Cisco Security Advisory-
Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS software. This vulnerability does not affect IPv6 Type 2 Routing header which is used in mobile IPv6. IPv6 is not enabled by default in Cisco IOS.
Cisco has made free software available to address this vulnerability for affected customers.
There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on if Mobile IPv6 is used and what version on Cisco IOS is being currently used.
This vulnerability was initially reported by a customer and further trigger vector was discovered during developing the fix for this vulnerability.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070124-IOS-IPv6.
-
Devices running Cisco IOS and having IPv6 enabled on, at least, one of their interface may be affected by this vulnerability.
Vulnerable Products
To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS". On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the show version command or will give different output.
The following example identifies a Cisco product running IOS release 12.4(9.10):
Cisco IOS Software, 7200 Software (C7200-JK9O3S-M), Version 12.4(9.10), INTERIM SOFTWARE Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2006 by Cisco Systems, Inc. Compiled Mon 29-May-06 04:42 by prod_rel_team
Additional information about Cisco IOS release naming can be found at http://www.cisco.com/web/about/security/intelligence/ios-ref.html.
Products Confirmed Not Vulnerable
No other Cisco products are known to be vulnerable to the issue described in this Advisory. In particular Cisco IOS XR, Cisco PIX Appliance and Cisco MDS 9000 Series devices are not affected by this vulnerability.
-
This vulnerability can be triggered only when Cisco IOS processes specifically crafted IPv6 Type 0 Routing headers, which are used for source routing. Source routing is when an originator node explicitly specifies the exact path that a packet must take to reach the destination. Source routing is enabled by default on Cisco IOS if IPv6 is configured on the device. In order to trigger this vulnerability the packet must be destined to any of the IPv6 addresses defined on the device. The exact packet type is not relevant (e.g., TCP, ICMP, UDP) as the vulnerability is on the IP layer. For this reason care must be taken when implementing a workaround as this vulnerability can be triggered by a spoofed packet.
IPv6 multicast packets can not be used to trigger this vulnerability.
In addition to Type 0 Routing headers, IPv6 also supports Type 2 Routing that is used in Mobile IPv6 implementation. Type 2 Routing headers can not be used to trigger the vulnerability described in this Advisory.
A router running vulnerable Cisco IOS software will process Type 0 Routing headers only if the destination address in the IPv6 packet is one of the IPv6 addresses defined on any of the interfaces. The address may be either a global (i.e., routable), loopback or link local address. Link local addresses are not supposed to be routable and they are valid only among directly connected devices.
A device may also be susceptible in scenarios where IPv6 packets are tunneled over IPv4 networks provided that the IPv6 destination address (after de-encapsulation) is one of the IPv6 addresses defined on the device. This is independent of the exact encapsulation method used (e.g., MPLS, GRE or IPv6-in-IPv4).
This vulnerability is documented in Cisco Bug IDs CSCsd40334 ( registered customers only) and CSCsd58381 ( registered customers only) .
-
The workaround consists of filtering packets that contain Type 0 Routing header(s). Special attention must be paid not to filter packets with Type 2 Routing headers as that would break Mobile IPv6 deployment. Depending on what Cisco IOS software release is used and if Mobile IPv6 is deployed or not we have the following workarounds. As any packet type can be used to trigger this vulnerability the care must be taken when implementing a workaround to account for a spoofed packet.
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20070124-IOS-IPv6
Mobile IPv6 is not deployed
For IOS releases before 12.3(4)T the workaround is to use ACLs to filter all packets that contain Routing headers. This method can not distinguish between Type 0 and Type 2 Routing headers so it is not suitable if Mobile IPv6 is deployed.
The following example shows how to configure such ACLs.
Router(config)#ipv6 access-list deny-sourcerouted Router(config-ipv6-acl)#deny ipv6 any <myaddress1> routing Router(config-ipv6-acl)#deny ipv6 any <myaddress2> routing Router(config-ipv6-acl)#permit ipv6 any any Router(config-ipv6-acl)#exit Router(config)#interface Ethernet0 Router(config-if)#ipv6 traffic-filter deny-sourcerouted in
In this example <myaddressX> is an IPv6 address. One example of such address is 3ffe:ffff::/64. The ACL must be applied to all interfaces and all IPv6 addresses that are configured. If an interface has more than one IPv6 address configured then all addresses must be covered by the ACLs. This also includes all loopback and "link local" addresses for each interface.
