AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C
-
A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) can allow a malicious user who sends specially crafted messages to create extra multicast states on the core routers or to receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPNs).
Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080326-mvpn.
Note: The March 26, 2008 publication includes five Security Advisories. The Advisories all affect Cisco IOS. Each Advisory lists the releases that correct the vulnerability described in the Advisory, and the Advisories also detail the releases that correct the vulnerabilities in all five Advisories.
Individual publication links are listed below:
-
Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080326-pptp
-
Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080326-dlsw
-
Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080326-IPv4IPv6
-
Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor 32, Supervisor 720, or Route Switch Processor 720
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080326-queue
-
Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080326-mvpn
-
Vulnerable Products
Devices that run Cisco IOS and are configured for MVPN are affected.
An IOS device that is configured for MVPN has a line similar to the following under an ip vrf definition in its running configuration:
mdt default <group-address>
In order to determine the software that runs on a Cisco IOS product, log in to the device and issue the show version command to display the system banner. Cisco IOS® software identifies itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name displays between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco devices do not have the show version command or give different output.
The following example shows output from a device that runs an IOS image:
Router>show version
Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(14)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 31-Mar-05 08:04 by yiyan
Additional information about Cisco IOS release naming is available at the following link: http://www.cisco.com/warp/public/620/1.html.
Products Confirmed Not Vulnerable
No other Cisco products, including IOS XR software, are currently known to be affected by this vulnerability.
-
MVPN architecture introduces an additional set of protocols and procedures that help enable a service provider to support multicast traffic in an MPLS VPN. MVPN allows the transparent transport of IP multicast traffic across the MPLS VPN backbone of a provider and allows a service provider to offer multicast services to MPLS VPN customers.
A vulnerability exists in the implementation of MVPN that allows an attacker to send specially crafted Multicast Distribution Tree (MDT) Data Join messages that cause extra multicast states to be created on the core routers. MDT Data Join messages can be sent as unicast or multicast. The vulnerability can also leak multicast traffic between different MPLS VPNs: it is possible to receive multicast traffic from VPNs that are not connected to the same Provider Edge (PE) router. In order to successfully exploit this vulnerability, an attacker needs to know or guess the Border Gateway Protocol (BGP) peering IP address of a remote PE router and the address of the multicast group that is used in the other MPLS VPN.
This vulnerability is documented in Cisco Bug ID CSCsi01470 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-1156.
-
The workaround for this vulnerability consists of filtering MDT Data Join packets on the PE device.
The workarounds need to be applied on all Virtual Routing and Forwarding (VRF) interfaces of all PE routers. Otherwise, attackers can target remote PE routers and can still exploit this vulnerability.
Even if only one PE router in the network runs an unfixed version of IOS code, it is vulnerable to packets that come from systems that are connected to remote PE routers. In such a case, workarounds need to be deployed on all PE routers to successfully mitigate this vulnerability.
The mdt data <group> <mask> or mdt data <group> <mask> threshold <n> list <acl> commands do not mitigate this vulnerability.
Filtering Packets to UDP Port 3232
MDT Data Join messages are sent to UDP port 3232. Creating an access-list that filters destination UDP port 3232 and applying it on the VRF interface of the PE router mitigates this vulnerability. Such an access-list looks like this:
access-list 100 deny udp any any eq 3232
access-list 100 permit ip any any

interface Serial 0/0
 ip vrf forwarding <vpn-1>
 ...
 ip access-group 100 in
Note that this access-list can also filter legitimate traffic that is destined to UDP port 3232. In such a case, the access-list can be modified to be more specific by providing individual BGP peer IP addresses. This is explained in the section that follows.
Filtering BGP Peer IP Addresses on the VRF Interface
In order to successfully exploit this vulnerability, an attacker needs to send MDT Data Join messages by spoofing the packets from the IP address of one of the existing iBGP peers. Because MDT Data Join messages are only used between PE routers, the packets from CE devices can safely be filtered.
Creating an access-list that filters iBGP peer IP addresses as source addresses and applying it on the VRF interface of the PE router mitigates this vulnerability. The access-list needs to filter all iBGP peer IP addresses. Such an access-list looks like this example:
access-list 100 deny udp host <ibgp-peer-1> any eq 3232
access-list 100 deny udp host <ibgp-peer-2> any eq 3232
...
access-list 100 deny udp host <ibgp-peer-n> any eq 3232
access-list 100 permit ip any any

interface Serial 0/0
 ip vrf forwarding <vpn-1>
 ...
 ip access-group 100 in
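The following Python script is an added example and is not part of the Cisco advisory or any Cisco tool. It ties together the affected-device test from the Vulnerable Products section (a VRF carrying mdt default), the release string from the show version banner, and the second workaround above: it discovers the iBGP peers and VRF interfaces in a running configuration and emits the per-peer UDP port 3232 access-list for every VRF interface. The configuration, hostname, addresses and AS numbers are constructed; the parser assumes standard IOS stanza indentation (unindented line opens a stanza, indented lines belong to it) and that an iBGP peer is a neighbor whose remote-as equals the local AS.

```python
"""Audit an IOS PE running-config for MVPN exposure and emit the per-peer
workaround ACL.  Added example, not Cisco code; all input is constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed banner in the same shape as the one quoted in the advisory.
SHOW_VERSION = ("Cisco IOS Software, 7200 Software (C7200-IK9S-M), "
                "Version 12.3(14)T1, RELEASE SOFTWARE (fc1)\n")

# Constructed PE config: two MVPN VRFs, one plain VRF, two iBGP peers, one eBGP CE.
RUNNING_CONFIG = """\
hostname PE1
!
ip vrf vpn-1
 mdt default 239.1.1.1
 mdt data 239.1.2.0 0.0.0.255 threshold 1
!
ip vrf vpn-2
 mdt default 239.2.1.1
!
ip vrf mgmt
!
interface Serial0/0
 ip vrf forwarding vpn-1
!
interface GigabitEthernet0/1
 ip vrf forwarding vpn-2
!
interface GigabitEthernet0/2
 ip vrf forwarding mgmt
!
router bgp 65000
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.3 remote-as 65000
 address-family ipv4 vrf vpn-1
  neighbor 192.168.1.2 remote-as 65100
 exit-address-family
!
"""

@dataclass
class PeAudit:
    mdt_default: dict = field(default_factory=dict)     # vrf name -> default MDT group
    vrf_interfaces: dict = field(default_factory=dict)  # interface -> vrf name
    ibgp_peers: list = field(default_factory=list)      # remote PE peering addresses

def parse_show_version(banner: str) -> Optional[str]:
    """Release string from the banner's first line, e.g. '12.3(14)T1'."""
    m = re.search(r"\([A-Za-z0-9-]+\), Version ([^,\s]+)", banner)
    return m.group(1) if m else None

def parse_running_config(text: str) -> PeAudit:
    """Walk the config stanza by stanza (unindented line = new stanza)."""
    audit, stanza, local_as = PeAudit(), (), None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        words = raw.split()
        if not raw[0].isspace():
            stanza = tuple(words)                  # e.g. ('ip', 'vrf', 'vpn-1')
            if stanza[:2] == ("router", "bgp"):
                local_as = stanza[2]
            continue
        if stanza[:2] == ("ip", "vrf") and words[:2] == ["mdt", "default"]:
            audit.mdt_default[stanza[2]] = words[2]
        elif stanza[:1] == ("interface",) and words[:3] == ["ip", "vrf", "forwarding"]:
            audit.vrf_interfaces[stanza[1]] = words[3]
        elif stanza[:2] == ("router", "bgp") and words[:1] == ["neighbor"] and "remote-as" in words:
            # iBGP peer = remote AS equals the local AS; the eBGP CE neighbour under
            # the VRF address-family has a different AS and is skipped.
            if words[words.index("remote-as") + 1] == local_as:
                audit.ibgp_peers.append(words[1])
    return audit

def is_mvpn_configured(audit: PeAudit) -> bool:
    """The advisory's affected-device test: any VRF carrying 'mdt default <group>'."""
    return bool(audit.mdt_default)

def workaround_acl(audit: PeAudit, acl: int = 100) -> list:
    """Second workaround: deny UDP/3232 (MDT Data Join) sourced from every iBGP
    peer, inbound on every VRF interface.  Omitting one peer or one interface
    leaves the PE exploitable along that path, as the advisory warns."""
    lines = [f"access-list {acl} deny udp host {p} any eq 3232" for p in sorted(audit.ibgp_peers)]
    lines.append(f"access-list {acl} permit ip any any")
    for ifname in sorted(audit.vrf_interfaces):    # all VRF interfaces, not only MVPN ones
        lines += [f"interface {ifname}", f" ip access-group {acl} in"]
    return lines

if __name__ == "__main__":
    audit = parse_running_config(RUNNING_CONFIG)
    print(f"IOS {parse_show_version(SHOW_VERSION)}; MVPN configured: {is_mvpn_configured(audit)}")
    print("\n".join(workaround_acl(audit)))
```

The generated access-group is applied to the mgmt VRF interface as well, because the advisory requires the filter on all VRF interfaces, not only those of VRFs that carry an MDT. The interfaces already carry ip vrf forwarding, so only the access-group line is pushed. If the iBGP peer list cannot be kept accurate across the network, the first workaround (deny udp any any eq 3232) is the safer choice; adding the log keyword to the deny entries gives visibility of any CE-sourced packets to that port.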
Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Release" column of the table.
Major Release
Availability of Repaired Releases
Affected 12.0-Based Releases
First Fixed Release
Recommended Release
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
12.0(32)S9
12.0(33)S
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Vulnerable; Contact TAC
12.0(32)SY4
12.0(30)SZ4
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Affected 12.1-Based Releases
First Fixed Release
Recommended Release
There are no affected 12.1 based releases
Affected 12.2-Based Releases
First Fixed Release
Recommended Release
Not Vulnerable
Vulnerable; first fixed in 12.4
12.4(18a)
Vulnerable; first fixed in 12.3BC
12.3(23)BC1
Not Vulnerable
Not Vulnerable
Vulnerable; first fixed in 12.3XI
Vulnerable; first fixed in 12.3BC
12.3(23)BC1
Not Vulnerable
Vulnerable; contact TAC
Not Vulnerable
Not Vulnerable
Not Vulnerable
Vulnerable; first fixed in 12.2SG
12.2(25)EWA13
12.2(31)SGA5
12.2(44)SG
Vulnerable; first fixed in 12.2SG
12.2(25)EWA13
12.2(31)SGA5
12.2(44)SG
12.2(25)EWA10
12.2(25)EWA11
12.2(25)EWA13
12.2(37)EX
12.2(40)EX1
12.2(37)EY
Vulnerable; first fixed in 12.2SEE
Not Vulnerable
Not Vulnerable
Vulnerable; first fixed in 12.2SE
12.2(44)SE1
Vulnerable; first fixed in 12.2IXD
Vulnerable; first fixed in 12.2IXD
Vulnerable; first fixed in 12.2IXD
12.2(18)IXD1
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
12.2(15)MC2h
12.2(15)MC2k
12.2(14)S18
12.2(18)S13
12.2(20)S14
12.2(25)S13
12.2(25)S15
12.2(28)SB7
12.2(31)SB5
12.2(33)SB; Available on 31-MAR-2008
12.2(31)SB11
Vulnerable; first fixed in 12.2SB; Available on 31-MAR-2008
12.2(31)SB11
Not Vulnerable
12.2(35)SE4
12.2(37)SE
12.2(44)SE1
Vulnerable; first fixed in 12.2SEE
Vulnerable; first fixed in 12.2SEE
Vulnerable; first fixed in 12.2SEE
Vulnerable; first fixed in 12.2SEE
12.2(25)SEE4
Not Vulnerable
12.2(25)SEG3
12.2(25)SEG4
12.2(25)SG2
12.2(31)SG2
12.2(37)SG1
12.2(40)SG
12.2(44)SG
12.2(31)SGA2
12.2(31)SGA3
12.2(31)SGA6; Available on 07-APR-2008
12.2(31)SGA5
Not Vulnerable
12.2(29)SM2
Vulnerable; migrate to any release in 12.2SVA
12.2(29)SVD
12.2(33)SRA4
12.2(33)SRA7
12.2(33)SRB1
12.2(33)SRB3; Available on 14-APR-08
Not Vulnerable
Vulnerable; first fixed in 12.4
12.4(18a)
12.2(29b)SV
12.2(29b)SV
Not Vulnerable
Not Vulnerable
Not Vulnerable
12.2(25)SW11
Vulnerable; first fixed in 12.2SXF
12.2(18)SXF13
Vulnerable; first fixed in 12.2SXF
12.2(18)SXF13
Vulnerable; first fixed in 12.2SXF
12.2(18)SXF13
Vulnerable; first fixed in 12.2SXF
12.2(18)SXF13
Vulnerable; first fixed in 12.2SXF
12.2(18)SXF13
12.2(18)SXF10
12.2(18)SXF10a
12.2(18)SXF12a
12.2(18)SXF13
Not Vulnerable
Vulnerable; first fixed in 12.2SXF
12.2(18)SXF13
Vulnerable; first fixed in 12.2S
12.2(25)S15
12.2(31)SB11
12.2(33)SRC
Vulnerable; first fixed in 12.3
12.3(26)
Not Vulnerable
Vulnerable; first fixed in 12.2SB; Available on 31-MAR-2008
12.2(31)SB11
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
12.2(33)XN1
12.3(26)
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Vulnerable; first fixed in 12.3
12.3(26)
Vulnerable; first fixed in 12.3
12.3(26)
Not Vulnerable
Vulnerable; first fixed in 12.4
12.4(18a)
Vulnerable; first fixed in 12.4
12.4(18a)
Vulnerable; first fixed in 12.4
12.4(18a)
Not Vulnerable
Not Vulnerable
Vulnerable; first fixed in 12.4
12.4(18a)
Vulnerable; first fixed in 12.4
12.4(18a)
Not Vulnerable
Vulnerable; first fixed in 12.3
12.3(26)
Vulnerable; first fixed in 12.4
12.4(18a)
Vulnerable; first fixed in 12.4
12.4(18a)
Not Vulnerable
Vulnerable; first fixed in 12.4
12.4(18a)
Not Vulnerable
Vulnerable; first fixed in 12.2S
12.2(25)S15
12.2(31)SB11
12.2(33)SRC
Vulnerable; first fixed in 12.2SXF
12.2(18)SXF13
Not Vulnerable
Vulnerable; first fixed in 12.4
12.4(18a)
Vulnerable; contact TAC
Vulnerable; first fixed in 12.3
12.3(26)
Vulnerable; first fixed in 12.4
12.4(18a)
Vulnerable; first fixed in 12.3YG
12.4(15)T4
12.4(18a)
12.2(13)ZH9
12.2(13)ZH11
Vulnerable; first fixed in 12.4
12.4(18a)
Vulnerable; first fixed in 12.4
12.4(15)T4
12.4(18a)
Vulnerable; first fixed in 12.4
12.4(18a)
Vulnerable; migrate to any release in 12.2SXH
12.2(33)SXH2
12.2(18)ZY1
12.2(18)ZY2
Affected 12.3-Based Releases
First Fixed Release
Recommended Release
12.3(17c)
12.3(18a)
12.3(19a)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(23)
12.3(26)
Vulnerable; first fixed in 12.4
12.4(18a)
12.3(17b)BC8
12.3(21a)BC2
12.3(23)BC
12.3(23)BC1
Vulnerable; first fixed in 12.4
12.4(18a)
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Releases prior to 12.3(8)JK1 are vulnerable; release 12.3(8)JK1 and later are not vulnerable.
12.3(8)JK1
Not Vulnerable
Not Vulnerable
Vulnerable; first fixed in 12.4
12.4(18a)
12.3(4)TPC11b
Vulnerable; contact TAC
12.3(2)XA6
12.3(2)XA7; Available on 31-MAR-08
Vulnerable; first fixed in 12.4
12.4(18a)
12.3(2)XC5
12.4(15)T4
12.4(18a)
Vulnerable; first fixed in 12.4
12.4(18a)
12.3(2)XE5
12.4(15)T4
12.4(18a)
Vulnerable; first fixed in 12.4
12.4(18a)
Vulnerable; first fixed in 12.3YG
12.4(15)T4
12.4(18a)
Vulnerable; first fixed in 12.4
12.4(18a)
12.3(7)XI10a
Vulnerable; first fixed in 12.3YX
12.3(14)YX11
12.4(15)T4
Vulnerable; first fixed in 12.4
12.4(18a)
Vulnerable; first fixed in 12.4
12.4(18a)
12.3(7)XR7
12.3(7)XR8; Available on 31-MAR-08
Vulnerable; first fixed in 12.4
12.4(18a)
Vulnerable; first fixed in 12.4T
12.4(15)T4
Vulnerable; first fixed in 12.3YX
12.3(14)YX11
12.4(15)T4
Vulnerable; first fixed in 12.4
12.4(18a)
Vulnerable; first fixed in 12.4
12.4(15)T4
12.4(18a)
Vulnerable; first fixed in 12.4T
12.4(15)T4
Vulnerable; first fixed in 12.3YX
12.3(14)YX11
12.4(15)T4
12.3(8)YG6
12.4(15)T4
Vulnerable; first fixed in 12.4T
12.4(15)T4
Vulnerable; first fixed in 12.4T
12.4(15)T4
Vulnerable; first fixed in 12.4T
12.4(15)T4
12.3(11)YK3
12.4(15)T4
12.3(14)YM10
12.3(14)YM12
Vulnerable; first fixed in 12.4T
12.4(15)T4
12.3(11)YS2
12.4(15)T4
Vulnerable; first fixed in 12.4T
12.4(15)T4
Vulnerable; first fixed in 12.4XB
12.3(14)YX9
12.3(14)YX11
12.3(11)YZ2
Affected 12.4-Based Releases
First Fixed Release
Recommended Release
12.4(10c)
12.4(12b)
12.4(13c)
12.4(16)
12.4(3h)
12.4(5c)
12.4(7f)
12.4(8d)
12.4(18a)
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
Not Vulnerable
12.4(11)MD1
12.4(15)MD; Available on 09-MAY-08
12.4(12)MR2
12.4(16)MR2
12.4(11)SW3
12.4(15)SW
12.4(11)T3
12.4(15)T
12.4(2)T6
12.4(4)T8
12.4(6)T8
12.4(9)T4
12.4(15)T4
Vulnerable; first fixed in 12.4T
12.4(15)T4
12.4(2)XB6
12.4(4)XC7
12.4(4)XD8
12.4(4)XD10
12.4(6)XE2
12.4(15)T4
Vulnerable; first fixed in 12.4T
12.4(15)T4
12.4(9)XG2
12.4(9)XG2
12.4(11)XJ4
12.4(15)T4
Vulnerable; first fixed in 12.4T
12.4(15)T4
Not Vulnerable
Not Vulnerable
Not Vulnerable
12.4(6)XT1
12.4(6)XT2
Not Vulnerable
Not Vulnerable
Not Vulnerable
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
This vulnerability was reported to Cisco by Thomas Morin.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.3
2008-June-27
Updated Summary to remove link and verbiage.
Revision 1.2
2008-April-22
Updated URL of CVSSCSCsi01470.
Revision 1.1
2008-March-29
Updated Software Table for 12.0S, 12.0SY, 12.0SX and 12.0SZ due to new information on advisory ID cisco-sa-20080326-IPv4IPv6, the March 26th advisory on IPv4IPv6 Dual Stack Routers.
Revision 1.0
2008-March-26
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.