Cisco Security Advisory
Click Icon to Copy Verbose Score
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
-
Cisco routers and switches running Cisco IOS® or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by this issue.
Cisco has made free software available to address this vulnerability for affected customers.
There are workarounds available to mitigate the effects of the vulnerability.
This vulnerability was discovered during internal testing.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070124-crafted-ip-option.
-
Vulnerable Products
This issue affects all Cisco devices running Cisco IOS or Cisco IOS XR software and configured to process Internet Protocol version 4 (IPv4) packets. Devices which run only Internet Protocol version 6 (IPv6) are not affected.
This vulnerability is present in all unfixed versions of Cisco IOS software, including versions 9.x, 10.x, 11.x and 12.x.
This vulnerability is present in all unfixed versions of Cisco IOS XR software, including versions 2.0.X, 3.0.X, and 3.2.X.
All versions of Cisco IOS or Cisco IOS XR prior to the versions listed in the Fixed Software table below may be susceptible to this vulnerability.
To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS". On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Cisco IOS XR software will identify itself as "Cisco IOS XR Software" followed by "Version" and the version number. Other Cisco devices will not have the show version command or will give different output.
The following example identifies a Cisco product running Cisco IOS release 12.2(14)S16 with an installed image name of C7200-IS-M:
Cisco Internetwork Operating System Software IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(14)S16, RELEASE SOFTWARE (fc1)
The release train label is "12.2".
The next example shows a product running IOS release 12.3(7)T12 with an image name of C7200-IK9S-M:
Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(7)T12, RELEASE SOFTWARE (fc1)
Additional information about Cisco IOS Banners is available at http://www.cisco.com/web/about/security/intelligence/ios-ref.html.
Cisco IOS XR Software is a member of the Cisco IOS software family that uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR runs only on Cisco Carrier Routing System 1 (CRS-1) and Cisco XR 12000 series routers.
Additional information about Cisco IOS XR is available at http://www.cisco.com/en/US/products/ps5845/index.html
The following example shows partial output from the show version command which identifies a Cisco product running Cisco IOS XR release 3.3.0:
RP/0/RP0/CPU0:router#show version Cisco IOS XR Software, Version 3.3.0 Copyright (c) 2006 by cisco Systems, Inc. ROM: System Bootstrap, Version 1.32(20050525:193559) [CRS-1 ROMMON]
Products Confirmed Not Vulnerable
Cisco devices that do not run Cisco IOS or Cisco IOS XR software are not affected. CatOS software is not affected by this issue.
No other Cisco products are currently known to be affected by this vulnerability.
-
This vulnerability may be exploited when an affected device processes a packet that meets all three of the following conditions:
1. The packet contains a specific crafted IP option.
AND
2. The packet is one of the following protocols:
- ICMP - Echo (Type 8) - 'ping'
- ICMP - Timestamp (Type 13)
- ICMP - Information Request (Type 15)
- ICMP - Address Mask Request (Type 17)
- PIMv2 - IP protocol 103
- PGM - IP protocol 113
- URD - TCP Port 465
AND
3. The packet is sent to a physical or virtual IPv4 address configured on the affected device.
No other ICMP message types are affected by this issue.
No other IP protocols are affected by this issue.
No other TCP services are affected by this issue.
The packet can be sent from a local network or from a remote network.
The source IP address of the packet can be spoofed or non-spoofed.
Packets which transit the device (packets not sent to one of the device's IP addresses) do not trigger the vulnerability and the device is not affected.
This vulnerability is documented in these Bug IDs:
- Cisco Bug ID CSCec71950 ( registered customers only) for Cisco IOS
- Cisco Bug ID CSCeh52410 ( registered customers only) for Cisco IOS XR
Cisco IOS
A crafted packet addressed directly to a vulnerable device running Cisco IOS software may result in the device reloading or may allow execution of arbitrary code.
Cisco IOS XR
A crafted packet addressed directly to a vulnerable device running Cisco IOS XR software may result in the ipv4_io process restarting or may allow execution of arbitrary code. CRS-1 Nodes that run the ipv4_io process include Route Processors (RP), Distributed Route Processors (DRP), Modular Services Cards (MSC), and XR 12000 Line Cards. While the ipv4_io process is restarting, all ICMP traffic destined for the device itself and exception punts will be dropped. Examples of exception punts include packets having IP header information that requires further processing such as IP options, Time-to-Live equal to 0 or 1, and layer-2 keepalives. CLNS traffic to the Node or Line Card is not affected. If the ipv4_io process is restarted several times consecutively, the CRS-1 Node or XR 12000 Line Card may reload, causing a Denial of Service (DoS) condition for the transit traffic switched on that Node or Line card.
Devices Configured for ICMP Message Types
ICMP Type 8
By default, devices running all Cisco IOS and Cisco IOS XR versions will process ICMP echo-request (Type 8) packets. This behavior cannot be modified.
