Release Notes for Cisco 2800 Series Integrated Services Routers with Cisco IOS Release 12.4(20)YA
Available Languages
Table Of Contents
Release Notes for Cisco 2800 Series Integrated Services Routers with Cisco IOS Release 12.4(20)YA
Determining the Software Version
Upgrading to a New Software Release
New Hardware Features in Cisco IOS Release 12.4(20)YA3
New Software Features in Cisco IOS Release 12.4(20)YA3
New Hardware Features in Cisco IOS Release 12.4(20)YA2
New Software Features in Cisco IOS Release 12.4(20)YA2
New Hardware Features in Cisco IOS Release 12.4(20)YA1
New Software Features in Cisco IOS Release 12.4(20)YA1
New Hardware Features in Cisco IOS Release 12.4(20)YA
New Software Features in Cisco IOS Release 12.4(20)YA
CallBack on Busy for Analog Phones on Cisco Voice Gateways
Call Hold/Resume for Shared Lines for SCCP Analog Ports
Application Performance Assurance Network Module
Limitations and Restriction - Release 12.4(20)YA
Open Caveats - Release 12.4(20)YA3
Resolved Caveats - Release 12.4(20)YA3
Open Caveats - Release 12.4(20)YA2
Resolved Caveats - Release 12.4(20)YA2
Open Caveats - Release 12.4(20)YA1
Resolved Caveats - Release 12.4(20)YA1
Open Caveats - Release 12.4(20)YA
Resolved Caveats - Release 12.4(20)YA
Cisco IOS Software Documentation Set
Release Notes for Cisco 2800 Series Integrated Services Routers with Cisco IOS Release 12.4(20)YA
First Released: August 1, 2008Last Revised: April 7, 2009Cisco IOS Release 12.4(20)YA3OL-17463-04 Fourth ReleaseThese release notes describe new features and significant software components for the Cisco 2800 series routers that support the Cisco IOS Release 12.4(20)YA releases. These release notes are updated as needed. Use these release notes with the Cross-Platform Release Notes for Cisco IOS Release 12.4T and About Cisco IOS Release Notes.
For a list of the software caveats that apply to the Release 12.4(20)YA releases, see the "Caveats" section. See also Caveats for Cisco IOS Release 12.4(20)T. The online caveats document is updated for every maintenance release.
Contents
System Requirements
This section describes the system requirements for Release 12.4(20)YA and includes the following sections:
•
Determining the Software Version
•
Memory Requirements
Table 1 describes the memory requirements for the Cisco IOS feature sets supported by Cisco IOS Release 12.4(20)YA on the Cisco 2800 series routers.
Hardware Supported
Cisco IOS Release 12.4(20)YA supports the following Cisco 2800 series routers:
•
•
•
•
For descriptions of existing hardware features and supported modules, see the hardware installation guides, configuration and command reference guides, and additional documents specific to the Cisco 2800 series routers, which are available at:
http://www.cisco.com/en/US/products/ps5854/tsd_products_support_series_home.html
Determining the Software Version
To determine the version of Cisco IOS software currently running on your Cisco 2800 series router, see About Cisco IOS Release Notes located at: http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4xy15/ReleaseNote.html.
Upgrading to a New Software Release
For general information about upgrading to a new software release, see About Cisco IOS Release Notes located at:
http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4xy15/ReleaseNote.html.
Feature Set Tables
For information about feature set tables, see About Cisco IOS Release Notes located at: http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4xy15/ReleaseNote.html.
New and Changed Information
This section contains the following information:
•
•
•
•
•
•
•
•
New Hardware Features in Cisco IOS Release 12.4(20)YA3
There are no new hardware features in this release.
New Software Features in Cisco IOS Release 12.4(20)YA3
There are no new software features in this release.
New Hardware Features in Cisco IOS Release 12.4(20)YA2
There are no new hardware features in this release.
New Software Features in Cisco IOS Release 12.4(20)YA2
There are no new software features in this release.
