Cisco 800 Series - Cisco IOS Release 12.2(4)YA11.
Available Languages
Table Of Contents
Release Notes for Cisco 800 and SOHO 90 Series Routers for Cisco IOS Release 12.3(8)YA
Determining the Software Version
Upgrading to a New Software Release
New Software Features in Cisco IOS Release 12.2(4)YA1
New Software Features in Release 12.2(4)YA
Dynamic DNS Support for Cisco IOS
New Software Features in Release 12.3(8)T
Resolved Caveats - Cisco IOS Release 12.2(4)YA12
Resolved Caveats - Cisco IOS Release 12.2(4)YA
Open Caveats - Cisco IOS Release 12.2(4)YA
Cisco IOS Software Documentation Set
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for Cisco 800 and SOHO 90 Series Routers for Cisco IOS Release 12.3(8)YA
August 3, 2007Cisco IOS Release 12.2(4)YA12OL-14334-02These release notes describe new features and significant software components for the Cisco 800 and SOHO 90 Series Routers that support the Cisco IOS Release 12.2(4)YA releases. These release notes are updated as needed to describe new memory requirements, new features, new hardware support, changes to the microcode or modem code, and any other important changes. Use these release notes with Cross-Platform Release Notes for Cisco IOS Release 12.2T located on Cisco.com.
For a list of the software caveats that apply to Cisco IOS Release 12.2(4)YA12, see Caveats and see the online Caveats for Cisco IOS Release 12.2T. The caveats document is updated for every 12.2T maintenance release and is located on Cisco.com.
Contents
•
Obtaining Documentation, Obtaining Support, and Security Guidelines
System Requirements
This section describes the system requirements for Cisco IOS Cisco IOS Release 12.2(4)YA and includes the following sections:
•
•
Memory Requirements
This section describes the memory requirements for the Cisco IOS feature sets that are supported by Cisco IOS Cisco IOS Release 12.2(4)YA on the Cisco 831, 836, 837, SOHO 91, SOHO 96, and SOHO 97 routers.
Table 1 Recommended Memory for the Cisco 831, 836, 837, SOHO 91, SOHO 96, and SOHO 97 Routers
