|
|
Document ID: 44020
Revision 1.4
Last Updated 2003 July 18 at 10:00 UTC (GMT)
For Public Release 2003 July 17 at 6:10 UTC (GMT)
--------------------------------------------------------------------------------
Summary
Cisco routers and switches running Cisco IOS® software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets with specific protocol fields sent directly to the device may cause the input interface to stop processing traffic once the input queue is full. No authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not affected. A workaround is available.
Cisco has made software available, free of charge, to correct the problem.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.
Affected Products
This issue affects all Cisco devices running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets. Cisco devices which do not run Cisco IOS software are not affected. Devices which run only Internet Protocol version 6 (IPv6) are not affected.
Details
Cisco routers are configured to process and accept Internet Protocol version 4 (IPv4) packets by default. A rare, specially crafted sequence of IPv4 packets with protocol type 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND), or 103 (Protocol Independent Multicast - PIM) which is handled by the processor on a Cisco IOS device may force the device to incorrectly flag the input queue on an interface as full, which will cause the router to stop processing inbound traffic on that interface. This can cause routing protocols to drop due to dead timers.
Interfaces which are explicitly configured to run PIM will not be affected by traffic with protocol type 103. An interface with PIM enabled will have one of the following three commands in the interface configuration: ip pim dense-mode, ip pim sparse-mode, or ip pim sparse-dense-mode.
On Ethernet interfaces, Address Resolution Protocol (ARP) times out after a default time of four hours, and no traffic can be processed. The device must be rebooted to clear the input queue on the interface, and will not reload without user intervention. The attack may be repeated on all interfaces causing the router to be remotely inaccessible. A workaround is available, and is documented in the Workarounds section.
The following two Cisco vulnerabilities are documented in DDTS: CSCea02355 ( registered customers only) affects all Cisco routers running Cisco IOS software. This documents the flaw with protocols 53, 55, and 77. CSCdz71127 ( registered customers only) was introduced by an earlier code revision, and documents an input queue vulnerability to protocol 103 with a device which is not configured for PIM. Any version of software which has the fix for CSCdx02283 ( registered customers only) is vulnerable.
Registered customers can find more details using the Bug Toolkit at http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl ( registered customers only) .
To identify a blocked input interface, use the show interfaces command and look for the Input Queue line. If the current size (in this case, 76) is larger than the maximum size (75), the input queue is blocked.
Use the show buffers command and look for the prot field. Below are two examples:
Router#show interface ethernet 0/0
Ethernet0/0 is up, line protocol is up
Hardware is AmdP2, address is 0050.500e.f1e0 (bia 0050.500e.f1e0)
Internet address is 172.16.1.9/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set, keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:41, output 00:00:07, output hang never
Last clearing of show interface counters 00:07:18
Input queue: 76/75/1091/0 (size/max/drops/flushes); Total output drops: 0
!--- The 76/75 shows that this is blocked
Router#show buffers input-interface serial 0/0
Buffer information for Small buffer at 0x612EAF3C
data_area 0x7896E84, refcount 1, next 0x0, flags 0x0
linktype 7 (IP), enctype 0 (None), encsize 46, rxtype 0
if_input 0x6159D340 (FastEthernet3/2), if_output 0x0 (None)
inputtime 0x0, outputtime 0x0, oqnumber 65535
datagramstart 0x7896ED8, datagramsize 728, maximum size 65436
mac_start 0x7896ED8, addr_start 0x7896ED8, info_start 0x0
network_start 0x7896ED8, transport_start 0x0
source: 212.176.72.138, destination: 212.111.64.174, id: 0xAAB8, ttl: 41, prot: 103
!--- prot: 103 is proof that this is one of the attack packets
Impact
A device receiving these specifically crafted IPv4 packets will force the inbound interface to stop processing traffic. The device may stop processing packets destined to the router, including routing protocol packets and ARP packets. No alarms will be triggered, nor will the router reload to correct itself. This issue can affect all Cisco devices running Cisco IOS software. This vulnerability may be exercised repeatedly resulting in loss of availability until a workaround has been applied or the device has been upgraded to a fixed version of code.
Software Versions and Fixes
Each row of the table describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix and the anticipated date of availability for each are listed in the Rebuild, Interim, and Maintenance columns. In some cases, no rebuild of a particular release is planned; this is marked with the label Not scheduled. A device running any release in the given train that is earlier than the release in a specific column (less than the earliest fixed release) is known to be vulnerable, and it should be upgraded at least to the indicated release or a later version (greater than the earliest fixed release label).
