Test
Threads by month
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2003 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2002 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2001 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2000 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1999 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1998 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1997 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1996 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1995 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1994 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1993 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1992 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
March 2012
- 371 participants
- 169 discussions
Hi all,
I'm Bingyang Liu, a ph.d student in Tsinghua University. My thesis topic is
on "source address validation".
Although BCP38 was proposed more than ten years ago, IP spoofing still
remains an attack vector [MIT-Spoofer] [ARBOR-Annual-Report] [Presentation
on NANOG Meeting] [Discussion in NANOG ML].
I did a lot investigation, but still have no idea why so many ISPs haven't
deploy BCP38. I enumerate three reasons I found, and I'd like your comments
very much.
1. Stub ASes: They rely on their providers to filter, so they won't deploy
BCP38 on their own.
2. Low tier transit ASes: They are most likely to deploy BCP38 on the
interfaces towards their customers.
3. Large or tier1 ASes: Their peers and customers are also large. So uRPF
may have false positive and ACLs are too large to manage.
I also asked some ISP guys in IETF today, they all agreed that IP spoofing
is an issue, but they may haven't deployed it. One key issue, I think, is
about incentive. i.e. you can filter, but you'll still receive spoofing
from providers and peers who haven't enforced BCP38.
best
Bingyang
--
Bingyang Liu
Network Architecture Lab, Network Center,Tsinghua Univ.
Beijing, China
Home Page: http://netarchlab.tsinghua.edu.cn/~liuby
24
45
29 Mar '12
Hey All,
I have a site in Alabama that could really use some additional
diversity, but apparently ATT fiber is the only game in town.
If anybody has any options, such as fixed wireless in the 10-50mbs,
please reply to me, off-list.
Best,
Joe
36
78
29 Mar '12
This sharing can be done at a layer-3 or as you say at the time slot level or lambda level. It's no different than what is happening with the copper already. It's not like they have to give it away for free. They just have to offer it to other carriers at cost. This will hopefully provide more of a competitive market. But I don't see Verizon giving into it, nor Comcast or any other provider that has fiber. Verizon campaigned hard to have fiber removed from the equal access legalize so like most of these other large companies, they don't want to share their new toy with the other children.
-John
Keegan Holley <keegan.holley(a)sungard.com> wrote:
>2012/3/22 Jared Mauch <jared(a)puck.nether.net>
>
>>
>> On Mar 22, 2012, at 11:05 AM, chris wrote:
>>
>> > I'm all for VZ being able to reclaim it as long as they open their fiber
>> > which I don't see happening unless its by force via government. At the
>> end
>> > of the day there needs to be the ability to allow competitors in so of
>> > course they shouldnt be allowed to rip out the regulated part and replace
>> > it with a unregulated one.
>>
>
>
>Maybe I'm missing something, but how exactly does one share fiber? Isn't
>it usually a closed loop between DWDM or Sonet nodes? It doesn't seem fair
>to force the incumbents to start handing out lambdas and timeslots to their
>competitors on the business side. I guess passive optical can be shared
>depending on the details of the network, but that would still be much
>different than sharing copper pairs.
24
62
Hello,
can anyone confirm why IF-MIB::ifHighSpeed should return 0 for aggregates
of 10 Gbit/s ports?
My google-foo led me to several topics on "use ifHighSpeed to 10 Gbit/s",
but none is clear on 10 Gbit/s aggregated.
So far I could only find references pointing to IEEE Std 802.1AX-2008
clause 6.3.1.1.16 (aAggDataRate),
mapping to IF-MIB::ifSpeed, which is locked in 4,294,967,295 (Gauge32). In
this same standard it is very specific
about ifHighSpeed: "Set to zero.".
Or, more directly: how can one find current speed of a 10Gb/s+ link
aggregate port?
Please, answer me off-list and I promise to summarize an answer... :)
Thanks in advance.
Felipe
1
1
Cisco Security Advisory: Cisco IOS Software Command Authorization Bypass
by Cisco Systems Product Security Incident Response Team 28 Mar '12
by Cisco Systems Product Security Incident Response Team 28 Mar '12
28 Mar '12
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco IOS Software Command Authorization Bypass
Advisory ID: cisco-sa-20120328-pai
Revision 1.0
For Public Release 2012 March 28 16:00 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
A vulnerability exists in the Cisco IOS Software that may allow a
remote application or device to exceed its authorization level when
authentication, authorization, and accounting (AAA) authorization is
used. This vulnerability requires that the HTTP or HTTPS server is
enabled on the Cisco IOS device.
Products that are not running Cisco IOS Software are not vulnerable.
Cisco has released free software updates that address these
vulnerabilities.
The HTTP server may be disabled as a workaround for the vulnerability
described in this advisory.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Note: The March 28, 2012, Cisco IOS Software Security Advisory
bundled publication includes nine Cisco Security Advisories. Each
advisory lists the Cisco IOS Software releases that correct the
vulnerability or vulnerabilities detailed in the advisory as well as
the Cisco IOS Software releases that correct all vulnerabilities in
the March 2012 bundled publication.
Individual publication links are in "Cisco Event Response:
Semi-Annual Cisco IOS Software Security Advisory Bundled Publication"
at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html
Affected Products
=================
Vulnerable Products
+------------------
Any device running Cisco IOS Software release after 12.2 that has an
HTTP or HTTPS server configured is affected by this vulnerability if
AAA authorization is used.
To determine if an HTTP or HTTP server is configured with an HTTP or
HTTPS server, issue the show ip http server status | include status
command. The following example illustrates a Cisco IOS device with an
HTTPS server enabled and the HTTP server disabled.
Router> show ip http server status | include status
HTTP server status: Disabled
HTTP secure server status: Enabled
To determine if AAA authorization is used, an administrator can log
in to the device and issue the show run | include aaa authorization
command in privileged EXEC mode. If there is an entry that shows aaa
authorization commands, as shown in the following example, then AAA
authorization is configured.
Router# show run | include aaa authorization commands
aaa authorization commands 0 default local group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default local
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 15.0(1)M1 with an installed image name of
C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS and NX-OS
Software Reference Guide" at:
http://www.cisco.com/web/about/security/intelligence/ios-ref.html
Products Confirmed Not Vulnerable
+--------------------------------
If you are not running Cisco IOS or IOS XE software, you are not
affected by this vulnerability. Devices that are not using AAA
authorization or that do not have an HTTP or HTTPS server configured
are not affected by this vulnerability.
Cisco IOS XR is not affected by this vulnerability.
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
Cisco IOS allows remote applications to administer and monitor
devices running Cisco IOS Software over an HTTP or HTTPS connection.
A vulnerability exists that may allow the Cisco IOS command
authorization to be bypassed, allowing a remote, authenticated HTTP
or HTTPS session to execute any Cisco IOS command that is configured
for their authorization level. This vulnerability does not allow
unauthenticated access; a valid username and password are required to
successfully exploit this vulnerability. Additionally, the
vulnerability does not allow a user to execute commands that are not
configured for their privilege level.
The HTTP server is enabled by default for cluster configurations and
on the following Cisco switches: Catalyst 3700 series, Catalyst 3750
series, Catalyst 3550 series, Catalyst 3560 series, and Catalyst 2950
series.
More information on AAA authorization can be found at:
http://www.cisco.com/en/US/docs/ios/12_2t/secure/command/reference/sftauth.…
Releases of Cisco IOS Software after release 12.2 are potentially
vulnerable. Please refer to the release table below for more
information.
This vulnerability is documented as Cisco Bug ID CSCtr91106
and has been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2012-0384.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerability in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* Command Authorization Fails for commands delivered over HTTP
CVSS Base Score - 8.5
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may allow the Cisco IOS
command authorization to be bypassed, allowing a remote,
authenticated HTTP or HTTPS session to execute any Cisco IOS command
that is configured for its authorization level.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt and review subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised
to contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
Cisco IOS Software
+-----------------
Each row of the following Cisco IOS Software table corresponds to a
Cisco IOS Software train. If a particular train is vulnerable, the
earliest releases that contain the fix are listed in the First Fixed
Release column. The First Fixed Release for All Advisories in the
March 2012 Bundled Publication column lists the earliest possible
releases that correct all the published vulnerabilities in the Cisco
IOS Software Security Advisory bundled publication. Cisco recommends
upgrading to the latest available release, where possible.
The Cisco IOS Software Checker allows customers to search for Cisco
Security Advisories that address specific Cisco IOS Software
releases. This tool is available on the Cisco Security Intelligence
Operations (SIO) portal at:
http://tools.cisco.com/security/center/selectIOSVersion.x
+------------------------------------------+
| Major | Availability of |
| Release | Repaired Releases |
|------------+-----------------------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 12.0-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------------------------------------|
| There are no affected 12.0 based |
| releases |
|------------------------------------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 12.2-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2 | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2B | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2BC | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2BW | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2BX | Not | First fixed |
| | vulnerable | in Release |
| | | 12.2SB |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2BY | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2BZ | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2CX | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2CY | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2CZ | Not | First fixed |
| | vulnerable | in Release |
| | | 12.0S |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2DA | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2DD | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2DX | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2EU | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | |
| | contact your | |
| | support | |
| | organization | Vulnerable; |
| | per the | contact your |
| | instructions | support |
| | in Obtaining | organization |
| | Fixed | per the |
| 12.2EW | Software | instructions |
| | section of | in Obtaining |
| | this | Fixed |
| | advisory. | Software |
| | Releases up | section of |
| | to and | this |
| | including | advisory. |
| | 12.2(20)EWA4 | |
| | are not | |
| | vulnerable. | |
|------------+--------------+--------------|
| | Vulnerable; | |
| | contact your | |
| | support | |
| | organization | Vulnerable; |
| | per the | contact your |
| | instructions | support |
| | in Obtaining | organization |
| | Fixed | per the |
| 12.2EWA | Software | instructions |
| | section of | in Obtaining |
| | this | Fixed |
| | advisory. | Software |
| | Releases up | section of |
| | to and | this |
| | including | advisory. |
| | 12.2(20)EWA4 | |
| | are not | |
| | vulnerable. | |
|------------+--------------+--------------|
| | Vulnerable; | |
| | First fixed | |
| | in Release | |
| | 15.0SE | Vulnerable; |
| 12.2EX | Releases up | First fixed |
| | to and | in Release |
| | including | 15.0SE |
| | 12.2(25)EX1 | |
| | are not | |
| | vulnerable. | |
|------------+--------------+--------------|
| 12.2EY | 12.2(52)EY4 | 12.2(52)EY4 |
| | 12.2(58)EY2 | |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2EZ | First fixed | First fixed |
| | in Release | in Release |
| | 15.0SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2FX | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2FY | First fixed | First fixed |
| | in Release | in Release |
| | 15.0SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2FZ | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2IRA | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2IRB | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2IRC | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2IRD | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2IRE | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2IRF | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.2IRG | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2IRH | 12.2(33)IRH1 | instructions |
| | | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2IXA | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2IXB | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2IXC | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2IXD | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2IXE | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2IXF | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2IXG | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2IXH | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| 12.2JA | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| 12.2JK | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2MB | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2MC | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2MRA | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.2MRB | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | | Releases |
| | | prior to |
| | | 12.2(30)S |
| | | are |
| | | vulnerable; |
| | Not | Releases |
| 12.2S | vulnerable | 12.2(30)S |
| | | and later |
| | | are not |
| | | vulnerable. |
| | | First fixed |
| | | in Release |
| | | 12.0S |
|------------+--------------+--------------|
| 12.2SB | 12.2(33)SB12 | 12.2(33)SB12 |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2SBC | Not | First fixed |
| | vulnerable | in Release |
| | | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SCA | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SCE | 12.2SCE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SCB | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SCE | 12.2SCE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SCC | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SCE | 12.2SCE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SCD | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SCE | 12.2SCE |
|------------+--------------+--------------|
| 12.2SCE | 12.2(33)SCE5 | 12.2(33)SCE6 |
|------------+--------------+--------------|
| 12.2SCF | 12.2(33)SCF2 | 12.2(33)SCF2 |
|------------+--------------+--------------|
| | | |
| 12.2SE | 12.2(55)SE5 | 12.2(55)SE5 |
| | | * |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SEA | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SEB | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SEC | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SED | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SEE | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SEF | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SEG | First fixed | First fixed |
| | in Release | in Release |
| | 15.0SE | 15.0SE |
|------------+--------------+--------------|
| | 12.2(53)SG7; | 12.2(53)SG7; |
| 12.2SG | Available on | Available on |
| | 07-MAY-12 | 07-MAY-12 |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | Vulnerable; | per the |
| 12.2SGA | First fixed | instructions |
| | in Release | in Obtaining |
| | 12.2SG | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| 12.2SL | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SM | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SO | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.2SQ | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SRA | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SRB | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SRC | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2SRD | 12.2(33)SRD8 | First fixed |
| | | in Release |
| | | 12.2SRE |
|------------+--------------+--------------|
| 12.2SRE | 12.2(33)SRE6 | 12.2(33)SRE6 |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.2STE | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2SU | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Releases up |
| | | to and |
| 12.2SV | Not | including |
| | vulnerable | 12.2(18)SV2 |
| | | are not |
| | | vulnerable. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SVA | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SVC | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SVD | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SVE | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2SW | Not | First fixed |
| | vulnerable | in Release |
| | | 12.4T |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SX | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SXA | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SXB | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SXD | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SXE | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SXF | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.2SXH | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| 12.2SXI | 12.2(33)SXI9 | 12.2(33)SXI9 |
|------------+--------------+--------------|
| 12.2SXJ | 12.2(33)SXJ2 | 12.2(33)SXJ2 |
|------------+--------------+--------------|
| | 12.2(50)SY2; | |
| | Available on | |
| | 11-JUN-12 | |
| | Releases up | 12.2(50)SY2; |
| 12.2SY | to and | Available on |
| | including | 11-JUN-12 |
| | 12.2(14)SY5 | |
| | are not | |
| | vulnerable. | |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2SZ | Not | First fixed |
| | vulnerable | in Release |
| | | 12.0S |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2T | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2TPC | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XA | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XB | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XC | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XD | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XE | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XF | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XG | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XH | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XI | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XJ | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XK | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XL | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XM | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | Please see | Please see |
| 12.2XNA | Cisco IOS-XE | Cisco IOS-XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| | Please see | Please see |
| 12.2XNB | Cisco IOS-XE | Cisco IOS-XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| | Please see | Please see |
| 12.2XNC | Cisco IOS-XE | Cisco IOS-XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| | Please see | Please see |
| 12.2XND | Cisco IOS-XE | Cisco IOS-XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| | Please see | Please see |
| 12.2XNE | Cisco IOS-XE | Cisco IOS-XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| | Please see | Please see |
| 12.2XNF | Cisco IOS-XE | Cisco IOS-XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | Vulnerable; | per the |
| 12.2XO | First fixed | instructions |
| | in Release | in Obtaining |
| | 12.2SG | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XQ | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Releases |
| | | prior to |
| | | 12.2(15)XR |
| | | are |
| | | vulnerable; |
| | Not | Releases |
| 12.2XR | vulnerable | 12.2(15)XR |
| | | and later |
| | | are not |
| | | vulnerable. |
| | | First fixed |
| | | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XS | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XT | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XU | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XV | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XW | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2YA | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YC | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YD | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YE | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YK | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YO | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | First fixed |
| | | in Release |
| | | 15.0M |
| 12.2YP | Not | Releases up |
| | vulnerable | to and |
| | | including |
| | | 12.2(8)YP |
| | | are not |
| | | vulnerable. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YT | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YW | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YX | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YY | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YZ | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2ZA | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2ZB | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2ZC | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2ZD | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2ZE | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2ZH | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2ZJ | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2ZP | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2ZU | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2ZX | Not | First fixed |
