[cisco-ttl] Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet

From: Ilker Temir (itemir_at_cisco.com)
Date: Thu Jul 17 2003 - 03:47:17 GMT

  • Next message: sustundag_at_tepum.com.tr: "[cisco-ttl] Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet"

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet

    Revision 1.0
    ============

    For Public Release 2003 July 17 at 0:00 UTC (GMT)

    - --------------------------------------------------------------------------

    Please provide your feedback on this document.

    - --------------------------------------------------------------------------

    Contents
    ========

        Summary
        Affected Products
        Details
        Impact
        Software Versions and Fixes
        Obtaining Fixed Software
        Workarounds
        Exploitation and Public Announcements
        Status of This Notice: INTERIM
        Distribution
        Revision History
        Cisco Security Procedures

    - --------------------------------------------------------------------------

    Summary
    =======

    Cisco routers and switches running Cisco IOS® software and configured to
    process Internet Protocol version 4 (IPv4) packets are vulnerable to a
    Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets
    sent directly to the device may cause the input interface to stop
    processing traffic once the input queue is full. No authentication is
    required to process the inbound packet. Processing of IPv4 packets is
    enabled by default. Devices running only IP version 6 (IPv6) are not
    affected. A workaround is available.

    Cisco has made software available, free of charge, to correct the problem.

    This advisory is available at
    http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.

    Affected Products
    =================

    This issue affects all Cisco devices running Cisco IOS software and
    configured to process Internet Protocol version 4 (IPv4) packets. Cisco
    devices which do not run Cisco IOS software are not affected. Devices which
    run only Internet Protocol version 6 (IPv6) are not affected.

    Details
    =======

    Cisco routers are configured to process and accept Internet Protocol
    version 4 (IPv4) packets by default. A rare, specially crafted sequence of
    IPv4 packets which is handled by the processor on a Cisco IOS device may
    force the device to incorrectly flag the input queue on an interface as
    full, which will cause the router to stop processing inbound traffic on
    that interface. This can cause routing protocols to drop due to dead
    timers.

    On Ethernet interfaces, Address Resolution Protocol (ARP) times out after a
    default time of four hours, and no traffic can be processed. The device
    must be rebooted to clear the input queue on the interface, and will not
    reload without user intervention. The attack may be repeated on all
    interfaces causing the router to be remotely inaccessible. A workaround is
    available, and is documented in the Workarounds section.

    The following two Cisco vulnerabilities are documented in DDTS. CSCea02355
    ( registered customers only) affects all Cisco routers running Cisco IOS
    software. CSCdz71127 ( registered customers only) was introduced by an
    earlier code revision. Any version of software which has the fix for
    CSCdx02283 ( registered customers only) is vulnerable.

    Registered customers can find more details using the Bug Toolkit at
    http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl ( registered
    customers only) .

    To identify a blocked input interface, use the show interfaces command and
    look for the Input Queue line. If the current size (in this case, 76) is
    larger than the maximum size (75), the input queue is blocked.

        Router#show interface ethernet 0/0
        Ethernet0/0 is up, line protocol is up
          Hardware is AmdP2, address is 0050.500e.f1e0 (bia 0050.500e.f1e0)
          Internet address is 172.16.1.9/24
          MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
          Encapsulation ARPA, loopback not set, keepalive set (10 sec)
          ARP type: ARPA, ARP Timeout 04:00:00
          Last input 00:00:41, output 00:00:07, output hang never
          Last clearing of "show interface" counters 00:07:18
          Input queue: 76/75/1091/0 (size/max/drops/flushes); Total output
    drops: 0
                       ^^^^^^^^^^^^^^ ---> blocked

    Impact
    ======

    A device receiving these specifically crafted IPv4 packets will force the
    inbound interface to stop processing traffic. The device may stop
    processing packets destined to the router, including routing protocol
    packets and ARP packets. No alarms will be triggered, nor will the router
    reload to correct itself. This issue can affect all Cisco devices running
    Cisco IOS software. This vulnerability may be exercised repeatedly
    resulting in loss of availability until a workaround has been applied or
    the device has been upgraded to a fixed version of code.

