CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L/E:X/RL:X/RC:X
-
A vulnerability in the IP Version 6 (IPv6) packet processing functions of multiple Cisco products could allow an unauthenticated, remote attacker to cause an affected device to stop processing IPv6 traffic, leading to a denial of service (DoS) condition on the device.
The vulnerability is due to insufficient processing logic for crafted IPv6 packets that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 Neighbor Discovery (ND) packets to an affected device for processing. A successful exploit could allow the attacker to cause the device to stop processing IPv6 traffic, leading to a DoS condition on the device.
This vulnerability is not Cisco specific: any IPv6 processing unit not capable of dropping such packets early in the processing path or in hardware is affected by this vulnerability.
Cisco will release software updates that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6
-
Cisco is currently investigating its product line to determine which products may be affected by this vulnerability and the impact of the vulnerability on each affected product. As the investigation progresses, Cisco will update this advisory with information about affected products, including the ID of the Cisco bug for each affected product. The bugs will be accessible through the Cisco Bug Search Tool and will contain additional platform-specific information, including any available workarounds and fixed software releases.
Vulnerable Products
Cisco has confirmed that Cisco IOS XR Software, Cisco IOS Software, Cisco IOS XE Software, Cisco NX-OS Software, Cisco ASA Software, and Cisco StarOS Software are affected by the vulnerability described in this advisory.
Note: Affected devices that are configured with a global IPv6 address on at least one interface and are processing traffic can be exploited by a remote attacker. Affected devices that are configured with only a link-local address on interfaces and are processing IPv6 traffic can be exploited with crafted packets only by a Layer 2 adjacent attacker.
For information about which software releases are affected, see the "Fixed Software" section of this advisory.
Cisco IOS XR Software
The following Cisco products are affected by this vulnerability if they are running an affected release of Cisco IOS XR Software and IPv6 is enabled on one or more interfaces:
- Cisco 12000 Series Routers
- Cisco ASR 9000 Series Aggregation Services Routers
- Cisco Carrier Routing System
- Cisco Network Convergence System 4000 Series
- Cisco Network Convergence System 6000 Series Routers
All types of line cards on those platforms are affected by this vulnerability.
If a device is running an affected release of Cisco IOS XR Software and IPv6 is enabled, administrators can identify interfaces that have assigned IPv6 addresses by using the show ipv6 interface brief command in the command-line interface (CLI). The following example shows the output of the command on a device that is running Cisco IOS XR Software with IPv6 enabled:
RP/0/RP0/CPU0:router# show ipv6 interface brief
<!output omitted>
GigabitEthernet0/2/0/0 [Up/Up]
fe80::212:daff:fe62:c150
202::1
The following configuration example shows IPv6 being enabled on an interface with the ipv6 enable interface configuration command:
RP/0/RP0/CPU0:router(config)# interface GigabitEthernet0/2/0/0
RP/0/RP0/CPU0:router(config-if)# ipv6 enable
Cisco IOS Software
Cisco products are affected by this vulnerability if they are running an affected release of Cisco IOS Software and IPv6 is enabled on one or more interfaces. By default, IPv6 is not enabled.
To determine whether IPv6 is enabled on one or more interfaces, administrators can use the show running-config | include ipv6.(enable|address) privileged EXEC command in the CLI. If IPv6 is enabled, ipv6 enable or ipv6 address appears in the output of the command.
The following example shows the output of the show running-config | include ipv6.(enable|address) command on a device that is running Cisco IOS Software with IPv6 configured:
Router# show running-config | include ipv6.(enable|address)
 ipv6 enable
 ipv6 address dhcp rapid-commit
 ipv6 address autoconfig
 ipv6 address MANAGEMENT ::1FFF:0:0:0:3560/128
 ipv6 address 2001:DB8::1/64
Cisco IOS XE Software
The following Cisco products are affected by this vulnerability if they are running an affected release of Cisco IOS XE Software and IPv6 is enabled on one or more interfaces that process traffic:
- Cisco 4300 Series Integrated Services Routers
- Cisco 4400 Series Integrated Services Routers
- Cisco ASR 900 Series Aggregation Services Routers
- Cisco ASR 1000 Series Aggregation Services Routers
- Cisco Cloud Services Router 1000V Series
- Switches running Cisco IOS XE Software
This vulnerability does not depend on any specific combination of Embedded Services Processor (ESP) and Route Processor (RP) installations on the chassis. Any combination of ESP and RP chassis installations is affected by this vulnerability.
To determine whether IPv6 is enabled on one or more interfaces, administrators can use the show running-config | include ipv6.(enable|address) privileged EXEC command in the CLI. If IPv6 is enabled, ipv6 enable or ipv6 address appear in the output of the command.
The following example shows the output of the show running-config | include ipv6.(enable|address) command on a device that is running Cisco IOS XE Software with IPv6 configured:
Router# show running-config | include ipv6.(enable|address)
 ipv6 enable
 ipv6 address dhcp rapid-commit
 ipv6 address autoconfig
 ipv6 address MANAGEMENT ::1FFF:0:0:0:3560/128
 ipv6 address 2001:DB8::1/64
Cisco NX-OS Software
All Cisco products running Cisco NX-OS Software are affected by this vulnerability if IPv6 is enabled on one or more interfaces that process traffic. By default, IPv6 is not enabled.
To determine whether IPv6 is enabled on one or more interfaces, administrators can use the show running-config | include ipv6.address privileged EXEC command in the CLI. If IPv6 is enabled, ipv6 address appears in the output of the command.
The following example shows the output of the show running-config | include ipv6.address command on a device that is running Cisco NX-OS Software with IPv6 enabled:
Router# show running-config | include ipv6.address
ipv6 address 2001:DB8::1/64
Cisco ASA Software
IPv6 is not enabled by default. To enable IPv6 on a Cisco ASA or Cisco ASASM, at a minimum a link-local address needs to be configured for IPv6 to operate correctly. If a global address is configured, a link-local address is automatically configured on each interface.
To verify that the Cisco ASA or Cisco ASASM has IPv6 enabled, administrators can use the show ipv6 interface command in the CLI and confirm that the command returns output. The following example shows a Cisco ASA that has two interfaces (inside and outside) configured and IPv6 enabled:
ciscoasa# show ipv6 interface
outside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::219:2fff:fe83:4f42
  No global unicast address is configured
  Joined group address(es):
    ff02::1
    ff02::1:ff83:4f42
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses.
inside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::219:2fff:fe83:4f43
  No global unicast address is configured
  Joined group address(es):
    ff02::1
    ff02::1:ff83:4f43
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses.
Cisco StarOS Software
Cisco ASR 5000 Series devices running Cisco StarOS Software are affected by this vulnerability if IPv6 is enabled on one or more interfaces that process traffic. By default, IPv6 is not enabled.
To determine whether IPv6 is enabled on one or more interfaces, administrators can use the show ipv6 interface summary privileged EXEC command in the CLI. If IPv6 is enabled, an IPv6 address appears in the output of the command.
The following example shows the output of the show ipv6 interface summary command on a device that is running Cisco StarOS Software with IPv6 enabled:
[local]router# show ipv6 interface summary
Friday February 21 09:00:07 UTC 2014
Interface Name                 Address/Mask        Port               Status
============================== =================== ================== ======
int1_test_v6                   2001:db8::1/64      20/1 vlan 122      UP
int2_test_v6                   2001:db8::2/64      21/1 vlan 122      UP
int3_test_v6                   2001:db8::3/64      22/1 vlan 122      UP
int4_test_v6                   2001:db8::4/64      23/1 vlan 130      UP
Determining the Cisco IOS XR Software Release
To determine which Cisco IOS XR Software release is running on a device and the name of the device on which it is running, administrators can log in to the device and use the show version command in the CLI. If the device is running Cisco IOS XR Software, Cisco IOS XR Software or similar text appears in the system banner. The location and name of the system image file that is currently running on the device appears next to the System image file is text. The name of the hardware product appears on the line after the name of the system image file.
The following example shows the output of the show version command on a device that is running Cisco IOS XR Software Release 4.1.0 with an installed image name of mbihfr-rp.vm:
RP/0/RP0/CPU0:router# show version
Mon May 31 02:14:12.722 DST
Cisco IOS XR Software, Version 4.1.0
Copyright (c) 2010 by Cisco Systems, Inc.
ROM: System Bootstrap, Version 2.100(20100129:213223) [CRS-1 ROMMON],
router uptime is 1 week, 6 days, 4 hours, 22 minutes
System image file is "bootflash:disk0/hfr-os-mbi-4.1.0/mbihfr-rp.vm"
cisco CRS-8/S (7457) processor with 4194304K bytes of memory.
7457 processor at 1197Mhz, Revision 1.2
Determining the Cisco IOS Software Release
To determine which Cisco IOS Software release is running on a Cisco product, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name appears in parentheses followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.5(2)T1 with an installed image name of C2951-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team
.
.
.
Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device and use the show version command in the CLI. If the device is running Cisco IOS XE Software, Cisco IOS XE Software or similar text appears in the system banner.
The following example shows the output of the show version command on a device that is running Cisco IOS XE Software Release 3.6.2S, which maps to Cisco IOS Software Release 15.2(2)S2:
Router# show version
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 07-Aug-12 13:40 by mcpre
Determining the Cisco NX-OS Software Release
To determine which Cisco NX-OS Software release is running on a device, administrators can log in to the device and use the show version command in the CLI. If the device is running Cisco NX-OS Software, Cisco Nexus Operating System (NX-OS) Software or similar text appears in the system banner.
The following example shows the output of the show version command for a Cisco Nexus 5000 Series Switch running Cisco NX-OS Software Release 7.1(1)N1(1):
# show version
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
Copyright (c) 2002-2012, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
BIOS: version 3.6.0
loader: version N/A
kickstart: version 7.1(1)N1(1)
system: version 7.1(1)N1(1)
Determining the Cisco ASA Software Release
To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the show version command. The following example shows a device running Cisco ASA Software Release 8.4(1):
ciscoasa#show version | include Version
Cisco Adaptive Security Appliance Software Version 8.4(1)
Device Manager Version 6.4(1)
Determining the Cisco StarOS Software Release
To determine which Cisco StarOS Software release is running on a Cisco product, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. Each software image can be identified by its release version and its corresponding build number.
The following example identifies a Cisco product that is running Cisco StarOS Software Release 15.0 (49328):
[local]<host_name># show version
Active Software:
Image Version: 15.0 (49328)
Image Branch Version: 015.000(001)
Image Description: Production_Build
Image Date: Tue Apr 23 00:45:12 EDT 2013
Boot Image: Unknown
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability.
-
Exploitation of this vulnerability could cause high CPU usage on an affected platform. It could also cause an affected device to stop processing all IPv6 traffic. On some devices, exploitation of this vulnerability could cause a temporary loss of services for traffic that terminates on the device, in addition to IPv6 traffic.
-
Any workarounds, when available, will be documented in the Cisco bugs, which are accessible through the Cisco Bug Search Tool.
Customers should rely on external mitigation techniques, such as denying IPv6 ND packets in an access control list (ACL) placed on an Internet edge router, to protect infrastructure devices behind those routers. IPv6 ND packets should be limited to local links, so dropping them at the edge helps protect the infrastructure; it is a commonly accepted best practice to drop these packets at the Internet edge. Alternatively, configuring static IPv6 neighbors where possible and denying all IPv6 ND packets at the edge will help mitigate this vulnerability.
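As an added illustration (not configuration from the advisory or from Cisco), the following Cisco IOS configuration implements the mitigation described above on a hypothetical Internet edge router: a static neighbor entry for the upstream next hop, then an IPv6 ACL that denies every ND message type inbound on the Internet-facing interface. The interface name, addresses, MAC address and ACL name are placeholders.

```cisco
! Static neighbor for the upstream next hop, so this router does not rely
! on ND to reach the provider (address and MAC are placeholders).
! The provider side must likewise be able to reach this router without ND.
ipv6 neighbor 2001:DB8:FFFF::1 GigabitEthernet0/0 0000.0C12.3456
!
! Deny all ND message types arriving from the Internet. Explicit denies are
! required: IOS IPv6 ACLs carry an implicit "permit icmp any any nd-na" and
! "permit icmp any any nd-ns" ahead of the implicit deny at the end.
ipv6 access-list EDGE-IN-DENY-ND
 deny icmp any any router-solicitation log
 deny icmp any any router-advertisement log
 deny icmp any any nd-ns log
 deny icmp any any nd-na log
 deny icmp any any redirect log
 ! Replace this final permit with the existing edge policy, if any.
 permit ipv6 any any
!
interface GigabitEthernet0/0
 description Internet uplink (placeholder)
 ipv6 address 2001:DB8:FFFF::2/64
 ipv6 traffic-filter EDGE-IN-DENY-ND in
!
! Check: "show ipv6 access-list EDGE-IN-DENY-ND" shows per-entry match
! counts, and the "log" keyword records denied ND packets in syslog.
```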
-
All releases of Cisco IOS XR Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco NX-OS Software are affected by the vulnerability described in this advisory.
Not all hardware platforms are affected equally. Where software fixes are applicable, updates for affected software releases will be published when they are available and information about those updates will be documented in Cisco bugs, which are accessible from the Cisco Bug Search Tool. Where software updates are not applicable, guidance will be provided in the respective Cisco bug release notes.
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
-
As of May 26, 2016, the Cisco Product Security Incident Response Team (PSIRT) is aware of disruptions for some Cisco customers who are running the affected platforms.
-
This vulnerability was found during the resolution of a support case.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version | Description | Section | Status | Date
1.16 | Added Cisco bugs CSCvb19057 and CSCva17794. Changed status to Final. | Cisco Bug IDs, Status of this Notice | Final | 2019-September-16
1.15 | Added Cisco bugs CSCva94139, CSCva61877. | Cisco Bug IDs | Interim | 2016-September-14
1.14 | Added Cisco bug CSCva3353. | Cisco Bug IDs | Interim | 2016-August-09
1.13 | Added Cisco bug CSCva39982. | Cisco Bug IDs | Interim | 2016-July-12
1.12 | Updated Summary and Workarounds to include information about potential mitigation. | Summary, Workarounds | Interim | 2016-July-06
1.11 | Updated information about products under investigation and fixed software. | Affected Products, Fixed Software | Interim | 2016-July-01
1.10 | Updated information about fixed software. | Fixed Software | Interim | 2016-June-20
1.9 | Updated information about fixed software. | Fixed Software | Interim | 2016-June-16
1.8 | Updated information about products under investigation and confirmed as vulnerable. | Affected Products | Interim | 2016-June-13
1.7 | Updated information about fixed software. | Fixed Software | Interim | 2016-June-10
1.6 | Updated information about products under investigation. | Affected Products | Interim | 2016-June-08
1.5 | Updated information about fixed software. | Fixed Software | Interim | 2016-June-06
1.4 | Updated information about products under investigation and confirmed as vulnerable. | Affected Products | Interim | 2016-June-03
1.3 | Updated Summary and Workarounds to include information about potential mitigation. | Summary, Workarounds | Interim | 2016-June-01
1.2 | Updated information about products under investigation and confirmed as vulnerable. Added information about possible indicators of compromise and service disruption. | Affected Products | Interim | 2016-May-31
1.1 | Updated information about products under investigation and confirmed as vulnerable. Added information about possible indicators of compromise and service disruption. | Affected Products, Indicators of Compromise, Exploitation and Public Announcements | Interim | 2016-May-26
1.0 | Initial public release. | — | Interim | 2016-May-25
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.