mum
mumCisco 831
Cisco 831 Series IOS IP/FW2 IPSec 3DES
IP/FW2/IPSec 3DES
c831-k9o3y6-mz
12 MB
12 MB
48 MB
48 MB
Cisco 831 Series IOS IP/FW2 Plus IPSec 3DES
IP Plus/FW2/IPSec 3DES
c831-k9o3sy6-mz
12 MB
12 MB
48 MB
48 MB
Cisco 836
Cisco 836 Series IOS IP/FW2 IPSec 3DES
IP/FW2/IPSec 3DES
c836-k9o3y6-mz
12 MB
12 MB
48 MB
48 MB
Cisco 836 Series IOS IP/FW2 Plus IPSec 3DES
IP Plus/FW2/IPSec 3DES
c836-k9o3sy6-mz
12 MB
12 MB
48 MB
48 MB
Cisco 836 Series IOS IP/FW2/Dial Backup Plus IPSec 3DES
IP Plus/FW2/Dial Backup IPSec 3DES
c836-k9o3s8y6-mz
12 MB
12 MB
48 MB
48 MB
Cisco 837
Cisco 837 Series IOS IP/FW2 IPSec 3DES
IP/FW2/IPSec 3DES
c837-k9o3y6-mz
12 MB
12 MB
48 MB
48 MB
Cisco 837 Series IOS IP/FW2 Plus IPSec 3DES
IP Plus/FW2/IPSec 3DES
c837-k9o3sy6-mz
12 MB
12 MB
48 MB
48 MB
Cisco SOHO 91
Cisco SOHO 91 Series IOS IP/FW/3DES
IP/FW 3DES
soho91-k9oy6-mz
8 MB
8 MB
32 MB
32 MB
Cisco SOHO 96
Cisco SOHO 96 Series IOS IP/FW/3DES
IP/FW 3DES
soho96-k9oy1-mz
8 MB
8 MB
32 MB
32 MB
Cisco SOHO 97
Cisco SOHO 97 Series IOS IP/FW 3DES
IP/FW 3DES
soho97-k9oy1-mz
8 MB
8 MB
32 MB
32 MB
1 Recommended memory is the memory required for potential future expansions.
Hardware Supported
Cisco IOS Cisco IOS Release 12.2(4)YA supports the following routers:
•
•
•
•
•
•
For detailed descriptions of new hardware features and which features are supported on each router, see the "New and Changed Information" section. For descriptions of existing hardware features and supported modules, see the hardware installation guides, configuration and command reference guides, and additional documents specific to the Cisco 831, 836, 837, SOHO 91, SOHO 96, and SOHO 97 routers, which are available on Cisco.com at the following location:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/index.htm
This URL is subject to change without notice. If it changes, point your web browser to Cisco.com, and click the following path:
Technical Documentation: Routers: Fixed Config. Access Routers: <platform_name>
Determining the Software Version
To determine which version of the Cisco IOS software is currently running on your Cisco 831, 836, 837, SOHO 91, SOHO 96, or SOHO 97 router, log in to the router, and enter the show version command. The following sample output from the show version command indicates the version number on the second output line.
router> show versionCisco Internetwork Operating System SoftwareIOS (tm) C836 Software (C836-K9O3SY6-M), Version 12.2(4)YA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1) Synched to technology version 12.3(9.6)TUpgrading to a New Software Release
For general information about upgrading to a new software release, see the Software Installation and Upgrade Procedures located at http://www.cisco.com/pcgi-bin/Support/browse/index.pl?i=Hardware&f=742.
Feature Set Tables
The Cisco IOS software is packaged in feature sets consisting of software images, depending on the platform. Each feature set contains a specific set of Cisco IOS features. Release 12.3(8)YA1 includes the same feature sets supported by the Cisco 800 and SOHO 90 series routers as Releases 12.3, 12.3(8)T, and 12.3(8)YA. There are no new features in Release 12.3(8)YA1
Caution
Table 2 through Table 7 list the features and feature sets that are supported in Cisco IOS Cisco IOS Release 12.2(4)YA.
The tables use the following conventions:
•
•
•
Note
New and Changed Information
The following sections list the new software features supported by the Cisco 831, 836, 837, SOHO 91, SOHO 96, and SOHO 97 routers for Cisco IOS Release 12.2(4)YA.
New Software Features in Cisco IOS Release 12.2(4)YA1
There are no new software features in Cisco IOS Release 12.2(4)YA1.
New Software Features in Release 12.2(4)YA
The following sections describe the new software features supported by the Cisco 800 and SOHO 90 series routers for Release 12.2(4)YA.
Dynamic DNS Support for Cisco IOS
The Dynamic DNS Support for Cisco IOS feature enables Cisco IOS devices to perform Dynamic Domain Name System (DDNS) updates to ensure that an IP host DNS name is correctly associated with its IP address.
It provides two mechanisms to generate or perform DDNS: the IETF standard as defined by RFC 2136, and a generic HTTP using various DNS services. With this feature, you can define a list of host names and IP addresses that will receive updates, specify an update method, and specify a configuration for DHCP triggered updates.
With the Dynamic DNS Support feature, you can define a list of hostnames and/or IP addresses that will receive updates, can specify an update method, and can specify a configuration for DHCP-triggered updates.
For more details about the Dynamic DNS Support for Cisco IOS feature, see the following URL:
No Service Password Recovery
The No Service Password-Recovery feature is a security enhancement that prevents anyone with access to a console from accessing the router configuration and clearing the password. It also prevents anyone from changing the configuration register values and accessing non-volatile RAM (NVRAM).