    Software Versions and Fixes
    ===========================

    Each row of the table describes a release train and the platforms or
    products for which it is intended. If a given release train is vulnerable,
    then the earliest possible releases that contain the fix and the
    anticipated date of availability for each are listed in the Rebuild,
    Interim, and Maintenance columns. In some cases, no rebuild of a particular
    release is planned; this is marked with the label "Not scheduled." A device
    running any release in the given train that is earlier than the release in
    a specific column (less than the earliest fixed release) is known to be
    vulnerable, and it should be upgraded at least to the indicated release or
    a later version (greater than the earliest fixed release label).

    When selecting a release, keep in mind the following definitions:

      * Maintenance

        Most heavily tested and highly recommended release of any label in a
        given row of the table.

      * Rebuild

        Constructed from the previous maintenance or major release in the same
        train, it contains the fix for a specific vulnerability. Although it
        receives less testing, it contains only the minimal changes necessary
        to effect the repair. Cisco has made available several rebuilds of
        mainline trains to address this vulnerability, but strongly recommends
        running only the latest maintenance release on mainline trains.

      * Interim

        Built at regular intervals between maintenance releases and receives
        less testing. Interims should be selected only if there is no other
        suitable release that addresses the vulnerability, and interim images
        should be upgraded to the next available maintenance release as soon as
        possible. Interim releases are not available through manufacturing, and
        usually they are not available for customer download from CCO without
        prior arrangement with the Cisco Technical Assistance Center (TAC).

    In all cases, customers should exercise caution to be certain the devices
    to be upgraded contain sufficient memory and that current hardware and
    software configurations will continue to be supported properly by the new
    release. If the information is not clear, contact the Cisco TAC for
    assistance, as shown in the section following this table.