| | vulnerable | in Release |
| | | 12.2SRE |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2ZY | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2ZYA | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 12.3-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3 | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3B | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3BC | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SCE | 12.2SCE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3BW | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3JA | First fixed | First fixed |
| | in Release | in Release |
| | 12.4JA | 12.4JA |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.3JEA | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.3JEB | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.3JEC | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.3JED | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3JK | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.3JL | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| 12.3JX | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3T | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.3TPC | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| 12.3VA | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XA | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.3XB | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XC | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XD | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XE | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.3XF | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XG | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XI | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SB | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XJ | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XK | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XL | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XQ | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XR | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XU | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 12.4T |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XW | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XX | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XY | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XZ | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YD | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YF | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YG | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YI | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YJ | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YK | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YM | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YQ | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YS | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YT | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YU | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YX | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.3YZ | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3ZA | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 12.4-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| | 12.4(25g); | Vulnerable; |
| 12.4 | Available on | First fixed |
| | 19-SEP-12 | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4GC | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | 12.4(23c)JA4 | |
| | 12.4(25d) | 12.4(23c) |
| 12.4JA | JA2; | JA412.4(25e) |
| | Available on | JA |
| | 01-AUG-12 | |
| | 12.4(25e)JA | |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4JAX | First fixed | First fixed |
| | in Release | in Release |
| | 12.4JA | 12.4JA |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4JDA | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4JDC | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4JDD | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4JDE | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4JHA | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4JHB | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4JHC | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4JK | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4JL | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4JX | First fixed | First fixed |
| | in Release | in Release |
| | 12.4JA | 12.4JA |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4JY | First fixed | First fixed |
| | in Release | in Release |
| | 12.4JA | 12.4JA |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4JZ | First fixed | First fixed |
| | in Release | in Release |
| | 12.4JA | 12.4JA |
|------------+--------------+--------------|
| | 12.4(22)MD3; | 12.4(22)MD3; |
| 12.4MD | Available on | Available on |
| | 30-MAR-12 | 30-MAR-12 |
|------------+--------------+--------------|
| 12.4MDA | 12.4(24) | 12.4(24) |
| | MDA11 | MDA11 |
|------------+--------------+--------------|
| 12.4MDB | 12.4(24) | 12.4(24) |
| | MDB5a | MDB5a |
|------------+--------------+--------------|
| 12.4MDC | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4MR | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4MRA | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4MRB | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4SW | 12.4(15)SW8a | First fixed |
| | | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | 12.4(15)T17 | 12.4(15)T17 |
| 12.4T | 12.4(24)T7 | 12.4(24)T7 |
| | | |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XA | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XB | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 12.4T |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XC | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XD | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XE | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XF | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XG | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XJ | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XK | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4XL | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XM | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4XN | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4XP | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XQ | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XR | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 12.4T |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XT | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4XV | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XW | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XY | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XZ | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4YA | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4YB | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4YD | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| 12.4YE | 12.4(24)YE3d | 12.4(24)YE3d |
|------------+--------------+--------------|
| 12.4YG | 12.4(24)YG4 | 12.4(24)YG4 |
|------------+--------------+--------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 15.0-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| 15.0M | 15.0(1)M8 | 15.0(1)M8 |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 15.0MR | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 15.0MRA | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | 15.0(1)S5 | 15.0(1)S5 |
| | Cisco IOS XE | Cisco IOS XE |
| | devices: | devices: |
| 15.0S | Please see | Please see |
| | Cisco IOS XE | Cisco IOS XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| 15.0SA | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | 15.0(1)SE1 | |
| 15.0SE | 15.0(2)SE; | 15.0(1)SE1 |
| | Available on | |
| | 06-AUG-12 | |
|------------+--------------+--------------|
| | 15.0(2)SG2 | 15.0(2)SG2 |
| | Cisco IOS XE | Cisco IOS XE |
| | devices: | devices: |
| 15.0SG | Please see | Please see |
| | Cisco IOS XE | Cisco IOS XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| 15.0SY | 15.0(1)SY1 | 15.0(1)SY1 |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 15.0XA | First fixed | First fixed |
| | in Release | in Release |
| | 15.1T | 15.1T |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | First fixed | First fixed |
| | in Release | in Release |
| | 15.0SG Cisco | 15.0SG Cisco |
| 15.0XO | IOS XE | IOS XE |
| | devices: | devices: |
| | Please see | Please see |
| | Cisco IOS XE | Cisco IOS XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 15.1-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| 15.1EY | 15.1(2)EY1a | 15.1(2)EY2 |
|------------+--------------+--------------|
| 15.1GC | 15.1(2)GC2 | 15.1(2)GC2 |
|------------+--------------+--------------|
| | 15.1(4)M2 | 15.1(4)M4; |
| 15.1M | | Available on |
| | | 30-MAR-12 |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 15.1MR | 15.1(1)MR3 | instructions |
| | | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | 15.1(3)S2 | 15.1(3)S2 |
| | Cisco IOS XE | Cisco IOS XE |
| | devices: | devices: |
| 15.1S | Please see | Please see |
| | Cisco IOS XE | Cisco IOS XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| 15.1SG | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 15.1SNG | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| 15.1SNH | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | 15.1(1)T4 | |
| | 15.1(2)T5; | |
| 15.1T | Available on | 15.1(3)T3 |
| | 27-APR-12 | |
| | 15.1(3)T3 | |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 15.1XB | First fixed | First fixed |
| | in Release | in Release |
| | 15.1T | 15.1T |
|------------+--------------+--------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 15.2-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| 15.2GC | 15.2(1)GC1 | 15.2(1)GC2 |
|------------+--------------+--------------|
| | 15.2(1)S1 | 15.2(1)S1 |
| | Cisco IOS XE | Cisco IOS XE |
| | devices: | devices: |
| 15.2S | Please see | Please see |
| | Cisco IOS XE | Cisco IOS XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| | | 15.2(1) |
| | 15.2(1)T1 | T215.2(2) |
| 15.2T | 15.2(2)T | T115.2(3)T; |
| | 15.2(2)T1 | Available on |
| | | 30-MAR-12 |
+------------------------------------------+
* Cisco Catalyst 3550 Series Switches support the Internet Key
Exchange (IKE) feature and are vulnerable to Cisco bug ID CSCts38429
when the devices are running Layer 3 images; however, this product
reached the End of Software Maintenance milestone. Cisco 3550 Series
SMI Switches that are running Layer 2 images do not support IKE and
are not vulnerable. No other Cisco devices that run 12.2SE-based
software are vulnerable.
Cisco IOS XE Software
+--------------------
Cisco IOS XE Software is affected by the vulnerability that is
disclosed in this document.
+---------------------------------------+
| | | First Fixed |
| | | Release for |
| | | All |
| Cisco | | Advisories |
| IOS XE | First Fixed | in the March |
| Software | Release | 2012 Cisco |
| Release | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 2.1.x | migrate to | migrate to |
| | 3.1.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 2.2.x | migrate to | migrate to |
| | 3.1.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 2.3.x | migrate to | migrate to |
| | 3.1.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 2.4.x | migrate to | migrate to |
| | 3.1.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 2.5.x | migrate to | migrate to |
| | 3.1.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 2.6.x | migrate to | migrate to |
| | 3.1.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| | | Vulnerable; |
| 3.1.xS | 3.1.2S | migrate to |
| | | 3.4.2S or |
| | | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 3.1.xSG | migrate to | migrate to |
| | 3.2.2SG or | 3.2.2SG or |
| | later. | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 3.2.xS | migrate to | migrate to |
| | 3.4.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| 3.2.xSG | 3.2.2SG | 3.2.2SG |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 3.3.xS | migrate to | migrate to |
| | 3.4.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| 3.2.xSG | Not | Not |
| | vulnerable | vulnerable |
|----------+-------------+--------------|
| 3.4.xS | 3.4.2S | 3.4.2S |
|----------+-------------+--------------|
| 3.5.xS | 3.5.1S | 3.5.1S |
|----------+-------------+--------------|
| 3.6.xS | Not | Not |
| | vulnerable | vulnerable |
+---------------------------------------+
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
Release Notes, and Cisco IOS XE 3SG Release Notes.
Cisco IOS XR Software
+--------------------
Cisco IOS XR Software is not affected by any of the vulnerabilities
disclosed in the March 2012 Cisco IOS Software Security Advisory
Bundled Publication.
Workarounds
===========
If the HTTP and HTTPS servers are not required, they may be disabled
with the commands no ip http server and no ip http secure-server.
However, if web services are required, a feature was introduced in
12.3(14)T and later in which selective HTTP and HTTPS services could
be enabled or disabled. The WEB_EXEC service provides a facility to
configure the device and retrieve the current state of the device
from remote clients.
It is possible to disable the WEB_EXEC service while still leaving
other HTTP services active. If an installation does not require the
use of the WEB_EXEC service, then it may be disabled using the
following procedure:
1. Verify the list of all session modules.
Router# show ip http server session-module
HTTP server application session modules:
Session module Name Handle Status Secure-status Description
HTTP_IFS 1 Active Active HTTP based IOS File Server
HOME_PAGE 2 Active Active IOS Homepage Server
QDM 3 Active Active QOS Device Manager Server
QDM_SA 4 Active Active QOS Device Manager Signed Applet Server
WEB_EXEC 5 Active Active HTTP based IOS EXEC Server
IXI 6 Active Active IOS XML Infra Application Server
IDCONF 7 Active Active IDCONF HTTP(S) Server
XSM 8 Active Active XML Session Manager
VDM 9 Active Active VPN Device Manager Server
XML_Api 10 Active Active XML Api
ITS 11 Active Active IOS Telephony Service
ITS_LOCDIR 12 Active Active ITS Local Directory Search
CME_SERVICE_URL 13 Active Active CME Service URL
CME_AUTH_SRV_LOGIN 14 Active Active CME Authentication Server
IPS_SDEE 15 Active Active IOS IPS SDEE Server
tti-petitioner 16 Active Active TTI Petitioner
2. Create a list of session modules that are required, in this
example it would be everything other than WEB_EXEC.
Router# configuration terminal
Router(config)# ip http session-module-list exclude_webexec
HTTP_IFS,HOME_PAGE,QDM,QDM_SA,IXI,IDCONF,XSM,VDM,XML_Api,
ITS,ITS_LOCDIR,CME_SERVICE_URL,CME_AUTH_SRV_LOGIN,IPS_SDEE,tti-petitioner
3. Selectively enable HTTP/HTTPS applications that will service
incoming HTTP requests from remote clients.
Router(config)# ip http active-session-modules exclude_webexec
Router(config)# ip http secure-active-session-modules exclude_webexec
Router(config)# exit
4. Verify the list of all session modules, and ensure WEB_EXEC is
not active.
Router# show ip http server session-module
HTTP server application session modules:
Session module Name Handle Status Secure-status Description
HTTP_IFS 1 Active Active HTTP based IOS File Server
HOME_PAGE 2 Active Active IOS Homepage Server
QDM 3 Active Active QOS Device Manager Server
QDM_SA 4 Active Active QOS Device Manager Signed Applet Server
WEB_EXEC 5 Inactive Inactive HTTP based IOS EXEC Server
IXI 6 Active Active IOS XML Infra Application Server
IDCONF 7 Active Active IDCONF HTTP(S) Server
XSM 8 Active Active XML Session Manager
VDM 9 Active Active VPN Device Manager Server
XML_Api 10 Active Active XML Api
ITS 11 Active Active IOS Telephony Service
ITS_LOCDIR 12 Active Active ITS Local Directory Search
CME_SERVICE_URL 13 Active Active CME Service URL
CME_AUTH_SRV_LOGIN 14 Active Active CME Authentication Server
IPS_SDEE 15 Active Active IOS IPS SDEE Server
tti-petitioner 16 Active Active TTI Petitioner
For further information on the selective enabling of applications
using an HTTP or secure HTTP server, consult the Cisco IOS network
management configuration guide, release 12.4T, at:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_http_app…
If the HTTP server and WEB_EXEC service are required, it is a
recommended best practice to limit which hosts may access the HTTP
server to allow only trusted sources. An access list can be applied
to the HTTP server to limit which hosts are permitted access. To
apply an access list to the HTTP server, use the following command in
global configuration mode: ip http access-class {access-list-number |
access-list-name}.
The following example shows an access list that allows only trusted
hosts to access the Cisco IOS HTTP server:
ip access-list standard 20
permit 192.168.1.0 0.0.0.255
remark "Above is a trusted subnet"
remark "Add further trusted subnets or hosts below"
! (Note: all other access implicitly denied)
! (Apply the access-list to the http server)
ip http access-class 20
For additional information on configuring the Cisco IOS HTTP server,
consult Using the Cisco Web Browser User Interface.
Obtaining Fixed Software
========================
Cisco has released free software updates that addresses the
vulnerability described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance
providers or check the software for feature set compatibility and
known issues that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerability that is described in this advisory.
This vulnerability was reported to Cisco TAC by customers observing
the vulnerability during the normal operation of their devices.
Status of This Notice: Final
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce(a)cisco.com
* first-bulletins(a)lists.first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2012-March-28 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…
This web page includes instructions for press inquiries regarding
Cisco Security Advisories.
All Cisco Security Advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFPcfB+QXnnBKKRMNARCG0KAP98319EAgChMCfxp4K0GXiscRX+fBEv/3NF
+CJDx7WA5gD+IcSwDBmEjesJmNj3GyxbjQ9f1WX7jFpUvy81HYDOqko=
=vGZr
-----END PGP SIGNATURE-----
1
0
Cisco Security Advisory: Cisco IOS Software Smart Install Denial of Service Vulnerability
by Cisco Systems Product Security Incident Response Team 28 Mar '12
by Cisco Systems Product Security Incident Response Team 28 Mar '12
28 Mar '12
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco IOS Software Smart Install Denial of Service Vulnerability
Advisory ID: cisco-sa-20120328-smartinstall
Revision 1.0
For Public Release 2012 March 28 16:00 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
Cisco IOS Software contains a vulnerability in the Smart Install
feature that could allow an unauthenticated, remote attacker to cause
a reload of an affected device if the Smart Install feature is
enabled. The vulnerability is triggered when an affected device
processes a malformed Smart Install message on TCP port 4786.
Cisco has released free software updates that address this
vulnerability. There are no workarounds to mitigate this
vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Note: The March 28, 2012, Cisco IOS Software Security Advisory
bundled publication includes nine Cisco Security Advisories. Each
advisory lists the Cisco IOS Software releases that correct the
vulnerability or vulnerabilities detailed in the advisory as well as
the Cisco IOS Software releases that correct all vulnerabilities in
the March 2012 bundled publication.
Individual publication links are in "Cisco Event Response:
Semi-Annual Cisco IOS Software Security Advisory Bundled Publication"
at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html
Affected Products
=================
Vulnerable Products
+------------------
Devices configured as a Smart Install client or director are affected
by this vulnerability. To display Smart Install information, use the
show vstack config privileged EXEC command on the Smart Install
director or client. The outputs of show commands are different when
entered on the director or on the client. The following is the output
of show vstack config in a Cisco Catalyst Switch configured as a
Smart Install client:
switch#show vstack config
Role: Client
Vstack Director IP address: 10.1.1.163
The following is the output of show vstack config in a Cisco Catalyst
Switch configured as a Smart Install director:
Director# show vstack config
Role: Director
Vstack Director IP address: 10.1.1.163
Vstack Mode: Basic
Vstack default management vlan: 1
Vstack management Vlans: none
Vstack Config file: tftp://10.1.1.100/default-config.txt
Vstack Image file: tftp://10.1.1.100/c3750e-universalk9-tar.122-
Join Window Details:
Window: Open (default)
Operation Mode: auto (default)
Vstack Backup Details:
Mode: On (default)
Repository: flash:/vstack (default)
The Smart Install Feature is enabled by default.
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 15.0(1)M1 with an installed image name of
C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS and NX-OS
Software Reference Guide" at:
http://www.cisco.com/web/about/security/intelligence/ios-ref.html
Products Confirmed Not Vulnerable
+--------------------------------
Cisco IOS XR Software is not affected by this vulnerability.
Cisco IOS XE Software is not affected by this vulnerability.
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
Smart Install is a plug-and-play configuration and image-management
feature that provides zero-touch deployment for new LAN Ethernet
switches. This feature allows, for example, new LAN switches to be
deployed at new locations without any configuration.
A vulnerability exists in the Smart Install feature of Cisco IOS
Software that could allow an unauthenticated, remote attacker to
cause a reload of an affected device. Smart Install uses a Cisco
proprietary protocol that runs over TCP port 4786. To exploit this
vulnerability, an attacker needs to establish a TCP session on port
4786 of an affected device that has the Smart Install feature
enabled, and then send a malformed Smart Install message.