New Hardware Features in Cisco IOS Release 12.4(20)YA1
There are no new hardware features in this release.
New Software Features in Cisco IOS Release 12.4(20)YA1
There are no new software features in this release.
New Hardware Features in Cisco IOS Release 12.4(20)YA
The new hardware features are:
NME-IPS-K9
NME-IPS is a Cisco Intrusion Prevention System (Cisco IPS) that you can install in any network module slot in the Cisco 2800 and Cisco 3800 series integrated services routers (Cisco ISRs). NME-IPS modules run Cisco IPS Sensor software (6.0 or a later version) and provide full support for current versions of Cisco IPS products.
New Software Features in Cisco IOS Release 12.4(20)YA
The new software features are:
•
•
•
•
CVP IOS Debug CLI
When a voice gateway is used as a contact center, it is often necessary to turn on the error debugging for AFW/IVR, HTTP, MRCP, RTSP, and VoiceXML. Enabling the ivr contact-center command automatically turns on all of these error debugs, and also prevents these error debugs from being turned off when the no debug all command is entered. For more information, see the ivr contact-center command in the Cisco IOS Voice Command Reference:
http://www.cisco.com/en/US/docs/ios/voice/command/reference/vr_i2.html#wp1112650
SIT Detection and Reporting
This feature provides detection of the eight U.S. special information tones (SITs) and reporting of the detected SIT with a preassigned disconnect cause code for disconnect supervision. This capability is supported for analog FXO trunk and T1/E1 channel-associated signaling (CAS) FXO loop-start. The SIT reporting complies with standard Q.850 messages in order for fax servers to uniquely identify each condition.For more information, see the supervisory sit us command in the Cisco IOS Voice Command Reference:
http://www.cisco.com/en/US/docs/ios/voice/command/reference/vr_s12.html#wp1198948
Cisco IOS Release 12.4(20)YA provides SCCP features requested by customers planning to deploy Cisco Unified Communications including the following features for FXS ports on Cisco VG224 Analog Phone Gateways and Cisco 2800 series integrated services routers:
•
•
•
CallBack on Busy for Analog Phones on Cisco Voice Gateways
CallBack on Busy is on analog phones that are connected to FXS ports on Cisco IOS voice gateways and controlled by Cisco Unified Communications Manager 6.1.2 or a later version. With CallBack on Busy, users on analog phones can place a callback notification if the destination user is busy on another call.
Call Hold/Resume for Shared Lines for SCCP Analog Ports
Hold/Resume is on analog SCCP phones that share a line and directory number with one or more other phones in Cisco Unified Communications Manager 6.0 or a later version. Hold/Resume is supported only on analog SCCP phones connected to FXS ports on which hold-resume is configured.
Flexible Feature Access Codes
This feature enables users on SCCP-controlled Cisco VG224s or Cisco ISRs analog port to customize the Feature Access Codes for invoking supplementary services.
SIP Supplementary Features for Analog Ports on Cisco VG224/Cisco ISRs with Cisco Unified Communications Manager
Analog phones connected on Cisco ISRs and Cisco VG224s now support SIP Supplementary Services with a SIP trunk configured towards the Cisco Unified Communications Manager. Features supported are:
•
•
•
•
Application Performance Assurance Network Module
The applications manage traffic on NME-APA service modules installed in Cisco 2811, 2821, 2851, and Cisco 3800 Series Integrated Services Routers by enabling or disabling the flow of packets through the router and the service module. Configure the router interface with the service-module apa traffic-management [monitor | inline] command. The monitor command enables the interface to copy the packet and designate the copy as the one forwarded to the NME-APA. The inline command (promiscuous mode) sends the packet to the router, instead of a copy of the packet to the router. For more information see the Cisco Application Performance Assurance User Guide:
http://www.cisco.com/en/US/docs/cable/serv_exch/serv_control/broadband_app/apa/NME-APA_User_Guide/NME-APA-User-Guide.html
New Features in Release 12.4T
For information regarding the features supported in Cisco IOS Release 12.4T, see the Cross-Platform Release Notes links at:
http://www.cisco.com/en/US/products/ps6441/prod_release_notes_list.html
Limitations and Restrictions
Limitations and Restriction - Release 12.4(20)YA
•
•
•
•
•
•
•
•
•
Caveats
For general information on caveats and the bug toolkit, see About Cisco IOS Release Notes located at: http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4xy15/ReleaseNote.html.
