Sign-up

VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-200809-0209 CVE-2008-3637 Apple Mac OS X  is running on  Java  of  HMAC  provider   Vulnerability to execute arbitrary code in CVSS V2: 9.3
CVSS V3: 8.8
Severity: HIGH
The Hash-based Message Authentication Code (HMAC) provider in Java on Apple Mac OS X 10.4.11, 10.5.4, and 10.5.5 uses an uninitialized variable, which allows remote attackers to execute arbitrary code via a crafted applet, related to an "error checking issue.". Successful exploits will allow an attacker to run arbitrary code in the context of the affected software. Failed exploit attempts may result in denial-of-service conditions. This issue affects the following: Mac OS X 10.5.5 (and prior versions) Mac OS X Server 10.5.5 (and prior versions) Mac OS X 10.4.11 (and prior versions) Mac OS X Server 10.4.11 (and prior versions). It is related to a "false detection vulnerability". ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Mac OS X Java Multiple Vulnerabilities SECUNIA ADVISORY ID: SA32018 VERIFY ADVISORY: http://secunia.com/advisories/32018/ CRITICAL: Highly critical IMPACT: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/advisories/product/96/ DESCRIPTION: Some vulnerabilities have been reported and acknowledged in Java for Mac OS X, which can be exploited by malicious people to cause a DoS (Denial of Service), to bypass certain security restrictions, disclose system information or potentially sensitive information, or to compromise a vulnerable system. 2) An error in the Java plug-in within the handling of "file://" URLs can be exploited to launch local files when a user visits a web page containing a specially crafted java applet. 3) Some vulnerabilities in Java 1.4.2_16 and Java 1.5.0_13 can be exploited by malicious people to cause a DoS (Denial of Service), to bypass certain security restrictions, disclose system information or potentially sensitive information, or to compromise a vulnerable system. For more information: SA29239 SA31010 SOLUTION: -- Java for Mac OS X 10.4 -- Update to Release 7: http://www.apple.com/support/downloads/javaformacosx104release7.html -- Java for Mac OS X 10.5 -- Apply Update 2: http://www.apple.com/support/downloads/javaformacosx105update2.html PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Radim Marek. 2) The vendor credits Nitesh Dhanjani and Billy Rios. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT3179 http://support.apple.com/kb/HT3178 OTHER REFERENCES: SA28115 http://secunia.com/advisories/28115/ SA29239: http://secunia.com/advisories/29239/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-200809-0037 CVE-2008-3803 Cisco IOS of Multiprotocol Label Switching (MPLS) VPN Vulnerability to read communication in CVSS V2: 5.1
CVSS V3: -
Severity: MEDIUM
A "logic error" in Cisco IOS 12.0 through 12.4, when a Multiprotocol Label Switching (MPLS) VPN with extended communities is configured, sometimes causes a corrupted route target (RT) to be used, which allows remote attackers to read traffic from other VPNs in opportunistic circumstances. Cisco IOS (Internetwork Operating System) is an operating system commonly used on Cisco routers and network switches. This vulnerability is tracked by Cisco Bug ID CSCee83237 and CVE-2008-3803. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Cisco IOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA31990 VERIFY ADVISORY: http://secunia.com/advisories/31990/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/advisories/product/50/ Cisco IOS 12.x http://secunia.com/advisories/product/182/ DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or to compromise a vulnerable system. 1) An unspecified error exists in the processing of SSL packets during the termination of an SSL session, which can potentially be exploited to crash an affected system. 2) Two unspecified errors exist within the processing of Protocol Independent Multicast (PIM) packets, which can be exploited to cause an affected device to reload. 3) Unspecified errors within the processing of segmented Skinny Call Control Protocol (SCCP) messages can be exploited to cause a Cisco IOS device to reload. Successful exploitation requires that the device is configured with Network Address Translation (NAT) SCCP Fragmentation Support. 4) A memory leak in the processing of Session Initiation Protocol (SIP) messages can be exploited to cause a DoS for all voice services. 5) Multiple unspecified errors exist in the processing of SIP messages, which can be exploited to cause a reload of an affected device. 6) An unspecified error in the IOS Intrusion Prevention System (IPS) feature when processing certain IPS signatures that use the SERVICE.DNS engine can be exploited to cause a DoS via specially crafted network traffic. NOTE: This security issue was introduced with CSCee83237. 8) An unspecified error within the Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a DoS via specially crafted network packets. Successful exploitation requires access to the MPLS network. 9) An unspecified error within the Application Inspection Control (AIC) can be exploited to cause a reload of an affected device via specially crafted HTTP packets. 10) An unspecified error in the processing of Layer 2 Tunneling Protocol (L2TP) packets can be exploited to cause an affected device to reload via a specially crafted L2TP packets. Successful exploitation requires that the L2TP mgmt daemon process is running. This process may be enabled e.g. via Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up Networks (VPDN). 11) An unspecified error exists in the processing of IPC messages. This can be exploited to reload an affected device via a specially crafted UDP packet sent to port 1975. 12) A security issue is caused due to the device automatically enabling SNMP with a default community string, which can be exploited to gain control an affected system. Successful exploitation requires that a device is configured for linecard redundancy. SOLUTION: Update to the fixed version (please see the vendor's advisories for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Workarounds are available to help mitigate this vulnerability. This issue is triggered by a logic error when processing extended communities on the PE device. This issue cannot be deterministically exploited by an attacker. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml NOTE: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory. Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008: http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml Individual publication links are listed below: * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml Affected Products ================= Products running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for MPLS VPNs or VRF Lite are potentially affected. Cisco IOS releases based on 12.1 are not affected. Vulnerable Products +------------------ Cisco IOS devices are vulnerable if they are configured for MPLS VPN or VRF Lite and have a BGP session between the CE and PE devices, and process extended communities. If a device is configured for MPLS VPN or VRF Lite the command address-family ipv4 vrf <vrf-name> or address-family ipv6 vrf <vrf-name> will be present in the device configuration. The following shows a command executed on a device configured for MPLS VPN: router#show running-config | include address-family [ipv4|ipv6] address-family ipv4 vrf <vrf-name> The following shows a PE device configured for an IPv4 BGP session between the PE and the CE: router bgp <Local AS> address-family ipv4 vrf one neighbor <neighbor IP> remote-as < Remote AS> neighbor <neighbor IP> activate To determine the software running on a Cisco product, log in to the device and issue the "show version" command to display the system banner. On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the "show version" command or will give different output. The following example identifies a Cisco product that is running Cisco IOS release 12.4(11)T2: Router#show version Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Tue 01-May-07 04:19 by prod_rel_team <output truncated> Additional information on the Cisco IOS release naming conventions can be found on the document entitled "White Paper: Cisco IOS Reference Guide", which is available at http://www.cisco.com/warp/public/620/1.html Products Confirmed Not Vulnerable +-------------------------------- Cisco products not configured for MPLS VPNs or VRF Lite are unaffected by this vulnerability. Cisco products that do not run IOS are unaffected by this vulnerability. Cisco IOS-XR is not affected. No other Cisco products are currently known to be affected by this vulnerability. Details ======= MPLS VPNs allow for the creation of 'virtual networks' that customers can use to segregate traffic into multiple, isolated VPNs. Traffic within each MPLS VPN is kept separate from the others, thereby maintaining a virtual private network. More information on MPLS and MPLS VPNs is available at the following link: http://www.cisco.com/en/US/products/ps6557/products_ios_technology_home.html A bug exists when processing extended communities with MPLS VPNs. If this occurs, traffic can leak from one MPLS VPN to another. The following two examples of this scenario are the most common: 1) MPLS VPN configuration with BGP running inside the VRF between the PE and CE devices. 2) MPLS Inter-AS option A with BGP running between the Autonomous System Border Routers (ASBR). The mitigation in the Workarounds section filters extended communities on a PE device, preventing them from being received by devices configured for MPLS VPN. Cisco IOS images that do not include CSCee83237 are not vulnerable to this issue. It is important to note that this condition cannot be triggered by an attacker and that the condition does not provide ways to determine the flow of traffic between VPNs. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CVSS Base Score - 5.1 Access Vector - Network Access Complexity - High Authentication - None Confidentiality Impact - Partial Integrity Impact - Partial Availability Impact - Partial CVSS Temporal Score - 4.2 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== This vulnerability may cause traffic to be improperly routed between MPLS VPNs, which may lead to a breach of confidentiality. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +-------------------------------------------------------------------+ | Major | Availability of Repaired Releases | | Release | | |--------------+----------------------------------------------------| | Affected | | Recommended | | 12.0-Based | First Fixed Release | Release | | Releases | | | |--------------+----------------------------------+-----------------| | 12.0 | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0DA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0DB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0DC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | | 12.0(30)S5 | | | | | 12.0(32)S11 | | 12.0S | 12.0(31)S3 | | | | | 12.0(33)S1 | | | 12.0(32)S | | |--------------+----------------------------------+-----------------| | 12.0SC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0SL | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0SP | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0ST | Not Vulnerable | | |--------------+----------------------------------+-----------------| | | | 12.0(32)S11 | | 12.0SX | Vulnerable; first fixed in 12.0S | | | | | 12.0(33)S1 | |--------------+----------------------------------+-----------------| | 12.0SY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | | | 12.0(32)S11 | | 12.0SZ | 12.0(30)SZ4 | | | | | 12.0(33)S1 | |--------------+----------------------------------+-----------------| | 12.0T | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0W | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0WC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0WT | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XE | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XF | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XG | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XH | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XI | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XJ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XK | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XL | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XM | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XN | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XQ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XR | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XS | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XT | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.0XV | Not Vulnerable | | |--------------+----------------------------------+-----------------| | Affected | | Recommended | | 12.1-Based | First Fixed Release | Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.1 based releases | |-------------------------------------------------------------------| | Affected | | Recommended | | 12.2-Based | First Fixed Release | Release | | Releases | | | |--------------+----------------------------------+-----------------| | 12.2 | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2B | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2BC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2BW | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2BX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2BY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2BZ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2CX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2CY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2CZ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2DA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2DD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2DX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2EW | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2EWA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2EX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2EY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2EZ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2FX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2FY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2FZ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2IRB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2IXA | Vulnerable; migrate to any | 12.2(18)IXG | | | release in 12.2IXD | | |--------------+----------------------------------+-----------------| | 12.2IXB | Vulnerable; migrate to any | 12.2(18)IXG | | | release in 12.2IXD | | |--------------+----------------------------------+-----------------| | 12.2IXC | Vulnerable; migrate to any | 12.2(18)IXG | | | release in 12.2IXD | | |--------------+----------------------------------+-----------------| | 12.2IXD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2IXE | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2IXF | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2IXG | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2JA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2JK | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2MB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2MC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | | 12.2(30)S and later are | 12.2(33)SB2; | | 12.2S | vulnerable. 12.2(25)S and before | Available on | | | are not vulnerable | 26-SEP-08 | |--------------+----------------------------------+-----------------| | | 12.2(28)SB5 | | | | | 12.2(33)SB2; | | 12.2SB | 12.2(31)SB2 | Available on | | | | 26-SEP-08 | | | 12.2(31)SB3x | | |--------------+----------------------------------+-----------------| | | Vulnerable; first fixed in | 12.2(33)SB2; | | 12.2SBC | 12.2SB | Available on | | | | 26-SEP-08 | |--------------+----------------------------------+-----------------| | 12.2SCA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SE | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SEA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SEB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SEC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SED | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SEE | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SEF | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SEG | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SG | 12.2(37)SG | 12.2(46)SG1 | |--------------+----------------------------------+-----------------| | 12.2SGA | 12.2(31)SGA8 | 12.2(31)SGA8 | |--------------+----------------------------------+-----------------| | 12.2SL | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SM | 12.2(29)SM2 | 12.2(29)SM4 | |--------------+----------------------------------+-----------------| | 12.2SO | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SRA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SRB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SRC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SU | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SV | 12.2(29b)SV1 | | |--------------+----------------------------------+-----------------| | 12.2SVA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SVC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SVD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SW | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SXA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SXB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SXD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SXE | Vulnerable; first fixed in | 12.2(18)SXF15 | | | 12.2SXF | | |--------------+----------------------------------+-----------------| | 12.2SXF | 12.2(18)SXF3 | 12.2(18)SXF15 | |--------------+----------------------------------+-----------------| | 12.2SXH | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2SZ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2T | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2TPC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XE | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XF | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XG | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XH | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XI | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XJ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XK | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XL | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XM | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XN | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XNA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XNB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XO | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XQ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XR | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XS | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XT | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XU | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XV | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2XW | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YE | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YF | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YG | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YH | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YJ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YK | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YL | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YM | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YN | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YO | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YP | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YQ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YR | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YS | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YT | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YU | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YV | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YW | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2YZ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZE | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZF | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZG | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZH | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZJ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZL | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZP | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZU | Not Vulnerable | | |--------------+----------------------------------+-----------------| | | Vulnerable; first fixed in | 12.2(33)SB2; | | 12.2ZX | 12.2SB | Available on | | | | 26-SEP-08 | |--------------+----------------------------------+-----------------| | 12.2ZY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.2ZYA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | Affected | | Recommended | | 12.3-Based | First Fixed Release | Release | | Releases | | | |--------------+----------------------------------+-----------------| | 12.3 | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3B | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3BC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3BW | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3EU | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3JA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3JEA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3JEB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3JEC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3JK | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3JL | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3JX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | | | 12.4(15)T7 | | 12.3T | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |--------------+----------------------------------+-----------------| | 12.3TPC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3VA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XE | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XF | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XG | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XI | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XJ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XK | Not Vulnerable | | |--------------+----------------------------------+-----------------| | | | 12.4(15)T7 | | 12.3XL | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |--------------+----------------------------------+-----------------| | 12.3XQ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XR | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XS | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XU | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XW | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3XZ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3YA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3YD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | | Vulnerable; first fixed in | 12.3(14)YX13 | | 12.3YF | 12.3YX | | | | | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.3YG | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3YH | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3YI | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.3YJ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.3YK | 12.3(11)YK3 | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | | | 12.3(14)YM13; | | 12.3YM | 12.3(14)YM10 | Available on | | | | 30-SEP-08 | |--------------+----------------------------------+-----------------| | 12.3YQ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.3YS | 12.3(11)YS2 | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.3YT | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | | | 12.4(2)XB10 | | | Vulnerable; first fixed in | | | 12.3YU | 12.4XB | 12.4(9)XG3 | | | | | | | | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.3YX | 12.3(14)YX7 | 12.3(14)YX13 | |--------------+----------------------------------+-----------------| | 12.3YZ | 12.3(11)YZ2 | | |--------------+----------------------------------+-----------------| | 12.3ZA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | Affected | | Recommended | | 12.4-Based | First Fixed Release | Release | | Releases | | | |--------------+----------------------------------+-----------------| | | 12.4(10c) | | | | | | | | 12.4(12a) | | | | | | | | 12.4(13) | | | | | | | 12.4 | 12.4(3h) | 12.4(18c) | | | | | | | 12.4(5c) | | | | | | | | 12.4(7e) | | | | | | | | 12.4(8d) | | |--------------+----------------------------------+-----------------| | 12.4JA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4JK | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4JL | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4JMA | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4JMB | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4JMC | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4JX | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4MD | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4MR | Not Vulnerable | | |--------------+----------------------------------+-----------------| | | | 12.4(15)SW2; | | 12.4SW | 12.4(11)SW1 | Available on | | | | 28-SEP-08 | |--------------+----------------------------------+-----------------| | | 12.4(11)T2 | | | | | | | | 12.4(15)T | | | | | | | | 12.4(2)T6 | | | 12.4T | | 12.4(15)T7 | | | 12.4(4)T8 | | | | | | | | 12.4(6)T7 | | | | | | | | 12.4(9)T3 | | |--------------+----------------------------------+-----------------| | 12.4XA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.4XB | 12.4(2)XB6 | 12.4(2)XB10 | |--------------+----------------------------------+-----------------| | 12.4XC | 12.4(4)XC7 | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | | | 12.4(4)XD11; | | 12.4XD | 12.4(4)XD7 | Available on | | | | 26-SEP-08 | |--------------+----------------------------------+-----------------| | 12.4XE | 12.4(6)XE3 | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.4XF | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4XG | 12.4(9)XG2 | 12.4(9)XG3 | |--------------+----------------------------------+-----------------| | 12.4XJ | 12.4(11)XJ2 | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.4XK | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.4XL | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4XM | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4XN | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4XP | Vulnerable; contact TAC | | |--------------+----------------------------------+-----------------| | 12.4XQ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4XR | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4XT | 12.4(6)XT1 | 12.4(15)T7 | |--------------+----------------------------------+-----------------| | 12.4XV | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4XW | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4XY | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4XZ | Not Vulnerable | | |--------------+----------------------------------+-----------------| | 12.4YA | Not Vulnerable | | +-------------------------------------------------------------------+ Workarounds =========== Customers running versions of Cisco IOS that support filtering of extended communities can prevent the corruption of the route target (RT) by applying a BGP route-map that removes RT entries on inbound BGP sessions. The following configuration example applied in the ipv4 address family of a PE device removes extended communities from the CE router: router bgp <Local AS> address-family ipv4 vrf one neighbor <neighbor IP> remote-as <Remote AS> neighbor <neighbor IP> activate neighbor <neighbor IP> route-map FILTER in exit-address-family ! ip extcommunity-list 100 permit _RT.*_ ! ! route-map FILTER permit 10 set extcomm-list 100 delete ! The following configuration example applied in the ipv6 address family of a PE device removes extended communities from the CE router: router bgp <Local AS> address-family ipv6 vrf one neighbor <neighbor IP> remote-as <Remote AS> neighbor <neighbor IP> activate neighbor <neighbor IP> route-map FILTER in exit-address-family ! ip extcommunity-list 100 permit _RT.*_ ! ! route-map FILTER permit 10 set extcomm-list 100 delete ! Note: The capability of filtering extended communities is only available in certain 12.0S and 12.2S based Cisco IOS releases. BGP session between the PE and the CE needs to cleared to make this configuration change effective. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability cannot be deterministically triggered by an attacker. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-Sep-24 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkjaLeoACgkQ86n/Gc8U/uCNwQCdEOd3v5A+paECb9s2gMBUr0JH DEwAnRtvu3aQrECRin/QmElp7oudHZJX =EVLU -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
VAR-200809-0356 CVE-2008-3810 Cisco IOS In SCCP Service disruption related to message processing (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco IOS 12.2 and 12.4, when NAT Skinny Call Control Protocol (SCCP) Fragmentation Support is enabled, allows remote attackers to cause a denial of service (device reload) via segmented SCCP messages, aka CSCsg22426, a different vulnerability than CVE-2008-3811. The problem is Bug ID : CSCsg22426 It is a problem. this is CVE-2008-3811 Is a different vulnerability.Service disruption by a third party (DoS) There is a possibility that. A successful exploit may cause affected devices to reload, denying service to legitimate users. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Cisco IOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA31990 VERIFY ADVISORY: http://secunia.com/advisories/31990/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/advisories/product/50/ Cisco IOS 12.x http://secunia.com/advisories/product/182/ DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or to compromise a vulnerable system. 1) An unspecified error exists in the processing of SSL packets during the termination of an SSL session, which can potentially be exploited to crash an affected system. 2) Two unspecified errors exist within the processing of Protocol Independent Multicast (PIM) packets, which can be exploited to cause an affected device to reload. Successful exploitation requires that the device is configured with Network Address Translation (NAT) SCCP Fragmentation Support. 4) A memory leak in the processing of Session Initiation Protocol (SIP) messages can be exploited to cause a DoS for all voice services. 6) An unspecified error in the IOS Intrusion Prevention System (IPS) feature when processing certain IPS signatures that use the SERVICE.DNS engine can be exploited to cause a DoS via specially crafted network traffic. 7) A security issue exists in the processing of extended communities with Multi Protocol Label Switching (MPLS) Virtual Private Networks (VPN), which can lead to traffic leaking from one MPLS VPN to another. NOTE: This security issue was introduced with CSCee83237. 8) An unspecified error within the Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a DoS via specially crafted network packets. Successful exploitation requires access to the MPLS network. 9) An unspecified error within the Application Inspection Control (AIC) can be exploited to cause a reload of an affected device via specially crafted HTTP packets. 10) An unspecified error in the processing of Layer 2 Tunneling Protocol (L2TP) packets can be exploited to cause an affected device to reload via a specially crafted L2TP packets. Successful exploitation requires that the L2TP mgmt daemon process is running. This process may be enabled e.g. via Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up Networks (VPDN). 11) An unspecified error exists in the processing of IPC messages. This can be exploited to reload an affected device via a specially crafted UDP packet sent to port 1975. 12) A security issue is caused due to the device automatically enabling SNMP with a default community string, which can be exploited to gain control an affected system. Successful exploitation requires that a device is configured for linecard redundancy. SOLUTION: Update to the fixed version (please see the vendor's advisories for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml Note: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory. Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008: http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml Individual publication links are listed below: * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml Affected Products ================= Vulnerable Products +------------------ This security advisory applies to all Cisco products that run Cisco IOS Software configured for NAT and that support the NAT SCCP Fragmentation Support feature. This feature was first introduced in Cisco IOS version 12.4(6)T. To verify if NAT is enabled on a Cisco IOS device log into the device and issue the command show ip nat statistics. The following example shows a device configured with NAT: Router# show ip nat statistics Total translations: 2 (0 static, 2 dynamic; 0 extended) Outside interfaces: Serial0 Inside interfaces: Ethernet1 Hits: 135 Misses: 5 Expired translations: 2 Dynamic mappings: -- Inside Source access-list 1 pool mypool refcount 2 pool mypool: netmask 255.255.255.0 start 192.168.10.1 end 192.168.10.254 type generic, total addresses 14, allocated 2 (14%), misses 0 Alternatively, you can use the show running-config | include ip nat command to verify if NAT has been enabled on the router interfaces. Note: With reference to NAT, the term "inside" refers to those networks that will be translated. Inside this domain, hosts will have addresses in one address space, while on the "outside", they will appear to have addresses in another address space when NAT is configured. The first address space is referred to as the local address space and the second is referred to as the global address space. The ip nat inside and ip nat outside interface commands must be present on the corresponding router interfaces in order for NAT to be enabled. In order to determine the software that runs on a Cisco IOS product, log in to the device and issue the show version command to display the system banner. Cisco IOS software identifies itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name displays between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco devices do not have the show version command or give different output. The following example shows output from a device that runs an IOS image: router>show version Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(6)T2, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2006 by Cisco Systems, Inc. Compiled Tue 16-May-06 16:09 by kellythw <more output removed for brevity> Products Confirmed Not Vulnerable +-------------------------------- Cisco IOS XR and IOS XE are not affected by this vulnerability. Cisco IOS devices not explicitly configured for NAT are not vulnerable. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= The Skinny Call Control Protocol (SCCP) enables voice communication between an SCCP client and a Call Manager (CM). Typically, the CM provides service to the SCCP clients on TCP Port 2000 by default. Initially, an SCCP client connects to the CM by establishing a TCP connection; the client will also establish a TCP connection with a secondary CM, if available. A segmented payload that requires an IP or port translation will no longer be dropped. The NAT SCCP Fragmentation Support feature was introduced in Cisco IOS version 12.4(6)T. This vulnerability is documented in Cisco Bug ID CSCsg22426 and CSCsi17020, and has been assigned CVE identifiers CVE-2008-3810 and CVE-2008-3811. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsg22426 - Cisco IOS Skinny Call Control Protocol (SCCP) Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsi17020 - Router may reload after NAT with certain skinny packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of this vulnerability may cause the affected device to reload. Repeated exploitation will result in a denial of service (DoS) condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +-------------------------------------------------------------------+ | Major Release | Availability of Repaired Releases | |-------------------+-----------------------------------------------| | Affected | | | | 12.0-Based | First Fixed Release | Recommended Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.0 based releases | |-------------------------------------------------------------------| | Affected | | | | 12.1-Based | First Fixed Release | Recommended Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.1 based releases | |-------------------------------------------------------------------| | Affected | | | | 12.2-Based | First Fixed Release | Recommended Release | | Releases | | | |-------------------+-----------------------+-----------------------| | 12.2 | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2B | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2BC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2BW | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2BX | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2BY | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2BZ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2CX | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2CY | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2CZ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2DA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2DD | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2DX | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2EW | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2EWA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2EX | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2EY | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2EZ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2FX | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2FY | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2FZ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2IRB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2IXA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2IXB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2IXC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2IXD | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2IXE | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2IXF | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2IXG | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2JA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2JK | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2MB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2MC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2S | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SBC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SCA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SE | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SEA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SEB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SEC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SED | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SEE | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SEF | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SEG | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SG | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SGA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SL | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SM | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SO | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SRA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SRB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SRC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SU | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SV | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SVA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SVC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SVD | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SW | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SX | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SXA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SXB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SXD | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SXE | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SXF | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | | Not Vulnerable | | | 12.2SXH | | | | | http://www.cisco.com/ | | | | go/pn | | |-------------------+-----------------------+-----------------------| | 12.2SY | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SZ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2T | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2TPC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XD | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XE | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XF | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XG | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XH | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XI | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XJ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XK | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XL | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XM | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XN | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XNA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XNB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XO | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XQ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XR | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XS | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XT | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XU | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XV | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XW | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YD | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YE | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YF | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YG | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YH | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YJ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YK | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YL | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YM | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YN | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YO | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YP | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YQ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YR | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YS | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YT | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YU | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YV | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YW | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YX | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YY | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YZ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZD | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZE | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZF | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZG | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZH | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZJ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZL | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZP | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZU | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZX | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZY | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZYA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | Affected | | | | 12.3-Based | First Fixed Release | Recommended Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.3 based releases | |-------------------------------------------------------------------| | Affected | | | | 12.4-Based | First Fixed Release | Recommended Release | | Releases | | | |-------------------+-----------------------+-----------------------| | 12.4 | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4JA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4JK | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4JL | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4JMA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4JMB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4JMC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4JX | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4MD | 12.4(11)MD4 | 12.4(15)MD1 | |-------------------+-----------------------+-----------------------| | 12.4MR | 12.4(16)MR | 12.4(19)MR | |-------------------+-----------------------+-----------------------| | | 12.4(15)SW2; | 12.4(15)SW2; | | 12.4SW | Available on | Available on | | | 28-SEP-08 | 28-SEP-08 | |-------------------+-----------------------+-----------------------| | | 12.4(11)T4 | | | | | | | | 12.4(15)T2 | | | | | | | 12.4T | 12.4(20)T | 12.4(15)T7 | | | | | | | 12.4(6)T11 | | | | | | | | 12.4(9)T5 | | |-------------------+-----------------------+-----------------------| | 12.4XA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4XB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4XC | Vulnerable; first | 12.4(15)T7 | | | fixed in 12.4T | | |-------------------+-----------------------+-----------------------| | 12.4XD | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4XE | Vulnerable; first | 12.4(15)T7 | | | fixed in 12.4T | | |-------------------+-----------------------+-----------------------| | 12.4XF | Vulnerable; first | 12.4(15)T7 | | | fixed in 12.4T | | |-------------------+-----------------------+-----------------------| | 12.4XG | 12.4(9)XG3 | 12.4(9)XG3 | |-------------------+-----------------------+-----------------------| | 12.4XJ | Vulnerable; first | 12.4(15)T7 | | | fixed in 12.4T | | |-------------------+-----------------------+-----------------------| | 12.4XK | Vulnerable; first | 12.4(15)T7 | | | fixed in 12.4T | | |-------------------+-----------------------+-----------------------| | 12.4XL | 12.4(15)XL2 | 12.4(15)XL2 | |-------------------+-----------------------+-----------------------| | 12.4XM | 12.4(15)XM1 | 12.4(15)XM1 | |-------------------+-----------------------+-----------------------| | 12.4XN | Vulnerable; contact | | | | TAC | | |-------------------+-----------------------+-----------------------| | 12.4XP | Vulnerable; contact | | | | TAC | | |-------------------+-----------------------+-----------------------| | 12.4XQ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4XR | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4XT | Vulnerable; first | 12.4(15)T7 | | | fixed in 12.4T | | |-------------------+-----------------------+-----------------------| | 12.4XV | Vulnerable; contact | | | | TAC | | |-------------------+-----------------------+-----------------------| | 12.4XW | 12.4(11)XW7 | 12.4(11)XW9 | |-------------------+-----------------------+-----------------------| | 12.4XY | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4XZ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4YA | Not Vulnerable | | +-------------------------------------------------------------------+ Workarounds =========== As workaround, an administrator can disable SCCP NAT support using the no ip nat service skinny tcp port 2000 command, as shown in the following example: Router(config)# no ip nat service skinny tcp port 2000 Note: If your Cisco CallManager is using a TCP port for skinny signaling different from the default port (2000), you need to adjust this command accordingly. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2008-September-24 | public | | | | release | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkjaLdUACgkQ86n/Gc8U/uBM1ACeMzZ03zyWQhMRkiHOGUi20KeT NAoAnR9OVAOw7st0mwFWyEmatcQIxy2v =CqpX -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
VAR-200809-0357 CVE-2008-3811 Cisco IOS In SCCP Service disruption related to message processing (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco IOS 12.2 and 12.4, when NAT Skinny Call Control Protocol (SCCP) Fragmentation Support is enabled, allows remote attackers to cause a denial of service (device reload) via segmented SCCP messages, aka Cisco Bug ID CSCsi17020, a different vulnerability than CVE-2008-3810. The problem is Bug ID : CSCsi17020 It is a problem. this is CVE-2008-3810 Is a different vulnerability.Service disruption by a third party (DoS) There is a possibility that. A successful exploit may cause affected devices to reload, denying service to legitimate users. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Cisco IOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA31990 VERIFY ADVISORY: http://secunia.com/advisories/31990/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/advisories/product/50/ Cisco IOS 12.x http://secunia.com/advisories/product/182/ DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or to compromise a vulnerable system. 1) An unspecified error exists in the processing of SSL packets during the termination of an SSL session, which can potentially be exploited to crash an affected system. 2) Two unspecified errors exist within the processing of Protocol Independent Multicast (PIM) packets, which can be exploited to cause an affected device to reload. Successful exploitation requires that the device is configured with Network Address Translation (NAT) SCCP Fragmentation Support. 4) A memory leak in the processing of Session Initiation Protocol (SIP) messages can be exploited to cause a DoS for all voice services. 6) An unspecified error in the IOS Intrusion Prevention System (IPS) feature when processing certain IPS signatures that use the SERVICE.DNS engine can be exploited to cause a DoS via specially crafted network traffic. 7) A security issue exists in the processing of extended communities with Multi Protocol Label Switching (MPLS) Virtual Private Networks (VPN), which can lead to traffic leaking from one MPLS VPN to another. NOTE: This security issue was introduced with CSCee83237. 8) An unspecified error within the Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a DoS via specially crafted network packets. Successful exploitation requires access to the MPLS network. 9) An unspecified error within the Application Inspection Control (AIC) can be exploited to cause a reload of an affected device via specially crafted HTTP packets. 10) An unspecified error in the processing of Layer 2 Tunneling Protocol (L2TP) packets can be exploited to cause an affected device to reload via a specially crafted L2TP packets. Successful exploitation requires that the L2TP mgmt daemon process is running. This process may be enabled e.g. via Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up Networks (VPDN). 11) An unspecified error exists in the processing of IPC messages. This can be exploited to reload an affected device via a specially crafted UDP packet sent to port 1975. 12) A security issue is caused due to the device automatically enabling SNMP with a default community string, which can be exploited to gain control an affected system. Successful exploitation requires that a device is configured for linecard redundancy. SOLUTION: Update to the fixed version (please see the vendor's advisories for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml Note: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory. Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008: http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml Individual publication links are listed below: * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml Affected Products ================= Vulnerable Products +------------------ This security advisory applies to all Cisco products that run Cisco IOS Software configured for NAT and that support the NAT SCCP Fragmentation Support feature. This feature was first introduced in Cisco IOS version 12.4(6)T. To verify if NAT is enabled on a Cisco IOS device log into the device and issue the command show ip nat statistics. The following example shows a device configured with NAT: Router# show ip nat statistics Total translations: 2 (0 static, 2 dynamic; 0 extended) Outside interfaces: Serial0 Inside interfaces: Ethernet1 Hits: 135 Misses: 5 Expired translations: 2 Dynamic mappings: -- Inside Source access-list 1 pool mypool refcount 2 pool mypool: netmask 255.255.255.0 start 192.168.10.1 end 192.168.10.254 type generic, total addresses 14, allocated 2 (14%), misses 0 Alternatively, you can use the show running-config | include ip nat command to verify if NAT has been enabled on the router interfaces. Note: With reference to NAT, the term "inside" refers to those networks that will be translated. Inside this domain, hosts will have addresses in one address space, while on the "outside", they will appear to have addresses in another address space when NAT is configured. The first address space is referred to as the local address space and the second is referred to as the global address space. The ip nat inside and ip nat outside interface commands must be present on the corresponding router interfaces in order for NAT to be enabled. In order to determine the software that runs on a Cisco IOS product, log in to the device and issue the show version command to display the system banner. Cisco IOS software identifies itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name displays between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco devices do not have the show version command or give different output. The following example shows output from a device that runs an IOS image: router>show version Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(6)T2, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2006 by Cisco Systems, Inc. Compiled Tue 16-May-06 16:09 by kellythw <more output removed for brevity> Products Confirmed Not Vulnerable +-------------------------------- Cisco IOS XR and IOS XE are not affected by this vulnerability. Cisco IOS devices not explicitly configured for NAT are not vulnerable. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= The Skinny Call Control Protocol (SCCP) enables voice communication between an SCCP client and a Call Manager (CM). Typically, the CM provides service to the SCCP clients on TCP Port 2000 by default. Initially, an SCCP client connects to the CM by establishing a TCP connection; the client will also establish a TCP connection with a secondary CM, if available. A segmented payload that requires an IP or port translation will no longer be dropped. The NAT SCCP Fragmentation Support feature was introduced in Cisco IOS version 12.4(6)T. This vulnerability is documented in Cisco Bug ID CSCsg22426 and CSCsi17020, and has been assigned CVE identifiers CVE-2008-3810 and CVE-2008-3811. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsg22426 - Cisco IOS Skinny Call Control Protocol (SCCP) Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsi17020 - Router may reload after NAT with certain skinny packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of this vulnerability may cause the affected device to reload. Repeated exploitation will result in a denial of service (DoS) condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +-------------------------------------------------------------------+ | Major Release | Availability of Repaired Releases | |-------------------+-----------------------------------------------| | Affected | | | | 12.0-Based | First Fixed Release | Recommended Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.0 based releases | |-------------------------------------------------------------------| | Affected | | | | 12.1-Based | First Fixed Release | Recommended Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.1 based releases | |-------------------------------------------------------------------| | Affected | | | | 12.2-Based | First Fixed Release | Recommended Release | | Releases | | | |-------------------+-----------------------+-----------------------| | 12.2 | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2B | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2BC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2BW | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2BX | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2BY | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2BZ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2CX | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2CY | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2CZ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2DA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2DD | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2DX | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2EW | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2EWA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2EX | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2EY | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2EZ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2FX | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2FY | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2FZ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2IRB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2IXA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2IXB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2IXC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2IXD | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2IXE | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2IXF | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2IXG | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2JA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2JK | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2MB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2MC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2S | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SBC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SCA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SE | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SEA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SEB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SEC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SED | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SEE | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SEF | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SEG | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SG | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SGA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SL | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SM | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SO | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SRA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SRB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SRC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SU | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SV | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SVA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SVC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SVD | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SW | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SX | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SXA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SXB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SXD | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SXE | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SXF | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | | Not Vulnerable | | | 12.2SXH | | | | | http://www.cisco.com/ | | | | go/pn | | |-------------------+-----------------------+-----------------------| | 12.2SY | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2SZ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2T | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2TPC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XD | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XE | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XF | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XG | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XH | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XI | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XJ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XK | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XL | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XM | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XN | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XNA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XNB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XO | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XQ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XR | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XS | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XT | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XU | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XV | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2XW | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YD | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YE | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YF | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YG | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YH | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YJ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YK | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YL | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YM | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YN | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YO | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YP | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YQ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YR | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YS | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YT | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YU | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YV | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YW | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YX | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YY | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2YZ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZD | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZE | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZF | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZG | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZH | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZJ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZL | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZP | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZU | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZX | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZY | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.2ZYA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | Affected | | | | 12.3-Based | First Fixed Release | Recommended Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.3 based releases | |-------------------------------------------------------------------| | Affected | | | | 12.4-Based | First Fixed Release | Recommended Release | | Releases | | | |-------------------+-----------------------+-----------------------| | 12.4 | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4JA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4JK | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4JL | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4JMA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4JMB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4JMC | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4JX | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4MD | 12.4(11)MD4 | 12.4(15)MD1 | |-------------------+-----------------------+-----------------------| | 12.4MR | 12.4(16)MR | 12.4(19)MR | |-------------------+-----------------------+-----------------------| | | 12.4(15)SW2; | 12.4(15)SW2; | | 12.4SW | Available on | Available on | | | 28-SEP-08 | 28-SEP-08 | |-------------------+-----------------------+-----------------------| | | 12.4(11)T4 | | | | | | | | 12.4(15)T2 | | | | | | | 12.4T | 12.4(20)T | 12.4(15)T7 | | | | | | | 12.4(6)T11 | | | | | | | | 12.4(9)T5 | | |-------------------+-----------------------+-----------------------| | 12.4XA | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4XB | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4XC | Vulnerable; first | 12.4(15)T7 | | | fixed in 12.4T | | |-------------------+-----------------------+-----------------------| | 12.4XD | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4XE | Vulnerable; first | 12.4(15)T7 | | | fixed in 12.4T | | |-------------------+-----------------------+-----------------------| | 12.4XF | Vulnerable; first | 12.4(15)T7 | | | fixed in 12.4T | | |-------------------+-----------------------+-----------------------| | 12.4XG | 12.4(9)XG3 | 12.4(9)XG3 | |-------------------+-----------------------+-----------------------| | 12.4XJ | Vulnerable; first | 12.4(15)T7 | | | fixed in 12.4T | | |-------------------+-----------------------+-----------------------| | 12.4XK | Vulnerable; first | 12.4(15)T7 | | | fixed in 12.4T | | |-------------------+-----------------------+-----------------------| | 12.4XL | 12.4(15)XL2 | 12.4(15)XL2 | |-------------------+-----------------------+-----------------------| | 12.4XM | 12.4(15)XM1 | 12.4(15)XM1 | |-------------------+-----------------------+-----------------------| | 12.4XN | Vulnerable; contact | | | | TAC | | |-------------------+-----------------------+-----------------------| | 12.4XP | Vulnerable; contact | | | | TAC | | |-------------------+-----------------------+-----------------------| | 12.4XQ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4XR | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4XT | Vulnerable; first | 12.4(15)T7 | | | fixed in 12.4T | | |-------------------+-----------------------+-----------------------| | 12.4XV | Vulnerable; contact | | | | TAC | | |-------------------+-----------------------+-----------------------| | 12.4XW | 12.4(11)XW7 | 12.4(11)XW9 | |-------------------+-----------------------+-----------------------| | 12.4XY | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4XZ | Not Vulnerable | | |-------------------+-----------------------+-----------------------| | 12.4YA | Not Vulnerable | | +-------------------------------------------------------------------+ Workarounds =========== As workaround, an administrator can disable SCCP NAT support using the no ip nat service skinny tcp port 2000 command, as shown in the following example: Router(config)# no ip nat service skinny tcp port 2000 Note: If your Cisco CallManager is using a TCP port for skinny signaling different from the default port (2000), you need to adjust this command accordingly. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2008-September-24 | public | | | | release | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkjaLdUACgkQ86n/Gc8U/uBM1ACeMzZ03zyWQhMRkiHOGUi20KeT NAoAnR9OVAOw7st0mwFWyEmatcQIxy2v =CqpX -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
VAR-200809-0358 CVE-2008-3812 Cisco IOS of IOS firewall Application Inspection Control (AIC) Service disruption in (DoS) Vulnerabilities CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Cisco IOS 12.4, when IOS firewall Application Inspection Control (AIC) with HTTP Deep Packet Inspection is enabled, allows remote attackers to cause a denial of service (device reload) via a malformed HTTP transit packet. A successful exploit may cause affected devices to reload, denying service to legitimate users. Cisco IOS is the Internet operating system used on Cisco networking equipment. Cisco has released free software updates that address this vulnerability. A mitigation for this vulnerability is available. See the "Workarounds" section for details. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml Note: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory. Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008: http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml Individual publication links are listed below: * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml Affected Products ================= The HTTP AIC feature was introduced in Cisco IOS Software Release 12.4(9)T. The software table in this advisory identifies the affected releases. To determine the software running on a Cisco IOS product, log in to the device and issue the show version command-line interface (CLI) command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco devices will not have the show version command, or will give different output. The following example shows output from a device running Cisco IOS image 12.4(15)T2: router#show version Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T2, RELEASE SOFTWARE (fc7) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2008 by Cisco Systems, Inc. Compiled Thu 17-Jan-08 23:12 by prod_rel_team !--- Output truncated. Additional information on the Cisco IOS release naming conventions can be found on the document entitled "White Paper: Cisco IOS Reference Guide", which is available at http://www.cisco.com/warp/public/620/1.html The device is vulnerable if the configuration has a Layer 7 class map and Layer 7 policy map for HTTP deep packet inspection (DPI), and these policies are applied to any firewall zone. If the output contains Policy: http layer7-policymap name , the device is vulnerable. IOS releases before 12.4(9)T are not affected by this issue. Products confirmed not vulnerable include: * Cisco PIX * Cisco ASA * Cisco Firewall Services Module (FWSM) * The Virtual Firewall (VFW) application on the multiservice blade (MSB) on the Cisco XR 12000 Series Router Details ======= Firewalls are networking devices that control access to an organization's network assets. Firewalls are often positioned at the entrance points into networks. Cisco IOS software provides a set of security features that enable you to configure a simple or elaborate firewall policy, according to your particular requirements. HTTP uses port 80 by default to transport Internet web services, which are commonly used on the network and rarely challenged with regard to their legitimacy and conformance to standards. Because port 80 traffic is typically allowed through the network without being challenged, many application developers are leveraging HTTP traffic as an alternative transport protocol that will allow their application's traffic to travel through or even bypass the firewall. It also detects users who are tunneling applications through port 80. If the packet is not in compliance with the HTTP protocol, it will be dropped, the connection will be reset, and a syslog message will be generated, as appropriate. HTTP runs over TCP. For this vulnerability to be exploited, a full three-way handshake between client and server is required before any malicious traffic would be processed to result in a device reload. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsh12480 - IOSFW with HTTP AIC may reload on processing crafted HTTP packet CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerability may result in a reload of the affected device. Repeated exploitation attempts may result in a sustained denial of service attack. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +-------------------------------------------------------------------+ | Major Release | Availability of Repaired Releases | |-----------------+-------------------------------------------------| | Affected | | Recommended | | 12.0-Based | First Fixed Release | Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.0 based releases | |-------------------------------------------------------------------| | Affected | | Recommended | | 12.1-Based | First Fixed Release | Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.1 based releases | |-------------------------------------------------------------------| | Affected | | Recommended | | 12.2-Based | First Fixed Release | Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.2 based releases | |-------------------------------------------------------------------| | Affected | | Recommended | | 12.3-Based | First Fixed Release | Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.3 based releases | |-------------------------------------------------------------------| | Affected | | Recommended | | 12.4-Based | First Fixed Release | Release | | Releases | | | |-----------------+-----------------------------------+-------------| | 12.4 | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4JA | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4JK | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4JL | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4JMA | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4JMB | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4JMC | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4JX | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4MD | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4MR | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4SW | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | | Releases prior to 12.4(9)T are | | | | not vulnerable. First fixed in: | | | | | | | 12.4T | 12.4(9)T7 | 12.4(15)T7 | | | | | | | 12.4(11)T4 | | | | | | | | 12.4(15)T | | |-----------------+-----------------------------------+-------------| | 12.4XA | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4XB | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4XC | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4XD | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4XE | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |-----------------+-----------------------------------+-------------| | 12.4XF | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4XG | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4XJ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |-----------------+-----------------------------------+-------------| | 12.4XK | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |-----------------+-----------------------------------+-------------| | 12.4XL | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4XM | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4XN | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4XP | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4XQ | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4XT | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4XV | Vulnerable; contact TAC | | |-----------------+-----------------------------------+-------------| | 12.4XW | 12.4(11)XW1 | 12.4(11)XW9 | |-----------------+-----------------------------------+-------------| | 12.4XY | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4XZ | Not Vulnerable | | |-----------------+-----------------------------------+-------------| | 12.4YA | Not Vulnerable | | +-------------------------------------------------------------------+ Workarounds =========== There are no known workarounds for this vulnerability. All other firewall features will continue to perform normally. This example shows an existing configuration, followed by how to remove AIC HTTP Deep Packet Inspection: !--- Existing Configuration ! parameter-map type inspect global ! class-map type inspect http match-any layer7-classmap class-map type inspect match-any layer4-classmap match protocol http ! policy-map type inspect http layer7-policymap class type inspect http layer7-classmap allow class class-default policy-map type inspect layer4-policymap class type inspect layer4-classmap inspect global service-policy http layer7-policymap class class-default ! zone security inside description ** Inside Network ** zone security outside description ** Outside Network ** zone-pair security in2out source inside destination outside description ** Zone Pair - inside to outside ** service-policy type inspect layer4-policymap Remove the service-policy from the zone-pair in question: Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#zone-pair security in2out source inside destination outside Router(config-sec-zone-pair)#no service-policy type inspect layer4-policymap Router(config-sec-zone-pair)#exit Remove the linkage between policy-map type inspect layer4-policymap and policy-map type inspect http layer7-policymap: Router(config)#policy-map type inspect layer4-policymap Router(config-pmap)#class type inspect layer4-classmap Router(config-pmap-c)#no service-policy http layer7-policymap Router(config-pmap-c)#exit Router(config-pmap)#exit Reapply the service-policy to the zone-pair in question: Router(config)#zone-pair security in2out source inside destination outside Router(config-sec-zone-pair)#service-policy type inspect layer4-policymap Router(config-sec-zone-pair)#exit Although not required, for completeness of the configuration the policy-map type inspect http layer7-policymap and class-map type inspect http match-any layer7-classmap are recommended to be removed. Router(config)#no policy-map type inspect http layer7-policymap Router(config)#no class-map type inspect http match-any layer7-classmap Router(config)#exit Router# Obtaining Fixed Software ======================== Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was found by Cisco internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2008-September-24 | public | | | | release | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkjaLbkACgkQ86n/Gc8U/uBSqwCgi7dmsFhp1u9fxWgLqVpMPtV+ fuIAn3f11gNGT/LITk11YI6fjv7W1Q20 =0tmt -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Cisco IOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA31990 VERIFY ADVISORY: http://secunia.com/advisories/31990/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/advisories/product/50/ Cisco IOS 12.x http://secunia.com/advisories/product/182/ DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or to compromise a vulnerable system. 1) An unspecified error exists in the processing of SSL packets during the termination of an SSL session, which can potentially be exploited to crash an affected system. 2) Two unspecified errors exist within the processing of Protocol Independent Multicast (PIM) packets, which can be exploited to cause an affected device to reload. 3) Unspecified errors within the processing of segmented Skinny Call Control Protocol (SCCP) messages can be exploited to cause a Cisco IOS device to reload. Successful exploitation requires that the device is configured with Network Address Translation (NAT) SCCP Fragmentation Support. 4) A memory leak in the processing of Session Initiation Protocol (SIP) messages can be exploited to cause a DoS for all voice services. 6) An unspecified error in the IOS Intrusion Prevention System (IPS) feature when processing certain IPS signatures that use the SERVICE.DNS engine can be exploited to cause a DoS via specially crafted network traffic. 7) A security issue exists in the processing of extended communities with Multi Protocol Label Switching (MPLS) Virtual Private Networks (VPN), which can lead to traffic leaking from one MPLS VPN to another. NOTE: This security issue was introduced with CSCee83237. 8) An unspecified error within the Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a DoS via specially crafted network packets. Successful exploitation requires access to the MPLS network. 10) An unspecified error in the processing of Layer 2 Tunneling Protocol (L2TP) packets can be exploited to cause an affected device to reload via a specially crafted L2TP packets. Successful exploitation requires that the L2TP mgmt daemon process is running. This process may be enabled e.g. via Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up Networks (VPDN). 