This vulnerability is documented in Cisco bug ID CSCtt16051
and has been assigned Common Vulnerabilities and Exposures (CVE)
ID CVE-2012-0385.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerability in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* Cisco IOS Software Smart Install Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability that is described in
this advisory may cause a reload of an affected device. Repeated
exploitation could result in a sustained denial of service condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt and any subsequent advisories
to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Cisco IOS Software
+-----------------
Each row of the following Cisco IOS Software table corresponds to a
Cisco IOS Software train. If a particular train is vulnerable, the
earliest releases that contain the fix are listed in the First Fixed
Release column. The First Fixed Release for All Advisories in the
March 2012 Bundled Publication column lists the earliest possible
releases that correct all the published vulnerabilities in the Cisco
IOS Software Security Advisory bundled publication. Cisco recommends
upgrading to the latest available release, where possible.
The Cisco IOS Software Checker allows customers to search for Cisco
Security Advisories that address specific Cisco IOS Software
releases. This tool is available on the Cisco Security Intelligence
Operations (SIO) portal at:
http://tools.cisco.com/security/center/selectIOSVersion.x
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+--------------------------------------------------------|
| Affected | | First Fixed Release for All |
|12.0-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases | | IOS Software Security Advisory |
| | | Bundled Publication |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected | | First Fixed Release for All |
|12.2-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases | | IOS Software Security Advisory |
| | | Bundled Publication |
|----------+---------------------+----------------------------------|
|12.2 |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2B |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2BC |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2BW |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2BX |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SB |
|----------+---------------------+----------------------------------|
|12.2BY |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2BZ |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2CX |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2CY |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2CZ |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.0S |
|----------+---------------------+----------------------------------|
|12.2DA |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2DD |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2DX |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2EU |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2EW |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2EWA |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| |Vulnerable; First | |
| |fixed in Release | |
|12.2EX |15.0SE |Vulnerable; First fixed in Release|
| |Releases up to and |15.0SE |
| |including 12.2(46)EX | |
| |are not vulnerable. | |
|----------+---------------------+----------------------------------|
| |Vulnerable; migrate | |
| |to any release in | |
|12.2EY |15.1EY |12.2(52)EY4 |
| |Releases up to and | |
| |including 12.2(52)EY4| |
| |are not vulnerable. | |
|----------+---------------------+----------------------------------|
| |Vulnerable; First | |
| |fixed in Release | |
|12.2EZ |15.0SE |Vulnerable; First fixed in Release|
| |Releases up to and |15.0SE |
| |including 12.2(53)EZ | |
| |are not vulnerable. | |
|----------+---------------------+----------------------------------|
|12.2FX |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2FY |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2FZ |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2IRA |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2IRB |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2IRC |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2IRD |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2IRE |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2IRF |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IRG |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IRH |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IXA |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IXB |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IXC |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IXD |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IXE |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IXF |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IXG |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IXH |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2JA |Not vulnerable |Not vulnerable |
|----------+---------------------+----------------------------------|
|12.2JK |Not vulnerable |Not vulnerable |
|----------+---------------------+----------------------------------|
|12.2MB |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2MC |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2MRA |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2MRB |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Releases prior to 12.2(30)S are |
|12.2S |Not vulnerable |vulnerable; Releases 12.2(30)S and|
| | |later are not vulnerable. First |
| | |fixed in Release 12.0S |
|----------+---------------------+----------------------------------|
|12.2SB |Not vulnerable |12.2(33)SB12 |
|----------+---------------------+----------------------------------|
|12.2SBC |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2SCA |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SCE |
|----------+---------------------+----------------------------------|
|12.2SCB |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SCE |
|----------+---------------------+----------------------------------|
|12.2SCC |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SCE |
|----------+---------------------+----------------------------------|
|12.2SCD |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SCE |
|----------+---------------------+----------------------------------|
|12.2SCE |Not vulnerable |12.2(33)SCE6 |
|----------+---------------------+----------------------------------|
|12.2SCF |Not vulnerable |12.2(33)SCF2 |
|----------+---------------------+----------------------------------|
|12.2SE |12.2(55)SE5 | |
| | |12.2(55)SE5 * |
|----------+---------------------+----------------------------------|
|12.2SEA |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2SEB |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2SEC |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2SED |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2SEE |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2SEF |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2SEG |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2SG |Not vulnerable |12.2(53)SG7; Available on |
| | |07-MAY-12 |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SGA |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2SL |Not vulnerable |Not vulnerable |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SM |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SO |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SQ |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2SRA |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2SRB |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2SRC |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2SRD |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2SRE |Not vulnerable |12.2(33)SRE6 |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2STE |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2SU |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2SV |Not vulnerable |Releases up to and including 12.2 |
| | |(18)SV2 are not vulnerable. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SVA |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SVC |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SVD |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SVE |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2SW |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.4T |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SX |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SXA |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SXB |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SXD |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SXE |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SXF |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SXH |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2SXI |Not vulnerable |12.2(33)SXI9 |
|----------+---------------------+----------------------------------|
|12.2SXJ |Not vulnerable |12.2(33)SXJ2 |
|----------+---------------------+----------------------------------|
|12.2SY |Not vulnerable |12.2(50)SY2; Available on |
| | |11-JUN-12 |
|----------+---------------------+----------------------------------|
|12.2SZ |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.0S |
|----------+---------------------+----------------------------------|
|12.2T |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2TPC |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2XA |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XB |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XC |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XD |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XE |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XF |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XG |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XH |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XI |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XJ |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XK |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XL |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XM |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
| |Please see Cisco |Please see Cisco IOS-XE Software |
|12.2XNA |IOS-XE Software |Availability |
| |Availability | |
|----------+---------------------+----------------------------------|
| |Please see Cisco |Please see Cisco IOS-XE Software |
|12.2XNB |IOS-XE Software |Availability |
| |Availability | |
|----------+---------------------+----------------------------------|
| |Please see Cisco |Please see Cisco IOS-XE Software |
|12.2XNC |IOS-XE Software |Availability |
| |Availability | |
|----------+---------------------+----------------------------------|
| |Please see Cisco |Please see Cisco IOS-XE Software |
|12.2XND |IOS-XE Software |Availability |
| |Availability | |
|----------+---------------------+----------------------------------|
| |Please see Cisco |Please see Cisco IOS-XE Software |
|12.2XNE |IOS-XE Software |Availability |
| |Availability | |
|----------+---------------------+----------------------------------|
| |Please see Cisco |Please see Cisco IOS-XE Software |
|12.2XNF |IOS-XE Software |Availability |
| |Availability | |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2XO |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2XQ |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
| | |Releases prior to 12.2(15)XR are |
|12.2XR |Not vulnerable |vulnerable; Releases 12.2(15)XR |
| | |and later are not vulnerable. |
| | |First fixed in Release 15.0M |
|----------+---------------------+----------------------------------|
|12.2XS |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XT |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XU |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XV |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XW |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2YA |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YC |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YD |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YE |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YK |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YO |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; First fixed in Release|
|12.2YP |Not vulnerable |15.0M |
| | |Releases up to and including 12.2 |
| | |(8)YP are not vulnerable. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YT |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YW |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YX |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YY |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YZ |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2ZA |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2ZB |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2ZC |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2ZD |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2ZE |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2ZH |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2ZJ |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2ZP |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2ZU |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2ZX |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2ZY |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2ZYA |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| Affected | | First Fixed Release for All |
|12.3-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases | | IOS Software Security Advisory |
| | | Bundled Publication |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | | First Fixed Release for All |
|12.4-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases | | IOS Software Security Advisory |
| | | Bundled Publication |
|-------------------------------------------------------------------|
| There are no affected 12.4 based releases |
|-------------------------------------------------------------------|
| Affected | | First Fixed Release for All |
|15.0-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases | | IOS Software Security Advisory |
| | | Bundled Publication |
|----------+---------------------+----------------------------------|
|15.0M |Not vulnerable |15.0(1)M8 |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|15.0MR |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|15.0MRA |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| |Not vulnerable | |
| |Cisco IOS XE devices:|15.0(1)S5 |
|15.0S |Please see Cisco IOS |Cisco IOS XE devices: Please see |
| |XE Software |Cisco IOS XE Software Availability|
| |Availability | |
|----------+---------------------+----------------------------------|
|15.0SA |Not vulnerable |Not vulnerable |
|----------+---------------------+----------------------------------|
|15.0SE |15.0(1)SE1 |15.0(1)SE1 |
|----------+---------------------+----------------------------------|
| |Not vulnerable | |
| |Cisco IOS XE devices:|15.0(2)SG2 |
|15.0SG |Please see Cisco IOS |Cisco IOS XE devices: Please see |
| |XE Software |Cisco IOS XE Software Availability|
| |Availability | |
|----------+---------------------+----------------------------------|
|15.0SY |Not vulnerable |15.0(1)SY1 |
|----------+---------------------+----------------------------------|
|15.0XA |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.1T |
|----------+---------------------+----------------------------------|
| |Cisco IOS XE devices:| |
|15.0XO |Please see Cisco |Cisco IOS XE devices: Please see |
| |IOS-XE Software |Cisco IOS-XE Software Availability|
| |Availability | |
|----------+---------------------+----------------------------------|
| Affected | | First Fixed Release for All |
|15.1-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases | | IOS Software Security Advisory |
| | | Bundled Publication |
|----------+---------------------+----------------------------------|
|15.1EY |Not vulnerable |15.1(2)EY2 |
|----------+---------------------+----------------------------------|
|15.1GC |Not vulnerable |15.1(2)GC2 |
|----------+---------------------+----------------------------------|
|15.1M |15.1(4)M4; Available |15.1(4)M4; Available on 30-MAR-12 |
| |on 30-MAR-12 | |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|15.1MR |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| |Not vulnerable | |
| |Cisco IOS XE devices:|15.1(3)S2 |
|15.1S |Please see Cisco IOS |Cisco IOS XE devices: Please see |
| |XE Software |Cisco IOS XE Software Availability|
| |Availability | |
|----------+---------------------+----------------------------------|
| |Not vulnerable | |
| |Cisco IOS XE devices:|Not vulnerable |
|15.1SG |Please see Cisco IOS |Cisco IOS XE devices: Please see |
| |XE Software |Cisco IOS XE Software Availability|
| |Availability | |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|15.1SNG |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|15.1SNH |Not vulnerable |Not vulnerable |
|----------+---------------------+----------------------------------|
|15.1T |15.1(3)T3 |15.1(3)T3 |
|----------+---------------------+----------------------------------|
|15.1XB |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.1T |
|----------+---------------------+----------------------------------|
| Affected | | First Fixed Release for All |
|15.2-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases | | IOS Software Security Advisory |
| | | Bundled Publication |
|----------+---------------------+----------------------------------|
|15.2GC |15.2(1)GC2 |15.2(1)GC2 |
|----------+---------------------+----------------------------------|
| |Not vulnerable |15.2(1)S1 |
| |Cisco IOS XE devices:| |
|15.2S |Please see Cisco IOS |Cisco IOS XE devices: Please see |
| |XE Software |Cisco IOS XE Software Availability|
| |Availability | |
|----------+---------------------+----------------------------------|
| |15.2(1)T2 |15.2(1)T2 |
|15.2T |15.2(2)T1 |15.2(2)T1 |
| |15.2(3)T; Available |15.2(3)T; Available on 30-MAR-12 |
| |on 30-MAR-12 | |
+-------------------------------------------------------------------+
* Cisco Catalyst 3550 Series Switches support the Internet Key
Exchange (IKE) feature and are vulnerable to Cisco bug ID CSCts38429
when the devices are running Layer 3 images; however, this product
reached the End of Software Maintenance milestone. Cisco 3550 Series
SMI Switches that are running Layer 2 images do not support IKE and
are not vulnerable. No other Cisco devices that run 12.2SE-based
software are vulnerable.
Cisco IOS XE Software
+--------------------
Cisco IOS XE Software is not affected by the vulnerability disclosed
in this advisory.
Cisco IOS XR Software
+--------------------
Cisco IOS XR Software is not affected by any of the vulnerabilities
disclosed in the March 2012 Cisco IOS Software Security Advisory
Bundled Publication.
Workarounds
===========
There are no workarounds available to mitigate this vulnerability
other than disabling the Smart Install feature. To disable the Smart
Install feature use the global configuration command no vstack.
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBullet…
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerability described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance
providers or check the software for feature set compatibility and
known issues that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerability that is described in this advisory.
This issue was reported to Cisco by customers who discovered it
during the course of security audits.
Status of This Notice: Final
+---------------------------
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce(a)cisco.com
* first-bulletins(a)lists.first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2012-March-28 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…
This web page includes instructions for press inquiries regarding
Cisco Security Advisories.
All Cisco Security Advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFPcSThQXnnBKKRMNARCOH4AP9Wgc8t/hVLf4NZrWSE6Y64edlgu+lg7MB6
h5OtNEQTgAD/Ux8fxWyhS8HGYK17bT294K2OMuymiytT5sN/T2u/ZY8=
=6eFE
-----END PGP SIGNATURE-----
1
0
Cisco Security Advisory: Cisco IOS Software Reverse SSH Denial of Service Vulnerability
by Cisco Systems Product Security Incident Response Team 28 Mar '12
by Cisco Systems Product Security Incident Response Team 28 Mar '12
28 Mar '12
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco IOS Software Reverse SSH Denial of Service Vulnerability
Advisory ID: cisco-sa-20120328-ssh
Revision 1.0
For Public Release 2012 March 28 16:00 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
The Secure Shell (SSH) server implementation in Cisco IOS Software
and Cisco IOS XE Software contains a denial of service (DoS)
vulnerability in the SSH version 2 (SSHv2) feature. An
unauthenticated, remote attacker could exploit this vulnerability by
attempting a reverse SSH login with a crafted username. Successful
exploitation of this vulnerability could allow an attacker to create
a DoS condition by causing the device to reload. Repeated exploits
could create a sustained DoS condition.
The SSH server in Cisco IOS Software and Cisco IOS XE Software is an
optional service, but its use is highly recommended as a security
best practice for the management of Cisco IOS devices. Devices that
are not configured to accept SSHv2 connections are not affected by
this vulnerability.
Cisco has released free software updates that address this
vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Note: The March 28, 2012, Cisco IOS Software Security Advisory
bundled publication includes nine Cisco Security Advisories. Each
advisory lists the Cisco IOS Software releases that correct the
vulnerability or vulnerabilities detailed in the advisory as well as
the Cisco IOS Software releases that correct all vulnerabilities in
the March 2012 bundled publication.
Individual publication links are in "Cisco Event Response:
Semi-Annual Cisco IOS Software Security Advisory Bundled Publication"
at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html
Affected Products
=================
Vulnerable Products
+------------------
Cisco devices that are running affected Cisco IOS Software or Cisco
IOS XE Software versions are vulnerable when they have the SSH server
enabled and allow SSHv2 logins. Only SSHv2 is affected.
To determine if SSH is enabled, use the show ip ssh command.
Router#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
The previous output shows that SSH is enabled on this device and that
the SSH protocol major version that is being supported is 2.0.
Possible values for the SSH protocol versions that are reported by
Cisco IOS are:
* 1.5: only SSH protocol version 1 is enabled
* 1.99: SSH protocol version 2 with SSH protocol version 1
compatibility enabled
* 2.0: only SSH protocol version 2 is enabled
The SSH server is not available in all IOS images. If the show ip ssh
command is not available, the device is not vulnerable. Devices that
do not support SSHv2 are not vulnerable.
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 15.0(1)M1 with an installed image name of
C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS and NX-OS
Software Reference Guide" at:
http://www.cisco.com/web/about/security/intelligence/ios-ref.html
Products Confirmed Not Vulnerable
+--------------------------------
Cisco IOS-XR is not affected by this vulnerability.
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
Secure Shell (SSH) is a protocol which provides a secure remote
access connection to network devices.
