Cisco Security Advisory
Click Icon to Copy Verbose Score
AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
-
A vulnerability in the parsing of malformed IP version 6 (IPv6) packets in Cisco IOS XR Software for Cisco Network Convergence System 6000 (NCS 6000) and Cisco Carrier Routing System (CRS-X) could allow an unauthenticated, remote attacker to cause a reload of a line card that is processing traffic.
The vulnerability is due to improper processing of malformed IPv6 packets carrying extension headers. An attacker could exploit this vulnerability by sending a malformed IPv6 packet, carrying extension headers, through an affected Cisco IOS XR device line card. An exploit could allow the attacker to cause a reload of the line card on the affected Cisco IOS XR device.
Cisco has released software updates that address this vulnerability.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150220-ipv6
-
Vulnerable Products
Cisco Network Convergence System 6000 (NCS 6000) and Cisco Carrier Routing System X (CRS-X) running an affected version of Cisco IOS XR Software are affected by this vulnerability.
All flavors of Cisco CRS-X line cards are affected by this vulnerability, including Cisco CRS-X 400-Gbps Modular Services Card (MSC-X) and Cisco CRS-X 400-Gbps Forwarding Processor Cards (FP-X).
Consult the "Software Versions and Fixes" section of this advisory for the details of affected releases.
A device running an affected version of Cisco IOS XR Software release that has IPv6 enabled will display interfaces with assigned IPv6 addresses when the show ipv6 interface brief command is issued.
The show ipv6 interface brief command will produce an error message if the running version of Cisco IOS XR Software does not support IPv6, or will not show any interfaces with IPv6 addresses if IPv6 is disabled. The system is not vulnerable in either scenario.
The following example shows the output from the show ipv6 interface brief command issued on a device running Cisco IOS XR Software with IPv6 enabled:
The IPv6 protocol is enabled if the interface configuration command ipv6 enable is present in the configuration. The following examples show a vulnerable configuration:RP/0/RP0/CPU0:router# show ipv6 interface brief
<!output omitted> GigabitEthernet0/2/0/0 [Up/Up]
fe80::212:daff:fe62:c150
202::1
RP/0/RP0/CPU0:router(config)# interface GigabitEthernet0/2/0/0
RP/0/RP0/CPU0:router(config-if)# ipv6 enable
To determine the Cisco IOS XR Software release and the exact name of the product on which it runs, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS XR Software by displaying "Cisco IOS XR Software" or similar text.
The location and name of the system image file currently running on the router are displayed under the "System image file is" text. The hardware product is indicated in the line following the name of the system image file.
The following example identifies a Cisco product that is running Cisco IOS XR Software Release 4.1.0 with an installed image name of mbihfr-rp.vm:
RP/0/RP0/CPU0:router# show version
Mon May 31 02:14:12.722 DST
Cisco IOS XR Software, Version 4.1.0
Copyright (c) 2010 by Cisco Systems, Inc.
ROM: System Bootstrap, Version 2.100(20100129:213223) [CRS-1 ROMMON],
router uptime is 1 week, 6 days, 4 hours, 22 minutes
System image file is "bootflash:disk0/hfr-os-mbi-4.1.0/mbihfr-rp.vm"
cisco CRS-8/S (7457) processor with 4194304K bytes of memory.
7457 processor at 1197Mhz, Revision 1.2Products Confirmed Not Vulnerable
Only the following products are affected by this vulnerability:
- Cisco NCS 6000
- All flavors of Cisco CRS-X line cards, including Cisco CRS-X Modular Services Card (MSC-X) and Cisco CRS-X 400-Gbps Forwarding Processor Cards (FP-X).
Cisco 12000 Series Routers, Cisco ASR 9000 Series Aggregation Services Routers, Cisco Carrier Routing System 1 (CRS-1) or Cisco Carrier Routing System 3 (CRS-3) running Cisco IOS XR Software are not affected by this vulnerability.
No other Cisco products are currently known to be affected by this vulnerability.
-
A vulnerability in the parsing of malformed IP version 6 (IPv6) packets in Cisco IOS XR Software for Cisco Network Convergence System 6000 (NCS 6000) and Cisco Carrier Routing System (CRS-X) could allow an unauthenticated, remote attacker to cause a reload of a line card that is processing traffic.
The vulnerability is due to improper processing of malformed IPv6 packets carrying extension headers. An attacker could exploit this vulnerability by sending a malformed IPv6 packet, carrying extension headers, through an affected Cisco IOS XR device line card. An exploit could allow the attacker to cause a reload of the line card on the affected Cisco IOS XR device.
This vulnerability could be exploited repeatedly to cause an extended DoS condition.
A device is vulnerable only if it is configured to process IPv6 traffic passing through the device.
This vulnerability can be exploited using only IPv6 packets. A crafted IPv6 packet carrying extension headers can trigger the vulnerability.
This vulnerability can only be triggered by the traffic transiting an affected device. IPv4 traffic, or IPv6 traffic destined to an affected device cannot be used to exploit this vulnerability on an affected device.
While certain intermediate devices may block malformed IPv6 packets, the possibility still exists for a malformed packet to originate from a remote network and exploit this vulnerability on an affected device.
This vulnerability has been documented in Cisco bug ID CSCuq95241 (registered customers only) and has been assigned the Common Vulnerabilities and Exposures (CVE) CVE-2015-0618.
-
There are no workarounds that address this vulnerability.
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Cisco IOS XR release version 5.2.3 for Cisco NCS 6000 is not affected by this vulnerability. All other releases of Cisco IOS XR for Cisco NCS 6000 are affected by this vulnerability.
Cisco IOS XR release version 5.3.0 for CRS-X is not affected by this vulnerability. All other releases of Cisco IOS XR for CRS-X that have a support for Cisco CRS-X line cards, including Cisco CRS-X 400-Gbps Modular Service Card (MSC-X) and Cisco CRS-X 400-Gbps Forwarding Processor Cards (FP-X) are affected by this vulnerability.
This vulnerability is corrected in the following Cisco IOS XR Software software maintenance updates (SMUs):
ncs6k-5.0.1.CSCuq95241.smu for version 5.0.1 for NCS 6000
ncs6k-5.2.1.CSCuq95241.smu for version 5.2.1 for NCS 6000
hfr-px-5.1.1.CSCus54167.pie for versions 5.1.1 for CRS-X
hfr-px-5.1.2.CSCus54167.pie for versions 5.1.2 for CRS-X
hfr-px-5.1.3.CSCuq95241.pie for version 5.1.3 for CRS-X
hfr-px-5.1.4.CSCuq95241.pie for version 5.1.4 for CRS-X
Note: Cisco IOS XR Software SMUs for additional versions will be published when available.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
This vulnerability was discovered during internal testing.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show LessRevision 1.1 2015-February-24 Software Versions and Fixes updated Revision 1.0 2015-February-20 Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.