AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
-
A vulnerability within the virtual routing and forwarding (VRF) subsystem of Cisco IOS software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability is due to a failure to properly process malicious ICMP version 4 (ICMPv4) messages received on a VRF-enabled interface. An attacker could exploit this vulnerability by submitting ICMPv4 messages designed to trigger the vulnerability on an affected device. When the ICMPv4 messages are processed, the packet queue of the affected interface may not be cleared, leading to a queue wedge. When a wedge occurs, the affected device will stop processing any additional packets received on the wedged interface.
Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-wedge
Note: The March 25, 2015, Cisco IOS & XE Software Security Advisory bundled publication includes seven Cisco Security Advisories. The advisories address vulnerabilities in Cisco IOS Software and Cisco IOS XE Software. Individual publication links are in Cisco Event Response: Semiannual Cisco IOS & XE Software Security Advisory Bundled Publication at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar15.html
-
Vulnerable Products
Only devices with specific configurations are affected. Cisco devices that are running affected Cisco IOS Software versions are vulnerable when one or more interfaces (physical or virtual) are assigned to a VRF.
To determine whether an interface on a device is enabled for VRF, use the show vrf exec CLI command. If the device is not configured for VRF, there will be no output to indicate that VRF is enabled. In the following example, VRF is not enabled on any interface:
Router#show vrf
Router#
If the device is configured for VRF, the output will indicate that VRF is enabled and identify the device interfaces on which it has been enabled, as shown in the following example:
Router#show vrf
  Name                             Default RD          Protocols   Interfaces
  VRF-01                           <not-set>           ipv4        Gi0/0
If the preceding output is returned but no interfaces are assigned, VRF may be configured but is not enabled on an interface. The output in this situation is shown in the following example:
Router#show vrf
  Name                             Default RD          Protocols   Interfaces
  VRF-01                           <not-set>           ipv4
Only IPv4 traffic directed to the device will trigger the vulnerability.
To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software". The image name displays in parentheses, followed by the Cisco IOS Software release number and release name. Other Cisco devices do not have the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.2(4)M5 with an installed image name of C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.2(4)M5, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Fri 13-Sep-13 16:44 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming conventions is available in White Paper: Cisco IOS and NX-OS Software Reference Guide.
Products Confirmed Not Vulnerable
Cisco IOS-XE Software is not affected by this vulnerability.
Cisco IOS XR Software is not affected by this vulnerability.
Cisco NX-OS Software is not affected by this vulnerability.
No other Cisco products are currently known to be affected by this vulnerability.
-
Devices running Cisco IOS and configured to perform virtual routing and forwarding (VRF) are affected by a vulnerability that may be triggered during the processing of ICMP version 4 (ICMPv4) messages destined for the interface enabled for VRF. The vulnerability is due to a failure to properly process malicious ICMPv4 messages received on a VRF-enabled interface. When a malicious ICMP message enters the packet queue of the affected interface, it may fail to be properly processed or may not be cleared from the input queue, resulting in a queue wedge. When a wedge occurs, the affected device will stop processing any additional packets received on the wedged interface.
Queue wedges occur when certain packets are received and queued by a Cisco IOS router or switch but, due to a processing error, are never removed from the queue. Consult the "Workarounds" section of this advisory for more information about queue wedges and some detection mechanisms that may be used to identify a blocked interface in Cisco IOS Software. Also see the Cisco Security Blog Cisco IOS Queue Wedges Explained.
ICMP for IP version 4 (IPv4) messages transiting the device will not trigger this vulnerability; only packets terminating on an affected device can trigger the vulnerability.
This vulnerability has been documented in Cisco bug ID CSCsi02145 (registered customers only) and has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2015-0638.
-
There are no workarounds for this vulnerability, but the following identification mechanisms exist for this vulnerability:
Embedded Event Manager
A Cisco IOS Embedded Event Manager (EEM) policy that is based on Tool Command Language (Tcl) can be used on vulnerable Cisco IOS devices to identify and detect an interface queue wedge that is caused by this vulnerability. The policy allows administrators to monitor the interfaces of a Cisco IOS device and detect when the interface input queues are full. When Cisco IOS EEM detects potential exploitation of this vulnerability, the policy can trigger a response by sending an alert to the network administrator, who could then decide to implement an upgrade, implement suitable mitigations, or reload the device to clear the input queue.
The Tcl script is available for download at the "Cisco Beyond: Embedded Event Manager (EEM) Scripting Community" at the following link: https://supportforums.cisco.com/docs/DOC-19337
For additional information, see the Cisco Security Blog Cisco IOS Queue Wedges Explained.
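The EEM policy above is distributed by Cisco as a Tcl script; the following is an added example (not the advisory's or Cisco's code) of the same detection logic, written in Python for offline use against collected CLI output. It correlates the show vrf output described in the Vulnerable Products section with show interfaces input-queue counters to flag VRF-assigned interfaces whose input queue is full. The sample outputs are constructed; interface abbreviation matching (Gi0/0 vs. GigabitEthernet0/0) is an assumption made for this example.

```python
import re

# Constructed sample "show vrf" output (not from the advisory), in the
# Name / Default RD / Protocols / Interfaces layout shown above.
SHOW_VRF = """\
  Name                             Default RD          Protocols   Interfaces
  VRF-01                           <not-set>           ipv4        Gi0/0
  VRF-02                           <not-set>           ipv4
"""
# Constructed "show interfaces" excerpt (IOS size/max/drops/flushes layout); Gi0/0 is full.
SHOW_INTERFACES = """\
GigabitEthernet0/0 is up, line protocol is up
  Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0
GigabitEthernet0/1 is up, line protocol is up
  Input queue: 3/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""

def vrf_interfaces(show_vrf):
    """Map each VRF name to the abbreviated interface names assigned to it."""
    vrfs = {}
    for line in show_vrf.splitlines()[1:]:      # skip the header row
        cols = line.split()                     # Name, RD, Protocols, ifaces...
        if len(cols) >= 3:
            vrfs[cols[0]] = cols[3:]
    return vrfs

def input_queues(show_interfaces):
    """Map full interface name -> (size, max, drops, flushes) of its input queue."""
    queues, current = {}, None
    for line in show_interfaces.splitlines():
        head = re.match(r"^(\S+) is .*line protocol", line)
        q = re.search(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+)", line)
        if head:
            current = head.group(1)
        elif q and current:
            queues[current] = tuple(int(n) for n in q.groups())
    return queues

def same_interface(short, full):
    """True when 'Gi0/0' names 'GigabitEthernet0/0' (type prefix + same index)."""
    s = re.match(r"([A-Za-z-]+)(.*)", short)
    f = re.match(r"([A-Za-z-]+)(.*)", full)
    return f.group(1).lower().startswith(s.group(1).lower()) and s.group(2) == f.group(2)

def wedged_vrf_interfaces(show_vrf, show_interfaces):
    """VRF interfaces whose input queue is full (size >= max): the wedge signal."""
    found = []
    for vrf, short_names in vrf_interfaces(show_vrf).items():
        for full, (size, maximum, _d, _f) in input_queues(show_interfaces).items():
            if size >= maximum and any(same_interface(s, full) for s in short_names):
                found.append((vrf, full))
    return found
```

A single full sample only shows the queue is full right now; a queue that remains full across repeated polls while the interface stops passing traffic is the wedge condition the EEM policy alerts on.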
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Alerts archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Cisco IOS Software
Cisco provides a tool to help customers determine their exposure to vulnerabilities in Cisco IOS Software. The Cisco IOS Software Checker allows customers to perform the following tasks:
- Initiate a search by selecting releases from the drop-down menu or uploading a file from a local system
- Enter show version command output for the tool to parse
- Create a customized search by including all previously published Cisco Security Advisories, a specific publication, or all advisories in the most recent bundled publication
The tool identifies any Cisco Security Advisories that impact a queried software release and the earliest release that corrects all vulnerabilities in each Cisco Security Advisory ("First Fixed"). If applicable, the tool also returns the earliest possible release that corrects all vulnerabilities in all displayed advisories ("Combined First Fixed"). Please visit the Cisco IOS Software Checker and enter a Cisco IOS Software release (for example, 15.1(4)M2) to determine whether the release is affected by any published Cisco IOS Software advisory.
Cisco IOS XE Software
Cisco IOS XE Software is not affected by the vulnerability that is disclosed in this document.
Cisco IOS XR Software
Cisco IOS XR Software is not affected by any of the vulnerabilities that are disclosed in the March 2015 Cisco IOS Software Security Advisory Bundled Publication.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
This vulnerability was discovered during the investigation of customer issues by the Cisco TAC.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version   Date              Description
1.2       2016-January-14   Updated the Cisco IOS Software Checker form to query all previously published Cisco IOS Software Security Advisories.
1.1       2015-March-26     Minor edit to the Vulnerable Products section to clarify that any interface, virtual or physical, that is assigned to a VRF is affected, not just physical interfaces.
1.0       2015-March-25     Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.