The SSH server implementation in Cisco IOS Software and Cisco IOS XE
Software contains a DoS vulnerability in the SSH version 2 (SSHv2)
feature that could allow an unauthenticated remote attacker to cause
a device to reload. An attacker could exploit this vulnerability by
attempting a reverse SSH login with a crafted username. Successful
exploitation of this vulnerability could allow an attacker to create
a DoS condition by causing the device to reload. Repeated exploits
could create a sustained DoS condition.
The SSH server in Cisco IOS Software and Cisco IOS XE Software is an
optional service, but its use is highly recommended as a security
best practice for management of Cisco IOS devices. SSH can be
configured as part of the AutoSecure feature in the initial
configuration of IOS devices, AutoSecure run after initial
configuration, or manually. SSH is enabled any time RSA keys are
generated such as when an http secure-server or trust points for
digital certificates are configured. Devices that are not configured
to accept SSHv2 connections are not affected by this vulnerability.
A complete TCP three-way handshake is required to exploit this
vulnerability. Reverse SSH traffic uses TCP port 22 by default.
This vulnerability has been documented in Cisco Bug ID CSCtr49064 and
has been assigned the Common Vulnerabilities and Exposures (CVE) ID
CVE-2012-0386.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerability in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtr49064 - Cisco IOS Software Reverse SSH Denial of Service
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of this vulnerability could allow an
unauthenticated, remote attacker to create a DoS condition by causing
the device to reload. Repeated exploits could create a sustained DoS
condition.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt and review subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised
to contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
Cisco IOS Software
+-----------------
Each row of the following Cisco IOS Software table corresponds to a
Cisco IOS Software train. If a particular train is vulnerable, the
earliest releases that contain the fix are listed in the First Fixed
Release column. The First Fixed Release for All Advisories in the
March 2012 Bundled Publication column lists the earliest possible
releases that correct all the published vulnerabilities in the Cisco
IOS Software Security Advisory bundled publication. Cisco recommends
upgrading to the latest available release, where possible.
The Cisco IOS Software Checker allows customers to search for Cisco
Security Advisories that address specific Cisco IOS Software
releases. This tool is available on the Cisco Security Intelligence
Operations (SIO) portal at:
http://tools.cisco.com/security/center/selectIOSVersion.x
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+--------------------------------------------------------|
| Affected | |First Fixed Release for All |
|12.0-Based| First Fixed Release |Advisories in the March 2012|
| Releases | |Cisco IOS Software Security |
| | |Advisory Bundled Publication|
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected | |First Fixed Release for All |
|12.2-Based| First Fixed Release |Advisories in the March 2012|
| Releases | |Cisco IOS Software Security |
| | |Advisory Bundled Publication|
|----------+---------------------------+----------------------------|
|12.2 |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2B |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2BC |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2BW |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2BX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SB |
|----------+---------------------------+----------------------------|
|12.2BY |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2BZ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2CX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2CY |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2CZ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.0S |
|----------+---------------------------+----------------------------|
|12.2DA |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2DD |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2DX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2EU |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2EW |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2EWA |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| |Vulnerable; First fixed in | |
| |Release 15.0SE |Vulnerable; First fixed in |
|12.2EX |Releases up to and |Release 15.0SE |
| |including 12.2(55)EX3 are | |
| |not vulnerable. | |
|----------+---------------------------+----------------------------|
|12.2EY |12.2(58)EY2 |12.2(52)EY4 |
|----------+---------------------------+----------------------------|
|12.2EZ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+---------------------------+----------------------------|
|12.2FX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+---------------------------+----------------------------|
|12.2FY |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+---------------------------+----------------------------|
|12.2FZ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+---------------------------+----------------------------|
|12.2IRA |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+---------------------------+----------------------------|
|12.2IRB |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+---------------------------+----------------------------|
|12.2IRC |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+---------------------------+----------------------------|
|12.2IRD |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+---------------------------+----------------------------|
|12.2IRE |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+---------------------------+----------------------------|
|12.2IRF |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2IRG |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2IRH |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2IXA |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2IXB |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2IXC |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2IXD |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2IXE |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2IXF |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2IXG |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2IXH |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
|12.2JA |Not vulnerable |Not vulnerable |
|----------+---------------------------+----------------------------|
|12.2JK |Not vulnerable |Not vulnerable |
|----------+---------------------------+----------------------------|
|12.2MB |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2MC |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2MRA |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2MRB |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Releases prior to 12.2(30)S |
| | |are vulnerable; Releases |
|12.2S |Not vulnerable |12.2(30)S and later are not |
| | |vulnerable. First fixed in |
| | |Release 12.0S |
|----------+---------------------------+----------------------------|
|12.2SB |Not vulnerable |12.2(33)SB12 |
|----------+---------------------------+----------------------------|
|12.2SBC |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+---------------------------+----------------------------|
|12.2SCA |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SCE |
|----------+---------------------------+----------------------------|
|12.2SCB |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SCE |
|----------+---------------------------+----------------------------|
|12.2SCC |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SCE |
|----------+---------------------------+----------------------------|
|12.2SCD |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SCE |
|----------+---------------------------+----------------------------|
|12.2SCE |Not vulnerable |12.2(33)SCE6 |
|----------+---------------------------+----------------------------|
|12.2SCF |Not vulnerable |12.2(33)SCF2 |
|----------+---------------------------+----------------------------|
| |Vulnerable; First fixed in | |
| |Release 15.0SE | |
|12.2SE |Releases up to and |12.2(55)SE5 * |
| |including 12.2(58)SE1 are | |
| |not vulnerable. | |
|----------+---------------------------+----------------------------|
|12.2SEA |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+---------------------------+----------------------------|
|12.2SEB |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+---------------------------+----------------------------|
|12.2SEC |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+---------------------------+----------------------------|
|12.2SED |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+---------------------------+----------------------------|
|12.2SEE |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+---------------------------+----------------------------|
|12.2SEF |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+---------------------------+----------------------------|
|12.2SEG |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+---------------------------+----------------------------|
|12.2SG |Not vulnerable |12.2(53)SG7; Available on |
| | |07-MAY-12 |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2SGA |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
|12.2SL |Not vulnerable |Not vulnerable |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2SM |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2SO |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2SQ |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
|12.2SRA |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+---------------------------+----------------------------|
|12.2SRB |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+---------------------------+----------------------------|
|12.2SRC |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+---------------------------+----------------------------|
|12.2SRD |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+---------------------------+----------------------------|
|12.2SRE |Not vulnerable |12.2(33)SRE6 |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2STE |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
|12.2SU |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
| | |Releases up to and including|
|12.2SV |Not vulnerable |12.2(18)SV2 are not |
| | |vulnerable. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2SVA |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2SVC |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2SVD |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2SVE |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
|12.2SW |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.4T |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2SX |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2SXA |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2SXB |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2SXD |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2SXE |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2SXF |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2SXH |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
|12.2SXI |Not vulnerable |12.2(33)SXI9 |
|----------+---------------------------+----------------------------|
|12.2SXJ |Not vulnerable |12.2(33)SXJ2 |
|----------+---------------------------+----------------------------|
|12.2SY |Not vulnerable |12.2(50)SY2; Available on |
| | |11-JUN-12 |
|----------+---------------------------+----------------------------|
|12.2SZ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.0S |
|----------+---------------------------+----------------------------|
|12.2T |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2TPC |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
|12.2XA |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2XB |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2XC |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2XD |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2XE |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2XF |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2XG |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2XH |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2XI |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2XJ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2XK |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2XL |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2XM |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2XNA |Please see Cisco IOS-XE |Please see Cisco IOS-XE |
| |Software Availability |Software Availability |
|----------+---------------------------+----------------------------|
|12.2XNB |Please see Cisco IOS-XE |Please see Cisco IOS-XE |
| |Software Availability |Software Availability |
|----------+---------------------------+----------------------------|
|12.2XNC |Please see Cisco IOS-XE |Please see Cisco IOS-XE |
| |Software Availability |Software Availability |
|----------+---------------------------+----------------------------|
|12.2XND |Please see Cisco IOS-XE |Please see Cisco IOS-XE |
| |Software Availability |Software Availability |
|----------+---------------------------+----------------------------|
|12.2XNE |Please see Cisco IOS-XE |Please see Cisco IOS-XE |
| |Software Availability |Software Availability |
|----------+---------------------------+----------------------------|
|12.2XNF |Please see Cisco IOS-XE |Please see Cisco IOS-XE |
| |Software Availability |Software Availability |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2XO |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
|12.2XQ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
| | |Releases prior to 12.2(15)XR|
| | |are vulnerable; Releases |
|12.2XR |Not vulnerable |12.2(15)XR and later are not|
| | |vulnerable. First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2XS |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2XT |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2XU |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2XV |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2XW |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2YA |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2YC |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2YD |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2YE |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2YK |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2YO |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; First fixed in |
| | |Release 15.0M |
|12.2YP |Not vulnerable |Releases up to and including|
| | |12.2(8)YP are not |
| | |vulnerable. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2YT |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2YW |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2YX |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2YY |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2YZ |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2ZA |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2ZB |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2ZC |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2ZD |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
|12.2ZE |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.2ZH |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2ZJ |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2ZP |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2ZU |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
|12.2ZX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2ZY |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.2ZYA |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| Affected | |First Fixed Release for All |
|12.3-Based| First Fixed Release |Advisories in the March 2012|
| Releases | |Cisco IOS Software Security |
| | |Advisory Bundled Publication|
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | |First Fixed Release for All |
|12.4-Based| First Fixed Release |Advisories in the March 2012|
| Releases | |Cisco IOS Software Security |
| | |Advisory Bundled Publication|
|----------+---------------------------+----------------------------|
| |Releases 12.4(13d) and |Vulnerable; First fixed in |
|12.4 |prior are not vulnerable; |Release 15.0M |
| |first fixed in 12.4(25f) | |
|----------+---------------------------+----------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per |support organization per the|
|12.4GC |the instructions in |instructions in Obtaining |
| |Obtaining Fixed Software |Fixed Software section of |
| |section of this advisory. |this advisory. |
|----------+---------------------------+----------------------------|
|12.4JA |12.4(23c)JA4 |12.4(23c)JA4 |
| |12.4(25e)JA |12.4(25e)JA |
|----------+---------------------------+----------------------------|
|12.4JAX |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4JA |Release 12.4JA |
|----------+---------------------------+----------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per |support organization per the|
|12.4JDA |the instructions in |instructions in Obtaining |
| |Obtaining Fixed Software |Fixed Software section of |
| |section of this advisory. |this advisory. |
|----------+---------------------------+----------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per |support organization per the|
|12.4JDC |the instructions in |instructions in Obtaining |
| |Obtaining Fixed Software |Fixed Software section of |
| |section of this advisory. |this advisory. |
|----------+---------------------------+----------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per |support organization per the|
|12.4JDD |the instructions in |instructions in Obtaining |
| |Obtaining Fixed Software |Fixed Software section of |
| |section of this advisory. |this advisory. |
|----------+---------------------------+----------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per |support organization per the|
|12.4JDE |the instructions in |instructions in Obtaining |
| |Obtaining Fixed Software |Fixed Software section of |
| |section of this advisory. |this advisory. |
|----------+---------------------------+----------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per |support organization per the|
|12.4JHA |the instructions in |instructions in Obtaining |
| |Obtaining Fixed Software |Fixed Software section of |
| |section of this advisory. |this advisory. |
|----------+---------------------------+----------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per |support organization per the|
|12.4JHB |the instructions in |instructions in Obtaining |
| |Obtaining Fixed Software |Fixed Software section of |
| |section of this advisory. |this advisory. |
|----------+---------------------------+----------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per |support organization per the|
|12.4JHC |the instructions in |instructions in Obtaining |
| |Obtaining Fixed Software |Fixed Software section of |
| |section of this advisory. |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4JK |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4JL |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| |Vulnerable; First fixed in | |
| |Release 12.4JA |Vulnerable; First fixed in |
|12.4JX |Releases up to and |Release 12.4JA |
| |including 12.4(3g)JX2 are | |
| |not vulnerable. | |
|----------+---------------------------+----------------------------|
|12.4JY |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4JA |Release 12.4JA |
|----------+---------------------------+----------------------------|
|12.4JZ |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4JA |Release 12.4JA |
|----------+---------------------------+----------------------------|
|12.4MD |12.4(22)MD3; Available on |12.4(22)MD3; Available on |
| |30-MAR-12 |30-MAR-12 |
|----------+---------------------------+----------------------------|
|12.4MDA |12.4(24)MDA11 |12.4(24)MDA11 |
|----------+---------------------------+----------------------------|
|12.4MDB |12.4(24)MDB5a |12.4(24)MDB5a |
|----------+---------------------------+----------------------------|
|12.4MDC |Not vulnerable |Not vulnerable |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| |Releases up to and |support organization per the|
|12.4MR |including 12.4(16)MR1 are |instructions in Obtaining |
| |not vulnerable. |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per |support organization per the|
|12.4MRA |the instructions in |instructions in Obtaining |
| |Obtaining Fixed Software |Fixed Software section of |
| |section of this advisory. |this advisory. |
|----------+---------------------------+----------------------------|
|12.4MRB |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.4SW |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
| |12.4(15)T16 |12.4(15)T17 |
|12.4T |12.4(24)T6 |12.4(24)T7 |
| | | |
|----------+---------------------------+----------------------------|
|12.4XA |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.4XB |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.4T |
|----------+---------------------------+----------------------------|
|12.4XC |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.4XD |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.4XE |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.4XF |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.4XG |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.4XJ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.4XK |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4XL |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
|12.4XM |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4XN |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4XP |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
|12.4XQ |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.4XR |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 12.4T |
|----------+---------------------------+----------------------------|
|12.4XT |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4XV |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
|12.4XW |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.4XY |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.4XZ |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+---------------------------+----------------------------|
|12.4YA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+---------------------------+----------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per |support organization per the|
|12.4YB |the instructions in |instructions in Obtaining |
| |Obtaining Fixed Software |Fixed Software section of |
| |section of this advisory. |this advisory. |
|----------+---------------------------+----------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per |support organization per the|
|12.4YD |the instructions in |instructions in Obtaining |
| |Obtaining Fixed Software |Fixed Software section of |
| |section of this advisory. |this advisory. |
|----------+---------------------------+----------------------------|
|12.4YE |12.4(24)YE3d |12.4(24)YE3d |
|----------+---------------------------+----------------------------|
|12.4YG |12.4(24)YG4 |12.4(24)YG4 |
|----------+---------------------------+----------------------------|
| Affected | |First Fixed Release for All |
|15.0-Based| First Fixed Release |Advisories in the March 2012|
| Releases | |Cisco IOS Software Security |
| | |Advisory Bundled Publication|
|----------+---------------------------+----------------------------|
|15.0M |15.0(1)M7 |15.0(1)M8 |
|----------+---------------------------+----------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per |support organization per the|
|15.0MR |the instructions in |instructions in Obtaining |
| |Obtaining Fixed Software |Fixed Software section of |
| |section of this advisory. |this advisory. |
|----------+---------------------------+----------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per |support organization per the|
|15.0MRA |the instructions in |instructions in Obtaining |
| |Obtaining Fixed Software |Fixed Software section of |
| |section of this advisory. |this advisory. |
|----------+---------------------------+----------------------------|
| |15.0(1)S5 |15.0(1)S5 |
|15.0S |Cisco IOS XE devices: |Cisco IOS XE devices: Please|
| |Please see Cisco IOS XE |see Cisco IOS XE Software |
| |Software Availability |Availability |
|----------+---------------------------+----------------------------|
|15.0SA |Not vulnerable |Not vulnerable |
|----------+---------------------------+----------------------------|
| |15.0(1)SE1 | |
|15.0SE |15.0(2)SE; Available on |15.0(1)SE1 |
| |06-AUG-12 | |
|----------+---------------------------+----------------------------|
| |Not vulnerable |15.0(2)SG2 |
|15.0SG |Cisco IOS XE devices: |Cisco IOS XE devices: Please|
| |Please see Cisco IOS-XE |see Cisco IOS-XE Software |
| |Software Availability |Availability |
|----------+---------------------------+----------------------------|
|15.0SY |Not vulnerable |15.0(1)SY1 |
|----------+---------------------------+----------------------------|
|15.0XA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.1T |Release 15.1T |
|----------+---------------------------+----------------------------|
| |Cisco IOS XE devices: |Cisco IOS XE devices: Please|
|15.0XO |Please see Cisco IOS-XE |see Cisco IOS-XE Software |
| |Software Availability |Availability |
|----------+---------------------------+----------------------------|
| Affected | |First Fixed Release for All |
|15.1-Based| First Fixed Release |Advisories in the March 2012|
| Releases | |Cisco IOS Software Security |
| | |Advisory Bundled Publication|
|----------+---------------------------+----------------------------|
|15.1EY |15.1(2)EY1a |15.1(2)EY2 |
|----------+---------------------------+----------------------------|
|15.1GC |15.1(2)GC2 |15.1(2)GC2 |
|----------+---------------------------+----------------------------|
|15.1M |15.1(4)M2 |15.1(4)M4; Available on |
| | |30-MAR-12 |
|----------+---------------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|15.1MR |15.1(1)MR3 |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+---------------------------+----------------------------|
| |15.1(3)S2 |15.1(3)S2 |
|15.1S |Cisco IOS XE devices: |Cisco IOS XE devices: Please|
| |Please see Cisco IOS XE |see Cisco IOS XE Software |
| |Software Availability |Availability |
|----------+---------------------------+----------------------------|
| |Not vulnerable |Not vulnerable |
|15.1SG |Cisco IOS XE devices: |Cisco IOS XE devices: Please|
| |Please see Cisco IOS XE |see Cisco IOS XE Software |
| |Software Availability |Availability |
|----------+---------------------------+----------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per |support organization per the|
|15.1SNG |the instructions in |instructions in Obtaining |
| |Obtaining Fixed Software |Fixed Software section of |
| |section of this advisory. |this advisory. |
|----------+---------------------------+----------------------------|
|15.1SNH |Not vulnerable |Not vulnerable |
|----------+---------------------------+----------------------------|
| |15.1(1)T4 | |
|15.1T |15.1(2)T5; Available on |15.1(3)T3 |
| |27-APR-12 | |
| |15.1(3)T3 | |
|----------+---------------------------+----------------------------|
|15.1XB |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.1T |Release 15.1T |
|----------+---------------------------+----------------------------|
| Affected | |First Fixed Release for All |
|15.2-Based| First Fixed Release |Advisories in the March 2012|
| Releases | |Cisco IOS Software Security |
| | |Advisory Bundled Publication|
|----------+---------------------------+----------------------------|
|15.2GC |15.2(1)GC1 |15.2(1)GC2 |
|----------+---------------------------+----------------------------|
| |Not vulnerable |15.2(1)S1 |
| |Cisco IOS XE devices: |Cisco IOS XE devices: Please|
|15.2S |Please see Cisco IOS XE |see Cisco IOS XE Software |
| |Software Availability |Availability |
| | | |
|----------+---------------------------+----------------------------|
| |15.2(1)T2 |15.2(1)T2 |
|15.2T |15.2(2)T |15.2(2)T1 |
| |15.2(2)T1 |15.2(3)T; Available on |
| | |30-MAR-12 |
+-------------------------------------------------------------------+
* Cisco Catalyst 3550 Series Switches support the Internet Key
Exchange (IKE) feature and are vulnerable to Cisco bug ID CSCts38429
when the devices are running Layer 3 images; however, this product
reached the End of Software Maintenance milestone. Cisco 3550 Series
SMI Switches that are running Layer 2 images do not support IKE and
are not vulnerable. No other Cisco devices that run 12.2SE-based
software are vulnerable.