    +------------------------------------------------------------------------+
    |Train |Description of |Availability of Fixed Releases |
    | |Image or Platform| |
    |------------------------+-----------------------------------------------+
    | 11.x based releases | Rebuild |Interim| Maintenance |
    |------------------------+-------------+-------+-------------------------+
    |11.1CA| |11.1(36)CA4**| | |
    |------+-----------------+-------------+-------+-------------------------+
    |11.2 | |11.2(26e)** | | |
    |------+-----------------+-------------+-------+-------------------------+
    |11.2P | |11.2(26)P5** | | |
    |------+-----------------+-----------------------------------------------+
    |11.3 | |Not scheduled |
    |------+-----------------+-----------------------------------------------+
    |11.3T | |Not scheduled |
    |------------------------+-----------------------------------------------+
    |12.0 based releases |Rebuild |Interim|Maintenance |
    |------------------------+-------------+-------+-------------------------+
    | |General | | | |
    |12.0 |Deployment | | |12.0(26) |
    | |release for all | | | |
    | |platforms | | | |
    |------+-----------------+-----------------------------------------------+
    |12.0DA|xDSL support: |Migrate to 12.2DA; 12.2(10)DA2 - Aug-15-2003, |
    | |6100, 6200 |12.2(12)DA3 - Aug-22-2003: Engineering |
    | | |Specials available on request. |
    |------+-----------------+-----------------------------------------------+
    |12.0DB|Early Deployment |Migrate to 12.3(1a) |
    | |6400 UAC for NSP | |
    |------+-----------------+-----------------------------------------------+
    |12.0DC|Early Deployment |Migrate to 12.3(1a) |
    | |6400 UAC for NRP | |
    |------+-----------------+-----------------------------------------------+
    | | |12.0(24)S2 | | |
    | | |12.0(23)S3 | | |
    | | |12.0(22)S5 | | |
    | | |12.0(21)S7 | | |
    | | |12.0(19)S4 | | |
    | |Core/ISP support:|12.0(18)S7 | | |
    |12.0S |GSR, RSP, c7200, |12.0(17)S7 | |12.0(25)S |
    | |c10k |12.0(16)S10 | | |
    | | |12.0(15)S7 | | |
    | | |12.0(14)S8 | | |
    | | |12.0(13)S8 | | |
    | | |12.0(12)S4 | | |
    | | |12.0(10)S8 | | |
    |------+-----------------+-----------------------------------------------+
    |12.0SC|Cable/broadband |Migrate to 12.1(19)EC |
    | |ISP: ubr7200 | |
    |------+-----------------+-----------------------------------------------+
    |12.0SL|100000 ESR:c10k |Migrate to 12.0(23)S3, **12.0(17)SL9 - |
    | | |Jul-15-2003 |
    |------+-----------------+-----------------------------------------------+
    |12.0SP|Early Deployment |Migrate to 12.0(22)S5 |
    |------+-----------------+-----------------------------------------------+
    | |Early Deployment |12.0(21)ST7 | | |
    |12.0ST|release for Core/|12.0(20)ST6 | | |
    | |ISP support: GSR,|12.0(19)ST6 | | |
    | |RSP, c7200 |12.0(17)ST8 | | |
    |------+-----------------+-----------------------------------------------+
    |12.0SX|Early Deployment |Migrate to 12.0(22)S5 |
    |------+-----------------+-----------------------------------------------+
    |12.0SY|Early Deployment |Migrate to 12.0(23)S3 |
    |------+-----------------+-----------------------------------------------+
    |12.0SZ|Early Deployment |Migrate to 12.0(23)S3 |
    |------+-----------------+-----------------------------------------------+
    |12.0T |Early Deployment |12.0(7)T3** | | |
    |------+-----------------+-------------+-------+-------------------------+
    | |85xx ls1010 | | |12.0(26)W5(28) |
    | |-----------------+-------------+-------+-------------------------+
    | |c5atm |12.0(24)W5 | | |
    | | |(26a) | | |
    | |-----------------+-------------+-------+-------------------------+
    | |Cat4232 and |12.0(25)W5 | | |
    | |Cat2948G-L3 |(27) | | |
    |12.0W5|-----------------+-------------+-------+-------------------------+
    | |C6MSM,C5rsfc, |Engineering | | |
    | |C5rsm, |Special | | |
    | | |available on | | |
    | | |request | | |
    | |-----------------+-------------+-------+-------------------------+
    | |C3620, C3640, | | | |
    | |C4500, C7200, RSP| | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.0WC|Early deployment |12.0(05)WC8 | | |
    | |2900XL-LRE,2900XL| | | |
    | |/3500XL; 2950 | | | |
    | |release | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.0WT|Early deployment |Engineering | | |
    | |Catalyst |Special | | |
    | |switches: |Available | | |
    | |cat4840g, |upon request | | |
    |------+-----------------+-----------------------------------------------+
    |12.0X |Shortlived Early |All 12.0X(any letter) releases have migrated to|
    |(l) |Deployment |either 12.0T or 12.1 unless otherwise |