ICMP Type 13
By default, devices running all Cisco IOS versions will process ICMP timestamp (Type 13) packets. This behavior cannot be modified.
By default, devices running all Cisco IOS XR versions will NOT process ICMP timestamp (Type 13) packets. This behavior cannot be modified.
ICMP Type 15
With the introduction of CSCdz50424, by default routers will NOT process ICMP information request (Type 15) packets. Releases of Cisco IOS that contain CSCdz50424 include 12.3, 12.3T, 12.4, 12.4T, later 12.0S and later 12.2S. See CSCdz50424 ( registered customers only) for complete release information.
A router running a Cisco IOS release containing CSCdz50424 that has been modified to process ICMP information request packets will have the interface configuration statement ip information-reply, which can be seen by issuing the command show running-config as shown in the following examples:
router#show running-config | include information-reply ip information-reply
or
router#show running-config interface FastEthernet0/0 ip address 192.0.2.1 255.255.255.0 ip information-reply
By default, devices running all other Cisco IOS versions will process ICMP information request (Type 15) packets. This behavior cannot be modified. Since this is the default behavior, ip information-reply will not be visible in the device's configuration.
By default, devices running all Cisco IOS XR versions will NOT process ICMP information request (Type 15) packets. This behavior cannot be modified.
ICMP Type 17
Beginning in Cisco IOS version 10.0, by default devices will NOT process ICMP address mask request (Type 17) packets. A router that has been modified to process ICMP address mask request packets will have the interface configuration statement ip mask-reply, which can be seen by issuing the command show running-config as shown in the following examples:
router#show running-config | include mask-reply ip mask-reply
or
router#show running-config interface FastEthernet0/0 ip address 192.0.2.1 255.255.255.0 ip mask-reply
By default, devices running all Cisco IOS XR versions will NOT process ICMP address mask request (Type 17) packets. A router that has been modified to process ICMP address mask request packets will have the interface configuration statement ipv4 mask-reply, which can be seen by issuing the command show running-config as shown in the following examples:
RP/0/RP0/CPU0:router#show running-config | include mask-reply Building configuration... ipv4 mask-reply
or
RP/0/RP0/CPU0:router#show running-config interface POS0/1/3/0 ipv4 address 192.0.2.1 255.255.255.252 ipv4 mask-reply
Devices Configured for Protocol Independent Multicast Version 2 (PIMv2)
Cisco IOS
A router running Cisco IOS that is configured to process PIMv2 packets will have an interface configuration statement that begins with ip pim, which can be seen by issuing the command show running-config as shown in the following examples:
router#show running-config | include ip pim ip pim sparse-mode
or
router#show running-config interface FastEthernet0/0 ip address 192.0.2.1 255.255.255.0 ip pim sparse-dense-mode
The command show ip pim interface can also be used to determine if a router is configured to process PIMv2 packets, as shown in the following example:
router#show ip pim interface Address Interface Ver/ Nbr Query DR DR Mode Count Intvl Prior 192.0.2.1 FastEthernet0/0 v1/S 0 30 1 0.0.0.0 192.168.1.1 FastEthernet1/0 v2/SD 0 30 1 0.0.0.0
Interfaces running PIMv2 will show "v2/" under the Ver/Mode column. Interfaces without PIM configured will not be shown in the command output.
PIMv2 is the default PIM version. Routers configured to process only PIMv1 messages are not vulnerable to the PIMv2 exploit. Routers that do not have PIM configured are not vulnerable to the PIMv2 exploit. PIM is not enabled by default.
Additional information about PIM is available at http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.3/multicast/configuration/guide/mc33mcst.html.
Cisco IOS XR
The command show pim interface can be used to determine if a router running Cisco IOS XR is configured to process PIMv2 packets, as shown in the following example:
RP/0/0/CPU0:router#show pim interface Address Interface PIM Nbr Hello DR DR Count Intvl Prior 192.168.1.1 Loopback0 on 1 30 1 this system 192.168.2.1 MgmtEth0/0/CPU0/0 off 0 30 1 not elected 192.168.3.1 Loopback1 on 1 30 1 this system 192.168.4.1 Loopback3 on 1 30 1 this system 192.168.5.1 POS0/4/0/0 on 1 30 1 this system 192.0.2.1 POS0/4/0/1 on 1 30 1 this systemInterfaces running PIMv2 will show on under the PIM column. Interfaces without PIM configured will show "off" under the PIM column.
Cisco IOS XR does not support PIMv1. PIM is not enabled by default on Cisco IOS XR.
Additional information about PIM on Cisco IOS XR is available at http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.3/multicast/configuration/guide/mc33mcst.html.