When selecting a release, keep in mind the following definitions:
Maintenance
Most heavily tested and highly recommended release of any label in a given row of the table.
Rebuild
Constructed from the previous maintenance or major release in the same train, it contains the fix for a specific vulnerability. Although it receives less testing, it contains only the minimal changes necessary to effect the repair. Cisco has made available several rebuilds of mainline trains to address this vulnerability, but strongly recommends running only the latest maintenance release on mainline trains.
Interim
Built at regular intervals between maintenance releases and receives less testing. Interims should be selected only if there is no other suitable release that addresses the vulnerability, and interim images should be upgraded to the next available maintenance release as soon as possible. Interim releases are not available through manufacturing, and usually they are not available for customer download from CCO without prior arrangement with the Cisco Technical Assistance Center (TAC).
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco TAC for assistance, as shown in the section following this table.
Train
Description of Image or Platform
Availability of Fixed Releases
11.x-based Releases
Rebuild
Interim
Maintenance
11.1CA
11.1(36)CA4**
11.2
11.2(26e)**
11.2P
11.2(26)P5**
11.3
Not scheduled
11.3T
Not scheduled
12.0-based Releases
Rebuild
Interim
Maintenance
12.0
General Deployment release for all platforms
12.0(26)
12.0DA
xDSL support: 6100, 6200
Migrate to 12.2DA; 12.2(10)DA2 - Aug-15-2003, 12.2(12)DA3 - Aug-22-2003: Engineering Specials available on request.
12.0DB
Early Deployment
6400 UAC for NSP
Migrate to 12.3(1a)
12.0DC
Early Deployment 6400 UAC for NRP
Migrate to 12.3(1a)
12.0S
Core/ISP support: GSR, RSP, c7200, c10k
12.0(24)S2
12.0(23)S3
12.0(22)S5
12.0(21)S7
12.0(19)S4
12.0(18)S7
12.0(17)S7
12.0(16)S10
12.0(15)S7 12.0(14)S8
12.0(13)S8
12.0(12)S4
12.0(10)S8
12.0(25)S
12.0SC
Cable/broadband ISP: uBR7200
Migrate to 12.1(19)EC
12.0SL
10000ESR: c10k
Migrate to 12.0(23)S3, **12.0(17)SL9 - Jul-15-2003
12.0SP
Early Deployment
Migrate to 12.0(22)S5
12.0ST
Early Deployment release for Core/ISP support: GSR, RSP, c7200
12.0(21)ST7, 12.0(20)ST6, 12.0(19)ST6, 12.0(17)ST8
12.0SX
Early Deployment
Migrate to 12.0(22)S5
12.0SY
Early Deployment
Migrate to 12.0(23)S3
12.0SZ
Early Deployment
Migrate to 12.0(23)S3
12.0T
Early Deployment
12.0(7)T3**
12.0W5
Cat8510c, cat8510m, cat8540c, cat8540m, ls1010
12.0(26)W5(28)
c5atm
12.0(26)W5(28a)
Cat4232 and Cat2948G-L3
12.0(25)W5(27)
C6MSM
Engineering Special available on request
C5rsfc, C5rsm,C3620, C3640, C4500, C7200, RSP
12.1(20)
12.0WC
Early deployment 2900XL-LRE,2900XL/3500XL; 2950 release
12.0(05)WC8
12.0WT
Early deployment Catalyst switches: cat4840g
Engineering Special Available upon request
12.0X(l)
Short-lived Early Deployment Releases
All 12.0X(any letter) releases have migrated to either 12.0T or 12.1 unless otherwise documented in the X release technical notes pertaining to the specific release. Please check migration paths for all 12.0X releases.