    | |Releases |documented in the X release technical notes |
    | | |pertaining to the specific release. Please |
    | | |check migration paths for all 12.0X releases. |
    |------------------------+-----------------------------------------------+
    |12.1 based releases |Rebuild |Interim|Maintenance |
    |------------------------+-------------+-------+-------------------------+
    | |General | | | |
    |12.1 |Deployment | |12.1 |12.1(19) |
    | |release for all | |(18.4) | |
    | |platforms | | | |
    |------+-----------------+-----------------------------------------------+
    |12.1AA| |Migrate to 12.2 |
    |------+-----------------+-----------------------------------------------+
    |12.1AX|Catalyst 3750 |12.1(14)EA1 -| | |
    | | |Engineering | | |
    | | |special | | |
    | | |available | | |
    | | |upon request | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.1AY|Catalyst 2940 | | |12.1(13)AY |
    |------+-----------------+-----------------------------------------------+
    |12.1DA|6160 platform |Migrate to 12.2DA |
    |------+-----------------+-----------------------------------------------+
    |12.1DB|6400 UAC |Migrate to 12.3(1a) |
    |------+-----------------+-----------------------------------------------+
    |12.1DC|6400 UAC |Migrate to 12.3(1a) |
    |------+-----------------+-----------------------------------------------+
    |12.1E |Core Enterprise |12.1(8b)E14 | |12.1(19)E |
    | |support - c7200, |12.1(13)E7 | | |
    | |Catalyst 6000, |12.1(14)E4 | | |
    | |RSP |**12.1(12c)E7| | |
    | | |12.1(11b)E12-| | |
    | | |Aug-4-2003 | | |
    | | |12.1(6)E12 | | |
    |------+-----------------+-----------------------------------------------+
    |12.1EA|12.1(4)EA |Migrate to 12.1(13)EA1c |
    | |12.1(6)EA | |
    | |12.1(8)EA | |
    | |12.1(9)EA | |
    | |12.1(11)EA | |
    | |-----------------+-----------------------------------------------+
    | |12.1(12c)EA |12.1(13)EA1c | | |
    | |12.1(13)EA | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.1EB|LS1010 | | |12.1(14)EB |
    |------+-----------------+-------------+-------+-------------------------+
    |12.1EC|Early Deployment | | |12.1(19)EC (scheduled |
    | | | | |last week of July) |
    |------+-----------------+-------------+-------+-------------------------+
    |12.1EV|Early Deployment | | |12.1(12c)EV |
    |------+-----------------+-------------+-------+-------------------------+
    |12.1EW|Early Deployment | | |12.1(13)EW,12.1(19)EW |
    | |Cat4000 L3 | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.1EX|Early deployment |12.1(13)EX2 | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.1EY| | |12.1(14)E4 | | |
    |------+--+--------------+-------------+-------+-------------------------+
    |12.1YJ| | |12.1(14)EA1 -| | |
    | | | |Jul-28-2003 | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.1T |Early deployment |12.1(5)T15** | | |
    |------+-----------------------------------------------------------------+
    |12.1X |12.1X releases generally migrate to 12.1T, 12.2 or 12.2T as |
    |(l) |specified below. Please refer to specific train Technical notes |
    | |for documented migration path. |
    |------+-----------------------------------------------------------------+
    |12.1XA|Short lived Early|Migrate to 12.1(5)T15 |
    | |Deployment | |
    | |Release | |
    |------+-----------------+-----------------------------------------------+
    |12.1XC|Short lived Early|Migrate to12.2(17) |
    |12.1XD|Deployment | |
    |12.1XH|Releases | |
    |12.1XI| | |
    |------+-----------------+-----------------------------------------------+
    |12.1XB|Short lived Early|Migrate to 12.2(15)T5 |
    |12.1XF|Deployment | |
    |12.1XG|Releases | |
    |12.1XJ| | |
    |12.1XL| | |
    |12.1XP| | |
    |12.1XR| | |
    |12.1XT| | |
    |12.1YB| | |
    |12.1YC| | |
    |12.1YD| | |
    |12.1YH| | |
    |------+-----------------+-----------------------------------------------+
    |12.1XM|Short lived Early|Migrate to 12.2(2)XB11 |
    |12.1XQ|Deployment | |
    |12.1XV|Releases | |
    |------+-----------------+-----------------------------------------------+
    |12.1XU|Short lived Early|Migrate to 12.2(4)T6 |
    | |Deployment | |
    | |Release | |
    |------+-----------------+-----------------------------------------------+
    |12.1YE|Short lived Early|Migrate to 12.2(2)YC |
    |12.1YF|Deployment | |
    |12.1YI|Release | |
    |------------------------+-----------------------------------------------+
    |12.2 based releases |Rebuild |Interim|Maintenance |
    |------------------------+-------------+-------+-------------------------+
    | |General |12.2(16a) | | |
    |12.2 |Deployment (GD) |12.2(12e) | |12.2(17) |