Devices Configured for Pragmatic General Multicast (PGM)
A router that is configured to process PGM packets will have the interface configuration statement ip pgm router, which can be seen by issuing the command show running-config as shown in the following examples:
router#show running-config | include ip pgm ip pgm router
or
router#show running-config interface FastEthernet1/0 ip address 192.0.2.1 255.255.255.0 ip pim sparse-dense-mode ip pgm router
or
router#show running-config interface FastEthernet1/0 ip address 192.0.2.1 255.255.255.0 ip pgm router
Routers that do not have PGM configured are not vulnerable to the PGM exploit. PGM is not enabled by default.
Additional information about PGM is available at http://www.cisco.com/en/US/docs/ios/ipmulti/configuration/guide/imc_cfg_pgm_routasst_ps6350_TSD_Products_Configuration_Guide_Chapter.html.
Cisco IOS XR does not support PGM and is not affected by PGM packets that exploit this vulnerability.
Devices Configured for URL Rendezvous Directory (URD)
A router that is configured to process URD packets will have the interface configuration statement ip urd or ip urd proxy, which can be seen by issuing the command show running-config as shown in the following examples:
router#show running-config | include ip urd ip urd
or
router#show running-config | include ip urd ip urd proxy
or
router#show running-config interface FastEthernet1/0 ip address 192.0.2.1 255.255.255.0 ip pim sparse-mode ip urd
or
router#show running-config interface FastEthernet1/0 ip address 192.0.2.1 255.255.255.0 ip pim sparse-dense-mode ip urd proxy
or
router#show running-config interface FastEthernet1/0 ip address 192.0.2.1 255.255.255.0 ip urd
Routers that do not have URD configured are not vulnerable to the URD exploit. URD is not enabled by default.
Additional information about URD is available at http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfssm.html.
Cisco IOS XR does not support URD and is not affected by URD packets that exploit this vulnerability.
-
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:
IP Options Selective Drop
The IP Options Selective Drop feature allows Cisco routers to mitigate the effects of IP options by dropping packets containing them or by not processing (ignoring) IP options in a packet.
The most effective workaround is using the "drop" option of this global configuration command: ip options drop. This command will drop all IP packets containing IP options that are both destined to the router itself or transiting through the router before they are processed, preventing exploitation locally and downstream.
The IP Options Selective Drop feature is available beginning in Cisco IOS software version 12.0(23)S for 12000, 12.0(32)S for 10720, and 12.3(4)T, 12.2(25)S, and 12.2(27)SBC for other hardware platforms.
Please note that deploying this command will drop legitimate packets containing IP options as well. Protocols this may impact include RSVP (used by Microsoft NetMeeting), MPLS TE, MPLS OAM, DVMRP, IGMPv3, IGMPv2, and legitimate PGM.
Note: The ignore option of the global command ip options ignore, available only on the Cisco 12000 router beginning in 12.0(23)S, is NOT a workaround for this issue.
Additional information about IP Options Selective Drop feature is available at http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_acl_sel_drop_ps6017_TSD_Products_Configuration_Guide_Chapter.html .
Transit Access Control Lists (ACLs)
Configure an interface ACL that blocks traffic of these types:
- Echo (Ping) ICMP type 8
- Timestamp ICMP type 13
- Information Request ICMP type 15
- Address Mask Request ICMP Type 17
- Protocol Independent Multicast (PIM) IP protocol 103
- Pragmatic General Multicast (PGM) IP protocol 113
- URL Rendezvous Directory (URD) TCP port 465
The Internet Control Message Protocol is an integral part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite that is used to report error conditions and provide diagnostic information. Filtering ICMP messages may impact this error condition and diagnostic reporting including "ping" and Windows traceroute which uses ICMP ping.
If the device is configured to process PIM, PGM, or URD, blocking those packets will prevent legitimate operation of the protocols.
Since the source IP address of these packets can be easily spoofed, the affected traffic should be blocked on all of the device's IPv4 interfaces.
The following ACL is specifically designed to block attack traffic and should be applied to all IPv4 interfaces of the device and should include topology-specific filters:
access-list 150 deny icmp any any echo access-list 150 deny icmp any any information-request access-list 150 deny icmp any any timestamp-request access-list 150 deny icmp any any mask-request access-list 150 deny tcp any any eq 465 access-list 150 deny 103 any any access-list 150 deny 113 any any access-list 150 permit ip any any interface serial 2/0 ip access-group 150 in
These ACL statements should be deployed at the network edge as part of a transit access list which will protect the router where the ACL is configured as well as other devices behind it. Further information about transit ACLs is available in the white paper "Transit Access Control Lists: Filtering at Your Edge", available at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml.
The following Cisco IOS XR ACL is specifically designed to block attack traffic and should be applied to all IPv4 interfaces of the device and should include topology-specific filters:
ipv4 access-list ios-xr-transit-acl 10 deny icmp any any echo 20 deny icmp any any information-request 30 deny icmp any any timestamp-request 40 deny icmp any any mask-request 50 deny tcp any any eq 465 60 deny 103 any any 70 deny 113 any any 80 permit ip any any interface POS 0/2/0/ ipv4 access-group ios-xr-transit-acl ingress
Information about configuring access lists on Cisco IOS XR is available at http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.2/addr_serv/command/reference/ir32acl.html.