This section contains the following caveat information:
•
•
•
•
•
•
•
•
Open Caveats - Release 12.4(20)YA3
There are no open caveats in this release.
Resolved Caveats - Release 12.4(20)YA3
CSCsu84868 c3845: Error mesg %SYS-2-BADSHARE: Bad refcount in datagram_done.Symptom Cisco 3845 experiences trackback error:
Aug 14 12:34:55.960: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=7006C010, count=0, -Traceback= 0x61816650 0x60641BD0 0x60C27A80 Aug 17 16:51:45.739: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=705985A4, count=0, -Traceback= 0x61816650 0x60641BD0 0x60C27A80
Conditions
Workaround
CSCsy22826 VG224 sending incorrect ssType in 1+ node CUCM cluster.Symptom VG224 endpoint does not connect to callback destination, once the callback destination is idle.
Conditions
Workaround
Further Problem Description: The activation of the callback is successful. What fails is when the callback destination becomes idle again and the VG224 endpoint gets notified (ring). After the VG224 endpoint goes offhook, the system should automatically connect to the Callback destination.This does not happen and VG224 endpoint gets silence.
Open Caveats - Release 12.4(20)YA2
There are no open caveats in this release.
Resolved Caveats - Release 12.4(20)YA2
•
Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.
In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.
Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml.
CSCsr16693A series of TCP packets may cause a denial of service (DoS) condition on Cisco IOS devices that are configured as Easy VPN servers with the Cisco Tunneling Control Protocol (cTCP) encapsulation feature. Cisco has released free software updates that address this vulnerability. No workarounds are available; however, the IPSec NAT traversal (NAT-T) feature can be used as an alternative.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml.
Note: The March 25, 2009, Cisco IOS Security Advisory bundled publication includes eight Security Advisories. All of the advisories address vulnerabilities in Cisco IOS Software. Each advisory lists the releases that correct the vulnerability or vulnerabilities in the advisory. The following table lists releases that correct all Cisco IOS Software vulnerabilities that have been published in Cisco Security Advisories on March 25, 2009, or earlier.
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
CSCsu21828A series of TCP packets may cause a denial of service (DoS) condition on Cisco IOS devices that are configured as Easy VPN servers with the Cisco Tunneling Control Protocol (cTCP) encapsulation feature. Cisco has released free software updates that address this vulnerability. No workarounds are available; however, the IPSec NAT traversal (NAT-T) feature can be used as an alternative.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml.
Note: The March 25, 2009, Cisco IOS Security Advisory bundled publication includes eight Security Advisories. All of the advisories address vulnerabilities in Cisco IOS Software. Each advisory lists the releases that correct the vulnerability or vulnerabilities in the advisory. The following table lists releases that correct all Cisco IOS Software vulnerabilities that have been published in Cisco Security Advisories on March 25, 2009, or earlier.
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
CSCsv38166The server side of the Secure Copy (SCP) implementation in Cisco IOS software contains a vulnerability that could allow authenticated users with an attached command-line interface (CLI) view to transfer files to and from a Cisco IOS device that is configured to be an SCP server, regardless of what users are authorized to do, per the CLI view configuration. This vulnerability could allow valid users to retrieve or write to any file on the device's file system, including the device's saved configuration and Cisco IOS image files, even if the CLI view attached to the user does not allow it. This configuration file may include passwords or other sensitive information.
The Cisco IOS SCP server is an optional service that is disabled by default. CLI views are a fundamental component of the Cisco IOS Role-Based CLI Access feature, which is also disabled by default. Devices that are not specifically configured to enable the Cisco IOS SCP server, or that are configured to use it but do not use role-based CLI access, are not affected by this vulnerability.