The alternative of enumerating all IPv6 addresses is to use statement deny ipv6 any any routing. While that simplifies the resulting ACL it will also filter all transit IPv6 traffic with Routing headers 0 and 2. The example where all configured IPv6 addresses are enumerated will not affect transit traffic. This comment is applicable to all other examples in this Advisory.
Mobile IPv6 is deployed
There is no workaround if you are running a Cisco IOS release prior to 12.2(15)T. Starting from the IOS release 12.2(15)T a new command ipv6 source-route was introduced. If applied, it will block any IPv6 packet with Type 0 Routing Headers. The configuration is given in the following example.
Router(config)#no ipv6 source-route
This is a global command and it applies to all interfaces. The command is applicable on all defined IPv6 addresses, including the link local and loopback address, and on all interfaces.
In IOS 12.4(2)T a new keyword routing-type is added to IPv6 ACLs. It can be used to selectively permit or deny specific routing types.
Router(config)#ipv6 access-list deny-sourcerouted Router(config-ipv6-acl)#deny ipv6 any <myaddress1> routing-type 0 Router(config-ipv6-acl)#permit ipv6 any any Router(config)#interface Ethernet0 Router(config-if)#ipv6 source-route Router(config-if)#ipv6 traffic-filter deny-sourcerouted in
The filter must be applied to all interfaces that have IPv6 configured.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).
For more information on the terms "Rebuild" and "Maintenance," consult the following URL: http://www.cisco.com/web/about/security/intelligence/ios-ref.html.
Note: There are three IOS security advisories and one field notice being published on January 24, 2007. Each advisory only lists the releases which fix the issue described in the advisory. A combined software table is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070124-bundle and can be used to choose a software release which fixes all security vulnerabilities published as of January 24, 2007. The advisories and field notice published on January 24 are listed here.
- https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20070124-IOS-IPv6
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070124-crafted-tcp
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070124-crafted-ip-option
- http://www.cisco.com/warp/public/770/fn62613.shtml
Requests for software rebuilds to include the change for Daylight Savings Time (DST) that will be implemented in March 2007 should be directed through the Technical Assistance Center (TAC) and this advisory should be used as reference.
Major Release
Availability of Repaired Releases
Affected 12.0-Based Release
Rebuild
Maintenance
12.0
Not vulnerable
12.0DA
Not vulnerable
12.0DB
Not vulnerable
12.0DC
Not vulnerable
12.0S
12.0(32)S3
12.0SC
Not vulnerable
12.0SL
Not vulnerable
12.0SP
Not vulnerable
12.0ST
Vulnerable; migrate to 12.0(32)S3 or later
12.0SX
Vulnerable for only 12.0(30)SX; contact TAC
12.0SY
12.0(32)SY
12.0SZ
Vulnerable; migrate to 12.0(32)S3 or later
12.0T
Not vulnerable
12.0W
