
CISCO - Concentrator IP Options
12th Apr 2001 [SBWID-2340]
COMMAND

	    Concentrator IP Options

	

	

SYSTEMS AFFECTED

	    Cisco VPN3000

	

	

PROBLEM

	    Following is based on a Cisco Security Advisory. If a crafted IP
	    packet with an invalid IP Option setting is transmitted to a VPN
	    3000 series concentrator on the same network segment (no routers
	    in between), it can cause the VPN 3000 series concentrator to hang
	    with 100% CPU utilization. The concentrator would then have to be
	    reset. After rebooting, the equipment would function normally until
	    the crafted IP packet is received again. The defect can be
	    exploited to produce a denial of service (DoS) attack.

	    The vulnerability is described in Cisco bug id CSCds92460. This
	    notice will be posted at

	        http://www.cisco.com/warp/public/707/vpn3k-ipoptions-vuln-pub.shtml

	    Cisco VPN 3000 series concentrators running software releases up
	    to but not including revision 2.5.2 (F) are affected by this
	    vulnerability. This series includes models 3005, 3015, 3030, 3060,
	    and 3080. Any VPN 3000 series concentrators running revision
	    2.5.2 (F) or later are unaffected by this vulnerability.

	    If a crafted IP packet with an invalid IP Option setting is
	    transmitted to a VPN 3000 series concentrator on the same network
	    segment (no routers in between), on either the Inside or the
	    Outside interface, it can cause the VPN 3000 series concentrator to
	    hang with 100% CPU utilization. The concentrator would then have to
	    be reset via the console port, as no SNMP or HTTP remote management
	    control would be possible. After rebooting, the equipment would
	    function normally until the crafted IP packet is received again.

	    In order to exploit this vulnerability the attacker must be on the
	    same network segment as the concentrator without any routers in
	    between. A crafted IP packet traversing a router would typically
	    get its invalid IP Options dropped and would not be able to affect
	    the VPN 3000 series concentrator.

	    When this crafted IP packet is received by the VPN 3000 series
	    concentrator, the concentrator will stop passing traffic and will
	    not respond to any management inquiries via SNMP, Telnet or HTTP.
	    However, management via the console port is possible.

	    For VPN 3000 series concentrator models 3015, 3030, 3060, and 3080
	    the CPU Utilization bar graph indicator on the front panel will go
	    to 100%.
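The advisory does not say which option setting the crafted packet carried, only that a router would normally discard a packet with invalid IP Options before it reached the concentrator. As an added example (not part of the advisory or of Cisco's code), the Python below walks the IPv4 option area the way RFC 791 requires and reports the structural faults a receiver must reject before trusting the option list; the malformed-length cases are assumed illustrations of "invalid", and all sample packets are constructed here.

```python
import struct

IPOPT_EOL = 0   # end of option list, single byte
IPOPT_NOP = 1   # no-operation, single byte

def check_ipv4_options(packet: bytes) -> list:
    """Return the RFC 791 structural violations found in the option area (empty if none)."""
    problems = []
    if len(packet) < 20:
        return ["header truncated (< 20 bytes)"]
    ihl = packet[0] & 0x0F                      # header length in 32-bit words
    if ihl < 5:
        return [f"IHL {ihl} below minimum of 5"]
    hdr_len = ihl * 4
    if len(packet) < hdr_len:
        return [f"IHL claims {hdr_len} bytes, only {len(packet)} present"]
    opts = packet[20:hdr_len]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break                               # rest of the area is padding
        if kind == IPOPT_NOP:
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0   # missing length byte counts as 0
        if length < 2:                          # a naive walker never advances from here
            problems.append(f"option {kind} at offset {i} has length {length} (< 2)")
            break
        if i + length > len(opts):
            problems.append(f"option {kind} at offset {i} length {length} overruns option area")
            break
        i += length
    return problems

def build_ipv4(options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed sample helper: minimal IPv4 header carrying the given option bytes."""
    options += b"\x00" * ((-len(options)) % 4)          # pad option area to 32-bit words
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0,
                      64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload

# Constructed samples (not from the advisory): plain header, valid Record Route, two malformed
GOOD_PLAIN = build_ipv4()
GOOD_RR = build_ipv4(bytes([7, 11, 4]) + b"\x00" * 8)   # type 7, len 11, pointer 4
BAD_ZERO_LEN = build_ipv4(bytes([7, 0, 0, 0]))          # length byte 0
BAD_OVERRUN = build_ipv4(bytes([7, 40, 0, 0]))          # claims 40 bytes in a 4-byte area
```

Run over captured frames on the segment, a non-empty result is the condition to log or drop; the same walk is what a stack must do safely before any option is acted on.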

	

	

	 Update (11 July 2002)

	 ======

	

	Master Phi adds:

	We have witnessed this phenomenon after establishing tunnels with the
	"VPN dialer" over a modem connection: when the target sends back
	ethernet frames with size close to the max ethernet MTU (1500), the
	gateway encrypts the frames adding ESP headers and stupidly tries to
	send a 1580-byte frame back to the client.

SOLUTION

	    This vulnerability does not affect the VPN 5000 series
	    concentrators. No other Cisco product is known to be affected by
	    this vulnerability. To determine if a Cisco VPN 3000 series
	    concentrator is running affected software, check the revision via
	    the web interface or the console menu.

	    The vulnerability has been fixed in revision 2.5.2 (E) code. The
	    fix will be carried forward into all future releases. However, due
	    to another advisory the recommended revision to upgrade to is
	    2.5.2 (F). The upgrade can be done via the remote software upgrade
	    feature using the VPN 3000 series concentrator's web based
	    management interface.

	    There are no system configuration workarounds. Please upgrade to
	    revision 2.5.2 (F) code.

	