The No Service Password Recovery feature is enabled using the no service password-recovery hidden command. When this hidden command is used, a warning and a confirmation prompt appear on your router.
To disable the feature, use the service password-recovery command.
The No Service Password Recovery feature also recovers the forgotten passwords. When this feature is enabled, the router accepts the break signal within 5 seconds, just after the Cisco IOS software is decompressed during booting. The user is then prompted to confirm the action. After confirmation, the startup configuration is erased, the password recovery procedure is enabled, and the router boots with the factory default configuration. When the user enters "no", the router boots normally and with the No Service Password Recovery feature enabled.
For more details about the No Service Password Recovery feature, see the following URL:
The No Service Password Recovery feature requires use of ROMMON version 12.2(11r)YV1. The procedure for upgrading the ROMMON image from ROMMON mode is given at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/827/820rmup.htm#54965
Bridge MIB
The Bridge MIB feature, extracted from RFC 1493, defines objects for managing MAC bridges between LAN segments. The Bridge MIB feature provides information regarding various ports of the bridge, Spanning Tree Protocol (STP), and transparent bridging, and supports dot1dBase, dot1dStp, and dot1dTp standards.
New Software Features in Release 12.3(8)T
For information regarding the features supported in the Cisco IOS Release 12.3(8)T, see the Cross-Platform Release Notes and New Feature Documentation links at the following location on Cisco.com:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/index.htm
This URL is subject to change without notice. If it changes, point your web browser to Cisco.com, and click the following path:
Service & Support: Technical Documents: Cisco IOS Software: Release 12.3: Release Notes: Cross-Platform Release Notes (Cisco IOS Release 12.3(8)T)
Limitations and Restrictions
The following sections describe limitations concerning the new hardware and software features supported by the Cisco 800 series routers for Cisco IOS Release 12.2(4)YA and 12.3(8)YA.
No Service Password Recovery
The following limitations apply for the No Service Password Recovery feature:
•
•
•
Table 8 lists the meanings of the software configuration memory bits.
•
•
•
Caveats
Caveats describe unexpected behavior or defects in the Cisco IOS software releases. Severity 1 caveats are the most serious caveats, severity 2 caveats are less serious, and severity 3 caveats are the least serious of these three severity levels.
Note
Resolved Caveats - Cisco IOS Release 12.2(4)YA12
CSCei61732 Additional data integrity check in system timerCisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.
Cisco has made free software available that includes the additional integrity checks for affected customers.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml
CSCef68324 ICMPv6 pkt tracebackCisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Cisco has made free software available to address this vulnerability for all affected customers.
More details can be found in the security advisory that is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml
CSCsd92405 router crashed by repeated SSL connection with malformed finished messageCisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
•
•
•
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
Note
A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
CSCsc72722 CBAC - firewall resets TCP idle timer upon receiving invalid TCP packetsSymptom TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not timeout.
Conditions
Workaround
CSCec71950 Crafted IP Option may cause DoS or code executionCisco routers and switches running Cisco IOS or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by this issue.
Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability. This vulnerability was discovered during internal testing.
This advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
CSCsb33172 short-circuit crypto engine operations when faking AM2Symptom A vulnerability exists in the way some Cisco products handle IKE phase I messages which allows an attacker to discover which group names are configured and valid on the device.
A Cisco Security Notice has been published on this issue and can be found at the following URL:
http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml
CSCee45312 Radius authentication bypass when configured with a none fallback methodRemote Authentication Dial In User Service (RADIUS) authentication on a device that is running certain versions of Cisco Internetworking Operating System (IOS) and configured with a fallback method to none can be bypassed.
Systems that are configured for other authentication methods or that are not configured with a fallback method to none are not affected.
Only the systems that are running certain versions of Cisco IOS are affected. Not all configurations using RADIUS and none are vulnerable to this issue.