Not vulnerable
12.0WC
Not vulnerable
12.0WT
Not vulnerable
12.0XA
Not vulnerable
12.0XB
Not vulnerable
12.0XC
Not vulnerable
12.0XD
Not vulnerable
12.0XE
Not vulnerable
12.0XF
Not vulnerable
12.0XG
Not vulnerable
12.0XH
Not vulnerable
12.0XI
Not vulnerable
12.0XJ
Not vulnerable
12.0XK
Not vulnerable
12.0XL
Not vulnerable
12.0XM
Not vulnerable
12.0XN
Not vulnerable
12.0XQ
Not vulnerable
12.0XR
Not vulnerable
12.0XS
Not vulnerable
12.0XV
Not vulnerable
12.0XW
Not vulnerable
Affected 12.1-Based Release
Rebuild
Maintenance
12.1
Not vulnerable
12.1AA
Not vulnerable
12.1AX
Not vulnerable
12.1AY
Not vulnerable
12.1AZ
Not vulnerable
12.1CX
Not vulnerable
12.1DA
Not vulnerable
12.1DB
Not vulnerable
12.1DC
Not vulnerable
12.1E
Not vulnerable
12.1EA
Not vulnerable
12.1EB
Not vulnerable
12.1EC
Not vulnerable
12.1EO
Not vulnerable
12.1EU
Not vulnerable
12.1EV
Not vulnerable
12.1EW
Not vulnerable
12.1EX
Not vulnerable
12.1EY
Not vulnerable
12.1EZ
Not vulnerable
12.1T
Not vulnerable
12.1XA
Not vulnerable
12.1XB
Not vulnerable
12.1XC
Not vulnerable
12.1XD
Not vulnerable
12.1XE
Not vulnerable
12.1XF
Not vulnerable
12.1XG
Not vulnerable
12.1XH
Not vulnerable
12.1XI
Not vulnerable
12.1XJ
Not vulnerable
12.1XL
Not vulnerable
12.1XM
Not vulnerable
12.1XP
Not vulnerable
12.1XQ
Not vulnerable
12.1XR
Not vulnerable
12.1XS
Not vulnerable
12.1XT
Not vulnerable
12.1XU
Vulnerable; migrate to 12.3(18) or later
12.1XV
Vulnerable; migrate to 12.3(18) or later
12.1XW
Not vulnerable
12.1XX
Not vulnerable
12.1XY
Not vulnerable
12.1XZ
Not vulnerable
12.1YA
Not vulnerable
12.1YB
Vulnerable; migrate to 12.3(18) or later
12.1YC
Vulnerable; migrate to 12.3(18) or later
12.1YD
Vulnerable; migrate to 12.3(18) or later
12.1YE
Not vulnerable
12.1YF
Not vulnerable
12.1YH
Not vulnerable
12.1YI
Not vulnerable
12.1YJ
Not vulnerable
Affected 12.2-Based Release
Rebuild
Maintenance
12.2
Not vulnerable
12.2B
Vulnerable; migrate to 12.3(4)T13 or later
12.2BC
Vulnerable; migrate to 12.3(17b)BC3 or later
12.2BW
Vulnerable; migrate to 12.3(18) or later
12.2BY
Vulnerable; migrate to 12.3(4)T13 or later
12.2BZ
Not vulnerable
12.2CX
Vulnerable; migrate to 12.3(17b)BC3 or later
12.2CY
Not vulnerable
12.2CZ
Not vulnerable
12.2DA
Not vulnerable
12.2DD
Vulnerable; migrate to 12.3(4)T13 or later
12.2DX
Vulnerable; migrate to 12.3(4)T13 or later
12.2EU
Vulnerable; migrate to 12.2(25)EWA6 or later
12.2EW
Vulnerable; migrate to 12.2(25)EWA6 or later
12.2EWA
12.2(25)EWA6
12.2EX
Not vulnerable
12.2EY
Not vulnerable
12.2EZ
Vulnerable; migrate to 12.2(25)SEE1 or later
12.2FX
Not vulnerable
12.2FY
Not vulnerable
12.2FZ
Not vulnerable
12.2IXA
Vulnerable; migrate to 12.2(18)IXB or later
12.2IXB
All 12.2IXB releases are fixed
12.2IXC
All 12.2IXC releases are fixed
12.2JA
Not vulnerable
12.2JK
Not vulnerable
12.2MB
Not vulnerable
12.2MC
12.2(15)MC2h
12.2S
12.2(25)S11
12.2(30)S
12.2SB
12.2(28)SB2
12.2(31)SB
12.2SBC
12.2(27)SBC4
12.2SEA
Vulnerable; migrate to 12.2(25)SEE1 or later
12.2SEB
Vulnerable; migrate to 12.2(25)SEE1 or later
12.2SEC
Vulnerable; migrate to 12.2(25)SEE1 or later
12.2SED