    | |candidate for all|12.2(10d) | | |
    | |platforms | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2B |12.2(2)B-12.2(4) |12.3(1a) | | |
    | |B7 | | | |
    | |-----------------+-------------+-------+-------------------------+
    | |12.2(4)B8-12.2 |12.2(16)B1 | | |
    | |(16)B | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2BC|Early Deployment |12.2(15)BC1 | | |
    | |Release |(Scheduled | | |
    | | |end of July) | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2BW|Early Deployment |Migrate to | | |
    | |for use with |12.3(1a) | | |
    | |7200, 7400, and | | | |
    | |7411 platforms | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2BX|Broadband/Leased | | |12.2(16)BX |
    | |line | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2BZ|Early Deployment |12.2(15)BZ1 | | |
    | |Release | | | |
    |------+-----------------+-----------------------------------------------+
    |12.2CX|Early Deployment |Migrate to 12.1(15)BC1 |
    | |Release | |
    |------+-----------------+-----------------------------------------------+
    |12.2CY|Early Deployment |Migrate to 12.1(15)BC1 |
    | |Release | |
    |------+-----------------+-----------------------------------------------+
    |12.2DA|Early Deployment |12.2(10)DA2 -| | |
    | |Release |Jul-15-2003 | | |
    | | |12.2(12)DA3 -| | |
    | | |Aug-22-2003 | | |
    | | |Enginering | | |
    | | |Special | | |
    | | |available on | | |
    | | |request | | |
    |------+-----------------+-----------------------------------------------+
    |12.2DD|Early Deployment |Migrate to 12.3(1a) |
    | |Release | |
    |------+-----------------+-----------------------------------------------+
    |12.2DX|Early Deployment |Migrate to 12.3(1a) |
    | |Release | |
    |------+-----------------+-----------------------------------------------+
    |12.2JA|Cisco Aironet | | |12.2(11)JA |
    | |hardware | | | |
    | |platforms: | | | |
    | |Introduction of | | | |
    | |Access Point | | | |
    | |feature in IOS, | | | |
    | |Cisco 1100 Series| | | |
    | |Access Point | | | |
    | |(802.11b) | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2MB|Specific |12.2(4)MB12 | | |
    | |Technology ED for| | | |
    | |2600 7500 (GPRS/ | | | |
    | |PDSN/GGSN | | | |
    | |2600/7200/7500) | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2MC|Early Deployment:|12.2(13)MC1 | | |
    | |IP RAN |CCO: 7/24/03 | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2MX| |12.2(8)YD | | |
    | | | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2S |Core/ISP support:|12.2(14)S1 |12.2 | |
    | |GSR, RSP, c7200 | |(16.5)S| |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2SX|IOS Support for |12.2(14)SX1 | | |
    | |C6500 Supervisor | | | |
    | |3 | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2SY|VPN feature |12.2(14)SY1, | | |
    | |release for c6k/ |12.2(8)YD | | |
    | |76xx VPN service | | | |
    | |module. | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2SZ|7304 Platform |12.2(14)SZ2 | | |
    |------+-----------------+-------------+-------+-------------------------+
    | | |12.2(15)T4/ | |No more maintenance |
    | |New Technology |5,12.2(13)T5,| |trains for 12.2T are |
    |12.2T |Early Deployment |12.2(11) |12.2 |planned, please migrate |
    | |(ED) release for |T9,12.2(8) |(16.5)T|to latest 12.3 Mainline |
    | |all platforms |T10, | |release. |
    | | |12.2(4)T6 | | |
    |------+-----------------+-----------------------------------------------+
    |12.2X |Short lived Early|Many short lived releases migrate to the same |
    |(l) |Deployment |train; the trains below this point until the |
    |12.2Y |Releases - |following section are not grouped by strict |
    |(l) | |alphabetical order, but are grouped by |
    | | |migration path. Please review documented |
    | | |migration paths for your trains. |
    |------+-----------------+-----------------------------------------------+
    |12.2XA|Short lived Early|Migrate to 12.2(11)T9 |
    | |Deployment | |
    | |Releases | |
    |------+-----------------+-----------------------------------------------+
    |12.2XS| |12.2(2)XB11 |
    |------+-----------------+-----------------------------------------------+
    |12.2XD|Short lived Early|Migrate to 12.2(15)T5 |
    |12.2XE|Deployment | |
    |12.2XH|Releases | |
    |12.2XI| | |
    |12.2XJ| | |
    |12.2XK| | |
    |12.2XL| | |
    |12.2XM| | |
    |12.2XQ| | |
    |12.2XU| | |
    |12.2XW| | |
    |12.2YA| | |
    |12.2YB| | |
    |12.2YC| | |
    |12.2YF| | |
    |12.2YG| | |
    |12.2YH| | |
    |12.2YJ| | |
    |12.2YT| | |
    |------+-----------------+-----------------------------------------------+
    | |Short lived Early| |