Infrastructure ACLs
Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The ACL example shown below should be included as part of the deployed infrastructure access list which will protect all devices with IP addresses in the infrastructure IP address range.
Cisco IOS
access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES echo access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES information-request access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES timestamp-request access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES mask-request access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES eq 465 access-list 150 deny 103 any INFRASTRUCTURE_ADDRESSES access-list 150 deny 113 any INFRASTRUCTURE_ADDRESSES access-list 150 permit ip any any interface serial 2/0 ip access-group 150 in
Cisco IOS XR
ipv4 access-list ios-xr-infrastructure-acl 10 deny icmp any INFRASTRUCTURE_ADDRESSES echo 20 deny icmp any INFRASTRUCTURE_ADDRESSES information-request 30 deny icmp any INFRASTRUCTURE_ADDRESSES timestamp-request 40 deny icmp any INFRASTRUCTURE_ADDRESSES mask-request 50 deny tcp any INFRASTRUCTURE_ADDRESSES eq 465 60 deny 103 any INFRASTRUCTURE_ADDRESSES 70 deny 113 any INFRASTRUCTURE_ADDRESSES 80 permit ip any any interface POS 0/2/0/2 ipv4 access-group ios-xr-infrastructure-acl ingress
The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists and is available at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml.
Information about configuring access lists on Cisco IOS XR is available at http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.2/addr_serv/command/reference/ir32acl.html.
Receive ACLs
For distributed platforms, receive ACLs may be an option starting in Cisco IOS Software Versions 12.0(21)S2 for the 12000 (GSR), 12.0(24)S for the 7500, and 12.0(31)S for the 10720. The receive ACL protects the device from harmful traffic before the traffic can impact the route processor. A receive ACL is designed to protect only the device on which it is configured. On the 12000, 7500, and 10720, transit traffic is never affected by a receive ACL. Because of this, the destination IP address "any" used in the example ACL entries below only refer to the router's own physical or virtual IP addresses. Receive ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability.
The white paper entitled "GSR: Receive Access Control Lists" will help you identify and allow legitimate traffic to your device and deny all unwanted packets and is available at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a0a5e.shtml
The following receive path ACL is designed specifically to block this attack traffic:
access-list 101 deny icmp any any echo access-list 101 deny icmp any any information-request access-list 101 deny icmp any any timestamp-request access-list 101 deny icmp any any mask-request access-list 101 deny tcp any any eq 465 access-list 101 deny 103 any any access-list 101 deny 113 any any access-list 101 permit ip any any ! ip receive access-list 101
Control Plane Policing
The Control Plane Policing (CoPP) feature may be used to mitigate this vulnerability. In the following example, any packets that can exploit the vulnerability are denied while all other IP traffic is permitted. Because of the way routers process packets with IP options, CoPP will be applied to attack packets destined for the router itself and packets transiting through the router to other destination IP addresses. This applies to all platforms except the 12000 where only attack packets destined for the router itself will be dropped.
access-list 100 permit icmp any any echo access-list 100 permit icmp any any information-request access-list 100 permit icmp any any timestamp-request access-list 100 permit icmp any any mask-request access-list 100 permit tcp any any eq 465 access-list 100 permit 103 any any access-list 100 permit 113 any any access-list 100 deny ip any any ! class-map match-all drop-options-class match access-group 100 ! ! policy-map drop-options-policy class drop-options-class drop ! control-plane service-policy input drop-options-policy
Please note that in the 12.0S, 12.2S, and 12.2SX Cisco IOS trains, the policy-map syntax is different:
policy-map drop-options-policy class drop-options-class police 32000 1500 1500 conform-action drop exceed-action drop
Because of the way routers process packets with IP options, CoPP will be applied to attack packets destined for the router itself and packets transiting through the router to other destination IP addresses. In the following example, only packets with IP options that can exploit the vulnerability and that are destined for the router or that transit through the router are denied while all other IP traffic is permitted.
ip access-list extended drop-affected-options permit icmp any any echo option any-options permit icmp any any information-request option any-options permit icmp any any timestamp-request option any-options permit icmp any any mask-request option any-options permit pim any any option any-options permit 113 any any option any-options permit tcp any any eq 465 option any-options deny ip any any ! class-map match-all drop-options-class match access-group name drop-affected-options ! ! policy-map drop-opt-policy class drop-options-class drop ! control-plane service-policy input drop-opt-policy
Please note that in the 12.2S Cisco IOS train, the policy-map syntax is different:
policy-map drop-opt-policy class drop-options-class police 32000 1500 1500 conform-action drop exceed-action drop
CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T.
ACL support for filtering IP options requires named ACLs. ACL support for filtering IP options is not available in 12.0S or 12.2SX.
