Cisco IOS Software Multicast Source Discovery Protocol Vulnerability

Available Languages

Updated:July 10, 2015
Document ID:1454784889320859

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Cisco Security Advisory

Cisco IOS Software Multicast Source Discovery Protocol Vulnerability

High
Advisory ID:
cisco-sa-20120328-msdp
First Published:
2012 March 28 16:00 GMT
Version 1.0:
Final
Workarounds:
See below
Cisco Bug IDs:
CSCtr28857
CVE-2012-0382
CVSS Score:
Base 7.1, Temporal 5.9Click Icon to Copy Verbose Score
AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE-2012-0382

Summary

  • A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition.
     
    Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp

    Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.

    Individual publication links are in "Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication" at the following link:

    http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html


Affected Products

  • Vulnerable Products

    The following products are affected by this vulnerability:
    • Cisco IOS Software
    • Cisco IOS XE Software
    To determine whether a Cisco IOS or Cisco IOS XE Software release is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

    The following example identifies a Cisco product that is running Cisco IOS Software Release 12.4(20)T with an installed image name of C1841-ADVENTERPRISEK9-M:
    Router#show version
    
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
    Additional information about Cisco IOS Software release naming conventions is available in the White Paper: Cisco IOS and NX-OS Software Reference Guide

    Products Confirmed Not Vulnerable

    Cisco IOS XR Software is not affected by this vulnerability. No other Cisco products are currently known to be affected by this vulnerability.

Details

  • MSDP is the protocol used to connect multiple Protocol Independent Multicast sparse mode (PIM-SM) domains. MSDP allows multicast sources for a group to be known to all rendezvous points (RPs) in different domains.  An RP runs MSDP over TCP to discover multicast sources.

    An RP in a PIM-SM domain has an MSDP peering relationship with MSDP-enabled routers in another domain. The peering relationship occurs over a TCP connection, where primarily a list of sources sending to multicast groups is exchanged. The TCP connections between RPs are achieved by the underlying routing system. The receiving RP uses the source lists to establish a source path.

    The purpose of this topology is to have domains discover multicast sources in other domains. If the multicast sources are of interest to a domain that has receivers, multicast data is delivered over the normal, source-tree building mechanism in PIM-SM.

    An MSDP packet containing encapsulated Internet Group Management Protocol (IGMP) data, received from an external MSDP-configured peer router, can cause an affected device to reload. This vulnerability can only be exploited if the router is explicitly joined to the multicast group. The MSDP packet destination address is a unicast address and can be addressed to any IP address on the affected device, including loopback addresses.

    Transit traffic will not trigger this vulnerability.

    A vulnerable interface configuration contains an explicitly joined multicast group. Some example configurations that permit exploitation of this vulnerability are:


    !--- Interface configured for SAP Listener Support (a common multicast group)

    interface GigabitEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip pim sparse-mode
ip sap listen

    !--- Interface configured to join a multicast group

    interface GigabitEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip pim sparse-mode
ip igmp join-group 224.2.127.254

    You can also use the show igmp interface command to determine if an interface is joined to a multicast group.

    RouterA#show ip igmp interface 
    GigabitEthernet0/0 is up, line protocol is up
      Internet address is 192.168.0.1/24
      IGMP is enabled on interface
      Current IGMP host version is 2
      Current IGMP router version is 2
      IGMP query interval is 60 seconds
      IGMP querier timeout is 120 seconds
      IGMP max query response time is 10 seconds
      Last member query count is 2
      Last member query response interval is 1000 ms
      Inbound IGMP access group is not set
      IGMP activity: 2 joins, 0 leaves
      Multicast routing is disabled on interface
      Multicast TTL threshold is 0
      Multicast groups joined by this system (number of users):
          224.2.127.254(2)  239.255.255.255(1)

    This vulnerability is documented in Cisco bug ID CSCtr28857 (registered customers only). This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-0382.

Workarounds

  • Customers with an MSDP-configured router who do not require membership to multicast groups can remove the ip sap listen or ip igmp join-group <multicast-group address> commands on the router interface as a workaround.

    For example:

      RouterA#conf t
        RouterA(config)# interface GigabitEthernet0/0
        RouterA(config-if)# no ip sap listen
        RouterA(config-if)# no ip igmp join-group 224.2.127.254


      interface GigabitEthernet0/0
      ip address 192.168.0.1 255.255.255.0
      ip pim sparse-mode

    To determine if a router is configured for MSDP peers, run the command show ip msdp peer at the router command prompt:

    RouterA# show ip msdp peer
    MSDP Peer 192.168.0.2 (?), AS 100
      Connection status:
        State: Up, Resets: 0, Connection source: none configured
        Uptime(Downtime): 01:23:42, Messages sent/received: 25/24
        Output messages discarded: 0
        Connection and counters cleared 01:15:14 ago
      SA Filtering:
        Input (S,G) filter: none, route-map: none
        Input RP filter: none, route-map: none
        Output (S,G) filter: none, route-map: none
        Output RP filter: none, route-map: none
      SA-Requests:
        Input filter: none
      Peer ttl threshold: 0
      SAs learned from this peer: 0
        Input queue size: 0, Output queue size: 0
      Message counters:
        RPF Failure count: 0
        SA Messages in/out: 13/8
        SA Requests in: 0
        SA Responses out: 0    
        Data Packets in/out: 7/8
    To remove an untrusted MSDP peer from your configuration, use the no ip msdp peer <address> or ip msdp default-peer <ip-address | name> command on the router configuration interface.

    RouterA(config)# no ip msdp peer 192.168.0.2 
    interface GigabitEthernet0/0
     ip address 192.168.0.1 255.255.255.0
     ip pim sparse-mode

Fixed Software

Exploitation and Public Announcements

  • The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

    This vulnerability was found during the troubleshooting of customer service requests.

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Related to This Advisory

URL

Revision History

  • Revision 1.0 2012-March-28 Initial public release
    Show Less

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Related to This Advisory