    |12.2YN|Deployment |Migrate to 12.2(13)ZH |
    | |Releases | |
    |------+-----------------+-----------------------------------------------+
    | |Short lived Early|Migrate to 12.2(14)SY1 available Aug-4-2003: |
    |12.2YO|Deployment |Engineering Special available on request |
    | |Releases | |
    |------+-----------------+-----------------------------------------------+
    | |Early Deployment | | | |
    |12.2XB|Release with |12.2(2)XB11 | | |
    | |continuing | | | |
    | |support | | | |
    |------+-----------------+-----------------------------------------------+
    |12.2XC|Short lived Early|Migrate to 12.2(16)B1 |
    | |Deployment | |
    | |Releases | |
    |------+-----------------+-----------------------------------------------+
    |12.2XF|Short lived Early|Migrate to 12.2(15)BC1 |
    | |Deployment | |
    | |Release UBR10000 | |
    |------+-----------------+-----------------------------------------------+
    |12.2XG|Short lived Early|Migrate to 12.2(8)T10 |
    | |Deployment | |
    | |Release | |
    |------+-----------------+-----------------------------------------------+
    |12.2XN|Short lived Early|Migrate to 12.2(11)T9 |
    |12.2XT|Deployment | |
    | |Releases | |
    |------+-----------------+-----------------------------------------------+
    |12.2YD|Short lived Early|Migrate to 12.2(8)YY |
    | |Deployment | |
    | |Release | |
    |------+-----------------+-----------------------------------------------+
    | |Short lived Early| | | |
    |12.2YP|Deployment |**12.2(11)YP1| | |
    | |Release | | | |
    |------+-----------------+-----------------------------------------------+
    |12.2YK| |Migrate to 12.2(13)ZC |
    |------+-----------------+-----------------------------------------------+
    |12.2YL|Short lived Early|Migrate to 12.2(13)ZH |
    |12.2YM|Deployment | |
    |12.2YU|Releases | |
    |12.2YV| | |
    |------+-----------------+-----------------------------------------------+
    |12.2YQ|Short lived Early|Migrate to 12.2(15)ZL |
    |12.2YR|Deployment | |
    | |Releases | |
    |------+-----------------+-----------------------------------------------+
    |12.2YS|Short lived Early|12.2(15)YS/ | | |
    | |Deployment |1.2(1) | | |
    | |Release | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2YW|Short lived Early|12.2(8)YW2 | | |
    | |Deployment | | | |
    | |Releases | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2YX|Short lived Early|12.2(11)YX1 | | |
    | |Deployment | | | |
    | |Release | | | |
    | |Crypto for 7100/ | | | |
    | |7200 | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2YY|Short lived Early|12.2(8)YY3 | | |
    | |Deployment | | | |
    | |Releases | | | |
    | |IOS support for | | | |
    | |General Packet | | | |
    | |Radio Service | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2YZ|Short lived Early|12.2(11)YZ2 | | |
    | |Deployment | | | |
    | |Release | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2ZA|Short lived Early| | |12.2(14)ZA2 |
    | |Deployment | | | |
    | |Release | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2ZB|Short lived Early|12.2(8)ZB7 | | |
    | |Deployment | | | |
    | |Release | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2ZC|Short lived Early| | |12.2(13)ZC |
    | |Deployment | | | |
    | |Release | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2ZD|Short lived Early|Not Scheduled| | |
    | |Deployment | | | |
    | |Release | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2ZE|Short lived Early|12.3(1a) | | |
    | |Deployment | | | |
    | |Release | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2ZF|Short lived Early|Not | | |
    | |Deployment |Vulnerable | | |
    | |Release | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2ZG|Short lived Early|Not | | |
    | |Deployment |Vulnerable | | |
    | |Release | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2ZH|Short lived Early|Not | | |
    | |Deployment |Vulnerable | | |
    | |Release | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2ZJ|Short lived Early|12.2(15)ZJ1 | | |
    | |Deployment | | | |
    | |Release | | | |
    |------+-----------------+-------------+-------+-------------------------+
    |12.2ZL|Short lived Early|Not | | |
    | |Deployment |Vulnerable | | |
    | |Release | | | |
    |------------------------+-----------------------------------------------+
    |12.3 based releases |NOT VULNERABLE |
    |------------------------------------------------------------------------+
    |Notes: **Marked versions of code are not available on CCO. Please |
    |contact TAC and request the specific images you need posted. |
    +------------------------------------------------------------------------+