12.1-based Releases
Rebuild
Interim
Maintenance
12.1
General Deployment release for all platforms
12.1(18.4)
12.1(19)
12.1AA
Migrate to 12.2
12.1AX
Catalyst 3750
12.1(14)EA1 - Engineering special available upon request
12.1AY
Catalyst 2940
12.1(13)AY
12.1DA
6160 platform
Migrate to 12.2DA
12.1DB
6400 UAC
Migrate to 12.3(1a)
12.1DC
6400 UAC
Migrate to 12.3(1a)
12.1E
Core Enterprise support - c7200, Catalyst 6000, RSP
12.1(8b)E14
12.1(13)E7
12.1(14)E4
**12.1(12c)E7
12.1(11b)E12- Aug-4-2003
12.1(6)E12
12.1(19)E
12.1EA
12.1(4)EA
12.1(6)EA
12.1(8)EA
12.1(9)EA
12.1(11)EA
12.1(12c)EA
12.1(13)EA
Migrate to 12.1(13)EA1c
12.1EB
LS1010
12.1(14)EB
12.1EC
Early Deployment
12.1(19)EC (scheduled last week of July)
12.1EV
Early Deployment
12.1(12c)EV01
12.1EW
Early Deployment Cat4000 L3
12.1(13)EW,12.1(19)EW
12.1EX
Early Deployment
12.1(13)EX2
12.1EY
12.1(14)E4
12.1YJ
12.1(14)EA1 - Jul-28-2003
12.1T
Early Deployment
12.1(5)T15**
12.1X(l)
12.1X releases generally migrate to 12.1T, 12.2 or 12.2T as specified below. Please refer to specific train Technical notes for documented migration path.
12.1XA
Short-lived Early Deployment Release
Migrate to 12.1(5)T15
12.1XC 12.1XD 12.1XH 12.1XI
Short-lived Early Deployment Releases
Migrate to12.2(17)
12.1XB 12.1XF 12.1XG 12.1XJ 12.1XL 12.1XP 12.1XR 12.1XT 12.1YB 12.1YC 12.1YD 12.1YH
Short-lived Early Deployment Releases
Migrate to 12.2(15)T5
12.1XM 12.1XQ 12.1XV
Short-lived Early Deployment Releases
Migrate to 12.2(2)XB11
12.1XU
Short-lived Early Deployment Release
Migrate to 12.2(4)T6
12.1YE 12.1YF 12.1YI
Short-lived Early Deployment Releases
Migrate to 12.2(2)YC
12.2-based Releases
Rebuild
Interim
Maintenance
12.2
General Deployment (GD) candidate for all platforms
12.2(16a), 12.2(12e), 12.2(10d)
12.2(17)
12.2B
12.2(2)B-12.2(4)B7
12.3(1a)
12.2(4)B8-12.2(16)B
12.2(16)B1
12.2BC
Early Deployment Release
12.2(15)BC1 (Scheduled end of July)
12.2BW
Early Deployment for use with 7200, 7400, and 7411 platforms
Migrate to 12.3(1a)
12.2BX
Broadband/Leased line
12.2(16)BX
12.2BZ
Early Deployment Release
12.2(16)BX
12.2CX
Early Deployment Release
Migrate to 12.1(15)BC1
12.2CY
Early Deployment Release
Migrate to 12.1(15)BC1
12.2DA
Early Deployment Release
12.2(10)DA2 - Jul-15-2003, 12.2(12)DA3 - Aug-22-2003 Engineering Special available on request
12.2DD
Early Deployment Release
Migrate to 12.3(1a)
12.2DX
Early Deployment Release
Migrate to 12.3(1a)
12.2JA
Cisco Aironet hardware platforms: Introduction of Access Point feature in IOS, Cisco 1100 Series Access Point (802.11b)
12.2(11)JA
12.2MB
Specific Technology ED for 2600 7500 (GPRS/PDSN/GGSN 2600/7200/7500)
12.2(4)MB12
12.2MC
Early Deployment: IP RAN
12.2(13)MC1 CCO: 7/24/03
12.2MX
12.2(8)YD
12.2S
Core/ISP support: GSR, RSP, c7200
12.2(14)S1
12.2(16.5)S
12.2SX
IOS Support for C6500 Supervisor 3
12.2(14)SX1
12.2SY
VPN feature release for c6k/76xx VPN service module
12.2(14)SY1, 12.2(8)YD
12.2SZ
7304 Platform
12.2(14)SZ2
12.2T
New Technology Early Deployment (ED) release for all platforms
12.2(15)T4/5,12.2(13)T5, 12.2(11)T9,12.2(8)T10, 12.2(4)T6
12.2(16.5)T
No more maintenance trains for 12.2T are planned. Please migrate to the latest 12.3 Mainline release.
