
System feature
* Cisco PIX 500 Series Security Appliances running the Intrusion
Detection System feature
* Cisco IPS 4200 Sensors
* Cisco AIP-SSM for ASA 5500 Series Adaptive Security Appliances
* Cisco Catalyst 6500 Series Intrusion detection System (IDSM-2)
Services Module
* Cisco IPS Advanced Integration Module for Integrated Services
Routers
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet
inspection feature that effectively mitigates a wide range of network
attacks. A component of the Cisco IOS Integrated Threat Control
framework and complemented by Cisco IOS Flexible Packet Matching
feature, Cisco IOS IPS provides your network with the intelligence to
accurately identify, classify, and stop or block malicious traffic in
real time. Additional information on the Cisco IOS IPS feature can be
found at
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_fwids.html
Previous to the introduction of the Cisco IOS IPS feature, Cisco IOS
provided a similar feature, the Cisco IOS Intrusion Detection System
(IDS). The Cisco IOS IDS feature is not affected by this
vulnerability. Additional information on the Cisco IOS IDS feature
can be found at
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/ios_ids.html
Certain network traffic can trigger IPS signatures on the SERVICE.DNS
signature engine which may cause the Cisco IOS device to crash or
hang. This may cause a denial of service that results in disruption
of network traffic. This vulnerability is documented in Cisco Bug ID
CSCsq13348.
This vulnerability has been assigned Common Vulnerabilities and
Exposures (CVE) ID CVE-2008-2739.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsq13348 - Watchdog timeout with IPS configured
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of this vulnerability may cause a Cisco IOS
device configured with the Cisco IOS IPS feature to crash or hang,
resulting in a denial of service condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+------------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.2 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|------------+--------------------------------------+---------------|
| 12.3 | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3B | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3BC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3BW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3EU | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JEA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JEB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JEC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | | 12.4(15)T7 |
| 12.3T | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+--------------------------------------+---------------|
| 12.3TPC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3VA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XE | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XG | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XI | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XJ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | | 12.4(15)T7 |
| 12.3XL | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+--------------------------------------+---------------|
| | | 12.4(15)T7 |
| 12.3XQ | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+--------------------------------------+---------------|
| | | 12.4(15)T7 |
| 12.3XR | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+--------------------------------------+---------------|
| | | 12.4(15)T7 |
| 12.3XS | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+--------------------------------------+---------------|
| 12.3XU | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | | 12.4(15)T7 |
| 12.3XX | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+--------------------------------------+---------------|
| 12.3XY | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XZ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | | 12.4(15)T7 |
| 12.3YA | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+--------------------------------------+---------------|
| 12.3YD | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+--------------------------------------+---------------|
| 12.3YF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | Releases prior to 12.3(8)YG7 are | |
| 12.3YG | vulnerable, release 12.3(8)YG7 and | 12.4(15)T7 |
| | later are not vulnerable; first | |
| | fixed in 12.4T | |
|------------+--------------------------------------+---------------|
| 12.3YH | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+--------------------------------------+---------------|
| 12.3YI | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+--------------------------------------+---------------|
| 12.3YJ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YK | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+--------------------------------------+---------------|
| | | 12.3(14)YM13; |
| 12.3YM | 12.3(14)YM13; Available on 30-SEP-08 | Available on |
| | | 30-SEP-08 |
|------------+--------------------------------------+---------------|
| 12.3YQ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YS | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+--------------------------------------+---------------|
| 12.3YT | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+--------------------------------------+---------------|
| 12.3YU | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YZ | Vulnerable; contact TAC | |
|------------+--------------------------------------+---------------|
| 12.3ZA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+--------------------------------------+---------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|------------+--------------------------------------+---------------|
| | 12.4(18b) | |
| | | |
| 12.4 | 12.4(19a) | 12.4(18c) |
| | | |
| | 12.4(21) | |
|------------+--------------------------------------+---------------|
| 12.4JA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JMA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JMB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JMC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4MD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4MR | 12.4(19)MR | 12.4(19)MR |
|------------+--------------------------------------+---------------|
| 12.4SW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | 12.4(15)T6 | |
| 12.4T | | 12.4(15)T7 |
| | 12.4(20)T | |
|------------+--------------------------------------+---------------|
| 12.4XA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+--------------------------------------+---------------|
| 12.4XB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XC | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+--------------------------------------+---------------|
| | | 12.4(4)XD11; |
| 12.4XD | 12.4(4)XD11; Available on 26-SEP-08 | Available on |
| | | 26-SEP-08 |
|------------+--------------------------------------+---------------|
| 12.4XE | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+--------------------------------------+---------------|
| 12.4XF | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+--------------------------------------+---------------|
| 12.4XG | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XJ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+--------------------------------------+---------------|
| 12.4XK | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+--------------------------------------+---------------|
| 12.4XL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XM | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XN | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XP | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XQ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XT | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+--------------------------------------+---------------|
| 12.4XV | Vulnerable; contact TAC | |
|------------+--------------------------------------+---------------|
| 12.4XW | 12.4(11)XW9 | 12.4(11)XW9 |
|------------+--------------------------------------+---------------|
| 12.4XY | 12.4(15)XY4 | 12.4(15)XY4 |
|------------+--------------------------------------+---------------|
| 12.4XZ | 12.4(15)XZ2 | 12.4(15)XZ2 |
|------------+--------------------------------------+---------------|
| 12.4YA | 12.4(20)YA1 | 12.4(20)YA1 |
+-------------------------------------------------------------------+
Workarounds
===========
The workaround consists of adding an Access Control List (ACL) to
every Cisco IOS IPS policy configured on the device so that traffic
destined to ports 53/udp or 53/tcp is not inspected by the Cisco IOS
IPS feature. The following ACL would need to be added to the device
configuration:
! deny inspection of traffic with a destination port of 53/udp
access-list 177 deny udp any any eq 53
! deny inspection of traffic with a destination port of 53/tcp
access-list 177 deny tcp any any eq 53
! allow all other traffic to be inspected
access-list 177 permit ip any any
Every instance of a Cisco IOS IPS policy on the device would then
need to be modified in order to reference the previous ACL. In order
to determine which Cisco IOS IPS policies are configured on the
device, execute the command show running-config | include ip ips name
as in the following example:
Router#show running-config | include ip ips name
ip ips name ios-ips-incoming
ip ips name ios-ips-outgoing
Router#
In the previous example, two Cisco IOS IPS policies are configured on
the device. The following example shows the addition of an ACL to
each one of the Cisco IOS IPS policies previously identified:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip ips name ios-ips-incoming list 177
Router(config)#ip ips name ios-ips-outgoing list 177
Router(config)#end
Router#
As a verification step, the command show ip ips interfaces can be
executed again to verify the ACL has been properly attached to each
one of the Cisco IOS IPS policies:
Router#show ip ips interfaces
Interface Configuration
Interface FastEthernet0/0
Inbound IPS rule is ios-ips-incoming
acl list 177
Outgoing IPS rule is not set
Interface FastEthernet0/1
Inbound IPS rule is not set
Outgoing IPS rule is ios-ips-outgoing
acl list 177
Router#
Note: Disabling or deleting individual or all signatures using the
SERVICE.DNS engine of the Cisco IOS IPS feature is not a recommended
workaround. The previous workaround is the only Cisco-recommended
workaround for this vulnerability.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.ht…
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com/
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was reported to Cisco by a customer.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce(a)cisco.com
* first-bulletins(a)lists.first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
* comp.dcom.sys.cisco(a)newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-September-24 | public |
| | | release |
+----------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkjaLb4ACgkQ86n/Gc8U/uCOcQCfVtBrGIC3MJQr9jaPkMlt3ikc
XrEAn1XOyW6nTAO/lsY5edWYzRoTuLDe
=HgRp
-----END PGP SIGNATURE-----
1
0
Cisco Security Advisory: Cisco IOS Software Firewall Application Inspection Control Vulnerability
by Cisco Systems Product Security Incident Response Team 24 Sep '08
by Cisco Systems Product Security Incident Response Team 24 Sep '08
24 Sep '08
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Firewall Application
Inspection Control Vulnerability
Advisory ID: cisco-sa-20080924-iosfw
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
Revision 1.0
For Public Release 2008 September 24 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
=======
Cisco IOS software configured for IOS firewall Application Inspection
Control (AIC) with a HTTP configured application-specific policy are
vulnerable to a Denial of Service when processing a specific
malformed HTTP transit packet. Successful exploitation of the
vulnerability may result in a reload of the affected device.
Cisco has released free software updates that address this
vulnerability.
A mitigation for this vulnerability is available. See the
"Workarounds" section for details.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml
Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
Affected Products
=================
The HTTP AIC feature was introduced in Cisco IOS Software Release
12.4(9)T. The software table in this advisory identifies the affected
releases.
Vulnerable Products
+------------------
Devices that are running a vulnerable version of Cisco IOS software
and configured for Cisco IOS firewall AIC for HTTP are affected.
To determine the software running on a Cisco IOS product, log in to
the device and issue the show version command-line interface (CLI)
command to display the system banner. Cisco IOS software will
identify itself as "Internetwork Operating System Software" or simply
"IOS." On the next line of output, the image name will be displayed
between parentheses, followed by "Version" and the Cisco IOS release
name. Other Cisco devices will not have the show version command, or
will give different output.