    Notes:

    ** Marked versions of code are not available on CCO. Please contact the
    Cisco TAC and request the specific images you need posted.

    Obtaining Fixed Software
    ========================

    Customers with contracts should obtain upgraded software free of charge
    through their regular update channels. For most customers, this means that
    upgrades should be obtained through the Software Center on the Cisco
    worldwide website at
    http://www.cisco.com/tacpage/sw-center/sw-ios.html.

    Customers whose Cisco products are provided or maintained through prior or
    existing agreement with third-party support organizations such as Cisco
    Partners, authorized resellers, or service providers should contact that
    support organization for assistance with obtaining the free software
    upgrade(s).

    Customers who purchase direct from Cisco but who do not hold a Cisco
    service contract and customers who purchase through third-party vendors but
    are unsuccessful at obtaining fixed software through their point of sale
    should get their upgrades by contacting the Cisco Technical Assistance
    Center (TAC). TAC contacts are as follows.

      * +1 800 553 2447 (toll free from within North America)

      * +1 408 526 7209 (toll call from anywhere in the world)

      * e-mail: tac_at_cisco.com

    Please have your product serial number available and give the URL of this
    notice as evidence of your entitlement to a free upgrade. Free upgrades for
    non-contract customers must be requested through the TAC.

    Please do not contact either "psirt_at_cisco.com" or
    "security-alert_at_cisco.com" for software upgrades.

    See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
    additional TAC contact information, including special localized telephone
    numbers, instructions, and e-mail addresses for use in various languages.

    Workarounds
    ===========

    AFTER APPLYING THE WORKAROUND the input queue depth may be raised with the
    hold-queue <new value> in interface command -- the default size is 75. This
    will allow traffic flow on the interface until the device can be reloaded.

    Cisco recommends that all IOS devices which process IPv4 packets be
    configured to block traffic directed to the router from any unauthorized
    source with the use of Access Control Lists (ACLs). This can be done at
    multiple locations, and it is recommended that you review all methods and
    use the combination which fits your network best. Legitimate traffic is
    defined as management protocols such as telnet, snmp or ssh, and configured
    routing protocols from explicitly allowed peers. All other traffic destined
    to the device should be blocked at the input interface. Traffic entering
    the network should also be carefully evaluated and filtered at the network
    edge if destined to an infrastructure device. Although network service
    providers must often allow unknown traffic to transit their network, it is
    not necessary to allow that same traffic destined to their network
    infrastructure. Several white papers have been written to assist in
    deploying these recommended security best practices.

    ACLs can have performance impact on certain platforms, so care should be
    taken when applying the recommended workarounds.

    Receive ACLs

    For distributed platforms, receive path access lists may be an option
    starting in Cisco IOS software versions 12.0(21)S2 for the c12000 and 12.0
    (24)S for the c7500. The receive access lists protect the device from
    harmful traffic before the traffic can impact the route processor. The CPU
    load is distributed to the line card processors and helps mitigate load on
    the main route processor. The white paper entitled "GSR: Receive Access
    Control Lists" will help you identify and allow legitimate traffic to your
    device and deny all unwanted packets:

    http://www.cisco.com/warp/customer/707/racl.html

    Infrastructure ACLs

    Although it is often difficult to block traffic transiting your network, it
    is possible to identify traffic which should never be allowed to target
    your infrastructure devices and block that traffic at the border of your
    network. The white paper entitled "GSR: Receive Access Control Lists"
    presents guidelines and recommended deployment techniques for
    infrastructure protection ACLs:

    http://www.cisco.com/warp/customer/707/iacl.html

    Transit ACLs

    The two techniques described above protect infrastructure devices. This IP
    protocol ACL can also be used to filter transit traffic passing through a
    network. The ACL will need to permit all protocols used by end users, not
    just those destined to routers. Since end users can often run a wide array
    of protocols, often unexpected or uncommon protocols, these protocol
    requirements must be well understood prior to deploying this ACL. This
    access-list is applied inbound on edge facing interfaces. For complete
    protection this access-list needs to be implemented on the edge router.