12.2X(l) 12.2Y(l)
Short-lived Early Deployment Releases
Many short-lived releases migrate to the same train; the trains below this point until the following section are not grouped by strict alphabetical order, but are grouped by migration path. Please review documented migration paths for your trains.
12.2XA
Short-lived Early Deployment Releases
Migrate to 12.2(11)T9
12.2XS
12.2(2)XB11
12.2XD 12.2XE 12.2XH 12.2XI 12.2XJ 12.2XK 12.2XL 12.2XM 12.2XQ 12.2XU 12.2XW 12.2YA 12.2YB 12.2YC 12.2YF 12.2YG 12.2YH 12.2YJ 12.2YT
Short-lived Early Deployment Releases
Migrate to 12.2(15)T5
12.2YN
Short-lived Early Deployment Release
Migrate to 12.2(13)ZH
12.2YO
Short-lived Early Deployment Release
Migrate to 12.2(14)SY1 available Aug-4-2003: Engineering Special available on request
12.2XB
Early Deployment Release with continuing support
12.2(2)XB11
12.2XC
Short-lived Early Deployment Release
Migrate to 12.2(16)B1
12.2XF
Short-lived Early Deployment Release uBR10000
Migrate to 12.2(15)BC1
12.2XG
Short-lived Early Deployment Release
Migrate to 12.2(8)T10
12.2XN 12.2XT
Short-lived Early Deployment Releases
Migrate to 12.2(11)T9
12.2YD
Short-lived Early Deployment Release
Migrate to 12.2(8)YY
12.2YP
Short-lived Early Deployment Release
**12.2(11)YP1
12.2YK
Migrate to 12.2(13)ZC
12.2YL 12.2YM 12.2YU 12.2YV
Short-lived Early Deployment Releases
Migrate to 12.2(13)ZH
12.2YQ 12.2YR
Short-lived Early Deployment Releases
Migrate to 12.2(15)ZL
12.2YS
Short-lived Early Deployment Release
12.2(15)YS/1.2(1)
12.2YW
Short-lived Early Deployment Release
12.2(8)YW2
12.2YX
Short-lived Early Deployment Release Crypto for 7100/7200
12.2(11)YX1
12.2YY
Short lived Early Deployment Releases IOS support for General Packet Radio Service
12.2(8)YY3
12.2YZ
Short-lived Early Deployment Release
12.2(11)YZ2
12.2ZA
Short-lived Early Deployment Release
12.2(14)ZA2
12.2ZB
Short-lived Early Deployment Release
12.2(8)ZB7
12.2ZC
Short-lived Early Deployment Release
12.2(13)ZC
12.2ZD
Short-lived Early Deployment Release
Not Scheduled
12.2ZE
Short-lived Early Deployment Release
12.3(1a)
12.2ZF
Short-lived Early Deployment Release
Not Vulnerable
12.2ZG
Short-lived Early Deployment Release
Not Vulnerable
12.2ZH
Short-lived Early Deployment Release
Not Vulnerable
12.2ZJ
Short-lived Early Deployment Release
12.2(15)ZJ1
12.2ZL
Short-lived Early Deployment Release
Not Vulnerable
12.3-based Releases
NOT VULNERABLE
Notes:
** Marked versions of code are not available on CCO. Please contact the Cisco TAC and request the specific images you need posted.
Obtaining Fixed Software
Customers with contracts should obtain upgraded software free of charge through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on the Cisco worldwide website at http://www.cisco.com/tacpage/sw-center/sw-ios.shtml.
Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with obtaining the free software upgrade(s).
Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
+1 800 553 2447 (toll free from within North America)
+1 408 526 7209 (toll call from anywhere in the world)
e-mail: tac@cisco.com
Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
Please do not contact either psirt@cisco.com or security-alert@cisco.com for software upgrades.
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers, instructions, and e-mail addresses for use in various languages.
Workarounds
AFTER APPLYING THE WORKAROUND the input queue depth may be raised with the hold-queue in interface command -- the default size is 75. This will allow traffic flow on the interface until the device can be reloaded.