The following example shows output from a device running Cisco IOS
image 12.4(15)T2:
router#show version
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M),
Version 12.4(15)T2, RELEASE SOFTWARE (fc7) Technical Support:
http://www.cisco.com/techsupport Copyright (c) 1986-2008 by Cisco
Systems, Inc. Compiled Thu 17-Jan-08 23:12 by prod_rel_team
!--- Output truncated.
Additional information on the Cisco IOS release naming conventions
can be found on the document entitled "White Paper: Cisco IOS
Reference Guide", which is available at
http://www.cisco.com/warp/public/620/1.html
The device is vulnerable if the configuration has a Layer 7 class map
and Layer 7 policy map for HTTP deep packet inspection (DPI), and
these policies are applied to any firewall zone. To determine whether
the device is running a vulnerable configuration of Cisco IOS
firewall AIC for HTTP, log in to the device and issue the CLI command
show policy-map type inspect zone-pair | section packet inspection.
If the output contains Policy: http layer7-policymap name , the
device is vulnerable. The following example shows the response from a
vulnerable device:
Router#show policy-map type inspect zone-pair | section packet inspection
Deep packet inspection
Policy: http layer7-policymap
1 packets, 28 bytes
Router#
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by this
vulnerability. IOS releases before 12.4(9)T are not affected by this
issue. Products confirmed not vulnerable include:
* Cisco PIX
* Cisco ASA
* Cisco Firewall Services Module (FWSM)
* The Virtual Firewall (VFW) application on the multiservice blade
(MSB) on the Cisco XR 12000 Series Router
Details
=======
Firewalls are networking devices that control access to an
organization's network assets. Firewalls are often positioned at the
entrance points into networks. Cisco IOS software provides a set of
security features that enable you to configure a simple or elaborate
firewall policy, according to your particular requirements.
HTTP uses port 80 by default to transport Internet web services,
which are commonly used on the network and rarely challenged with
regard to their legitimacy and conformance to standards. Because port
80 traffic is typically allowed through the network without being
challenged, many application developers are leveraging HTTP traffic
as an alternative transport protocol that will allow their
application's traffic to travel through or even bypass the firewall.
When the Cisco IOS Firewall is configured with HTTP AIC, it performs
packet inspection to detect HTTP connections that are not authorized
in the scope of the security policy configuration. It also detects
users who are tunneling applications through port 80. If the packet
is not in compliance with the HTTP protocol, it will be dropped, the
connection will be reset, and a syslog message will be generated, as
appropriate.
Cisco IOS Software that is configured for IOS firewall AIC with an
HTTP application-specific policy is vulnerable to a denial of service
condition when it processes a specific malformed HTTP transit packet.
Successful exploitation of the vulnerability may result in a reload
of the affected device.
HTTP runs over TCP. For this vulnerability to be exploited, a full
three-way handshake between client and server is required before any
malicious traffic would be processed to result in a device reload.
Additional information regarding Cisco IOS Firewall AIC with HTTP
application-specific policy maps is available at
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/12…
This vulnerability is documented in Cisco bug ID CSCsh12480
and Common Vulnerabilities and Exposures (CVE) identifier
CVE-2008-3812 has been assigned to this vulnerability.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsh12480 - IOSFW with HTTP AIC may reload on processing crafted
HTTP packet
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may result in a reload
of the affected device. Repeated exploitation attempts may result in
a sustained denial of service attack.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major Release | Availability of Repaired Releases |
|-----------------+-------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.2 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|-----------------+-----------------------------------+-------------|
| 12.4 | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4JA | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4JK | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4JL | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4JMA | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4JMB | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4JMC | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4JX | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4MD | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4MR | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4SW | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| | Releases prior to 12.4(9)T are | |
| | not vulnerable. First fixed in: | |
| | | |
| 12.4T | 12.4(9)T7 | 12.4(15)T7 |
| | | |
| | 12.4(11)T4 | |
| | | |
| | 12.4(15)T | |
|-----------------+-----------------------------------+-------------|
| 12.4XA | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XB | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XC | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XD | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XE | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|-----------------+-----------------------------------+-------------|
| 12.4XF | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XG | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XJ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|-----------------+-----------------------------------+-------------|
| 12.4XK | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|-----------------+-----------------------------------+-------------|
| 12.4XL | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XM | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XN | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XP | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XQ | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XT | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XV | Vulnerable; contact TAC | |
|-----------------+-----------------------------------+-------------|
| 12.4XW | 12.4(11)XW1 | 12.4(11)XW9 |
|-----------------+-----------------------------------+-------------|
| 12.4XY | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4XZ | Not Vulnerable | |
|-----------------+-----------------------------------+-------------|
| 12.4YA | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
There are no known workarounds for this vulnerability. The only known
action to help counter this vulnerability is to disable AIC HTTP deep
packet inspection in the affected device's configuration. Disabling
deep packet HTTP inspection will allow the rest of the firewall
features to continue to function until a software upgrade can be
implemented. All other firewall features will continue to perform
normally.
Disabling AIC HTTP Deep Packet Inspection
+----------------------------------------
To disable AIC HTTP Deep Packet Inspection, remove the linkage
between policy-map type inspect layer4-policymap and policy-map type
inspect http layer7-policymap. This example shows an existing
configuration, followed by how to remove AIC HTTP Deep Packet
Inspection:
!--- Existing Configuration
!
parameter-map type inspect global
!
class-map type inspect http match-any layer7-classmap
class-map type inspect match-any layer4-classmap
match protocol http
!
policy-map type inspect http layer7-policymap
class type inspect http layer7-classmap
allow
class class-default
policy-map type inspect layer4-policymap
class type inspect layer4-classmap
inspect global
service-policy http layer7-policymap
class class-default
!
zone security inside
description ** Inside Network **
zone security outside
description ** Outside Network **
zone-pair security in2out source inside destination outside
description ** Zone Pair - inside to outside **
service-policy type inspect layer4-policymap
Remove the service-policy from the zone-pair in question:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#zone-pair security in2out source inside destination outside
Router(config-sec-zone-pair)#no service-policy type inspect layer4-policymap
Router(config-sec-zone-pair)#exit
Remove the linkage between policy-map type inspect layer4-policymap
and policy-map type inspect http layer7-policymap:
Router(config)#policy-map type inspect layer4-policymap
Router(config-pmap)#class type inspect layer4-classmap
Router(config-pmap-c)#no service-policy http layer7-policymap
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Reapply the service-policy to the zone-pair in question:
Router(config)#zone-pair security in2out source inside destination outside
Router(config-sec-zone-pair)#service-policy type inspect layer4-policymap
Router(config-sec-zone-pair)#exit
Although not required, for completeness of the configuration the
policy-map type inspect http layer7-policymap and class-map type
inspect http match-any layer7-classmap are recommended to be removed.
Router(config)#no policy-map type inspect http layer7-policymap
Router(config)#no class-map type inspect http match-any layer7-classmap
Router(config)#exit
Router#
Obtaining Fixed Software
========================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.ht…
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was found by Cisco internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce(a)cisco.com
* first-bulletins(a)lists.first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
* comp.dcom.sys.cisco(a)newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-September-24 | public |
| | | release |
+----------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkjaLbkACgkQ86n/Gc8U/uBSqwCgi7dmsFhp1u9fxWgLqVpMPtV+
fuIAn3f11gNGT/LITk11YI6fjv7W1Q20
=0tmt
-----END PGP SIGNATURE-----
1
0
Cisco Security Advisory: Cisco 10000, uBR10012, uBR7200 Series Devices IPC Vulnerability
by Cisco Systems Product Security Incident Response Team 24 Sep '08
by Cisco Systems Product Security Incident Response Team 24 Sep '08
24 Sep '08
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco 10000, uBR10012, uBR7200 Series
Devices IPC Vulnerability
Advisory ID: cisco-sa-20080924-ipc
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
Revision 1.0
For Public Release 2008 September 24 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
=======
Cisco 10000, uBR10012 and uBR7200 series devices use a User Datagram
Protocol (UDP) based Inter-Process Communication (IPC) channel that
is externally reachable. An attacker could exploit this vulnerability
to cause a denial of service (DoS) condition on affected devices. No
other platforms are affected.
Cisco has released free software updates that address this
vulnerability. Workarounds that mitigate this vulnerability are
available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS^ software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml
Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
Affected Products
=================
Cisco 10000, uBR10012 and uBR7200 series devices that are running an
affected version of Cisco IOS are affected.
Vulnerable Products
+------------------
Devices that are running Cisco IOS can be identified by using the
show version command. The following example shows an output taken
from a Cisco 10000 series device running Cisco IOS software release
12.2(31)SB10e:
c10k#show version | include IOS
Cisco IOS Software, 10000 Software (C10K3-P11-M), Version 12.2(31)SB10e, RELEASE SOFTWARE (fc1)
c10k#
The following example shows an output taken from a Cisco uBR10012
series device running Cisco IOS software release 12.3(17b)BC7:
ubr10k#show version | include IOS
IOS (tm) 10000 Software (UBR10K-K8P6U2-M), Version 12.3(17b)BC7, RELEASE SOFTWARE (fc1)
ubr10k#
The following example shows an output taken from a Cisco uBR7200
series device running Cisco IOS software release 12.3(21a)BC2:
ubr7200#show version | include IOS
IOS (tm) 7200 Software (UBR7200-IK9SU2-M), Version 12.3(21a)BC2, RELEASE SOFTWARE (fc1)
ubr7200#
Please refer to the document entitled "White Paper: Cisco IOS
Reference Guide" for additional information on the Cisco IOS release
naming conventions. This document is available at the following link:
http://www.cisco.com/warp/public/620/1.html
Any version of Cisco IOS prior to the fixed versions listed in the
Software Versions and Fixes section below is vulnerable.