Cisco IOS XE Software
+--------------------
Cisco IOS XE Software is affected by the vulnerability that is
disclosed in this document.
+---------------------------------------+
| | | First Fixed |
| | | Release for |
| | | All |
| Cisco | | Advisories |
| IOS XE | First Fixed | in the March |
| Software | Release | 2012 Cisco |
| Release | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|----------+-------------+--------------|
| | | Vulnerable; |
| 2.1.x | Not | migrate to |
| | vulnerable | 3.4.2S or |
| | | later. |
|----------+-------------+--------------|
| | | Vulnerable; |
| 2.2.x | Not | migrate to |
| | vulnerable | 3.4.2S or |
| | | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 2.3.x | migrate to | migrate to |
| | 3.4.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 2.4.x | migrate to | migrate to |
| | 3.4.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 2.5.x | migrate to | migrate to |
| | 3.4.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 2.6.x | migrate to | migrate to |
| | 3.4.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 3.1.xS | migrate to | migrate to |
| | 3.4.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| | | Vulnerable; |
| 3.2.xSG | Not | migrate to |
| | Vulnerable | 3.2.2SG or |
| | | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 3.2.xS | migrate to | migrate to |
| | 3.4.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| 3.2.xSG | Not | 3.2.2SG |
| | Vulnerable | |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 3.3.xS | migrate to | migrate to |
| | 3.4.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| 3.3.xSG | Not | Not |
| | Vulnerable | Vulnerable |
|----------+-------------+--------------|
| 3.4.xS | 3.4.2S | 3.4.2S |
|----------+-------------+--------------|
| 3.5.xS | Not | 3.5.1S |
| | vulnerable | |
|----------+-------------+--------------|
| 3.6.xS | Not | Not |
| | vulnerable | vulnerable |
+---------------------------------------+
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
Release Notes, and Cisco IOS XE 3SG Release Notes.
Cisco IOS XR Software
+--------------------
Cisco IOS XR Software is not affected by any of the vulnerabilities
disclosed in the March 2012 Cisco IOS Software Security Advisory
Bundled Publication.
Workarounds
===========
If disabling the IOS SSH Server is not feasible, the following
workarounds may be useful to some customers in their environments.
SSH version 1
+------------
This vulnerability only affects SSHv2, so it can be temporarily
mitigated by applying the ip ssh version 1 global configuration
command until a software update can be completed. Customers should
be aware of the limitations and vulnerabilities of SSH version 1
protocol before applying this workaround.
vty Access Class
+---------------
It is possible to limit the exposure of the Cisco device by applying
a vty access class to allow only known, trusted hosts to connect to
the device via SSH.
For more information on restricting traffic to a vty, please consult:
http://www.cisco.com/en/US/docs/ios/12_2/ipaddr/command/reference/1rfip1.ht…
The following example permits access to the vty lines from the
192.168.1.0/24 netblock and the single IP address 172.16.1.2 while
denying access from anywhere else:
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 1 permit host 172.16.1.2
Router(config)# line vty 0 4
Router(config-line)# access-class 1 in
Different Cisco platforms support a different amount of terminal
lines. Check your device's configuration to determine the correct
number of terminal lines for your platform.
Infrastructure Access Control Lists
+----------------------------------
Although it is often difficult to block traffic transiting your
network, it is possible to identify traffic that should never be
allowed to target your infrastructure devices and block that traffic
at the border of your network. Infrastructure access control lists
(iACLs) are considered a network security best practice and should be
considered as a long-term addition to good network security as well
as a workaround for this specific vulnerability. The ACL example
shown below should be included as part of the deployed infrastructure
access-list, which will protect all devices with IP addresses in the
infrastructure IP address range.
A sample access list for devices running Cisco IOS is below:
!--- Permit SSH services from trusted hosts destined
!--- to infrastructure addresses.
access-list 150 permit tcp TRUSTED_HOSTS MASK
INFRASTRUCTURE_ADDRESSES MASK eq 22
!--- Deny SSH packets from all other sources destined to
infrastructure addresses.
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 22
!--- Permit all other traffic to transit the device.
access-list 150 permit IP any any
interface serial 2/0
ip access-group 150 in
The white paper titled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended
deployment techniques for infrastructure protection access lists.
This white paper is located at:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0…
Control Plane Policing
+---------------------
The Control Plane Policing (CoPP) feature may be used to mitigate
these vulnerabilities. In the following example, only SSH traffic
from trusted hosts with receive destination IP addresses is permitted
to reach the route processor (RP).
Note: Dropping traffic from unknown or untrusted IP addresses may
affect hosts with dynamically assigned IP addresses from connecting
to the Cisco IOS device.
access-list 152 deny tcp TRUSTED_ADDRESSES MASK any eq 22
access-list 152 permit tcp any any eq 22
!
class-map match-all COPP-KNOWN-UNDESIRABLE
match access-group 152
!
!
policy-map COPP-INPUT-POLICY
class COPP-KNOWN-UNDESIRABLE
drop
!
control-plane
service-policy input COPP-INPUT-POLICY
In the above CoPP example, the ACL entries that match the exploit
packets with the permit action result in these packets being
discarded by the policy-map drop function, while packets that match
the deny action are not affected by the policy-map drop function.
Additional information on the configuration and use of the CoPP
feature can be found at the following URL:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/pr…
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerability described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance
providers or check the software for feature set compatibility and
known issues that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerability that is described in this advisory.
This vulnerability was reported to Cisco by a customer.
Status of This Notice: Final
+---------------------------
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce(a)cisco.com
* first-bulletins(a)lists.first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2012-March-28 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…
This web page includes instructions for press inquiries regarding Cisco Security Advisories.
All Cisco Security Advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iF4EAREIAAYFAk9zNG4ACgkQQXnnBKKRMNA2VAD/eHjS4OiLcpv5x5OOjIvHSWuC
kJ7DDF+wNTvEJQWX44cA/25zYBDJKshRjHuMIzTALkM0ML4n3PNHiDMaQbphXteJ
=jhc2
-----END PGP SIGNATURE-----
1
0
Cisco Security Advisory: Cisco IOS Internet Key Exchange Vulnerability
by Cisco Systems Product Security Incident Response Team 28 Mar '12
by Cisco Systems Product Security Incident Response Team 28 Mar '12
28 Mar '12
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco IOS Internet Key Exchange Vulnerability
Advisory ID: cisco-sa-20120328-ike
Revision 1.0
For Public Release 2012 March 28 16:00 UTC (GMT)
+--------------------------------------------------------------------
Summary
=======
The Cisco IOS Software Internet Key Exchange (IKE) feature contains a
denial of service (DoS) vulnerability.
Cisco has released free software updates that address this
vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Note: The March 28, 2012, Cisco IOS Software Security Advisory
bundled publication includes nine Cisco Security Advisories. Each
advisory lists the Cisco IOS Software releases that correct the
vulnerability or vulnerabilities detailed in the advisory as well as
the Cisco IOS Software releases that correct all vulnerabilities in
the March 2012 bundled publication.
Individual publication links are in "Cisco Event Response:
Semi-Annual Cisco IOS Software Security Advisory Bundled Publication"
at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html
Affected Products
=================
Vulnerable Products
+------------------
Cisco devices that are running Cisco IOS Software are vulnerable when
they are configured to use IKE version 1 (IKEv1).
A number of features use IKEv1, including different Virtual Private
Networks (VPN) such as:
* LAN-to-LAN VPN
* Remote access VPN (excluding SSLVPN)
* Dynamic Multipoint VPN (DMVPN)
* Group Domain of Interpretation (GDOI)
There are two methods to determine if a device is configured for IKE:
* Determine if IKE ports are open on a running device
* Determine if IKE features are included in the device
configuration
Determine if IKE Ports are Open on a Running Device
+--------------------------------------------------
The preferred method to determine if a device has been configured for
IKE is to issue the "show ip sockets" or "show udp" exec command. If the
device has UDP port 500, UDP port 4500, UDP port 848, or UDP port 4848
open, it is processing IKE packets.
In the following example, the device is processing IKE packets in UDP
port 500 and UDP port 4500, using either IPv4 or IPv6:
router# show udp
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 192.168.130.21 500 0 0 1001011 0
17(v6) --listen-- UNKNOWN 500 0 0 1020011 0
17 --listen-- 192.168.130.21 4500 0 0 1001011 0
17(v6) --listen-- UNKNOWN 4500 0 0 1020011 0
!--- Output truncated
router#
Determine if IKE Features are included in the Device Configuration
+-----------------------------------------------------------------
To determine if a Cisco IOS device configuration is vulnerable,
the administrator needs to establish whether there is at least one
configured feature that uses IKE. This can be achieved by using the
"show run | include crypto map|tunnel protection ipsec|crypto gdoi"
enable mode command. If the output of this command contains either
crypto map, tunnel protection ipsec, or, crypto gdoi then the device
contains an IKE configuration. The following example shows a device that
has been configured for IKE:
router# show run | include crypto map|tunnel protection ipsec|crypto gdoi
crypto map CM 100 ipsec-isakmp
crypto map CM
router#
Determine the Cisco IOS Software Release
+---------------------------------------
To determine the Cisco IOS Software release that is running on a Cisco
product, administrators can log in to the device and issue the "show
version" command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or "Cisco
IOS Software." The image name displays in parentheses, followed by
"Version" and the Cisco IOS Software release name. Other Cisco devices
do not have the "show version" command or may provide different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 15.0(1)M1 with an installed image name of
C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS and NX-OS
Software Reference Guide" at:
http://www.cisco.com/web/about/security/intelligence/ios-ref.html
Products Confirmed Not Vulnerable
+--------------------------------
Cisco ASA 5500 Series Adaptive Security Appliance is not affected by
this vulnerability.
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
The IKE protocol is used in the Internet Protocol Security (IPsec)
protocol suite to negotiate cryptographic attributes that will be
used to encrypt or authenticate the communication session. These
attributes include cryptographic algorithm, mode, and shared keys.
The end result of IKE is a shared session secret that will be used to
derive cryptographic keys.
Cisco IOS Software supports IKE for IPv4 and IPv6 communications.
IKE communication can use any of the following UDP ports:
* UDP port 500
* UDP port 4500, NAT Traversal (NAT-T)
* UDP port 848, Group Domain of Interpretation (GDOI)
* UDP port 4848, GDOI NAT-T
The IKEv1 feature of Cisco IOS Software contains a vulnerability that
could allow an unauthenticated, remote attacker to cause a reload of
an affected device.
An attacker could exploit this vulnerability using either IPv4 or
IPv6 on any of the listed UDP ports. Spoofing of packets that could
exploit this vulnerability is limited because the attacker needs to
either receive or have access to the initial response from the
vulnerable device.
This vulnerability is documented in Cisco bug ID CSCts38429 and has been
assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-0381.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCts38429 ("Cisco IOS Software IKE DoS vulnerability")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may cause the vulnerable
device to reload.
Software Versions and Fixes
===========================
Cisco IOS Software
+-----------------
Each row of the following Cisco IOS Software table corresponds to a
Cisco IOS Software train. If a particular train is vulnerable, the
earliest releases that contain the fix are listed in the First Fixed
Release column. The First Fixed Release for All Advisories in the
March 2012 Bundled Publication column lists the earliest possible
releases that correct all the published vulnerabilities in the Cisco
IOS Software Security Advisory bundled publication. Cisco recommends
upgrading to the latest available release, where possible.