This vulnerability does not apply to the Cisco IOS SCP client feature.
Cisco has released free software updates that address this vulnerability.
There are no workarounds available for this vulnerability apart from disabling either the SCP server or the CLI view feature if these services are not required by administrators.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml.
CSCsu11522A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS software that can be exploited remotely to cause a reload of the Cisco IOS device.
Cisco has released free software updates that address this vulnerability. There are no workarounds available to mitigate the vulnerability apart from disabling SIP, if the Cisco IOS device does not need to run SIP for VoIP services. However, mitigation techniques are available to help limit exposure to the vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml.
CSCsk64158Symptom Several features within Cisco IOS software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked, transit traffic will not block the interface.
Conditions
Workaround
CSCsj27458 IOS display "Using -1 out of xx bytes" after "erase nvram"/"show start"Symptom The following message is seen when giving the command <CmdBold> show startup-config <noCmdBold>
"Using -1 out of xxxxx bytes"
This error message is misleading. This caveat does not affect the functionality.Conditions
Workaround
CSCsj31168 Loopback remote payload failed in 2800.Symptom Loopback remote payload failed for 2800 routers.
Conditions
Workaround
CSCsk41593 PAK_SUBBLOCK error found when ping with >1500-byte over cellular inter.Symptom The following error occurs when a ping packet is sent or received:
PAK_SUBBLOCK_ALREADY: 2 -Process= "IP Input"Conditions
Workaround
CSCso30142 Traceback due to channel-group configuration.Symptom Traceback is generated during boot up.
Conditions
Workaround
CSCso39750 router crashes at socket_inherit_fd after no ccm sccp.CSCso39964 QoS:router hangs while removing class-map.Symptom The router hangs when attempts are made to modify pure ACL configuration while traffic is still flowing.
Conditions
Workaround
CSCso41513 helper-address triggers ARP for non directly connected server.Symptom When using the <CmdBold>ip helper-address<noCmdBold> command to forward directed broadcast, an incomplete ARP entry will be created for the helper-address configured even if it is not a directly connected subnet. This may break BOOTP forwarding to the DHCP server.
Conditions
Workaround
Alternate Workaround: Configure static ARP on the router for the helper-address pointing towards the next hop.
CSCso52548 parser breakage in crypto isakmp key <> CLI.Symptom crypto isakmp key cli parser mode breakage.
Conditions
Workaround
Further information: Not service impacting. Only that, crypto isakmp key <0/6> ? option gives "% Ambiguous command" instead of WORD for (UNENCRYPTED/ENCRYPTED) password.
CSCso61743 Router crashes@stcapp_free_supported_codec_list when stop/start stcapp.Symptom Router crashes when stcapp is disabled, stcapp ccm-group is removed from configuration, and then stcapp is re-enabled.
Conditions
Workaround
CSCsq20970 ATM option missing, while configuring T1 controller for mode atm.Symptom On the 2432 platform UUT, the 'atm' option is missing in the 'mode' CLI when the T1 controller is being configured for ATM.
Conditions
Workaround
CSCsq91960 failed to delete vrf when it is 32 characters long.Symptom VRF may not get deleted if the VRF NAME size is 32 characters on a dual RP HA/SSO router.
Conditions
•
•
Workaround
CSCsq97697 No dialtone is heard when an outgoing call is made right after call disc.Symptom Sometimes dialtone is not heard when user disconnects the existing call and immediately makes another outgoing call via hookflash.
Conditions
Workaround
CSCsr06625 telephony-service command throws % Invalid input detected.CSCsr27960 Traceback observed after configuring credential under sip-ua.Symptom Traceback observed when configuring credentials CLI under sip-ua.