Some configurations using RADIUS, none and an additional method are not affected. Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
More details can be found in the security advisory which posted at the following URL http://www.cisco.com/warp/public/707/cisco-sa-20050629-aaa.shtml
CSCsa54608 IOS Firewall Auth-Proxy for FTP/Telnet Sessions buffer overflowThe Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.
Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.
Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected. Only devices running certain versions of Cisco IOS are affected.
Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml
CSCse05736 A router running RCP can be reloaded with a specific packetSymptom A router that is running RCP can be reloaded by a specific packet.
Conditions
•
•
Workaround
CSCse05736 ssh leaks memory and buffersCertain release trains of Cisco Internetwork Operating System (IOS), when configured to use the IOS Secure Shell (SSH) server in combination with Terminal Access Controller Access Control System Plus (TACACS+) as a means to perform remote management tasks on IOS devices, may contain two vulnerabilities that can potentially cause IOS devices to exhaust resources and reload.
Repeated exploitation of these vulnerabilities can result in a Denial of Service (DoS) condition. Use of SSH with Remote Authentication Dial In User Service (RADIUS) is not affected by these vulnerabilities.
Cisco has made free software available to address these vulnerabilities for all affected customers. There are workarounds available to mitigate the effects of the vulnerability (see the "Workarounds" section of the full advisory for details.)
This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml
CSCsc64976 HTTP server should scrub embedded HTML tags from cmd outputA vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output from a show buffers command, will be passed to the browser requesting the page. This HTML code could be interpreted by the client browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks. Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content in which HTML commands have been injected. Cisco will be making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml
SCek37177 malformed tcp packets deplete processor memory.The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.
This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.
Cisco has made free software available to address this vulnerability for affected customers.
This issue is documented as Cisco bug ID CSCek37177
There are workarounds available to mitigate the effects of the vulnerability. This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml
CSCsb12598 Router forced crash on receiving fragmented TLS ClientHelloCisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
•
•
•
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
Note
A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
CSCsb40304 Router crash on sending repetitive SSL ChangeCipherSpecCisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, A malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
•
•
•
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
Note
A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
CSCsb12598 Router forced crash on receiving fragmented TLS ClientHelloCSCsf07847 cdp may fail to discover neighbor information in releases wh CSCse85200Symptom Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behavior by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router. Since CDP is a layer-2 protocol, this issue can only be triggered by systems that are residing on the same network segment.
Conditions
Workaround
CSCse85200 Inadequate validation of TLVs in cdpSymptom Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behavior by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router.
Since CDP is a layer-2 protocol, this issue can only be triggered by systems that are residing on the same network segment.
Workaround
CSCsg40567 Memory leak found with malformed tls/ssl packets in http core processSymptom Malformed SSL packets may cause a router to leak multiple memory blocks.
Conditions
Workaround
Resolved Caveats - Cisco IOS Release 12.2(4)YA
This section documents possible unexpected behavior by Cisco IOS Release 12.2(4)YA1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
Reception of certain IPv6 fragments with carefully crafted illegal contents may cause a router running Cisco IOS to reload if it has IPv6 configured. This applies to all versions of Cisco IOS that include support for IPv6.
The system may be protected by installing appropriate access lists to filter all IPv6 fragments destined for the system. For example:
interface Ethernet0/0ipv6 traffic-filter nofragments in!ipv6 access-list nofragmentsdeny ipv6 any <my address1> undetermined-transportdeny ipv6 any <my address2> fragmentspermit ipv6 any anyThis must be applied across all interfaces, and must be applied to all IPv6 addresses which the system recognizes as its own.This will effectively disable reassembly of all IPv6 fragments. Some networks may rely on IPv6 fragmentation, so careful consideration should be given before applying this workaround.
•
DHCP Client could not renew the IP address using the ATM unnumbered interface, after changing the configuration on the bridge.