Vulnerable; migrate to 12.2(25)SEE1 or later
12.2SEE
12.2(25)SEE1
12.2SEF
12.2(25)SEF1
12.2SEG
All 12.2SEG releases are fixed
12.2SG
12.2(25)SG1
12.2(31)SG
12.2SGA
All 12.2SGA releases are fixed
12.2SO
Not vulnerable
12.2SRA
All 12.2SRA releases are fixed
12.2SRB
All 12.2SRB releases are fixed
12.2SU
Vulnerable; migrate to 12.3(14)T7 or later
12.2SV
12.2(25)SV3
12.2(26)SV
12.2SW
12.2(25)SW7
12.2SX
Vulnerable; migrate to 12.2(18)SXD7a or later
12.2SXA
Vulnerable; migrate to 12.2(18)SXD7a or later
12.2SXB
Vulnerable; migrate to 12.2(18)SXD7a or later
12.2SXD
12.2(18)SXD7a
12.2SXE
12.2(18)SXE6
12.2SXF
12.2(18)SXF5
12.2SY
Vulnerable; migrate to 12.2(18)SXD7a or later
12.2SZ
Vulnerable; migrate to 12.2(25)S11 or later
12.2T
Vulnerable; migrate to 12.3(18) or later
12.2TPC
Vulnerable; contact TAC
12.2XA
Vulnerable; migrate to 12.3(18) or later
12.2XB
Vulnerable; migrate to 12.3(18) or later
12.2XC
Vulnerable; migrate to 12.3(4)T13 or later
12.2XD
Vulnerable; migrate to 12.3(18) or later
12.2XE
Not vulnerable
12.2XF
Vulnerable; migrate to 12.3(17b)BC3 or later
12.2XG
Vulnerable; migrate to 12.3(18) or later
12.2XH
Vulnerable; migrate to 12.3(18) or later
12.2XI
Vulnerable; migrate to 12.3(18) or later
12.2XJ
Vulnerable; migrate to 12.3(18) or later
12.2XK
Vulnerable; migrate to 12.3(18) or later
12.2XL
Vulnerable; migrate to 12.3(18) or later
12.2XM
Vulnerable; migrate to 12.3(18) or later
12.2XN
12.2(31)XN
12.2XQ
Vulnerable; migrate to 12.3(18) or later
12.2XR
Not vulnerable
12.2XS
Vulnerable; migrate to 12.3(18) or later
12.2XT
Vulnerable; migrate to 12.3(18) or later
12.2XU
Vulnerable; migrate to 12.3(18) or later
12.2XV
Vulnerable; migrate to 12.3(18) or later
12.2XW
Vulnerable; migrate to 12.3(18) or later
12.2YA
Vulnerable; migrate to 12.3(18) or later
12.2YB
Vulnerable; migrate to 12.3(18) or later
12.2YC
Not vulnerable
12.2YD
Vulnerable; migrate to 12.3(11)T10 or later
12.2YE
Vulnerable; migrate to 12.2(25)S11 or later
12.2YF
Vulnerable; migrate to 12.3(18) or later
12.2YG
Not vulnerable
12.2YH
Vulnerable; migrate to 12.3(18) or later
12.2YJ
Vulnerable; migrate to 12.3(18) or later
12.2YK
Not vulnerable
12.2YL
Vulnerable; migrate to 12.3(4)T13 or later
12.2YM
Vulnerable; migrate to 12.3(4)T13 or later
12.2YN
Vulnerable; migrate to 12.3(4)T13 or later
12.2YO
Not vulnerable
12.2YP
Not vulnerable
12.2YQ
Vulnerable; migrate to 12.3(4)T13 or later
12.2YR
Vulnerable; migrate to 12.3(4)T13 or later
12.2YS
Vulnerable; migrate to 12.3(4)T13 or later
12.2YT
Vulnerable; migrate to 12.3(18) or later
12.2YU
Vulnerable; migrate to 12.3(4)T13 or later
12.2YV
Vulnerable; migrate to 12.3(4)T13 or later
12.2YW
Vulnerable; migrate to 12.3(4)T13 or later
12.2YX
Vulnerable; migrate to 12.3(14)T7 or later
12.2YY
Vulnerable; migrate to 12.3(4)T13 or later
12.2YZ
Vulnerable; migrate to 12.2(25)S11 or later
12.2ZA
Vulnerable; migrate to 12.2(18)SXD7a or later
12.2ZB
Vulnerable; migrate to 12.3(4)T13 or later
12.2ZC
Not vulnerable
12.2ZD
Vulnerable; contact TAC
12.2ZE
Vulnerable; migrate to 12.3(18) or later
12.2ZF
Vulnerable; migrate to 12.3(4)T13 or later