Please note that PGM packets typically use the "Router Alert" Option, and dropping PGM packets with IP options will affect legitimate PGM packets.
In the above CoPP examples, the ACL entries that match the exploit packets with the "permit" action result in these packets being discarded by the policy-map drop function, while packets that match the "deny" action are not affected by the policy-map drop function.
Additional information on the configuration and use of the CoPP feature can be found at http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html and http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html.
Additional information for filtering IP Options with access lists can be found at http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_create_IP_al_ps6350_TSD_Products_Configuration_Guide_Chapter.html.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).
For more information on the terms "Rebuild" and "Maintenance," consult the following URL: http://www.cisco.com/web/about/security/intelligence/ios-ref.html.
Note: There are three IOS security advisories and one field notice being published on January 24, 2007. Each advisory lists only the releases which fix the issue described in the advisory. A combined software table is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070124-bundle and can be used to choose a software release which fixes all security vulnerabilities published as of January 24, 2007. Links for the advisories and field notice are listed here.
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070124-IOS-IPv6
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070124-crafted-tcp
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070124-crafted-ip-option
- http://www.cisco.com/warp/public/770/fn62613.shtml
Requests for software rebuilds to include the change for Daylight Savings Time (DST) that will be implemented in March 2007 should be directed through the Technical Assistance Center (TAC), and this advisory should be used as reference.
Major Release
Availability of Repaired Releases
Affected 12.0-Based Release
Rebuild
Maintenance
12.0
Vulnerable; migrate to 12.2(37)or later
12.0DA
Vulnerable; migrate to 12.2(10)DA5 or later
12.0DB
Vulnerable; migrate to 12.3(4)T13 or later
12.0DC
Vulnerable; migrate to 12.3(4)T13 or later
12.0S
12.0(27)S3
12.0(28)S
12.0SC
Vulnerable; migrate to 12.3(9a)BC or later
12.0SL
Vulnerable; migrate to 12.0(28)S or later
12.0SP
Vulnerable; migrate to 12.0(28)S or later
12.0ST
Vulnerable; migrate to 12.0(28)S or later
12.0SX
12.0(25)SX11
12.0(30)SX
12.0SY
12.0(27)SY
12.0SZ
12.0(30)SZ
12.0T
Vulnerable; migrate to 12.2(37)or later
12.0W
12.0(28)W5(32b)
12.0WC
12.0(5)WC15
12.0WT
Vulnerable; contact TAC
12.0XA
Vulnerable; migrate to 12.2(37)or later
12.0XB
Vulnerable; migrate to 12.2(37)or later
12.0XC
Vulnerable; migrate to 12.2(37)or later
12.0XD
Vulnerable; migrate to 12.2(37)or later
12.0XE
Vulnerable; migrate to 12.1(23)E or later
12.0XF
Not vulnerable
12.0XG
Vulnerable; migrate to 12.2(37)or later
12.0XH
Vulnerable; migrate to 12.2(37)or later
12.0XI
Vulnerable; migrate to 12.2(37)or later
12.0XJ
Vulnerable; migrate to 12.2(37)or later
12.0XK
Vulnerable; migrate to 12.2(37)or later
12.0XL
Vulnerable; migrate to 12.2(37)or later
12.0XM
Vulnerable; migrate to 12.2(37)or later
12.0XN
Vulnerable; migrate to 12.2(37)or later
12.0XQ
Vulnerable; migrate to 12.2(37)or later
12.0XR
Vulnerable; migrate to 12.2(37)or later
12.0XS
Vulnerable; migrate to 12.1(23)E or later
12.0XV
Vulnerable; migrate to 12.2(37)or later
12.0XW
Vulnerable; migrate to 12.0(5)WC15 or later
Affected 12.1-Based Release
Rebuild
Maintenance
12.1
Vulnerable; migrate to 12.2(37)or later
12.1AA
Vulnerable; migrate to 12.2(37)or later
12.1AX
Vulnerable; for c3750-ME, migrate to 12.2(25)EY or later. For c2970 and 3750, migrate to 12.2(25)SE or later.