The Cisco IOS Software Checker allows customers to search for Cisco
Security Advisories that address specific Cisco IOS Software
releases. This tool is available on the Cisco Security Intelligence
Operations (SIO) portal at:
http://tools.cisco.com/security/center/selectIOSVersion.x
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+--------------------------------------------------------|
| | |First Fixed Release for All|
| Affected | | Advisories in the March |
|12.0-Based| First Fixed Release | 2012 Cisco IOS Software |
| Releases | | Security Advisory Bundled |
| | | Publication |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| | |First Fixed Release for All|
| Affected | | Advisories in the March |
|12.2-Based| First Fixed Release | 2012 Cisco IOS Software |
| Releases | | Security Advisory Bundled |
| | | Publication |
|----------+----------------------------+---------------------------|
|12.2 |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; First fixed in | |
| |Release 15.0M |Vulnerable; First fixed in |
|12.2B |Releases up to and including|Release 15.0M |
| |12.2(2)B7 are not | |
| |vulnerable. | |
|----------+----------------------------+---------------------------|
| |Vulnerable; First fixed in | |
| |Release 15.0M |Vulnerable; First fixed in |
|12.2BC |Releases up to and including|Release 15.0M |
| |12.2(4)BC1b are not | |
| |vulnerable. | |
|----------+----------------------------+---------------------------|
|12.2BW |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; First fixed in | |
| |Release 12.2SRE |Vulnerable; First fixed in |
|12.2BX |Releases up to and including|Release 12.2SB |
| |12.2(2)BX1 are not | |
| |vulnerable. | |
|----------+----------------------------+---------------------------|
| |Vulnerable; First fixed in | |
| |Release 15.0M |Vulnerable; First fixed in |
|12.2BY |Releases up to and including|Release 15.0M |
| |12.2(2)BY3 are not | |
| |vulnerable. | |
|----------+----------------------------+---------------------------|
| |Vulnerable; First fixed in | |
| |Release 15.0M |Vulnerable; First fixed in |
|12.2BZ |Releases up to and including|Release 15.0M |
| |12.2(4)BZ2 are not | |
| |vulnerable. | |
|----------+----------------------------+---------------------------|
|12.2CX |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2CY |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2CZ |Vulnerable; migrate to any |Vulnerable; First fixed in |
| |release in 12.0S |Release 12.0S |
|----------+----------------------------+---------------------------|
|12.2DA |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2DD |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2DX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2EU |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2EW |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2EWA |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2EX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2EY |Not vulnerable |12.2(52)EY4 |
|----------+----------------------------+---------------------------|
|12.2EZ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2FX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2FY |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2FZ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2IRA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2IRB |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2IRC |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2IRD |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2IRE |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2IRF |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IRG |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IRH |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IXA |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IXB |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IXC |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IXD |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IXE |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IXF |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IXG |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IXH |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2JA |Not vulnerable |Not vulnerable |
|----------+----------------------------+---------------------------|
|12.2JK |Not vulnerable |Not vulnerable |
|----------+----------------------------+---------------------------|
|12.2MB |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2MC |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2MRA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2MRB |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Note: Releases prior to 12.2|Releases prior to 12.2(30)S|
| |(25)S1 are vulnerable; |are vulnerable; Releases |
|12.2S |Releases 12.2(25)S1 and |12.2(30)S and later are not|
| |later are not vulnerable. |vulnerable. First fixed in |
| | |Release 12.0S |
|----------+----------------------------+---------------------------|
| |Only releases 12.2(33)SB1 | |
|12.2SB |through 12.2(33)SB4 are |12.2(33)SB12 |
| |vulnerable. | |
|----------+----------------------------+---------------------------|
|12.2SBC |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2SCA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SCE |Release 12.2SCE |
|----------+----------------------------+---------------------------|
|12.2SCB |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SCE |Release 12.2SCE |
|----------+----------------------------+---------------------------|
|12.2SCC |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SCE |Release 12.2SCE |
|----------+----------------------------+---------------------------|
|12.2SCD |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SCE |Release 12.2SCE |
|----------+----------------------------+---------------------------|
|12.2SCE |12.2(33)SCE6 |12.2(33)SCE6 |
|----------+----------------------------+---------------------------|
|12.2SCF |12.2(33)SCF2 |12.2(33)SCF2 |
|----------+----------------------------+---------------------------|
|12.2SE |Not vulnerable* | |
| | |12.2(55)SE5 * |
|----------+----------------------------+---------------------------|
|12.2SEA |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2SEB |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2SEC |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2SED |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2SEE |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2SEF |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2SEG |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2SG |Not vulnerable |12.2(53)SG7; Available on |
| | |07-MAY-12 |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2SGA |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2SL |Not vulnerable |Not vulnerable |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2SM |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2SO |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2SQ |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2SRA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2SRB |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2SRC |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2SRD |12.2(33)SRD8 |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2SRE |12.2(33)SRE6 |12.2(33)SRE6 |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2STE |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2SU |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| | |Releases up to and |
|12.2SV |Not vulnerable |including 12.2(18)SV2 are |
| | |not vulnerable. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2SVA |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2SVC |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2SVD |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2SVE |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Releases up to and including| |
| |12.2(21)SW1 are not | |
|12.2SW |vulnerable. |Vulnerable; First fixed in |
| |Releases 12.2(25)SW10 and |Release 12.4T |
| |later are not vulnerable. | |
| |First fixed in Release 12.4T| |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2SX |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2SXA |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2SXB |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2SXD |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2SXE |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2SXF |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2SXH |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2SXI |12.2(33)SXI9 |12.2(33)SXI9 |
|----------+----------------------------+---------------------------|
|12.2SXJ |12.2(33)SXJ2 |12.2(33)SXJ2 |
|----------+----------------------------+---------------------------|
|12.2SY |12.2(50)SY2; Available on |12.2(50)SY2; Available on |
| |11-JUN-12 |11-JUN-12 |
|----------+----------------------------+---------------------------|
|12.2SZ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.0S |
|----------+----------------------------+---------------------------|
|12.2T |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2TPC |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2XA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XB |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XC |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XD |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XE |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XF |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XG |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XH |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XI |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XJ |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XK |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XL |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XM |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XNA |Please see Cisco IOS-XE |Please see Cisco IOS-XE |
| |Software Availability |Software Availability |
|----------+----------------------------+---------------------------|
|12.2XNB |Please see Cisco IOS-XE |Please see Cisco IOS-XE |
| |Software Availability |Software Availability |
|----------+----------------------------+---------------------------|
|12.2XNC |Please see Cisco IOS-XE |Please see Cisco IOS-XE |
| |Software Availability |Software Availability |
|----------+----------------------------+---------------------------|
|12.2XND |Please see Cisco IOS-XE |Please see Cisco IOS-XE |
| |Software Availability |Software Availability |
|----------+----------------------------+---------------------------|
|12.2XNE |Please see Cisco IOS-XE |Please see Cisco IOS-XE |
| |Software Availability |Software Availability |
|----------+----------------------------+---------------------------|
|12.2XNF |Please see Cisco IOS-XE |Please see Cisco IOS-XE |
| |Software Availability |Software Availability |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2XO |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2XQ |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| | |Releases prior to 12.2(15) |
| | |XR are vulnerable; Releases|
|12.2XR |Not vulnerable |12.2(15)XR and later are |
| | |not vulnerable. First fixed|
| | |in Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XS |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XT |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XU |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XV |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XW |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2YA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2YC |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2YD |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2YE |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2YK |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2YO |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; First fixed in |
| | |Release 15.0M |
|12.2YP |Not vulnerable |Releases up to and |
| | |including 12.2(8)YP are not|
| | |vulnerable. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2YT |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2YW |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2YX |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2YY |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2YZ |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2ZA |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| |Releases up to and including|support organization per |
|12.2ZB |12.2(8)ZB are not |the instructions in |
| |vulnerable. |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2ZC |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2ZD |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2ZE |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2ZH |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2ZJ |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2ZP |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2ZU |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2ZX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2ZY |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2ZYA |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |First Fixed Release for All|
| Affected | | Advisories in the March |
|12.3-Based| First Fixed Release | 2012 Cisco IOS Software |
| Releases | | Security Advisory Bundled |
| | | Publication |
|----------+----------------------------+---------------------------|
|12.3 |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3B |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3BC |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SCE |Release 12.2SCE |
|----------+----------------------------+---------------------------|
|12.3BW |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3JA |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.4JA |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.3JEA |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.3JEB |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.3JEC |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.3JED |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Releases up to and including| |
| |12.3(2)JK3 are not | |
|12.3JK |vulnerable. |Vulnerable; First fixed in |
| |Releases 12.3(8)JK1 and |Release 15.0M |
| |later are not vulnerable. | |
| |First fixed in Release 15.0M| |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.3JL |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.3JX |Not vulnerable |Not vulnerable |
|----------+----------------------------+---------------------------|
|12.3T |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.3TPC |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.3VA |Not vulnerable |Not vulnerable |
|----------+----------------------------+---------------------------|
|12.3XA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.3XB |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.3XC |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XD |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XE |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.3XF |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.3XG |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XI |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRE |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.3XJ |Vulnerable; migrate to any |Vulnerable; First fixed in |
| |release in 12.4XN |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XK |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XL |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XQ |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XR |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; First fixed in | |
| |Release 12.4T |Vulnerable; First fixed in |
|12.3XU |Releases up to and including|Release 12.4T |
| |12.3(8)XU1 are not | |
| |vulnerable. | |
|----------+----------------------------+---------------------------|
|12.3XW |Vulnerable; migrate to any |Vulnerable; First fixed in |
| |release in 12.4XN |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XX |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XY |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XZ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YD |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YF |Vulnerable; migrate to any |Vulnerable; First fixed in |
| |release in 12.4XN |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YG |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YI |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YJ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YK |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YM |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YQ |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YS |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YT |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YU |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YX |Vulnerable; migrate to any |Vulnerable; First fixed in |
| |release in 12.4XN |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.3YZ |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.3ZA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
| | |First Fixed Release for All|
| Affected | | Advisories in the March |
|12.4-Based| First Fixed Release | 2012 Cisco IOS Software |
| Releases | | Security Advisory Bundled |
| | | Publication |
|----------+----------------------------+---------------------------|
|12.4 |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.4GC |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.4JA |Not vulnerable |12.4(23c)JA4 |
| | |12.4(25e)JA |
|----------+----------------------------+---------------------------|
|12.4JAX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.4JA |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4JDA |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4JDC |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4JDD |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4JDE |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4JHA |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4JHB |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4JHC |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4JK |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4JL |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.4JX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.4JA |
|----------+----------------------------+---------------------------|
|12.4JY |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.4JA |
|----------+----------------------------+---------------------------|
|12.4JZ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.4JA |
|----------+----------------------------+---------------------------|
|12.4MD |12.4(22)MD3; Available on |12.4(22)MD3; Available on |
| |30-MAR-12 |30-MAR-12 |
|----------+----------------------------+---------------------------|
|12.4MDA |12.4(24)MDA11 |12.4(24)MDA11 |
|----------+----------------------------+---------------------------|
|12.4MDB |12.4(24)MDB5a |12.4(24)MDB5a |
|----------+----------------------------+---------------------------|
|12.4MDC |Not vulnerable |Not vulnerable |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| |Releases up to and including|support organization per |
|12.4MR |12.4(9)MR are not |the instructions in |
| |vulnerable. |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.4MRA |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.4MRB |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4SW |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
| |12.4(15)T17 |12.4(15)T17 |
|12.4T |12.4(24)T7 |12.4(24)T7 |
| | | |
|----------+----------------------------+---------------------------|
|12.4XA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Releases prior to 12.4(2) | |
| |XB12 are vulnerable; |Vulnerable; First fixed in |
|12.4XB |Releases 12.4(2)XB12 and |Release 12.4T |
| |later are not vulnerable. | |
| |First fixed in Release 12.4T| |
|----------+----------------------------+---------------------------|
|12.4XC |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4XD |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4XE |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4XF |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4XG |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4XJ |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4XK |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4XL |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.4XM |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4XN |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.4XP |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.4XQ |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4XR |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 12.4T |
|----------+----------------------------+---------------------------|
|12.4XT |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.4XV |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.4XW |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4XY |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4XZ |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4YA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.4YB |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.4YD |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.4YE |12.4(24)YE3d |12.4(24)YE3d |
|----------+----------------------------+---------------------------|
|12.4YG |12.4(24)YG4 |12.4(24)YG4 |
|----------+----------------------------+---------------------------|
| | |First Fixed Release for All|
| Affected | | Advisories in the March |
|15.0-Based| First Fixed Release | 2012 Cisco IOS Software |
| Releases | | Security Advisory Bundled |
| | | Publication |
|----------+----------------------------+---------------------------|
|15.0M |15.0(1)M8 |15.0(1)M8 |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|15.0MR |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|15.0MRA |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |15.0(1)S5 |15.0(1)S5 |
|15.0S |Cisco IOS XE devices: Please|Cisco IOS XE devices: |
| |see Cisco IOS XE Software |Please see Cisco IOS XE |
| |Availability |Software Availability |
|----------+----------------------------+---------------------------|
|15.0SA |Not vulnerable |Not vulnerable |
|----------+----------------------------+---------------------------|
|15.0SE |Not vulnerable |15.0(1)SE1 |
|----------+----------------------------+---------------------------|
| |Not vulnerable |15.0(2)SG2 |
|15.0SG |Cisco IOS XE devices: Please|Cisco IOS XE devices: |
| |see Cisco IOS XE Software |Please see Cisco IOS XE |
| |Availability |Software Availability |
|----------+----------------------------+---------------------------|
|15.0SY |15.0(1)SY1 |15.0(1)SY1 |
|----------+----------------------------+---------------------------|
|15.0XA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.1T |Release 15.1T |
|----------+----------------------------+---------------------------|
| |Cisco IOS XE devices: Please|Cisco IOS XE devices: |
|15.0XO |see Cisco IOS-XE Software |Please see Cisco IOS-XE |
| |Availability |Software Availability |
|----------+----------------------------+---------------------------|
| | |First Fixed Release for All|
| Affected | | Advisories in the March |
|15.1-Based| First Fixed Release | 2012 Cisco IOS Software |
| Releases | | Security Advisory Bundled |
| | | Publication |
|----------+----------------------------+---------------------------|
|15.1EY |Not vulnerable |15.1(2)EY2 |
|----------+----------------------------+---------------------------|
|15.1GC |15.1(2)GC2 |15.1(2)GC2 |
|----------+----------------------------+---------------------------|
|15.1M |15.1(4)M3 |15.1(4)M4; Available on |
| | |30-MAR-12 |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|15.1MR |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |15.1(3)S2 |15.1(3)S2 |
|15.1S |Cisco IOS XE devices: Please|Cisco IOS XE devices: |
| |see Cisco IOS XE Software |Please see Cisco IOS XE |
| |Availability |Software Availability |
|----------+----------------------------+---------------------------|
| |Not vulnerable |Not vulnerable |
|15.1SG |Cisco IOS XE devices: Please|Cisco IOS XE devices: |
| |see Cisco IOS XE Software |Please see Cisco IOS XE |
| |Availability |Software Availability |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|15.1SNG |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|15.1SNH |Not vulnerable |Not vulnerable |
|----------+----------------------------+---------------------------|
| |15.1(1)T5; Available on | |
| |18-MAY-12 | |
|15.1T |15.1(2)T5; Available on |15.1(3)T3 |
| |27-APR-12 | |
| |15.1(3)T3 | |
|----------+----------------------------+---------------------------|
|15.1XB |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.1T |Release 15.1T |
|----------+----------------------------+---------------------------|
| | |First Fixed Release for All|
| Affected | | Advisories in the March |
|15.2-Based| First Fixed Release | 2012 Cisco IOS Software |
| Releases | | Security Advisory Bundled |
| | | Publication |
|----------+----------------------------+---------------------------|
|15.2GC |15.2(1)GC2 |15.2(1)GC2 |
|----------+----------------------------+---------------------------|
| |15.2(1)S1 |15.2(1)S1 |
| | | |
|15.2S |Cisco IOS XE devices: Please|Cisco IOS XE devices: |
| |see Cisco IOS XE Software |Please see Cisco IOS XE |
| |Availability |Software Availability |
|----------+----------------------------+---------------------------|
| |15.2(1)T2 |15.2(1)T2 |
|15.2T |15.2(2)T1 |15.2(2)T1 |
| |15.2(3)T; Available on |15.2(3)T; Available on |
| |30-MAR-12 |30-MAR-12 |
+-------------------------------------------------------------------+
* Cisco Catalyst 3550 Series Switches support the Internet Key
Exchange (IKE) feature and are vulnerable to Cisco bug ID CSCts38429
when the devices are running Layer 3 images; however, this product
reached the End of Software Maintenance milestone. Cisco 3550 Series
SMI Switches that are running Layer 2 images do not support IKE and
are not vulnerable. No other Cisco devices that run 12.2SE-based
software are vulnerable.
Cisco IOS XE Software
+--------------------
+------------------------------------------------------------+
| Cisco IOS | | First Fixed Release for All |
| XE | First Fixed | Advisories in the March 2012 |
| Software | Release | Cisco IOS Software Security |
| Release | | Advisory Bundled Publication |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 2.1.x | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.2S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 2.2.x | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.2S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 2.3.x | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.2S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 2.4.x | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.2S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 2.5.x | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.2S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 2.6.x | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.2S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 3.1.xS | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.2S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| 3.1.xSG | Not | Vulnerable; migrate to 3.2.2SG |
| | vulnerable | or later. |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 3.2.xS | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.2S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| 3.2.xSG | 3.2.2SG | 3.2.2SG |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 3.3.xS | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.2S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| 3.3.xSG | Not | Not Vulnerable |
| | Vulnerable | |
|-----------+--------------+---------------------------------|
| 3.4.xS | 3.4.2S | 3.4.2S |
|-----------+--------------+---------------------------------|
| 3.5.xS | 3.5.1S | 3.5.1S |
|-----------+--------------+---------------------------------|
| 3.6.xS | Not | Not vulnerable |
| | vulnerable | |
+------------------------------------------------------------+
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
Release Notes, and Cisco IOS XE 3SG Release Notes.