11) An unspecified error exists in the processing of IPC messages. This can be exploited to reload an affected device via a specially crafted UDP packet sent to port 1975. 12) A security issue is caused due to the device automatically enabling SNMP with a default community string, which can be exploited to gain control an affected system. SOLUTION: Update to the fixed version (please see the vendor's advisories for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-200809-0359 CVE-2008-3813 Cisco IOS of L2TP mgmt daemon process In L2TP Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Cisco IOS 12.2 and 12.4, when the L2TP mgmt daemon process is enabled, allows remote attackers to cause a denial of service (device reload) via a crafted L2TP packet. Cisco IOS is prone to a denial-of-service vulnerability. A remote attacker can exploit this issue to cause an affected device to reload. This vulnerability is tracked by Cisco bug ID CSCsh48879 and by CVE-2008-3813. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Cisco IOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA31990 VERIFY ADVISORY: http://secunia.com/advisories/31990/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/advisories/product/50/ Cisco IOS 12.x http://secunia.com/advisories/product/182/ DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or to compromise a vulnerable system. 1) An unspecified error exists in the processing of SSL packets during the termination of an SSL session, which can potentially be exploited to crash an affected system. 2) Two unspecified errors exist within the processing of Protocol Independent Multicast (PIM) packets, which can be exploited to cause an affected device to reload. Successful exploitation requires that the device is configured with Network Address Translation (NAT) SCCP Fragmentation Support. 4) A memory leak in the processing of Session Initiation Protocol (SIP) messages can be exploited to cause a DoS for all voice services. 6) An unspecified error in the IOS Intrusion Prevention System (IPS) feature when processing certain IPS signatures that use the SERVICE.DNS engine can be exploited to cause a DoS via specially crafted network traffic. 7) A security issue exists in the processing of extended communities with Multi Protocol Label Switching (MPLS) Virtual Private Networks (VPN), which can lead to traffic leaking from one MPLS VPN to another. NOTE: This security issue was introduced with CSCee83237. 8) An unspecified error within the Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a DoS via specially crafted network packets. Successful exploitation requires access to the MPLS network. 11) An unspecified error exists in the processing of IPC messages. 12) A security issue is caused due to the device automatically enabling SNMP with a default community string, which can be exploited to gain control an affected system. SOLUTION: Update to the fixed version (please see the vendor's advisories for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Cisco IOS Software Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability Advisory ID: cisco-sa-20080924-l2tp http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml Revision 1.0 For Public Release 2008 September 24 1600 UTC (GMT) - --------------------------------------------------------------------- Summary ======= A vulnerability exists in the Cisco IOS software implementation of Layer 2 Tunneling Protocol (L2TP), which affects limited Cisco IOS software releases. Several features enable the L2TP mgmt daemon process within Cisco IOS software, including but not limited to Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP) and Cisco Virtual Private Dial-Up Networks (VPDN). Once this process is enabled the device is vulnerable. This vulnerability will result in a reload of the device when processing a specially crafted L2TP packet. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml Note: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory. Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008: http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml Individual publication links are listed below: * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml Affected Products ================= All devices running affected versions of 12.2 or 12.4 Cisco IOS system software and that have a vulnerable configuration are affected by this vulnerability. Vulnerable Products +------------------ To determine if a device is vulnerable, first confirm that the device is running an affected version of 12.2 or 12.4 Cisco IOS system software. Then check for the process L2TP mgmt daemon running on the device. To determine the software version running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the show version command or will give different output. The following example identifies a Cisco product that is running Cisco IOS Software Release 12.4(11)T2: Router#show version Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Tue 01-May-07 04:19 by prod_rel_team <output truncated> Additional information on the Cisco IOS release naming conventions can be found in the document entitled "White Paper: Cisco IOS Reference Guide," which is available at http://www.cisco.com/warp/public/620/1.html To check if the process L2TP mgmt daemon is running on a device, log into the command line interface (CLI) and issue the command show processes | include L2TP . (NOTE: The command is case sensitive.) If the output returns a line with the process name L2TP mgmt daemon, the device is vulnerable. The following example shows a device running the L2TP mgmt daemon process: Router#show processes | include L2TP 158 Mwe 62590FE4 4 3 133322900/24000 0 L2TP mgmt daemon Router# The L2TP mgmt daemon is started by several different types of configurations that may be deployed in networks that leverage the L2TP protocol. If any of the following commands appear within a device's configuration, show running-config, then the device will have started the L2TP mgmt daemon and is vulnerable. * Device is configured with Virtual Private Dial-Up Networks (VPDN). The command vpdn enable will appear in the device configuration. * Device is configured for L2TP or L2TPv3 Client-Initiated VPDN Tunneling. The command pseudowire peer-ip-address vcid pw-class pw-class-name " appears in the device configuration. * Device is configured with Stack Group Bidding Protocol (SGBP). The command sgbp group group-name will appear in the device configuration. * A L2TP signaling template has been defined. The command l2tp-class l2tp-class name will appear in the device configuration. * Devices configured for Layer 2 Tunnel Protocol Version 3 The commands pseudowire-class pseudowire-class name and a successfully applied interface xconnect command will appear in the device configuration. Products Confirmed Not Vulnerable +-------------------------------- * Devices that are running Cisco IOS versions that are not explicitly listed in the software table below as vulnerable, are not affected. * Cisco IOS XR is not affected. No other Cisco products are currently known to be affected by this vulnerability. Details ======= Documented in RFC2661, L2TP and RFC3931, L2TPv3 are protocols for tunneling network traffic between two peers over an existing network. Several features leverage the L2TP protocol and start the L2TP mgmt daemon within Cisco IOS. These features have been outlined in this advisory under the Vulnerable Products section. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsh48879 - Crafted L2TP packet triggers a device reload. CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerability will result in a reload of the device. Repeated exploitation may result in an extended denial of service (DoS) condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +-------------------------------------------------------------------+ | Major | Availability of Repaired Releases | | Release | | |--------------+----------------------------------------------------| | Affected | | Recommended | | 12.0-Based | First Fixed Release | Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.0 based releases | |-------------------------------------------------------------------| | Affected | | Recommended | | 12.1-Based | First Fixed Release | Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.1 based releases | |-------------------------------------------------------------------| | Affected | | Recommended | | 12.2-Based | First Fixed Release | Release | | Releases | | | |--------------+-----------------------------------+----------------| | 12.2 | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2B | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2BC | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2BW | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2BX | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2BY | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2BZ | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2CX | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2CY | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2CZ | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2DA | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2DD | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2DX | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2EW | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2EWA | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2EX | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2EY | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2EZ | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2FX | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2FY | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2FZ | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2IRB | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2IXA | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2IXB | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2IXC | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2IXD | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2IXE | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2IXF | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2IXG | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2JA | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2JK | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2MB | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2MC | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2S | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SB | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SBC | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SCA | Not Vulnerable | | |--------------+-----------------------------------+----------------| | | Note: Releases prior to 12.2(37) | | | 12.2SE | SE are not vulnerable. First | 12.2(46)SE | | | fixed in 12.2(44)SE | | |--------------+-----------------------------------+----------------| | 12.2SEA | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SEB | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SEC | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SED | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SEE | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SEF | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SEG | Not Vulnerable | | |--------------+-----------------------------------+----------------| | | Note: Releases prior to 12.2(37) | | | 12.2SG | SG are not vulnerable. First | 12.2(46)SG1 | | | Fixed in 12.2(44)SG | | |--------------+-----------------------------------+----------------| | 12.2SGA | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SL | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SM | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SO | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SRA | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SRB | 12.2(33)SRB1 | 12.2(33)SRB4 | |--------------+-----------------------------------+----------------| | 12.2SRC | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SU | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SV | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SVA | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SVC | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SVD | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SW | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SX | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SXA | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SXB | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SXD | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SXE | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SXF | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SXH | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SY | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2SZ | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2T | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2TPC | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XA | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XB | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XC | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XD | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XE | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XF | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XG | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XH | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XI | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XJ | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XK | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XL | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XM | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XN | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XNA | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XNB | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XO | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XQ | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XR | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XS | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XT | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XU | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XV | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2XW | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YA | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YB | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YC | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YD | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YE | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YF | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YG | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YH | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YJ | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YK | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YL | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YM | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YN | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YO | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YP | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YQ | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YR | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YS | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YT | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YU | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YV | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YW | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YX | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YY | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2YZ | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2ZA | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2ZB | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2ZC | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2ZD | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2ZE | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2ZF | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2ZG | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2ZH | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2ZJ | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2ZL | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2ZP | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2ZU | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2ZX | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2ZY | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.2ZYA | Not Vulnerable | | |--------------+-----------------------------------+----------------| | Affected | | Recommended | | 12.3-Based | First Fixed Release | Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.3 based releases | |-------------------------------------------------------------------| | Affected | | Recommended | | 12.4-Based | First Fixed Release | Release | | Releases | | | |--------------+-----------------------------------+----------------| | 12.4 | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4JA | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4JK | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4JL | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4JMA | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4JMB | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4JMC | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4JX | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4MD | Not Vulnerable | | |--------------+-----------------------------------+----------------| | | Note: Releases prior to 12.4(11) | | | 12.4MR | MR are not vulnerable. First | 12.4(19)MR | | | fixed in 12.4(16)MR | | |--------------+-----------------------------------+----------------| | | | 12.4(15)SW2; | | 12.4SW | 12.4(11)SW3 | Available on | | | | 28-SEP-08 | |--------------+-----------------------------------+----------------| | | Note: Releases prior to 12.4(11)T | | | 12.4T | are not vulnerable. First fixed | 12.4(15)T7 | | | in 12.4(15)T | | |--------------+-----------------------------------+----------------| | 12.4XA | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4XB | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4XC | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4XD | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4XE | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4XF | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4XG | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4XJ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |--------------+-----------------------------------+----------------| | 12.4XK | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4XL | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4XM | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4XN | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4XP | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4XQ | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4XT | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4XV | Vulnerable; contact TAC | | |--------------+-----------------------------------+----------------| | 12.4XW | 12.4(11)XW1 | 12.4(11)XW9 | |--------------+-----------------------------------+----------------| | 12.4XY | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4XZ | Not Vulnerable | | |--------------+-----------------------------------+----------------| | 12.4YA | Not Vulnerable | | +-------------------------------------------------------------------+ Workarounds =========== The following workarounds have been identified for this vulnerability. Note: L2TP implementations will need to allow UDP 1701, from trusted addresses to infrastructure addresses. This does not provide for a full mitigation as the source addresses may be spoofed. Note: L2TPv3 over IP only implementations need to deny all UDP 1701 from anywhere to the infrastructure addresses. * Infrastructure Access Control Lists Although it is often difficult to block traffic that transits a network, it is possible to identify traffic that should never be allowed to target infrastructure devices and block that traffic at the border of networks. Infrastructure Access Control Lists (iACLs) are a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for these specific vulnerabilities. The iACL example below should be included as part of the deployed infrastructure access-list which will protect all devices with IP addresses in the infrastructure IP address range: !--- Permit L2TP UDP 1701 packets from all trusted !--- sources destined to infrastructure addresses. !--- NOTE: This does not prevent spoofed attacks. !--- To be a full mitigation, no trusted source !--- addresses should be listed. !--- Omit this line if using a L2TPv3 over IP implementation only. access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES MASK INFRASTRUCTURE_ADDRESSES MASK eq 1701 !--- Deny L2TP UDP 1701 packets from all !--- sources destined to infrastructure addresses. access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 1701 !--- If using a L2TPv3 over IP implementation ensure to allow L2TPv3 access-list 150 permit 115 <source_ip_address and mask> <destination_ip_address and mask> !--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance !--- with existing security policies and configurations !--- Permit all other traffic to transit the device. access-list 150 permit ip any any !--- Apply access-list to all interfaces (only one example shown) interface serial 2/0 ip access-group 150 in The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists. This white paper can be obtained at the following link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml * Control Plane Policing Control Plane Policing (CoPP) can be used to block L2TP access to the device. CoPP can be configured on a device to protect the management and control planes and minimize the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic that is sent to infrastructure devices in accordance with existing security policies and configurations. The CoPP example below should be included as part of the deployed CoPP which will protect all devices with IP addresses in the infrastructure IP address range. !--- Deny all trusted source L2TP UDP traffic sent to all IP addresses !--- configured on all interfaces of the affected device so that it !--- will not be policed by the CoPP feature. !--- NOTE: This does not prevent spoofed attacks. !--- To be a full mitigation, no trusted source !--- addresses should be listed. !--- Omit this line if using an L2TPv3 over IP implementation only. access-list 111 deny udp TRUSTED_SOURCE_ADDRESSES MASK INFRASTRUCTURE_ADDRESSES MASK eq 1701 !--- Permit all L2TP UDP traffic sent to all IP addresses !--- configured on all interfaces of the affected device so that it !--- will be policed and dropped by the CoPP feature access-list 111 permit udp any INFRASTRUCTURE_ADDRESSES MASK eq 1701 !--- If using an L2TPv3 over IP implementation ensure not to drop L2TPv3 access-list 111 deny 115 <source_ip_address and mask> <destination_ip_address and mask> !--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4 !--- traffic in accordance with existing security policies and !--- configurations for traffic that is authorized to be sent !--- to infrastructure devices !--- Create a Class-Map for traffic to be policed by !--- the CoPP feature class-map match-all drop-l2tp-class match access-group 111 !--- Create a Policy-Map that will be applied to the !--- Control-Plane of the device. policy-map drop-l2tp-traffic class drop-l2tp-class drop !--- Apply the Policy-Map to the !--- Control-Plane of the device control-plane service-policy input drop-l2tp-traffic In the above CoPP example, the access control list entries (ACEs) that match the potential exploit packets with the "permit" action result in these packets being discarded by the policy-map "drop" function, while packets that match the "deny" action (not shown) are not affected by the policy-map drop function. Please note that the policy-map syntax is different in the 12.2S and 12.0S Cisco IOS trains: policy-map drop-l2tp-traffic class drop-l2tp-class police 32000 1500 1500 conform-action drop exceed-action drop Additional information on the configuration and use of the CoPP feature is available at the following link: http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20080924-l2tp.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2008-September-24 | public | | | | release | +----------------------------------------+ Cisco Security Procedures ========================== Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkjaLcgACgkQ86n/Gc8U/uC/CQCfcC70VVLkBqFMyqTqBh9mP0pu BY4AniOvIpCfu1wKu/Zz7USner4MTUnB =jfZd -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
VAR-200809-0320 CVE-2008-2739 Cisco IOS of SERVICE.DNS Signature engine Service disruption in (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The SERVICE.DNS signature engine in the Intrusion Prevention System (IPS) in Cisco IOS 12.3 and 12.4 allows remote attackers to cause a denial of service (device crash or hang) via network traffic that triggers unspecified IPS signatures, a different vulnerability than CVE-2008-1447. A successful exploit will cause an affected device to crash, denying service to legitimate users. Cisco has released free software updates that address this vulnerability. There is a workaround for this vulnerability. Note: This vulnerability is not related in any way to CVE-2008-1447 - Cache poisoning attacks. Cisco Systems has published a Cisco Security Advisory for that vulnerability, which can be found at http://www.cisco.com/en/US/products/products_security_advisory09186a00809c2168.shtml This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml Note: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory. Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008: http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml Individual publication links are listed below: * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml Affected Products ================= Vulnerable Products +------------------ Any Cisco IOS device configured with the Cisco IOS IPS feature is vulnerable, regardless if it is configured to use the built-in signatures or an external signature file. Devices using either version 4 or version 5 signatures are affected by this vulnerability. The Cisco IOS IPS feature is not enabled by default. The command show ip ips interfaces can be used to determine if the Cisco IOS IPS feature has been configured and applied to any interface on the device, as in the following example: Router#show ip ips interfaces Interface Configuration Interface FastEthernet0/0 Inbound IPS rule is ios-ips-incoming Outgoing IPS rule is not set Interface FastEthernet0/1 Inbound IPS rule is not set Outgoing IPS rule is ios-ips-outgoing Router# The output of the show ip ips interfaces command when the Cisco IOS IPS feature has not been configured is dependent on which Cisco IOS release is installed and running on the device. It may be similar to the following example: Router#show ip ips interfaces Router# or it may be similar to the following: Router#show ip ips interfaces Interface Configuration IPS is not configured on any interface Router# Any version of Cisco IOS prior to the versions which are listed in the Software Versions and Fixes section below is vulnerable. To determine the version of the Cisco IOS software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS". On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the show version command or will give different output. The following example identifies a Cisco product running Cisco IOS Software release 12.3(26) with an installed image name of C2500-IS-L: Router#show version Cisco Internetwork Operating System Software IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2008 by cisco Systems, Inc. Compiled Mon 17-Mar-08 14:39 by dchih <output truncated> Router# The next example shows a product running Cisco IOS Software release 12.4(20)T with an image name of C1841-ADVENTERPRISEK9-M: Router#show version Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2008 by Cisco Systems, Inc. Compiled Thu 10-Jul-08 20:25 by prod_rel_team <output truncated> Router# Additional information on the Cisco IOS release naming conventions can be found on the document entitled "White Paper: Cisco IOS Reference Guide", which is available at http://www.cisco.com/warp/public/620/1.html Products Confirmed Not Vulnerable +-------------------------------- The following Cisco products are confirmed not vulnerable: * Cisco IOS devices running the Intrusion Detection System feature * Cisco ASA Security Appliances running the Intrusion Detection System feature * Cisco PIX 500 Series Security Appliances running the Intrusion Detection System feature * Cisco IPS 4200 Sensors * Cisco AIP-SSM for ASA 5500 Series Adaptive Security Appliances * Cisco Catalyst 6500 Series Intrusion detection System (IDSM-2) Services Module * Cisco IPS Advanced Integration Module for Integrated Services Routers No other Cisco products are currently known to be affected by this vulnerability. A component of the Cisco IOS Integrated Threat Control framework and complemented by Cisco IOS Flexible Packet Matching feature, Cisco IOS IPS provides your network with the intelligence to accurately identify, classify, and stop or block malicious traffic in real time. The Cisco IOS IDS feature is not affected by this vulnerability. This may cause a denial of service that results in disruption of network traffic. This vulnerability is documented in Cisco Bug ID CSCsq13348. This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-2739. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsq13348 - Watchdog timeout with IPS configured CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of this vulnerability may cause a Cisco IOS device configured with the Cisco IOS IPS feature to crash or hang, resulting in a denial of service condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +-------------------------------------------------------------------+ | Major | Availability of Repaired Releases | | Release | | |------------+------------------------------------------------------| | Affected | | Recommended | | 12.0-Based | First Fixed Release | Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.0 based releases | |-------------------------------------------------------------------| | Affected | | Recommended | | 12.1-Based | First Fixed Release | Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.1 based releases | |-------------------------------------------------------------------| | Affected | | Recommended | | 12.2-Based | First Fixed Release | Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.2 based releases | |-------------------------------------------------------------------| | Affected | | Recommended | | 12.3-Based | First Fixed Release | Release | | Releases | | | |------------+--------------------------------------+---------------| | 12.3 | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3B | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3BC | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3BW | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3EU | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3JA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3JEA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3JEB | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3JEC | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3JK | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3JL | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3JX | Not Vulnerable | | |------------+--------------------------------------+---------------| | | | 12.4(15)T7 | | 12.3T | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+--------------------------------------+---------------| | 12.3TPC | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3VA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3XA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3XB | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3XC | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3XD | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3XE | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3XF | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3XG | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3XI | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3XJ | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3XK | Not Vulnerable | | |------------+--------------------------------------+---------------| | | | 12.4(15)T7 | | 12.3XL | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+--------------------------------------+---------------| | | | 12.4(15)T7 | | 12.3XQ | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+--------------------------------------+---------------| | | | 12.4(15)T7 | | 12.3XR | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+--------------------------------------+---------------| | | | 12.4(15)T7 | | 12.3XS | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+--------------------------------------+---------------| | 12.3XU | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3XW | Not Vulnerable | | |------------+--------------------------------------+---------------| | | | 12.4(15)T7 | | 12.3XX | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+--------------------------------------+---------------| | 12.3XY | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3XZ | Not Vulnerable | | |------------+--------------------------------------+---------------| | | | 12.4(15)T7 | | 12.3YA | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+--------------------------------------+---------------| | 12.3YD | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+--------------------------------------+---------------| | 12.3YF | Not Vulnerable | | |------------+--------------------------------------+---------------| | | Releases prior to 12.3(8)YG7 are | | | 12.3YG | vulnerable, release 12.3(8)YG7 and | 12.4(15)T7 | | | later are not vulnerable; first | | | | fixed in 12.4T | | |------------+--------------------------------------+---------------| | 12.3YH | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+--------------------------------------+---------------| | 12.3YI | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+--------------------------------------+---------------| | 12.3YJ | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3YK | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+--------------------------------------+---------------| | | | 12.3(14)YM13; | | 12.3YM | 12.3(14)YM13; Available on 30-SEP-08 | Available on | | | | 30-SEP-08 | |------------+--------------------------------------+---------------| | 12.3YQ | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3YS | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+--------------------------------------+---------------| | 12.3YT | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+--------------------------------------+---------------| | 12.3YU | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3YX | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.3YZ | Vulnerable; contact TAC | | |------------+--------------------------------------+---------------| | 12.3ZA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+--------------------------------------+---------------| | Affected | | Recommended | | 12.4-Based | First Fixed Release | Release | | Releases | | | |------------+--------------------------------------+---------------| | | 12.4(18b) | | | | | | | 12.4 | 12.4(19a) | 12.4(18c) | | | | | | | 12.4(21) | | |------------+--------------------------------------+---------------| | 12.4JA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4JK | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4JL | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4JMA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4JMB | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4JMC | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4JX | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4MD | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4MR | 12.4(19)MR | 12.4(19)MR | |------------+--------------------------------------+---------------| | 12.4SW | Not Vulnerable | | |------------+--------------------------------------+---------------| | | 12.4(15)T6 | | | 12.4T | | 12.4(15)T7 | | | 12.4(20)T | | |------------+--------------------------------------+---------------| | 12.4XA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+--------------------------------------+---------------| | 12.4XB | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XC | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+--------------------------------------+---------------| | | | 12.4(4)XD11; | | 12.4XD | 12.4(4)XD11; Available on 26-SEP-08 | Available on | | | | 26-SEP-08 | |------------+--------------------------------------+---------------| | 12.4XE | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+--------------------------------------+---------------| | 12.4XF | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+--------------------------------------+---------------| | 12.4XG | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XJ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+--------------------------------------+---------------| | 12.4XK | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+--------------------------------------+---------------| | 12.4XL | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XM | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XN | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XP | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XQ | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XT | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+--------------------------------------+---------------| | 12.4XV | Vulnerable; contact TAC | | |------------+--------------------------------------+---------------| | 12.4XW | 12.4(11)XW9 | 12.4(11)XW9 | |------------+--------------------------------------+---------------| | 12.4XY | 12.4(15)XY4 | 12.4(15)XY4 | |------------+--------------------------------------+---------------| | 12.4XZ | 12.4(15)XZ2 | 12.4(15)XZ2 | |------------+--------------------------------------+---------------| | 12.4YA | 12.4(20)YA1 | 12.4(20)YA1 | +-------------------------------------------------------------------+ Workarounds =========== The workaround consists of adding an Access Control List (ACL) to every Cisco IOS IPS policy configured on the device so that traffic destined to ports 53/udp or 53/tcp is not inspected by the Cisco IOS IPS feature. The following ACL would need to be added to the device configuration: ! deny inspection of traffic with a destination port of 53/udp access-list 177 deny udp any any eq 53 ! deny inspection of traffic with a destination port of 53/tcp access-list 177 deny tcp any any eq 53 ! allow all other traffic to be inspected access-list 177 permit ip any any Every instance of a Cisco IOS IPS policy on the device would then need to be modified in order to reference the previous ACL. In order to determine which Cisco IOS IPS policies are configured on the device, execute the command show running-config | include ip ips name as in the following example: Router#show running-config | include ip ips name ip ips name ios-ips-incoming ip ips name ios-ips-outgoing Router# In the previous example, two Cisco IOS IPS policies are configured on the device. The following example shows the addition of an ACL to each one of the Cisco IOS IPS policies previously identified: Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#ip ips name ios-ips-incoming list 177 Router(config)#ip ips name ios-ips-outgoing list 177 Router(config)#end Router# As a verification step, the command show ip ips interfaces can be executed again to verify the ACL has been properly attached to each one of the Cisco IOS IPS policies: Router#show ip ips interfaces Interface Configuration Interface FastEthernet0/0 Inbound IPS rule is ios-ips-incoming acl list 177 Outgoing IPS rule is not set Interface FastEthernet0/1 Inbound IPS rule is not set Outgoing IPS rule is ios-ips-outgoing acl list 177 Router# Note: Disabling or deleting individual or all signatures using the SERVICE.DNS engine of the Cisco IOS IPS feature is not a recommended workaround. The previous workaround is the only Cisco-recommended workaround for this vulnerability. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com/ Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was reported to Cisco by a customer. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2008-September-24 | public | | | | release | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkjaLb4ACgkQ86n/Gc8U/uCOcQCfVtBrGIC3MJQr9jaPkMlt3ikc XrEAn1XOyW6nTAO/lsY5edWYzRoTuLDe =HgRp -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Cisco IOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA31990 VERIFY ADVISORY: http://secunia.com/advisories/31990/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/advisories/product/50/ Cisco IOS 12.x http://secunia.com/advisories/product/182/ DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or to compromise a vulnerable system. 1) An unspecified error exists in the processing of SSL packets during the termination of an SSL session, which can potentially be exploited to crash an affected system. 2) Two unspecified errors exist within the processing of Protocol Independent Multicast (PIM) packets, which can be exploited to cause an affected device to reload. 3) Unspecified errors within the processing of segmented Skinny Call Control Protocol (SCCP) messages can be exploited to cause a Cisco IOS device to reload. Successful exploitation requires that the device is configured with Network Address Translation (NAT) SCCP Fragmentation Support. 4) A memory leak in the processing of Session Initiation Protocol (SIP) messages can be exploited to cause a DoS for all voice services. 5) Multiple unspecified errors exist in the processing of SIP messages, which can be exploited to cause a reload of an affected device. 7) A security issue exists in the processing of extended communities with Multi Protocol Label Switching (MPLS) Virtual Private Networks (VPN), which can lead to traffic leaking from one MPLS VPN to another. NOTE: This security issue was introduced with CSCee83237. 8) An unspecified error within the Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a DoS via specially crafted network packets. Successful exploitation requires access to the MPLS network. 9) An unspecified error within the Application Inspection Control (AIC) can be exploited to cause a reload of an affected device via specially crafted HTTP packets. 10) An unspecified error in the processing of Layer 2 Tunneling Protocol (L2TP) packets can be exploited to cause an affected device to reload via a specially crafted L2TP packets. Successful exploitation requires that the L2TP mgmt daemon process is running. This process may be enabled e.g. via Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up Networks (VPDN). 11) An unspecified error exists in the processing of IPC messages. This can be exploited to reload an affected device via a specially crafted UDP packet sent to port 1975. 12) A security issue is caused due to the device automatically enabling SNMP with a default community string, which can be exploited to gain control an affected system. Successful exploitation requires that a device is configured for linecard redundancy. SOLUTION: Update to the fixed version (please see the vendor's advisories for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-200809-0020 CVE-2008-3798 Cisco IOS In SSL Service operation disruption related to session termination processing (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco IOS 12.4 allows remote attackers to cause a denial of service (device crash) via a normal, properly formed SSL packet that occurs during termination of an SSL session. A successful exploit may cause an affected device to crash, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCsj85065. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Cisco IOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA31990 VERIFY ADVISORY: http://secunia.com/advisories/31990/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/advisories/product/50/ Cisco IOS 12.x http://secunia.com/advisories/product/182/ DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or to compromise a vulnerable system. 2) Two unspecified errors exist within the processing of Protocol Independent Multicast (PIM) packets, which can be exploited to cause an affected device to reload. 3) Unspecified errors within the processing of segmented Skinny Call Control Protocol (SCCP) messages can be exploited to cause a Cisco IOS device to reload. Successful exploitation requires that the device is configured with Network Address Translation (NAT) SCCP Fragmentation Support. 4) A memory leak in the processing of Session Initiation Protocol (SIP) messages can be exploited to cause a DoS for all voice services. 5) Multiple unspecified errors exist in the processing of SIP messages, which can be exploited to cause a reload of an affected device. 6) An unspecified error in the IOS Intrusion Prevention System (IPS) feature when processing certain IPS signatures that use the SERVICE.DNS engine can be exploited to cause a DoS via specially crafted network traffic. 7) A security issue exists in the processing of extended communities with Multi Protocol Label Switching (MPLS) Virtual Private Networks (VPN), which can lead to traffic leaking from one MPLS VPN to another. NOTE: This security issue was introduced with CSCee83237. 8) An unspecified error within the Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a DoS via specially crafted network packets. Successful exploitation requires access to the MPLS network. 9) An unspecified error within the Application Inspection Control (AIC) can be exploited to cause a reload of an affected device via specially crafted HTTP packets. 10) An unspecified error in the processing of Layer 2 Tunneling Protocol (L2TP) packets can be exploited to cause an affected device to reload via a specially crafted L2TP packets. Successful exploitation requires that the L2TP mgmt daemon process is running. This process may be enabled e.g. via Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up Networks (VPDN). 11) An unspecified error exists in the processing of IPC messages. This can be exploited to reload an affected device via a specially crafted UDP packet sent to port 1975. 12) A security issue is caused due to the device automatically enabling SNMP with a default community string, which can be exploited to gain control an affected system. Successful exploitation requires that a device is configured for linecard redundancy. SOLUTION: Update to the fixed version (please see the vendor's advisories for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Vulnerability in Cisco IOS While Processing SSL Packet Advisory ID: cisco-sa-20080924-ssl http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml Revision 1.0 For Public Release 2008 September 24 1600 UTC (GMT) - --------------------------------------------------------------------- Summary ======= A Cisco IOS device may crash while processing an SSL packet. This can happen during the termination of an SSL-based session. The offending packet is not malformed and is normally received as part of the packet exchange. Cisco has released free software updates that address this vulnerability. Aside from disabling affected services, there are no available workarounds to mitigate an exploit of this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml Note: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory. Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008: http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml Individual publication links are listed below: * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml Affected Products ================= Vulnerable Products +------------------ Devices running Cisco IOS and using SSL-based services are susceptible to this vulnerability. Some of the services that utilize SSL are: * HTTP server supporting SSL encryption (HTTPS) The following example shows a device that has the standard Cisco IOS HTTP server disabled, but the SSL-enabled Cisco IOS HTTP server enabled: Router#show running-config | include ip http no ip http server ip http secure-server Router# * SSL Virtual Private Network (SSL VPN) also known as AnyConnect VPN The following example shows a device that has the SSL VPN feature enabled: Router#show running-config | include webvpn webvpn enable webvpn Router# * Open Settlement Protocol (OSP) for Packet Telephony feature The following example shows a device that has the OSP feature enabled and uses HTTPS protocol that is vulnerable: Router#show running-config | include url url https://<host_ip_address>:443/ Router# The Cisco IOS Bug Toolkit may not accurately reflect the affected releases for this advisory. The affected releases are as follows: * 12.4(16)MR, 12.4(16)MR1, 12.4(16)MR2 * 12.4(17) To determine the version of the Cisco IOS software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS Software will identify itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the show version command or will give different output. Router#show version Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T2, RELEASE SOFTWARE (fc7) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2008 by Cisco Systems, Inc. Compiled Thu 17-Jan-08 23:12 by prod_rel_team Additional information about Cisco IOS software release naming is available at the following link: http://www.cisco.com/warp/public/620/1.html Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products and Cisco IOS releases are currently known to be affected by this vulnerability. Possession of valid credentials such as a username, password or a certificate is not required. SSL protocol uses TCP as a transport protocol. The requirement of the complete TCP 3-way handshake reduces the probability that this vulnerability will be exploited through the use of spoofed IP addresses. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsj85065 - Router reload while processing SSL packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== A successful exploit of this vulnerability may cause a crash of the affected device. Repeated exploitation may result in a sustained denial of service condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +-------------------------------------------------------------------+ | Major Release | Availability of Repaired Releases | |---------------------------+---------------------------------------| | Affected 12.0-Based | First Fixed | Recommended | | Releases | Release | Release | |-------------------------------------------------------------------| | There are no affected 12.0 based releases | |-------------------------------------------------------------------| | Affected 12.1-Based | First Fixed | Recommended | | Releases | Release | Release | |-------------------------------------------------------------------| | There are no affected 12.1 based releases | |-------------------------------------------------------------------| | Affected 12.2-Based | First Fixed | Recommended | | Releases | Release | Release | |-------------------------------------------------------------------| | There are no affected 12.2 based releases | |-------------------------------------------------------------------| | Affected 12.3-Based | First Fixed | Recommended | | Releases | Release | Release | |-------------------------------------------------------------------| | There are no affected 12.3 based releases | |-------------------------------------------------------------------| | Affected 12.4-Based | First Fixed | Recommended | | Releases | Release | Release | |---------------------------+-------------------+-------------------| | | 12.4(17a) | | | 12.4 | | 12.4(18c) | | | 12.4(18) | | |---------------------------+-------------------+-------------------| | 12.4JA | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4JK | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4JL | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4JMA | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4JMB | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4JMC | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4JX | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4MD | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4MR | 12.4(19)MR | 12.4(19)MR | |---------------------------+-------------------+-------------------| | 12.4SW | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4T | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XA | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XB | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XC | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XD | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XE | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XF | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XG | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XJ | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XK | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XL | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XM | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XN | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XP | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XQ | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XT | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XV | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XW | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XY | Not Vulnerable | | |---------------------------+-------------------+-------------------| | 12.4XZ | Not Vulnerable | | +-------------------------------------------------------------------+ Workarounds =========== To prevent an exploit of a vulnerable device, SSL-based services need to be disabled. However, if regular maintenance and operation of the device relies on this service, there is no workaround. The following command will disable the vulnerable HTTPS service: Router(config)#no ip http secure-server The following command will disable the vulnerable SSL VPN service: Router(config)#no webvpn enable The following command will disable the vulnerable OSP service: Router(config)#no settlement <n> Another option is to revert to HTTP protocol instead using HTTPS. The downside of this workaround is that the settlement information will be sent over the network unprotected. It is possible to mitigate this vulnerability by preventing unauthorized hosts from accessing affected devices. Control Plane Policing (CoPP) +---------------------------- Cisco IOS software versions that support Control Plane Policing (CoPP) can be configured to help protect the device from attacks that target the management and control planes. CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T. In the following CoPP example, the ACL entries that match the exploit packets with the permit action will be discarded by the policy-map drop function, whereas packets that match a deny action (not shown) are not affected by the policy-map drop function: !-- Include deny statements up front for any protocols/ports/IP addresses that !-- should not be impacted by CoPP !-- Include permit statements for the protocols/ports that will be !-- governed by CoPPaccess-list 100 permit tcp any any eq 443 !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4 !-- traffic in accordance with existing security policies and !-- configurations for traffic that is authorized to be sent !-- to infrastructure devices. ! !-- Create a Class-Map for traffic to be policed by !-- the CoPP feature. ! class-map match-all drop-SSL-class match access-group 100 ! !-- Create a Policy-Map that will be applied to the !-- Control-Plane of the device. ! policy-map drop-SSL-policy class drop-SSL-class drop !-- Apply the Policy-Map to the Control-Plane of the !-- device. ! control-plane service-policy input drop-SSL-policy Note: In the preceding CoPP example, the ACL entries with the permit action that match the exploit packets will result in the discarding of those packets by the policy-map drop function, whereas packets that match the deny action are not affected by the policy-map drop function. Additional information on the configuration and use of the CoPP feature is available at the following links: http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml and http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html Access Control List (ACL) +------------------------ An Access Control List (ACL) can be used to help mitigate attacks that target this vulnerability. ACLs can specify that only packets from legitimate sources are permitted to reach a device, and all others are to be dropped. The following example shows how to allow legitimate SSL sessions from trusted sources and deny all other SSL sessions: access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> eq 443 access-list 101 deny tcp any any eq 443 Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2008-September-24 | public | | | | release | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt - --------------------------------------------------------------------- Toolbar Contacts & Feedback | Help | Site Map 2007 - 2008 Cisco Systems, Inc. All rights reserved. Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks of Cisco Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkjaLeIACgkQ86n/Gc8U/uDvigCfcWXjj9bLlpN4XB1nMsDRt2h6 F5EAnRsZsoyb0638vZK7pU8owyw+Ust5 =gXdE -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
VAR-200809-0022 CVE-2008-3800 Cisco IOS and Unified Communications Manager of SIP In implementation SIP Service disruption related to message processing (DoS) Vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-200809-0948		 CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS 12.2 through 12.4 and Unified Communications Manager 4.1 through 6.1, when VoIP is configured, allows remote attackers to cause a denial of service (device or process reload) via unspecified valid SIP messages, aka Cisco Bug ID CSCsu38644, a different vulnerability than CVE-2008-3801 and CVE-2008-3802. The problem is Bug ID : CSCsu38644 It is a problem. this is CVE-2008-3801 and CVE-2008-3802 Is a different vulnerability.Service operation disrupted by a third party (DoS) There is a possibility of being put into a state. Cisco Unified Communications Manager is prone to multiple denial-of-service vulnerabilities. These issues affect the Session Initiation Protocol (SIP) service. These issues are documented by Cisco bug IDs CSCsu38644 and CSCsm46064. An attacker can exploit these issues to cause denial-of-service conditions in the affected application. Cisco IOS is the Internet operating system used on Cisco networking equipment. A remote attacker causes a denial of service by unidentifying a valid SIP message. An exploit of these vulnerabilities may cause an interruption in voice services. Cisco will release free software updates that address these vulnerabilities and this advisory will be updated as fixed software becomes available. There are no workarounds for these vulnerabilities. Note: Cisco IOS software is also affected by the vulnerabilities described in this advisory. The software version can also be determined by running the command show version active via the command line interface. In Cisco Unified CallManager version 4.x, the use of SIP as a call signaling protocol is not enabled by default, and for the Cisco Unified CallManager server to start listening for SIP messages on TCP and UDP ports 5060 and 5061 a SIP trunk needs to be configured. A companion security advisory for Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml Products Confirmed Not Vulnerable +-------------------------------- With the exception of Cisco IOS software, no other Cisco products are currently known to be vulnerable to the issues described in this advisory. Cisco Unified CallManager version 4.x is not affected by these vulnerabilities if it does not have any SIP trunks configured. Details ======= Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP gateways, and multimedia applications. SIP is a popular signaling protocol that is used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol is flexible to accommodate for other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or TLS (TCP port 5061) as the underlying transport protocol. Version 4.x of Cisco Unified CallManager do not have SIP enabled by default unless a SIP trunk is configured. The vulnerabilities are being tracked by the following Cisco bug IDs: * CSCsu38644, assigned CVE ID CVE-2008-3800 * CSCsm46064, assigned CVE ID CVE-2008-3801 Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsu38644 - Valid SIP message can cause CCM process to crash CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.9 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsm46064 - Problem when CUCM sends out SIP message with valid header CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities described in this advisory may result in a reload of the Cisco Unified Communications Manager process, which could result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Cisco Unified CallManager version 4.1(3)SR8 contains fixes for all vulnerabilities affecting Cisco Unified CallManager version 4.1 listed in this advisory, and is scheduled to be released in early October 2008. Workarounds =========== There are no workarounds for these vulnerabilities. It is possible to mitigate the vulnerabilities by implementing filtering on screening devices. To change the ports from their default values, log into the Cisco Unified CallManager Administration web interface, go to System > Cisco Unified CM, locate the appropriate Cisco Unified Communications Manager, change the fields SIP Phone Port and SIP Phone Secure Port to a non-standard port, then click Save. SIP Phone Port, by default 5060, refers to the TCP and UDP ports where the Cisco Unified Communications Manager listens for normal SIP messages, and SIP Phone Secure Port, by default 5061, refers to the TCP and UDP ports where the Cisco Unified Communications Manager listens for SIP over TLS messages. Note: For a change of the SIP ports to take effect, the Cisco CallManager Service needs to be restarted. For information on how to accomplish this, refer to "Restarting the Cisco CallManager Service" at http://www.cisco.com/en/US/docs/voice_ip_comm/cucmbe/admin/7_0_1/ccmcfg/b03dpi.html#wp1075124 Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20080924-sip.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were discovered by Cisco internal testing and during handling of customer service requests. Status of this Notice: INTERIM ============================== THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2008-September-24 | public | | | | release | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkjaR1gACgkQ86n/Gc8U/uCAAQCfW5xFaGdt0C6ubIIW2kVj37Ak znYAn12eZ9BJNa4m6ia6Di1o+CQ4FAr3 =0Yk+ -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Cisco IOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA31990 VERIFY ADVISORY: http://secunia.com/advisories/31990/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/advisories/product/50/ Cisco IOS 12.x http://secunia.com/advisories/product/182/ DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or to compromise a vulnerable system. 1) An unspecified error exists in the processing of SSL packets during the termination of an SSL session, which can potentially be exploited to crash an affected system. 2) Two unspecified errors exist within the processing of Protocol Independent Multicast (PIM) packets, which can be exploited to cause an affected device to reload. Successful exploitation requires that the device is configured with Network Address Translation (NAT) SCCP Fragmentation Support. 6) An unspecified error in the IOS Intrusion Prevention System (IPS) feature when processing certain IPS signatures that use the SERVICE.DNS engine can be exploited to cause a DoS via specially crafted network traffic. 7) A security issue exists in the processing of extended communities with Multi Protocol Label Switching (MPLS) Virtual Private Networks (VPN), which can lead to traffic leaking from one MPLS VPN to another. NOTE: This security issue was introduced with CSCee83237. 8) An unspecified error within the Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a DoS via specially crafted network packets. Successful exploitation requires access to the MPLS network. 9) An unspecified error within the Application Inspection Control (AIC) can be exploited to cause a reload of an affected device via specially crafted HTTP packets. 10) An unspecified error in the processing of Layer 2 Tunneling Protocol (L2TP) packets can be exploited to cause an affected device to reload via a specially crafted L2TP packets. Successful exploitation requires that the L2TP mgmt daemon process is running. This process may be enabled e.g. via Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up Networks (VPDN). 11) An unspecified error exists in the processing of IPC messages. This can be exploited to reload an affected device via a specially crafted UDP packet sent to port 1975. This vulnerability is reported in Cisco 10000, uBR10012, and uBR7200 series devices. 12) A security issue is caused due to the device automatically enabling SNMP with a default community string, which can be exploited to gain control an affected system. Successful exploitation requires that a device is configured for linecard redundancy. SOLUTION: Update to the fixed version (please see the vendor's advisories for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-200809-0023 CVE-2008-3801 Cisco IOS and Unified Communications Manager of SIP In implementation SIP Service disruption related to message processing (DoS) Vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-200809-0948		 CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS 12.2 through 12.4 and Unified Communications Manager 4.1 through 6.1, when VoIP is configured, allows remote attackers to cause a denial of service (device or process reload) via unspecified valid SIP messages, aka Cisco Bug ID CSCsm46064, a different vulnerability than CVE-2008-3800 and CVE-2008-3802. The problem is Bug ID : CSCsm46064 It is a problem. this is CVE-2008-3800 and CVE-2008-3802 Is a different vulnerability.Service operation disrupted by a third party (DoS) There is a possibility of being put into a state. Cisco Unified Communications Manager is prone to multiple denial-of-service vulnerabilities. These issues affect the Session Initiation Protocol (SIP) service. These issues are documented by Cisco bug IDs CSCsu38644 and CSCsm46064. An attacker can exploit these issues to cause denial-of-service conditions in the affected application. Cisco IOS is the Internet operating system used on Cisco networking equipment. A remote attacker causes a denial of service by unidentifying a valid SIP message. An exploit of these vulnerabilities may cause an interruption in voice services. Cisco will release free software updates that address these vulnerabilities and this advisory will be updated as fixed software becomes available. There are no workarounds for these vulnerabilities. Note: Cisco IOS software is also affected by the vulnerabilities described in this advisory. The software version can also be determined by running the command show version active via the command line interface. In Cisco Unified CallManager version 4.x, the use of SIP as a call signaling protocol is not enabled by default, and for the Cisco Unified CallManager server to start listening for SIP messages on TCP and UDP ports 5060 and 5061 a SIP trunk needs to be configured. A companion security advisory for Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml Products Confirmed Not Vulnerable +-------------------------------- With the exception of Cisco IOS software, no other Cisco products are currently known to be vulnerable to the issues described in this advisory. Cisco Unified CallManager version 4.x is not affected by these vulnerabilities if it does not have any SIP trunks configured. Details ======= Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP gateways, and multimedia applications. SIP is a popular signaling protocol that is used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol is flexible to accommodate for other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or TLS (TCP port 5061) as the underlying transport protocol. Version 4.x of Cisco Unified CallManager do not have SIP enabled by default unless a SIP trunk is configured. The vulnerabilities are being tracked by the following Cisco bug IDs: * CSCsu38644, assigned CVE ID CVE-2008-3800 * CSCsm46064, assigned CVE ID CVE-2008-3801 Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsu38644 - Valid SIP message can cause CCM process to crash CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.9 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsm46064 - Problem when CUCM sends out SIP message with valid header CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities described in this advisory may result in a reload of the Cisco Unified Communications Manager process, which could result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Cisco Unified CallManager version 4.1(3)SR8 contains fixes for all vulnerabilities affecting Cisco Unified CallManager version 4.1 listed in this advisory, and is scheduled to be released in early October 2008. Workarounds =========== There are no workarounds for these vulnerabilities. It is possible to mitigate the vulnerabilities by implementing filtering on screening devices. To change the ports from their default values, log into the Cisco Unified CallManager Administration web interface, go to System > Cisco Unified CM, locate the appropriate Cisco Unified Communications Manager, change the fields SIP Phone Port and SIP Phone Secure Port to a non-standard port, then click Save. SIP Phone Port, by default 5060, refers to the TCP and UDP ports where the Cisco Unified Communications Manager listens for normal SIP messages, and SIP Phone Secure Port, by default 5061, refers to the TCP and UDP ports where the Cisco Unified Communications Manager listens for SIP over TLS messages. Note: For a change of the SIP ports to take effect, the Cisco CallManager Service needs to be restarted. For information on how to accomplish this, refer to "Restarting the Cisco CallManager Service" at http://www.cisco.com/en/US/docs/voice_ip_comm/cucmbe/admin/7_0_1/ccmcfg/b03dpi.html#wp1075124 Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20080924-sip.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were discovered by Cisco internal testing and during handling of customer service requests. Status of this Notice: INTERIM ============================== THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2008-September-24 | public | | | | release | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkjaR1gACgkQ86n/Gc8U/uCAAQCfW5xFaGdt0C6ubIIW2kVj37Ak znYAn12eZ9BJNa4m6ia6Di1o+CQ4FAr3 =0Yk+ -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Cisco IOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA31990 VERIFY ADVISORY: http://secunia.com/advisories/31990/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/advisories/product/50/ Cisco IOS 12.x http://secunia.com/advisories/product/182/ DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or to compromise a vulnerable system. 1) An unspecified error exists in the processing of SSL packets during the termination of an SSL session, which can potentially be exploited to crash an affected system. 2) Two unspecified errors exist within the processing of Protocol Independent Multicast (PIM) packets, which can be exploited to cause an affected device to reload. Successful exploitation requires that the device is configured with Network Address Translation (NAT) SCCP Fragmentation Support. 6) An unspecified error in the IOS Intrusion Prevention System (IPS) feature when processing certain IPS signatures that use the SERVICE.DNS engine can be exploited to cause a DoS via specially crafted network traffic. 7) A security issue exists in the processing of extended communities with Multi Protocol Label Switching (MPLS) Virtual Private Networks (VPN), which can lead to traffic leaking from one MPLS VPN to another. NOTE: This security issue was introduced with CSCee83237. 8) An unspecified error within the Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a DoS via specially crafted network packets. Successful exploitation requires access to the MPLS network. 9) An unspecified error within the Application Inspection Control (AIC) can be exploited to cause a reload of an affected device via specially crafted HTTP packets. 10) An unspecified error in the processing of Layer 2 Tunneling Protocol (L2TP) packets can be exploited to cause an affected device to reload via a specially crafted L2TP packets. Successful exploitation requires that the L2TP mgmt daemon process is running. This process may be enabled e.g. via Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up Networks (VPDN). 11) An unspecified error exists in the processing of IPC messages. This can be exploited to reload an affected device via a specially crafted UDP packet sent to port 1975. This vulnerability is reported in Cisco 10000, uBR10012, and uBR7200 series devices. 12) A security issue is caused due to the device automatically enabling SNMP with a default community string, which can be exploited to gain control an affected system. Successful exploitation requires that a device is configured for linecard redundancy. SOLUTION: Update to the fixed version (please see the vendor's advisories for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-200809-0036 CVE-2008-3802 Cisco IOS of SIP In implementation SIP Service disruption related to message processing (DoS) Vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-200809-0948		 CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS 12.2 through 12.4, when VoIP is configured, allows remote attackers to cause a denial of service (device reload) via unspecified valid SIP messages, aka Cisco bug ID CSCsk42759, a different vulnerability than CVE-2008-3800 and CVE-2008-3801. The problem is Bug ID : CSCsk42759 It is a problem. this is CVE-2008-3800 and CVE-2008-3801 Is a different vulnerability.Service operation disrupted by a third party (DoS) There is a possibility of being put into a state. Devices running Cisco IOS with SIP enabled are prone to multiple denial-of-service vulnerabilities. These issues are tracked by the following Cisco bug IDs and CVEs: CSCse56800 (CVE-2008-3799) CSCsg91306 (CVE-2008-3800) CSCsl62609 (CVE-2008-3801) CSCsk42759 (CVE-2008-3802) An attacker can exploit these issues to deny service to legitimate users. Cisco IOS is the Internet operating system used on Cisco networking equipment. A remote attacker causes a denial of service by unidentifying a valid SIP message. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Cisco IOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA31990 VERIFY ADVISORY: http://secunia.com/advisories/31990/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/advisories/product/50/ Cisco IOS 12.x http://secunia.com/advisories/product/182/ DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or to compromise a vulnerable system. 1) An unspecified error exists in the processing of SSL packets during the termination of an SSL session, which can potentially be exploited to crash an affected system. 2) Two unspecified errors exist within the processing of Protocol Independent Multicast (PIM) packets, which can be exploited to cause an affected device to reload. Successful exploitation requires that the device is configured with Network Address Translation (NAT) SCCP Fragmentation Support. 5) Multiple unspecified errors exist in the processing of SIP messages, which can be exploited to cause a reload of an affected device. 6) An unspecified error in the IOS Intrusion Prevention System (IPS) feature when processing certain IPS signatures that use the SERVICE.DNS engine can be exploited to cause a DoS via specially crafted network traffic. 7) A security issue exists in the processing of extended communities with Multi Protocol Label Switching (MPLS) Virtual Private Networks (VPN), which can lead to traffic leaking from one MPLS VPN to another. This security issue does not affect Cisco IOS releases based on 12.1. NOTE: This security issue was introduced with CSCee83237. Cisco IOS images that do not include CSCee83237 are reportedly not affected. 8) An unspecified error within the Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a DoS via specially crafted network packets. Successful exploitation requires access to the MPLS network. 9) An unspecified error within the Application Inspection Control (AIC) can be exploited to cause a reload of an affected device via specially crafted HTTP packets. 10) An unspecified error in the processing of Layer 2 Tunneling Protocol (L2TP) packets can be exploited to cause an affected device to reload via a specially crafted L2TP packets. Successful exploitation requires that the L2TP mgmt daemon process is running. This process may be enabled e.g. via Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up Networks (VPDN). 11) An unspecified error exists in the processing of IPC messages. This can be exploited to reload an affected device via a specially crafted UDP packet sent to port 1975. This vulnerability is reported in Cisco 10000, uBR10012, and uBR7200 series devices. 12) A security issue is caused due to the device automatically enabling SNMP with a default community string, which can be exploited to gain control an affected system. Successful exploitation requires that a device is configured for linecard redundancy. SOLUTION: Update to the fixed version (please see the vendor's advisories for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-200809-0363 CVE-2008-3809 Used in gigabit switch router Cisco IOS In PIM Denial of service operation related to packet processing (DoS) Vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-200809-0862		 CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Cisco IOS 12.0 through 12.4 on Gigabit Switch Router (GSR) devices (aka 12000 Series routers) allows remote attackers to cause a denial of service (device crash) via a malformed Protocol Independent Multicast (PIM) packet. Cisco IOS is prone to multiple remote denial-of-service vulnerabilities because the software fails to properly handle malformed network datagrams. Successfully exploiting these issues allows remote attackers to cause targeted devices to reload. Multiple exploits can lead to a sustained denial-of-service. These issues are tracked by Cisco Bug IDs CSCsd95616 and CSCsl34355. Cisco IOS is the Internet operating system used on Cisco networking equipment. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml Note: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory. Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008: http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml Individual publication links are listed below: * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml Affected Products ================= Vulnerable Products +------------------ Devices that are running Cisco IOS Software and configured for PIM have a vulnerability related to a specially crafted PIM packet. In addition, Cisco 12000 Series (GSR) routers running Cisco IOS Software have a second vulnerability related to a crafted PIM packet. The show running-config | include ip pim command can be issued to verify that a Cisco IOS device is configured for PIM. In the following example, the Cisco IOS router is configured for PIM sparse-dense mode. Router#show running-config | include ip pim ip pim sparse-dense-mode Note that available PIM modes on a Cisco IOS device are dense mode, sparse mode, or sparse-dense mode. A device that is configured for any of these modes is affected by these vulnerabilities. The mode determines how the device populates its multicast routing table and how multicast packets are forwarded. PIM must be enabled in one of these modes for an interface to perform IP multicast routing. More information on the configuration of each mode is in the "Details" section. Additionally, To display information about interfaces configured for Protocol Independent Multicast (PIM), use the show ip pim interface command in user EXEC or privileged EXEC mode, as shown in the following example: Router# show ip pim interface Address Interface Ver/ Nbr Query DR DR Mode Count Intvl Prior 10.1.0.1 GigabitEthernet0/0 v2/SD 0 30 1 10.1.0.1 10.6.0.1 GigabitEthernet0/1 v2/SD 1 30 1 10.6.0.2 In order to determine the software that runs on a Cisco IOS product, log in to the device and issue the show version command to display the system banner. Cisco IOS software identifies itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name displays between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco devices do not have the show version command or give different output. The following example shows output from a device that runs an IOS image: router>show version Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(6)T2, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2006 by Cisco Systems, Inc. Compiled Tue 16-May-06 16:09 by kellythw <more output removed for brevity> Products Confirmed Not Vulnerable +-------------------------------- Cisco IOS devices that are not configured for PIM are not vulnerable. Cisco IOS XR Software is not affected by this vulnerability. No other Cisco products are currently known to be affected by this vulnerability. Devices that run Cisco IOS Software and are configured for PIM are affected by the first vulnerability. Only Cisco 12000 Series (GSR) routers that are configured for PIM are affected by the second vulnerability. Available PIM modes on a Cisco IOS device are dense mode, sparse mode, or sparse-dense mode. The mode determines how the device populates its multicast routing table and how multicast packets are forwarded. PIM must be enabled in one of these modes for an interface to perform IP multicast routing. Note: There is no default mode setting. By default, multicast routing is disabled on an interface. To configure PIM on an interface to be in dense mode, use the following command in interface configuration mode: Router(config-if)# ip pim dense-mode To configure PIM on an interface to be in sparse mode, use the following command in interface configuration mode: Router(config-if)# ip pim sparse-mode To configure PIM on an interface to be in sparse-dense mode, use the following command in interface configuration mode: Router(config-if)# ip pim sparse-dense-mode These vulnerabilities are documented in the following Cisco Bug IDs: * CSCsd95616 - Crafted PIM packets may cause an IOS device to reload * CSCsl34355 - GSR may crash with malformed PIM packets These vulnerabilities have been assigned the Common Vulnerabilities and Exposures (CVE) identifiers CVE-2008-3808 and CVE-2008-3809. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsd95616 - Crafted PIM packets may cause an IOS device to reload CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsl34355 - GSR may crash with malformed PIM packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation may cause a reload of the affected device. Repeated exploitation could result in a sustained denial of service (DoS) condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +-------------------------------------------------------------------+ | Major | Availability of Repaired Releases | | Release | | |------------+------------------------------------------------------| | Affected | | Recommended | | 12.0-Based | First Fixed Release | Release | | Releases | | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0 | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | Releases prior to 12.0(8)DA3 are | 12.2(12)DA13 | | | vulnerable, release 12.0(8)DA3 and | | | 12.0DA | later are not vulnerable; first fixed | 12.4(15)T7 | | | in 12.2DA | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0DB | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0DC | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | 12.0(32)S8 | 12.0(32)S11 | | 12.0S | | | | | 12.0(33)S | 12.0(33)S1 | |------------+---------------------------------------+--------------| | | | 12.0(32)S11 | | 12.0SC | Vulnerable; first fixed in 12.0S | | | | | 12.0(33)S1 | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0SL | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0SP | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.0(32)S11 | | 12.0ST | Vulnerable; first fixed in 12.0S | | | | | 12.0(33)S1 | |------------+---------------------------------------+--------------| | | | 12.0(32)S11 | | 12.0SX | Vulnerable; first fixed in 12.0S | | | | | 12.0(33)S1 | |------------+---------------------------------------+--------------| | | | 12.0(32)SY7; | | 12.0SY | 12.0(32)SY5 | Available on | | | | 29-SEP-08 | |------------+---------------------------------------+--------------| | | | 12.0(32)S11 | | 12.0SZ | 12.0(30)SZ4 | | | | | 12.0(33)S1 | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0T | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.0W | Vulnerable; first fixed in 12.2 | 12.0(3c)W5 | | | | (8) | |------------+---------------------------------------+--------------| | | Releases prior to 12.0(5)WC10 are | 12.4(15)T7 | | 12.0WC | vulnerable, release 12.0(5)WC10 and | | | | later are not vulnerable; first fixed | 12.4(18c) | | | in 12.2 | | |------------+---------------------------------------+--------------| | 12.0WT | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XA | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XB | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | Releases prior to 12.0(2)XC2 are | 12.4(15)T7 | | 12.0XC | vulnerable, release 12.0(2)XC2 and | | | | later are not vulnerable; first fixed | 12.4(18c) | | | in 12.2 | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XD | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XE | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.0XF | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XG | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XH | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | Releases prior to 12.0(4)XI2 are | 12.4(15)T7 | | 12.0XI | vulnerable, release 12.0(4)XI2 and | | | | later are not vulnerable; first fixed | 12.4(18c) | | | in 12.2 | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XJ | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XK | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XL | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XM | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XN | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XQ | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XR | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.0XS | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XT | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XV | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | Affected | | Recommended | | 12.1-Based | First Fixed Release | Release | | Releases | | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1 | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1AA | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.1AX | Vulnerable; first fixed in 12.2EY | 12.2(46)SE | |------------+---------------------------------------+--------------| | | Releases prior to 12.1(22)AY1 are | 12.1(22)EA12 | | 12.1AY | vulnerable, release 12.1(22)AY1 and | | | | later are not vulnerable; first fixed | 12.2(46)SE | | | in 12.1EA | | |------------+---------------------------------------+--------------| | 12.1AZ | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1CX | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(12)DA13 | | | | | | 12.1DA | Vulnerable; first fixed in 12.2DA | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1DB | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1DC | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.1E | 12.1(27b)E2 | 12.2(18) | | | | SXF15 | |------------+---------------------------------------+--------------| | 12.1EA | 12.1(22)EA10 | 12.1(22)EA12 | |------------+---------------------------------------+--------------| | 12.1EB | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.2(33)SCA1 | | 12.1EC | Vulnerable; first fixed in 12.3BC | | | | | 12.3(23)BC4 | |------------+---------------------------------------+--------------| | 12.1EO | Vulnerable; first fixed in 12.2SV | | |------------+---------------------------------------+--------------| | | | 12.2(25) | | | | EWA14 | | 12.1EU | Vulnerable; first fixed in 12.2EWA | | | | | 12.2(31)SGA8 | | | | | | | | 12.2(46)SG1 | |------------+---------------------------------------+--------------| | 12.1EV | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.2(25) | | | | EWA14 | | | | | | | | 12.2(31)SGA8 | | 12.1EW | Vulnerable; first fixed in 12.2 | | | | | 12.2(46)SG1 | | | | | | | | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1EX | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.1EY | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.2(18) | | | | SXF15 | | 12.1EZ | Vulnerable; first fixed in 12.1E | | | | | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1GA | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1GB | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1T | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XA | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XB | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XC | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XD | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XE | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XF | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XG | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XH | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XI | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XJ | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XL | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XM | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XP | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XQ | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XR | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XS | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XT | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XU | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XV | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XW | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XX | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XY | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XZ | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1YA | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1YB | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1YC | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1YD | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | Releases prior to 12.1(5)YE6 are | 12.4(15)T7 | | 12.1YE | vulnerable, release 12.1(5)YE6 and | | | | later are not vulnerable; first fixed | 12.4(18c) | | | in 12.2 | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1YF | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1YH | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.1YI | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.1YJ | Not Vulnerable | | |------------+---------------------------------------+--------------| | Affected | | Recommended | | 12.2-Based | First Fixed Release | Release | | Releases | | | |------------+---------------------------------------+--------------| | | 12.2(26c) | | | | | | | | 12.2(27c) | | | | | 12.4(15)T7 | | 12.2 | 12.2(28d) | | | | | 12.4(18c) | | | 12.2(29b) | | | | | | | | 12.2(46) | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2B | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(33)SCA1 | | | | | | | | 12.3(23)BC4 | | 12.2BC | Vulnerable; first fixed in 12.3 | | | | | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2BW | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(33)SB2; | | | | Available on | | | | 26-SEP-08 | | 12.2BX | Vulnerable; first fixed in 12.3 | | | | | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2BY | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2BZ | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(33)SCA1 | | | | | | | | 12.3(23)BC4 | | 12.2CX | Vulnerable; first fixed in 12.3 | | | | | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(33)SCA1 | | | | | | | | 12.3(23)BC4 | | 12.2CY | Vulnerable; first fixed in 12.3 | | | | | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(33)SB2; | | 12.2CZ | Vulnerable; first fixed in 12.2S | Available on | | | | 26-SEP-08 | |------------+---------------------------------------+--------------| | | 12.2(10)DA9 | | | 12.2DA | | 12.2(12)DA13 | | | 12.2(12)DA13 | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2DD | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2DX | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(25) | | | | EWA14 | | 12.2EW | Vulnerable; first fixed in 12.2EWA | | | | | 12.2(31)SGA8 | | | | | | | | 12.2(46)SG1 | |------------+---------------------------------------+--------------| | | 12.2(25)EWA10 | 12.2(25) | | 12.2EWA | | EWA14 | | | 12.2(25)EWA11 | | |------------+---------------------------------------+--------------| | 12.2EX | 12.2(37)EX | 12.2(35)EX2 | |------------+---------------------------------------+--------------| | 12.2EY | 12.2(37)EY | | |------------+---------------------------------------+--------------| | 12.2EZ | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE | |------------+---------------------------------------+--------------| | 12.2FX | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2FY | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2FZ | Vulnerable; first fixed in 12.2SE | 12.2(46)SE | |------------+---------------------------------------+--------------| | 12.2IRB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2IXA | Vulnerable; migrate to any release in | 12.2(18)IXG | | | 12.2IXE | | |------------+---------------------------------------+--------------| | 12.2IXB | Vulnerable; migrate to any release in | 12.2(18)IXG | | | 12.2IXE | | |------------+---------------------------------------+--------------| | 12.2IXC | Vulnerable; migrate to any release in | 12.2(18)IXG | | | 12.2IXE | | |------------+---------------------------------------+--------------| | 12.2IXD | Vulnerable; migrate to any release in | 12.2(18)IXG | | | 12.2IXE | | |------------+---------------------------------------+--------------| | 12.2IXE | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2IXF | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2IXG | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2JA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2JK | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.2(25)SW12 | | | | | | 12.2MB | Vulnerable; first fixed in 12.2SW | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2MC | 12.2(15)MC2i | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | 12.2(14)S18 | | | | | | | | 12.2(18)S13 | 12.2(33)SB2; | | 12.2S | | Available on | | | 12.2(20)S13 | 26-SEP-08 | | | | | | | 12.2(25)S13 | | |------------+---------------------------------------+--------------| | | 12.2(28)SB7 | | | | | 12.2(33)SB2; | | 12.2SB | 12.2(31)SB5 | Available on | | | | 26-SEP-08 | | | 12.2(33)SB | | |------------+---------------------------------------+--------------| | | | 12.2(33)SB2; | | 12.2SBC | Vulnerable; first fixed in 12.2SB | Available on | | | | 26-SEP-08 | |------------+---------------------------------------+--------------| | 12.2SCA | Not Vulnerable | | |------------+---------------------------------------+--------------| | | 12.2(35)SE4 | | | 12.2SE | | 12.2(46)SE | | | 12.2(37)SE | | |------------+---------------------------------------+--------------| | 12.2SEA | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE | |------------+---------------------------------------+--------------| | 12.2SEB | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE | |------------+---------------------------------------+--------------| | 12.2SEC | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE | |------------+---------------------------------------+--------------| | 12.2SED | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE | |------------+---------------------------------------+--------------| | 12.2SEE | 12.2(25)SEE4 | 12.2(46)SE | |------------+---------------------------------------+--------------| | 12.2SEF | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SEG | 12.2(25)SEG3 | 12.2(25)SEG6 | |------------+---------------------------------------+--------------| | | 12.2(25)SG3 | | | | | | | 12.2SG | 12.2(31)SG3 | 12.2(46)SG1 | | | | | | | 12.2(37)SG | | |------------+---------------------------------------+--------------| | 12.2SGA | 12.2(31)SGA2 | 12.2(31)SGA8 | |------------+---------------------------------------+--------------| | 12.2SL | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SM | 12.2(29)SM3 | 12.2(29)SM4 | |------------+---------------------------------------+--------------| | 12.2SO | Vulnerable; first fixed in 12.2SV | | |------------+---------------------------------------+--------------| | | | 12.2(33)SRB4 | | 12.2SRA | 12.2(33)SRA4 | | | | | 12.2(33)SRC2 | |------------+---------------------------------------+--------------| | 12.2SRB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SRC | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2SU | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2SV | 12.2(29b)SV1 | | |------------+---------------------------------------+--------------| | 12.2SVA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SVC | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SVD | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SW | 12.2(25)SW12 | 12.2(25)SW12 | |------------+---------------------------------------+--------------| | 12.2SX | Vulnerable; first fixed in 12.2SXF | 12.2(18) | | | | SXF15 | |------------+---------------------------------------+--------------| | 12.2SXA | Vulnerable; first fixed in 12.2SXF | 12.2(18) | | | | SXF15 | |------------+---------------------------------------+--------------| | 12.2SXB | Vulnerable; first fixed in 12.2SXF | 12.2(18) | | | | SXF15 | |------------+---------------------------------------+--------------| | 12.2SXD | Vulnerable; first fixed in 12.2SXF | 12.2(18) | | | | SXF15 | |------------+---------------------------------------+--------------| | 12.2SXE | Vulnerable; first fixed in 12.2SXF | 12.2(18) | | | | SXF15 | |------------+---------------------------------------+--------------| | 12.2SXF | 12.2(18)SXF9 | 12.2(18) | | | | SXF15 | |------------+---------------------------------------+--------------| | | Not Vulnerable | | | 12.2SXH | | | | | http://www.cisco.com/go/pn | | |------------+---------------------------------------+--------------| | | | 12.2(33)SB2; | | 12.2SY | Vulnerable; first fixed in 12.2S | Available on | | | | 26-SEP-08 | |------------+---------------------------------------+--------------| | | | 12.2(33)SB2; | | 12.2SZ | Vulnerable; first fixed in 12.2S | Available on | | | | 26-SEP-08 | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2T | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2TPC | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XA | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XB | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XC | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XD | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XE | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(33)SCA1 | | | | | | | | 12.3(23)BC4 | | 12.2XF | Vulnerable; first fixed in 12.3 | | | | | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | Releases prior to 12.2(2)XG1 are | 12.4(15)T7 | | 12.2XG | vulnerable, release 12.2(2)XG1 and | | | | later are not vulnerable; first fixed | 12.4(18c) | | | in 12.3 | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XH | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XI | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XJ | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XK | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XL | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XM | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(33)SB2; | | | | Available on | | | | 26-SEP-08 | | 12.2XN | 12.2(33)XN1 | | | | | 12.2(33)SRC2 | | | | | | | | 12.2(33)XNA2 | |------------+---------------------------------------+--------------| | 12.2XNA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XNB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XO | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XQ | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | Releases prior to 12.2(15)XR are | 12.3(8)JEA3 | | | vulnerable, release 12.2(15)XR and | | | 12.2XR | later are not vulnerable; first fixed | 12.4(15)T7 | | | in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XS | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XT | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XU | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XV | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XW | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2YA | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2YB | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YC | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YD | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YE | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YF | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YG | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YH | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YJ | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YK | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YL | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2YM | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2YN | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YO | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2YP | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2YQ | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YR | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YS | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2YT | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YU | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YV | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YW | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YX | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YY | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YZ | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2ZA | Vulnerable; first fixed in 12.2SXF | 12.2(18) | | | | SXF15 | |------------+---------------------------------------+--------------| | 12.2ZB | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2ZC | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2ZD | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2ZE | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2ZF | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2ZG | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2ZH | 12.2(13)ZH9 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2ZJ | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2ZL | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2ZP | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2ZU | Vulnerable; migrate to any release in | 12.2(33)SXH3 | | | 12.2SXH | | |------------+---------------------------------------+--------------| | | | 12.2(33)SB2; | | 12.2ZX | Vulnerable; first fixed in 12.2SB | Available on | | | | 26-SEP-08 | |------------+---------------------------------------+--------------| | 12.2ZY | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2ZYA | Not Vulnerable | | |------------+---------------------------------------+--------------| | Affected | | Recommended | | 12.3-Based | First Fixed Release | Release | | Releases | | | |------------+---------------------------------------+--------------| | | 12.3(17c) | | | | | | | | 12.3(18a) | | | | | 12.4(15)T7 | | 12.3 | 12.3(19a) | | | | | 12.4(18c) | | | 12.3(20a) | | | | | | | | 12.3(21) | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3B | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | 12.3(17b)BC6 | | | 12.3BC | | 12.3(23)BC4 | | | 12.3(21)BC | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3BW | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.3EU | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JEA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JEB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JEC | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JK | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JL | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JX | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3T | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.3TPC | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.3VA | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XA | 12.3(2)XA7 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.3XB | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XC | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XD | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XE | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.3XF | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XG | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(33)SB2; | | 12.3XI | 12.3(7)XI10 | Available on | | | | 26-SEP-08 | |------------+---------------------------------------+--------------| | | | 12.3(14)YX13 | | 12.3XJ | Vulnerable; first fixed in 12.3YX | | | | | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XK | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XL | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XQ | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XR | 12.3(7)XR7 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XS | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.3XU | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.3(14)YX13 | | 12.3XW | Vulnerable; first fixed in 12.3YX | | | | | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XX | 12.3(8)XX2d | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XY | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XZ | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3YA | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.3YD | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.3(14)YX13 | | 12.3YF | Vulnerable; first fixed in 12.3YX | | | | | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YG | 12.3(8)YG6 | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YH | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YI | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YJ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YK | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.3(14) | | 12.3YM | 12.3(14)YM10 | YM13; | | | | Available on | | | | 30-SEP-08 | |------------+---------------------------------------+--------------| | 12.3YQ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YS | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YT | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.4(2)XB10 | | | | | | 12.3YU | Vulnerable; first fixed in 12.4XB | 12.4(9)XG3 | | | | | | | | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YX | 12.3(14)YX8 | 12.3(14)YX13 | |------------+---------------------------------------+--------------| | 12.3YZ | 12.3(11)YZ3 | | |------------+---------------------------------------+--------------| | 12.3ZA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | Affected | | Recommended | | 12.4-Based | First Fixed Release | Release | | Releases | | | |------------+---------------------------------------+--------------| | | 12.4(10c) | | | | | | | | 12.4(12) | | | | | | | | 12.4(3h) | | | 12.4 | | 12.4(18c) | | | 12.4(5c) | | | | | | | | 12.4(7e) | | | | | | | | 12.4(8d) | | |------------+---------------------------------------+--------------| | 12.4JA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4JK | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4JL | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4JMA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4JMB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4JMC | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4JX | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4MD | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4MR | 12.4(11)MR | 12.4(19)MR | |------------+---------------------------------------+--------------| | 12.4SW | Not Vulnerable | | |------------+---------------------------------------+--------------| | | 12.4(11)T | | | | | | | | 12.4(2)T6 | | | | | | | 12.4T | 12.4(4)T8 | 12.4(15)T7 | | | | | | | 12.4(6)T7 | | | | | | | | 12.4(9)T3 | | |------------+---------------------------------------+--------------| | 12.4XA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.4XB | 12.4(2)XB6 | 12.4(2)XB10 | |------------+---------------------------------------+--------------| | 12.4XC | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.4(4)XD11; | | 12.4XD | 12.4(4)XD8 | Available on | | | | 26-SEP-08 | |------------+---------------------------------------+--------------| | 12.4XE | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.4XF | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XG | 12.4(9)XG2 | 12.4(9)XG3 | |------------+---------------------------------------+--------------| | 12.4XJ | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XK | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XL | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XM | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XN | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XP | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.4XQ | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XR | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XT | 12.4(6)XT2 | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.4XV | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XW | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XY | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XZ | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4YA | Not Vulnerable | | +-------------------------------------------------------------------+ Workarounds =========== Specifying trusted PIM neighbors is a workaround for both vulnerabilities. A PIM router must receive PIM Hellos to establish PIM neighborship. PIM neighborship is also the basis for designated router (DR) election, DR failover, and accepting/sending PIM Join/ Prune/Assert messages. To specify trusted PIM neighbors, use the ip pim neighbor-filter command, as shown in the following example: Router(config)#access-list 1 permit host 10.10.10.123 !-- An access control list is created to allow a trusted PIM neighbor !-- in this example the neighbor is 10.10.10.123 ! Router(config)#interface fastEthernet 0/0 Router(config-if)#ip pim neighbor-filter 1 !-- The PIM neighbor filter is then applied to the respective interface(s) The ip pim neighbor-filter command filters PIM packets from untrusted devices including Hellos, Join/Prune, and BSR packets. Note: The vulnerabilities described in this document can be exploited by spoofed IP packets if the attacker knows the IP address of the trusted PIM neighbors listed in the ip pim neighbor-filter implementation. To protect infrastructure devices and minimize the risk, impact, and effectiveness of direct infrastructure attacks, administrators are advised to deploy ACLs to perform policy enforcement of traffic sent to core infrastructure equipment. PIM is IP protocol 103. As an additional workaround, administrators can explicitly permit only authorized PIM (IP protocol 103) traffic sent to infrastructure devices in accordance with existing security policies and configurations. An ACL can be deployed as shown in the following example: ip access-list extended Infrastructure-ACL-Policy ! !-- When applicable, include explicit permit statements for trusted !-- sources that require access on the vulnerable protocol !-- PIM routers need to communicate with the rendezvous point (RP). !-- In this example, 192.168.100.1 is the IP address of the !-- rendezvous point, which is a trusted host that requires access !-- to and from the affected PIM devices. ! permit pim host 192.168.100.1 192.168.60.0 0.0.0.255 permit pim 192.168.60.0 0.0.0.255 host 192.168.100.1 ! !-- Permit PIM segment traffic, packets have destination of: !-- 224.0.0.13 (PIMv2) !-- 224.0.0.2 (Required only by legacy PIMv1) ! permit pim 192.168.60.0 0.0.0.255 host 224.0.0.13 permit pim 192.168.60.0 0.0.0.255 host 224.0.0.2 ! !-- The following vulnerability-specific access control entries !-- (ACEs) can aid in identification of attacks ! deny pim any 192.168.60.0 0.0.0.255 ! !-- Explicit deny ACE for traffic sent to addresses configured within !-- the infrastructure address space ! deny ip any 192.168.60.0 0.0.0.255 ! !-- Permit/deny all other Layer 3 and Layer 4 traffic in accordance !-- with existing security policies and configurations ! !-- Apply iACL to interfaces in the ingress direction ! interface GigabitEthernet0/0 ip access-group Infrastructure-ACL-Policy in Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2008-September-24 | public | | | | release | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkjaLdEACgkQ86n/Gc8U/uBLYQCfbFNaZROaq5OZX5KzZAVwv0gr oBwAoJeb3PdxAWcVg3sBKladJgqbb1oy =f4p/ -----END PGP SIGNATURE----- . 1) An unspecified error exists in the processing of SSL packets during the termination of an SSL session, which can potentially be exploited to crash an affected system. 3) Unspecified errors within the processing of segmented Skinny Call Control Protocol (SCCP) messages can be exploited to cause a Cisco IOS device to reload. Successful exploitation requires that the device is configured with Network Address Translation (NAT) SCCP Fragmentation Support. 4) A memory leak in the processing of Session Initiation Protocol (SIP) messages can be exploited to cause a DoS for all voice services. 5) Multiple unspecified errors exist in the processing of SIP messages, which can be exploited to cause a reload of an affected device. 6) An unspecified error in the IOS Intrusion Prevention System (IPS) feature when processing certain IPS signatures that use the SERVICE.DNS engine can be exploited to cause a DoS via specially crafted network traffic. 7) A security issue exists in the processing of extended communities with Multi Protocol Label Switching (MPLS) Virtual Private Networks (VPN), which can lead to traffic leaking from one MPLS VPN to another. NOTE: This security issue was introduced with CSCee83237. 8) An unspecified error within the Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a DoS via specially crafted network packets. Successful exploitation requires access to the MPLS network. 9) An unspecified error within the Application Inspection Control (AIC) can be exploited to cause a reload of an affected device via specially crafted HTTP packets. 10) An unspecified error in the processing of Layer 2 Tunneling Protocol (L2TP) packets can be exploited to cause an affected device to reload via a specially crafted L2TP packets. Successful exploitation requires that the L2TP mgmt daemon process is running. This process may be enabled e.g. via Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up Networks (VPDN). 11) An unspecified error exists in the processing of IPC messages. This can be exploited to reload an affected device via a specially crafted UDP packet sent to port 1975. 12) A security issue is caused due to the device automatically enabling SNMP with a default community string, which can be exploited to gain control an affected system. SOLUTION: Update to the fixed version (please see the vendor's advisories for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-200809-0039 CVE-2008-3805 Cisco IOS In UDP Interfering with service operations related to packet processing (DoS) Vulnerabilities CVSS V2: 8.5
CVSS V3: -
Severity: HIGH