12.2ZG
Not vulnerable
12.2ZH
Vulnerable; contact TAC
12.2ZJ
Vulnerable; migrate to 12.3(4)T13 or later
12.2ZL
Vulnerable; contact TAC
12.2ZN
Vulnerable; migrate to 12.3(4)T13 or later
12.2ZP
Not vulnerable
Affected 12.3-Based Release
Rebuild
Maintenance
12.3
12.3(17b)
12.3(18)
12.3B
Vulnerable; migrate to 12.3(11)T10 or later
12.3BC
12.3(17b)BC3
12.3BW
Vulnerable; migrate to 12.3(11)T10 or later
12.3JA
Not vulnerable
12.3JEA
All 12.3JEA releases are fixed
12.3JEB
All 12.3JEA releases are fixed
12.3JK
Not vulnerable
12.3JX
Not vulnerable
12.3T
12.3(4)T13
12.3(11)T10
12.3(14)T7
Limited platform support is available: Contact TAC
Please migrate to 12.4(8) or later
12.3TPC
Not vulnerable
12.3XA
Vulnerable; contact TAC
12.3XB
Vulnerable; migrate to 12.3(11)T10 or later
12.3XC
Vulnerable; contact TAC
12.3XD
Vulnerable; migrate to 12.3(11)T10 or later
12.3XE
Vulnerable; contact TAC
12.3XF
Vulnerable; migrate to 12.3(11)T10 or later
12.3XG
Vulnerable; contact TAC
12.3XH
Vulnerable; migrate to 12.3(11)T10 or later
12.3XI
12.3(7)XI8a
12.3(7)XI9
12.3XJ
Vulnerable; migrate to 12.3(14)YX2 or later
12.3XK
Vulnerable; migrate to 12.3(14)T7 or later
12.3XQ
Vulnerable; migrate to 12.4(8) or later
12.3XR
Vulnerable; contact TAC
12.3XS
Vulnerable; migrate to 12.4(8) or later
12.3XU
Vulnerable; migrate to 12.4(2)T4 or later
12.3XW
Vulnerable; migrate to 12.3(14)YX2 or later
12.3XX
Vulnerable; migrate to 12.4(8) or later
12.3XY
Not vulnerable
12.3YA
Vulnerable; contact TAC
12.3YD
Vulnerable; migrate to 12.4(2)T4 or later
12.3YF
Vulnerable; migrate to 12.3(14)YX2 or later
12.3YG
Vulnerable; migrate to 12.4(2)T4 or later
12.3YH
Vulnerable; migrate to 12.4(2)T4 or later
12.3YI
Vulnerable; migrate to 12.4(2)T4 or later
12.3YJ
Vulnerable; migrate to 12.4(6)T1 or later
12.3YK
Vulnerable; migrate to 12.4(4)T2 or later
12.3YM
12.3(14)YM8
12.3YQ
Vulnerable; migrate to 12.4(6)T1 or later
12.3YS
Vulnerable; migrate to 12.4(4)T2 or later
12.3YT
Vulnerable; migrate to 12.4(4)T2 or later
12.3YU
Vulnerable; migrate to 12.4(2)XB2 or later
12.3YX
12.3(14)YX2
12.3YZ
12.3(11)YZ1
Affected 12.4-Based Release
Rebuild
Maintenance
12.4
12.4(3d)
12.4(5b)
12.4(7a)
12.4(8)
12.4MR
Not vulnerable
12.4SW
All 12.4SW releases are fixed
12.4T
12.4(2)T4
12.4(4)T2
12.4(6)T1
12.4(9)T
12.4XA
Vulnerable; migrate to 12.4(6)T1 or later
12.4XB
12.4(2)XB2
12.4XC
12.4(4)XC5
12.4XD
12.4(4)XD2
12.4XE
All 12.4XE releases are fixed
12.4XG
All 12.4XG releases are fixed
12.4XJ
All 12.4XJ releases are fixed
12.4XP
All 12.4XP releases are fixed
12.4XT
All 12.4XT releases are fixed
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
This vulnerability was initially reported to Cisco by Arnaud Ebalard from EADS Corporate Research Center. An additional vector to trigger it was discovered internally while fixing the vulnerability.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show Less1.2
2007-May-04
no ipv6 source-rout affects only Type 0 Routing Header.
1.1
2007-January-27
Updated Cisco IOS software table.
1.0
2007-January-24
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.