Products Confirmed Not Vulnerable
+--------------------------------
Cisco uBR7100 series devices are not affected.
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
Cisco 10000, uBR10012 and uBR7200 series devices use a UDP-based IPC
channel. This channel uses addresses from the 127.0.0.0/8 range and
UDP port 1975. Cisco 10000, uBR10012 and uBR7200 series devices that
are running an affected version of Cisco IOS will process IPC
messages that are sent to UDP port 1975 from outside of the device.
This behavior may be exploited by an attacker to cause a reload of
the device, linecards, or both, resulting in a DoS condition.
Filtering unauthorized traffic destined to 127.0.0.0/8 or UDP port
1975 will mitigate this vulnerability.
This vulnerability is documented in the Cisco Bug IDs CSCsg15342
and CSCsh29217 and has been assigned Common Vulnerabilities and
Exposures (CVE) ID CVE-2008-3805.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsg15342 - IPC processing needs to be more robust
CVSS Base Score - 8.5
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - Partial
Availability Impact - Complete
CVSS Temporal Score - 7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsh29217 - IPC processing needs to be more robust
CVSS Base Score - 8.5
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - Partial
Availability Impact - Complete
CVSS Temporal Score - 7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may result in a reload
of the device, linecards, or both, resulting in a DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|-------------+-----------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|-------------+-------------------------------------+---------------|
| 12.0 | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0DA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0DB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0DC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| | Releases prior to 12.0(32)S are | 12.0(32)S11 |
| 12.0S | vulnerable, release 12.0(32)S and | |
| | later are not vulnerable; | 12.0(33)S1 |
|-------------+-------------------------------------+---------------|
| 12.0SC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0SL | Vulnerable, migrate to 12.0S, 12.1 | |
|-------------+-------------------------------------+---------------|
| 12.0SP | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0ST | Vulnerable, migrate to 12.0S, 12.1 | |
|-------------+-------------------------------------+---------------|
| 12.0SX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0SY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| | | 12.0(32)S11 |
| 12.0SZ | 12.0(30)SZ4 | |
| | | 12.0(33)S1 |
|-------------+-------------------------------------+---------------|
| 12.0T | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0W | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0WC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0WT | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XH | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XI | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XJ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XK | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XM | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XN | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XQ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XR | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XS | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XT | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XV | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|-------------+-------------------------------------+---------------|
| 12.2 | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2B | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2BC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2BW | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2BX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2BY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2BZ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2CX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2CY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2CZ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2DA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2DD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2DX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2EW | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2EWA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2EX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2EY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2EZ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2FX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2FY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2FZ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2IRB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2IXA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2IXB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2IXC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2IXD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2IXE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2IXF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2IXG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2JA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2JK | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2MB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2MC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2S | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| | 12.2(31)SB13 | 12.2(33)SB2; |
| 12.2SB | | Available on |
| | 12.2(33)SB1 | 26-SEP-08 |
|-------------+-------------------------------------+---------------|
| 12.2SBC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SCA | 12.2(33)SCA1 | 12.2(33)SCA1 |
|-------------+-------------------------------------+---------------|
| 12.2SE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SEA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SEB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SEC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SED | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SEE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SEF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SEG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SGA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SM | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SO | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SRA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SRB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SRC | 12.2(33)SRC2 | 12.2(33)SRC2 |
|-------------+-------------------------------------+---------------|
| 12.2SU | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SV | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SVA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SVC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SVD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SW | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SXA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SXB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SXD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SXE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SXF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SXH | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SZ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2T | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2TPC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XH | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XI | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XJ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XK | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XM | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XN | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XNA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XNB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XO | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XQ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XR | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XS | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XT | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XU | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XV | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XW | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YH | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YJ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YK | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YM | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YN | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YO | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YP | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YQ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YR | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YS | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YT | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YU | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YV | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YW | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YZ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZH | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZJ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZP | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZU | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| | | 12.2(33)SB2; |
| 12.2ZX | Vulnerable; first fixed in 12.2SB | Available on |
| | | 26-SEP-08 |
|-------------+-------------------------------------+---------------|
| 12.2ZY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZYA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|-------------+-------------------------------------+---------------|
| 12.3 | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3B | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| | 12.3(17b)BC6 | |
| | | |
| 12.3BC | 12.3(21a)BC1 | 12.3(23)BC4 |
| | | |
| | 12.3(23)BC | |
|-------------+-------------------------------------+---------------|
| 12.3BW | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3EU | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3JA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3JEA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3JEB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3JEC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3JK | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3JL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3JX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| | Note: Releases prior to 12.3(14)T3 | 12.4(15)T7 |
| 12.3T | are vulnerable, release 12.3(14)T3 | |
| | and later are not vulnerable; | 12.4(18c) |
|-------------+-------------------------------------+---------------|
| 12.3TPC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3VA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| | | 12.2(33)SB2; |
| 12.3XI | 12.3(7)XI10a | Available on |
| | | 26-SEP-08 |
|-------------+-------------------------------------+---------------|
| 12.3XJ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XK | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XQ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XR | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XS | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XU | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XW | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XZ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YH | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YI | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YJ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YK | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YM | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YQ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YS | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YT | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YU | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YZ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3ZA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|-------------+-------------------------------------+---------------|
| | Note: Releases prior to 12.4(3) are | |
| 12.4 | vulnerable, release 12.4(3) and | 12.4(18c) |
| | later are not vulnerable; | |
|-------------+-------------------------------------+---------------|
| 12.4JA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4JK | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4JL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4JMA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4JMB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4JMC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4JX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4MD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4MR | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4SW | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4T | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XJ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XK | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XM | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XN | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XP | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XQ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XR | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XT | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XV | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XW | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XZ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4YA | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
Workarounds consist of filtering packets that are sent to 127.0.0.0/8
range and UDP packets that are sent to port 1975.
Using Interface Access Control Lists
+-----------------------------------
Access lists that filter UDP packets destined to port 1975 can be
used to mitigate this vulnerability. UDP port 1975 is a registered
port number that can be used by certain applications. However,
filtering all packets that are destined to UDP port 1975 may cause
some applications to malfunction. Therefore, access lists need to
explicitly deny UDP 1975 packets that are sent to any router
interface IP addresses and permit transit traffic. Such access lists
need to be applied on all interfaces to be effective. Since the IPC
channel uses addresses from the 127.0.0.0/8 range, it is also
necessary to filter packets that are sourced from or destined to this
range. An example is given below:
access-list 100 deny udp any host <router-interface 1> eq 1975
access-list 100 deny udp any host <router-interface 2> eq 1975
access-list 100 deny udp any host <router-interface ...> eq 1975
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip any 127.0.0.0 0.255.255.255
access-list 100 permit ip any any
interface Serial 0/0
ip access-group 100 in
Using Control Plane Policing
+---------------------------
Control Plane Policing (CoPP) can be used to block untrusted UDP port
1975 access to the affected device. Cisco IOS software releases
12.2BC and 12.2SCA support the CoPP feature. CoPP may be configured
on a device to protect the management and control planes to minimize
the risk and effectiveness of direct infrastructure attacks by
explicitly permitting only authorized traffic sent to infrastructure
devices in accordance with existing security policies and
configurations. The following example can be adapted to your network.
Note: CoPP is not supported on uBR10012 series devices.
!-- Permit all UDP/1975 traffic so that it
!-- will be policed and dropped by the CoPP feature
!
access-list 111 permit udp any any eq 1975
access-list 111 permit ip any 127.0.0.0 0.255.255.255
access-list 111 permit ip 127.0.0.0 0.255.255.255 any
!
!-- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and
!-- Layer 4 traffic in accordance with existing security policies
!-- and configurations for traffic that is authorized to be sent
!-- to infrastructure devices
!
!-- Create a Class-Map for traffic to be policed by the CoPP
!-- feature
!
class-map match-all drop-IPC-class
match access-group 111
!
!-- Create a Policy-Map that will be applied to the Control-Plane
!-- of the device
!
policy-map drop-IPC-traffic
class drop-IPC-class
drop
!
!-- Apply the Policy-Map to the Control-Plane of the device
!
control-plane
service-policy input drop-IPC-traffic
!
In the above CoPP example, the access control list entries (ACEs)
which match the potential exploit packets with the "permit" action
result in these packets being discarded by the policy-map "drop"
function, while packets that match the "deny" action (not shown) are
not affected by the policy-map drop function.
Please note that in the Cisco IOS 12.2S and 12.0S trains the
policy-map syntax is different:
!
policy-map drop-IPC-traffic class drop-IPC-class
police 32000 1500 1500 conform-action drop exceed-action drop
!
Additional information on the configuration and use of the CoPP
feature can be found at
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html,
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/pr…
and http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html
Using Infrastructure ACLs at Network Boundary
+--------------------------------------------
Although it is often difficult to block traffic transiting your
network, it is possible to identify traffic which should never be
allowed to target your infrastructure devices and block that traffic
at the border of your network. iACLs are a network security best
practice and should be considered as a long-term addition to good
network security as well as a workaround for this specific
vulnerability. The iACL example shown below should be included as
part of the deployed infrastructure access-list which will protect
all devices with IP addresses in the infrastructure IP address range:
!-- Note: IPC packets sent to UDP destination port 1975 must not
!-- be permitted from any trusted source as this traffic
!-- should only be sent and received internally by the
!-- affected device using an IP address allocated from the
!-- 127.0.0.0/8 prefix.
