•Open Caveats in Release 12.2(18)SXD7b
•Resolved Caveats in Release 12.2(18)SXD7b
•Resolved Caveats in Release 12.2(18)SXD7a
•Resolved Caveats in Release 12.2(18)SXD7
•Resolved Caveats in Release 12.2(18)SXD6
•Resolved Caveats in Release 12.2(18)SXD5
•Resolved Caveats in Release 12.2(18)SXD4
•Resolved Caveats in Release 12.2(18)SXD3
•Resolved Caveats in Release 12.2(18)SXD2
•Resolved Caveats in Release 12.2(18)SXD1
•Resolved Caveats in Release 12.2(18)SXD
Resolved Infrastructure Caveats
•CSCsc64976—Resolved in 12.2(18)SXD7b
A vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output of a show buffers command, is passed unchanged to the browser requesting the page. This HTML code could be interpreted by the client browser, potentially executing malicious commands against the device or enabling other cross-site scripting attacks. Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content into which HTML commands have been injected.
Cisco will be making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20051201-http.html
Resolved Management Caveats
•CSCsf07847—Resolved in 12.2(18)SXD7b
Symptoms: Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behaviour by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router.
Conditions: This issue occurs in IOS images that have the fix for CSCse85200.
Workaround: Disable CDP on interfaces where CDP is not required.
Further Problem Description: Because CDP is a Layer-2 protocol, the symptom can only be triggered by routers that reside on the same network segment.
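An added configuration example of the workaround above, not taken from the release notes: CDP stays enabled for the trusted infrastructure link that needs it and is disabled per interface on segments where it is not required. Interface names and descriptions are assumed.

```ios
! Added example, not from the release notes. Interface names are assumed.
! CDP remains enabled globally so that trusted infrastructure links keep it.
cdp run
!
! Uplink to a trusted neighbour switch: CDP left enabled (the default).
interface GigabitEthernet1/1
 description Uplink to core (trusted neighbour)
 cdp enable
!
! Interfaces facing user or otherwise untrusted segments: CDP disabled.
! CDP is Layer 2, so only hosts on these segments could send crafted CDP frames,
! and disabling CDP here removes the processing path entirely.
interface GigabitEthernet2/1
 description User access segment
 no cdp enable
!
! If nothing attached to the device needs CDP at all, disable it globally instead:
! no cdp run
!
! Verification: CDP should be listed only on the interfaces where it is wanted.
! show cdp interface
! show cdp neighbors
```

Leaving CDP on the trusted uplink keeps neighbour discovery for operations, while the per-interface `no cdp enable` confines exposure to the links where a crafted packet could not arrive from an untrusted segment.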
Other Resolved Caveats in Release 12.2(18)SXD7b
Resolved Infrastructure Caveats
•CSCsf04754—Resolved in 12.2(18)SXD7a
Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.
The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.
This advisory will be posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20080610-snmpv3.html
Resolved LAN Caveats
•CSCsd34759—Resolved in 12.2(18)SXD7a
Symptom: The VTP feature in certain versions of Cisco IOS software may be vulnerable to a crafted packet sent from the local network segment, which may lead to a denial of service condition.
Conditions: The packets must be received on a trunk enabled port.
Further Information: On 13 September 2006, the Phenoelit Group posted an advisory containing three vulnerabilities:
–VTP Version field DoS
–Integer Wrap in VTP revision
–Buffer Overflow in VTP VLAN name
These vulnerabilities are addressed by Cisco IDs:
–CSCsd52629/CSCsd34759 -- VTP version field DoS
–CSCse40078/CSCse47765 -- Integer Wrap in VTP revision
–CSCsd34855/CSCei54611 -- Buffer Overflow in VTP VLAN name
Cisco's statement and further information are available on the Cisco public website at http://www.cisco.com/en/US/products/csr/cisco-sr-20060913-vtp.html
Resolved Routing Caveats
•CSCsd40334—Resolved in 12.2(18)SXD7a
Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS software. This vulnerability does not affect the IPv6 Type 2 Routing header, which is used in Mobile IPv6. IPv6 is not enabled by default in Cisco IOS.
Cisco has made free software available to address this vulnerability for affected customers.
There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on whether Mobile IPv6 is used and which version of Cisco IOS is currently running.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20070124-IOS-IPv6.html
•CSCec71950—Resolved in 12.2(18)SXD7a
Cisco routers and switches running Cisco IOS or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by this issue.
Cisco has made free software available to address this vulnerability for affected customers.
There are workarounds available to mitigate the effects of the vulnerability.
This vulnerability was discovered during internal testing.
This advisory is available at http://www.cisco.com/en/US/products/csa/cisco-sa-20070124-crafted-ip-option.html
Resolved Unknown Caveats
•CSCsb52717—Resolved in 12.2(18)SXD7a
Symptom: A Cisco router configured for multicast VPN may reload after receiving a malformed MDT data group join packet.
Conditions: Affects all IOS versions that support mVPN MDT.
Workaround: Filter out MDT Data Join messages from the router sending the malformed packet using the Receive Access Control List (rACL) feature. Note that by doing this, the offending router will not be able to participate in the mVPN data trees.
The following example shows how to block malformed MDT Data Join messages that are sent from the device's IP addresses using a receive ACL:
!
ip receive access-list 111
!
access-list 111 deny udp host <ip address of router sending malformed join request> host 224.0.0.13 eq 3232
access-list 111 permit ip any any
!
Note: Ensure that the rACL does not filter critical traffic such as routing protocols or interactive access to the routers. Filtering necessary traffic could result in an inability to remotely access the router, thus requiring a console connection. For this reason, lab configurations should mimic the actual deployment as closely as possible.
As always, Cisco recommends that you test this feature in the lab prior to deployment. For more information on rACLs, refer to "Protecting Your Core: Infrastructure Protection Access Control Lists" at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a0a5e.shtml.
•CSCsd75273—Resolved in 12.2(18)SXD7a
Cisco Catalyst 6500 series and Cisco 7600 series systems that have a Network Analysis Module (NAM) installed are vulnerable to an attack that could allow an attacker to gain complete control of the system. Only Cisco Catalyst systems that have a NAM installed are affected. This vulnerability affects systems that run Internetwork Operating System (IOS) or Catalyst Operating System (CatOS).
Cisco has made free software available to address this vulnerability for affected customers.
A Cisco Security Advisory for this vulnerability is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20070228-nam.html
•CSCse52951—Resolved in 12.2(18)SXD7a
Same vulnerability as CSCsd75273 above (Network Analysis Module on Catalyst 6500 and Cisco 7600 systems). A Cisco Security Advisory for this vulnerability is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20070228-nam.html
Resolved Voice Caveats
•CSCsc60249—Resolved in 12.2(18)SXD7a
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–Session Initiation Protocol (SIP)
–Media Gateway Control Protocol (MGCP)
–Signaling protocols H.323, H.245
–Real-time Transport Protocol (RTP)
–Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20070808-IOS-voice.html.
Other Resolved Caveats in Release 12.2(18)SXD7a
Resolved AAA Caveats
•CSCed09685—Resolved in 12.2(18)SXD7
Symptoms: When command accounting is enabled, Cisco IOS routers will send the full text of each command to the ACS server. Though this information is sent to the server encrypted, the server will decrypt the packet and log these commands to the logfile in plain text. Thus sensitive information like passwords will be visible in the server's log files.
Conditions: This problem happens only with command accounting enabled.
Workaround: Disable command accounting.
Other Resolved Caveats in Release 12.2(18)SXD7
Resolved AAA Caveats
•CSCee45312—Resolved in 12.2(18)SXD5
Remote Authentication Dial In User Service (RADIUS) authentication on a device that is running certain versions of Cisco Internetworking Operating System (IOS) and configured with a fallback method to none can be bypassed.
Systems that are configured for other authentication methods or that are not configured with a fallback method to none are not affected.
Only the systems that are running certain versions of Cisco IOS are affected. Not all configurations using RADIUS and none are vulnerable to this issue. Some configurations using RADIUS, none and an additional method are not affected.
Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
More details can be found in the security advisory, which is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20050629-aaa.html
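An added configuration example, not taken from the release notes or the advisory, showing the method list shape the caveat describes ("fallback method to none") beside a corrected list that falls back to the local user database instead. RADIUS server address, shared secret, local account and line numbers are assumed.

```ios
! Added example, not from the release notes. Addresses, key and account are assumed.
!
! Weak: "none" as the fallback method. Whenever the RADIUS step does not return
! a decision, the list falls through to "none" and the login succeeds with no
! credentials checked at all. This is the configuration shape the caveat affects.
aaa new-model
aaa authentication login default group radius none
!
! Corrected: fall back to the local user database rather than to "none", so a
! RADIUS failure still requires a locally configured account and password.
username admin privilege 15 secret <strong-local-password>
aaa authentication login default group radius local
radius-server host 192.0.2.20 key <shared-secret>
!
! Apply the method list explicitly on the management lines.
line vty 0 4
 login authentication default
!
! Verification: no "none" keyword should remain in the authentication lists.
! show running-config | include aaa authentication
```

The design point is that a fallback exists for the case where the RADIUS servers are unreachable, but the fallback still authenticates; `none` is a fallback that authenticates nothing, which is why the advisory singles it out.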
Resolved Unknown Caveats
•CSCsa67611—Resolved in 12.2(18)SXD5
For packets that arrive MPLS-tagged and leave as untagged IP (the tag-to-IP case), output features such as an egress ACL or egress WCCP may no longer be applied after a reload of the switch.
This has been seen with 12.2(17b)SXB6 and 12.2(18d)SXD2.
Packets impacted: a packet that enters a Catalyst 6500 with a Supervisor 720 carrying one label and exits the switch on a non-MPLS interface (tag-to-IP path) on which output features are configured (such as an output ACL or output WCCP).
Impact: these packets should always be recirculated because output features are present. After a reload of the switch, recirculation no longer happens, and as a result all such packets bypass the ACL or any other output feature.
Workaround: disable and reapply all output features on the output interface; the output features then start working again.
Other Resolved Caveats in Release 12.2(18)SXD5
Resolved LAN Caveats
•CSCsa67294—Resolved in 12.2(18)SXD4
Symptom: A Cisco Catalyst Switch may reload upon receipt of a malformed VTP packet.
Conditions: The malformed VTP packet must meet the following requirements:
–Must be received on a port configured for ISL or 802.1q trunking AND
–Must correctly match the VTP domain name
This does not affect switch ports configured for the voice VLAN.
Affected platforms:
–Cisco 2900XL Series
–Cisco 2900XL LRE Series
–Cisco 2940 Series
–Cisco 2950 Series
–Cisco 2950-LRE Series
–Cisco 2955 Series
–Cisco 3500XL Series
–Cisco IGESM
No other Cisco devices are known to be vulnerable to this issue.
Workarounds:
Customers may want to connect ports configured for trunking to known, trusted devices.
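An added configuration example, not taken from the release notes: since the malformed packet must be received on a trunk-enabled port, the exposure is reduced by confining trunking to the uplink that connects to a known, trusted switch and forcing every other port into static access mode so that it can never negotiate itself into a trunk. Interface names and VLAN number are assumed, and the DTP hardening shown is a general practice, not a workaround stated in the caveat.

```ios
! Added example, not from the release notes. Interface names and VLAN are assumed.
!
! The only trunk is the uplink to a known, trusted switch. It is configured as a
! static trunk; DTP negotiation is switched off so the trunk state is not
! something a neighbour can influence.
interface GigabitEthernet0/1
 description Trunk to trusted distribution switch
 switchport mode trunk
 switchport nonegotiate
!
! User-facing ports are static access ports with DTP disabled, so they never
! become trunk-enabled and therefore never process VTP frames.
interface range FastEthernet0/1 - 24
 description User-facing ports: never trunk
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Verification: only the trusted uplink should appear, with mode "on".
! show interfaces trunk
! show interfaces FastEthernet0/1 switchport
```

On platforms that support ISL as well as 802.1Q, the trunk interface also needs `switchport trunk encapsulation dot1q` before `switchport mode trunk`; on 802.1Q-only platforms such as the Catalyst 2950 that command does not exist.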
Resolved Management Caveats
•CSCdz54403—Resolved in 12.2(18)SXD4
Symptoms: A Cisco router may crash when IPSec IKE SNMP variables are retrieved, and a bus error and a traceback may be logged.
Conditions: This symptom is observed when at least one SA is established. The symptom does not always occur, but when you retrieve the IPSec IKE SNMP variables once every 10 minutes, the router eventually crashes after a few hours.
Workaround: Block access to the CISCO-IPSEC-FLOW-MONITOR-MIB (or just the cikeTunnelTable) using SNMP views, so that no one walks this MIB and causes this crash.
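An added configuration example of the SNMP view workaround above, not taken from the release notes. It builds a view that includes the whole tree except the CISCO-IPSEC-FLOW-MONITOR-MIB subtree (enterprise OID 1.3.6.1.4.1.9.9.171) and binds that view to both a community and an SNMPv3 group. View name, group name, ACL number and the management station address 192.0.2.10 are constructed for the example.

```ios
! Added example, not from the release notes. View/group names, ACL and addresses are assumed.
!
! A view covering the whole tree, minus the CISCO-IPSEC-FLOW-MONITOR-MIB subtree.
! A poller restricted to this view cannot retrieve the IKE variables at all.
snmp-server view NO-IPSEC-MIB iso included
snmp-server view NO-IPSEC-MIB 1.3.6.1.4.1.9.9.171 excluded
!
! To exclude only cikeTunnelTable rather than the whole MIB, replace the OID
! above with the table's OID taken from the CISCO-IPSEC-FLOW-MONITOR-MIB file.
!
! Only the management station may poll, and only through the restricted view.
access-list 10 permit host 192.0.2.10
snmp-server community <read-only-community> view NO-IPSEC-MIB RO 10
!
! SNMPv3 equivalent: the group's read access is limited to the same view.
snmp-server group MONITOR v3 priv read NO-IPSEC-MIB access 10
!
! Verification: the excluded subtree should show as "excluded" in the view.
! show snmp view
```

Excluding the subtree in the view is the durable form of "avoid polling": it holds even if a monitoring system is later reconfigured to walk the whole tree.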
•CSCed11835—Resolved in 12.2(18)SXD4
Symptoms: A Cisco 7200 VXR router that terminates a large number of IPSec tunnels may restart unexpectedly.
Conditions: This symptom is observed when IKE MIB variables are being polled on the router.
Workaround: Avoid polling of IKE MIB variables.
Resolved Routing Caveats
•CSCef68324—Resolved in 12.2(18)SXD4
Cisco Internetwork Operating System (IOS) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Cisco has made free software available to address this vulnerability for all affected customers.
More details can be found in the security advisory that is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20050729-ipv6.html
•CSCef61610—Resolved in 12.2(18)SXD4
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20050412-icmp.html.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected.
•CSCef60659—Resolved in 12.2(18)SXD4
Same issue as CSCef61610 above: the ICMP attacks against TCP described in the IETF Internet Draft "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt). This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20050412-icmp.html.
•CSCef67682—Resolved in 12.2(18)SXD4
Reception of certain IPv6 fragments with carefully crafted illegal contents may cause a router running Cisco IOS to reload if it has IPv6 configured. This applies to all versions of Cisco IOS that include support for IPv6.
The system may be protected by installing appropriate access lists to filter all IPv6 fragments destined for the system. For example:
interface Ethernet0/0
ipv6 traffic-filter nofragments in
!
ipv6 access-list nofragments
deny ipv6 any <my address1> undetermined-transport
deny ipv6 any <my address2> fragments
permit ipv6 any any
This must be applied across all interfaces, and must be applied to all IPv6 addresses which the system recognises as its own.
This will effectively disable reassembly of all IPv6 fragments. Some networks may rely on IPv6 fragmentation, so careful consideration should be given before applying this workaround.
We recommend that customers upgrade to the fixed IOS release. All IOS releases listed in the IPv6 Routing Header Vulnerability Advisory at http://www.cisco.com/en/US/products/csa/cisco-sa-20070124-IOS-IPv6.html contain fixes for this issue.
Resolved Unknown Caveats
•CSCee59999—Resolved in 12.2(18)SXD4
Symptoms: When auto-reconnect is configured on an EzVPN server and an EzVPN client attempts to connect, failures may occur in AAA accounting.
The output of the debug crypto isakmp aaa command on the EzVPN server shows an error message such as the following:
ISAKMP AAA: Unable to send AAA Accounting Start %CRYPTO-4-IPSEC_AAA_START_FAILURE: IPSEC Accounting was unable to send start record
Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3 or Release 12.3(8)T or a later release and that functions as an EzVPN server.
Workaround: There is no workaround.
•CSCef44225—Resolved in 12.2(18)SXD4
Same issue as CSCef61610 above: the ICMP attacks against TCP described in the IETF Internet Draft "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt). This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20050412-icmp.html. The disclosure is coordinated by the National Infrastructure Security Coordination Centre (NISCC).
Other Resolved Caveats in Release 12.2(18)SXD4
Resolved Unknown Caveats
•CSCef90002—Resolved in 12.2(18)SXD3
Cisco Catalyst 6500 series systems that are running certain versions of Cisco Internetwork Operating System (IOS) are vulnerable to an attack from a Multi Protocol Label Switching (MPLS) packet. Only the systems that are running in Hybrid Mode (Catalyst OS (CatOS) software on the Supervisor Engine and IOS Software on the Multilayer Switch Feature Card (MSFC)) or running with Cisco IOS Software Modularity are affected.
MPLS packets can only be sent from the local network segment.
A Cisco Security Advisory for this vulnerability is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20070228-mpls.html
Other Resolved Caveats in Release 12.2(18)SXD3
Resolved Routing Caveats
•CSCee67450—Resolved in 12.2(18)SXD2
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. Only devices with the command bgp log-neighbor-changes configured are vulnerable. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet.
Cisco has made free software available to address this problem.
This issue is tracked by CERT/CC VU#689326.
This advisory will be posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20050126-bgp.html
Other Resolved Caveats in Release 12.2(18)SXD2
Resolved IPServices Caveats
•CSCed78149—Resolved in 12.2(18)SXD1
Same issue as CSCef61610 above: the ICMP attacks against TCP described in the IETF Internet Draft "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt). This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20050412-icmp.html. The disclosure is coordinated by the National Infrastructure Security Coordination Centre (NISCC).
Resolved Routing Caveats
•CSCef48336—Resolved in 12.2(18)SXD1
OSPF is a routing protocol defined by RFC 2328. It is designed to manage IP routing inside an Autonomous System (AS). OSPF packets use IP protocol number 89.
A vulnerability exists in the processing of an OSPF packet that can be exploited to cause the reload of a system.
Since OSPF needs to process unicast packets as well as multicast packets, this vulnerability can be exploited remotely. It is also possible for an attacker to target multiple systems on the local segment at a time.
OSPF authentication can be used to mitigate the effects of this vulnerability. Using OSPF authentication is a highly recommended security best practice.
A Cisco device receiving a malformed OSPF packet will reset and may take several minutes to become fully functional. This vulnerability may be exploited repeatedly, resulting in an extended DoS attack.
Workarounds:
–Using OSPF Authentication
OSPF authentication may be used as a workaround. OSPF packets without a valid key will not be processed. MD5 authentication is highly recommended, due to inherent weaknesses in plain text authentication. With plain text authentication, the authentication key will be sent unencrypted over the network, which can allow an attacker on a local network segment to capture the key by sniffing packets.
Refer to http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml for more information about OSPF authentication.
–Infrastructure Access Control Lists
Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The white paper "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection ACLs: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
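An added configuration example combining the two workarounds above, not taken from the release notes or the referenced white paper: OSPF MD5 authentication on an internal link, and an infrastructure ACL on a border interface that drops OSPF (IP protocol 89) addressed to the infrastructure address space and to the OSPF multicast groups. Interface names, the 10.0.0.0/24 infrastructure range, process number and key are assumed.

```ios
! Added example, not from the release notes. Interfaces, addresses and key are assumed.
!
! Workaround 1: OSPF MD5 authentication. Packets without a valid digest are
! discarded before OSPF processes them, so a malformed packet from an
! unauthenticated source never reaches the vulnerable code path.
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 area 0 authentication message-digest
!
interface GigabitEthernet1/1
 ip address 10.0.0.1 255.255.255.0
 ip ospf message-digest-key 1 md5 <strong-key>
! Per-interface alternative to the area-wide command above:
! ip ospf authentication message-digest
!
! Workaround 2: infrastructure ACL at the network border. OSPF should never
! arrive from outside addressed to infrastructure addresses or to the OSPF
! multicast groups (224.0.0.5 AllSPFRouters, 224.0.0.6 AllDRouters).
ip access-list extended INFRA-PROTECT
 deny ospf any 10.0.0.0 0.0.0.255
 deny ospf any host 224.0.0.5
 deny ospf any host 224.0.0.6
 permit ip any any
!
interface GigabitEthernet2/1
 description Border link to external network
 ip access-group INFRA-PROTECT in
!
! Verification:
! show ip ospf interface GigabitEthernet1/1   (reports message digest authentication)
! show ip access-lists INFRA-PROTECT          (hit counts on the deny entries)
```

The `permit ip any any` at the end keeps the example focused on protocol 89; a production infrastructure ACL, as the white paper describes, also denies other traffic from outside destined to the infrastructure address space and permits only the transit traffic the border is expected to carry.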
Resolved Unknown Caveats
•CSCin82407—Resolved in 12.2(18)SXD1
Cisco Internetwork Operating System (IOS) Software release trains 12.2T, 12.3 and 12.3T may contain vulnerabilities in processing certain Internet Key Exchange (IKE) Xauth messages when configured to be an Easy VPN Server.
Successful exploitation of these vulnerabilities may permit an unauthorized user to complete authentication and potentially access network resources.
This advisory will be posted to http://www.cisco.com/en/US/products/csa/cisco-sa-20050406-xauth.html
Other Resolved Caveats in Release 12.2(18)SXD1