Cisco IOS XR Software
+--------------------
Cisco IOS XR Software is not affected by any of the vulnerabilities
disclosed in the March 2012 Cisco IOS Software Security Advisory
Bundled Publication.
Workarounds
===========
There are no workarounds for this vulnerability.
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerability described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance
providers or check the software for feature set compatibility and
known issues that are specific to their environments.
Customers may only install and expect support for feature
sets they have purchased. By installing, downloading,
accessing, or otherwise using such software upgrades, customers
agree to follow the terms of the Cisco software license at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as set forth at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be obtained
through the Software Center on Cisco.com at http://www.cisco.com.
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerability that is described in this advisory.
This vulnerability was found during internal Cisco testing.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce(a)cisco.com
* first-bulletins(a)lists.first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2012-March-28 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco is available on Cisco.com at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.….
This web page includes instructions for press inquiries
regarding Cisco Security Advisories. All Cisco Security Advisories are
available at http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iF4EAREIAAYFAk9xNMgACgkQQXnnBKKRMND8jwD6AzE8IxsF7PzqGh9w75+OhEQ7
z3dm7J1xzgPKLxtI7R8A/1AXDWCmSXsfNHJjhTPmMeZ5kxiA+9AfvxkWJLWxDMZ2
=sT/L
-----END PGP SIGNATURE-----
1
0
Cisco Security Advisory: Cisco IOS Software Zone-Based Firewall Vulnerabilities
by Cisco Systems Product Security Incident Response Team 28 Mar '12
by Cisco Systems Product Security Incident Response Team 28 Mar '12
28 Mar '12
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco IOS Software Zone-Based Firewall Vulnerabilities
Advisory ID: cisco-sa-20120328-zbfw
Revision 1.0
For Public Release 2012 March 28 16:00 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
Cisco IOS Software contains four vulnerabilities related to Cisco IOS
Zone-Based Firewall features. These vulnerabilities are as follows:
* Memory Leak Associated with Crafted IP Packets
* Memory Leak in HTTP Inspection
* Memory Leak in H.323 Inspection
* Memory Leak in SIP Inspection
Workarounds that mitigate these vulnerabilities are not available.
Cisco has released free software updates that address these
vulnerabilities.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Note: The March 28, 2012, Cisco IOS Software Security Advisory
bundled publication includes nine Cisco Security Advisories. Each
advisory lists the Cisco IOS Software releases that correct the
vulnerability or vulnerabilities detailed in the advisory as well as
the Cisco IOS Software releases that correct all vulnerabilities in
the March 2012 bundled publication.
Individual publication links are in "Cisco Event Response:
Semi-Annual Cisco IOS Software Security Advisory Bundled Publication"
at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html
Affected Products
=================
Vulnerable Products
+------------------
Cisco IOS devices running vulnerable versions of Cisco IOS Software
are affected by four vulnerabilities in the Cisco IOS Zone-Based
Firewall. The vulnerabilities are independent of each other. Details
to confirm affected configurations are provided below.
To determine whether a device is configured with Zone-Based Firewall,
log in to the device and issue the show zone security command-line
interface (CLI) command. If the output shows a member interface under
a zone name, the device is vulnerable. The following example shows a
device with Zone-Based Firewall rules configured on both
GigabitEthernet0/0 and GigabitEthernet0/1:
Router#show zone security
zone self
Description: System defined zone
zone inside
Description: *** Inside Network ***
Member Interfaces:
GigabitEthernet0/0
zone outside
Description: *** Outside Network ***
Member Interfaces:
GigabitEthernet0/1
Router#
The following sections provide more details on the specific features
containing the vulnerabilities.
Memory Leak Associated with Crafted IP Packets
+---------------------------------------------
There is no specific configuration necessary for a device to be
vulnerable to the memory leak associated with crafted IP packets. If
the Zone-Based Firewall is configured, the device is vulnerable.
Memory Leak in HTTP Inspection
+-----------------------------
For the device to be vulnerable to the memory leak associated with
HTTP inspection, the Zone-Based Firewall must be configured to
perform HTTP inspection with the Zone-Based Firewall.
To determine whether a device is configured for HTTP inspection,
enter the command show policy-map type inspect zone-pair | include
Match: protocol http. The following example shows a vulnerable device
configured with Cisco IOS Zone-Based Policy Firewall HTTP inspection:
Router#show policy-map type inspect zone-pair | include Match: protocol http
Match: protocol http
Memory Leak in H.323 Inspection
+------------------------------
For a device to be vulnerable to the memory leak associated with
H.323 inspection, the Zone-Based Firewall must be configured to
perform H.323 inspection. To determine if a device is configured for
H.323 inspection enter the command show policy-map type inspect
zone-pair | include Match: protocol h323. If the output contains
"Match: protocol h323" the device is vulnerable. The following
example shows a vulnerable device configured with Cisco IOS
Zone-Based Policy Firewall H.323 inspection:
Router# show policy-map type inspect zone-pair | include Match: protocol h323
Match: protocol h323
Memory Leak in SIP Inspection
+----------------------------
The device is vulnerable if the configuration has either a Layer 4 or
Layer 7 Session Initiation Protocol (SIP) application-specific policy
configured, and the policy is applied to any firewall zone. To
determine whether a device is configured for SIP inspection enter the
command show policy-map type inspect zone-pair | include Match:
protocol sip. If the output contains "Match: protocol sip" the device
is vulnerable. The following example shows a vulnerable device
configured with Cisco IOS Zone-Based Policy Firewall SIP inspection:
Router# show policy-map type inspect zone-pair | include Match: protocol sip
Match: protocol sip
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 15.0(1)M1 with an installed image name of
C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS and NX-OS
Software Reference Guide" at http://www.cisco.com/web/about/security/
intelligence/ios-ref.html.
Products Confirmed Not Vulnerable
+--------------------------------
The following products are confirmed not vulnerable:
* Cisco PIX 500 Series Firewall
* Cisco ASA 5500 Series Adaptive Security Appliance
* Firewall Services Module (FWSM) for Catalyst 6500 Series Switches
and 7600 Series Routers
* Virtual Firewall (VFW) application on the multiservice blade
(MSB) on the Cisco XR 12000 Series Router
* Cisco ACE Application Control Engine Module
* Cisco IOS devices configured with legacy Cisco IOS Firewall
support
* Cisco IOS XR Software
* Cisco IOS XE Software
* Cisco Catalyst 6500 Series ASA Services Module
* Context-Based Access Control (CBAC)
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Firewalls are networking devices that control access to the network
assets of an organization. Firewalls are often positioned at the
entrance points of networks. Cisco IOS Software provides a set of
security features that allow the configuration of a firewall policy
to match an organization's requirements.
The vulnerabilities described in this advisory affect the Zone-Based
Firewall feature. The Zone-Based Policy Firewall (also known as
Zone-Policy Firewall or ZFW) updates the firewall configuration from
the older interface-based model to a more flexible, more easily
understood zone-based model. Interfaces are assigned to zones, and
inspection policy is applied to traffic moving between the zones.
Inter-zone policies offer considerable flexibility and granularity,
so different inspection policies can be applied to multiple host
groups connected to the same router interface.
More information on the Zone-Based Firewall is available at:
http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080…
Memory Leak Associated with Crafted IP Packets
+---------------------------------------------
A vulnerability exists in the Zone-Based Firewall implementation in
Cisco IOS Software that could allow a remote attacker to cause an
affected device to reload or to trigger memory leaks that may result
in system instabilities. These vulnerabilities are triggered when the
device that is running Cisco IOS Software processes crafted IP
packets. Only traffic destined to an IP address configured on the
device can trigger the vulnerability; transit traffic is not an
exploit vector.
This vulnerability is documented in Cisco bug ID CSCto89536
and has been assigned the Common Vulnerabilities and Exposures
(CVE) identifier CVE-2012-1310.
Memory Leak in HTTP Inspection
+---------------------------------------------
The HTTP Inspection Engine feature allows users to configure their
Cisco IOS Firewall to detect and filter HTTP connections-such as
tunneling over port 80, unauthorized request methods, and non-HTTP
compliant file transfers-that are not authorized within the scope of
the security policy configuration.
A vulnerability exists in the implementation of the Cisco IOS
Software HTTP inspection feature that could allow a remote attacker
to cause an affected device to reload or to trigger memory leaks that
may result in system instabilities. This vulnerability is triggered
when the device that is running Cisco IOS Software processes certain
HTTP messages. Transit HTTP traffic is an exploit vector.
This vulnerability is documented in Cisco bug ID CSCtq36153
and has been assigned CVE ID CVE-2012-0387.
More information on HTTP inspection is available at:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_fwapc.ht…
Memory Leak in H.323 Inspection
+---------------------------------------------
H.323 is the ITU standard for real-time multimedia communications and
conferencing over packet-based (IP) networks. A vulnerability exists
in the implementation of the Cisco IOS Software H.323 inspection
feature that could allow a remote attacker to cause an affected
device to reload or to trigger memory leaks that may result in system
instabilities. This vulnerability is triggered when the device that
is running Cisco IOS Software processes malformed H.323 messages.
Transit H.323 traffic is an exploit vector.
This vulnerability is documented in Cisco bug ID CSCtq45553
and has been assigned the CVE ID CVE-2012-0388.
More information on H.323 inspection is available at:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/15-2…
Memory Leak in SIP Inspection
+---------------------------------------------
SIP is a popular signaling protocol that is used to manage voice and
video calls across IP networks, such as the Internet. SIP is
responsible for handling all aspects of call setup and termination.
Voice and video are the most popular types of sessions that SIP
handles, but the protocol has the flexibility to accommodate other
applications that require call setup and termination. SIP call
signaling can use UDP (port 5060), TCP (port 5060), or Transport
Layer Security (TLS; TCP port 5061) as the underlying transport
protocol.
A vulnerability exists in the implementation of the Cisco IOS SIP
inspection feature that could allow a remote attacker to cause an
affected device to reload or to trigger memory leaks that may result
in system instabilities. This vulnerability is triggered when the
device that is running Cisco IOS Software processes crafted SIP
messages. Transit SIP traffic is an exploit vector.
This vulnerability is documented in Cisco bug ID CSCti46171
and has been assigned CVE ID CVE-2012-1315.
More information on SIP inspection is available at:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_sip_al…
Memory Leak Detection
+---------------------------------------------
Detected memory leaks can be viewed using the command show memory
debug leaks chunks in privileged EXEC mode, as shown in the following
example:
Router# show memory debug leaks chunks
Adding blocks for GD... I/O memory Address Size Alloc_pc PID
Alloc-Proc Name Chunk Elements:
AllocPC Address Size Parent Name Processor memory Address Size
Alloc_pc PID Alloc-Proc Name
4733113C 188 419CB164 129 IP Input FW h225 tpkt
The previous example shows a memory leak in the process FW h225 tpkt.
The show memory debug leaks command was introduced in Cisco IOS
Software versions 12.3(8)T1 and 12.2(25)S.
Caution: All show memory debug commands must be used on customer
networks only to diagnose the router for memory leaks when memory
depletion is observed. These commands may cause high CPU utilization
and may cause time-sensitive protocols to flap. These commands are
recommended to be used in maintenance windows.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* Memory Leak associated with crafted IP packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Memory Leak in HTTP inspection
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Memory Leak in H.323 inspection
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Memory Leak in SIP Inspection
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities may result in a
reload of the affected device. Repeated exploit attempts may result
in a sustained denial of service (DoS) attack.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt and review subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised
to contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
Cisco IOS Software
+-----------------
Each row of the following Cisco IOS Software table corresponds to a
Cisco IOS Software train. If a particular train is vulnerable, the
earliest releases that contain the fix are listed in the First Fixed
Release column. The First Fixed Release for All Advisories in the
March 2012 Bundled Publication column lists the earliest possible
releases that correct all the published vulnerabilities in the Cisco
IOS Software Security Advisory bundled publication. Cisco recommends
upgrading to the latest available release, where possible.
The Cisco IOS Software Checker allows customers to search for Cisco
Security Advisories that address specific Cisco IOS Software
releases. This tool is available on the Cisco Security Intelligence
Operations (SIO) portal at:
http://tools.cisco.com/security/center/selectIOSVersion.x
+------------------------------------------+
| Major | Availability of |
| Release | Repaired Releases |
|------------+-----------------------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 12.0-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------------------------------------|
| There are no affected 12.0 based |
| releases |
|------------------------------------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 12.2-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------------------------------------|
| There are no affected 12.2 based |
| releases |
|------------------------------------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 12.3-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------------------------------------|
| There are no affected 12.3 based |
| releases |
|------------------------------------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 12.4-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4 | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4GC | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| 12.4JA | Not | 12.4(23c)JA4 |
| | vulnerable | 12.4(25e)JA |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4JAX | Not | First fixed |
| | vulnerable | in Release |
| | | 12.4JA |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4JDA | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4JDC | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4JDD | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4JDE | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4JHA | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4JHB | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4JHC | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4JK | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4JL | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4JX | Not | First fixed |
| | vulnerable | in Release |
| | | 12.4JA |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4JY | Not | First fixed |
| | vulnerable | in Release |
| | | 12.4JA |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4JZ | Not | First fixed |
| | vulnerable | in Release |
| | | 12.4JA |
|------------+--------------+--------------|
| | 12.4(22)MD3; | 12.4(22)MD3; |
| 12.4MD | Available on | Available on |
| | 30-MAR-12 | 30-MAR-12 |
|------------+--------------+--------------|
| 12.4MDA | 12.4(24) | 12.4(24) |
| | MDA11 | MDA11 |
|------------+--------------+--------------|
| 12.4MDB | 12.4(24) | 12.4(24) |
| | MDB5a | MDB5a |
|------------+--------------+--------------|
| 12.4MDC | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | Releases up | organization |
| | to and | per the |
| 12.4MR | including | instructions |
| | 12.4(19)MR3 | in Obtaining |
| | are not | Fixed |
| | vulnerable. | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4MRA | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4MRB | First fixed | First fixed |
| | in Release | in Release |
| | 15.0M | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4SW | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | 12.4(24)T7 | |
| | | |
| | Releases up | 12.4(15)T17 |
| 12.4T | to and | 12.4(24)T7 |
| | including | |
| | 12.4(15)T17 | |
| | are not | |
| | vulnerable. | |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XA | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XB | Not | First fixed |
| | vulnerable | in Release |
| | | 12.4T |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XC | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XD | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XE | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XF | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XG | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XJ | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XK | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4XL | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XM | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4XN | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4XP | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XQ | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | |
| | First fixed | |
| | in Release | |
| | 12.4T | Vulnerable; |
| 12.4XR | Releases up | First fixed |
| | to and | in Release |
| | including | 12.4T |
| | 12.4(15)XR10 | |
| | are not | |
| | vulnerable. | |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XT | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4XV | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XW | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XY | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XZ | First fixed | First fixed |
| | in Release | in Release |
| | 15.0M | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4YA | First fixed | First fixed |
| | in Release | in Release |
| | 15.0M | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4YB | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4YD | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| 12.4YE | 12.4(24)YE3d | 12.4(24)YE3d |
|------------+--------------+--------------|
| 12.4YG | 12.4(24)YG4 | 12.4(24)YG4 |
|------------+--------------+--------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 15.0-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| 15.0M | 15.0(1)M8 | 15.0(1)M8 |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 15.0MR | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 15.0MRA | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | 15.0(1)S5 |
| | | Cisco IOS XE |
| | Not | devices: |
| 15.0S | vulnerable | Please see |
| | | Cisco IOS XE |
| | | Software |
| | | Availability |
|------------+--------------+--------------|
| 15.0SA | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| 15.0SE | Not | 15.0(1)SE1 |
| | vulnerable | |
|------------+--------------+--------------|
| | | 15.0(2)SG2 |
| | | Cisco IOS XE |
| | Not | devices: |
| 15.0SG | vulnerable | Please see |
| | | Cisco IOS XE |
| | | Software |
| | | Availability |
|------------+--------------+--------------|
| 15.0SY | Not | 15.0(1)SY1 |
| | vulnerable | |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 15.0XA | First fixed | First fixed |
| | in Release | in Release |
| | 15.1T | 15.1T |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | First fixed |
| | | in Release |
| | | 15.0SG Cisco |
| 15.0XO | Not | IOS XE |
| | vulnerable | devices: |
| | | Please see |
| | | Cisco IOS XE |
| | | Software |
| | | Availability |
|------------+--------------+--------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 15.1-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| 15.1EY | Not | 15.1(2)EY2 |
| | vulnerable | |
|------------+--------------+--------------|
| 15.1GC | 15.1(2)GC2 | 15.1(2)GC2 |
|------------+--------------+--------------|
| | 15.1(4)M3 | 15.1(4)M4; |
| 15.1M | | Available on |
| | | 30-MAR-12 |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 15.1MR | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | 15.1(3)S2 |
| | | Cisco IOS XE |
| | Not | devices: |
| 15.1S | vulnerable | Please see |
| | | Cisco IOS XE |
| | | Software |
| | | Availability |
|------------+--------------+--------------|
| 15.1SG | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 15.1SNG | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| 15.1SNH | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| 15.1T | 15.1(3)T3 | 15.1(3)T3 |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 15.1XB | First fixed | First fixed |
| | in Release | in Release |
| | 15.1T | 15.1T |
|------------+--------------+--------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 15.2-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| 15.2GC | 15.2(1)GC2 | 15.2(1)GC2 |
|------------+--------------+--------------|
| | | 15.2(1)S1 |
| | | Cisco IOS XE |
| | | devices: |
| 15.2S | Not | Please see |
| | vulnerable | Cisco IOS XE |
| | | Software |
| | | Availability |
| | | |
|------------+--------------+--------------|
| | | 15.2(1)T2 |
| | 15.2(1)T2 | 15.2(2)T1 |
| 15.2T | 15.2(2)T | 15.2(3)T; |
| | 15.2(2)T1 | Available on |
| | | 30-MAR-12 |
+------------------------------------------+
* Cisco Catalyst 3550 Series Switches support the Internet Key
Exchange (IKE) feature and are vulnerable to Cisco bug ID CSCts38429
when the devices are running Layer 3 images; however, this product
reached the End of Software Maintenance milestone. Cisco 3550 Series
SMI Switches that are running Layer 2 images do not support IKE and
are not vulnerable. No other Cisco devices that run 12.2SE-based
software are vulnerable.