!--
!-- IPC that traffic that is internally generated and sent
!-- and/or received by the affected device is not subjected
!-- to packet filtering by the applied iACL policy.
!
!-- Deny IPC (UDP port 1975) packets from all sources destined to
!-- all IP addresses configured on the affected device.
!
access-list 150 deny udp any host INTERFACE_ADDRESS#1 eq 1975
access-list 150 deny udp any host INTERFACE_ADDRESS#2 eq 1975
access-list 150 deny udp any host INTERFACE_ADDRESS#N eq 1975
!
!-- Deny all IP packets with a source or destination IP address
!-- from the 127.0.0.0/8 prefix.
!
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip any 127.0.0.0 0.255.255.255
!
!-- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations.
!
!-- Permit all other traffic to transit the device.
!
access-list 150 permit ip any any
!
!-- Apply iACL to interfaces in the ingress direction.
!
interface GigabitEthernet0/0
ip access-group 150 in
!
Note: iACLs that filter UDP packets destined to port 1975 can be used
to mitigate this vulnerability. However, UDP port 1975 is a
registered port number that can be used by certain applications.
Filtering all packets that are destined to UDP port 1975 may cause
some applications to malfunction. Therefore, the iACL policy needs to
explicitly deny UDP packets using a destination port of 1975 that are
sent to any router interface IP addresses for affected devices, then
permit and/or deny all other Layer 3 and Layer 4 traffic in
accordance with existing security policies and configurations, and
then permit all other traffic to transit the device. iACLs must be
applied on all interfaces to be used effectively. Since the IPC
channel uses addresses from the 127.0.0.0/8 range, it is also
necessary to filter packets that are sourced from or destined to this
range as provided in the preceding example.
The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended
deployment techniques for infrastructure protection access lists.
This white paper can be obtained here:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0…
Additional Mitigation Techniques
+-------------------------------
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory, which is
available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-20080924-ipc-and-ubr.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.ht…,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was found internally.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce(a)cisco.com
* first-bulletins(a)lists.first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
* comp.dcom.sys.cisco(a)newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-Sep-24 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkjaLcIACgkQ86n/Gc8U/uDLHwCeO1ZYLn/jMCO2qIX5cBhtLo46
uokAn1Q+dApUNnQOJY6Eh1cVegNVXg43
=jP+C
-----END PGP SIGNATURE-----
1
0
Cisco Security Advisory: Cisco IOS Software Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability
by Cisco Systems Product Security Incident Response Team 24 Sep '08
by Cisco Systems Product Security Incident Response Team 24 Sep '08
24 Sep '08
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Layer 2 Tunneling
Protocol (L2TP) Denial of Service Vulnerability
Advisory ID: cisco-sa-20080924-l2tp
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
Revision 1.0
For Public Release 2008 September 24 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
=======
A vulnerability exists in the Cisco IOS software implementation of
Layer 2 Tunneling Protocol (L2TP), which affects limited Cisco IOS
software releases.
Several features enable the L2TP mgmt daemon process within Cisco IOS
software, including but not limited to Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP) and Cisco Virtual Private Dial-Up
Networks (VPDN). Once this process is enabled the device is
vulnerable.
This vulnerability will result in a reload of the device when
processing a specially crafted L2TP packet.
Cisco has released free software updates that address this
vulnerability.
Workarounds that mitigate this vulnerability are available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml
Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
Affected Products
=================
All devices running affected versions of 12.2 or 12.4 Cisco IOS
system software and that have a vulnerable configuration are affected
by this vulnerability.
Vulnerable Products
+------------------
To determine if a device is vulnerable, first confirm that the device
is running an affected version of 12.2 or 12.4 Cisco IOS system
software. Then check for the process L2TP mgmt daemon running on the
device.
To determine the software version running on a Cisco product, log in
to the device and issue the show version command to display the
system banner. Cisco IOS software will identify itself as
"Internetwork Operating System Software" or simply "IOS." On the next
line of output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices
will not have the show version command or will give different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.4(11)T2:
Router#show version
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 01-May-07 04:19 by prod_rel_team
<output truncated>
Additional information on the Cisco IOS release naming conventions
can be found in the document entitled "White Paper: Cisco IOS
Reference Guide," which is available at
http://www.cisco.com/warp/public/620/1.html
To check if the process L2TP mgmt daemon is running on a device, log
into the command line interface (CLI) and issue the command show
processes | include L2TP . (NOTE: The command is case sensitive.) If
the output returns a line with the process name L2TP mgmt daemon, the
device is vulnerable. The following example shows a device running
the L2TP mgmt daemon process:
Router#show processes | include L2TP
158 Mwe 62590FE4 4 3 133322900/24000 0 L2TP mgmt daemon
Router#
The L2TP mgmt daemon is started by several different types of
configurations that may be deployed in networks that leverage the
L2TP protocol. If any of the following commands appear within a
device's configuration, show running-config, then the device will
have started the L2TP mgmt daemon and is vulnerable.
* Device is configured with Virtual Private Dial-Up Networks
(VPDN).
The command vpdn enable will appear in the device configuration.
* Device is configured for L2TP or L2TPv3 Client-Initiated VPDN
Tunneling.
The command pseudowire peer-ip-address vcid pw-class
pw-class-name " appears in the device configuration.
* Device is configured with Stack Group Bidding Protocol (SGBP).
The command sgbp group group-name will appear in the device
configuration.
* A L2TP signaling template has been defined.
The command l2tp-class l2tp-class name will appear in the device
configuration.
* Devices configured for Layer 2 Tunnel Protocol Version 3
The commands pseudowire-class pseudowire-class name and a
successfully applied interface xconnect command will appear in
the device configuration.
Products Confirmed Not Vulnerable
+--------------------------------
* Devices that are running Cisco IOS versions that are not
explicitly listed in the software table below as vulnerable, are
not affected.
* Cisco IOS XR is not affected.
* Cisco IOS XE is not affected.
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
Documented in RFC2661, L2TP and RFC3931, L2TPv3 are protocols for
tunneling network traffic between two peers over an existing network.
A device running affected 12.2 and 12.4 versions of Cisco IOS and
that has the L2TP mgmt daemon process running will reload when
processing a specially crafted L2TP packet.
Several features leverage the L2TP protocol and start the L2TP mgmt
daemon within Cisco IOS. These features have been outlined in this
advisory under the Vulnerable Products section.
This vulnerability is documented in Cisco bug ID CSCsh48879
and Common Vulnerabilities and Exposures (CVE) identifier
CVE-2008-3813 has been assigned to this vulnerability.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsh48879 - Crafted L2TP packet triggers a device reload.
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability will result in a reload
of the device. Repeated exploitation may result in an extended denial
of service (DoS) condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|--------------+----------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|--------------+-----------------------------------+----------------|
| 12.2 | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2B | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2BC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2BW | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2BX | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2BY | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2BZ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2CX | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2CY | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2CZ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2DA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2DD | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2DX | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2EW | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2EWA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2EX | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2EY | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2EZ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2FX | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2FY | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2FZ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2IRB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2IXA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2IXB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2IXC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2IXD | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2IXE | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2IXF | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2IXG | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2JA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2JK | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2MB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2MC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2S | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SBC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SCA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| | Note: Releases prior to 12.2(37) | |
| 12.2SE | SE are not vulnerable. First | 12.2(46)SE |
| | fixed in 12.2(44)SE | |
|--------------+-----------------------------------+----------------|
| 12.2SEA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SEB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SEC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SED | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SEE | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SEF | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SEG | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| | Note: Releases prior to 12.2(37) | |
| 12.2SG | SG are not vulnerable. First | 12.2(46)SG1 |
| | Fixed in 12.2(44)SG | |
|--------------+-----------------------------------+----------------|
| 12.2SGA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SL | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SM | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SO | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SRA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SRB | 12.2(33)SRB1 | 12.2(33)SRB4 |
|--------------+-----------------------------------+----------------|
| 12.2SRC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SU | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SV | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SVA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SVC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SVD | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SW | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SX | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SXA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SXB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SXD | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SXE | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SXF | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SXH | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SY | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2SZ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2T | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2TPC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XD | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XE | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XF | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XG | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XH | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XI | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XJ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XK | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XL | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XM | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XN | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XNA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XNB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XO | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XQ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XR | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XS | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XT | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XU | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XV | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2XW | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YD | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YE | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YF | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YG | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YH | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YJ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YK | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YL | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YM | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YN | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YO | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YP | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YQ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YR | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YS | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YT | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YU | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YV | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YW | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YX | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YY | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2YZ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZD | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZE | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZF | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZG | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZH | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZJ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZL | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZP | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZU | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZX | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZY | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.2ZYA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|--------------+-----------------------------------+----------------|
| 12.4 | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4JA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4JK | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4JL | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4JMA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4JMB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4JMC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4JX | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4MD | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| | Note: Releases prior to 12.4(11) | |
| 12.4MR | MR are not vulnerable. First | 12.4(19)MR |
| | fixed in 12.4(16)MR | |
|--------------+-----------------------------------+----------------|
| | | 12.4(15)SW2; |
| 12.4SW | 12.4(11)SW3 | Available on |
| | | 28-SEP-08 |
|--------------+-----------------------------------+----------------|
| | Note: Releases prior to 12.4(11)T | |
| 12.4T | are not vulnerable. First fixed | 12.4(15)T7 |
| | in 12.4(15)T | |
|--------------+-----------------------------------+----------------|
| 12.4XA | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XB | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XC | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XD | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XE | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XF | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XG | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XJ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|--------------+-----------------------------------+----------------|
| 12.4XK | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XL | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XM | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XN | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XP | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XQ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XT | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XV | Vulnerable; contact TAC | |
|--------------+-----------------------------------+----------------|
| 12.4XW | 12.4(11)XW1 | 12.4(11)XW9 |
|--------------+-----------------------------------+----------------|
| 12.4XY | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4XZ | Not Vulnerable | |
|--------------+-----------------------------------+----------------|
| 12.4YA | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
The following workarounds have been identified for this
vulnerability.
