NZNOG
What ever happened to nitrous.digex.net?
Mark
Our apologies to the folks who suffered from performance problems on
Citylink yesterday (Saturday). They were caused by an ISP under
apparent SYN attack - not in itself a particularly unusual occurrence,
what was interesting was that in changes on Saturday morning (about 3am)
said ISP managed to make the IP address under attack an unfiltered
broadcast address on Citylink, so we all got to share the pain of a kind
of combo SYN/smurf attack.
The attacks manifested as 8-10Mb/s streams coming from the ISP onto
Citylink for 1-4 minutes, about twice every two hours, which in turn
caused some 10Mb customers on Citylink some disruption of service -
100Mb/1Gb customers seemed to be largely unaffected. The short duration
and occasional nature of the problem did cause a few issues with
tracking it and getting a resolution (about 9pm last night) - again, our
apologies for not getting it sorted faster.
Cheers
Si
I have seen attempts to exploit the recently-announced cisco vuln on a
router of my acquaintance in Auckland, starting early this morning
NZST. This confirms the notes on nanog (and in the updated cisco
advisory) about functional exploits being published and used in the
wild.
The source addresses appear spoofed, and so far all of the hits have
been received from outside NZ. The address "x.x.x.114" (see below)
isn't in use on a router or anywhere else. Presumably the k1dd13z will
realise at some point that there is more dead air on the Internet than
ciscos, and will start harvesting victim addresses from traceroute
instead of choosing them randomly.
Is anybody contemplating customer-facing filters which block protocols
53, 54, 77 and 103?
Jul 19 01:26:52 router 3587: Jul 19 01:22:37 NZST:
%SEC-6-IPACCESSLOGNP: list 127 denied 54 216.191.222.139
(FastEthernet0/1.500 0002.xxxx.xxxx) -> x.x.x.164, 1 packet
Jul 19 01:38:27 router 5320: Jul 19 01:34:12 NZST:
%SEC-6-IPACCESSLOGNP: list 127 denied 53 245.128.83.9 (Serial2/2.1 DLCI
xxx) -> x.x.x.114, 1 packet
Jul 19 01:38:27 router 5321: Jul 19 01:34:13 NZST:
%SEC-6-IPACCESSLOGRP: list 127 denied pim 216.225.202.10 (Serial2/2.1
DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:41:38 router 5327: .Jul 19 01:37:23 NZST:
%SEC-6-IPACCESSLOGNP: list 127 denied 77 157.160.104.37 (Serial2/2.1
DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:42:02 router 5331: .Jul 19 01:37:47 NZST:
%SEC-6-IPACCESSLOGNP: list 127 denied 55 222.21.158.112 (Serial2/2.1
DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:46:06 router 5343: .Jul 19 01:41:51 NZST:
%SEC-6-IPACCESSLOGNP: list 127 denied 55 221.44.200.77 (Serial2/2.1
DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:46:06 router 5344: .Jul 19 01:41:51 NZST:
%SEC-6-IPACCESSLOGRP: list 127 denied pim 148.246.222.60 (Serial2/2.1
DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:48:25 router 5347: .Jul 19 01:44:10 NZST:
%SEC-6-IPACCESSLOGNP: list 127 denied 55 159.136.236.96 (Serial2/2.1
DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:48:25 router 5348: .Jul 19 01:44:10 NZST:
%SEC-6-IPACCESSLOGRP: list 127 denied pim 151.142.170.98 (Serial2/2.1
DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:51:02 router 5353: Jul 19 01:46:48 NZST:
%SEC-6-IPACCESSLOGNP: list 127 denied 53 172.75.88.52 (Serial2/2.1 DLCI
xxx) -> x.x.x.114, 1 packet
Jul 19 01:51:02 router 5354: Jul 19 01:46:48 NZST:
%SEC-6-IPACCESSLOGRP: list 127 denied pim 146.95.71.5 (Serial2/2.1 DLCI
xxx) -> x.x.x.114, 1 packet
Jul 19 01:52:17 router 5359: Jul 19 01:48:02 NZST:
%SEC-6-IPACCESSLOGNP: list 127 denied 53 252.40.243.114 (Serial2/2.1
DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:52:17 router 5360: Jul 19 01:48:02 NZST:
%SEC-6-IPACCESSLOGRP: list 127 denied pim 151.94.44.88 (Serial2/2.1
DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:52:35 router 5362: Jul 19 01:48:20 NZST:
%SEC-6-IPACCESSLOGNP: list 127 denied 53 24.17.251.39 (Serial2/2.1 DLCI
xxx) -> x.x.x.114, 1 packet
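As an added illustration of triaging the kind of ACL log shown in the post above (editorial example code, not part of the post or of the list archive): a small Python parser that reads IOS `%SEC-6-IPACCESSLOGNP` and `%SEC-6-IPACCESSLOGRP` deny lines, maps the logged protocol token (a number, or the name `pim` that IOS prints for protocol 103) to an IP protocol number, and totals hits on the four protocol types named in the Cisco advisory per destination. The sample lines are constructed in the format of the post using RFC 5737 documentation addresses, and the set of addresses assumed to be in use is also constructed, so that hits on an address nothing answers on (as with x.x.x.114 above) are reported separately.

```python
import re
from collections import Counter

# Protocol numbers named in cisco-sa-20030717-blocked. IOS writes protocol 103
# as the name "pim" in ACL log messages, hence the small name->number map.
ADVISORY_PROTOCOLS = {53: "SWIPE", 55: "IP Mobility", 77: "Sun ND", 103: "PIM"}
PROTOCOL_NAMES = {"pim": 103}

# Variable part of %SEC-6-IPACCESSLOGNP / %SEC-6-IPACCESSLOGRP lines (the
# "no port" and "routing protocol" variants IOS uses for non-TCP/UDP traffic).
ACL_DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:NP|RP): list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) \((?P<iface>[^)]*)\) -> "
    r"(?P<dst>[^,\s]+), (?P<count>\d+) packets?"
)


def parse_acl_deny(line):
    """Return a dict for one ACL deny log line, or None if the line is not one.

    'proto' is the IP protocol number, or None when IOS logged a protocol
    name that this script does not map.
    """
    m = ACL_DENY_RE.search(line)
    if m is None:
        return None
    token = m.group("proto").lower()
    proto = PROTOCOL_NAMES.get(token)
    if proto is None and token.isdigit():
        proto = int(token)
    return {
        "acl": m.group("acl"),
        "proto": proto,
        "src": m.group("src"),
        "iface": m.group("iface"),
        "dst": m.group("dst"),
        "count": int(m.group("count")),
    }


def summarize(lines, addresses_in_use):
    """Total denied packets on the advisory protocols and flag odd targets."""
    by_protocol = Counter()      # advisory protocol number -> packets
    by_destination = Counter()   # destination hit by advisory protocols -> packets
    other_protocols = Counter()  # anything else the ACL denied
    unparsed = 0
    for line in lines:
        rec = parse_acl_deny(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["proto"] in ADVISORY_PROTOCOLS:
            by_protocol[rec["proto"]] += rec["count"]
            by_destination[rec["dst"]] += rec["count"]
        else:
            other_protocols[rec["proto"]] += rec["count"]
    # A destination with no host or router behind it that still attracts
    # advisory-protocol traffic suggests targets are picked blindly rather
    # than from knowledge of the network.
    unused_targets = {d for d in by_destination if d not in addresses_in_use}
    return {
        "by_protocol": by_protocol,
        "by_destination": by_destination,
        "other_protocols": other_protocols,
        "unused_targets": unused_targets,
        "unparsed": unparsed,
    }


# Constructed sample log, in the format of the post (documentation addresses).
SAMPLE_LOG = [
    "Jul 19 01:26:52 router 3587: Jul 19 01:22:37 NZST: %SEC-6-IPACCESSLOGNP: "
    "list 127 denied 54 192.0.2.10 (FastEthernet0/1.500 0002.xxxx.xxxx) -> 203.0.113.164, 1 packet",
    "Jul 19 01:38:27 router 5320: Jul 19 01:34:12 NZST: %SEC-6-IPACCESSLOGNP: "
    "list 127 denied 53 192.0.2.20 (Serial2/2.1 DLCI xxx) -> 203.0.113.114, 1 packet",
    "Jul 19 01:38:27 router 5321: Jul 19 01:34:13 NZST: %SEC-6-IPACCESSLOGRP: "
    "list 127 denied pim 192.0.2.30 (Serial2/2.1 DLCI xxx) -> 203.0.113.114, 1 packet",
    "Jul 19 01:41:38 router 5327: .Jul 19 01:37:23 NZST: %SEC-6-IPACCESSLOGNP: "
    "list 127 denied 77 192.0.2.40 (Serial2/2.1 DLCI xxx) -> 203.0.113.114, 1 packet",
    "Jul 19 01:42:02 router 5331: .Jul 19 01:37:47 NZST: %SEC-6-IPACCESSLOGNP: "
    "list 127 denied 55 192.0.2.50 (Serial2/2.1 DLCI xxx) -> 203.0.113.114, 3 packets",
    "Jul 19 01:45:00 router 5340: .Jul 19 01:40:45 NZST: %SYS-5-CONFIG_I: "
    "Configured from console by vty0",
]
# Constructed: only .164 carries a host; .114 is dead air, as in the post.
ADDRESSES_IN_USE = {"203.0.113.164"}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, ADDRESSES_IN_USE)
    for proto, packets in sorted(report["by_protocol"].items()):
        print(f"protocol {proto:3d} ({ADVISORY_PROTOCOLS[proto]}): {packets} packet(s)")
    for dst in sorted(report["unused_targets"]):
        print(f"hits on unused address {dst}: {report['by_destination'][dst]} packet(s)")
```

The summary deliberately counts packets rather than log lines, because IOS aggregates repeated matches into one line with a packet count, and it keeps non-advisory protocols in a separate counter so that a noisy ACL does not inflate the figures for the four protocol types of interest.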
17 Jul '03
FYI.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
Revision 1.3
============
Last Updated 2003 July 17 at 23:00 UTC (GMT)
For Public Release 2003 July 17 at 6:10 UTC (GMT)
=================
Contents
========
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: INTERIM
Distribution
Revision History
Cisco Security Procedures
- ----------------------------------------------------------------------
Summary
=======
Cisco routers and switches running Cisco IOS® software and configured
to process Internet Protocol version 4 (IPv4) packets are vulnerable to
a Denial of Service (DoS) attack. A rare sequence of crafted IPv4
packets with specific protocol fields sent directly to the device may
cause the input interface to stop processing traffic once the input
queue is full. No authentication is required to process the inbound
packet. Processing of IPv4 packets is enabled by default. Devices
running only IP version 6 (IPv6) are not affected. A workaround is
available.
Cisco has made software available, free of charge, to correct the
problem.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.
Affected Products
=================
This issue affects all Cisco devices running Cisco IOS software and
configured to process Internet Protocol version 4 (IPv4) packets. Cisco
devices which do not run Cisco IOS software are not affected. Devices
which run only Internet Protocol version 6 (IPv6) are not affected.
Details
=======
Cisco routers are configured to process and accept Internet Protocol
version 4 (IPv4) packets by default. A rare, specially crafted sequence
of IPv4 packets with protocol type 53 (SWIPE), 55 (IP Mobility), 77
(Sun ND), or 103 (Protocol Independent Multicast - PIM) which is
handled by the processor on a Cisco IOS device may force the device to
incorrectly flag the input queue on an interface as full, which will
cause the router to stop processing inbound traffic on that interface.
This can cause routing protocols to drop due to dead timers.
Interfaces which are explicitly configured to run PIM will not be
affected by traffic with protocol type 103. An interface with PIM
enabled will have one of the following three commands in the interface
configuration: ip pim dense-mode, ip pim sparse-mode, or ip pim
sparse-dense-mode.
On Ethernet interfaces, Address Resolution Protocol (ARP) times out
after a default time of four hours, and no traffic can be processed.
The device must be rebooted to clear the input queue on the interface,
and will not reload without user intervention. The attack may be
repeated on all interfaces causing the router to be remotely
inaccessible. A workaround is available, and is documented in the
Workarounds section.
The following two Cisco vulnerabilities are documented in DDTS:
CSCea02355 ( registered customers only) affects all Cisco routers
running Cisco IOS software. This documents the flaw with protocols 53,
55, and 77. CSCdz71127 ( registered customers only) was introduced by
an earlier code revision, and documents an input queue vulnerability to
protocol 103 with a device which is not configured for PIM. Any version
of software which has the fix for CSCdx02283 ( registered customers
only) is vulnerable.
Registered customers can find more details using the Bug Toolkit at
http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl (
registered customers only) .
To identify a blocked input interface, use the show interfaces command
and look for the Input Queue line. If the current size (in this case,
76) is larger than the maximum size (75), the input queue is blocked.
Use the show buffers command and look for the prot field. Below are two
examples:
Router#show interface ethernet 0/0
Ethernet0/0 is up, line protocol is up
Hardware is AmdP2, address is 0050.500e.f1e0 (bia 0050.500e.f1e0)
Internet address is 172.16.1.9/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set, keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:41, output 00:00:07, output hang never
Last clearing of "show interface" counters 00:07:18
Input queue: 76/75/1091/0 (size/max/drops/flushes); Total output drops: 0
!--- The 76/75 shows that this is blocked
Router#show buffers input-interface serial 0/0
Buffer information for Small buffer at 0x612EAF3C
data_area 0x7896E84, refcount 1, next 0x0, flags 0x0
linktype 7 (IP), enctype 0 (None), encsize 46, rxtype 0
if_input 0x6159D340 (FastEthernet3/2), if_output 0x0 (None)
inputtime 0x0, outputtime 0x0, oqnumber 65535
datagramstart 0x7896ED8, datagramsize 728, maximum size 65436
mac_start 0x7896ED8, addr_start 0x7896ED8, info_start 0x0
network_start 0x7896ED8, transport_start 0x0
source: 212.176.72.138, destination: 212.111.64.174, id: 0xAAB8, ttl: 41, prot: 103
!--- prot: 103 is proof that this is one of the attack packets
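Added here by the editor as a worked example, not part of the Cisco advisory or of the forwarded mail: a Python script that applies the two checks the advisory describes to captured `show interfaces` and `show buffers input-interface` output. It reports every interface whose input queue's current size exceeds its maximum (the 76/75 case above) and every buffered packet whose `prot` field is one of the four protocol types named in the Details section, then ties the two together per interface. The sample output is constructed in the advisory's format: the Ethernet0/0 block reuses the advisory's own lines, while the second interface, the buffer records, the packet sources and the IP IDs are made up (documentation addresses).

```python
import re

# IP protocol types named in cisco-sa-20030717-blocked.
ADVISORY_PROTOCOLS = {53: "SWIPE", 55: "IP Mobility", 77: "Sun ND", 103: "PIM"}

# First line of each interface block in "show interfaces" output.
IFACE_HEADER_RE = re.compile(
    r"^(?P<name>\S+) is (?:up|down|administratively down), line protocol is")
# The "Input queue: size/max/drops/flushes" line the advisory says to inspect.
INPUT_QUEUE_RE = re.compile(
    r"Input queue: (?P<size>\d+)/(?P<max>\d+)/(?P<drops>\d+)/(?P<flushes>\d+) "
    r"\(size/max/drops/flushes\)")
# Lines of interest in "show buffers" output.
BUFFER_START_RE = re.compile(r"^Buffer information for")
IF_INPUT_RE = re.compile(r"if_input 0x[0-9A-Fa-f]+ \((?P<name>[^)]*)\)")
IP_HEADER_RE = re.compile(
    r"source: (?P<src>\S+), destination: (?P<dst>\S+), id: (?P<id>0x[0-9A-Fa-f]+), "
    r"ttl: (?P<ttl>\d+), prot: (?P<prot>\d+)")


def blocked_input_queues(show_interfaces):
    """Return interfaces whose input queue size exceeds its maximum (e.g. 76/75)."""
    blocked, current = [], None
    for line in show_interfaces.splitlines():
        header = IFACE_HEADER_RE.match(line)
        if header:
            current = header.group("name")
            continue
        q = INPUT_QUEUE_RE.search(line)
        if q and current is not None:
            size, maximum = int(q.group("size")), int(q.group("max"))
            if size > maximum:
                blocked.append({"interface": current, "size": size,
                                "max": maximum, "drops": int(q.group("drops"))})
    return blocked


def advisory_packets_in_buffers(show_buffers):
    """Return buffered packets whose IP protocol is one of the advisory's four."""
    packets, if_input = [], None
    for line in show_buffers.splitlines():
        if BUFFER_START_RE.match(line):
            if_input = None  # new buffer record: forget the previous interface
            continue
        m = IF_INPUT_RE.search(line)
        if m:
            if_input = m.group("name")
            continue
        m = IP_HEADER_RE.search(line)
        if m and int(m.group("prot")) in ADVISORY_PROTOCOLS:
            prot = int(m.group("prot"))
            packets.append({"if_input": if_input, "src": m.group("src"),
                            "dst": m.group("dst"), "prot": prot,
                            "name": ADVISORY_PROTOCOLS[prot]})
    return packets


def assess(show_interfaces, show_buffers):
    """A blocked queue plus advisory-protocol packets buffered on that same
    interface is the signature the advisory describes."""
    blocked = blocked_input_queues(show_interfaces)
    packets = advisory_packets_in_buffers(show_buffers)
    seen_on = {p["if_input"] for p in packets}
    with_evidence = [b["interface"] for b in blocked if b["interface"] in seen_on]
    return {"blocked": blocked, "advisory_packets": packets,
            "blocked_with_evidence": with_evidence,
            "matches_advisory": bool(with_evidence)}


# Constructed sample output in the advisory's format (see lead-in).
SHOW_INTERFACES = """\
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0050.500e.f1e0 (bia 0050.500e.f1e0)
  Internet address is 172.16.1.9/24
  Input queue: 76/75/1091/0 (size/max/drops/flushes); Total output drops: 0
Ethernet0/1 is up, line protocol is up
  Internet address is 192.0.2.1/24
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""
SHOW_BUFFERS = """\
Buffer information for Small buffer at 0x612EAF3C
  if_input 0x6159D340 (Ethernet0/0), if_output 0x0 (None)
  source: 192.0.2.7, destination: 172.16.1.9, id: 0xAAB8, ttl: 41, prot: 103
Buffer information for Small buffer at 0x612EB0A0
  if_input 0x6159D340 (Ethernet0/0), if_output 0x0 (None)
  source: 198.51.100.3, destination: 172.16.1.9, id: 0x1A2B, ttl: 60, prot: 6
Buffer information for Small buffer at 0x612EB204
  if_input 0x6159D340 (Ethernet0/0), if_output 0x0 (None)
  source: 192.0.2.9, destination: 172.16.1.9, id: 0x0C0D, ttl: 38, prot: 55
"""

if __name__ == "__main__":
    result = assess(SHOW_INTERFACES, SHOW_BUFFERS)
    for b in result["blocked"]:
        print(f"{b['interface']}: input queue {b['size']}/{b['max']} is blocked")
    for p in result["advisory_packets"]:
        print(f"  {p['if_input']}: prot {p['prot']} ({p['name']}) from {p['src']}")
    print("matches advisory signature:", result["matches_advisory"])
```

A queue that is merely full under legitimate load also shows size at or above max, so the buffer check matters: only when the held packets carry one of the four protocol types does the condition line up with this advisory rather than with ordinary congestion.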
Impact
======
A device receiving these specifically crafted IPv4 packets will force
the inbound interface to stop processing traffic. The device may stop
processing packets destined to the router, including routing protocol
packets and ARP packets. No alarms will be triggered, nor will the
router reload to correct itself. This issue can affect all Cisco
devices running Cisco IOS software. This vulnerability may be exercised
repeatedly resulting in loss of availability until a workaround has
been applied or the device has been upgraded to a fixed version of
code.
Software Versions and Fixes
===========================
Each row of the table describes a release train and the platforms or
products for which it is intended. If a given release train is
vulnerable, then the earliest possible releases that contain the fix
and the anticipated date of availability for each are listed in the
Rebuild, Interim, and Maintenance columns. In some cases, no rebuild of
a particular release is planned; this is marked with the label "Not
scheduled." A device running any release in the given train that is
earlier than the release in a specific column (less than the earliest
fixed release) is known to be vulnerable, and it should be upgraded at
least to the indicated release or a later version (greater than the
earliest fixed release label).
When selecting a release, keep in mind the following definitions:
* Maintenance
Most heavily tested and highly recommended release of any label in
a given row of the table.
* Rebuild
Constructed from the previous maintenance or major release in the
same train, it contains the fix for a specific vulnerability.
Although it receives less testing, it contains only the minimal
changes necessary to effect the repair. Cisco has made available
several rebuilds of mainline trains to address this vulnerability,
but strongly recommends running only the latest maintenance release
on mainline trains.
* Interim
Built at regular intervals between maintenance releases and
receives less testing. Interims should be selected only if there is
no other suitable release that addresses the vulnerability, and
interim images should be upgraded to the next available maintenance
release as soon as possible. Interim releases are not available
through manufacturing, and usually they are not available for
customer download from CCO without prior arrangement with the Cisco
Technical Assistance Center (TAC).
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco TAC for assistance, as shown in the section following this
table.
+--------------------------------------------------------------------+
|Train |Description of |Availability of Fixed Releases |
| |Image or Platform | |
|--------------------------+-----------------------------------------+
| 11.x based releases | Rebuild |Interim| Maintenance |
|--------------------------+-----------+-------+---------------------+
|11.1CA| |11.1(36)CA4| | |
| | |** | | |
|------+-------------------+-----------+-------+---------------------+
|11.2 | |11.2(26e)**| | |
|------+-------------------+-----------+-------+---------------------+
|11.2P | |11.2(26)P5*| | |
| | |* | | |
|------+-------------------+-----------------------------------------+
|11.3 | |Not scheduled |
|------+-------------------+-----------------------------------------+
|11.3T | |Not scheduled |
|--------------------------+-----------------------------------------+
|12.0 based releases |Rebuild |Interim|Maintenance |
|--------------------------+-----------+-------+---------------------+
| |General Deployment | | | |
|12.0 |release for all | | |12.0(26) |
| |platforms | | | |
|------+-------------------+-----------------------------------------+
|12.0DA|xDSL support: 6100,|Migrate to 12.2DA; 12.2(10)DA2 - |
| |6200 |Aug-15-2003, 12.2(12)DA3 - Aug-22-2003: |
| | |Engineering Specials available on |
| | |request. |
|------+-------------------+-----------------------------------------+
|12.0DB|Early Deployment |Migrate to 12.3(1a) |
| |6400 UAC for NSP | |
|------+-------------------+-----------------------------------------+
|12.0DC|Early Deployment |Migrate to 12.3(1a) |
| |6400 UAC for NRP | |
|------+-------------------+-----------------------------------------+
| | |12.0(24)S2 | | |
| | |12.0(23)S3 | | |
| | |12.0(22)S5 | | |
| | |12.0(21)S7 | | |
| | |12.0(19)S4 | | |
| |Core/ISP support: |12.0(18)S7 | | |
|12.0S |GSR, RSP, c7200, |12.0(17)S7 | |12.0(25)S |
| |c10k |12.0(16)S10| | |
| | |12.0(15)S7 | | |
| | |12.0(14)S8 | | |
| | |12.0(13)S8 | | |
| | |12.0(12)S4 | | |
| | |12.0(10)S8 | | |
|------+-------------------+-----------------------------------------+
|12.0SC|Cable/broadband |Migrate to 12.1(19)EC |
| |ISP: ubr7200 | |
|------+-------------------+-----------------------------------------+
|12.0SL|100000 ESR:c10k |Migrate to 12.0(23)S3, **12.0(17)SL9 - |
| | |Jul-15-2003 |
|------+-------------------+-----------------------------------------+
|12.0SP|Early Deployment |Migrate to 12.0(22)S5 |
|------+-------------------+-----------------------------------------+
| |Early Deployment |12.0(21)ST7| | |
|12.0ST|release for Core/ |12.0(20)ST6| | |
| |ISP support: GSR, |12.0(19)ST6| | |
| |RSP, c7200 |12.0(17)ST8| | |
|------+-------------------+-----------------------------------------+
|12.0SX|Early Deployment |Migrate to 12.0(22)S5 |
|------+-------------------+-----------------------------------------+
|12.0SY|Early Deployment |Migrate to 12.0(23)S3 |
|------+-------------------+-----------------------------------------+
|12.0SZ|Early Deployment |Migrate to 12.0(23)S3 |
|------+-------------------+-----------------------------------------+
|12.0T |Early Deployment |12.0(7)T3**| | |
|------+-------------------+-----------+-------+---------------------+
| |8510c, ls1010, | | |12.0(26)W5(28) |
| |cat8540c,cat8540m, | | | |
| |ls1010 | | | |
| |-------------------+-----------+-------+---------------------+
| |c5atm |12.0(26)W5 | | |
| | |(28a) | | |
| |-------------------+-----------+-------+---------------------+
| |Cat4232 and |12.0(25)W5 | | |
|12.0W5|Cat2948G-L3 |(27) | | |
| |-------------------+-----------+-------+---------------------+
| |C6MSM |Engineering| | |
| | |Special | | |
| | |available | | |
| | |on request | | |
| |-------------------+-----------+-------+---------------------+
| |c5rsfc,c5rsm,C3620,| | |12.1(20) |
| |C3640, C4500, | | | |
| |C7200, RSP | | | |
|------+-------------------+-----------+-------+---------------------+
|12.0WC|Early deployment |12.0(05)WC8| | |
| |2900XL-LRE,2900XL/ | | | |
| |3500XL; 2950 | | | |
| |release | | | |
|------+-------------------+-----------+-------+---------------------+
|12.0WT|Early deployment |Engineering| | |
| |Catalyst switches: |Special | | |
| |cat4840g, |Available | | |
| | |upon | | |
| | |request | | |
|------+-------------------+-----------------------------------------+
|12.0X |Shortlived Early |All 12.0X(any letter) releases have |
|(l) |Deployment Releases|migrated to either 12.0T or 12.1 unless |
| | |otherwise documented in the X release |
| | |technical notes pertaining to the |
| | |specific release. Please check migration |
| | |paths for all 12.0X releases. |
|--------------------------+-----------------------------------------+
|12.1 based releases |Rebuild |Interim|Maintenance |
|--------------------------+-----------+-------+---------------------+
| |General Deployment | |12.1 | |
|12.1 |release for all | |(18.4) |12.1(19) |
| |platforms | | | |
|------+-------------------+-----------------------------------------+
|12.1AA| |Migrate to 12.2 |
|------+-------------------+-----------------------------------------+
|12.1AX|Catalyst 3750 |12.1(14)EA1| | |
| | |- | | |
| | |Engineering| | |
| | |special | | |
| | |available | | |
| | |upon | | |
| | |request | | |
|------+-------------------+-----------+-------+---------------------+
|12.1AY|Catalyst 2940 | | |12.1(13)AY |
|------+-------------------+-----------------------------------------+
|12.1DA|6160 platform |Migrate to 12.2DA |
|------+-------------------+-----------------------------------------+
|12.1DB|6400 UAC |Migrate to 12.3(1a) |
|------+-------------------+-----------------------------------------+
|12.1DC|6400 UAC |Migrate to 12.3(1a) |
|------+-------------------+-----------------------------------------+
|12.1E |Core Enterprise |12.1(8b)E14| |12.1(19)E |
| |support - c7200, |12.1(13)E7 | | |
| |Catalyst 6000, RSP |12.1(14)E4 | | |
| | |**12.1(12c)| | |
| | |E7 | | |
| | |12.1(11b) | | |
| | |E12- | | |
| | |Aug-4-2003 | | |
| | |12.1(6)E12 | | |
|------+-------------------+-----------------------------------------+
|12.1EA|12.1(4)EA |Migrate to 12.1(13)EA1c |
| |12.1(6)EA | |
| |12.1(8)EA | |
| |12.1(9)EA | |
| |12.1(11)EA | |
| |-------------------+-----------------------------------------+
| |12.1(12c)EA |12.1(13) | | |
| |12.1(13)EA |EA1c | | |
|------+-------------------+-----------+-------+---------------------+
|12.1EB|LS1010 | | |12.1(14)EB |
|------+-------------------+-----------+-------+---------------------+
|12.1EC|Early Deployment | | |12.1(19)EC (scheduled|
| | | | |last week of July) |
|------+-------------------+-----------+-------+---------------------+
|12.1EV|Early Deployment | | |12.1(12c)EV |
|------+-------------------+-----------+-------+---------------------+
|12.1EW|Early Deployment | | |12.1(13)EW,12.1(19)EW|
| |Cat4000 L3 | | | |
|------+-------------------+-----------+-------+---------------------+
|12.1EX|Early deployment |12.1(13)EX2| | |
|------+-------------------+-----------+-------+---------------------+
|12.1EY| | |12.1(14)E4 | | |
|------+---------+---------+-----------+-------+---------------------+
| | | |12.1(14)EA1| | |
|12.1YJ| | |- | | |
| | | |Jul-28-2003| | |
|------+-------------------+-----------+-------+---------------------+
|12.1T |Early deployment |12.1(5)T15*| | |
| | |* | | |
|------+-------------------------------------------------------------+
|12.1X |12.1X releases generally migrate to 12.1T, 12.2 or 12.2T as |
|(l) |specified below. Please refer to specific train Technical |
| |notes for documented migration path. |
|------+-------------------------------------------------------------+
|12.1XA|Short lived Early |Migrate to 12.1(5)T15 |
| |Deployment Release | |
|------+-------------------+-----------------------------------------+
|12.1XC|Short lived Early |Migrate to 12.2(17) |
|12.1XD|Deployment Releases| |
|12.1XH| | |
|12.1XI| | |
|------+-------------------+-----------------------------------------+
|12.1XB|Short lived Early |Migrate to 12.2(15)T5 |
|12.1XF|Deployment Releases| |
|12.1XG| | |
|12.1XJ| | |
|12.1XL| | |
|12.1XP| | |
|12.1XR| | |
|12.1XT| | |
|12.1YB| | |
|12.1YC| | |
|12.1YD| | |
|12.1YH| | |
|------+-------------------+-----------------------------------------+
|12.1XM|Short lived Early |Migrate to 12.2(2)XB11 |
|12.1XQ|Deployment Releases| |
|12.1XV| | |
|------+-------------------+-----------------------------------------+
|12.1XU|Short lived Early |Migrate to 12.2(4)T6 |
| |Deployment Release | |
|------+-------------------+-----------------------------------------+
|12.1YE|Short lived Early |Migrate to 12.2(2)YC |
|12.1YF|Deployment Release | |
|12.1YI| | |
|--------------------------+-----------------------------------------+
|12.2 based releases |Rebuild |Interim|Maintenance |
|--------------------------+-----------+-------+---------------------+
| |General Deployment |12.2(16a) | | |
|12.2 |(GD) candidate for |12.2(12e) | |12.2(17) |
| |all platforms |12.2(10d) | | |
|------+-------------------+-----------+-------+---------------------+
|12.2B |12.2(2)B-12.2(4)B7 |12.3(1a) | | |
| |-------------------+-----------+-------+---------------------+
| |12.2(4)B8-12.2(16)B|12.2(16)B1 | | |
|------+-------------------+-----------+-------+---------------------+
|12.2BC|Early Deployment |12.2(15)BC1| | |
| |Release |(Scheduled | | |
| | |end of | | |
| | |July) | | |
|------+-------------------+-----------+-------+---------------------+
|12.2BW|Early Deployment |Migrate to | | |
| |for use with 7200, |12.3(1a) | | |
| |7400, and 7411 | | | |
| |platforms | | | |
|------+-------------------+-----------+-------+---------------------+
|12.2BX|Broadband/Leased | | |12.2(16)BX |
| |line | | | |
|------+-------------------+-----------+-------+---------------------+
|12.2BZ|Early Deployment |12.2(15)BZ1| | |
| |Release | | | |
|------+-------------------+-----------------------------------------+
|12.2CX|Early Deployment |Migrate to 12.1(15)BC1 |
| |Release | |
|------+-------------------+-----------------------------------------+
|12.2CY|Early Deployment |Migrate to 12.1(15)BC1 |
| |Release | |
|------+-------------------+-----------------------------------------+
|12.2DA|Early Deployment |12.2(10)DA2| | |
| |Release |- | | |
| | |Jul-15-2003| | |
| | |12.2(12)DA3| | |
| | |- | | |
| | |Aug-22-2003| | |
| | |Engineering | | |
| | |Special | | |
| | |available | | |
| | |on request | | |
|------+-------------------+-----------------------------------------+
|12.2DD|Early Deployment |Migrate to 12.3(1a) |
| |Release | |
|------+-------------------+-----------------------------------------+
|12.2DX|Early Deployment |Migrate to 12.3(1a) |
| |Release | |
|------+-------------------+-----------------------------------------+
|12.2JA|Cisco Aironet | | |12.2(11)JA |
| |hardware platforms:| | | |
| |Introduction of | | | |
| |Access Point | | | |
| |feature in IOS, | | | |
| |Cisco 1100 Series | | | |
| |Access Point | | | |
| |(802.11b) | | | |
|------+-------------------+-----------+-------+---------------------+
|12.2MB|Specific Technology|12.2(4)MB12| | |
| |ED for 2600 7500 | | | |
| |(GPRS/PDSN/GGSN | | | |
| |2600/7200/7500) | | | |
|------+-------------------+-----------+-------+---------------------+
|12.2MC|Early Deployment: |12.2(13)MC1| | |
| |IP RAN |CCO: 7/24/ | | |
| | |03 | | |
|------+-------------------+-----------+-------+---------------------+
|12.2MX| |12.2(8)YD | | |
| | | | | |
|------+-------------------+-----------+-------+---------------------+
|12.2S |Core/ISP support: |12.2(14)S1 |12.2 | |
| |GSR, RSP, c7200 | |(16.5)S| |
|------+-------------------+-----------+-------+---------------------+
|12.2SX|IOS Support for |12.2(14)SX1| | |
| |C6500 Supervisor 3 | | | |
|------+-------------------+-----------+-------+---------------------+
|12.2SY|VPN feature release|12.2(14) | | |
| |for c6k/76xx VPN |SY1, 12.2 | | |
| |service module. |(8)YD | | |
|------+-------------------+-----------+-------+---------------------+
|12.2SZ|7304 Platform |12.2(14)SZ2| | |
|------+-------------------+-----------+-------+---------------------+
| | |12.2(15)T4/| |No more maintenance |
| |New Technology |5,12.2(13) | |trains for 12.2T are |
| |Early Deployment |T5, |12.2 |planned, please |
|12.2T |(ED) release for |12.2(11) |(16.5)T|migrate to latest |
| |all platforms |T9,12.2(8) | |12.3 Mainline |
| | |T10, | |release. |
| | |12.2(4)T6 | | |
|------+-------------------+-----------------------------------------+
|12.2X |Short lived Early |Many short lived releases migrate to the |
|(l) |Deployment Releases|same train; the trains below this point |
|12.2Y |- |until the following section are not |
|(l) | |grouped by strict alphabetical order, but|
| | |are grouped by migration path. Please |
| | |review documented migration paths for |
| | |your trains. |
|------+-------------------+-----------------------------------------+
|12.2XA|Short lived Early |Migrate to 12.2(11)T9 |
| |Deployment Releases| |
|------+-------------------+-----------------------------------------+
|12.2XS| |12.2(2)XB11 |
|------+-------------------+-----------------------------------------+
|12.2XD|Short lived Early |Migrate to 12.2(15)T5 |
|12.2XE|Deployment Releases| |
|12.2XH| | |
|12.2XI| | |
|12.2XJ| | |
|12.2XK| | |
|12.2XL| | |
|12.2XM| | |
|12.2XQ| | |
|12.2XU| | |
|12.2XW| | |
|12.2YA| | |
|12.2YB| | |
|12.2YC| | |
|12.2YF| | |
|12.2YG| | |
|12.2YH| | |
|12.2YJ| | |
|12.2YT| | |
|------+-------------------+-----------------------------------------+
|12.2YN|Short lived Early |Migrate to 12.2(13)ZH |
| |Deployment Releases| |
|------+-------------------+-----------------------------------------+
| |Short lived Early |Migrate to 12.2(14)SY1 available |
|12.2YO|Deployment Releases|Aug-4-2003: Engineering Special |
| | |available on request |
|------+-------------------+-----------------------------------------+
| |Early Deployment | | | |
|12.2XB|Release with |12.2(2)XB11| | |
| |continuing support | | | |
|------+-------------------+-----------------------------------------+
|12.2XC|Short lived Early |Migrate to 12.2(16)B1 |
| |Deployment Releases| |
|------+-------------------+-----------------------------------------+
|12.2XF|Short lived Early |Migrate to 12.2(15)BC1 |
| |Deployment Release | |
| |UBR10000 | |
|------+-------------------+-----------------------------------------+
|12.2XG|Short lived Early |Migrate to 12.2(8)T10 |
| |Deployment Release | |
|------+-------------------+-----------------------------------------+
|12.2XN|Short lived Early |Migrate to 12.2(11)T9 |
|12.2XT|Deployment Releases| |
|------+-------------------+-----------------------------------------+
|12.2YD|Short lived Early |Migrate to 12.2(8)YY |
| |Deployment Release | |
|------+-------------------+-----------------------------------------+
|12.2YP|Short lived Early |**12.2(11) | | |
| |Deployment Release |YP1 | | |
|------+-------------------+-----------------------------------------+
|12.2YK| |Migrate to 12.2(13)ZC |
|------+-------------------+-----------------------------------------+
|12.2YL|Short lived Early |Migrate to 12.2(13)ZH |
|12.2YM|Deployment Releases| |
|12.2YU| | |
|12.2YV| | |
|------+-------------------+-----------------------------------------+
|12.2YQ|Short lived Early |Migrate to 12.2(15)ZL |
|12.2YR|Deployment Releases| |
|------+-------------------+-----------------------------------------+
|12.2YS|Short lived Early |12.2(15)YS/| | |
| |Deployment Release |1.2(1) | | |
|------+-------------------+-----------+-------+---------------------+
|12.2YW|Short lived Early |12.2(8)YW2 | | |
| |Deployment Releases| | | |
|------+-------------------+-----------+-------+---------------------+
|12.2YX|Short lived Early |12.2(11)YX1| | |
| |Deployment Release | | | |
| |Crypto for 7100/ | | | |
| |7200 | | | |
|------+-------------------+-----------+-------+---------------------+
|12.2YY|Short lived Early |12.2(8)YY3 | | |
| |Deployment Releases| | | |
| |IOS support for | | | |
| |General Packet | | | |
| |Radio Service | | | |
|------+-------------------+-----------+-------+---------------------+
|12.2YZ|Short lived Early |12.2(11)YZ2| | |
| |Deployment Release | | | |
|------+-------------------+-----------+-------+---------------------+
|12.2ZA|Short lived Early | | |12.2(14)ZA2 |
| |Deployment Release | | | |
|------+-------------------+-----------+-------+---------------------+
|12.2ZB|Short lived Early |12.2(8)ZB7 | | |
| |Deployment Release | | | |
|------+-------------------+-----------+-------+---------------------+
|12.2ZC|Short lived Early | | |12.2(13)ZC |
| |Deployment Release | | | |
|------+-------------------+-----------+-------+---------------------+
|12.2ZD|Short lived Early |Not | | |
| |Deployment Release |Scheduled | | |
|------+-------------------+-----------+-------+---------------------+
|12.2ZE|Short lived Early |12.3(1a) | | |
| |Deployment Release | | | |
|------+-------------------+-----------+-------+---------------------+
|12.2ZF|Short lived Early |Not | | |
| |Deployment Release |Vulnerable | | |
|------+-------------------+-----------+-------+---------------------+
|12.2ZG|Short lived Early |Not | | |
| |Deployment Release |Vulnerable | | |
|------+-------------------+-----------+-------+---------------------+
|12.2ZH|Short lived Early |Not | | |
| |Deployment Release |Vulnerable | | |
|------+-------------------+-----------+-------+---------------------+
|12.2ZJ|Short lived Early |12.2(15)ZJ1| | |
| |Deployment Release | | | |
|------+-------------------+-----------+-------+---------------------+
|12.2ZL|Short lived Early |Not | | |
| |Deployment Release |Vulnerable | | |
|--------------------------+-----------------------------------------+
|12.3 based releases |NOT VULNERABLE |
|--------------------------------------------------------------------+
|Notes: **Marked versions of code are not available on CCO. Please |
|contact TAC and request the specific images you need posted. |
+--------------------------------------------------------------------+
Notes:
** Marked versions of code are not available on CCO. Please contact the
Cisco TAC and request the specific images you need posted.
Obtaining Fixed Software
========================
Customers with contracts should obtain upgraded software free of charge
through their regular update channels. For most customers, this means
that upgrades should be obtained through the Software Center on the
Cisco worldwide website at
http://www.cisco.com/tacpage/sw-center/sw-ios.shtml.
Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for assistance with obtaining the
free software upgrade(s).
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Please have your product serial number available and give the URL of
this notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the TAC.
Please do not contact either "psirt(a)cisco.com" or
"security-alert(a)cisco.com" for software upgrades.
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized
telephone numbers, instructions, and e-mail addresses for use in
various languages.
Workarounds
===========
AFTER APPLYING THE WORKAROUND, the input queue depth may be raised with
the hold-queue <new value> in interface configuration command; the
default size is 75. This will allow traffic to flow on the interface
until the device can be reloaded.
Cisco recommends that all IOS devices which process IPv4 packets be
configured to block traffic directed to the router from any
unauthorized source with the use of Access Control Lists (ACLs). This
can be done at multiple locations, and it is recommended that you
review all methods and use the combination which fits your network
best. Legitimate traffic is defined as management protocols such as
telnet, snmp or ssh, and configured routing protocols from explicitly
allowed peers. All other traffic destined to the device should be
blocked at the input interface. Traffic entering the network should
also be carefully evaluated and filtered at the network edge if
destined to an infrastructure device. Although network service
providers must often allow unknown traffic to transit their network, it
is not necessary to allow that same traffic destined to their network
infrastructure. Several white papers have been written to assist in
deploying these recommended security best practices.
ACLs can have performance impact on certain platforms, so care should
be taken when applying the recommended workarounds.
Transit ACLs
The following access list is specifically designed to block attack
traffic. Note that the attack traffic can include spoofed source
addresses. This access list should be applied to all interfaces of the
device, and should include topology-specific filters. This could
include filtering routing protocol traffic, management protocols, and
traffic destined for the internal network. Protocol 103 is Protocol
Independent Multicast (PIM), which is a commonly deployed application
in multicast networks. Interfaces with PIM enabled have not been found
to be vulnerable to exploit traffic with protocol 103; PIM traffic may
be permitted to those select devices.
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any
Prior to deploying ACLs that filter transit traffic, a classification
ACL can be used to help identify required permit statements. A
classification ACL is an ACL that permits a series of protocols.
Displaying access-list entry hit counters helps determine required
protocols: entries with zero packets counted are likely not required.
Classification access-lists are detailed in the link below for
infrastructure access-lists.
Receive ACLs
For distributed platforms, receive path access lists may be an option
starting in Cisco IOS Software Versions 12.0(21)S2 for the c12000 and
12.0(24)S for the c7500. The receive access lists protect the device
from harmful traffic before the traffic can impact the route processor.
The CPU load is distributed to the line card processors and helps
mitigate load on the main route processor. The white paper entitled
"GSR: Receive Access Control Lists" will help you identify and allow
legitimate traffic to your device and deny all unwanted packets:
http://www.cisco.com/warp/customer/707/racl.html
Infrastructure ACLs
Although it is often difficult to block traffic transiting your
network, it is possible to identify traffic which should never be
allowed to target your infrastructure devices and block that traffic at
the border of your network. The white paper entitled "Protecting Your
Core: Infrastructure Protection Access Control Lists" presents
guidelines and recommended deployment techniques for infrastructure
protection ACLs:
http://www.cisco.com/warp/customer/707/iacl.html
Exploitation and Public Announcements
=====================================
Since the initial posting of this document, the Cisco PSIRT has been
made aware of public announcements of the vulnerabilities described in
this advisory. PSIRT has chosen to resend to our standard distribution
list immediately with further details to assist network administrators
in mitigation.
Status of This Notice: INTERIM
==============================
This is an INTERIM notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all of the facts have been checked to
the best of our ability. Cisco does not anticipate issuing updated
versions of this advisory unless there is some material change in the
facts. Should there be a significant change in the facts, Cisco will
update this advisory.
Distribution
============
This notice is posted on the Cisco worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml. In
addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients at the public release date and time:
* cust-security-announce(a)cisco.com
* bugtraq(a)securityfocus.com
* full-disclosure(a)lists.netsys.com
* first-teams(a)first.org (includes CERT/CC)
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* nanog(a)merit.edu
* sanog(a)sanog.org
* comp.dcom.sys.cisco
* Various internal Cisco mailing lists
Future updates of this advisory, if any, will be placed on the Cisco
worldwide web server. Users concerned about this problem are encouraged
to check the URL given above for any updates.
Revision History
================
+-------------------------------------------+
| Revision | 17-July-2003 | Initial public |
| 1.0 | 0:00 GMT | release |
|----------+--------------+-----------------|
| | | Updated |
| | | Workaround |
| Revision | 17-July-2003 | section (access |
| 1.1 | 6:10 GMT | lists), Updated |
| | | table with |
| | | information on |
| | | 12.0W5 |
|----------+--------------+-----------------|
| | | Corrected "Last |
| | | Updated" time; |
| | | corrected |
| Revision | 17-July-2003 | document title |
| 1.2 | 10:30 GMT | of |
| | | Infrastructure |
| | | ACL link under |
| | | Workaround |
| | | section |
|----------+--------------+-----------------|
| | | Added "with |
| | | specific |
| | | protocol |
| | | fields" in |
| | | Summary |
| | | section; |
| | | updated Details |
| | | section to |
| | | include |
| | | protocol types; |
| | | added details |
| Revision | 17-July-2003 | to the Cisco |
| 1.3 | 23:00 GMT | vulnerabilities |
| | | paragraph; |
| | | added an output |
| | | example to |
| | | identify an |
| | | attack packet; |
| | | rewrote Transit |
| | | ACLs section; |
| | | updated |
| | | Exploitation |
| | | and Public |
| | | Announcements |
| | | paragraph |
+-------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on the Cisco
worldwide website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security notices.
All Cisco Security Advisories are available at
http://www.cisco.com/go/psirt.
- ----------------------------------------------------------------------
This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the
text, provided that redistributed copies are complete and unmodified,
and include all date and version information.
- ----------------------------------------------------------------------
All contents are Copyright © 1992-2003 Cisco Systems, Inc. All rights
reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2
iQA/AwUBPxchOXsxqM8ytrWQEQLgzwCeMBqiamX2K/VvMhIgooz9d11K1VoAoLcF
nmN6hA5ZuyDFBhW3o+FydDop
=pSyP
-----END PGP SIGNATURE-----
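The two operational checks the advisory describes, the blocked-input-queue signature in "show interfaces" (current size larger than the maximum) and the transit ACL in the Workarounds section, lend themselves to a small audit script. The following is an added example written for this archive, not Cisco code and not part of the advisory or any post above. It assumes the IOS 12.x output formats of "show interfaces" and "show access-lists" shown in its constructed samples (the Ethernet0/0 figures are the advisory's own; everything else is made up), and models only the "any any" ACL entries the advisory uses. The point it adds beyond the advisory text is the first-match caveat: the four deny lines only protect the device if no earlier "permit ip any any" shadows them.

```python
"""Audit helpers for the 'IOS interface blocked by IPv4 packet' advisory.
Added example (not Cisco code).  Output formats are assumed from IOS 12.x
and all sample text below is constructed for illustration."""
import re

# IP protocol numbers the advisory's transit ACL denies.
ADVISORY_PROTOCOLS = (53, 55, 77, 103)

INTF_RE = re.compile(r"^(\S+) is (?:up|down|administratively down), line protocol is")
QUEUE_RE = re.compile(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+) \(size/max/drops/flushes\)")
ACL_HEADER_RE = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
# Optional sequence number, action, protocol, source/destination text and an
# optional "(N matches)" suffix (assumed omitted by IOS when the count is zero).
ACL_ENTRY_RE = re.compile(r"^(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\((\d+) matches\))?$")


def blocked_interfaces(show_interfaces_output):
    """Return {interface: (size, max)} for each interface whose input queue
    size exceeds its maximum: the blocked state the advisory describes, which
    clears only on reload."""
    blocked, current = {}, None
    for line in show_interfaces_output.splitlines():
        line = line.strip()
        m = INTF_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = QUEUE_RE.search(line)
        if m and current:
            size, maximum = int(m.group(1)), int(m.group(2))
            if size > maximum:
                blocked[current] = (size, maximum)
    return blocked


def parse_access_lists(show_access_lists_output):
    """Return {acl_name: [entry, ...]}; numeric protocol names become ints."""
    acls, current = {}, None
    for raw in show_access_lists_output.splitlines():
        line = raw.strip()
        h = ACL_HEADER_RE.match(line)
        if h:
            current = h.group(1)
            acls[current] = []
            continue
        e = ACL_ENTRY_RE.match(line)
        if e and current is not None:
            proto = e.group(2)
            acls[current].append({
                "action": e.group(1),
                "proto": int(proto) if proto.isdigit() else proto.lower(),
                "rest": e.group(3),
                "matches": int(e.group(4) or 0),
            })
    return acls


def check_transit_acl(show_access_lists_output, acl_name, protocols=ADVISORY_PROTOCOLS):
    """IOS evaluates an ACL top-down and the first match wins.  For each
    protocol report the first entry that matches it for any source and
    destination: 'blocked' (a deny), 'shadowed' (a permit sits above the deny,
    so the deny never fires) or 'no-entry'.  Only "any any" entries are
    modelled, which is the form the advisory's workaround uses."""
    entries = parse_access_lists(show_access_lists_output).get(acl_name, [])
    result = {}
    for proto in protocols:
        status = "no-entry"
        for e in entries:
            if e["rest"].startswith("any any") and e["proto"] in (proto, "ip"):
                status = "blocked" if e["action"] == "deny" else "shadowed"
                break
        result[proto] = status
    return result


def unused_entries(show_access_lists_output, acl_name):
    """Entries with zero hits: per the advisory's classification-ACL advice,
    the likely candidates for removal."""
    entries = parse_access_lists(show_access_lists_output).get(acl_name, [])
    return [f'{e["action"]} {e["proto"]} {e["rest"]}' for e in entries if e["matches"] == 0]


# Constructed samples.  Ethernet0/0 reuses the figures from the advisory's
# "show interface" example; Ethernet0/1 and both ACLs are made up.
SAMPLE_SHOW_INTERFACES = """\
Ethernet0/0 is up, line protocol is up
  Input queue: 76/75/1091/0 (size/max/drops/flushes); Total output drops: 0
Ethernet0/1 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""

SAMPLE_SHOW_ACCESS_LISTS = """\
Extended IP access list 101
    deny 53 any any (12 matches)
    deny 55 any any
    deny 77 any any (3 matches)
    deny 103 any any
    permit ip any any (48213 matches)
Extended IP access list 102
    permit ip any any (9001 matches)
    deny 53 any any
    deny 103 any any
"""

if __name__ == "__main__":
    for intf, (size, maximum) in blocked_interfaces(SAMPLE_SHOW_INTERFACES).items():
        print(f"{intf}: input queue {size}/{maximum} -> blocked, reload needed")
    for acl in ("101", "102"):
        print(f"ACL {acl}:", check_transit_acl(SAMPLE_SHOW_ACCESS_LISTS, acl))
    print("zero-hit entries in 101:", unused_entries(SAMPLE_SHOW_ACCESS_LISTS, "101"))
```

Run against the samples, ACL 101 reports all four protocols as blocked while ACL 102, where a pre-existing "permit ip any any" was left above the new deny lines, reports them all as shadowed; that is the ordering mistake the "insert any other previously applied ACL entries here" comment in the advisory is guarding against.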
Hey, I was just looking through the archives of the list, and found a post
that was about IPv6 peering in New Zealand.
I am currently trying to setup a website (http://www.ipv6.co.nz), but as
such, I am the only one involved :P.
If anyone wants to help me setup content for the site etc, or if you would
like to use the domain for such things as the domain for a New Zealand IPv6
Peer... then by all means... you can use it, just email me...
Antonio Broughton
17 Jul '03
Don't know how many windows admins out there, but in case you haven't yet heard
about the new windows RPC sploit, read below.
----- Forwarded message from Haroon Meer <haroon(a)sensepost.com> -----
Date: Fri, 18 Jul 2003 02:48:06 +0200 (SAST)
From: Haroon Meer <haroon(a)sensepost.com>
Reply-To: Haroon Meer <haroon(a)sensepost.com>
Subject: Critical Vulnerability discovered in Windows Servers
To: icepick(a)cybernett.co.za
Dear Barry Murphy,
Vulnerability in Microsoft Windows Servers.
Versions Affected : Windows XP, Windows NT4, Windows2000, Windows2003
Severity of Bug : CRITICAL
Port / Service : Port 135 - Microsoft RPC
A Polish security research group have found a remotely exploitable bug in
Windows based operating systems. The bug affects almost the entire Microsoft
Product range from Windows NT4, to Windows2000 and even Windows2003.
The exploit uses port 135 as its attack vector with the exploitable component
being Microsoft RPC.
This vulnerability should be considered "Critical" since it yields "SYSTEM"
privileges on the victim machine. Microsoft have issued an advisory and a patch
is available from them at the following location :
http://www.microsoft.com/security/security_bulletins/ms03-026.asp
The possible workarounds for the problem until the patch is applied are to :
[a] Firewall off access to port 135
[b] Disable DCOM on the server (Using Dcomcnfg.exe)
While no exploit code for this vulnerability is currently reported in the wild,
the problem is acknowledged by Microsoft to be exploitable, meaning that Proof of
Concept exploits (and possibly worms) will not be a long time coming.
Full details on the exploit can be found at http://lsd-pl.net/special.html.
Sincerely.
=======================================================
SensePost Research research(a)sensepost.com
http://www.sensepost.com (tel) +27 12 667 4737
=======================================================
----- End forwarded message -----
-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
At the nznog meeting in Auckland last week I said I'd give details of
how to apply for a connection once the new web pages were available and
so here they are:
http://www.citylink.co.nz/cgi-bin/wixape.pl?tmpl=ape.tmpl
http://www.citylink.co.nz/cgi-bin/wixape.pl?tmpl=wix.tmpl
You may also find the two Looking Glass pages, that give a view of what
is happening on the APE and WIX route servers, useful:
http://www.wix.net.nz/cgi-bin/mrlg-ape.cgi
http://www.wix.net.nz/cgi-bin/mrlg-wix.cgi
As mentioned by Joe, Cisco has just announced a vulnerability that
affects all versions of IOS, on any device, switches and routers.
In the first instance, it is important to note that there are currently
NO known exploitations of this vulnerability, and we are announcing it
after building and preparing the appropriate fixes for all current
platforms.
Fixes have been made available regardless of whether your routers are
under a maintenance support contract or not. The following URL also
defines how to build Access-lists that can protect you from this
vulnerability.
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
Do not panic, if you need more detail, feel free to give me a ring. If
you can find an opportunity we would recommend an upgrade, but this is
out of caution rather than need.
Hope this helps to clarify the situation
Arron Scott
Cisco NZ
***********************************************************************
Arron Scott (CCIE #4099) Phone: +64-9-3551951
Systems Engineer Mobile: +64-21-883163
Cisco New Zealand mailto:ascott(a)cisco.com
http://www.cisco.com
***********************************************************************
forwarded from cisco, not from any other source
Begin forwarded message:
> From: Scott McGrath <mcgrath(a)fas.harvard.edu>
> Date: Wed Jul 16, 2003 23:02:37 Canada/Eastern
> To: nanog(a)merit.edu
> Subject: IOS Vulnerability
>
>
>
> For full details about the vulnerability see
>
> http://www.cisco.com/en/US/products/hw/routers/ps341/
> products_security_advisory09186a00801a34c2.shtml
>
> Scott C. McGrath
>
Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
by Cisco Systems Product Security Incident Response Team 16 Jul '03
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
Revision 1.0
============
For Public Release 2003 July 17 at 0:00 UTC (GMT)
- --------------------------------------------------------------------------
Please provide your feedback on this document.
- --------------------------------------------------------------------------
Contents
========
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: INTERIM
Distribution
Revision History
Cisco Security Procedures
- --------------------------------------------------------------------------
Summary
=======
Cisco routers and switches running Cisco IOS® software and configured to
process Internet Protocol version 4 (IPv4) packets are vulnerable to a
Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets
sent directly to the device may cause the input interface to stop
processing traffic once the input queue is full. No authentication is
required to process the inbound packet. Processing of IPv4 packets is
enabled by default. Devices running only IP version 6 (IPv6) are not
affected. A workaround is available.
Cisco has made software available, free of charge, to correct the problem.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.
Affected Products
=================
This issue affects all Cisco devices running Cisco IOS software and
configured to process Internet Protocol version 4 (IPv4) packets. Cisco
devices which do not run Cisco IOS software are not affected. Devices which
run only Internet Protocol version 6 (IPv6) are not affected.
Details
=======
Cisco routers are configured to process and accept Internet Protocol
version 4 (IPv4) packets by default. A rare, specially crafted sequence of
IPv4 packets which is handled by the processor on a Cisco IOS device may
force the device to incorrectly flag the input queue on an interface as
full, which will cause the router to stop processing inbound traffic on
that interface. This can cause routing protocols to drop due to dead
timers.
On Ethernet interfaces, Address Resolution Protocol (ARP) times out after a
default time of four hours, and no traffic can be processed. The device
must be rebooted to clear the input queue on the interface, and will not
reload without user intervention. The attack may be repeated on all
interfaces causing the router to be remotely inaccessible. A workaround is
available, and is documented in the Workarounds section.
The following two Cisco vulnerabilities are documented in DDTS. CSCea02355
(registered customers only) affects all Cisco routers running Cisco IOS
software. CSCdz71127 (registered customers only) was introduced by an
earlier code revision. Any version of software which has the fix for
CSCdx02283 (registered customers only) is vulnerable.
Registered customers can find more details using the Bug Toolkit at
http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl (registered
customers only).
To identify a blocked input interface, use the show interfaces command and
look for the Input Queue line. If the current size (in this case, 76) is
larger than the maximum size (75), the input queue is blocked.
Router#show interface ethernet 0/0
Ethernet0/0 is up, line protocol is up
Hardware is AmdP2, address is 0050.500e.f1e0 (bia 0050.500e.f1e0)
Internet address is 172.16.1.9/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set, keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:41, output 00:00:07, output hang never
Last clearing of "show interface" counters 00:07:18
Input queue: 76/75/1091/0 (size/max/drops/flushes); Total output drops: 0
^^^^^^^^^^^^^^^^^^ ---> blocked
Impact
======
A device receiving these specifically crafted IPv4 packets will force the
inbound interface to stop processing traffic. The device may stop
processing packets destined to the router, including routing protocol
packets and ARP packets. No alarms will be triggered, nor will the router
reload to correct itself. This issue can affect all Cisco devices running
Cisco IOS software. This vulnerability may be exercised repeatedly
resulting in loss of availability until a workaround has been applied or
the device has been upgraded to a fixed version of code.
Software Versions and Fixes
===========================
Each row of the table describes a release train and the platforms or
products for which it is intended. If a given release train is vulnerable,
then the earliest possible releases that contain the fix and the
anticipated date of availability for each are listed in the Rebuild,
Interim, and Maintenance columns. In some cases, no rebuild of a particular
release is planned; this is marked with the label "Not scheduled." A device
running any release in the given train that is earlier than the release in
a specific column (less than the earliest fixed release) is known to be
vulnerable, and it should be upgraded at least to the indicated release or
a later version (greater than the earliest fixed release label).
When selecting a release, keep in mind the following definitions:
* Maintenance
Most heavily tested and highly recommended release of any label in a
given row of the table.
* Rebuild
Constructed from the previous maintenance or major release in the same
train, it contains the fix for a specific vulnerability. Although it
receives less testing, it contains only the minimal changes necessary
to effect the repair. Cisco has made available several rebuilds of
mainline trains to address this vulnerability, but strongly recommends
running only the latest maintenance release on mainline trains.
* Interim
Built at regular intervals between maintenance releases and receives
less testing. Interims should be selected only if there is no other
suitable release that addresses the vulnerability, and interim images
should be upgraded to the next available maintenance release as soon as
possible. Interim releases are not available through manufacturing, and
usually they are not available for customer download from CCO without
prior arrangement with the Cisco Technical Assistance Center (TAC).
In all cases, customers should exercise caution to be certain the devices
to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco TAC for
assistance, as shown in the section following this table.
+------------------------------------------------------------------------+
|Train |Description of |Availability of Fixed Releases |
| |Image or Platform| |
|------------------------+-----------------------------------------------+
| 11.x based releases | Rebuild |Interim| Maintenance |
|------------------------+-------------+-------+-------------------------+
|11.1CA| |11.1(36)CA4**| | |
|------+-----------------+-------------+-------+-------------------------+
|11.2 | |11.2(26e)** | | |
|------+-----------------+-------------+-------+-------------------------+
|11.2P | |11.2(26)P5** | | |
|------+-----------------+-----------------------------------------------+
|11.3 | |Not scheduled |
|------+-----------------+-----------------------------------------------+
|11.3T | |Not scheduled |
|------------------------+-----------------------------------------------+
|12.0 based releases |Rebuild |Interim|Maintenance |
|------------------------+-------------+-------+-------------------------+
| |General | | | |
|12.0 |Deployment | | |12.0(26) |
| |release for all | | | |
| |platforms | | | |
|------+-----------------+-----------------------------------------------+
|12.0DA|xDSL support: |Migrate to 12.2DA; 12.2(10)DA2 - Aug-15-2003, |
| |6100, 6200 |12.2(12)DA3 - Aug-22-2003: Engineering |
| | |Specials available on request. |
|------+-----------------+-----------------------------------------------+
|12.0DB|Early Deployment |Migrate to 12.3(1a) |
| |6400 UAC for NSP | |
|------+-----------------+-----------------------------------------------+
|12.0DC|Early Deployment |Migrate to 12.3(1a) |
| |6400 UAC for NRP | |
|------+-----------------+-----------------------------------------------+
| | |12.0(24)S2 | | |
| | |12.0(23)S3 | | |
| | |12.0(22)S5 | | |
| | |12.0(21)S7 | | |
| | |12.0(19)S4 | | |
| |Core/ISP support:|12.0(18)S7 | | |
|12.0S |GSR, RSP, c7200, |12.0(17)S7 | |12.0(25)S |
| |c10k |12.0(16)S10 | | |
| | |12.0(15)S7 | | |
| | |12.0(14)S8 | | |
| | |12.0(13)S8 | | |
| | |12.0(12)S4 | | |
| | |12.0(10)S8 | | |
|------+-----------------+-----------------------------------------------+
|12.0SC|Cable/broadband |Migrate to 12.1(19)EC |
| |ISP: ubr7200 | |
|------+-----------------+-----------------------------------------------+
|12.0SL|100000 ESR:c10k |Migrate to 12.0(23)S3, **12.0(17)SL9 - |
| | |Jul-15-2003 |
|------+-----------------+-----------------------------------------------+
|12.0SP|Early Deployment |Migrate to 12.0(22)S5 |
|------+-----------------+-----------------------------------------------+
| |Early Deployment |12.0(21)ST7 | | |
|12.0ST|release for Core/|12.0(20)ST6 | | |
| |ISP support: GSR,|12.0(19)ST6 | | |
| |RSP, c7200 |12.0(17)ST8 | | |
|------+-----------------+-----------------------------------------------+
|12.0SX|Early Deployment |Migrate to 12.0(22)S5 |
|------+-----------------+-----------------------------------------------+
|12.0SY|Early Deployment |Migrate to 12.0(23)S3 |
|------+-----------------+-----------------------------------------------+
|12.0SZ|Early Deployment |Migrate to 12.0(23)S3 |
|------+-----------------+-----------------------------------------------+
|12.0T |Early Deployment |12.0(7)T3** | | |
|------+-----------------+-------------+-------+-------------------------+
| |85xx ls1010 | | |12.0(26)W5(28) |
| |-----------------+-------------+-------+-------------------------+
| |c5atm |12.0(24)W5 | | |
| | |(26a) | | |
| |-----------------+-------------+-------+-------------------------+
| |Cat4232 and |12.0(25)W5 | | |
| |Cat2948G-L3 |(27) | | |
|12.0W5|-----------------+-------------+-------+-------------------------+
| |C6MSM,C5rsfc, |Engineering | | |
| |C5rsm, |Special | | |
| | |available on | | |
| | |request | | |
| |-----------------+-------------+-------+-------------------------+
| |C3620, C3640, | | | |
| |C4500, C7200, RSP| | | |
|------+-----------------+-------------+-------+-------------------------+
|12.0WC|Early deployment |12.0(05)WC8 | | |
| |2900XL-LRE,2900XL| | | |
| |/3500XL; 2950 | | | |
| |release | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.0WT|Early deployment |Engineering | | |
| |Catalyst |Special | | |
| |switches: |Available | | |
| |cat4840g, |upon request | | |
|------+-----------------+-----------------------------------------------+
|12.0X |Short lived Early|All 12.0X(any letter) releases have migrated to|
|(l) |Deployment |either 12.0T or 12.1 unless otherwise |
| |Releases |documented in the X release technical notes |
| | |pertaining to the specific release. Please |
| | |check migration paths for all 12.0X releases. |
|------------------------+-----------------------------------------------+
|12.1 based releases |Rebuild |Interim|Maintenance |
|------------------------+-------------+-------+-------------------------+
| |General | | | |
|12.1 |Deployment | |12.1 |12.1(19) |
| |release for all | |(18.4) | |
| |platforms | | | |
|------+-----------------+-----------------------------------------------+
|12.1AA| |Migrate to 12.2 |
|------+-----------------+-----------------------------------------------+
|12.1AX|Catalyst 3750 |12.1(14)EA1 -| | |
| | |Engineering | | |
| | |special | | |
| | |available | | |
| | |upon request | | |
|------+-----------------+-------------+-------+-------------------------+
|12.1AY|Catalyst 2940 | | |12.1(13)AY |
|------+-----------------+-----------------------------------------------+
|12.1DA|6160 platform |Migrate to 12.2DA |
|------+-----------------+-----------------------------------------------+
|12.1DB|6400 UAC |Migrate to 12.3(1a) |
|------+-----------------+-----------------------------------------------+
|12.1DC|6400 UAC |Migrate to 12.3(1a) |
|------+-----------------+-----------------------------------------------+
|12.1E |Core Enterprise |12.1(8b)E14 | |12.1(19)E |
| |support - c7200, |12.1(13)E7 | | |
| |Catalyst 6000, |12.1(14)E4 | | |
| |RSP |**12.1(12c)E7| | |
| | |12.1(11b)E12-| | |
| | |Aug-4-2003 | | |
| | |12.1(6)E12 | | |
|------+-----------------+-----------------------------------------------+
|12.1EA|12.1(4)EA |Migrate to 12.1(13)EA1c |
| |12.1(6)EA | |
| |12.1(8)EA | |
| |12.1(9)EA | |
| |12.1(11)EA | |
| |-----------------+-----------------------------------------------+
| |12.1(12c)EA |12.1(13)EA1c | | |
| |12.1(13)EA | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.1EB|LS1010 | | |12.1(14)EB |
|------+-----------------+-------------+-------+-------------------------+
|12.1EC|Early Deployment | | |12.1(19)EC (scheduled |
| | | | |last week of July) |
|------+-----------------+-------------+-------+-------------------------+
|12.1EV|Early Deployment | | |12.1(12c)EV |
|------+-----------------+-------------+-------+-------------------------+
|12.1EW|Early Deployment | | |12.1(13)EW,12.1(19)EW |
| |Cat4000 L3 | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.1EX|Early deployment |12.1(13)EX2 | | |
|------+-----------------+-------------+-------+-------------------------+
|12.1EY| | |12.1(14)E4 | | |
|------+--+--------------+-------------+-------+-------------------------+
|12.1YJ| | |12.1(14)EA1 -| | |
| | | |Jul-28-2003 | | |
|------+-----------------+-------------+-------+-------------------------+
|12.1T |Early deployment |12.1(5)T15** | | |
|------+-----------------------------------------------------------------+
|12.1X |12.1X releases generally migrate to 12.1T, 12.2 or 12.2T as |
|(l) |specified below. Please refer to specific train Technical notes |
| |for documented migration path. |
|------+-----------------------------------------------------------------+
|12.1XA|Short lived Early|Migrate to 12.1(5)T15 |
| |Deployment | |
| |Release | |
|------+-----------------+-----------------------------------------------+
|12.1XC|Short lived Early|Migrate to 12.2(17) |
|12.1XD|Deployment | |
|12.1XH|Releases | |
|12.1XI| | |
|------+-----------------+-----------------------------------------------+
|12.1XB|Short lived Early|Migrate to 12.2(15)T5 |
|12.1XF|Deployment | |
|12.1XG|Releases | |
|12.1XJ| | |
|12.1XL| | |
|12.1XP| | |
|12.1XR| | |
|12.1XT| | |
|12.1YB| | |
|12.1YC| | |
|12.1YD| | |
|12.1YH| | |
|------+-----------------+-----------------------------------------------+
|12.1XM|Short lived Early|Migrate to 12.2(2)XB11 |
|12.1XQ|Deployment | |
|12.1XV|Releases | |
|------+-----------------+-----------------------------------------------+
|12.1XU|Short lived Early|Migrate to 12.2(4)T6 |
| |Deployment | |
| |Release | |
|------+-----------------+-----------------------------------------------+
|12.1YE|Short lived Early|Migrate to 12.2(2)YC |
|12.1YF|Deployment | |
|12.1YI|Release | |
|------------------------+-----------------------------------------------+
|12.2 based releases |Rebuild |Interim|Maintenance |
|------------------------+-------------+-------+-------------------------+
| |General |12.2(16a) | | |
|12.2 |Deployment (GD) |12.2(12e) | |12.2(17) |
| |candidate for all|12.2(10d) | | |
| |platforms | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2B |12.2(2)B-12.2(4) |12.3(1a) | | |
| |B7 | | | |
| |-----------------+-------------+-------+-------------------------+
| |12.2(4)B8-12.2 |12.2(16)B1 | | |
| |(16)B | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2BC|Early Deployment |12.2(15)BC1 | | |
| |Release |(Scheduled | | |
| | |end of July) | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2BW|Early Deployment |Migrate to | | |
| |for use with |12.3(1a) | | |
| |7200, 7400, and | | | |
| |7411 platforms | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2BX|Broadband/Leased | | |12.2(16)BX |
| |line | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2BZ|Early Deployment |12.2(15)BZ1 | | |
| |Release | | | |
|------+-----------------+-----------------------------------------------+
|12.2CX|Early Deployment |Migrate to 12.1(15)BC1 |
| |Release | |
|------+-----------------+-----------------------------------------------+
|12.2CY|Early Deployment |Migrate to 12.1(15)BC1 |
| |Release | |
|------+-----------------+-----------------------------------------------+
|12.2DA|Early Deployment |12.2(10)DA2 -| | |
| |Release |Jul-15-2003 | | |
| | |12.2(12)DA3 -| | |
| | |Aug-22-2003 | | |
|      |                 |Engineering  |       |                         |
| | |Special | | |
| | |available on | | |
| | |request | | |
|------+-----------------+-----------------------------------------------+
|12.2DD|Early Deployment |Migrate to 12.3(1a) |
| |Release | |
|------+-----------------+-----------------------------------------------+
|12.2DX|Early Deployment |Migrate to 12.3(1a) |
| |Release | |
|------+-----------------+-----------------------------------------------+
|12.2JA|Cisco Aironet | | |12.2(11)JA |
| |hardware | | | |
| |platforms: | | | |
| |Introduction of | | | |
| |Access Point | | | |
| |feature in IOS, | | | |
| |Cisco 1100 Series| | | |
| |Access Point | | | |
| |(802.11b) | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2MB|Specific |12.2(4)MB12 | | |
| |Technology ED for| | | |
| |2600 7500 (GPRS/ | | | |
| |PDSN/GGSN | | | |
| |2600/7200/7500) | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2MC|Early Deployment:|12.2(13)MC1 | | |
| |IP RAN |CCO: 7/24/03 | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2MX| |12.2(8)YD | | |
| | | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2S |Core/ISP support:|12.2(14)S1 |12.2 | |
| |GSR, RSP, c7200 | |(16.5)S| |
|------+-----------------+-------------+-------+-------------------------+
|12.2SX|IOS Support for |12.2(14)SX1 | | |
| |C6500 Supervisor | | | |
| |3 | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2SY|VPN feature |12.2(14)SY1, | | |
| |release for c6k/ |12.2(8)YD | | |
| |76xx VPN service | | | |
| |module. | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2SZ|7304 Platform |12.2(14)SZ2 | | |
|------+-----------------+-------------+-------+-------------------------+
| | |12.2(15)T4/ | |No more maintenance |
| |New Technology |5,12.2(13)T5,| |trains for 12.2T are |
|12.2T |Early Deployment |12.2(11) |12.2 |planned, please migrate |
| |(ED) release for |T9,12.2(8) |(16.5)T|to latest 12.3 Mainline |
| |all platforms |T10, | |release. |
| | |12.2(4)T6 | | |
|------+-----------------+-----------------------------------------------+
|12.2X |Short lived Early|Many short lived releases migrate to the same |
|(l) |Deployment |train; the trains below this point until the |
|12.2Y |Releases - |following section are not grouped by strict |
|(l) | |alphabetical order, but are grouped by |
| | |migration path. Please review documented |
| | |migration paths for your trains. |
|------+-----------------+-----------------------------------------------+
|12.2XA|Short lived Early|Migrate to 12.2(11)T9 |
| |Deployment | |
| |Releases | |
|------+-----------------+-----------------------------------------------+
|12.2XS| |12.2(2)XB11 |
|------+-----------------+-----------------------------------------------+
|12.2XD|Short lived Early|Migrate to 12.2(15)T5 |
|12.2XE|Deployment | |
|12.2XH|Releases | |
|12.2XI| | |
|12.2XJ| | |
|12.2XK| | |
|12.2XL| | |
|12.2XM| | |
|12.2XQ| | |
|12.2XU| | |
|12.2XW| | |
|12.2YA| | |
|12.2YB| | |
|12.2YC| | |
|12.2YF| | |
|12.2YG| | |
|12.2YH| | |
|12.2YJ| | |
|12.2YT| | |
|------+-----------------+-----------------------------------------------+
| |Short lived Early| |
|12.2YN|Deployment |Migrate to 12.2(13)ZH |
| |Releases | |
|------+-----------------+-----------------------------------------------+
| |Short lived Early|Migrate to 12.2(14)SY1 available Aug-4-2003: |
|12.2YO|Deployment |Engineering Special available on request |
| |Releases | |
|------+-----------------+-----------------------------------------------+
| |Early Deployment | | | |
|12.2XB|Release with |12.2(2)XB11 | | |
| |continuing | | | |
| |support | | | |
|------+-----------------+-----------------------------------------------+
|12.2XC|Short lived Early|Migrate to 12.2(16)B1 |
| |Deployment | |
| |Releases | |
|------+-----------------+-----------------------------------------------+
|12.2XF|Short lived Early|Migrate to 12.2(15)BC1 |
| |Deployment | |
| |Release UBR10000 | |
|------+-----------------+-----------------------------------------------+
|12.2XG|Short lived Early|Migrate to 12.2(8)T10 |
| |Deployment | |
| |Release | |
|------+-----------------+-----------------------------------------------+
|12.2XN|Short lived Early|Migrate to 12.2(11)T9 |
|12.2XT|Deployment | |
| |Releases | |
|------+-----------------+-----------------------------------------------+
|12.2YD|Short lived Early|Migrate to 12.2(8)YY |
| |Deployment | |
| |Release | |
|------+-----------------+-----------------------------------------------+
| |Short lived Early| | | |
|12.2YP|Deployment |**12.2(11)YP1| | |
| |Release | | | |
|------+-----------------+-----------------------------------------------+
|12.2YK| |Migrate to 12.2(13)ZC |
|------+-----------------+-----------------------------------------------+
|12.2YL|Short lived Early|Migrate to 12.2(13)ZH |
|12.2YM|Deployment | |
|12.2YU|Releases | |
|12.2YV| | |
|------+-----------------+-----------------------------------------------+
|12.2YQ|Short lived Early|Migrate to 12.2(15)ZL |
|12.2YR|Deployment | |
| |Releases | |
|------+-----------------+-----------------------------------------------+
|12.2YS|Short lived Early|12.2(15)YS/ | | |
| |Deployment |1.2(1) | | |
| |Release | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2YW|Short lived Early|12.2(8)YW2 | | |
| |Deployment | | | |
| |Releases | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2YX|Short lived Early|12.2(11)YX1 | | |
| |Deployment | | | |
| |Release | | | |
| |Crypto for 7100/ | | | |
| |7200 | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2YY|Short lived Early|12.2(8)YY3 | | |
| |Deployment | | | |
| |Releases | | | |
| |IOS support for | | | |
| |General Packet | | | |
| |Radio Service | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2YZ|Short lived Early|12.2(11)YZ2 | | |
| |Deployment | | | |
| |Release | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2ZA|Short lived Early| | |12.2(14)ZA2 |
| |Deployment | | | |
| |Release | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2ZB|Short lived Early|12.2(8)ZB7 | | |
| |Deployment | | | |
| |Release | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2ZC|Short lived Early| | |12.2(13)ZC |
| |Deployment | | | |
| |Release | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2ZD|Short lived Early|Not Scheduled| | |
| |Deployment | | | |
| |Release | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2ZE|Short lived Early|12.3(1a) | | |
| |Deployment | | | |
| |Release | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2ZF|Short lived Early|Not | | |
| |Deployment |Vulnerable | | |
| |Release | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2ZG|Short lived Early|Not | | |
| |Deployment |Vulnerable | | |
| |Release | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2ZH|Short lived Early|Not | | |
| |Deployment |Vulnerable | | |
| |Release | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2ZJ|Short lived Early|12.2(15)ZJ1 | | |
| |Deployment | | | |
| |Release | | | |
|------+-----------------+-------------+-------+-------------------------+
|12.2ZL|Short lived Early|Not | | |
| |Deployment |Vulnerable | | |
| |Release | | | |
|------------------------+-----------------------------------------------+
|12.3 based releases |NOT VULNERABLE |
|------------------------------------------------------------------------+
|Notes: **Marked versions of code are not available on CCO. Please |
|contact TAC and request the specific images you need posted. |
+------------------------------------------------------------------------+
Obtaining Fixed Software
========================
Customers with contracts should obtain upgraded software free of charge
through their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on the Cisco
worldwide website at
http://www.cisco.com/tacpage/sw-center/sw-ios.html.
Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with obtaining the free software
upgrade(s).
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors but
are unsuccessful at obtaining fixed software through their point of sale
should get their upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades for
non-contract customers must be requested through the TAC.
Please do not contact either "psirt(a)cisco.com" or
"security-alert(a)cisco.com" for software upgrades.
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized telephone
numbers, instructions, and e-mail addresses for use in various languages.
Workarounds
===========
AFTER APPLYING THE WORKAROUND, the input queue depth may be raised with the
interface configuration command hold-queue <new value> in (the default
size is 75). This allows traffic to flow on the interface until the device
can be reloaded.
Cisco recommends that all IOS devices which process IPv4 packets be
configured to block traffic directed to the router from any unauthorized
source with the use of Access Control Lists (ACLs). This can be done at
multiple locations, and it is recommended that you review all methods and
use the combination which fits your network best. Legitimate traffic is
defined as management protocols such as telnet, snmp or ssh, and configured
routing protocols from explicitly allowed peers. All other traffic destined
to the device should be blocked at the input interface. Traffic entering
the network should also be carefully evaluated and filtered at the network
edge if destined to an infrastructure device. Although network service
providers must often allow unknown traffic to transit their network, it is
not necessary to allow that same traffic destined to their network
infrastructure. Several white papers have been written to assist in
deploying these recommended security best practices.
ACLs can have performance impact on certain platforms, so care should be
taken when applying the recommended workarounds.
Receive ACLs
For distributed platforms, receive path access lists may be an option
starting in Cisco IOS software versions 12.0(21)S2 for the c12000 and
12.0(24)S for the c7500. The receive access lists protect the device from
harmful traffic before the traffic can impact the route processor. The CPU
load is distributed to the line card processors and helps mitigate load on
the main route processor. The white paper entitled "GSR: Receive Access
Control Lists" will help you identify and allow legitimate traffic to your
device and deny all unwanted packets:
http://www.cisco.com/warp/customer/707/racl.html
Infrastructure ACLs
Although it is often difficult to block traffic transiting your network, it
is possible to identify traffic which should never be allowed to target
your infrastructure devices and block that traffic at the border of your
network. The white paper entitled "GSR: Receive Access Control Lists"
presents guidelines and recommended deployment techniques for
infrastructure protection ACLs:
http://www.cisco.com/warp/customer/707/iacl.html
Transit ACLs
The two techniques described above protect infrastructure devices. An IP
protocol ACL can also be used to filter transit traffic passing through a
network. That ACL will need to permit all protocols used by end users, not
just those destined to routers. Since end users can run a wide array of
protocols, often unexpected or uncommon ones, these protocol requirements
must be well understood prior to deploying this ACL. The list provided
below is not a complete list of permissible protocols. This access-list is
applied inbound on edge-facing interfaces. For complete protection this
access-list needs to be implemented on the edge router.
For basic TCP, UDP and ICMP, the following ACL will provide protection:
access-list 101 permit tcp any any
access-list 101 permit udp any any
!! GRE tunnel if required
access-list 101 permit gre any any
!! IPSec ESP if required
access-list 101 permit esp any any
!! IPSec AH if required
access-list 101 permit ah any any
access-list 101 permit icmp any any
access-list 101 deny ip any any
The last statement of the Transit ACL should be a deny any any for IP
traffic. Prior to deploying ACLs that filter transit traffic, a
classification ACL can be used to help identify required permit statements.
A classification ACL is an ACL that permits a series of protocols.
Displaying access-list entry hit counters helps determine required
protocols: entries with zero packets counted are likely not required.
Classification access-lists are detailed in the above link for
infrastructure access-lists.
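As an added example, not part of the Cisco advisory, the following Python script reads the hit counters from a show access-lists listing of the transit ACL above, reports permit entries that have never matched (which the advisory says are likely not required) and checks that the list ends with the deny ip any any entry. The listing and its counter values are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of "show access-lists 101" output for the transit ACL
# given in the advisory. Counter values are made up; IOS prints no
# "(N matches)" suffix for an entry that has never matched.
SAMPLE_OUTPUT = """\
Extended IP access list 101
    10 permit tcp any any (1834572 matches)
    20 permit udp any any (99231 matches)
    30 permit gre any any
    40 permit esp any any (4410 matches)
    50 permit ah any any
    60 permit icmp any any (2211 matches)
    70 deny ip any any (37 matches)
"""

ENTRY_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<rest>.*?)(?:\s+\((?P<hits>\d+) match(?:es)?\))?\s*$"
)

@dataclass
class AclEntry:
    seq: int
    action: str
    proto: str
    rest: str   # source/destination part, e.g. "any any"
    hits: int

def parse_acl(output: str) -> list:
    """Parse the entry lines of one 'show access-lists' block; skip the header."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(AclEntry(int(m["seq"]), m["action"], m["proto"],
                                    m["rest"].strip(), int(m["hits"] or 0)))
    return entries

def unused_permits(entries):
    """Permit entries with a zero counter: per the advisory, likely not required."""
    return [e for e in entries if e.action == "permit" and e.hits == 0]

def ends_with_deny_ip_any(entries):
    """True when the last entry is the 'deny ip any any' the advisory requires."""
    if not entries:
        return False
    last = entries[-1]
    return (last.action, last.proto, last.rest) == ("deny", "ip", "any any")

def review(output: str) -> dict:
    """Summarise what the hit counters say about the deployed transit ACL."""
    entries = parse_acl(output)
    final_ok = ends_with_deny_ip_any(entries)
    return {
        "unused_permits": [e.proto for e in unused_permits(entries)],
        "final_deny_ok": final_ok,
        "dropped_by_final_deny": entries[-1].hits if final_ok else None,
    }
```

Feed it the output of show access-lists 101 captured from an edge router after the ACL has been in place long enough to see representative traffic; a zero-hit permit is a candidate for removal only after that observation period.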
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious use
of the vulnerabilities described in this advisory. If PSIRT becomes aware
of any sign of public announcement of the crafted packet, or there is any
sign of exploitation of this vulnerability, a follow-up announcement will
be sent to our standard distribution list immediately with further details
to assist network administrators in mitigation.
Status of This Notice: INTERIM
======================
This is an INTERIM notice. Although Cisco cannot guarantee the accuracy of
all statements in this notice, all of the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Cisco will update this
advisory.
Distribution
============
This notice will be posted on the Cisco worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml at
21:00 GMT on July 17th, 2003. In addition to worldwide web posting, a text
version of this notice is clear-signed with the Cisco PSIRT PGP key and will
be posted to the following e-mail and Usenet news recipients at the public
release date and time:
* cust-security-announce(a)cisco.com
* bugtraq(a)securityfocus.com
* full-disclosure(a)lists.netsys.com
* first-teams(a)first.org (includes CERT/CC)
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* nanog(a)merit.edu
* sanog(a)sanog.org
* comp.dcom.sys.cisco
* Various internal Cisco mailing lists
Future updates of this advisory, if any, will be placed on the Cisco
worldwide web server. Users concerned about this problem are encouraged to
check the URL given above for any updates.
Revision History
================
+-------------------------------------------+
| Revision | 17-July-2003 | Initial public |
| 1.0 | 0:00 GMT | release |
+-------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on the Cisco
worldwide website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security notices.
All Cisco Security Advisories are available at
http://www.cisco.com/go/psirt.
- --------------------------------------------------------------------------
This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, and include
all date and version information.
- --------------------------------------------------------------------------
All contents are Copyright © 1992-2003 Cisco Systems, Inc. All rights
reserved. Important Notices and Privacy Statement.