Cisco IOS XE Software
+--------------------
Cisco IOS XE Software is not affected by the vulnerabilities that are
disclosed in this document.
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
Release Notes, and Cisco IOS XE 3SG Release Notes.
Cisco IOS XR Software
+--------------------
Cisco IOS XR Software is not affected by any of the vulnerabilities
disclosed in the March 2012 Cisco IOS Software Security Advisory
Bundled Publication.
Workarounds
===========
There are no workarounds that mitigate the vulnerabilities described
in this advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerabilities described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance
providers or check the software for feature set compatibility and
known issues that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerabilities that are described in this advisory.
These vulnerabilities were discovered by Cisco during normal internal
security testing.
Status of This Notice: Final
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce(a)cisco.com
* first-bulletins(a)lists.first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2012-March-28 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…
This web page includes instructions for press inquiries regarding Cisco
Security Advisories.
All Cisco Security Advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFPcSUMQXnnBKKRMNARCA3iAP48lwmrPR8E6Wi6CVHpEpqoDUnfuHJA/e4E
tz+jl1voLwD+NNC2Y5SFONTzfed+n4Ib3cxVLPAwafgVDlr+HhITJgc=
=Na2V
-----END PGP SIGNATURE-----
1
0
Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS Software Traffic Optimization Features
by Cisco Systems Product Security Incident Response Team 28 Mar '12
by Cisco Systems Product Security Incident Response Team 28 Mar '12
28 Mar '12
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS Software
Traffic Optimization Features
Advisory ID: cisco-sa-20120328-mace
Revision 1.0
For Public Release 2012 March 28 16:00 UTC (GMT)
+--------------------------------------------------------------------
Summary
=======
Cisco IOS Software contains a denial of service (DoS) vulnerability
in the Wide Area Application Services (WAAS) Express feature that
could allow an unauthenticated, remote attacker to cause the router
to leak memory or to reload.
Cisco IOS Software also contains a DoS vulnerability in the
Measurement, Aggregation, and Correlation Engine (MACE) feature that
could allow an unauthenticated, remote attacker to cause the router
to reload.
An attacker could exploit these vulnerabilities by sending transit
traffic through a router configured with WAAS Express or MACE.
Successful exploitation of these vulnerabilities could allow an
unauthenticated, remote attacker to cause the router to leak memory
or to reload. Repeated exploits could allow a sustained DoS
condition.
Cisco has released free software updates that address these
vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Note: The March 28, 2012, Cisco IOS Software Security Advisory
bundled publication includes nine Cisco Security Advisories. Each
advisory lists the Cisco IOS Software releases that correct the
vulnerability or vulnerabilities detailed in the advisory as well as
the Cisco IOS Software releases that correct all vulnerabilities in
the March 2012 bundled publication.
Individual publication links are in "Cisco Event Response:
Semi-Annual Cisco IOS Software Security Advisory Bundled Publication"
at the following link:
http://www.cisco.com/web/about/security/intelligence/
Cisco_ERP_mar12.html
Affected Products
=================
Vulnerable Products
+------------------
Cisco devices that are running Cisco IOS Software are vulnerable
when they are configured with the "mace enable" or "waas enable"
interface configuration commands on one or more interfaces. Additional
configuration is required for WAAS Express or MACE to be configured;
more details follow.
Note: Cisco IOS Software is vulnerable only when configured for WAAS
Express or MACE. Cisco IOS Software configured for WAAS, not WAAS
Express, is not vulnerable.
For more information on WAAS Express, see
http://www.cisco.com/en/US/products/ps11211/index.html.
For more information about MACE, see
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps11709/ps11671/guide_c….
To determine the Cisco IOS Software release that is running on a Cisco
product, administrators can log in to the device and issue the "show
version" command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or "Cisco
IOS Software." The image name displays in parentheses, followed by
"Version" and the Cisco IOS Software release name. Other Cisco devices
do not have the "show version" command or may provide different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 15.0(1)M1 with an installed image name of
C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release
naming conventions is available in "White Paper:
Cisco IOS and NX-OS Software Reference Guide" at
http://www.cisco.com/web/about/security/intelligence/ios-ref.html.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The Cisco Wide Area Application Services (WAAS) Express feature allows
optimization of the WAN bandwidth required to access centrally located
applications. WAAS Express allows the traffic to be optimized by a Cisco
Integrated Services Router (ISR G2), with no other devices required.
The Cisco Measurement, Aggregation, and Correlation Engine (MACE) is a
Cisco IOS feature that is used for measurement and analysis of network
traffic. The feature may be used with WAAS Express to give details
of optimized traffic or used by itself to help measure application
performance.
Cisco IOS Software contains a DoS vulnerability in the WAAS Express
feature that could allow an unauthenticated, remote attacker to cause
the router to leak memory or to reload. This vulnerability is documented
in Cisco bug ID CSCtt45381 and has been assigned Common Vulnerabilities
and Exposures (CVE) ID CVE-2012-1314.
Cisco IOS Software contains a DoS vulnerability in the MACE feature that
could allow an unauthenticated, remote attacker to cause the router to
reload. This vulnerability is documented in Cisco bug IDs CSCtq64987 and
CSCtu57226 and has been assigned CVE ID CVE-2012-1312.
An attacker could exploit these vulnerabilities by sending transit
traffic through a router configured with WAAS Express or MACE.
Successful exploitation of these vulnerabilities could allow an
unauthenticated, remote attacker to cause the router to leak memory
or to reload. Repeated exploits could allow a sustained DoS
condition.
A configuration similar to one or more of the following configuration
excerpts will exist if WAAS Express or MACE is configured on the
router.
The following example shows a partial WAAS Express configuration:
parameter-map type waas waas_global
tfo optimize full
class-map type waas match-any HTTP
match tcp destination port 80
class-map type waas match-any NNTP
match tcp destination port 119
...
policy-map type waas waas_global
class HTTP
optimize tfo dre lz application Web
class NNTP
optimize tfo dre lz application Email-and-Messaging
...
interface <egress interface>
waas enable
The following example shows a partial MACE configuration with WAAS
Express already configured as shown in the preceding excerpt:
flow record type mace my-flow-record
collect art all
flow exporter my-flow-exporter
export-protocol netflow-v9
destination 10.101.200.1
flow monitor type mace my-flow-monitor
record my-flow-record
exporter my-flow-exporter
mace monitor waas all my-flow-monitor
interface <egress interface>
mace enable
The following example shows a partial MACE configuration without WAAS
Express:
flow record type mace mace-flow-record
collect datalink mac source address input
collect ipv4 dscp
collect interface input
collect interface output
collect application name
collect waas all
flow exporter flow-exporter1
destination 10.101.200.1
source <interface>
output-features
transport udp 32001
flow monitor type mace mace-flow-monitor1
record mace-flow-record
exporter flow-exporter1
class-map type waas match-any HTTP
match tcp destination port 80
match tcp destination port 8080
...
policy-map type mace mace_global
class HTTP
flow monitor mace-flow-monitor1
...
interface <egress interface>
mace enable
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtt45381
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtq64987 and CSCtu57226
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities could allow an
unauthenticated, remote attacker to cause the router to leak memory or
to reload. Repeated exploits could allow a sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to
consult the Cisco Security Advisories and Responses archive at
http://www.cisco.com/go/psirt and review subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised
to contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
Cisco IOS Software
+-----------------
Each row of the following Cisco IOS Software table corresponds to a
Cisco IOS Software train. If a particular train is vulnerable, the
earliest releases that contain the fix are listed in the First Fixed
Release column. The First Fixed Release for All Advisories in the
March 2012 Bundled Publication column lists the earliest possible
releases that correct all the published vulnerabilities in the Cisco
IOS Software Security Advisory bundled publication. Cisco recommends
upgrading to the latest available release, where possible.
The Cisco IOS Software Checker allows customers to search for Cisco
Security Advisories that address specific Cisco IOS Software
releases. This tool is available on the Cisco Security Intelligence
Operations (SIO) portal at:
http://tools.cisco.com/security/center/selectIOSVersion.x
+------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+-------------------------------------------------|
| Affected | | First Fixed Release for All |
|12.0-Based| First Fixed | Advisories in the March 2012 |
| Releases | Release | Cisco IOS Software Security |
| | | Advisory Bundled Publication |
|------------------------------------------------------------|
| There are no affected 12.0 based releases |
|------------------------------------------------------------|
| Affected | | First Fixed Release for All |
|12.2-Based| First Fixed | Advisories in the March 2012 |
| Releases | Release | Cisco IOS Software Security |
| | | Advisory Bundled Publication |
|------------------------------------------------------------|
| There are no affected 12.2 based releases |
|------------------------------------------------------------|
| Affected | | First Fixed Release for All |
|12.3-Based| First Fixed | Advisories in the March 2012 |
| Releases | Release | Cisco IOS Software Security |
| | | Advisory Bundled Publication |
|------------------------------------------------------------|
| There are no affected 12.3 based releases |
|------------------------------------------------------------|
| Affected | | First Fixed Release for All |
|12.4-Based| First Fixed | Advisories in the March 2012 |
| Releases | Release | Cisco IOS Software Security |
| | | Advisory Bundled Publication |
|------------------------------------------------------------|
| There are no affected 12.4 based releases |
|------------------------------------------------------------|
| Affected | | First Fixed Release for All |
|15.0-Based| First Fixed | Advisories in the March 2012 |
| Releases | Release | Cisco IOS Software Security |
| | | Advisory Bundled Publication |
|------------------------------------------------------------|
| There are no affected 15.0 based releases |
|------------------------------------------------------------|
| Affected | | First Fixed Release for All |
|15.1-Based| First Fixed | Advisories in the March 2012 |
| Releases | Release | Cisco IOS Software Security |
| | | Advisory Bundled Publication |
|----------+------------------+------------------------------|
|15.1EY |Not vulnerable |15.1(2)EY2 |
|----------+------------------+------------------------------|
|15.1GC |Not vulnerable |15.1(2)GC2 |
|----------+------------------+------------------------------|
| |15.1(4)M4; |15.1(4)M4; Available on |
|15.1M |Available on |30-MAR-12 |
| |30-MAR-12 | |
|----------+------------------+------------------------------|
| | |Vulnerable; contact your |
| | |support organization per the |
|15.1MR |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of this|
| | |advisory. |
|----------+------------------+------------------------------|
| |Cisco IOS XE | |
| |devices: Please |Cisco IOS XE devices: Please |
|15.1S |see Cisco IOS XE |see Cisco IOS XE Software |
| |Software |Availability |
| |Availability | |
|----------+------------------+------------------------------|
| |Cisco IOS XE | |
| |devices: Please |Cisco IOS XE devices: Please |
|15.1SG |see Cisco IOS XE |see Cisco IOS XE Software |
| |Software |Availability |
| |Availability | |
|----------+------------------+------------------------------|
| | |Vulnerable; contact your |
| | |support organization per the |
|15.1SNG |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of this|
| | |advisory. |
|----------+------------------+------------------------------|
|15.1SNH |Not vulnerable |Not vulnerable |
|----------+------------------+------------------------------|
|15.1T |Not vulnerable |15.1(3)T3 |
|----------+------------------+------------------------------|
|15.1XB |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.1T |
|----------+------------------+------------------------------|
| Affected | | First Fixed Release for All |
|15.2-Based| First Fixed | Advisories in the March 2012 |
| Releases | Release | Cisco IOS Software Security |
| | | Advisory Bundled Publication |
|----------+------------------+------------------------------|
|15.2GC |15.2(1)GC2 |15.2(1)GC2 |
|----------+------------------+------------------------------|
|15.2S |Not vulnerable |15.2(1)S1 |
| | | |
|----------+------------------+------------------------------|
| |15.2(1)T2 |15.2(1)T2 |
| |15.2(2)T1 |15.2(2)T1 |
|15.2T |15.2(3)T; |15.2(3)T; Available on |
| |Available on |30-MAR-12 |
| |30-MAR-12 | |
+------------------------------------------------------------+
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release
Notes, and Cisco IOS XE 3SG Release Notes.
Cisco IOS XE Software
+--------------------
Cisco IOS XE Software is not affected by the vulnerabilities that are
disclosed in this document.
Cisco IOS XR Software
+--------------------
Cisco IOS XR Software is not affected by any of the vulnerabilities
disclosed in the March 2012 Cisco IOS Software Security Advisory
Bundled Publication.
Workarounds
===========
There are no workarounds for these vulnerabilities.
There is no Applied Mitigation Bulletin (AMB) for this advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerabilities described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance
providers or check the software for feature set compatibility and
known issues that are specific to their environments.
Customers may only install and expect support for feature
sets they have purchased. By installing, downloading,
accessing, or otherwise using such software upgrades, customers
agree to follow the terms of the Cisco software license at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as set forth at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be obtained
through the Software Center on Cisco.com at http://www.cisco.com.
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerabilities that are described in this advisory.
These vulnerabilities were initially found by Cisco during internal
testing.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce(a)cisco.com
* first-bulletins(a)lists.first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2012-March-28 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco is available on Cisco.com at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.….
This web page includes instructions for press inquiries
regarding Cisco Security Advisories. All Cisco Security Advisories are
available at http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iF4EAREIAAYFAk9yeDQACgkQQXnnBKKRMND8JAD+LwCEQ/3I15qyaV2fGjOXnBBP
oqdlu1PkfePXe5OeMaoA/iUbaiXx3glDNbmziQwcm+fVu2RAJ1HvZzyh0mjz9vOn
=BPrU
-----END PGP SIGNATURE-----
1
0