Note: L2TP implementations will need to allow UDP 1701, from trusted
addresses to infrastructure addresses. This does not provide for a
full mitigation as the source addresses may be spoofed.
Note: L2TPv3 over IP only implementations need to deny all UDP 1701
from anywhere to the infrastructure addresses.
* Infrastructure Access Control Lists
Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic
at the border of networks. Infrastructure Access Control Lists
(iACLs) are a network security best practice and should be
considered as a long-term addition to good network security as
well as a workaround for these specific vulnerabilities. The iACL
example below should be included as part of the deployed
infrastructure access-list which will protect all devices with IP
addresses in the infrastructure IP address range:
!--- Permit L2TP UDP 1701 packets from all trusted
!--- sources destined to infrastructure addresses.
!--- NOTE: This does not prevent spoofed attacks.
!--- To be a full mitigation, no trusted source
!--- addresses should be listed.
!--- Omit this line if using a L2TPv3 over IP implementation only.
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES MASK
INFRASTRUCTURE_ADDRESSES MASK eq 1701
!--- Deny L2TP UDP 1701 packets from all
!--- sources destined to infrastructure addresses.
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 1701
!--- If using a L2TPv3 over IP implementation ensure to allow L2TPv3
access-list 150 permit 115 <source_ip_address and mask>
<destination_ip_address and mask>
!--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
!--- with existing security policies and configurations
!--- Permit all other traffic to transit the device.
access-list 150 permit ip any any
!--- Apply access-list to all interfaces (only one example shown)
interface serial 2/0
ip access-group 150 in
The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and
recommended deployment techniques for infrastructure protection
access lists. This white paper can be obtained at the following
link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0…
* Control Plane Policing
Control Plane Policing (CoPP) can be used to block L2TP access to
the device. Cisco IOS software releases 12.0S, 12.2SX, 12.2S,
12.3T, 12.4, and 12.4T support the CoPP feature. CoPP can be
configured on a device to protect the management and control
planes and minimize the risk and effectiveness of direct
infrastructure attacks by explicitly permitting only authorized
traffic that is sent to infrastructure devices in accordance with
existing security policies and configurations. The CoPP example
below should be included as part of the deployed CoPP which will
protect all devices with IP addresses in the infrastructure IP
address range.
!--- Deny all trusted source L2TP UDP traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so that it
!--- will not be policed by the CoPP feature.
!--- NOTE: This does not prevent spoofed attacks.
!--- To be a full mitigation, no trusted source
!--- addresses should be listed.
!--- Omit this line if using an L2TPv3 over IP implementation only.
access-list 111 deny udp TRUSTED_SOURCE_ADDRESSES MASK
INFRASTRUCTURE_ADDRESSES MASK eq 1701
!--- Permit all L2TP UDP traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so that it
!--- will be policed and dropped by the CoPP feature
access-list 111 permit udp any INFRASTRUCTURE_ADDRESSES MASK eq 1701
!--- If using an L2TPv3 over IP implementation ensure not to drop L2TPv3
access-list 111 deny 115 <source_ip_address and mask>
<destination_ip_address and mask>
!--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!--- traffic in accordance with existing security policies and
!--- configurations for traffic that is authorized to be sent
!--- to infrastructure devices
!--- Create a Class-Map for traffic to be policed by
!--- the CoPP feature
class-map match-all drop-l2tp-class
match access-group 111
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.
policy-map drop-l2tp-traffic
class drop-l2tp-class
drop
!--- Apply the Policy-Map to the
!--- Control-Plane of the device
control-plane
service-policy input drop-l2tp-traffic
In the above CoPP example, the access control list entries (ACEs)
that match the potential exploit packets with the "permit" action
result in these packets being discarded by the policy-map "drop"
function, while packets that match the "deny" action (not shown)
are not affected by the policy-map drop function. Please note
that the policy-map syntax is different in the 12.2S and 12.0S
Cisco IOS trains:
policy-map drop-l2tp-traffic
class drop-l2tp-class
police 32000 1500 1500 conform-action drop exceed-action drop
Additional information on the configuration and use of the CoPP
feature is available at the following link:
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080924-l2tp.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.ht…,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was found by Cisco through internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce(a)cisco.com
* first-teams(a)first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
* comp.dcom.sys.cisco(a)newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-September-24 | public |
| | | release |
+----------------------------------------+
Cisco Security Procedures
==========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkjaLcgACgkQ86n/Gc8U/uC/CQCfcC70VVLkBqFMyqTqBh9mP0pu
BY4AniOvIpCfu1wKu/Zz7USner4MTUnB
=jfZd
-----END PGP SIGNATURE-----
1
0
Cisco Security Advisory: Cisco IOS MPLS Forwarding Infrastructure Denial of Service Vulnerability
by Cisco Systems Product Security Incident Response Team 24 Sep '08
by Cisco Systems Product Security Incident Response Team 24 Sep '08
24 Sep '08
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS MPLS Forwarding Infrastructure
Denial of Service Vulnerability
Advisory ID: cisco-sa-20080924-mfi
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
Revision 1.0
For Public Release 2008 September 24 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
=======
Cisco IOS Software Multi Protocol Label Switching (MPLS) Forwarding
Infrastructure (MFI) is vulnerable to a Denial of Service (DoS)
attack from specially crafted packets. Only the MFI is affected by
this vulnerability. Older Label Forwarding Information Base (LFIB)
implementation, which is replaced by MFI, is not affected.
Cisco has released free software updates that address this
vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
NOTE: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml
Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
Affected Products
=================
Devices that run Cisco IOS software (including those that support
Cisco IOS Software Modularity) and support MFI are affected if they
are configured for MPLS.
Vulnerable Products
+------------------
A device that runs Cisco IOS software and supports MFI will have
mfi_ios in the output of the show subsys command. The following
example shows output from a device that supports MFI:
Router#show subsys name mfi_ios
Class Version
mfi_ios Protocol 1.000.001
Router#
The following example shows output from a device that is configured
for MPLS:
Router#show mpls interface
Interface IP Tunnel BGP Static Operational
Ethernet0/0 Yes (ldp) No No No Yes
Router#
To determine the software running on a Cisco product, log in to the
device and issue the "show version" command to display the system
banner. Cisco IOS software will identify itself as "Internetwork
Operating System Software" or simply "IOS". On the next line of
output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices
will not have the "show version" command or will give different
output.
The following example identifies a Cisco product that is running
Cisco IOS release 12.4(11)T2:
Router#show version
Cisco IOS Software,7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 01-May-07 04:19 by prod_rel_team
<output truncated>
Additional information on the Cisco IOS release naming conventions
can be found on the document entitled "White Paper: Cisco IOS
Reference Guide", which is available at
http://www.cisco.com/warp/public/620/1.html
Products Confirmed Not Vulnerable
+--------------------------------
Devices running Cisco IOS software versions that do not include MFI
are not vulnerable.
Devices that are not configured for MPLS are not vulnerable.
Devices that are running Cisco IOS XR software are not vulnerable.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
In newer versions of Cisco IOS software, a new packet forwarding
infrastructure was introduced to improve scalability and performance.
This forwarding infrastructure, called MFI, is transparent to the
user. MFI manages MPLS data structures used for forwarding and
replaces the older implementation, Label Forwarding Information Base
(LFIB). Cisco IOS MFI implementation is vulnerable to a DoS attack
from specially crafted packets that are handled in the software path,
including transit packets that are handled in the software path. Such
packets can be sent from the local segment to the interfaces that are
configured for MPLS or via tunnel interfaces that are configured for
MPLS. To target a remote system in an MPLS network, an attacker needs
to have access to the MPLS network through an MPLS-enabled interface.
MPLS packets are dropped on interfaces that are not configured for
MPLS.
Devices that support MFI will have mfi_ios in the output of the show
subsys command. Interfaces that are enabled for MPLS can be seen by
the show mpls interface command.