Cisco IOS 12.0 through 12.4 on Cisco 10000, uBR10012 and uBR7200 series devices handles external UDP packets that are sent to 127.0.0.0/8 addresses intended for IPC communication within the device, which allows remote attackers to cause a denial of service (device or linecard reload) via crafted UDP packets, a different vulnerability than CVE-2008-3806. this is CVE-2008-3806 Is a different vulnerability.Crafted by a third party UDP Service disruption by processing packets (DoS) There is a possibility of being put into a state. Multiple Cisco products running Cisco IOS (Internetwork Operating System) are prone to a denial-of-service vulnerability when handling maliciously crafted UDP-based IPC traffic. An attacker can exploit this issue to trigger device or linecard reloads, causing denial-of-service conditions. The following device series are affected: Cisco 10000 Cisco uBR10012 Cisco uBR7200. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Cisco IOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA31990 VERIFY ADVISORY: http://secunia.com/advisories/31990/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/advisories/product/50/ Cisco IOS 12.x http://secunia.com/advisories/product/182/ DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or to compromise a vulnerable system. 1) An unspecified error exists in the processing of SSL packets during the termination of an SSL session, which can potentially be exploited to crash an affected system. 2) Two unspecified errors exist within the processing of Protocol Independent Multicast (PIM) packets, which can be exploited to cause an affected device to reload. 3) Unspecified errors within the processing of segmented Skinny Call Control Protocol (SCCP) messages can be exploited to cause a Cisco IOS device to reload. Successful exploitation requires that the device is configured with Network Address Translation (NAT) SCCP Fragmentation Support. 4) A memory leak in the processing of Session Initiation Protocol (SIP) messages can be exploited to cause a DoS for all voice services. 6) An unspecified error in the IOS Intrusion Prevention System (IPS) feature when processing certain IPS signatures that use the SERVICE.DNS engine can be exploited to cause a DoS via specially crafted network traffic. 7) A security issue exists in the processing of extended communities with Multi Protocol Label Switching (MPLS) Virtual Private Networks (VPN), which can lead to traffic leaking from one MPLS VPN to another. 8) An unspecified error within the Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a DoS via specially crafted network packets. Successful exploitation requires access to the MPLS network. 9) An unspecified error within the Application Inspection Control (AIC) can be exploited to cause a reload of an affected device via specially crafted HTTP packets. 10) An unspecified error in the processing of Layer 2 Tunneling Protocol (L2TP) packets can be exploited to cause an affected device to reload via a specially crafted L2TP packets. Successful exploitation requires that the L2TP mgmt daemon process is running. This process may be enabled e.g. via Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up Networks (VPDN). 11) An unspecified error exists in the processing of IPC messages. 12) A security issue is caused due to the device automatically enabling SNMP with a default community string, which can be exploited to gain control an affected system. Successful exploitation requires that a device is configured for linecard redundancy. SOLUTION: Update to the fixed version (please see the vendor's advisories for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . No other platforms are affected. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml Note: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS^ software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory. Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008: http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml Individual publication links are listed below: * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml Affected Products ================= Cisco 10000, uBR10012 and uBR7200 series devices that are running an affected version of Cisco IOS are affected. The following example shows an output taken from a Cisco 10000 series device running Cisco IOS software release 12.2(31)SB10e: c10k#show version | include IOS Cisco IOS Software, 10000 Software (C10K3-P11-M), Version 12.2(31)SB10e, RELEASE SOFTWARE (fc1) c10k# The following example shows an output taken from a Cisco uBR10012 series device running Cisco IOS software release 12.3(17b)BC7: ubr10k#show version | include IOS IOS (tm) 10000 Software (UBR10K-K8P6U2-M), Version 12.3(17b)BC7, RELEASE SOFTWARE (fc1) ubr10k# The following example shows an output taken from a Cisco uBR7200 series device running Cisco IOS software release 12.3(21a)BC2: ubr7200#show version | include IOS IOS (tm) 7200 Software (UBR7200-IK9SU2-M), Version 12.3(21a)BC2, RELEASE SOFTWARE (fc1) ubr7200# Please refer to the document entitled "White Paper: Cisco IOS Reference Guide" for additional information on the Cisco IOS release naming conventions. This document is available at the following link: http://www.cisco.com/warp/public/620/1.html Any version of Cisco IOS prior to the fixed versions listed in the Software Versions and Fixes section below is vulnerable. No other Cisco products are currently known to be affected by this vulnerability. This channel uses addresses from the 127.0.0.0/8 range and UDP port 1975. Filtering unauthorized traffic destined to 127.0.0.0/8 or UDP port 1975 will mitigate this vulnerability. This vulnerability is documented in the Cisco Bug IDs CSCsg15342 and CSCsh29217 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-3805. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsg15342 - IPC processing needs to be more robust CVSS Base Score - 8.5 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - Partial Availability Impact - Complete CVSS Temporal Score - 7 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsh29217 - IPC processing needs to be more robust CVSS Base Score - 8.5 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - Partial Availability Impact - Complete CVSS Temporal Score - 7 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerability may result in a reload of the device, linecards, or both, resulting in a DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +-------------------------------------------------------------------+ | Major | Availability of Repaired Releases | | Release | | |-------------+-----------------------------------------------------| | Affected | | Recommended | | 12.0-Based | First Fixed Release | Release | | Releases | | | |-------------+-------------------------------------+---------------| | 12.0 | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0DA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0DB | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0DC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | | Releases prior to 12.0(32)S are | 12.0(32)S11 | | 12.0S | vulnerable, release 12.0(32)S and | | | | later are not vulnerable; | 12.0(33)S1 | |-------------+-------------------------------------+---------------| | 12.0SC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0SL | Vulnerable, migrate to 12.0S, 12.1 | | |-------------+-------------------------------------+---------------| | 12.0SP | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0ST | Vulnerable, migrate to 12.0S, 12.1 | | |-------------+-------------------------------------+---------------| | 12.0SX | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0SY | Not Vulnerable | | |-------------+-------------------------------------+---------------| | | | 12.0(32)S11 | | 12.0SZ | 12.0(30)SZ4 | | | | | 12.0(33)S1 | |-------------+-------------------------------------+---------------| | 12.0T | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0W | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0WC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0WT | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XB | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XD | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XE | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XF | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XG | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XH | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XI | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XJ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XK | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XL | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XM | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XN | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XQ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XR | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XS | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XT | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.0XV | Not Vulnerable | | |-------------+-------------------------------------+---------------| | Affected | | Recommended | | 12.1-Based | First Fixed Release | Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.1 based releases | |-------------------------------------------------------------------| | Affected | | Recommended | | 12.2-Based | First Fixed Release | Release | | Releases | | | |-------------+-------------------------------------+---------------| | 12.2 | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2B | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2BC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2BW | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2BX | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2BY | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2BZ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2CX | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2CY | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2CZ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2DA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2DD | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2DX | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2EW | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2EWA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2EX | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2EY | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2EZ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2FX | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2FY | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2FZ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2IRB | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2IXA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2IXB | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2IXC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2IXD | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2IXE | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2IXF | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2IXG | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2JA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2JK | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2MB | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2MC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2S | Not Vulnerable | | |-------------+-------------------------------------+---------------| | | 12.2(31)SB13 | 12.2(33)SB2; | | 12.2SB | | Available on | | | 12.2(33)SB1 | 26-SEP-08 | |-------------+-------------------------------------+---------------| | 12.2SBC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SCA | 12.2(33)SCA1 | 12.2(33)SCA1 | |-------------+-------------------------------------+---------------| | 12.2SE | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SEA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SEB | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SEC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SED | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SEE | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SEF | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SEG | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SG | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SGA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SL | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SM | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SO | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SRA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SRB | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SRC | 12.2(33)SRC2 | 12.2(33)SRC2 | |-------------+-------------------------------------+---------------| | 12.2SU | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SV | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SVA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SVC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SVD | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SW | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SX | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SXA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SXB | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SXD | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SXE | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SXF | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SXH | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SY | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2SZ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2T | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2TPC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XB | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XD | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XE | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XF | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XG | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XH | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XI | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XJ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XK | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XL | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XM | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XN | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XNA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XNB | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XO | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XQ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XR | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XS | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XT | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XU | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XV | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2XW | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YB | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YD | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YE | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YF | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YG | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YH | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YJ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YK | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YL | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YM | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YN | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YO | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YP | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YQ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YR | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YS | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YT | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YU | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YV | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YW | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YX | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YY | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2YZ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2ZA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2ZB | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2ZC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2ZD | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2ZE | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2ZF | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2ZG | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2ZH | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2ZJ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2ZL | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2ZP | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2ZU | Not Vulnerable | | |-------------+-------------------------------------+---------------| | | | 12.2(33)SB2; | | 12.2ZX | Vulnerable; first fixed in 12.2SB | Available on | | | | 26-SEP-08 | |-------------+-------------------------------------+---------------| | 12.2ZY | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.2ZYA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | Affected | | Recommended | | 12.3-Based | First Fixed Release | Release | | Releases | | | |-------------+-------------------------------------+---------------| | 12.3 | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3B | Not Vulnerable | | |-------------+-------------------------------------+---------------| | | 12.3(17b)BC6 | | | | | | | 12.3BC | 12.3(21a)BC1 | 12.3(23)BC4 | | | | | | | 12.3(23)BC | | |-------------+-------------------------------------+---------------| | 12.3BW | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3EU | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3JA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3JEA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3JEB | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3JEC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3JK | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3JL | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3JX | Not Vulnerable | | |-------------+-------------------------------------+---------------| | | Note: Releases prior to 12.3(14)T3 | 12.4(15)T7 | | 12.3T | are vulnerable, release 12.3(14)T3 | | | | and later are not vulnerable; | 12.4(18c) | |-------------+-------------------------------------+---------------| | 12.3TPC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3VA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3XA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3XB | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3XC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3XD | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3XE | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3XF | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3XG | Not Vulnerable | | |-------------+-------------------------------------+---------------| | | | 12.2(33)SB2; | | 12.3XI | 12.3(7)XI10a | Available on | | | | 26-SEP-08 | |-------------+-------------------------------------+---------------| | 12.3XJ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3XK | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3XL | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3XQ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3XR | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3XS | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3XU | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3XW | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3XX | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3XY | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3XZ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3YA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3YD | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3YF | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3YG | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3YH | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3YI | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3YJ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3YK | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3YM | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3YQ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3YS | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3YT | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3YU | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3YX | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3YZ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.3ZA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | Affected | | Recommended | | 12.4-Based | First Fixed Release | Release | | Releases | | | |-------------+-------------------------------------+---------------| | | Note: Releases prior to 12.4(3) are | | | 12.4 | vulnerable, release 12.4(3) and | 12.4(18c) | | | later are not vulnerable; | | |-------------+-------------------------------------+---------------| | 12.4JA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4JK | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4JL | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4JMA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4JMB | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4JMC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4JX | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4MD | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4MR | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4SW | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4T | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XA | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XB | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XC | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XD | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XE | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XF | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XG | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XJ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XK | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XL | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XM | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XN | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XP | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XQ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XR | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XT | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XV | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XW | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XY | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4XZ | Not Vulnerable | | |-------------+-------------------------------------+---------------| | 12.4YA | Not Vulnerable | | +-------------------------------------------------------------------+ Workarounds =========== Workarounds consist of filtering packets that are sent to 127.0.0.0/8 range and UDP packets that are sent to port 1975. Using Interface Access Control Lists +----------------------------------- Access lists that filter UDP packets destined to port 1975 can be used to mitigate this vulnerability. UDP port 1975 is a registered port number that can be used by certain applications. However, filtering all packets that are destined to UDP port 1975 may cause some applications to malfunction. Therefore, access lists need to explicitly deny UDP 1975 packets that are sent to any router interface IP addresses and permit transit traffic. Such access lists need to be applied on all interfaces to be effective. Since the IPC channel uses addresses from the 127.0.0.0/8 range, it is also necessary to filter packets that are sourced from or destined to this range. An example is given below: access-list 100 deny udp any host <router-interface 1> eq 1975 access-list 100 deny udp any host <router-interface 2> eq 1975 access-list 100 deny udp any host <router-interface ...> eq 1975 access-list 100 deny ip 127.0.0.0 0.255.255.255 any access-list 100 deny ip any 127.0.0.0 0.255.255.255 access-list 100 permit ip any any interface Serial 0/0 ip access-group 100 in Using Control Plane Policing +--------------------------- Control Plane Policing (CoPP) can be used to block untrusted UDP port 1975 access to the affected device. Cisco IOS software releases 12.2BC and 12.2SCA support the CoPP feature. CoPP may be configured on a device to protect the management and control planes to minimize the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic sent to infrastructure devices in accordance with existing security policies and configurations. The following example can be adapted to your network. Note: CoPP is not supported on uBR10012 series devices. !-- Permit all UDP/1975 traffic so that it !-- will be policed and dropped by the CoPP feature ! access-list 111 permit udp any any eq 1975 access-list 111 permit ip any 127.0.0.0 0.255.255.255 access-list 111 permit ip 127.0.0.0 0.255.255.255 any ! !-- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and !-- Layer 4 traffic in accordance with existing security policies !-- and configurations for traffic that is authorized to be sent !-- to infrastructure devices ! !-- Create a Class-Map for traffic to be policed by the CoPP !-- feature ! class-map match-all drop-IPC-class match access-group 111 ! !-- Create a Policy-Map that will be applied to the Control-Plane !-- of the device ! policy-map drop-IPC-traffic class drop-IPC-class drop ! !-- Apply the Policy-Map to the Control-Plane of the device ! control-plane service-policy input drop-IPC-traffic ! In the above CoPP example, the access control list entries (ACEs) which match the potential exploit packets with the "permit" action result in these packets being discarded by the policy-map "drop" function, while packets that match the "deny" action (not shown) are not affected by the policy-map drop function. Please note that in the Cisco IOS 12.2S and 12.0S trains the policy-map syntax is different: ! policy-map drop-IPC-traffic class drop-IPC-class police 32000 1500 1500 conform-action drop exceed-action drop ! Additional information on the configuration and use of the CoPP feature can be found at http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html, http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html and http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html Using Infrastructure ACLs at Network Boundary +-------------------------------------------- Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network. iACLs are a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The iACL example shown below should be included as part of the deployed infrastructure access-list which will protect all devices with IP addresses in the infrastructure IP address range: !-- Note: IPC packets sent to UDP destination port 1975 must not !-- be permitted from any trusted source as this traffic !-- should only be sent and received internally by the !-- affected device using an IP address allocated from the !-- 127.0.0.0/8 prefix. !-- !-- IPC that traffic that is internally generated and sent !-- and/or received by the affected device is not subjected !-- to packet filtering by the applied iACL policy. ! access-list 150 deny udp any host INTERFACE_ADDRESS#1 eq 1975 access-list 150 deny udp any host INTERFACE_ADDRESS#2 eq 1975 access-list 150 deny udp any host INTERFACE_ADDRESS#N eq 1975 ! !-- Deny all IP packets with a source or destination IP address !-- from the 127.0.0.0/8 prefix. ! access-list 150 deny ip 127.0.0.0 0.255.255.255 any access-list 150 deny ip any 127.0.0.0 0.255.255.255 ! !-- Permit/deny all other Layer 3 and Layer 4 traffic in accordance !-- with existing security policies and configurations. ! !-- Permit all other traffic to transit the device. ! access-list 150 permit ip any any ! !-- Apply iACL to interfaces in the ingress direction. ! interface GigabitEthernet0/0 ip access-group 150 in ! Note: iACLs that filter UDP packets destined to port 1975 can be used to mitigate this vulnerability. However, UDP port 1975 is a registered port number that can be used by certain applications. Filtering all packets that are destined to UDP port 1975 may cause some applications to malfunction. Therefore, the iACL policy needs to explicitly deny UDP packets using a destination port of 1975 that are sent to any router interface IP addresses for affected devices, then permit and/or deny all other Layer 3 and Layer 4 traffic in accordance with existing security policies and configurations, and then permit all other traffic to transit the device. iACLs must be applied on all interfaces to be used effectively. Since the IPC channel uses addresses from the 127.0.0.0/8 range, it is also necessary to filter packets that are sourced from or destined to this range as provided in the preceding example. The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists. This white paper can be obtained here: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml Additional Mitigation Techniques +------------------------------- Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20080924-ipc-and-ubr.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was found internally. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-Sep-24 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkjaLcIACgkQ86n/Gc8U/uDLHwCeO1ZYLn/jMCO2qIX5cBhtLo46 uokAn1Q+dApUNnQOJY6Eh1cVegNVXg43 =jP+C -----END PGP SIGNATURE-----
VAR-200809-0042 CVE-2008-3808 Cisco IOS In PIM Denial of service operation related to packet processing (DoS) Vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-200809-0862		 CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Cisco IOS 12.0 through 12.4 allows remote attackers to cause a denial of service (device reload) via a crafted Protocol Independent Multicast (PIM) packet. Cisco IOS is prone to multiple remote denial-of-service vulnerabilities because the software fails to properly handle malformed network datagrams. Successfully exploiting these issues allows remote attackers to cause targeted devices to reload. Multiple exploits can lead to a sustained denial-of-service. These issues are tracked by Cisco Bug IDs CSCsd95616 and CSCsl34355. Cisco IOS is the Internet operating system used on Cisco networking equipment. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml Note: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory. Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008: http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml Individual publication links are listed below: * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml Affected Products ================= Vulnerable Products +------------------ Devices that are running Cisco IOS Software and configured for PIM have a vulnerability related to a specially crafted PIM packet. The show running-config | include ip pim command can be issued to verify that a Cisco IOS device is configured for PIM. In the following example, the Cisco IOS router is configured for PIM sparse-dense mode. Router#show running-config | include ip pim ip pim sparse-dense-mode Note that available PIM modes on a Cisco IOS device are dense mode, sparse mode, or sparse-dense mode. A device that is configured for any of these modes is affected by these vulnerabilities. The mode determines how the device populates its multicast routing table and how multicast packets are forwarded. PIM must be enabled in one of these modes for an interface to perform IP multicast routing. More information on the configuration of each mode is in the "Details" section. Additionally, To display information about interfaces configured for Protocol Independent Multicast (PIM), use the show ip pim interface command in user EXEC or privileged EXEC mode, as shown in the following example: Router# show ip pim interface Address Interface Ver/ Nbr Query DR DR Mode Count Intvl Prior 10.1.0.1 GigabitEthernet0/0 v2/SD 0 30 1 10.1.0.1 10.6.0.1 GigabitEthernet0/1 v2/SD 1 30 1 10.6.0.2 In order to determine the software that runs on a Cisco IOS product, log in to the device and issue the show version command to display the system banner. Cisco IOS software identifies itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name displays between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco devices do not have the show version command or give different output. The following example shows output from a device that runs an IOS image: router>show version Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(6)T2, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2006 by Cisco Systems, Inc. Compiled Tue 16-May-06 16:09 by kellythw <more output removed for brevity> Products Confirmed Not Vulnerable +-------------------------------- Cisco IOS devices that are not configured for PIM are not vulnerable. Cisco IOS XR Software is not affected by this vulnerability. No other Cisco products are currently known to be affected by this vulnerability. Devices that run Cisco IOS Software and are configured for PIM are affected by the first vulnerability. Only Cisco 12000 Series (GSR) routers that are configured for PIM are affected by the second vulnerability. Available PIM modes on a Cisco IOS device are dense mode, sparse mode, or sparse-dense mode. The mode determines how the device populates its multicast routing table and how multicast packets are forwarded. PIM must be enabled in one of these modes for an interface to perform IP multicast routing. Note: There is no default mode setting. By default, multicast routing is disabled on an interface. To configure PIM on an interface to be in dense mode, use the following command in interface configuration mode: Router(config-if)# ip pim dense-mode To configure PIM on an interface to be in sparse mode, use the following command in interface configuration mode: Router(config-if)# ip pim sparse-mode To configure PIM on an interface to be in sparse-dense mode, use the following command in interface configuration mode: Router(config-if)# ip pim sparse-dense-mode These vulnerabilities are documented in the following Cisco Bug IDs: * CSCsd95616 - Crafted PIM packets may cause an IOS device to reload * CSCsl34355 - GSR may crash with malformed PIM packets These vulnerabilities have been assigned the Common Vulnerabilities and Exposures (CVE) identifiers CVE-2008-3808 and CVE-2008-3809. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsd95616 - Crafted PIM packets may cause an IOS device to reload CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsl34355 - GSR may crash with malformed PIM packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation may cause a reload of the affected device. Repeated exploitation could result in a sustained denial of service (DoS) condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +-------------------------------------------------------------------+ | Major | Availability of Repaired Releases | | Release | | |------------+------------------------------------------------------| | Affected | | Recommended | | 12.0-Based | First Fixed Release | Release | | Releases | | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0 | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | Releases prior to 12.0(8)DA3 are | 12.2(12)DA13 | | | vulnerable, release 12.0(8)DA3 and | | | 12.0DA | later are not vulnerable; first fixed | 12.4(15)T7 | | | in 12.2DA | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0DB | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0DC | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | 12.0(32)S8 | 12.0(32)S11 | | 12.0S | | | | | 12.0(33)S | 12.0(33)S1 | |------------+---------------------------------------+--------------| | | | 12.0(32)S11 | | 12.0SC | Vulnerable; first fixed in 12.0S | | | | | 12.0(33)S1 | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0SL | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0SP | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.0(32)S11 | | 12.0ST | Vulnerable; first fixed in 12.0S | | | | | 12.0(33)S1 | |------------+---------------------------------------+--------------| | | | 12.0(32)S11 | | 12.0SX | Vulnerable; first fixed in 12.0S | | | | | 12.0(33)S1 | |------------+---------------------------------------+--------------| | | | 12.0(32)SY7; | | 12.0SY | 12.0(32)SY5 | Available on | | | | 29-SEP-08 | |------------+---------------------------------------+--------------| | | | 12.0(32)S11 | | 12.0SZ | 12.0(30)SZ4 | | | | | 12.0(33)S1 | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0T | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.0W | Vulnerable; first fixed in 12.2 | 12.0(3c)W5 | | | | (8) | |------------+---------------------------------------+--------------| | | Releases prior to 12.0(5)WC10 are | 12.4(15)T7 | | 12.0WC | vulnerable, release 12.0(5)WC10 and | | | | later are not vulnerable; first fixed | 12.4(18c) | | | in 12.2 | | |------------+---------------------------------------+--------------| | 12.0WT | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XA | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XB | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | Releases prior to 12.0(2)XC2 are | 12.4(15)T7 | | 12.0XC | vulnerable, release 12.0(2)XC2 and | | | | later are not vulnerable; first fixed | 12.4(18c) | | | in 12.2 | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XD | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XE | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.0XF | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XG | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XH | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | Releases prior to 12.0(4)XI2 are | 12.4(15)T7 | | 12.0XI | vulnerable, release 12.0(4)XI2 and | | | | later are not vulnerable; first fixed | 12.4(18c) | | | in 12.2 | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XJ | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XK | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XL | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XM | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XN | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XQ | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XR | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.0XS | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XT | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.0XV | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | Affected | | Recommended | | 12.1-Based | First Fixed Release | Release | | Releases | | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1 | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1AA | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.1AX | Vulnerable; first fixed in 12.2EY | 12.2(46)SE | |------------+---------------------------------------+--------------| | | Releases prior to 12.1(22)AY1 are | 12.1(22)EA12 | | 12.1AY | vulnerable, release 12.1(22)AY1 and | | | | later are not vulnerable; first fixed | 12.2(46)SE | | | in 12.1EA | | |------------+---------------------------------------+--------------| | 12.1AZ | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1CX | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(12)DA13 | | | | | | 12.1DA | Vulnerable; first fixed in 12.2DA | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1DB | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1DC | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.1E | 12.1(27b)E2 | 12.2(18) | | | | SXF15 | |------------+---------------------------------------+--------------| | 12.1EA | 12.1(22)EA10 | 12.1(22)EA12 | |------------+---------------------------------------+--------------| | 12.1EB | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.2(33)SCA1 | | 12.1EC | Vulnerable; first fixed in 12.3BC | | | | | 12.3(23)BC4 | |------------+---------------------------------------+--------------| | 12.1EO | Vulnerable; first fixed in 12.2SV | | |------------+---------------------------------------+--------------| | | | 12.2(25) | | | | EWA14 | | 12.1EU | Vulnerable; first fixed in 12.2EWA | | | | | 12.2(31)SGA8 | | | | | | | | 12.2(46)SG1 | |------------+---------------------------------------+--------------| | 12.1EV | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.2(25) | | | | EWA14 | | | | | | | | 12.2(31)SGA8 | | 12.1EW | Vulnerable; first fixed in 12.2 | | | | | 12.2(46)SG1 | | | | | | | | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1EX | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.1EY | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.2(18) | | | | SXF15 | | 12.1EZ | Vulnerable; first fixed in 12.1E | | | | | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1GA | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1GB | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1T | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XA | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XB | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XC | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XD | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XE | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XF | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XG | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XH | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XI | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XJ | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XL | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XM | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XP | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XQ | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XR | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XS | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XT | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XU | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XV | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XW | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XX | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XY | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1XZ | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1YA | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1YB | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1YC | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1YD | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | Releases prior to 12.1(5)YE6 are | 12.4(15)T7 | | 12.1YE | vulnerable, release 12.1(5)YE6 and | | | | later are not vulnerable; first fixed | 12.4(18c) | | | in 12.2 | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1YF | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.1YH | Vulnerable; first fixed in 12.2 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.1YI | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.1YJ | Not Vulnerable | | |------------+---------------------------------------+--------------| | Affected | | Recommended | | 12.2-Based | First Fixed Release | Release | | Releases | | | |------------+---------------------------------------+--------------| | | 12.2(26c) | | | | | | | | 12.2(27c) | | | | | 12.4(15)T7 | | 12.2 | 12.2(28d) | | | | | 12.4(18c) | | | 12.2(29b) | | | | | | | | 12.2(46) | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2B | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(33)SCA1 | | | | | | | | 12.3(23)BC4 | | 12.2BC | Vulnerable; first fixed in 12.3 | | | | | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2BW | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(33)SB2; | | | | Available on | | | | 26-SEP-08 | | 12.2BX | Vulnerable; first fixed in 12.3 | | | | | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2BY | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2BZ | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(33)SCA1 | | | | | | | | 12.3(23)BC4 | | 12.2CX | Vulnerable; first fixed in 12.3 | | | | | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(33)SCA1 | | | | | | | | 12.3(23)BC4 | | 12.2CY | Vulnerable; first fixed in 12.3 | | | | | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(33)SB2; | | 12.2CZ | Vulnerable; first fixed in 12.2S | Available on | | | | 26-SEP-08 | |------------+---------------------------------------+--------------| | | 12.2(10)DA9 | | | 12.2DA | | 12.2(12)DA13 | | | 12.2(12)DA13 | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2DD | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2DX | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(25) | | | | EWA14 | | 12.2EW | Vulnerable; first fixed in 12.2EWA | | | | | 12.2(31)SGA8 | | | | | | | | 12.2(46)SG1 | |------------+---------------------------------------+--------------| | | 12.2(25)EWA10 | 12.2(25) | | 12.2EWA | | EWA14 | | | 12.2(25)EWA11 | | |------------+---------------------------------------+--------------| | 12.2EX | 12.2(37)EX | 12.2(35)EX2 | |------------+---------------------------------------+--------------| | 12.2EY | 12.2(37)EY | | |------------+---------------------------------------+--------------| | 12.2EZ | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE | |------------+---------------------------------------+--------------| | 12.2FX | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2FY | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2FZ | Vulnerable; first fixed in 12.2SE | 12.2(46)SE | |------------+---------------------------------------+--------------| | 12.2IRB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2IXA | Vulnerable; migrate to any release in | 12.2(18)IXG | | | 12.2IXE | | |------------+---------------------------------------+--------------| | 12.2IXB | Vulnerable; migrate to any release in | 12.2(18)IXG | | | 12.2IXE | | |------------+---------------------------------------+--------------| | 12.2IXC | Vulnerable; migrate to any release in | 12.2(18)IXG | | | 12.2IXE | | |------------+---------------------------------------+--------------| | 12.2IXD | Vulnerable; migrate to any release in | 12.2(18)IXG | | | 12.2IXE | | |------------+---------------------------------------+--------------| | 12.2IXE | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2IXF | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2IXG | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2JA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2JK | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.2(25)SW12 | | | | | | 12.2MB | Vulnerable; first fixed in 12.2SW | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2MC | 12.2(15)MC2i | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | 12.2(14)S18 | | | | | | | | 12.2(18)S13 | 12.2(33)SB2; | | 12.2S | | Available on | | | 12.2(20)S13 | 26-SEP-08 | | | | | | | 12.2(25)S13 | | |------------+---------------------------------------+--------------| | | 12.2(28)SB7 | | | | | 12.2(33)SB2; | | 12.2SB | 12.2(31)SB5 | Available on | | | | 26-SEP-08 | | | 12.2(33)SB | | |------------+---------------------------------------+--------------| | | | 12.2(33)SB2; | | 12.2SBC | Vulnerable; first fixed in 12.2SB | Available on | | | | 26-SEP-08 | |------------+---------------------------------------+--------------| | 12.2SCA | Not Vulnerable | | |------------+---------------------------------------+--------------| | | 12.2(35)SE4 | | | 12.2SE | | 12.2(46)SE | | | 12.2(37)SE | | |------------+---------------------------------------+--------------| | 12.2SEA | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE | |------------+---------------------------------------+--------------| | 12.2SEB | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE | |------------+---------------------------------------+--------------| | 12.2SEC | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE | |------------+---------------------------------------+--------------| | 12.2SED | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE | |------------+---------------------------------------+--------------| | 12.2SEE | 12.2(25)SEE4 | 12.2(46)SE | |------------+---------------------------------------+--------------| | 12.2SEF | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SEG | 12.2(25)SEG3 | 12.2(25)SEG6 | |------------+---------------------------------------+--------------| | | 12.2(25)SG3 | | | | | | | 12.2SG | 12.2(31)SG3 | 12.2(46)SG1 | | | | | | | 12.2(37)SG | | |------------+---------------------------------------+--------------| | 12.2SGA | 12.2(31)SGA2 | 12.2(31)SGA8 | |------------+---------------------------------------+--------------| | 12.2SL | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SM | 12.2(29)SM3 | 12.2(29)SM4 | |------------+---------------------------------------+--------------| | 12.2SO | Vulnerable; first fixed in 12.2SV | | |------------+---------------------------------------+--------------| | | | 12.2(33)SRB4 | | 12.2SRA | 12.2(33)SRA4 | | | | | 12.2(33)SRC2 | |------------+---------------------------------------+--------------| | 12.2SRB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SRC | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2SU | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2SV | 12.2(29b)SV1 | | |------------+---------------------------------------+--------------| | 12.2SVA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SVC | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SVD | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SW | 12.2(25)SW12 | 12.2(25)SW12 | |------------+---------------------------------------+--------------| | 12.2SX | Vulnerable; first fixed in 12.2SXF | 12.2(18) | | | | SXF15 | |------------+---------------------------------------+--------------| | 12.2SXA | Vulnerable; first fixed in 12.2SXF | 12.2(18) | | | | SXF15 | |------------+---------------------------------------+--------------| | 12.2SXB | Vulnerable; first fixed in 12.2SXF | 12.2(18) | | | | SXF15 | |------------+---------------------------------------+--------------| | 12.2SXD | Vulnerable; first fixed in 12.2SXF | 12.2(18) | | | | SXF15 | |------------+---------------------------------------+--------------| | 12.2SXE | Vulnerable; first fixed in 12.2SXF | 12.2(18) | | | | SXF15 | |------------+---------------------------------------+--------------| | 12.2SXF | 12.2(18)SXF9 | 12.2(18) | | | | SXF15 | |------------+---------------------------------------+--------------| | | Not Vulnerable | | | 12.2SXH | | | | | http://www.cisco.com/go/pn | | |------------+---------------------------------------+--------------| | | | 12.2(33)SB2; | | 12.2SY | Vulnerable; first fixed in 12.2S | Available on | | | | 26-SEP-08 | |------------+---------------------------------------+--------------| | | | 12.2(33)SB2; | | 12.2SZ | Vulnerable; first fixed in 12.2S | Available on | | | | 26-SEP-08 | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2T | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2TPC | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XA | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XB | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XC | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XD | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XE | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(33)SCA1 | | | | | | | | 12.3(23)BC4 | | 12.2XF | Vulnerable; first fixed in 12.3 | | | | | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | Releases prior to 12.2(2)XG1 are | 12.4(15)T7 | | 12.2XG | vulnerable, release 12.2(2)XG1 and | | | | later are not vulnerable; first fixed | 12.4(18c) | | | in 12.3 | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XH | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XI | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XJ | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XK | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XL | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XM | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(33)SB2; | | | | Available on | | | | 26-SEP-08 | | 12.2XN | 12.2(33)XN1 | | | | | 12.2(33)SRC2 | | | | | | | | 12.2(33)XNA2 | |------------+---------------------------------------+--------------| | 12.2XNA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XNB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XO | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XQ | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | Releases prior to 12.2(15)XR are | 12.3(8)JEA3 | | | vulnerable, release 12.2(15)XR and | | | 12.2XR | later are not vulnerable; first fixed | 12.4(15)T7 | | | in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XS | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XT | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XU | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XV | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XW | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2YA | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2YB | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YC | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YD | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YE | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YF | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YG | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YH | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YJ | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YK | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YL | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2YM | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2YN | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YO | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2YP | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2YQ | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YR | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YS | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2YT | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YU | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YV | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YW | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YX | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YY | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YZ | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2ZA | Vulnerable; first fixed in 12.2SXF | 12.2(18) | | | | SXF15 | |------------+---------------------------------------+--------------| | 12.2ZB | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2ZC | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2ZD | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2ZE | Vulnerable; first fixed in 12.3 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2ZF | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2ZG | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2ZH | 12.2(13)ZH9 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2ZJ | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2ZL | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2ZP | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2ZU | Vulnerable; migrate to any release in | 12.2(33)SXH3 | | | 12.2SXH | | |------------+---------------------------------------+--------------| | | | 12.2(33)SB2; | | 12.2ZX | Vulnerable; first fixed in 12.2SB | Available on | | | | 26-SEP-08 | |------------+---------------------------------------+--------------| | 12.2ZY | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2ZYA | Not Vulnerable | | |------------+---------------------------------------+--------------| | Affected | | Recommended | | 12.3-Based | First Fixed Release | Release | | Releases | | | |------------+---------------------------------------+--------------| | | 12.3(17c) | | | | | | | | 12.3(18a) | | | | | 12.4(15)T7 | | 12.3 | 12.3(19a) | | | | | 12.4(18c) | | | 12.3(20a) | | | | | | | | 12.3(21) | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3B | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | 12.3(17b)BC6 | | | 12.3BC | | 12.3(23)BC4 | | | 12.3(21)BC | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3BW | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.3EU | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JEA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JEB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JEC | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JK | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JL | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JX | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3T | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.3TPC | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.3VA | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XA | 12.3(2)XA7 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.3XB | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XC | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XD | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XE | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.3XF | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XG | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.2(33)SB2; | | 12.3XI | 12.3(7)XI10 | Available on | | | | 26-SEP-08 | |------------+---------------------------------------+--------------| | | | 12.3(14)YX13 | | 12.3XJ | Vulnerable; first fixed in 12.3YX | | | | | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XK | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XL | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XQ | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XR | 12.3(7)XR7 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XS | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.3XU | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.3(14)YX13 | | 12.3XW | Vulnerable; first fixed in 12.3YX | | | | | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XX | 12.3(8)XX2d | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XY | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XZ | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3YA | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.3YD | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.3(14)YX13 | | 12.3YF | Vulnerable; first fixed in 12.3YX | | | | | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YG | 12.3(8)YG6 | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YH | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YI | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YJ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YK | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.3(14) | | 12.3YM | 12.3(14)YM10 | YM13; | | | | Available on | | | | 30-SEP-08 | |------------+---------------------------------------+--------------| | 12.3YQ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YS | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YT | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.4(2)XB10 | | | | | | 12.3YU | Vulnerable; first fixed in 12.4XB | 12.4(9)XG3 | | | | | | | | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YX | 12.3(14)YX8 | 12.3(14)YX13 | |------------+---------------------------------------+--------------| | 12.3YZ | 12.3(11)YZ3 | | |------------+---------------------------------------+--------------| | 12.3ZA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | Affected | | Recommended | | 12.4-Based | First Fixed Release | Release | | Releases | | | |------------+---------------------------------------+--------------| | | 12.4(10c) | | | | | | | | 12.4(12) | | | | | | | | 12.4(3h) | | | 12.4 | | 12.4(18c) | | | 12.4(5c) | | | | | | | | 12.4(7e) | | | | | | | | 12.4(8d) | | |------------+---------------------------------------+--------------| | 12.4JA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4JK | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4JL | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4JMA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4JMB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4JMC | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4JX | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4MD | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4MR | 12.4(11)MR | 12.4(19)MR | |------------+---------------------------------------+--------------| | 12.4SW | Not Vulnerable | | |------------+---------------------------------------+--------------| | | 12.4(11)T | | | | | | | | 12.4(2)T6 | | | | | | | 12.4T | 12.4(4)T8 | 12.4(15)T7 | | | | | | | 12.4(6)T7 | | | | | | | | 12.4(9)T3 | | |------------+---------------------------------------+--------------| | 12.4XA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.4XB | 12.4(2)XB6 | 12.4(2)XB10 | |------------+---------------------------------------+--------------| | 12.4XC | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.4(4)XD11; | | 12.4XD | 12.4(4)XD8 | Available on | | | | 26-SEP-08 | |------------+---------------------------------------+--------------| | 12.4XE | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.4XF | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XG | 12.4(9)XG2 | 12.4(9)XG3 | |------------+---------------------------------------+--------------| | 12.4XJ | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XK | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XL | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XM | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XN | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XP | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.4XQ | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XR | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XT | 12.4(6)XT2 | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.4XV | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XW | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XY | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XZ | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4YA | Not Vulnerable | | +-------------------------------------------------------------------+ Workarounds =========== Specifying trusted PIM neighbors is a workaround for both vulnerabilities. A PIM router must receive PIM Hellos to establish PIM neighborship. PIM neighborship is also the basis for designated router (DR) election, DR failover, and accepting/sending PIM Join/ Prune/Assert messages. To specify trusted PIM neighbors, use the ip pim neighbor-filter command, as shown in the following example: Router(config)#access-list 1 permit host 10.10.10.123 !-- An access control list is created to allow a trusted PIM neighbor !-- in this example the neighbor is 10.10.10.123 ! Router(config)#interface fastEthernet 0/0 Router(config-if)#ip pim neighbor-filter 1 !-- The PIM neighbor filter is then applied to the respective interface(s) The ip pim neighbor-filter command filters PIM packets from untrusted devices including Hellos, Join/Prune, and BSR packets. Note: The vulnerabilities described in this document can be exploited by spoofed IP packets if the attacker knows the IP address of the trusted PIM neighbors listed in the ip pim neighbor-filter implementation. To protect infrastructure devices and minimize the risk, impact, and effectiveness of direct infrastructure attacks, administrators are advised to deploy ACLs to perform policy enforcement of traffic sent to core infrastructure equipment. PIM is IP protocol 103. As an additional workaround, administrators can explicitly permit only authorized PIM (IP protocol 103) traffic sent to infrastructure devices in accordance with existing security policies and configurations. An ACL can be deployed as shown in the following example: ip access-list extended Infrastructure-ACL-Policy ! !-- When applicable, include explicit permit statements for trusted !-- sources that require access on the vulnerable protocol !-- PIM routers need to communicate with the rendezvous point (RP). !-- In this example, 192.168.100.1 is the IP address of the !-- rendezvous point, which is a trusted host that requires access !-- to and from the affected PIM devices. ! permit pim host 192.168.100.1 192.168.60.0 0.0.0.255 permit pim 192.168.60.0 0.0.0.255 host 192.168.100.1 ! !-- Permit PIM segment traffic, packets have destination of: !-- 224.0.0.13 (PIMv2) !-- 224.0.0.2 (Required only by legacy PIMv1) ! permit pim 192.168.60.0 0.0.0.255 host 224.0.0.13 permit pim 192.168.60.0 0.0.0.255 host 224.0.0.2 ! !-- The following vulnerability-specific access control entries !-- (ACEs) can aid in identification of attacks ! deny pim any 192.168.60.0 0.0.0.255 ! !-- Explicit deny ACE for traffic sent to addresses configured within !-- the infrastructure address space ! deny ip any 192.168.60.0 0.0.0.255 ! !-- Permit/deny all other Layer 3 and Layer 4 traffic in accordance !-- with existing security policies and configurations ! !-- Apply iACL to interfaces in the ingress direction ! interface GigabitEthernet0/0 ip access-group Infrastructure-ACL-Policy in Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2008-September-24 | public | | | | release | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkjaLdEACgkQ86n/Gc8U/uBLYQCfbFNaZROaq5OZX5KzZAVwv0gr oBwAoJeb3PdxAWcVg3sBKladJgqbb1oy =f4p/ -----END PGP SIGNATURE----- . 1) An unspecified error exists in the processing of SSL packets during the termination of an SSL session, which can potentially be exploited to crash an affected system. Successful exploitation requires that the device is configured with Network Address Translation (NAT) SCCP Fragmentation Support. 4) A memory leak in the processing of Session Initiation Protocol (SIP) messages can be exploited to cause a DoS for all voice services. 5) Multiple unspecified errors exist in the processing of SIP messages, which can be exploited to cause a reload of an affected device. 6) An unspecified error in the IOS Intrusion Prevention System (IPS) feature when processing certain IPS signatures that use the SERVICE.DNS engine can be exploited to cause a DoS via specially crafted network traffic. 7) A security issue exists in the processing of extended communities with Multi Protocol Label Switching (MPLS) Virtual Private Networks (VPN), which can lead to traffic leaking from one MPLS VPN to another. NOTE: This security issue was introduced with CSCee83237. 8) An unspecified error within the Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a DoS via specially crafted network packets. Successful exploitation requires access to the MPLS network. Successful exploitation requires that the L2TP mgmt daemon process is running. This process may be enabled e.g. via Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up Networks (VPDN). 11) An unspecified error exists in the processing of IPC messages. This can be exploited to reload an affected device via a specially crafted UDP packet sent to port 1975. 12) A security issue is caused due to the device automatically enabling SNMP with a default community string, which can be exploited to gain control an affected system. SOLUTION: Update to the fixed version (please see the vendor's advisories for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-200809-0041 CVE-2008-3807 Cisco uBR10012 Runs on series devices Cisco IOS of SNMP Service community name vulnerability CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Cisco IOS 12.2 and 12.3 on Cisco uBR10012 series devices, when linecard redundancy is configured, enables a read/write SNMP service with "private" as the community, which allows remote attackers to obtain administrative access by guessing this community and sending SNMP requests. Cisco uBR10012 routers are high-performance network devices. The routers are prone to a weak default configuration issue. A remote attacker may exploit this issue to gain complete access to the vulnerable device. Cisco uBR10012 routers are vulnerable. This issue is being tracked by Cisco bug ID CSCek57932. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Cisco IOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA31990 VERIFY ADVISORY: http://secunia.com/advisories/31990/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/advisories/product/50/ Cisco IOS 12.x http://secunia.com/advisories/product/182/ DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or to compromise a vulnerable system. 1) An unspecified error exists in the processing of SSL packets during the termination of an SSL session, which can potentially be exploited to crash an affected system. 2) Two unspecified errors exist within the processing of Protocol Independent Multicast (PIM) packets, which can be exploited to cause an affected device to reload. 3) Unspecified errors within the processing of segmented Skinny Call Control Protocol (SCCP) messages can be exploited to cause a Cisco IOS device to reload. Successful exploitation requires that the device is configured with Network Address Translation (NAT) SCCP Fragmentation Support. 4) A memory leak in the processing of Session Initiation Protocol (SIP) messages can be exploited to cause a DoS for all voice services. 5) Multiple unspecified errors exist in the processing of SIP messages, which can be exploited to cause a reload of an affected device. 6) An unspecified error in the IOS Intrusion Prevention System (IPS) feature when processing certain IPS signatures that use the SERVICE.DNS engine can be exploited to cause a DoS via specially crafted network traffic. 7) A security issue exists in the processing of extended communities with Multi Protocol Label Switching (MPLS) Virtual Private Networks (VPN), which can lead to traffic leaking from one MPLS VPN to another. This security issue does not affect Cisco IOS releases based on 12.1. NOTE: This security issue was introduced with CSCee83237. Cisco IOS images that do not include CSCee83237 are reportedly not affected. 8) An unspecified error within the Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a DoS via specially crafted network packets. Successful exploitation requires access to the MPLS network. 9) An unspecified error within the Application Inspection Control (AIC) can be exploited to cause a reload of an affected device via specially crafted HTTP packets. 10) An unspecified error in the processing of Layer 2 Tunneling Protocol (L2TP) packets can be exploited to cause an affected device to reload via a specially crafted L2TP packets. Successful exploitation requires that the L2TP mgmt daemon process is running. This process may be enabled e.g. via Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up Networks (VPDN). 11) An unspecified error exists in the processing of IPC messages. This can be exploited to reload an affected device via a specially crafted UDP packet sent to port 1975. 12) A security issue is caused due to the device automatically enabling SNMP with a default community string, which can be exploited to gain control an affected system. Successful exploitation requires that a device is configured for linecard redundancy. This vulnerability affects Cisco uBR10012 series devices running IOS. SOLUTION: Update to the fixed version (please see the vendor's advisories for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-200809-0038 CVE-2008-3804 Cisco IOS of MPLS Forwarding Infrastructure (MFI) In Service operation interruption (DoS) Vulnerabilities CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) in Cisco IOS 12.2 and 12.4 allows remote attackers to cause a denial of service (memory corruption) via crafted packets for which the software path is used. A successful exploit may cause an affected device to reload, denying service to legitimate users. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Cisco IOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA31990 VERIFY ADVISORY: http://secunia.com/advisories/31990/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/advisories/product/50/ Cisco IOS 12.x http://secunia.com/advisories/product/182/ DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or to compromise a vulnerable system. 1) An unspecified error exists in the processing of SSL packets during the termination of an SSL session, which can potentially be exploited to crash an affected system. 2) Two unspecified errors exist within the processing of Protocol Independent Multicast (PIM) packets, which can be exploited to cause an affected device to reload. 3) Unspecified errors within the processing of segmented Skinny Call Control Protocol (SCCP) messages can be exploited to cause a Cisco IOS device to reload. Successful exploitation requires that the device is configured with Network Address Translation (NAT) SCCP Fragmentation Support. 4) A memory leak in the processing of Session Initiation Protocol (SIP) messages can be exploited to cause a DoS for all voice services. 6) An unspecified error in the IOS Intrusion Prevention System (IPS) feature when processing certain IPS signatures that use the SERVICE.DNS engine can be exploited to cause a DoS via specially crafted network traffic. 7) A security issue exists in the processing of extended communities with Multi Protocol Label Switching (MPLS) Virtual Private Networks (VPN), which can lead to traffic leaking from one MPLS VPN to another. NOTE: This security issue was introduced with CSCee83237. 9) An unspecified error within the Application Inspection Control (AIC) can be exploited to cause a reload of an affected device via specially crafted HTTP packets. 10) An unspecified error in the processing of Layer 2 Tunneling Protocol (L2TP) packets can be exploited to cause an affected device to reload via a specially crafted L2TP packets. Successful exploitation requires that the L2TP mgmt daemon process is running. This process may be enabled e.g. via Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up Networks (VPDN). 11) An unspecified error exists in the processing of IPC messages. This can be exploited to reload an affected device via a specially crafted UDP packet sent to port 1975. 12) A security issue is caused due to the device automatically enabling SNMP with a default community string, which can be exploited to gain control an affected system. Successful exploitation requires that a device is configured for linecard redundancy. SOLUTION: Update to the fixed version (please see the vendor's advisories for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Only the MFI is affected by this vulnerability. Older Label Forwarding Information Base (LFIB) implementation, which is replaced by MFI, is not affected. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml NOTE: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory. Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008: http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml Individual publication links are listed below: * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml Affected Products ================= Devices that run Cisco IOS software (including those that support Cisco IOS Software Modularity) and support MFI are affected if they are configured for MPLS. Vulnerable Products +------------------ A device that runs Cisco IOS software and supports MFI will have mfi_ios in the output of the show subsys command. The following example shows output from a device that supports MFI: Router#show subsys name mfi_ios Class Version mfi_ios Protocol 1.000.001 Router# The following example shows output from a device that is configured for MPLS: Router#show mpls interface Interface IP Tunnel BGP Static Operational Ethernet0/0 Yes (ldp) No No No Yes Router# To determine the software running on a Cisco product, log in to the device and issue the "show version" command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS". On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the "show version" command or will give different output. The following example identifies a Cisco product that is running Cisco IOS release 12.4(11)T2: Router#show version Cisco IOS Software,7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Tue 01-May-07 04:19 by prod_rel_team <output truncated> Additional information on the Cisco IOS release naming conventions can be found on the document entitled "White Paper: Cisco IOS Reference Guide", which is available at http://www.cisco.com/warp/public/620/1.html Products Confirmed Not Vulnerable +-------------------------------- Devices running Cisco IOS software versions that do not include MFI are not vulnerable. Devices that are not configured for MPLS are not vulnerable. Devices that are running Cisco IOS XR software are not vulnerable. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= In newer versions of Cisco IOS software, a new packet forwarding infrastructure was introduced to improve scalability and performance. This forwarding infrastructure, called MFI, is transparent to the user. MFI manages MPLS data structures used for forwarding and replaces the older implementation, Label Forwarding Information Base (LFIB). Such packets can be sent from the local segment to the interfaces that are configured for MPLS or via tunnel interfaces that are configured for MPLS. To target a remote system in an MPLS network, an attacker needs to have access to the MPLS network through an MPLS-enabled interface. MPLS packets are dropped on interfaces that are not configured for MPLS. Devices that support MFI will have mfi_ios in the output of the show subsys command. Interfaces that are enabled for MPLS can be seen by the show mpls interface command. More information on MFI can be found at the following link: http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_lsc_removed.html This vulnerability is documented in the Cisco Bug ID CSCsk93241 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-3804. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsk93241 - Chunk memory corruption on LFDp Input Proc CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of this vulnerability may result in the reload of the device, leading to a DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +-------------------------------------------------------------------+ | Major | Availability of Repaired Releases | | Release | | |------------+------------------------------------------------------| | Affected | | Recommended | | 12.0-Based | First Fixed Release | Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.0 based releases | |-------------------------------------------------------------------| | Affected | | Recommended | | 12.1-Based | First Fixed Release | Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.1 based releases | |-------------------------------------------------------------------| | Affected | | Recommended | | 12.2-Based | First Fixed Release | Release | | Releases | | | |------------+--------------------------------------+---------------| | 12.2 | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2B | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2BC | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2BW | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2BX | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2BY | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2BZ | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2CX | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2CY | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2CZ | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2DA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2DD | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2DX | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2EW | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2EWA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2EX | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2EY | 12.2(44)EY; Available on 16-DEC-08 | | |------------+--------------------------------------+---------------| | 12.2EZ | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2FX | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2FY | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2FZ | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2IRB | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2IXA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2IXB | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2IXC | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2IXD | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2IXE | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2IXF | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2IXG | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2JA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2JK | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2MB | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2MC | Not Vulnerable | | |------------+--------------------------------------+---------------| | | Releases prior to 12.2(22)S are not | | | | vulnerable. | | | | | 12.2(33)SB2; | | 12.2S | Release 12.2(22)S and later and | Available on | | | prior to 12.2(30)S are vulnerable, | 26-SEP-08 | | | | | | | release 12.2(30)S and later are not | | | | vulnerable | | |------------+--------------------------------------+---------------| | | 12.2(31)SB12 | 12.2(33)SB2; | | 12.2SB | | Available on | | | 12.2(33)SB | 26-SEP-08 | |------------+--------------------------------------+---------------| | | | 12.2(33)SB2; | | 12.2SBC | Vulnerable; first fixed in 12.2SB | Available on | | | | 26-SEP-08 | |------------+--------------------------------------+---------------| | 12.2SCA | 12.2(33)SCA1 | 12.2(33)SCA1 | |------------+--------------------------------------+---------------| | | 12.2(44)SE3; Available on 30-SEP-08 | | | 12.2SE | | 12.2(46)SE | | | 12.2(46)SE | | |------------+--------------------------------------+---------------| | 12.2SEA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2SEB | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2SEC | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2SED | Vulnerable; first fixed in 12.2SE | 12.2(46)SE | |------------+--------------------------------------+---------------| | 12.2SEE | Vulnerable; first fixed in 12.2SE | 12.2(46)SE | |------------+--------------------------------------+---------------| | 12.2SEF | Not Vulnerable | | |------------+--------------------------------------+---------------| | | Note: Releases prior to 12.2(25)SEG4 | | | 12.2SEG | are vulnerable, release 12.2(25)SEG4 | 12.2(25)SEG6 | | | and later are not vulnerable; | | |------------+--------------------------------------+---------------| | 12.2SG | 12.2(50)SG; Available on 24-NOV-08 | 12.2(46)SG1 | |------------+--------------------------------------+---------------| | 12.2SGA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2SL | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2SM | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2SO | Not Vulnerable | | |------------+--------------------------------------+---------------| | | | 12.2(33)SRB4 | | 12.2SRA | Vulnerable; first fixed in 12.2SRB | | | | | 12.2(33)SRC2 | |------------+--------------------------------------+---------------| | 12.2SRB | 12.2(33)SRB4 | 12.2(33)SRB4 | |------------+--------------------------------------+---------------| | 12.2SRC | 12.2(33)SRC1 | 12.2(33)SRC2 | |------------+--------------------------------------+---------------| | 12.2SU | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2SV | Vulnerable; contact TAC | | |------------+--------------------------------------+---------------| | 12.2SVA | Vulnerable; contact TAC | | |------------+--------------------------------------+---------------| | 12.2SVC | Vulnerable; contact TAC | | |------------+--------------------------------------+---------------| | 12.2SVD | Vulnerable; contact TAC | | |------------+--------------------------------------+---------------| | | Note: Releases prior to 12.2(25)SW4 | | | 12.2SW | are vulnerable, release 12.2(25)SW4 | 12.2(25)SW12 | | | and later are not vulnerable; | | |------------+--------------------------------------+---------------| | 12.2SX | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2SXA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2SXB | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2SXD | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2SXE | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2SXF | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2SXH | 12.2(33)SXH3 | 12.2(33)SXH3 | |------------+--------------------------------------+---------------| | 12.2SY | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2SZ | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2T | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2TPC | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XB | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XC | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XD | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XE | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XF | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XG | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XH | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XI | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XJ | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XK | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XL | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XM | Not Vulnerable | | |------------+--------------------------------------+---------------| | | | 12.2(33)SB2; | | | | Available on | | | | 26-SEP-08 | | 12.2XN | Vulnerable; first fixed in 12.2SB | | | | | 12.2(33)SRC2 | | | | | | | | 12.2(33)XNA2 | |------------+--------------------------------------+---------------| | 12.2XNA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XNB | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XO | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XQ | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XR | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XS | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XT | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XU | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XV | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2XW | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YB | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YC | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YD | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YE | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YF | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YG | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YH | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YJ | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YK | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YL | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YM | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YN | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YO | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YP | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YQ | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YR | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YS | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YT | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YU | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YV | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YW | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YX | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YY | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2YZ | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2ZA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2ZB | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2ZC | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2ZD | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2ZE | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2ZF | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2ZG | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2ZH | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2ZJ | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2ZL | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2ZP | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2ZU | Not Vulnerable | | |------------+--------------------------------------+---------------| | | | 12.2(33)SB2; | | 12.2ZX | Vulnerable; first fixed in 12.2SB | Available on | | | | 26-SEP-08 | |------------+--------------------------------------+---------------| | 12.2ZY | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.2ZYA | Not Vulnerable | | |------------+--------------------------------------+---------------| | Affected | | Recommended | | 12.3-Based | First Fixed Release | Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.3 based releases | |-------------------------------------------------------------------| | Affected | | Recommended | | 12.4-Based | First Fixed Release | Release | | Releases | | | |------------+--------------------------------------+---------------| | 12.4 | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4JA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4JK | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4JL | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4JMA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4JMB | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4JMC | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4JX | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4MD | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4MR | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4SW | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4T | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XA | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XB | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XC | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XD | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XE | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XF | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XG | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XJ | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XK | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XL | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XM | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XN | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XP | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XQ | 12.4(15)XQ1 | 12.4(15)XQ1 | |------------+--------------------------------------+---------------| | 12.4XR | Vulnerable; migrate to any release | 12.4(15)T7 | | | in 12.4T | | |------------+--------------------------------------+---------------| | 12.4XT | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XV | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XW | Not Vulnerable | | |------------+--------------------------------------+---------------| | 12.4XY | 12.4(15)XY4 | 12.4(15)XY4 | |------------+--------------------------------------+---------------| | 12.4XZ | 12.4(15)XZ1 | 12.4(15)XZ2 | |------------+--------------------------------------+---------------| | 12.4YA | Not Vulnerable | | +-------------------------------------------------------------------+ Workarounds =========== MPLS is normally enabled on physical and logical interfaces that are shared with other MPLS-enabled devices. It can be disabled on interfaces where MPLS is not necessary and from which a potential attack can be launched. This action may help to limit the exposure of this vulnerability. If it is not possible to disable MPLS on interfaces from which an attack can be launched, there are no workarounds to mitigate this vulnerability. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was found internally. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-Sep-24 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkjaLcwACgkQ86n/Gc8U/uCKtQCeOUTNVK58br0wqCUQAa506CGJ aWIAn3WBReM3lzWMM/+iT7SVaH6npY3E =7zu4 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
VAR-200809-0021 CVE-2008-3799 Cisco IOS of Session Initiation Protocol (SIP) In implementation SIP Memory leak vulnerability in message handling

Related entries in the VARIoT exploits database: VAR-E-200809-0948		 CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Memory leak in the Session Initiation Protocol (SIP) implementation in Cisco IOS 12.2 through 12.4, when VoIP is configured, allows remote attackers to cause a denial of service (memory consumption and voice-service outage) via unspecified valid SIP messages. Devices running Cisco IOS with SIP enabled are prone to multiple denial-of-service vulnerabilities. These issues are tracked by the following Cisco bug IDs and CVEs: CSCse56800 (CVE-2008-3799) CSCsg91306 (CVE-2008-3800) CSCsl62609 (CVE-2008-3801) CSCsk42759 (CVE-2008-3802) An attacker can exploit these issues to deny service to legitimate users. 1) An unspecified error exists in the processing of SSL packets during the termination of an SSL session, which can potentially be exploited to crash an affected system. 2) Two unspecified errors exist within the processing of Protocol Independent Multicast (PIM) packets, which can be exploited to cause an affected device to reload. Successful exploitation requires that the device is configured with Network Address Translation (NAT) SCCP Fragmentation Support. 5) Multiple unspecified errors exist in the processing of SIP messages, which can be exploited to cause a reload of an affected device. 6) An unspecified error in the IOS Intrusion Prevention System (IPS) feature when processing certain IPS signatures that use the SERVICE.DNS engine can be exploited to cause a DoS via specially crafted network traffic. 7) A security issue exists in the processing of extended communities with Multi Protocol Label Switching (MPLS) Virtual Private Networks (VPN), which can lead to traffic leaking from one MPLS VPN to another. NOTE: This security issue was introduced with CSCee83237. 8) An unspecified error within the Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a DoS via specially crafted network packets. Successful exploitation requires access to the MPLS network. 9) An unspecified error within the Application Inspection Control (AIC) can be exploited to cause a reload of an affected device via specially crafted HTTP packets. 10) An unspecified error in the processing of Layer 2 Tunneling Protocol (L2TP) packets can be exploited to cause an affected device to reload via a specially crafted L2TP packets. Successful exploitation requires that the L2TP mgmt daemon process is running. This process may be enabled e.g. via Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up Networks (VPDN). 11) An unspecified error exists in the processing of IPC messages. This can be exploited to reload an affected device via a specially crafted UDP packet sent to port 1975. 12) A security issue is caused due to the device automatically enabling SNMP with a default community string, which can be exploited to gain control an affected system. Successful exploitation requires that a device is configured for linecard redundancy. SOLUTION: Update to the fixed version (please see the vendor's advisories for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Cisco has released free software updates that address these vulnerabilities. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities addressed in this advisory. There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself, if administrators do not require the Cisco IOS device to provide voice over IP services. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml Note: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory. Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008: http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml Individual publication links are listed below: * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml Affected Products ================= These vulnerabilities only affect devices running Cisco IOS that have SIP voice services enabled. The only requirement for these vulnerabilities is that the Cisco IOS device processes SIP messages as part of configured voice over IP (VoIP) functionality (this does not apply to processing of SIP messages as part of the NAT and firewall feature sets.) Recent versions of Cisco IOS do not process SIP messages by default, but creating a "dial peer" via the command dial-peer voice will start the SIP processes and cause Cisco IOS to start processing SIP messages. An example of an affected configuration is as follows: dial-peer voice <Voice dial-peer tag> voip ... Please refer to http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml for additional information on Cisco bug ID CSCsb25337. In the following example, the presence of the processes CCSIP_UDP_SOCKET and CCSIP_TCP_SOCKET indicates that the Cisco IOS device is processing SIP messages: Router#show processes | include SIP 147 Mwe 40F46DF4 12 2 600023468/24000 0 CCSIP_SPI_CONTRO 148 Mwe 40F21244 0 1 0 5524/6000 0 CCSIP_DNS 149 Mwe 40F48254 4 1 400023108/24000 0 CCSIP_UDP_SOCKET 150 Mwe 40F48034 4 1 400023388/24000 0 CCSIP_TCP_SOCKET Different versions of Cisco IOS have different ways of verifying whether the Cisco IOS device is listening for SIP messages. The show ip sockets, show udp, show tcp brief all, and show control-plane host open-ports commands can be used to determine this, although not all of these commands work on all IOS releases. Since it is not practical in this document to provide a list of commands corresponding to the various releases, users should try the aforementioned commands to determine which ones work for their device. The following is one example of one command that shows a router listening on port 5060 (the SIP port): router#show control-plane host open-ports Active internet connections (servers and established) Prot Local Address Foreign Address Service State <output removed for brevity> tcp *:5060 *:0 SIP LISTEN <outoput removed for brevity> udp *:5060 *:0 SIP LISTEN In order to determine the software that runs on a Cisco IOS product, log in to the device and issue the show version command to display the system banner. Cisco IOS software identifies itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name displays between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco devices do not have the show version command or give different output. The following example shows output from a device that runs an IOS image: router>show version Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(6)T2, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2006 by Cisco Systems, Inc. Compiled Tue 16-May-06 16:09 by kellythw <more output removed for brevity> Additional information on the Cisco IOS release naming conventions can be found on the document entitled "White Paper: Cisco IOS Reference Guide", which is available at http://www.cisco.com/warp/public/620/1.html Cisco Unified Communications Manager is also affected by some of these vulnerabilities, although they are tracked by different Cisco bug IDs. A companion security advisory for Cisco Unified Communications Manager is available at http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml Products Confirmed Not Vulnerable +-------------------------------- The SIP Application Layer Gateway (ALG), which is used by the IOS Network Address Translation (NAT) and firewall features of Cisco IOS, is not affected by these vulnerabilities. With the exception of the Cisco Unified Communications Manager, no other Cisco products are currently known to be vulnerable to the issues described in this advisory. Details ======= SIP is a popular signaling protocol used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol is flexible to accommodate for other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or TLS (TCP port 5061) as the underlying transport protocol. In all cases vulnerabilities can be triggered by processing valid SIP messages. Memory Leak Vulnerability +------------------------ CSCse56800 causes a memory leak in affected devices. This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-3799. Device Reload Vulnerabilities +---------------------------- The following vulnerabilities can lead to a reload of the Cisco IOS device while processing some specific and valid SIP messages: * CSCsg91306, assigned CVE ID CVE-2008-3800 * CSCsl62609, assigned CVE ID CVE-2008-3801 * CSCsk42759, assigned CVE ID CVE-2008-3802 Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCse56800 - SIP-3-BADPAIR register timer expiry causes slow memory leak CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsg91306 - processor pool memory corruption in CCSIP_SPI_CONTROL CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsk42759 - Voice Gateway reloads on receiving a valid SIP packet CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsl62609 - Router crash due to presence of valid SIP header CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities described in this document may result in a reload of the device. The issue could be repeatedly exploited to result in an extended Denial Of Service (DoS) condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +-------------------------------------------------------------------+ | Major | Availability of Repaired Releases | | Release | | |------------+------------------------------------------------------| | Affected | | Recommended | | 12.0-Based | First Fixed Release | Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.0 based releases | |-------------------------------------------------------------------| | Affected | | Recommended | | 12.1-Based | First Fixed Release | Release | | Releases | | | |-------------------------------------------------------------------| | There are no affected 12.1 based releases | |-------------------------------------------------------------------| | Affected | | Recommended | | 12.2-Based | First Fixed Release | Release | | Releases | | | |------------+---------------------------------------+--------------| | 12.2 | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2B | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2BC | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2BW | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.2(33)SB2; | | | | Available on | | | | 26-SEP-08 | | 12.2BX | Vulnerable; first fixed in 12.4 | | | | | 12.4(15)T7 | | | | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2BY | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2BZ | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2CX | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2CY | Not Vulnerable | | |------------+---------------------------------------+--------------| | | Vulnerable; migrate to any release in | 12.2(33)SB2; | | 12.2CZ | 12.2S | Available on | | | | 26-SEP-08 | |------------+---------------------------------------+--------------| | 12.2DA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2DD | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2DX | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2EW | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2EWA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2EX | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2EY | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2EZ | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2FX | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2FY | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2FZ | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2IRB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2IXA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2IXB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2IXC | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2IXD | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2IXE | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2IXF | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2IXG | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2JA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2JK | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2MB | Not Vulnerable | | |------------+---------------------------------------+--------------| | | Releases prior to 12.2(15)MC2c are | 12.4(15)T7 | | 12.2MC | vulnerable, release 12.2(15)MC2c and | | | | later are not vulnerable; first fixed | 12.4(18c) | | | in 12.4 | | |------------+---------------------------------------+--------------| | 12.2S | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SBC | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SCA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SE | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SEA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SEB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SEC | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SED | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SEE | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SEF | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SEG | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SG | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SGA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SL | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SM | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SO | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SRA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SRB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SRC | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SU | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SV | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SVA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SVC | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SVD | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SW | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SX | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SXA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SXB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SXD | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SXE | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SXF | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SXH | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SY | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2SZ | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2T | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2TPC | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2XA | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XB | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2XC | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XD | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XE | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XF | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XG | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XH | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XI | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XJ | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XK | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XL | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XM | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2XN | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XNA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XNB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XO | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XQ | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XR | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2XS | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XT | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XU | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2XV | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2XW | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2YA | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2YB | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YC | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YD | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YE | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2YF | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YG | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2YH | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YJ | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YK | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2YL | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2YM | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2YN | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YO | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2YP | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2YQ | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2YR | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2YS | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2YT | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YU | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | Releases prior to 12.2(11)YV1 are | | | 12.2YV | vulnerable, release 12.2(11)YV1 and | | | | later are not vulnerable; | | |------------+---------------------------------------+--------------| | 12.2YW | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YX | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2YY | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2YZ | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2ZA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2ZB | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2ZC | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2ZD | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2ZE | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2ZF | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2ZG | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.2ZH | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.2ZJ | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2ZL | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2ZP | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.2ZU | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2ZX | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2ZY | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.2ZYA | Not Vulnerable | | |------------+---------------------------------------+--------------| | Affected | | Recommended | | 12.3-Based | First Fixed Release | Release | | Releases | | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3 | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3B | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.3BC | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3BW | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3EU | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JEA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JEB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JEC | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JK | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JL | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3JX | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3T | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.3TPC | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.3VA | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | Releases prior to 12.3(2)XA7 are | 12.4(15)T7 | | 12.3XA | vulnerable, release 12.3(2)XA7 and | | | | later are not vulnerable; first fixed | 12.4(18c) | | | in 12.4 | | |------------+---------------------------------------+--------------| | 12.3XB | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XC | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XD | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XE | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.3XF | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XG | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | Vulnerable; migrate to any release in | 12.2(33)SB2; | | 12.3XI | 12.2SB | Available on | | | | 26-SEP-08 | |------------+---------------------------------------+--------------| | | | 12.3(14)YX13 | | 12.3XJ | Vulnerable; first fixed in 12.3YX | | | | | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XK | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XL | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XQ | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XR | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.3XS | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3XU | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.3(14)YX13 | | 12.3XW | Vulnerable; first fixed in 12.3YX | | | | | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XX | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XY | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | | | 12.4(15)T7 | | 12.3XZ | Vulnerable; first fixed in 12.4 | | | | | 12.4(18c) | |------------+---------------------------------------+--------------| | 12.3YA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3YD | Not Vulnerable | | |------------+---------------------------------------+--------------| | | | 12.3(14)YX13 | | 12.3YF | Vulnerable; first fixed in 12.3YX | | | | | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YG | 12.3(8)YG7; Available on 01-OCT-08 | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YH | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3YI | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.3YJ | Not Vulnerable | | |------------+---------------------------------------+--------------| | | Releases prior to 12.3(11)YK3 are | | | 12.3YK | vulnerable, release 12.3(11)YK3 and | 12.4(15)T7 | | | later are not vulnerable; first fixed | | | | in 12.4T | | |------------+---------------------------------------+--------------| | | | 12.3(14) | | 12.3YM | 12.3(14)YM13; Available on 30-SEP-08 | YM13; | | | | Available on | | | | 30-SEP-08 | |------------+---------------------------------------+--------------| | 12.3YQ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YS | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YT | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.4(2)XB10 | | | | | | 12.3YU | Vulnerable; first fixed in 12.4XB | 12.4(9)XG3 | | | | | | | | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.3YX | 12.3(14)YX12 | 12.3(14)YX13 | |------------+---------------------------------------+--------------| | 12.3YZ | 12.3(11)YZ3 | | |------------+---------------------------------------+--------------| | 12.3ZA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | Affected | | Recommended | | 12.4-Based | First Fixed Release | Release | | Releases | | | |------------+---------------------------------------+--------------| | | 12.4(13f) | | | | | | | 12.4 | 12.4(17b) | 12.4(18c) | | | | | | | 12.4(18) | | |------------+---------------------------------------+--------------| | 12.4JA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4JK | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4JL | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4JMA | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4JMB | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4JMC | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4JX | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4MD | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4MR | 12.4(19)MR | 12.4(19)MR | |------------+---------------------------------------+--------------| | 12.4SW | Not Vulnerable | | |------------+---------------------------------------+--------------| | | 12.4(15)T4 | | | | | | | 12.4T | 12.4(20)T | 12.4(15)T7 | | | | | | | 12.4(6)T11 | | |------------+---------------------------------------+--------------| | 12.4XA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.4XB | 12.4(2)XB10 | 12.4(2)XB10 | |------------+---------------------------------------+--------------| | 12.4XC | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | | | 12.4(4)XD11; | | 12.4XD | 12.4(4)XD11; Available on 26-SEP-08 | Available on | | | | 26-SEP-08 | |------------+---------------------------------------+--------------| | 12.4XE | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.4XF | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XG | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XJ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.4XK | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XL | 12.4(15)XL2 | 12.4(15)XL2 | |------------+---------------------------------------+--------------| | 12.4XM | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XN | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XP | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.4XQ | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XR | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4XT | Vulnerable; first fixed in 12.4T | 12.4(15)T7 | |------------+---------------------------------------+--------------| | 12.4XV | Vulnerable; contact TAC | | |------------+---------------------------------------+--------------| | 12.4XW | 12.4(11)XW7 | 12.4(11)XW9 | |------------+---------------------------------------+--------------| | 12.4XY | 12.4(15)XY3 | 12.4(15)XY4 | |------------+---------------------------------------+--------------| | 12.4XZ | Not Vulnerable | | |------------+---------------------------------------+--------------| | 12.4YA | Not Vulnerable | | +-------------------------------------------------------------------+ Workarounds =========== If the affected Cisco IOS device needs to provide voice over IP services and therefore SIP cannot be disabled then none of the listed vulnerabilities have workarounds. Users are advised to apply mitigation techniques to limit exposure to the listed vulnerabilities. Mitigation consists of only allowing legitimate devices to connect to the routers. To increase effectiveness, the mitigation must be coupled with anti-spoofing measures on the network edge. This action is required because SIP can use UDP as the transport protocol. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20080924-sip.shtml Disable SIP Listening Ports +-------------------------- For devices that do not require SIP to be enabled, the simplest and most effective workaround is to disable SIP processing on the device. Some versions of Cisco IOS allow administrators to accomplish this with the following commands: sip-ua no transport udp no transport tcp Warning: When applying this workaround to devices processing MGCP or H.323 calls, the device will not allow you to stop SIP processing while active calls are being processed. Under these circumstances, this workaround should be implemented during a maintenance window when active calls can be briefly stopped. It is recommended that after applying this workaround, the show commands discussed in the Vulnerable Products section be used to confirm that the Cisco IOS device is no longer processing SIP messages. Control Plane Policing +--------------------- For devices that need to offer SIP services it is possible to use Control Plane Policing (CoPP) to block SIP traffic to the device from untrusted sources. Cisco IOS software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may be configured on a device to protect the management and control planes to minimize the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic sent to infrastructure devices in accordance with existing security policies and configurations. The following example can be adapted to your network: !-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted. !-- Everything else is not trusted. The following access list is used !-- to determine what traffic needs to be dropped by a control plane !-- policy (the CoPP feature.) If the access list matches (permit) !-- then traffic will be dropped and if the access list does not !-- match (deny) then traffic will be processed by the router. access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060 access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060 access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061 access-list 100 deny udp host 172.16.1.1 any eq 5060 access-list 100 deny tcp host 172.16.1.1 any eq 5060 access-list 100 deny tcp host 172.16.1.1 any eq 5061 access-list 100 permit udp any any eq 5060 access-list 100 permit tcp any any eq 5060 access-list 100 permit tcp any any eq 5061 !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4 !-- traffic in accordance with existing security policies and !-- configurations for traffic that is authorized to be sent !-- to infrastructure devices. !-- Create a Class-Map for traffic to be policed by !-- the CoPP feature. class-map match-all drop-sip-class match access-group 100 !-- Create a Policy-Map that will be applied to the !-- Control-Plane of the device. policy-map drop-sip-traffic class drop-sip-class drop !-- Apply the Policy-Map to the Control-Plane of the !-- device. control-plane service-policy input drop-sip-traffic Warning: Because SIP can utilize UDP as a transport protocol, it is possible to easily spoof the sender's IP address, which may defeat ACLs that permit communication to these ports from trusted IP addresses. In the above CoPP example, the access control list entries (ACEs) that match the potential exploit packets with the "permit" action result in these packets being discarded by the policy-map "drop" function, while packets that match the "deny" action (not shown) are not affected by the policy-map drop function. Additional information on the configuration and use of the CoPP feature can be found at http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml and http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were discovered by Cisco internal testing and during handling of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2008-September-24 | public | | | | release | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkjaLd0ACgkQ86n/Gc8U/uDWJwCdHEe8XwtX0kKmTHf2T6/Nm02U 3N8AnjG1IaW/GWg78gj6k0NGXre3Mggr =4nzw -----END PGP SIGNATURE-----
VAR-200901-0123 CVE-2008-5994 Check Point Connectra NGX of index.php Vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in index.php in Check Point Connectra NGX R62 HFA_01 allows remote attackers to inject arbitrary web script or HTML via the dir parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Connectra NGX is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Connectra NGX R62 HFA_01, Hotfix 601, Builds 006 and 014 are vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Checkpoint Connectra NGX "dir" Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA31553 VERIFY ADVISORY: http://secunia.com/advisories/31553/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote OPERATING SYSTEM: Check Point Connectra Appliances http://secunia.com/advisories/product/13352/ DESCRIPTION: Sarid Harper has reported a vulnerability in Checkpoint Connectra NGX, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "dir" parameter in index.php is not properly sanitised before being returned to the user. SOLUTION: Filter malicious characters and character sequences in a proxy. PROVIDED AND/OR DISCOVERED BY: Sarid Harper ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-200809-0483 No CVE Multiple SAGEM F@st Routers DHCP Hostname HTML Injection Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
Multiple SAGEM F@st routers are prone to an HTML-injection vulnerability because they fail to sufficiently sanitize user-supplied input data. Attacker-supplied HTML and script code would run in the context of the web interface of the affected device, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible. The issue affects SAGEM F@st routers 1200, 1240, 1400, 1400W, 1500, 1500-WG, and 2404.
VAR-200903-0100 CVE-2008-6465 Parallels H-Sphere of webshell4 Vulnerable to cross-site scripting

Related entries in the VARIoT exploits database: VAR-E-200809-0699		 CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in login.php in webshell4 in Parallels H-Sphere 3.0.0 P9 and 3.1 P1 allow remote attackers to inject arbitrary web script or HTML via the (1) err, (2) errorcode, and (3) login parameters. (1) err Parameters (2) errorcode Parameters (3) login Parameters. H-Sphere is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. H-Sphere 3.0.0 Patch 9 and 3.1 Patch 1 are vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: H-Sphere webshell4 "login.php" Cross-Site Scripting SECUNIA ADVISORY ID: SA31830 VERIFY ADVISORY: http://secunia.com/advisories/31830/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote SOFTWARE: H-Sphere 3.x http://secunia.com/advisories/product/19894/ DESCRIPTION: t0fx has reported two vulnerabilities in H-Sphere, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "err" and "login" parameters in webshell4's login.php script is not properly sanitised before being returned to the user. The vulnerabilities are reported in versions 3.0.0 P9 and 3.1 P1. SOLUTION: Filter malicious characters and character sequences in a web proxy. PROVIDED AND/OR DISCOVERED BY: t0fx. Additional information from Peter M. Abraham. ORIGINAL ADVISORY: http://www.xssing.com/index.php?x=3&y=65 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------