Conditions
Workaround
CSCsr68545 Error %DATACORRUPTION-1-DATAINCONSISTENCY when running ipsla with rtt.Symptom Error message occurs:
000302: Jul 24 13:00:13.575 CDT: %DATACORRUPTION-1-DATAINCONSISTENCY: copyerror -Traceback= 0x410FD1A4 0x41119DB0 0x41138324 0x41DE5714Conditions
Workaround
CSCsr74835 incorrect uses of sprintf() in tcp/telnet.c.Symptom Certain sprintf() calls in tcp/telnet.c are incorrect.
Conditions
Workaround
CSCsr78883 Router console displays messages "Data corruption Data Inconsistency.Symptom There will be traceback on configuring mls qos cos pass-through dscp in supporting interface mode.
Conditions
Workaround
Further Problem Description: Due to the buffer overflow, there will be traceback when configuring the QoS in the supporting interface. Currently the CLI is not supported in most network modules, and is thus, invisible to the users.
CSCsr92741 TCP packets with zero fields misbehavior.Symptom When a TCP packet with all fields set to "zero" (at a tcp level) is sent to a remote router (whether using ipv4 and IPv6). The destination router (to which the destination IP belongs), will send a ACK/RST flag set TCP packet back to the source.
Workaround
CSCsu24050 Multiple PRC_NON_COMPLIANCE tracebacks found on configuring stcapp FAC.CSCsu58305 c880 build breaks due to stricter compiler flags in the throttle branch.CSCsu64215 ip tcp adjust-mss command results in packet loss for non-TCP traffic.Symptom Router may incorrectly drop non TCP traffic. TFTP and EIGRP traffic can be impacted as seen in CSCsv89579.
Conditions
Workaround
CSCsv13562 Router crashes due to double free of ccb->call_info.origRedirectNumber.Symptom The router crashes due to double free scenarios. While handling 302 response, "ccb->call_info.origRedirectNumber" attempts a double free due to signaling forking.
Conditions
Workaround
CSCsv54651 Crafted VTP packet could cause a crash.Cisco's VTP protocol implementation in some versions of Cisco IOS and CatOS may be vulnerable to a DoS attack via a specially crafted VTP packet sent from the local network segment when operating in either server or client VTP mode. When the device receives the specially crafted VTP packet, the switch may crash (and reload/hang). The crafted packet must be received on a switch interface configured to operate as a trunk port.
Workaround
This response is posted at http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml
CSCsv84605 When phone is onhook, media shouldn't be handled.Symptom Reporting port hang. The symptom is that when the port is blocked, the underlying low layer (VPM, VTSP) is already in clean IDLE state, but STCAPP keeps itself in the REM_ONHOOK_PEND -> CONNECTING -> ACTIVE_PENDING -> ONHOOK_PEND -> REM_ONHOOK_PEND loop.
Conditions
Workaround
Open Caveats - Release 12.4(20)YA1
There are no open caveats in this release.
Resolved Caveats - Release 12.4(20)YA1
CSCsu70214A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
CSCsw47076A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
CSCsv48603A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
CSCsx07114A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
CSCsu50252A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
CSCsy54122A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
CSCsy15227Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.
There are no workarounds that mitigate this vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090923-auth-proxy.shtml
CSCsz38104The H.323 implementation in Cisco IOS Software contains a vulnerability that can be exploited remotely to cause a device that is running Cisco IOS Software to reload. Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate the vulnerability apart from disabling H.323 if the device that is running Cisco IOS Software does not need to run H.323 for VoIP services. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-h323.shtml.
CSCsq58779Cisco IOS devices that are configured for Cisco Unified Communications Manager Express (CME) and the Extension Mobility feature are vulnerable to a buffer overflow vulnerability. Successful exploitation of this vulnerability may result in the execution of arbitrary code or a Denial of Service (DoS) condition on an affected device.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-cme.shtml.