12.1AY
Vulnerable; migrate to 12.1(22)EA8
12.1AZ
Vulnerable; migrate to 12.1(22)EA8
12.1CX
Vulnerable; migrate to 12.2(37)or later
12.1DA
Vulnerable; migrate to 12.2(10)DA5 or later
12.1DB
Vulnerable; migrate to 12.3(4)T13 or later
12.1DC
Vulnerable; migrate to 12.3(4)T13 or later
12.1E
12.1(23)E
12.1EA
12.1(22)EA8
12.1EB
12.1(23)EB
12.1EC
Vulnerable; migrate to 12.3(9a)BC or later
12.1EO
12.1(19)EO6
12.1(20)EO3
12.1EU
Vulnerable; migrate to 12.2(25)EWA or later
12.1EV
Vulnerable; migrate to 12.2(26)SV1 or later
12.1EW
Vulnerable; migrate to 12.2(18)EW3 or later
12.1EX
Vulnerable; migrate to 12.1(23)E or later
12.1EY
Vulnerable; migrate to 12.1(23)E or later
12.1EZ
Vulnerable; migrate to 12.1(23)E or later
12.1T
Vulnerable; migrate to 12.2(37)or later
12.1XA
Vulnerable; migrate to 12.2(37)or later
12.1XB
Vulnerable; migrate to 12.2(37)or later
12.1XC
Vulnerable; migrate to 12.2(37)or later
12.1XD
Vulnerable; migrate to 12.2(37)or later
12.1XE
Vulnerable; migrate to 12.1(23)E or later
12.1XF
Vulnerable; migrate to 12.3(8) or later
12.1XG
Vulnerable; migrate to 12.3(8) or later
12.1XH
Vulnerable; migrate to 12.2(37)or later
12.1XI
Vulnerable; migrate to 12.2(37)or later
12.1XJ
Vulnerable; migrate to 12.3(8) or later
12.1XL
Vulnerable; migrate to 12.3(8) or later
12.1XM
Vulnerable; migrate to 12.3(8) or later
12.1XP
Vulnerable; migrate to 12.3(8) or later
12.1XQ
Vulnerable; migrate to 12.3(8) or later
12.1XR
Vulnerable; migrate to 12.3(8) or later
12.1XS
Vulnerable; migrate to 12.2(37)or later
12.1XT
Vulnerable; migrate to 12.3(8) or later
12.1XU
Vulnerable; migrate to 12.3(8) or later
12.1XV
Vulnerable; migrate to 12.3(8) or later
12.1XW
Vulnerable; migrate to 12.2(37)or later
12.1XX
Vulnerable; migrate to 12.2(37)or later
12.1XY
Vulnerable; migrate to 12.2(37)or later
12.1XZ
Vulnerable; migrate to 12.2(37)or later
12.1YA
Vulnerable; migrate to 12.3(8) or later
12.1YB
Vulnerable; migrate to 12.3(8) or later
12.1YC
Vulnerable; migrate to 12.3(8) or later
12.1YD
Vulnerable; migrate to 12.3(8) or later
12.1YE
Vulnerable; migrate to 12.3(8) or later
12.1YF
Vulnerable; migrate to 12.3(8) or later
12.1YH
Vulnerable; migrate to 12.3(8) or later
12.1YI
Vulnerable; migrate to 12.3(8) or later
12.1YJ
Vulnerable; migrate to 12.1(22)EA8
Affected 12.2-Based Release
Rebuild
Maintenance
12.2
12.2(34a)
12.2(37)
12.2B
Vulnerable; migrate to 12.3(4)T13 or later
12.2BC
Vulnerable; migrate to 12.3(9a)BC or later
12.2BW
Vulnerable; migrate to 12.3(8) or later
12.2BY
Vulnerable; migrate to 12.3(4)T13 or later
12.2BZ
Vulnerable; migrate to 12.3(7)XI8 or later
12.2CX
Vulnerable; migrate to 12.3(9a)BC or later
12.2CY
Vulnerable; migrate to 12.3(9a)BC or later
12.2CZ
Vulnerable; contact TAC
12.2DA
12.2(10)DA5
12.2(12)DA10
12.2DD
Vulnerable; migrate to 12.3(4)T13 or later
12.2DX
Vulnerable; migrate to 12.3(4)T13 or later
12.2EU
Vulnerable; migrate to 12.2(25)EWA5 or later
12.2EW
12.2(18)EW3
12.2(20)EW4
12.2(25)EW
12.2EWA
12.2(20)EWA4
12.2(25)EWA
12.2EX
12.2(25)EX
12.2EY
All 12.2EY releases are fixed
12.2EZ
All 12.2EZ releases are fixed
12.2FX
All 12.2FX releases are fixed
12.2FY
All 12.2FY releases are fixed
12.2FZ
All 12.2FZ releases are fixed
12.2IXA
All 12.2IXA releases are fixed
12.2IXB
All 12.2IXB releases are fixed
12.2IXC
All 12.2IXC releases are fixed
12.2JA
Vulnerable; migrate to 12.3(8)JA or later
12.2JK
Vulnerable; migrate to 12.4(4)T or later
12.2MB
Vulnerable; migrate to 12.2(25)SW1 or later
12.2MC
12.2(15)MC2h
12.2S
12.2(25)S
12.2SB
12.2(28)SB
12.2SBC
All 12.2SBC releases are fixed
12.2SE
12.2(25)SE
12.2SEA
All 12.2SEA releases are fixed
12.2SEB
All 12.2SEB releases are fixed
12.2SEC