    For basic TCP/UCP and ICMP, the following ACL will provide protection:

        access-list 101 permit tcp any any
        access-list 101 permit udp any any
        access-list 101 permit icmp any any
        access-list 101 permit gre any any /* GRE tunnel if required */
        access-list 101 permit esp any any /* IPSec ESP if required */
        access-list 101 permit ah any any /* IPSec AH if required */
        access-list 101 deny ip any any

    The last statement of the Transit ACL should be a deny any any for IP
    traffic. Prior to deploying ACLs that filter transit traffic, a
    classification ACL can be used to help identify required permit statements.
    A classification ACL is an ACL that permits a series of protocols.
    Displaying access-list entry hit counters helps determine required
    protocols: entries with zero packets counted are likely not required.
    Classification access-lists are detailed in the above link for
    infrastructure access-lists.

    Exploitation and Public Announcements
    =====================================

    The Cisco PSIRT is not aware of any public announcements or malicious use
    of the vulnerabilities described in this advisory. If PSIRT becomes aware
    of any sign of public announcement of the crafted packet, or there is any
    sign of exploitation of this vulnerability, a follow-up announcement will
    be sent to our standard distribution list immediately with further details
    to assist network administrators in mitigation.

    Status of This Notice: INTERIM
    ======================

    This is an INTERIM notice. Although Cisco cannot guarantee the accuracy of
    all statements in this notice, all of the facts have been checked to the
    best of our ability. Cisco does not anticipate issuing updated versions of
    this advisory unless there is some material change in the facts. Should
    there be a significant change in the facts, Cisco will update this
    advisory.

    Distribution
    ============

    This notice will be posted on the Cisco worldwide website at
    http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml at
    21:00 GMT on July 17th, 2003. In addition to worldwide web posting, a text
    version of this notice is clear-signed with the Cisco PSIRT PGP key and will
    be posted to the following e-mail and Usenet news recipients at the public
    release date and time:

      * cust-security-announce_at_cisco.com
      * bugtraq_at_securityfocus.com
      * full-disclosure_at_lists.netsys.com
      * first-teams_at_first.org (includes CERT/CC)
      * cisco_at_spot.colorado.edu
      * cisco-nsp_at_puck.nether.net
      * nanog_at_merit.edu
      * sanog_at_sanog.org
      * comp.dcom.sys.cisco
      * Various internal Cisco mailing lists

    Future updates of this advisory, if any, will be placed on the Cisco
    worldwide web server. Users concerned about this problem are encouraged to
    check the URL given above for any updates.

    Revision History
    ================

    +-------------------------------------------+
    | Revision | 17-July-2003 | Initial public |
    | 1.0 | 0:00 GMT | release |
    +-------------------------------------------+

    Cisco Security Procedures
    =========================

    Complete information on reporting security vulnerabilities in Cisco
    products, obtaining assistance with security incidents, and registering to
    receive security information from Cisco, is available on the Cisco
    worldwide website at
    http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
    includes instructions for press inquiries regarding Cisco security notices.

    All Cisco Security Advisories are available at
    http://www.cisco.com/go/psirt.

    - --------------------------------------------------------------------------

    This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be
    redistributed freely after the release date given at the top of the text,
    provided that redistributed copies are complete and unmodified, and include
    all date and version information.

    - --------------------------------------------------------------------------

    All contents are Copyright © 1992-2003 Cisco Systems, Inc. All rights
    reserved. Important Notices and Privacy Statement.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.2

    iQA/AwUBPxX07XsxqM8ytrWQEQLNNACdFbhmEm+cLSRpo3eV/V1SYpVMgnkAoJ0P
    JhLCtJ5dixpqZDwJZ0nw10o9
    =TgEi
    -----END PGP SIGNATURE-----

    ------------------------ Yahoo! Groups Sponsor ---------------------~-->
    Free shipping on all inkjet cartridge & refill kit orders to US & Canada. Low prices up to 80% off. We have your brand: HP, Epson, Lexmark & more.
    http://www.c1tracking.com/l.asp?cid=5510
    http://us.click.yahoo.com/GHXcIA/n.WGAA/ySSFAA/26EolB/TM
    ---------------------------------------------------------------------~->

    Bu listenin Cisco Systems ile dogrudan herhangi bir baglantisi bulunmamaktadir.

    Listeden cikmak için cisco-ttl-unsubscribe_at_yahoogroups.com adresine bir e-posta gönderebilirsiniz.

    Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/



    This archive was generated by hypermail 2.1.5 : Thu Jul 17 2003 - 07:47:51 GMT