More information on MFI can be found at the following link:
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_lsc_removed…
This vulnerability is documented in the Cisco Bug ID CSCsk93241
and has been assigned Common Vulnerabilities and Exposures (CVE)
ID CVE-2008-3804.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsk93241 - Chunk memory corruption on LFDp Input Proc
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of this vulnerability may result in the
reload of the device, leading to a DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+------------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|------------+--------------------------------------+---------------|
| 12.2 | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2B | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2BC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2BW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2BX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2BY | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2BZ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2CX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2CY | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2CZ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2DA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2DD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2DX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2EW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2EWA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2EX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2EY | 12.2(44)EY; Available on 16-DEC-08 | |
|------------+--------------------------------------+---------------|
| 12.2EZ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2FX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2FY | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2FZ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2IRB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2IXA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2IXB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2IXC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2IXD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2IXE | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2IXF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2IXG | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2JA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2JK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2MB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2MC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | Releases prior to 12.2(22)S are not | |
| | vulnerable. | |
| | | 12.2(33)SB2; |
| 12.2S | Release 12.2(22)S and later and | Available on |
| | prior to 12.2(30)S are vulnerable, | 26-SEP-08 |
| | | |
| | release 12.2(30)S and later are not | |
| | vulnerable | |
|------------+--------------------------------------+---------------|
| | 12.2(31)SB12 | 12.2(33)SB2; |
| 12.2SB | | Available on |
| | 12.2(33)SB | 26-SEP-08 |
|------------+--------------------------------------+---------------|
| | | 12.2(33)SB2; |
| 12.2SBC | Vulnerable; first fixed in 12.2SB | Available on |
| | | 26-SEP-08 |
|------------+--------------------------------------+---------------|
| 12.2SCA | 12.2(33)SCA1 | 12.2(33)SCA1 |
|------------+--------------------------------------+---------------|
| | 12.2(44)SE3; Available on 30-SEP-08 | |
| 12.2SE | | 12.2(46)SE |
| | 12.2(46)SE | |
|------------+--------------------------------------+---------------|
| 12.2SEA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SEB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SEC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SED | Vulnerable; first fixed in 12.2SE | 12.2(46)SE |
|------------+--------------------------------------+---------------|
| 12.2SEE | Vulnerable; first fixed in 12.2SE | 12.2(46)SE |
|------------+--------------------------------------+---------------|
| 12.2SEF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | Note: Releases prior to 12.2(25)SEG4 | |
| 12.2SEG | are vulnerable, release 12.2(25)SEG4 | 12.2(25)SEG6 |
| | and later are not vulnerable; | |
|------------+--------------------------------------+---------------|
| 12.2SG | 12.2(50)SG; Available on 24-NOV-08 | 12.2(46)SG1 |
|------------+--------------------------------------+---------------|
| 12.2SGA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SM | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SO | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | | 12.2(33)SRB4 |
| 12.2SRA | Vulnerable; first fixed in 12.2SRB | |
| | | 12.2(33)SRC2 |
|------------+--------------------------------------+---------------|
| 12.2SRB | 12.2(33)SRB4 | 12.2(33)SRB4 |
|------------+--------------------------------------+---------------|
| 12.2SRC | 12.2(33)SRC1 | 12.2(33)SRC2 |
|------------+--------------------------------------+---------------|
| 12.2SU | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SV | Vulnerable; contact TAC | |
|------------+--------------------------------------+---------------|
| 12.2SVA | Vulnerable; contact TAC | |
|------------+--------------------------------------+---------------|
| 12.2SVC | Vulnerable; contact TAC | |
|------------+--------------------------------------+---------------|
| 12.2SVD | Vulnerable; contact TAC | |
|------------+--------------------------------------+---------------|
| | Note: Releases prior to 12.2(25)SW4 | |
| 12.2SW | are vulnerable, release 12.2(25)SW4 | 12.2(25)SW12 |
| | and later are not vulnerable; | |
|------------+--------------------------------------+---------------|
| 12.2SX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SXA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SXB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SXD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SXE | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SXF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SXH | 12.2(33)SXH3 | 12.2(33)SXH3 |
|------------+--------------------------------------+---------------|
| 12.2SY | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SZ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2T | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2TPC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XE | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XG | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XH | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XI | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XJ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XM | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | | 12.2(33)SB2; |
| | | Available on |
| | | 26-SEP-08 |
| 12.2XN | Vulnerable; first fixed in 12.2SB | |
| | | 12.2(33)SRC2 |
| | | |
| | | 12.2(33)XNA2 |
|------------+--------------------------------------+---------------|
| 12.2XNA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XNB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XO | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XQ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XR | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XS | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XT | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XU | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XV | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YE | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YG | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YH | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YJ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YM | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YN | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YO | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YP | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YQ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YR | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YS | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YT | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YU | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YV | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YY | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YZ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZE | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZG | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZH | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZJ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZP | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZU | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | | 12.2(33)SB2; |
| 12.2ZX | Vulnerable; first fixed in 12.2SB | Available on |
| | | 26-SEP-08 |
|------------+--------------------------------------+---------------|
| 12.2ZY | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZYA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|------------+--------------------------------------+---------------|
| 12.4 | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JMA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JMB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JMC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4MD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4MR | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4SW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4T | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XE | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XG | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XJ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XM | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XN | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XP | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XQ | 12.4(15)XQ1 | 12.4(15)XQ1 |
|------------+--------------------------------------+---------------|
| 12.4XR | Vulnerable; migrate to any release | 12.4(15)T7 |
| | in 12.4T | |
|------------+--------------------------------------+---------------|
| 12.4XT | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XV | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XY | 12.4(15)XY4 | 12.4(15)XY4 |
|------------+--------------------------------------+---------------|
| 12.4XZ | 12.4(15)XZ1 | 12.4(15)XZ2 |
|------------+--------------------------------------+---------------|
| 12.4YA | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
MPLS is normally enabled on physical and logical interfaces that are
shared with other MPLS-enabled devices. It can be disabled on
interfaces where MPLS is not necessary and from which a potential
attack can be launched. This action may help to limit the exposure of
this vulnerability.
If it is not possible to disable MPLS on interfaces from which an
attack can be launched, there are no workarounds to mitigate this
vulnerability.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.ht…
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was found internally.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce(a)cisco.com
* first-bulletins(a)lists.first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
* comp.dcom.sys.cisco(a)newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-Sep-24 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkjaLcwACgkQ86n/Gc8U/uCKtQCeOUTNVK58br0wqCUQAa506CGJ
aWIAn3WBReM3lzWMM/+iT7SVaH6npY3E
=7zu4
-----END PGP SIGNATURE-----
1
0
Cisco Security Advisory: Multiple Multicast Vulnerabilities in Cisco IOS Software
by Cisco Systems Product Security Incident Response Team 24 Sep '08
by Cisco Systems Product Security Incident Response Team 24 Sep '08
24 Sep '08
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Multicast Vulnerabilities in Cisco
IOS Software
Advisory ID: cisco-sa-20080924-multicast
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
Revision 1.0
For Public Release 2008 September 24 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
=======
Two crafted Protocol Independent Multicast (PIM) packet
vulnerabilities exist in Cisco IOS software that may lead to a denial
of service (DoS) condition. Cisco has released free software updates
that address these vulnerabilities. Workarounds that mitigate these
vulnerabilities are available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml
Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
Affected Products
=================
Vulnerable Products
+------------------
Devices that are running Cisco IOS Software and configured for PIM
have a vulnerability related to a specially crafted PIM packet. In
addition, Cisco 12000 Series (GSR) routers running Cisco IOS Software
have a second vulnerability related to a crafted PIM packet.
The show running-config | include ip pim command can be issued to
verify that a Cisco IOS device is configured for PIM. In the
following example, the Cisco IOS router is configured for PIM
sparse-dense mode.
Router#show running-config | include ip pim
ip pim sparse-dense-mode
Note that available PIM modes on a Cisco IOS device are dense mode,
sparse mode, or sparse-dense mode. A device that is configured for
any of these modes is affected by these vulnerabilities. The mode
determines how the device populates its multicast routing table and
how multicast packets are forwarded. PIM must be enabled in one of
these modes for an interface to perform IP multicast routing. More
information on the configuration of each mode is in the "Details"
section.
Additionally, To display information about interfaces configured for
Protocol Independent Multicast (PIM), use the show ip pim interface
command in user EXEC or privileged EXEC mode, as shown in the
following example:
Router# show ip pim interface
Address Interface Ver/ Nbr Query DR DR
Mode Count Intvl Prior
10.1.0.1 GigabitEthernet0/0 v2/SD 0 30 1 10.1.0.1
10.6.0.1 GigabitEthernet0/1 v2/SD 1 30 1 10.6.0.2
In order to determine the software that runs on a Cisco IOS product,
log in to the device and issue the show version command to display
the system banner. Cisco IOS software identifies itself as
"Internetwork Operating System Software" or simply "IOS." On the next
line of output, the image name displays between parentheses, followed
by "Version" and the Cisco IOS release name. Other Cisco devices do
not have the show version command or give different output.
The following example shows output from a device that runs an IOS
image:
router>show version
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(6)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 16-May-06 16:09 by kellythw
<more output removed for brevity>
Products Confirmed Not Vulnerable
+--------------------------------
Cisco IOS devices that are not configured for PIM are not vulnerable.
Cisco IOS XR Software is not affected by this vulnerability. No other
Cisco products are currently known to be affected by this
vulnerability.
Details
=======
Two crafted Protocol Independent Multicast (PIM) packet
vulnerabilities exist in Cisco IOS Software that may lead to a denial
of service (DoS) condition. Devices that run Cisco IOS Software and
are configured for PIM are affected by the first vulnerability. Only
Cisco 12000 Series (GSR) routers that are configured for PIM are
affected by the second vulnerability.
Available PIM modes on a Cisco IOS device are dense mode, sparse
mode, or sparse-dense mode. The mode determines how the device
populates its multicast routing table and how multicast packets are
forwarded. PIM must be enabled in one of these modes for an interface
to perform IP multicast routing.
Note: There is no default mode setting. By default, multicast routing
is disabled on an interface.