All 12.2SEC releases are fixed
12.2SED
All 12.2SED releases are fixed
12.2SEE
All 12.2SEE releases are fixed
12.2SEF
All 12.2SEF releases are fixed
12.2SEG
All 12.2SEG releases are fixed
12.2SG
All 12.2SG releases are fixed
12.2SGA
All 12.2SGA releases are fixed
12.2SO
12.2(18)SO7
12.2SRA
All 12.2SRA releases are fixed
12.2SRB
All 12.2SRB releases are fixed
12.2SU
Vulnerable; migrate to 12.3(14)T or later
12.2SV
12.2(23)SV
12.2SW
12.2(25)SW1
12.2SX
Vulnerable; migrate to 12.2(17d)SXB11a or later
12.2SXA
Vulnerable; migrate to 12.2(17d)SXB11a or later
12.2SXB
12.2(17d)SXB11a
12.2SXD
12.2(18)SXD7a
12.2SXE
All 12.2SXE releases are fixed
12.2SXF
All 12.2SXF releases are fixed
12.2SY
Vulnerable; migrate to 12.2(17d)SXB11a or later
12.2SZ
Vulnerable; migrate to 12.2(25)S or later
12.2T
Vulnerable; migrate to 12.3(8) or later
12.2TPC
Vulnerable; contact TAC
12.2XA
Vulnerable; migrate to 12.3(8) or later
12.2XB
Vulnerable; migrate to 12.3(8) or later
12.2XC
Vulnerable; migrate to 12.3(8)T or later
12.2XD
Vulnerable; migrate to 12.3(8) or later
12.2XE
Vulnerable; migrate to 12.3(8) or later
12.2XF
Vulnerable; migrate to 12.3(9a)BC or later
12.2XG
Vulnerable; migrate to 12.3(8) or later
12.2XH
Vulnerable; migrate to 12.3(8) or later
12.2XI
Vulnerable; migrate to 12.3(8) or later
12.2XJ
Vulnerable; migrate to 12.3(8) or later
12.2XK
Vulnerable; migrate to 12.3(8) or later
12.2XL
Vulnerable; migrate to 12.3(8) or later
12.2XM
Vulnerable; migrate to 12.3(8) or later
12.2XN
Vulnerable; migrate to 12.3(8) or later
12.2XQ
Vulnerable; migrate to 12.3(8) or later
12.2XR
Vulnerable; migrate to 12.3(8) or later
12.2XS
Vulnerable; migrate to 12.3(8) or later
12.2XT
Vulnerable; migrate to 12.3(8) or later
12.2XU
Vulnerable; migrate to 12.3(12) or later
12.2XV
Vulnerable; migrate to 12.3(8) or later
12.2XW
Vulnerable; migrate to 12.3(8) or later
12.2YA
Vulnerable; migrate to 12.3(8) or later
12.2YB
Vulnerable; migrate to 12.3(8) or later
12.2YC
Vulnerable; migrate to 12.3(8) or later
12.2YD
Vulnerable; migrate to 12.3(8)T or later
12.2YE
Vulnerable; migrate to 12.2(25)S or later
12.2YF
Vulnerable; migrate to 12.3(8) or later
12.2YG
Vulnerable; migrate to 12.3(8) or later
12.2YH
Vulnerable; migrate to 12.3(8) or later
12.2YJ
Vulnerable; migrate to 12.3(8) or later
12.2YK
Vulnerable; migrate to 12.3(8)T or later
12.2YL
Vulnerable; migrate to 12.3(8)T or later
12.2YM
Vulnerable; migrate to 12.3(8)T or later
12.2YN
Vulnerable; migrate to 12.3(8)T or later
12.2YO
Not vulnerable
12.2YP
Vulnerable; migrate to 12.3(8) or later
12.2YQ
Vulnerable; migrate to 12.3(4)T13 or later
12.2YR
Vulnerable; migrate to 12.3(4)T13 or later
12.2YS
Vulnerable; migrate to 12.3(8)T or later
12.2YT
Vulnerable; migrate to 12.3(8) or later
12.2YU
Vulnerable; migrate to 12.3(8)T or later
12.2YV
Vulnerable; migrate to 12.3(4)T13 or later
12.2YW
Vulnerable; migrate to 12.3(8)T or later
12.2YX
Vulnerable; migrate to 12.3(14)T or later
12.2YY
Vulnerable; migrate to 12.3(4)T13 or later
12.2YZ
Vulnerable; migrate to 12.2(25)S or later
12.2ZA
Vulnerable; migrate to 12.2(17d)SXBa or later
12.2ZB
Vulnerable; migrate to 12.3(8)T or later
12.2ZC
Vulnerable; migrate to 12.3(8)T or later
12.2ZD
Vulnerable; contact TAC
12.2ZE
Vulnerable; migrate to 12.3(8) or laer
12.2ZF
Vulnerable; migrate to 12.3(4)T13 or later
12.2ZG
Vulnerable; for SOHO9x, migrate to 12.3(8)YG2 or later. For c83x, migrate to 12.3(2)XA3 or later
12.2ZH
Vulnerable; contact TAC
12.2ZJ
Vulnerable; migrate to 12.3(8)T or later
12.2ZL
Vulnerable; contact TAC
12.2ZN
Vulnerable; migrate to 12.3(4)T13 or later
12.2ZP
Vulnerable; migrate to 12.3(8)XY or later
Affected 12.3-Based Release