CSCsr18691Cisco IOS devices that are configured with Cisco IOS Zone-Based Policy Firewall Session Initiation Protocol (SIP) inspection are vulnerable to denial of service (DoS) attacks when processing a specific SIP transit packet. Exploitation of the vulnerability could result in a reload of the affected device.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available within the workarounds section of the posted advisory.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ios-fw.shtml
CSCsy07555Cisco IOS devices that are configured for Internet Key Exchange (IKE) protocol and certificate based authentication are vulnerable to a resource exhaustion attack. Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 security associations (SA) and prevent the establishment of new IPsec sessions.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-ipsec.shtml
CSCee72997Cisco IOS devices that are configured for Internet Key Exchange (IKE) protocol and certificate based authentication are vulnerable to a resource exhaustion attack. Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 security associations (SA) and prevent the establishment of new IPsec sessions. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-ipsec.shtml
CSCsu24505Cisco IOS Software with support for Network Time Protocol (NTP) version (v4) contains a vulnerability processing specific NTP packets that will result in a reload of the device. This results in a remote denial of service (DoS) condition on the affected device.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available and are documented in the workarounds section of the posted advisory.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ntp.shtml
CSCsv75948Cisco IOS Software with support for Network Time Protocol (NTP) version (v4) contains a vulnerability processing specific NTP packets that will result in a reload of the device. This results in a remote denial of service (DoS) condition on the affected device.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available and are documented in the workarounds section of the posted advisory.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ntp.shtml
CSCsx25880A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that could allow an unauthenticated attacker to cause a denial of service (DoS) condition on an affected device when the Cisco Unified Border Element feature is enabled. Cisco has released free software updates that address this vulnerability. For devices that must run SIP there are no workarounds; however, mitigations are available to limit exposure of the vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-sip.shtml.
CSCsq24002Cisco IOS Software contains a vulnerability that could allow an attacker to cause a Cisco IOS device to reload by remotely sending a crafted encryption packet. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tls.shtml.
CSCsq31776Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
CSCsx70889Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
CSCsh97579Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
CSCsq13348The Cisco IOS Intrusion Prevention System (IPS) feature contains a vulnerability in the processing of certain IPS signatures that use the SERVICE.DNS engine. This vulnerability may cause a router to crash or hang, resulting in a denial of service condition.
Cisco has released free software updates that address this vulnerability. There is a workaround for this vulnerability.
Note
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml.CSCsr56699 CME router crashes when invoking call features while AIM-IPS-K9 is enabled.Symptom Router crashes.
Conditions
Workaround
CSCej70453 Unable to control application: OER Route Map Failure.Symptom OER Application Aware Routing will not work on 2600.
Workaround
CSCso56129 %SYS-2-BADSHARE: Bad refcount in datagram_done monitoring cme/cue calls.Symptom Bad Refcount with tracebacks seen.
Conditions
Workaround
CSCsq19144 AAA downloaded PBR not getting installed.Symptom User-specific policy-based routes that are downloaded from the AAA server using Attribute 104 may not be installed.
Conditions
Workaround
CSCsr16050 Ping fails from Service-Module-Engine to networks not directly connected.Open Caveats - Release 12.4(20)YA
There are no open caveats in this release.
Resolved Caveats - Release 12.4(20)YA
There are no resolved caveats in this release.
Additional References
Use this release note with the documents and websites in this release note and the documents listed in the following sections:
Release-Specific Documents
The following documents are specific to Release 12.4 and apply to Release 12.4(20)YA:
•
•
•
Platform-Specific Documents
Hardware installation guides, configuration and command reference guides, and additional documents specific to the Cisco 2800 series routers are available at:
http://www.cisco.com/en/US/products/ps5854/tsd_products_support_series_home.html
Cisco IOS Software Documentation Set
The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and other supporting documents.
Documentation Modules
Each module in the Cisco IOS documentation set consists of one or more configuration guides and one or more corresponding command references. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Use each configuration guide with its corresponding command reference. Cisco IOS Software Documentation is available in html or pdf form.
Select your release and click the command references, configuration guides, or any other Cisco IOS documentation you need.
Notices
See the "Notices" section in About Cisco IOS Release Notes located at:
http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4xy15/ReleaseNote.html
Use this document in conjunction with the documents listed in the "Additional References" section.
CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2008-2009 Cisco Systems, Inc. All rights reserved.
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)