•
When configuring ezvpn using nat-t on a Cisco 831 router, the IPSec SA's are created but only encaps packets are shown in the byte counts. The esp frames are sent with protocol 50 instead of 4500 for nat-t.
•
DMZ - Huge delay transmitting traffic on Eth0 and Eth2.
•
Incorrect count loaded into Timer3 that handles ISDN layer1.
•
Unable to telnet.
•
ISDN TEI negotiation fails when Layer 2 is not activated. ISDN TEI negotiation on Layer 2 (and consequently ISDN calls on Layer 3) may fail on a Cisco 836 router when Layer 1 is active and Layer 2 is not activated.
•
Easy Virtual Private Network (EZVPN) crashes while reconnecting.
•
The output of the show ip access-list command does not show extended access lists.
•
•
•
Cisco Internetwork Operating System (IOS) Software release trains 12.2T, 12.3 and 12.3T may contain vulnerabilities in processing certain Internet Key Exchange (IKE) Xauth messages when configured to be an Easy VPN Server.
Successful exploitation of these vulnerabilities may permit an unauthorized user to complete authentication and potentially access network resources.
This advisory will be posted to http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cisco.com/en/US/products/products_security_advisory09186a00807b8e55.shtml.
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cisco.com/en/US/products/products_security_advisory09186a00807b8e55.shtml.
Open Caveats - Cisco IOS Release 12.2(4)YA
This section documents possible unexpected behavior by Cisco IOS Release 12.2(4)YA1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
Traceback may be seen when show ip access-list command is given, when named access lists are configured.
Workaround
Use numbered access lists.
•
Additional References
The following sections describe the documentation available for the Cisco 800 and SOHO 90 Series Routers. Typically, these documents consist of hardware and software installation guides, Cisco IOS configuration and command references, system error messages, feature modules, and other documents. Documentation is available as printed manuals or electronic documents, except for feature modules, which are available online on Cisco.com in pdf or html form.
Use these release notes with the documents listed in the following sections:
Release-Specific Documents
The following documents are specific to Release 12.2 and apply to Cisco IOS Release 12.2(4)YA. They are located on Cisco.com:
•
•
•
Platform-Specific Documents
Hardware installation guides, configuration and command reference guides, and additional documents specific to the Cisco 800 and SOHO 90 Series Routers are available on Cisco.com at the following location:
http://www.cisco.com/en/US/products/hw/routers/tsd_products_support_category_home.html
Feature Modules
Feature modules describe new features supported by Cisco IOS Release 12.2 and Cisco IOS Release 12.2(4)YA, and are updates to the Cisco IOS documentation set. A feature module consists of a brief overview of the feature, benefits, configuration tasks, and a command reference. As updates, the feature modules are available online only.
Cisco Feature Navigator
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a particular set of features and which features are supported in a particular Cisco IOS image. Cisco Feature Navigator is available 24 hours a day, 7 days a week.
To use Cisco Feature Navigator, you must have a JavaScript-enabled web browser such as Netscape 3.0 or later, or Internet Explorer 4.0 or later. Internet Explorer 4.0 always has JavaScript enabled. To enable JavaScript for Netscape 3.x or Netscape 4.x, follow the instructions provided with the web browser. For JavaScript support and enabling instructions for other browsers, check with the browser vendor.
Cisco Feature Navigator is updated when major Cisco IOS software releases and technology releases occur. You can access Feature Navigator at the following URL:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
Cisco IOS Software Documentation Set
The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents.
Documentation Modules
Each module in the Cisco IOS documentation set consists of one or more configuration guides and one or more corresponding command references. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Use each configuration guide with its corresponding command reference. Cisco IOS Software Documentation is available in html or pdf form.
Select your release and click the command references, configuration guides, or any other Cisco IOS documentation you need
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feed-back, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Use this document in conjunction with the documents listed in the "Additional References" section.
CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0705R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007, Cisco Systems, Inc. All rights reserved
Feedback