Rebuild
Maintenance
12.3
12.3(8)
12.3B
Vulnerable; migrate to 12.3(8)T7 or later
12.3BC
12.3(9a)BC
12.3BW
Vulnerable; migrate to 12.3(8)T or later
12.3JA
12.3(8)JA
12.3JEA
All 12.3JEA releases are fixed
12.3JEB
All 12.3JEA releases are fixed
12.3JK
12.3(2)JK2
12.3(8)JK
12.3JL
12.3(2)JL
12.3JX
12.3(7)JX6
12.3(11)JX
12.3T
12.3(4)T13
12.3(8)T
Limited platform support is available: Contact TAC
Please migrate to 12.4(1) or later
12.3TPC
12.3(4)TPC11b
12.3XA
12.3(2)XA6
12.3XB
Vulnerable; migrate to 12.3(8)T or later
12.3XC
Vulnerable; contact TAC
12.3XD
Vulnerable; migrate to 12.3(8)T7 or later
12.3XE
Vulnerable; contact TAC
12.3XF
Vulnerable; migrate to 12.3(11)T or later
12.3XG
Vulnerable; contact TAC
12.3XH
Vulnerable; migrate to 12.3(11)T or later
12.3XI
12.3(7)XI8
12.3XJ
Vulnerable; migrate to 12.3(8)XW or later
12.3XK
Vulnerable; migrate to 12.3(14)T or later
12.3XQ
Vulnerable; migrate to 12.4(1) or later
12.3XR
All 12.3XR releases are fixed
12.3XS
All 12.3XS releases are fixed
12.3XU
All 12.3XU releases are fixed
12.3XW
All 12.3XW releases are fixed
12.3XX
All 12.3XX releases are fixed
12.3XY
All 12.3XR releases are fixed
12.3YA
All 12.3YA releases are fixed
12.3YD
All 12.3YD releases are fixed
12.3YF
All 12.3YF releases are fixed
12.3YG
All 12.3YG releases are fixed
12.3YH
All 12.3YH releases are fixed
12.3YI
All 12.3YI releases are fixed
12.3YJ
All 12.3YJ releases are fixed
12.3YK
All 12.3YK releases are fixed
12.3YM
All 12.3YM releases are fixed
12.3YQ
All 12.3YQ releases are fixed
12.3YS
All 12.3YS releases are fixed
12.3YT
All 12.3YT releases are fixed
12.3YU
All 12.3YU releases are fixed
12.3YX
All 12.3YX releases are fixed
12.3YZ
All 12.3YZ releases are fixed
Affected 12.4-Based Release
Rebuild
Maintenance
All 12.4 releases are fixed
Cisco IOS XR Version
SMU ID
Package Installation Envelopes
3.2.2 for CRS-1
AA01482
hfr-base-3.2.2.CSCeh52410.pie
3.2.3 for CRS-1
AA01483
hfr-base-3.2.3.CSCeh52410.pie
3.2.4 for CRS-1
AA01484
hfr-base-3.2.4.CSCeh52410.pie
3.2.6 for CRS-1
AA01727
hfr-base-3.2.6.CSCeh52410.pie
3.3.x for CRS-1 and XR12000
Fixed
3.4.x for CRS-1 and XR12000
Fixed
IOS XR Package Installation Envelopes (PIE) can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/iosxr-smu?sort=release ( registered customers only) . Installation instructions are included in the accompanying .txt files.
-
In December of 2008, FX of Phenoelit delivered a presentation at the Chaos Communication Congress entitled 'Cisco IOS attack and defense,' during which he asserted he had devised an exploit that takes advantage of this vulnerability. No new vulnerabilities were disclosed during FX's presentation at the 2008 Chaos Communication Congress.
http://events.ccc.de/congress/2008/Fahrplan/events/2816.en.html
Cisco is not aware of any malicious exploitation of this vulnerability.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show LessRevision 1.5
2009-January-09
Updated the Exploitation and Public Announcements section to reflect information learned at the Dec 2008 Chaos Communication Conference
Revision 1.4
2007-April-22
Updates to the the Workarounds > Receive ACLs section. Updated 12.1EO and 12.2BC entries in the Software Version and Fixes table and added new entry 12.3JL.
Revision 1.3
2007-February-02
Updated 12.0W and 12.1EO entries in the Software Version and Fixes table.
Revision 1.2
2007-January-27
Updated Cisco IOS software table.
Revision 1.1
2007-January-25
In the Software Version and Fixes section, added Package Installation Envelopes information to the Cisco IOS XR Version table.
Revision 1.0
2007-January-24
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.