To configure PIM on an interface to be in dense mode, use the
following command in interface configuration mode:
Router(config-if)# ip pim dense-mode
To configure PIM on an interface to be in sparse mode, use the
following command in interface configuration mode:
Router(config-if)# ip pim sparse-mode
To configure PIM on an interface to be in sparse-dense mode, use the
following command in interface configuration mode:
Router(config-if)# ip pim sparse-dense-mode
These vulnerabilities are documented in the following Cisco Bug IDs:
* CSCsd95616 - Crafted PIM packets may cause an IOS device to
reload
* CSCsl34355 - GSR may crash with malformed PIM packets
These vulnerabilities have been assigned the Common Vulnerabilities
and Exposures (CVE) identifiers CVE-2008-3808 and CVE-2008-3809.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsd95616 - Crafted PIM packets may cause an IOS device to reload
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsl34355 - GSR may crash with malformed PIM packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation may cause a reload of the affected device.
Repeated exploitation could result in a sustained denial of service
(DoS) condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+------------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0 | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.0(8)DA3 are | 12.2(12)DA13 |
| | vulnerable, release 12.0(8)DA3 and | |
| 12.0DA | later are not vulnerable; first fixed | 12.4(15)T7 |
| | in 12.2DA | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0DB | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0DC | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | 12.0(32)S8 | 12.0(32)S11 |
| 12.0S | | |
| | 12.0(33)S | 12.0(33)S1 |
|------------+---------------------------------------+--------------|
| | | 12.0(32)S11 |
| 12.0SC | Vulnerable; first fixed in 12.0S | |
| | | 12.0(33)S1 |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0SL | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0SP | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.0(32)S11 |
| 12.0ST | Vulnerable; first fixed in 12.0S | |
| | | 12.0(33)S1 |
|------------+---------------------------------------+--------------|
| | | 12.0(32)S11 |
| 12.0SX | Vulnerable; first fixed in 12.0S | |
| | | 12.0(33)S1 |
|------------+---------------------------------------+--------------|
| | | 12.0(32)SY7; |
| 12.0SY | 12.0(32)SY5 | Available on |
| | | 29-SEP-08 |
|------------+---------------------------------------+--------------|
| | | 12.0(32)S11 |
| 12.0SZ | 12.0(30)SZ4 | |
| | | 12.0(33)S1 |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0T | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.0W | Vulnerable; first fixed in 12.2 | 12.0(3c)W5 |
| | | (8) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.0(5)WC10 are | 12.4(15)T7 |
| 12.0WC | vulnerable, release 12.0(5)WC10 and | |
| | later are not vulnerable; first fixed | 12.4(18c) |
| | in 12.2 | |
|------------+---------------------------------------+--------------|
| 12.0WT | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XA | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XB | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.0(2)XC2 are | 12.4(15)T7 |
| 12.0XC | vulnerable, release 12.0(2)XC2 and | |
| | later are not vulnerable; first fixed | 12.4(18c) |
| | in 12.2 | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XD | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XE | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.0XF | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XG | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XH | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.0(4)XI2 are | 12.4(15)T7 |
| 12.0XI | vulnerable, release 12.0(4)XI2 and | |
| | later are not vulnerable; first fixed | 12.4(18c) |
| | in 12.2 | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XJ | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XK | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XL | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XM | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XN | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XQ | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XR | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.0XS | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XT | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XV | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1 | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1AA | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.1AX | Vulnerable; first fixed in 12.2EY | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.1(22)AY1 are | 12.1(22)EA12 |
| 12.1AY | vulnerable, release 12.1(22)AY1 and | |
| | later are not vulnerable; first fixed | 12.2(46)SE |
| | in 12.1EA | |
|------------+---------------------------------------+--------------|
| 12.1AZ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1CX | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(12)DA13 |
| | | |
| 12.1DA | Vulnerable; first fixed in 12.2DA | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1DB | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1DC | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.1E | 12.1(27b)E2 | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.1EA | 12.1(22)EA10 | 12.1(22)EA12 |
|------------+---------------------------------------+--------------|
| 12.1EB | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SCA1 |
| 12.1EC | Vulnerable; first fixed in 12.3BC | |
| | | 12.3(23)BC4 |
|------------+---------------------------------------+--------------|
| 12.1EO | Vulnerable; first fixed in 12.2SV | |
|------------+---------------------------------------+--------------|
| | | 12.2(25) |
| | | EWA14 |
| 12.1EU | Vulnerable; first fixed in 12.2EWA | |
| | | 12.2(31)SGA8 |
| | | |
| | | 12.2(46)SG1 |
|------------+---------------------------------------+--------------|
| 12.1EV | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.2(25) |
| | | EWA14 |
| | | |
| | | 12.2(31)SGA8 |
| 12.1EW | Vulnerable; first fixed in 12.2 | |
| | | 12.2(46)SG1 |
| | | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1EX | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.1EY | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.2(18) |
| | | SXF15 |
| 12.1EZ | Vulnerable; first fixed in 12.1E | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1GA | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1GB | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1T | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XA | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XB | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XC | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XD | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XE | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XF | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XG | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XH | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XI | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XJ | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XL | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XM | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XP | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XQ | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XR | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XS | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XT | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XU | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XV | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XW | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XX | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XY | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XZ | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1YA | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1YB | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1YC | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1YD | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.1(5)YE6 are | 12.4(15)T7 |
| 12.1YE | vulnerable, release 12.1(5)YE6 and | |
| | later are not vulnerable; first fixed | 12.4(18c) |
| | in 12.2 | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1YF | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1YH | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.1YI | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.1YJ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|------------+---------------------------------------+--------------|
| | 12.2(26c) | |
| | | |
| | 12.2(27c) | |
| | | 12.4(15)T7 |
| 12.2 | 12.2(28d) | |
| | | 12.4(18c) |
| | 12.2(29b) | |
| | | |
| | 12.2(46) | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2B | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SCA1 |
| | | |
| | | 12.3(23)BC4 |
| 12.2BC | Vulnerable; first fixed in 12.3 | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2BW | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| | | Available on |
| | | 26-SEP-08 |
| 12.2BX | Vulnerable; first fixed in 12.3 | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2BY | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2BZ | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SCA1 |
| | | |
| | | 12.3(23)BC4 |
| 12.2CX | Vulnerable; first fixed in 12.3 | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SCA1 |
| | | |
| | | 12.3(23)BC4 |
| 12.2CY | Vulnerable; first fixed in 12.3 | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| 12.2CZ | Vulnerable; first fixed in 12.2S | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| | 12.2(10)DA9 | |
| 12.2DA | | 12.2(12)DA13 |
| | 12.2(12)DA13 | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2DD | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2DX | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(25) |
| | | EWA14 |
| 12.2EW | Vulnerable; first fixed in 12.2EWA | |
| | | 12.2(31)SGA8 |
| | | |
| | | 12.2(46)SG1 |
|------------+---------------------------------------+--------------|
| | 12.2(25)EWA10 | 12.2(25) |
| 12.2EWA | | EWA14 |
| | 12.2(25)EWA11 | |
|------------+---------------------------------------+--------------|
| 12.2EX | 12.2(37)EX | 12.2(35)EX2 |
|------------+---------------------------------------+--------------|
| 12.2EY | 12.2(37)EY | |
|------------+---------------------------------------+--------------|
| 12.2EZ | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2FX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2FY | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2FZ | Vulnerable; first fixed in 12.2SE | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2IRB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2IXA | Vulnerable; migrate to any release in | 12.2(18)IXG |
| | 12.2IXE | |
|------------+---------------------------------------+--------------|
| 12.2IXB | Vulnerable; migrate to any release in | 12.2(18)IXG |
| | 12.2IXE | |
|------------+---------------------------------------+--------------|
| 12.2IXC | Vulnerable; migrate to any release in | 12.2(18)IXG |
| | 12.2IXE | |
|------------+---------------------------------------+--------------|
| 12.2IXD | Vulnerable; migrate to any release in | 12.2(18)IXG |
| | 12.2IXE | |
|------------+---------------------------------------+--------------|
| 12.2IXE | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2IXF | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2IXG | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2JA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2JK | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.2(25)SW12 |
| | | |
| 12.2MB | Vulnerable; first fixed in 12.2SW | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2MC | 12.2(15)MC2i | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | 12.2(14)S18 | |
| | | |
| | 12.2(18)S13 | 12.2(33)SB2; |
| 12.2S | | Available on |
| | 12.2(20)S13 | 26-SEP-08 |
| | | |
| | 12.2(25)S13 | |
|------------+---------------------------------------+--------------|
| | 12.2(28)SB7 | |
| | | 12.2(33)SB2; |
| 12.2SB | 12.2(31)SB5 | Available on |
| | | 26-SEP-08 |
| | 12.2(33)SB | |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| 12.2SBC | Vulnerable; first fixed in 12.2SB | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| 12.2SCA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | 12.2(35)SE4 | |
| 12.2SE | | 12.2(46)SE |
| | 12.2(37)SE | |
|------------+---------------------------------------+--------------|
| 12.2SEA | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2SEB | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2SEC | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2SED | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2SEE | 12.2(25)SEE4 | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2SEF | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SEG | 12.2(25)SEG3 | 12.2(25)SEG6 |
|------------+---------------------------------------+--------------|
| | 12.2(25)SG3 | |
| | | |
| 12.2SG | 12.2(31)SG3 | 12.2(46)SG1 |
| | | |
| | 12.2(37)SG | |
|------------+---------------------------------------+--------------|
| 12.2SGA | 12.2(31)SGA2 | 12.2(31)SGA8 |
|------------+---------------------------------------+--------------|
| 12.2SL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SM | 12.2(29)SM3 | 12.2(29)SM4 |
|------------+---------------------------------------+--------------|
| 12.2SO | Vulnerable; first fixed in 12.2SV | |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SRB4 |
| 12.2SRA | 12.2(33)SRA4 | |
| | | 12.2(33)SRC2 |
|------------+---------------------------------------+--------------|
| 12.2SRB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SRC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2SU | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2SV | 12.2(29b)SV1 | |
|------------+---------------------------------------+--------------|
| 12.2SVA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SVC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SVD | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SW | 12.2(25)SW12 | 12.2(25)SW12 |
|------------+---------------------------------------+--------------|
