
Cisco IOS Interface Blocked by IPv4 Packet (CIAC N-118)

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                   Cisco IOS Interface Blocked by IPv4 Packet
                           [Cisco Document ID: 44020]

July 17, 2003 14:00 GMT                                           Number N-118
[Revised 18 July 2003]
______________________________________________________________________________
PROBLEM:       Cisco routers and switches running Cisco IOS software and
               configured to process Internet Protocol version 4 (IPv4) packets
               have a vulnerability that allows an intruder to shut down 
               the interface of a Cisco router or switch.
PLATFORM:      - All Cisco devices running Cisco IOS software and configured
                 to process IPv4. 
               - Devices running IPv6 are not affected.
DAMAGE:        A sequence of carefully crafted IPv4 packets sent to a Cisco 
               router will cause the IOS to think the interface buffer is full 
               and to stop processing packets on that interface. Routing 
               protocols will eventually stop processing packets due to 
               timeouts on drop dead timers.
SOLUTION:      Apply workarounds described by Cisco, or upgrade devices to
               fixed versions.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. The router or switch must be rebooted to clear 
ASSESSMENT:    the interface.  If the sequence of packets is sent to all 
               interfaces, a router or switch will be made remotely 
               inaccessible and must be restarted by hand.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-118.shtml
 ORIGINAL BULLETIN:  http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
 ADDITIONAL          
 INFORMATION:        http://www.cert.org/advisories/CA-2003-15.html
______________________________________________________________________________
REVISION HISTORY:
7/18/03 - Cisco has updated their Advisory to Rev. 1.4.  CIAC recommends 
          visiting Cisco's web site for the most current information. 
          See the Original Bulletin link above.


NOTE:  The following has been updated to Revision 1.4.
[***** Start Cisco Document ID: 44020 *****]
 
Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
Document ID: 44020
Revision 1.2
Last Updated 2003 July 17 at 10:30 (GMT)
For Public Release 2003 July 17 at 6:10 UTC (GMT)

______________________________________________________________________________

Contents
========

  Summary 
  Affected Products 
  Details 
  Impact 
  Software Versions and Fixes 
  Obtaining Fixed Software 
  Workarounds 
  Exploitation and Public Announcements 
  Status of This Notice: INTERIM 
  Distribution 
  Revision History 
  Cisco Security Procedures 
______________________________________________________________________________

Summary 
=======

Cisco routers and switches running Cisco IOS® software and configured to process 
Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service 
(DoS) attack. A rare sequence of crafted IPv4 packets sent directly to the 
device may cause the input interface to stop processing traffic once the input 
queue is full. No authentication is required to process the inbound packet. 
Processing of IPv4 packets is enabled by default. Devices running only IP 
version 6 (IPv6) are not affected. A workaround is available.

Cisco has made software available, free of charge, to correct the problem.

This advisory is available at 
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml. 

Affected Products 
=================

This issue affects all Cisco devices running Cisco IOS software and configured 
to process Internet Protocol version 4 (IPv4) packets. Cisco devices which do 
not run Cisco IOS software are not affected. Devices which run only Internet 
Protocol version 6 (IPv6) are not affected.

Details 
=======

Cisco routers are configured to process and accept Internet Protocol version 4 
(IPv4) packets by default. A rare, specially crafted sequence of IPv4 packets 
which is handled by the processor on a Cisco IOS device may force the device to 
incorrectly flag the input queue on an interface as full, which will cause the 
router to stop processing inbound traffic on that interface. This can cause 
routing protocols to drop due to dead timers. 

On Ethernet interfaces, Address Resolution Protocol (ARP) times out after a 
default time of four hours, and no traffic can be processed. The device must be 
rebooted to clear the input queue on the interface, and will not reload without 
user intervention. The attack may be repeated on all interfaces causing the 
router to be remotely inaccessible. A workaround is available, and is documented 
in the Workarounds section. 

The following two Cisco vulnerabilities are documented in DDTS. CSCea02355 
(registered customers only) affects all Cisco routers running Cisco IOS software. 
CSCdz71127 (registered customers only) was introduced by an earlier code 
revision. Any version of software which has the fix for CSCdx02283 (registered 
customers only) is vulnerable.

Registered customers can find more details using the Bug Toolkit at 
http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl (registered 
customers only).

To identify a blocked input interface, use the show interfaces command and look 
for the Input Queue line. If the current size (in this case, 76) is larger than 
the maximum size (75), the input queue is blocked. 

  Router#show interface ethernet 0/0
  Ethernet0/0 is up, line protocol is up  
    Hardware is AmdP2, address is 0050.500e.f1e0 (bia 0050.500e.f1e0)   
    Internet address is 172.16.1.9/24
    MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
    Encapsulation ARPA, loopback not set, keepalive set (10 sec)
    ARP type: ARPA, ARP Timeout 04:00:00  
    Last input 00:00:41, output 00:00:07, output hang never
    Last clearing of "show interface" counters 00:07:18
    Input queue: 76/75/1091/0 (size/max/drops/flushes); Total output drops: 0
                 ^^^^^^^^^^^^^^   ---> blocked
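
The size-versus-max check above is easy to automate over saved "show interfaces" 
output. The following Python script is an added example and is not part of this 
advisory or of any Cisco tooling; the sample output is constructed, and the 
interface-header regex assumes the "is up / is down / is administratively down" 
line format shown in the advisory.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of "show interfaces" output (not captured from a real
# device). Ethernet0/0 reproduces the blocked-queue line from the advisory,
# Ethernet0/1 is healthy, and Serial1/0 is merely full (size == max), which
# the advisory's criterion does not count as blocked.
SAMPLE_OUTPUT = """\
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0050.500e.f1e0 (bia 0050.500e.f1e0)
  Internet address is 172.16.1.9/24
  Input queue: 76/75/1091/0 (size/max/drops/flushes); Total output drops: 0
Ethernet0/1 is up, line protocol is up
  Hardware is AmdP2, address is 0050.500e.f1e1 (bia 0050.500e.f1e1)
  Internet address is 172.16.2.9/24
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Serial1/0 is up, line protocol is up
  Input queue: 75/75/12/0 (size/max/drops/flushes); Total output drops: 0
"""

# Interface header lines start in column 0: "<name> is up|down|administratively down"
INTERFACE_RE = re.compile(r"^(\S+) is (?:administratively )?(?:up|down)")
# Counter line documented in the advisory: size/max/drops/flushes
QUEUE_RE = re.compile(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+)")


class InputQueue(NamedTuple):
    size: int
    maximum: int
    drops: int
    flushes: int


def parse_input_queues(output: str) -> Dict[str, InputQueue]:
    """Map each interface name in show interfaces output to its input queue counters."""
    queues: Dict[str, InputQueue] = {}
    current = None
    for line in output.splitlines():
        header = INTERFACE_RE.match(line)
        if header:
            current = header.group(1)
            continue
        counters = QUEUE_RE.search(line)
        if counters and current:
            queues[current] = InputQueue(*(int(v) for v in counters.groups()))
    return queues


def blocked_interfaces(output: str) -> List[str]:
    """Interfaces whose input queue size exceeds its maximum, per the advisory's check.

    A queue at exactly size == max is congestion, not the blocked condition
    described here, so it is deliberately not reported.
    """
    return [name for name, q in parse_input_queues(output).items()
            if q.size > q.maximum]


if __name__ == "__main__":
    for name, q in parse_input_queues(SAMPLE_OUTPUT).items():
        state = "BLOCKED" if q.size > q.maximum else "ok"
        print(f"{name:<12} {q.size}/{q.maximum}/{q.drops}/{q.flushes}  {state}")
```

Because the advisory notes that no alarm is raised and the device does not reload, 
polling this output periodically is the practical way to notice a blocked interface 
before routing protocol and ARP timers expire.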

Impact 
======

A device receiving these specifically crafted IPv4 packets will force the 
inbound interface to stop processing traffic. The device may stop processing 
packets destined to the router, including routing protocol packets and ARP 
packets. No alarms will be triggered, nor will the router reload to correct 
itself. This issue can affect all Cisco devices running Cisco IOS software. This 
vulnerability may be exercised repeatedly resulting in loss of availability 
until a workaround has been applied or the device has been upgraded to a fixed 
version of code. 

Software Versions and Fixes 
===========================

Each row of the table describes a release train and the platforms or products 
for which it is intended. If a given release train is vulnerable, then the 
earliest possible releases that contain the fix and the anticipated date of 
availability for each are listed in the Rebuild, Interim, and Maintenance 
columns. In some cases, no rebuild of a particular release is planned; this is 
marked with the label "Not scheduled." A device running any release in the given 
train that is earlier than the release in a specific column (less than the 
earliest fixed release) is known to be vulnerable, and it should be upgraded at 
least to the indicated release or a later version (greater than the earliest 
fixed release label). 

When selecting a release, keep in mind the following definitions: 

  Maintenance 
    Most heavily tested and highly recommended release of any label in a given 
    row of the table. 
  Rebuild 
    Constructed from the previous maintenance or major release in the same train, 
    it contains the fix for a specific vulnerability. Although it receives less 
    testing, it contains only the minimal changes necessary to effect the repair. 
    Cisco has made available several rebuilds of mainline trains to address this 
    vulnerability, but strongly recommends running only the latest maintenance 
    release on mainline trains. 
  Interim 
    Built at regular intervals between maintenance releases and receives less 
    testing. Interims should be selected only if there is no other suitable 
    release that addresses the vulnerability, and interim images should be 
    upgraded to the next available maintenance release as soon as possible. 
    Interim releases are not available through manufacturing, and usually they 
    are not available for customer download from CCO without prior arrangement 
    with the Cisco Technical Assistance Center (TAC).

In all cases, customers should exercise caution to be certain the devices to be 
upgraded contain sufficient memory and that current hardware and software 
configurations will continue to be supported properly by the new release. If the 
information is not clear, contact the Cisco TAC for assistance, as shown in the 
section following this table. 

 ===============================================================================
 |     Train     | Description of Image |    Availability of Fixed Releases    |
 |               |     or Platform      |                                      |
 ===============================================================================
 | 11.x-based Releases                  |    Rebuild    | Interim | Maintenance|
 |---------------*----------------------|---------------|---------|------------|
 | 11.1CA        |                      | 11.1(36)CA4** |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 11.2          |                      | 11.2(26e)**   |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 11.2P         |                      | 11.2(26)P5**  |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 11.3          |                      | Not scheduled |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 11.3T         |                      | Not scheduled |         |            |
 |---------------*----------------------|---------------|---------|------------|
 | 12.0-based Releases                  |    Rebuild    | Interim | Maintenance|
 |---------------*----------------------|---------------|---------|------------|
 | 12.0          | General Deployment   |               |         | 12.0(26)   |
 |               | release for all      |               |         |            |
 |               | platforms            |               |         |            |
 |---------------|----------------------|---------------*---------*------------|
 | 12.0DA        | xDSL support: 6100,  | Migrate to 12.2DA; 12.2(10)DA2 -     |
 |               | 6200                 | Aug-15-2003, 12.2(12)DA3-Aug-22-2003:|
 |               |                      | Engineering Specials available on    |
 |               |                      | request.                             |
 |---------------|----------------------|--------------------------------------|
 | 12.0DB        | Early Deployment     | Migrate to 12.3(1a)                  |
 |               | 6400 UAC for NSP     |                                      |
 |---------------|----------------------|--------------------------------------|
 | 12.0DC        | Early Deployment 6400| Migrate to 12.3(1a)                  |
 |               | UAC for NRP          |                                      |
 |---------------|----------------------|---------------*---------*------------|
 | 12.0S         | Core/ISP support:    | 12.0(24)S2    |         |  12.0(25)S |
 |               | GSR, RSP, c7200, c10k| 12.0(23)S3    |         |            |
 |               |                      | 12.0(22)S5    |         |            |
 |               |                      | 12.0(21)S7    |         |            |
 |               |                      | 12.0(19)S4    |         |            |
 |               |                      | 12.0(18)S7    |         |            |
 |               |                      | 12.0(17)S7    |         |            |
 |               |                      | 12.0(16)S10   |         |            |
 |               |                      | 12.0(15)S7    |         |            |
 |               |                      | 12.0(14)S8    |         |            |
 |               |                      | 12.0(13)S8    |         |            |
 |               |                      | 12.0(12)S4    |         |            |
 |               |                      | 12.0(10)S8    |         |            |
 |---------------|----------------------|---------------*---------*------------|
 | 12.0SC        | Cable/broadband ISP: | Migrate to 12.1(19)EC                |
 |               | uBR7200              |                                      |
 |---------------|----------------------|--------------------------------------|
 | 12.0SL        | 10000ESR: c10k       | Migrate to 12.0(23)S3, **12.0(17)SL9 |
 |               |                      |  - Jul-15-2003                       |
 |---------------|----------------------|--------------------------------------|
 | 12.0SP        | Early Deployment     | Migrate to 12.0(22)S5                |
 |---------------|----------------------|---------------*---------*------------|
 | 12.0ST        | Early Deployment     | 12.0(21)ST7,  |         |            |
 |               | release for Core/ISP | 12.0(20)ST6,  |         |            |
 |               | support: GSR, RSP,   | 12.0(19)ST6,  |         |            |
 |               | c7200                | 12.0(17)ST8   |         |            |
 |---------------|----------------------|---------------*---------*------------|
 | 12.0SX        | Early Deployment     | Migrate to 12.0(22)S5                |
 |---------------|----------------------|--------------------------------------|
 | 12.0SY        | Early Deployment     | Migrate to 12.0(23)S3                |
 |---------------|----------------------|--------------------------------------|
 | 12.0SZ        | Early Deployment     | Migrate to 12.0(23)S3                |
 |---------------|----------------------|---------------*---------*------------|
 | 12.0T         | Early Deployment     | 12.0(7)T3**   |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.0W5        | Cat8510c, cat8510m,  |               |         | 12.0(26)W5 |
 |               | cat8540c, cat8540m,  |               |         | (28)       |
 |               | ls1010               |               |         |            |
 |               |----------------------|---------------|---------|------------|
 |               | c5atm                |12.0(26)W5(28a)|         |            |   
 |               |----------------------|---------------|---------|------------|
 |               | Cat4232 and          | 12.0(25)W5(27)|         |            |
 |               |  Cat2948G-L3         |               |         |            |
 |               |----------------------|---------------|---------|------------|
 |               | C6MSM                | Engineering   |         |            |
 |               |                      | Special       |         |            |
 |               |                      | available on  |         |            |
 |               |                      | request       |         |            |   
 |               |----------------------|---------------|---------|------------|
 |               | C5rsfc, C5rsm,C3620, |               |         | 12.1(20)   |
 |               | C3640, C4500, C7200, |               |         |            |
 |               | RSP                  |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.0WC        | Early deployment     | 12.0(05)WC8   |         |            |
 |               | 2900XL-LRE,          |               |         |            |
 |               | 2900XL/3500XL;       |               |         |            |
 |               | 2950 release         |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.0WT        | Early deployment     | Engineering   |         |            |
 |               | Catalyst switches:   | Special       |         |            |
 |               | cat4840g             | Available upon|         |            |
 |               |                      | request       |         |            |
 |---------------|----------------------|---------------*---------*------------|
 | 12.0X(l)      | Short-lived          | All 12.0X(any letter) releases have  |
 |               | Early Deployment     | migrated to either 12.0T or 12.1     |
 |               | Releases             | unless otherwise documented in the X |
 |               |                      | release technical notes pertaining to|
 |               |                      | the specific release. Please check   |
 |               |                      | migration paths for all 12.0X        |
 |               |                      | releases.                            |
 |--------------------------------------|---------------*---------*------------|
 | 12.1-based Releases                  |    Rebuild    | Interim | Maintenance|
 |--------------------------------------|---------------|---------|------------|
 | 12.1          | General Deployment   |               | 12.1    | 12.1(19)   |
 |               | release for all      |               | (18.4)  |            |
 |               | platforms            |               |         |            |
 |---------------|----------------------|---------------*---------*------------|
 | 12.1AA        |                      | Migrate to 12.2                      |
 |---------------|----------------------|---------------*---------*------------|
 | 12.1AX        | Catalyst 3750        | 12.1(14)EA1 - |         |            |
 |               |                      | Engineering   |         |            |
 |               |                      | special       |         |            |
 |               |                      | available     |         |            |
 |               |                      | upon request  |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.1AY        | Catalyst 2940        |               |         | 12.1(13)AY |
 |---------------|----------------------|---------------*---------*------------|
 | 12.1DA        | 6160 platform        | Migrate to 12.2DA                    |
 |---------------|----------------------|--------------------------------------|
 | 12.1DB        | 6400 UAC             | Migrate to 12.3(1a)                  |
 |---------------|----------------------|--------------------------------------|
 | 12.1DC        | 6400 UAC             | Migrate to 12.3(1a)                  |
 |---------------|----------------------|---------------*---------*------------|
 | 12.1E         | Core Enterprise      | 12.1(8b)E14   |         | 12.1(19)E  |
 |               | support - c7200,     | 12.1(13)E7    |         |            |
 |               | Catalyst 6000, RSP   | 12.1(14)E4    |         |            |
 |               |                      | **12.1(12c)E7 |         |            |
 |               |                      | 12.1(11b)E12- |         |            |
 |               |                      |  Aug-4-2003   |         |            |
 |               |                      | 12.1(6)E12    |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.1EA        | 12.1(4)EA            | Migrate to    |         |            |
 |               | 12.1(6)EA            | 12.1(13)EA1c  |         |            |
 |               | 12.1(8)EA            |               |         |            |
 |               | 12.1(9)EA            |               |         |            |
 |               | 12.1(11)EA           |               |         |            |
 |               | 12.1(12c)EA          |               |         |            |
 |               | 12.1(13)EA           |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.1EB        | LS1010               |               |         | 12.1(14)EB |
 |---------------|----------------------|---------------|---------|------------|
 | 12.1EC        | Early Deployment     |               |         | 12.1(19)EC |
 |               |                      |               |         | (scheduled |
 |               |                      |               |         | last week  |
 |               |                      |               |         | of July)   |
 |---------------|----------------------|---------------|---------|------------|
 | 12.1EV        | Early Deployment     |               |         | 12.1(12c)  |
 |               |                      |               |         |   EV01     |
 |---------------|----------------------|---------------|---------|------------|
 | 12.1EW        | Early Deployment     |               |         | 12.1(13)EW |
 |               | Cat4000 L3           |               |         | 12.1(19)EW |
 |---------------|----------------------|---------------|---------|------------|
 | 12.1EX        | Early Deployment     | 12.1(13)EX2   |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.1EY        |                      | 12.1(14)E4    |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.1YJ        |                      | 12.1(14)EA1 - |         |            |
 |               |                      | Jul-28-2003   |         |            |  
 |---------------|----------------------|---------------|---------|------------|
 | 12.1T         | Early Deployment     | 12.1(5)T15**  |         |            |
 |---------------|----------------------*---------------*---------*------------|
 | 12.1X(l)      | 12.1X releases generally migrate to 12.1T, 12.2 or 12.2T as |
 |               | specified below. Please refer to specific train Technical   |
 |               | notes for documented migration path.                        |
 |---------------|----------------------*--------------------------------------|
 | 12.1XA        | Short-lived Early    | Migrate to 12.1(5)T15                |
 |               | Deployment Release   |                                      |
 |---------------|----------------------|--------------------------------------|
 | 12.1XC        | Short-lived Early    | Migrate to 12.2(17)                  |
 | 12.1XD        | Deployment Releases  |                                      |
 | 12.1XH        |                      |                                      |
 | 12.1XI        |                      |                                      |
 |---------------|----------------------|--------------------------------------|
 | 12.1XB        | Short-lived Early    | Migrate to 12.2(15)T5                |
 | 12.1XF        | Deployment Releases  |                                      |
 | 12.1XG        |                      |                                      |
 | 12.1XJ        |                      |                                      |
 | 12.1XL        |                      |                                      |
 | 12.1XP        |                      |                                      |
 | 12.1XR        |                      |                                      |
 | 12.1XT        |                      |                                      |
 | 12.1YB        |                      |                                      |
 | 12.1YC        |                      |                                      |
 | 12.1YD        |                      |                                      |
 | 12.1YH        |                      |                                      |
 |---------------|----------------------|--------------------------------------|
 | 12.1XM        | Short-lived Early    | Migrate to 12.2(2)XB11               |
 | 12.1XQ        | Deployment Releases  |                                      |
 | 12.1XV        |                      |                                      |
 |---------------|----------------------|--------------------------------------|
 | 12.1XU        | Short-lived Early    | Migrate to 12.2(4)T6                 |
 |               | Deployment Release   |                                      |
 |---------------|----------------------|--------------------------------------|
 | 12.1YE        | Short-lived Early    | Migrate to 12.2(2)YC                 |
 | 12.1YF        | Deployment Releases  |                                      |
 | 12.1YI        |                      |                                      |
 |---------------*----------------------|---------------*---------*------------|
 | 12.2-based Releases                  |    Rebuild    | Interim | Maintenance|
 |---------------*----------------------|---------------|---------|------------|
 | 12.2          | General Deployment   | 12.2(16a),    |         | 12.2(17)   |
 |               | (GD) candidate for   | 12.2(12e),    |         |            |
 |               | all platforms        | 12.2(10d)     |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2B         | 12.2(2)B-12.2(4)B7   | 12.3(1a)      |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2B         | 12.2(4)B8-12.2(16)B  | 12.2(16)B1    |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2BC        | Early Deployment     | 12.2(15)BC1   |         |            |
 |               | Release              | (Scheduled    |         |            |
 |               |                      | end of July)  |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2BW        | Early Deployment     | Migrate to    |         |            |
 |               | for use with 7200,   | 12.3(1a)      |         |            |
 |               | 7400, and 7411       |               |         |            |
 |               | platforms            |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2BX        | Broadband/Leased line|               |         | 12.2(16)BX |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2BZ        | Early Deployment     | 12.2(16)BX    |         |            |
 |               | Release              |               |         |            |
 |---------------|----------------------|---------------*---------*------------|
 | 12.2CX        | Early Deployment     | Migrate to 12.1(15)BC1               |
 |               | Release              |                                      |
 |---------------|----------------------|--------------------------------------|
 | 12.2CY        | Early Deployment     | Migrate to 12.1(15)BC1               |
 |               | Release              |                                      |
 |---------------|----------------------|---------------*---------*------------|
 | 12.2DA        | Early Deployment     | 12.2(10)DA2 - |         |            |
 |               | Release              | Jul-15-2003,  |         |            |
 |               |                      | 12.2(12)DA3 - |         |            |
 |               |                      | Aug-22-2003   |         |            |
 |               |                      | Engineering   |         |            |
 |               |                      | Special       |         |            |
 |               |                      | available on  |         |            |
 |               |                      | request       |         |            |
 |---------------|----------------------|---------------*---------*------------|
 | 12.2DD        | Early Deployment     | Migrate to 12.3(1a)                  |
 |               | Release              |                                      |
 |---------------|----------------------|--------------------------------------|
 | 12.2DX        | Early Deployment     | Migrate to 12.3(1a)                  |
 |               | Release              |                                      |
 |---------------|----------------------|---------------*---------*------------|
 | 12.2JA        | Cisco Aironet        |               |         | 12.2(11)JA |
 |               | hardware platforms:  |               |         |            |
 |               | Introduction of      |               |         |            |
 |               | Access Point feature |               |         |            |
 |               | in IOS, Cisco 1100   |               |         |            |
 |               | Series Access Point  |               |         |            |
 |               | (802.11b)            |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2MB        | Specific Technology  | 12.2(4)MB12   |         |            |
 |               | ED for 2600 7500     |               |         |            |
 |               | (GPRS/PDSN/GGSN      |               |         |            |
 |               | 2600/7200/7500)      |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2MC        | Early Deployment: IP | 12.2(13)MC1   |         |            |
 |               | RAN                  | CCO: 7/24/03  |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2MX        |                      | 12.2(8)YD     |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2S         | Core/ISP support:    | 12.2(14)S1    | 12.2    |            |
 |               | GSR, RSP, c7200      |               | (16.5)S |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2SX        | IOS Support for      | 12.2(14)SX1   |         |            |
 |               | C6500 Supervisor 3   |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2SY        | VPN feature release  | 12.2(14)SY1,  |         |            |
 |               | for c6k/76xx VPN     | 12.2(8)YD     |         |            |
 |               | service module       |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2SZ        | 7304 Platform        | 12.2(14)SZ2   |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2T         | New Technology Early | 12.2(15)T4/5, | 12.2    | No more    |
 |               | Deployment (ED)      | 12.2(13)T5,   | (16.5)T | maintenance|
 |               | release for all      | 12.2(11)T9,   |         | trains for |
 |               | platforms            | 12.2(8)T10,   |         | 12.2T are  |
 |               |                      | 12.2(4)T6     |         | planned.   |
 |               |                      |               |         | Please     |
 |               |                      |               |         | migrate    |
 |               |                      |               |         | to the     |
 |               |                      |               |         | latest     |
 |               |                      |               |         | 12.3       |
 |               |                      |               |         | Mainline   |
 |               |                      |               |         | release.   |
 |---------------|----------------------|---------------*---------*------------|
 | 12.2X(l)      | Short-lived Early    | Many short-lived releases migrate to |
 | 12.2Y(l)      | Deployment Releases  | the same train; the trains below this|
 |               |                      | point until the following section are|
 |               |                      | not grouped by strict alphabetical   |
 |               |                      | order, but are grouped by migration  |
 |               |                      | path. Please review documented       |
 |               |                      | migration paths for your trains.     |
 |---------------|----------------------|--------------------------------------|
 | 12.2XA        | Short-lived Early    | Migrate to 12.2(11)T9                |
 |               | Deployment Releases  |                                      |
 |---------------|----------------------|--------------------------------------|
 | 12.2XS        |                      | 12.2(2)XB11                          |
 |---------------|----------------------|--------------------------------------|
 | 12.2XD        | Short-lived Early    | Migrate to 12.2(15)T5                |
 | 12.2XE        | Deployment Releases  |                                      |
 | 12.2XH        |                      |                                      |
 | 12.2XI        |                      |                                      |
 | 12.2XJ        |                      |                                      |
 | 12.2XK        |                      |                                      |
 | 12.2XL        |                      |                                      |
 | 12.2XM        |                      |                                      |
 | 12.2XQ        |                      |                                      |
 | 12.2XU        |                      |                                      |
 | 12.2XW        |                      |                                      |
 | 12.2YA        |                      |                                      |
 | 12.2YB        |                      |                                      |
 | 12.2YC        |                      |                                      |
 | 12.2YF        |                      |                                      |
 | 12.2YG        |                      |                                      |
 | 12.2YH        |                      |                                      |
 | 12.2YJ        |                      |                                      |
 | 12.2YT        |                      |                                      |
 |---------------|----------------------|--------------------------------------|
 | 12.2YN        | Short-lived Early    | Migrate to 12.2(13)ZH                |
 |               | Deployment Release   |                                      |
 |---------------|----------------------|--------------------------------------|
 | 12.2YO        | Short-lived Early    | Migrate to 12.2(14)SY1 available     |
 |               | Deployment Release   | Aug-4-2003: Engineering Special      |
 |               |                      | available on request                 |
 |---------------|----------------------|---------------*---------*------------|
 | 12.2XB        | Early Deployment     | 12.2(2)XB11   |         |            |
 |               | Release with         |               |         |            |
 |               | continuing support   |               |         |            |
 |---------------|----------------------|---------------*---------*------------|
 | 12.2XC        | Short-lived Early    | Migrate to 12.2(16)B1                |
 |               | Deployment Release   |                                      |
 |---------------|----------------------|--------------------------------------|
 | 12.2XF        | Short-lived Early    | Migrate to 12.2(15)BC1               |
 |               | Deployment Release   |                                      |
 |               | uBR10000             |                                      |
 |---------------|----------------------|--------------------------------------|
 | 12.2XG        | Short-lived Early    | Migrate to 12.2(8)T10                |
 |               | Deployment Release   |                                      |
 |---------------|----------------------|--------------------------------------|
 | 12.2XN        | Short-lived Early    | Migrate to 12.2(11)T9                |
 | 12.2XT        | Deployment Releases  |                                      |
 |---------------|----------------------|--------------------------------------|
 | 12.2YD        | Short-lived Early    | Migrate to 12.2(8)YY                 |
 |               | Deployment Release   |                                      |
 |---------------|----------------------|---------------*---------*------------|
 | 12.2YP        | Short-lived Early    | **12.2(11)YP1 |         |            |
 |               | Deployment Release   |               |         |            |
 |---------------|----------------------|---------------*---------*------------|
 | 12.2YK        |                      | Migrate to 12.2(13)ZC                |
 |---------------|----------------------|--------------------------------------|
 | 12.2YL        | Short-lived Early    | Migrate to 12.2(13)ZH                |
 | 12.2YM        | Deployment Releases  |                                      |
 | 12.2YU        |                      |                                      |
 | 12.2YV        |                      |                                      |
 |---------------|----------------------|--------------------------------------|
 | 12.2YQ        | Short-lived Early    | Migrate to 12.2(15)ZL                |
 | 12.2YR        | Deployment Releases  |                                      |
 |---------------|----------------------|---------------*---------*------------|
 | 12.2YS        | Short-lived Early    | 12.2(15)YS    |         |            |
 |               | Deployment Release   |  /1.2(1)      |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2YW        | Short-lived Early    | 12.2(8)YW2    |         |            |
 |               | Deployment Release   |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2YX        | Short-lived Early    | 12.2(11)YX1   |         |            |
 |               | Deployment Release   |               |         |            |
 |               | Crypto for 7100/7200 |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2YY        | Short-lived Early    | 12.2(8)YY3    |         |            |
 |               | Deployment Releases  |               |         |            |
 |               | IOS support for      |               |         |            |
 |               | General Packet Radio |               |         |            |
 |               | Service              |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2YZ        | Short-lived Early    | 12.2(11)YZ2   |         |            |
 |               | Deployment Release   |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2ZA        | Short-lived Early    |               |         | 12.2(14)ZA2|
 |               | Deployment Release   |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2ZB        | Short-lived Early    | 12.2(8)ZB7    |         |            |
 |               | Deployment Release   |               |         |            | 
 |---------------|----------------------|---------------|---------|------------|
 | 12.2ZC        | Short-lived Early    |               |         | 12.2(13)ZC |
 |               | Deployment Release   |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2ZD        | Short-lived Early    | Not Scheduled |         |            |
 |               | Deployment Release   |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2ZE        | Short-lived Early    | 12.3(1a)      |         |            |
 |               | Deployment Release   |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2ZF        | Short-lived Early    | Not Vulnerable|         |            |
 |               | Deployment Release   |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2ZG        | Short-lived Early    | Not Vulnerable|         |            |
 |               | Deployment Release   |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2ZH        | Short-lived Early    | Not Vulnerable|         |            |
 |               | Deployment Release   |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2ZJ        | Short-lived Early    | 12.2(15)ZJ1   |         |            |
 |               | Deployment Release   |               |         |            |
 |---------------|----------------------|---------------|---------|------------|
 | 12.2ZL        | Short-lived Early    | Not Vulnerable|         |            |
 |               | Deployment Release   |               |         |            |
 |---------------*----------------------|---------------*---------*------------|
 | 12.3-based Releases                  | NOT VULNERABLE                       |
 |-----------------------------------------------------------------------------|

Notes: 
======

** Marked versions of code are not available on CCO. Please contact the Cisco 
TAC and request the specific images you need posted.

Obtaining Fixed Software 
========================

Customers with contracts should obtain upgraded software free of charge through 
their regular update channels. For most customers, this means that upgrades 
should be obtained through the Software Center on the Cisco worldwide website at 
http://www.cisco.com/tacpage/sw-center/sw-ios.shtml.

Customers whose Cisco products are provided or maintained through prior or 
existing agreement with third-party support organizations such as Cisco 
Partners, authorized resellers, or service providers should contact that support 
organization for assistance with obtaining the free software upgrade(s). 

Customers who purchase direct from Cisco but who do not hold a Cisco service 
contract and customers who purchase through third-party vendors but are 
unsuccessful at obtaining fixed software through their point of sale should get 
their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC 
contacts are as follows. 

  +1 800 553 2447 (toll free from within North America) 
  +1 408 526 7209 (toll call from anywhere in the world) 
  e-mail: tac@cisco.com 

Please have your product serial number available and give the URL of this notice 
as evidence of your entitlement to a free upgrade. Free upgrades for 
non-contract customers must be requested through the TAC. 

Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for 
software upgrades. 

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional 
TAC contact information, including special localized telephone numbers, 
instructions, and e-mail addresses for use in various languages. 

Workarounds 
===========

AFTER APPLYING THE WORKAROUND, the input queue depth may be raised with the 
interface configuration command "hold-queue <new value> in"; the default depth 
is 75. Raising it allows traffic to flow on a blocked interface until the device 
can be reloaded. 
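As an added example (not part of the Cisco advisory or CIAC bulletin), the check below parses "show interfaces" output, flags any interface whose input queue has reached its hold-queue limit, the symptom of this advisory, and emits the interim "hold-queue <n> in" lines for those interfaces. The sample output and the new depth of 500 are constructed assumptions; the "Input queue: size/max/drops/flushes" line format is standard IOS.

```python
import re

# Constructed sample "show interfaces" output (not captured from a real device):
# one interface whose input queue sits above its hold-queue limit of 75 and one
# healthy interface. Only the lines the check needs are included.
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 0000.0c12.3456 (bia 0000.0c12.3456)
  Input queue: 76/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 0 bits/sec, 0 packets/sec
Serial0/0 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 12000 bits/sec, 9 packets/sec
"""

# Interface header lines start in column 0; detail lines are indented.
IFACE_RE = re.compile(r"^(?P<name>\S+) is (?P<state>.+?), line protocol is")
QUEUE_RE = re.compile(
    r"Input queue: (?P<size>\d+)/(?P<max>\d+)/(?P<drops>\d+)/(?P<flushes>\d+)"
)


def parse_input_queues(text):
    """Map interface name -> (size, max, drops, flushes) from show interfaces."""
    queues = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = QUEUE_RE.search(line)
        if m and current:
            queues[current] = tuple(
                int(m.group(k)) for k in ("size", "max", "drops", "flushes")
            )
    return queues


def blocked_interfaces(text):
    """Interfaces whose input queue is at or above its hold-queue limit.

    A queue that stays full is how this advisory's condition shows up: IOS
    believes the interface buffer is full and stops processing its packets.
    """
    return sorted(
        name
        for name, (size, limit, _drops, _flushes) in parse_input_queues(text).items()
        if size >= limit
    )


def hold_queue_commands(text, new_depth=500):
    """Interim interface config lines that raise the input hold-queue on each
    blocked interface, to be applied after the ACL workaround and until the
    device can be reloaded. new_depth is an assumed value; pick one that suits
    the platform."""
    lines = []
    for name in blocked_interfaces(text):
        lines += [f"interface {name}", f" hold-queue {new_depth} in"]
    return lines


if __name__ == "__main__":
    print("blocked:", blocked_interfaces(SAMPLE_SHOW_INTERFACES))
    print("\n".join(hold_queue_commands(SAMPLE_SHOW_INTERFACES)))
```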

Cisco recommends that all IOS devices which process IPv4 packets be configured 
to block traffic directed to the router from any unauthorized source with the 
use of Access Control Lists (ACLs). This can be done at multiple locations, and 
it is recommended that you review all methods and use the combination which fits 
your network best. Legitimate traffic is defined as management protocols such as 
telnet, snmp or ssh, and configured routing protocols from explicitly allowed 
peers. All other traffic destined to the device should be blocked at the input 
interface. Traffic entering the network should also be carefully evaluated and 
filtered at the network edge if destined to an infrastructure device. Although 
network service providers must often allow unknown traffic to transit their 
network, it is not necessary to allow that same traffic destined to their 
network infrastructure. Several white papers have been written to assist in 
deploying these recommended security best practices. 

ACLs can have performance impact on certain platforms, so care should be taken 
when applying the recommended workarounds. 

Receive ACLs 
------------

For distributed platforms, receive path access lists may be an option starting 
in Cisco IOS software versions 12.0(21)S2 for the c12000 and 12.0(24)S for the 
c7500. The receive access lists protect the device from harmful traffic before 
the traffic can impact the route processor. The CPU load is distributed to the 
line card processors and helps mitigate load on the main route processor. The 
white paper entitled "GSR: Receive Access Control Lists" will help you identify 
and allow legitimate traffic to your device and deny all unwanted packets:

http://www.cisco.com/warp/public/707/racl.html 

Infrastructure ACLs 
-------------------

Although it is often difficult to block traffic transiting your network, it is 
possible to identify traffic which should never be allowed to target your 
infrastructure devices and block that traffic at the border of your network. The 
white paper entitled "Protecting Your Core: Infrastructure Protection Access 
Control Lists" presents guidelines and recommended deployment techniques for 
infrastructure protection ACLs:

http://www.cisco.com/warp/public/707/iacl.html 

Transit ACLs 
------------

The two techniques described above protect infrastructure devices. An IP 
protocol ACL can also be used to filter transit traffic passing through a 
network. Such an ACL must permit every protocol used by end users, not just 
those destined to routers. Since end users can run a wide array of protocols, 
often unexpected or uncommon ones, these protocol requirements must be well 
understood before the ACL is deployed. The example below is not a complete list 
of permissible protocols; specific network topologies may require modification 
of this ACL. The access list is applied inbound on edge-facing interfaces; for 
complete protection it needs to be implemented on the edge router. 

For basic TCP/UDP and ICMP, the following ACL will provide protection: 
    access-list 101 permit tcp any any
    access-list 101 permit udp any any
    !--- GRE tunnel if required
    access-list 101 permit gre any any
    !--- IPSec ESP if required
    access-list 101 permit esp any any
    !--- IPSec AH if required
    access-list 101 permit ah any any
    access-list 101 permit icmp any any
    access-list 101 deny ip any any
The last statement of the Transit ACL should be a deny any any for IP traffic. 
Prior to deploying ACLs that filter transit traffic, a classification ACL can be 
used to help identify required permit statements. A classification ACL is an ACL 
that permits a series of protocols. Displaying access-list entry hit counters 
helps determine required protocols: entries with zero packets counted are likely 
not required. Classification access-lists are detailed in the above link for 
infrastructure access-lists.
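As an added example (not part of the Cisco advisory or CIAC bulletin), the script below turns the hit-counter review just described into a check: it parses "show access-lists" output for a classification ACL, lists the permit entries that carried traffic, the zero-hit entries that are candidates for removal, and the number of packets that fell through to the final deny. The sample output is constructed; the parser accepts both sequence-numbered and older unnumbered entry lines.

```python
import re

# Constructed "show access-lists" output (not from a real device): the transit
# classification ACL from the advisory after it has been applied inbound on an
# edge interface long enough to collect counters. IOS prints no "(N matches)"
# suffix on an entry that has never matched a packet.
SAMPLE_SHOW_ACCESS_LISTS = """\
Extended IP access list 101
    10 permit tcp any any (48213 matches)
    20 permit udp any any (9902 matches)
    30 permit gre any any
    40 permit esp any any (17 matches)
    50 permit ah any any
    60 permit icmp any any (315 matches)
    70 deny ip any any (44 matches)
"""

HEADER_RE = re.compile(r"^(?:Extended|Standard) IP access list (?P<name>\S+)")
# Optional leading sequence number, action, protocol, the rest of the entry,
# and an optional trailing "(N match/matches)" counter.
ENTRY_RE = re.compile(
    r"^\s+(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"(?P<rest>.*?)(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s*$"
)


def parse_show_access_lists(text):
    """Return {acl_name: [{"action", "proto", "matches"}, ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h.group("name")
            acls[current] = []
            continue
        e = ENTRY_RE.match(line)
        if e and current is not None:
            acls[current].append({
                "action": e.group("action"),
                "proto": e.group("proto"),
                "matches": int(e.group("matches") or 0),
            })
    return acls


def review_classification_acl(text, acl_name):
    """Split a classification ACL into protocols that carried traffic (keep as
    permits), zero-hit permits (candidates to drop), and the packet count that
    reached the final deny, which is traffic the transit ACL will block."""
    entries = parse_show_access_lists(text)[acl_name]
    permits = [e for e in entries if e["action"] == "permit"]
    return {
        "keep": [e["proto"] for e in permits if e["matches"] > 0],
        "candidates_to_drop": [e["proto"] for e in permits if e["matches"] == 0],
        "denied_packets": sum(e["matches"] for e in entries if e["action"] == "deny"),
    }


if __name__ == "__main__":
    for key, value in review_classification_acl(SAMPLE_SHOW_ACCESS_LISTS, "101").items():
        print(f"{key}: {value}")
```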

Exploitation and Public Announcements 
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the 
vulnerabilities described in this advisory. If PSIRT becomes aware of any sign 
of public announcement of the crafted packet, or there is any sign of 
exploitation of this vulnerability, a follow-up announcement will be sent to our 
standard distribution list immediately with further details to assist network 
administrators in mitigation. 

Status of This Notice: INTERIM 
==============================

This is an INTERIM notice. Although Cisco cannot guarantee the accuracy of all 
statements in this notice, all of the facts have been checked to the best of our 
ability. Cisco does not anticipate issuing updated versions of this advisory 
unless there is some material change in the facts. Should there be a significant 
change in the facts, Cisco will update this advisory.

Distribution 
============

This notice is posted on the Cisco worldwide website at 
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml. In 
addition to worldwide web posting, a text version of this notice is clear-signed 
with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet 
news recipients at the public release date and time: 

  cust-security-announce@cisco.com
  bugtraq@securityfocus.com 
  full-disclosure@lists.netsys.com 
  first-teams@first.org (includes CERT/CC) 
  cisco@spot.colorado.edu 
  cisco-nsp@puck.nether.net 
  nanog@merit.edu 
  sanog@sanog.org 
  comp.dcom.sys.cisco 
  Various internal Cisco mailing lists 

Future updates of this advisory, if any, will be placed on the Cisco worldwide 
web server. Users concerned about this problem are encouraged to check the URL 
given above for any updates.

Revision History 
================

      Revision 1.0   17-July-2003   0:00 GMT   Initial public release
      Revision 1.1   17-July-2003   6:10 GMT   Updated Workaround section (access
                                               lists), Updated table with
                                               information on 12.0W5
      Revision 1.2   17-July-2003  10:30 GMT   Corrected "Last Updated" time;
                                               corrected document title of
                                               Infrastructure ACL link under
                                               Workaround section

Cisco Security Procedures 
=========================

Complete information on reporting security vulnerabilities in Cisco products, 
obtaining assistance with security incidents, and registering to receive 
security information from Cisco, is available on the Cisco worldwide website at 
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes 
instructions for press inquiries regarding Cisco security notices.

All Cisco Security Advisories are available at http://www.cisco.com/go/psirt. 

This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be 
redistributed freely after the release date given at the top of the text, 
provided that redistributed copies are complete and unmodified, and include all 
date and version information. 

[***** End Cisco Document ID: 44020 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Cisco Systems, Inc. and CERT Coordination Center for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-108: Sun's XSun Program Buffer Overflow Vulnerability
N-109: Microsoft Flaw in ISAPI Extension for Windows Media Services Could Cause Code Execution
N-110: Red Hat Updated XFree86 Packages Provide Security and Bug Fixes
N-111: Red Hat Updated unzip Packages Fix Trojan Vulnerability
N-112: Red Hat Updated PHP Packages Fix Bugs
N-113: Sun Buffer Overflow in LDAP Name Service
N-114: Buffer Overrun in Microsoft HTML Converter Could Allow Code Execution
N-115: Buffer Overrun in Microsoft Windows Could Lead to Data Corruption
N-116: Flaw in Microsoft Windows Message Handling through Utility Manager Could Enable Privilege Elevation
N-117: Microsoft RPC Interface Buffer Overrun Vulnerability