Cisco recommends that all IOS devices which process IPv4 packets be configured to block traffic directed to the router from any unauthorized source with the use of Access Control Lists (ACLs). This can be done at multiple locations, and it is recommended that you review all methods and use the combination which fits your network best. Legitimate traffic is defined as management protocols such as telnet, snmp or ssh, and configured routing protocols from explicitly allowed peers. All other traffic destined to the device should be blocked at the input interface. Traffic entering the network should also be carefully evaluated and filtered at the network edge if destined to an infrastructure device. Although network service providers must often allow unknown traffic to transit their network, it is not necessary to allow that same traffic destined to their network infrastructure. Several white papers have been written to assist in deploying these recommended security best practices.
ACLs can have performance impact on certain platforms, so care should be taken when applying the recommended workarounds.
Transit ACLs
The following access list is specifically designed to block attack traffic. Note that the attack traffic can include spoofed source addresses. This access list should be applied to all interfaces of the device, and should include topology-specific filters. This could include filtering routing protocol traffic, management protocols, and traffic destined for the internal network. Protocol 103 is Protocol Independent Multicast (PIM), which is a commonly deployed application in multicast networks. Interfaces with PIM enabled have not been found to be vulnerable to exploit traffic with protocol 103; PIM traffic may be permitted to those select devices.
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any
Prior to deploying ACLs that filter transit traffic, a classification ACL can be used to help identify required permit statements. A classification ACL is an ACL that permits a series of protocols. Displaying access-list entry hit counters helps determine required protocols: entries with zero packets counted are likely not required. Classification access-lists are detailed in the link below for infrastructure access-lists.
Receive ACLs
For distributed platforms, receive path access lists may be an option starting in Cisco IOS Software Versions 12.0(21)S2 for the c12000 and 12.0(24)S for the c7500. The receive access lists protect the device from harmful traffic before the traffic can impact the route processor. The CPU load is distributed to the line card processors and helps mitigate load on the main route processor. The white paper entitled GSR: Receive Access Control Lists will help you identify and allow legitimate traffic to your device and deny all unwanted packets:
http://www.cisco.com/warp/public/707/racl.html
Infrastructure ACLs
Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network. The white paper entitled Protecting Your Core: Infrastructure Protection Access Control Lists presents guidelines and recommended deployment techniques for infrastructure protection ACLs:
http://www.cisco.com/warp/public/707/iacl.html
Exploitation and Public Announcements
Since the initial posting of this document, the Cisco PSIRT has been made aware of public announcements of the vulnerabilities described in this advisory. Cisco PSIRT is aware that the exploit for this vulnerability has been published on a public mailing list.
Status of This Notice: INTERIM
This is an INTERIM notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Cisco will update this advisory.
Distribution
This notice is posted on the Cisco worldwide website at http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml. In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients at the public release date and time:
cust-security-announce@cisco.com
bugtraq@securityfocus.com
full-disclosure@lists.netsys.com
first-teams@first.org (includes CERT/CC)
cisco@spot.colorado.edu
cisco-nsp@puck.nether.net
nanog@merit.edu
sanog@sanog.org
comp.dcom.sys.cisco
Various internal Cisco mailing lists
Future updates of this advisory, if any, will be placed on the Cisco worldwide web server. Users concerned about this problem are encouraged to check the URL given above for any updates.
Revision History
Revision 1.0
17-July-2003 0:00 GMT
Initial public release
Revision 1.1
17-July-2003 6:10 GMT
Updated Workaround section (access lists), Updated table with information on 12.0W5
Revision 1.2
17-July-2003 10:30 GMT
Corrected Last Updated time; corrected document title of Infrastructure ACL link under Workaround section
Revision 1.3
17-July-2003 23:00 GMT
Added with specific protocol fields in Summary section; updated Details section to include protocol types; added details to the Cisco vulnerabilities paragraph; added an output example to identify an attack packet; rewrote Transit ACLs section; updated Exploitation and Public Announcements paragraph
Revision 1.4
18-July-2003 10:00 GMT
Added sentence in Exploitation and Public Announcements section.
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on the Cisco worldwide website at http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices.
All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.
--------------------------------------------------------------------------------
Please provide your feedback on this document.
--------------------------------------------------------------------------------
Contents
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: INTERIM
Distribution
Revision History
Cisco Security Procedures
--------------------------------------------------------------------------------
This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information.
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
|
|
|
 |
|
No Comments Allowed for Anonymous, please register |
|
| |
|
Login |
|
 |
|
|
|
|
· New User? · Click here to create a registered account.
|
|
|
Article Rating |
|
|
|
|
|
|
Average Score: 3
Votes: 2
|
|
|