| 12.2SX | Vulnerable; first fixed in 12.2SXF | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.2SXA | Vulnerable; first fixed in 12.2SXF | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.2SXB | Vulnerable; first fixed in 12.2SXF | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.2SXD | Vulnerable; first fixed in 12.2SXF | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.2SXE | Vulnerable; first fixed in 12.2SXF | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.2SXF | 12.2(18)SXF9 | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| | Not Vulnerable | |
| 12.2SXH | | |
| | http://www.cisco.com/go/pn | |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| 12.2SY | Vulnerable; first fixed in 12.2S | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| 12.2SZ | Vulnerable; first fixed in 12.2S | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2T | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2TPC | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XA | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XB | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XC | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XD | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XE | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SCA1 |
| | | |
| | | 12.3(23)BC4 |
| 12.2XF | Vulnerable; first fixed in 12.3 | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.2(2)XG1 are | 12.4(15)T7 |
| 12.2XG | vulnerable, release 12.2(2)XG1 and | |
| | later are not vulnerable; first fixed | 12.4(18c) |
| | in 12.3 | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XH | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XI | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XJ | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XK | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XL | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XM | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| | | Available on |
| | | 26-SEP-08 |
| 12.2XN | 12.2(33)XN1 | |
| | | 12.2(33)SRC2 |
| | | |
| | | 12.2(33)XNA2 |
|------------+---------------------------------------+--------------|
| 12.2XNA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XNB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XO | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XQ | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.2(15)XR are | 12.3(8)JEA3 |
| | vulnerable, release 12.2(15)XR and | |
| 12.2XR | later are not vulnerable; first fixed | 12.4(15)T7 |
| | in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XS | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XT | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XU | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XV | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XW | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2YA | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2YB | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YC | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YD | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YE | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YF | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YG | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YH | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YJ | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YK | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YL | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2YM | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2YN | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YO | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2YP | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2YQ | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YR | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YS | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2YT | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YU | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YV | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YW | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YX | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YY | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YZ | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZA | Vulnerable; first fixed in 12.2SXF | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.2ZB | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZC | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZD | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2ZE | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2ZF | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2ZG | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2ZH | 12.2(13)ZH9 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2ZJ | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZL | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZP | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZU | Vulnerable; migrate to any release in | 12.2(33)SXH3 |
| | 12.2SXH | |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| 12.2ZX | Vulnerable; first fixed in 12.2SB | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| 12.2ZY | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2ZYA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|------------+---------------------------------------+--------------|
| | 12.3(17c) | |
| | | |
| | 12.3(18a) | |
| | | 12.4(15)T7 |
| 12.3 | 12.3(19a) | |
| | | 12.4(18c) |
| | 12.3(20a) | |
| | | |
| | 12.3(21) | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3B | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | 12.3(17b)BC6 | |
| 12.3BC | | 12.3(23)BC4 |
| | 12.3(21)BC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3BW | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3EU | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JEA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JEB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JEC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JK | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3T | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3TPC | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.3VA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XA | 12.3(2)XA7 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3XB | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XC | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XD | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XE | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3XF | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XG | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| 12.3XI | 12.3(7)XI10 | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| | | 12.3(14)YX13 |
| 12.3XJ | Vulnerable; first fixed in 12.3YX | |
| | | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XK | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XL | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XQ | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XR | 12.3(7)XR7 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XS | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3XU | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.3(14)YX13 |
| 12.3XW | Vulnerable; first fixed in 12.3YX | |
| | | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XX | 12.3(8)XX2d | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XY | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XZ | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3YA | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3YD | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.3(14)YX13 |
| 12.3YF | Vulnerable; first fixed in 12.3YX | |
| | | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YG | 12.3(8)YG6 | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YH | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YI | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YJ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YK | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.3(14) |
| 12.3YM | 12.3(14)YM10 | YM13; |
| | | Available on |
| | | 30-SEP-08 |
|------------+---------------------------------------+--------------|
| 12.3YQ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YS | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YT | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.4(2)XB10 |
| | | |
| 12.3YU | Vulnerable; first fixed in 12.4XB | 12.4(9)XG3 |
| | | |
| | | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YX | 12.3(14)YX8 | 12.3(14)YX13 |
|------------+---------------------------------------+--------------|
| 12.3YZ | 12.3(11)YZ3 | |
|------------+---------------------------------------+--------------|
| 12.3ZA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|------------+---------------------------------------+--------------|
| | 12.4(10c) | |
| | | |
| | 12.4(12) | |
| | | |
| | 12.4(3h) | |
| 12.4 | | 12.4(18c) |
| | 12.4(5c) | |
| | | |
| | 12.4(7e) | |
| | | |
| | 12.4(8d) | |
|------------+---------------------------------------+--------------|
| 12.4JA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JK | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JMA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JMB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JMC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4MD | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4MR | 12.4(11)MR | 12.4(19)MR |
|------------+---------------------------------------+--------------|
| 12.4SW | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | 12.4(11)T | |
| | | |
| | 12.4(2)T6 | |
| | | |
| 12.4T | 12.4(4)T8 | 12.4(15)T7 |
| | | |
| | 12.4(6)T7 | |
| | | |
| | 12.4(9)T3 | |
|------------+---------------------------------------+--------------|
| 12.4XA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.4XB | 12.4(2)XB6 | 12.4(2)XB10 |
|------------+---------------------------------------+--------------|
| 12.4XC | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.4(4)XD11; |
| 12.4XD | 12.4(4)XD8 | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| 12.4XE | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.4XF | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XG | 12.4(9)XG2 | 12.4(9)XG3 |
|------------+---------------------------------------+--------------|
| 12.4XJ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XK | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XM | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XN | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XP | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.4XQ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XR | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XT | 12.4(6)XT2 | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.4XV | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XW | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XY | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XZ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4YA | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
Specifying trusted PIM neighbors is a workaround for both
vulnerabilities. A PIM router must receive PIM Hellos to establish
PIM neighborship. PIM neighborship is also the basis for designated
router (DR) election, DR failover, and accepting/sending PIM Join/
Prune/Assert messages. To specify trusted PIM neighbors, use the ip
pim neighbor-filter command, as shown in the following example:
Router(config)#access-list 1 permit host 10.10.10.123
!-- An access control list is created to allow a trusted PIM neighbor
!-- in this example the neighbor is 10.10.10.123
!
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip pim neighbor-filter 1
!-- The PIM neighbor filter is then applied to the respective interface(s)
The ip pim neighbor-filter command filters PIM packets from untrusted
devices including Hellos, Join/Prune, and BSR packets.
Note: The vulnerabilities described in this document can be exploited
by spoofed IP packets if the attacker knows the IP address of the
trusted PIM neighbors listed in the ip pim neighbor-filter
implementation.
To protect infrastructure devices and minimize the risk, impact, and
effectiveness of direct infrastructure attacks, administrators are
advised to deploy ACLs to perform policy enforcement of traffic sent
to core infrastructure equipment. PIM is IP protocol 103. As an
additional workaround, administrators can explicitly permit only
authorized PIM (IP protocol 103) traffic sent to infrastructure
devices in accordance with existing security policies and
configurations. An ACL can be deployed as shown in the following
example:
ip access-list extended Infrastructure-ACL-Policy
!
!-- When applicable, include explicit permit statements for trusted
!-- sources that require access on the vulnerable protocol
!-- PIM routers need to communicate with the rendezvous point (RP).
!-- In this example, 192.168.100.1 is the IP address of the
!-- rendezvous point, which is a trusted host that requires access
!-- to and from the affected PIM devices.
!
permit pim host 192.168.100.1 192.168.60.0 0.0.0.255
permit pim 192.168.60.0 0.0.0.255 host 192.168.100.1
!
!-- Permit PIM segment traffic, packets have destination of:
!-- 224.0.0.13 (PIMv2)
!-- 224.0.0.2 (Required only by legacy PIMv1)
!
permit pim 192.168.60.0 0.0.0.255 host 224.0.0.13
permit pim 192.168.60.0 0.0.0.255 host 224.0.0.2
!
!-- The following vulnerability-specific access control entries
!-- (ACEs) can aid in identification of attacks
!
deny pim any 192.168.60.0 0.0.0.255
!
!-- Explicit deny ACE for traffic sent to addresses configured within
!-- the infrastructure address space
!
deny ip any 192.168.60.0 0.0.0.255
!
!-- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations
!
!-- Apply iACL to interfaces in the ingress direction
!
interface GigabitEthernet0/0
ip access-group Infrastructure-ACL-Policy in
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.ht…
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were found during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce(a)cisco.com
* first-bulletins(a)lists.first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
* comp.dcom.sys.cisco(a)newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-September-24 | public |
| | | release |
+----------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkjaLdEACgkQ86n/Gc8U/uBLYQCfbFNaZROaq5OZX5KzZAVwv0gr
oBwAoJeb3PdxAWcVg3sBKladJgqbb1oy
=f4p/
-----END PGP SIGNATURE-----
1
0