-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet Revision 1.0 ============ For Public Release 2003 July 17 at 0:00 UTC (GMT) - -------------------------------------------------------------------------- Please provide your feedback on this document. - -------------------------------------------------------------------------- Contents ======== Summary Affected Products Details Impact Software Versions and Fixes Obtaining Fixed Software Workarounds Exploitation and Public Announcements Status of This Notice: INTERIM Distribution Revision History Cisco Security Procedures - -------------------------------------------------------------------------- Summary ======= Cisco routers and switches running Cisco IOS® software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets sent directly to the device may cause the input interface to stop processing traffic once the input queue is full. No authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not affected. A workaround is available. Cisco has made software available, free of charge, to correct the problem. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml. Affected Products ================= This issue affects all Cisco devices running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets. Cisco devices which do not run Cisco IOS software are not affected. Devices which run only Internet Protocol version 6 (IPv6) are not affected. Details ======= Cisco routers are configured to process and accept Internet Protocol version 4 (IPv4) packets by default. A rare, specially crafted sequence of IPv4 packets which is handled by the processor on a Cisco IOS device may force the device to incorrectly flag the input queue on an interface as full, which will cause the router to stop processing inbound traffic on that interface. This can cause routing protocols to drop due to dead timers. On Ethernet interfaces, Address Resolution Protocol (ARP) times out after a default time of four hours, and no traffic can be processed. The device must be rebooted to clear the input queue on the interface, and will not reload without user intervention. The attack may be repeated on all interfaces causing the router to be remotely inaccessible. A workaround is available, and is documented in the Workarounds section. The following two Cisco vulnerabilities are documented in DDTS. CSCea02355 ( registered customers only) affects all Cisco routers running Cisco IOS software. CSCdz71127 ( registered customers only) was introduced by an earlier code revision. Any version of software which has the fix for CSCdx02283 ( registered customers only) is vulnerable. Registered customers can find more details using the Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl ( registered customers only) . To identify a blocked input interface, use the show interfaces command and look for the Input Queue line. If the current size (in this case, 76) is larger than the maximum size (75), the input queue is blocked. Router#show interface ethernet 0/0 Ethernet0/0 is up, line protocol is up Hardware is AmdP2, address is 0050.500e.f1e0 (bia 0050.500e.f1e0) Internet address is 172.16.1.9/24 MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255 Encapsulation ARPA, loopback not set, keepalive set (10 sec) ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:41, output 00:00:07, output hang never Last clearing of "show interface" counters 00:07:18 Input queue: 76/75/1091/0 (size/max/drops/flushes); Total output drops: 0 ^^^^^^^^^^^^^^ ---> blocked Impact ====== A device receiving these specifically crafted IPv4 packets will force the inbound interface to stop processing traffic. The device may stop processing packets destined to the router, including routing protocol packets and ARP packets. No alarms will be triggered, nor will the router reload to correct itself. This issue can affect all Cisco devices running Cisco IOS software. This vulnerability may be exercised repeatedly resulting in loss of availability until a workaround has been applied or the device has been upgraded to a fixed version of code. Software Versions and Fixes =========================== Each row of the table describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix and the anticipated date of availability for each are listed in the Rebuild, Interim, and Maintenance columns. In some cases, no rebuild of a particular release is planned; this is marked with the label "Not scheduled." A device running any release in the given train that is earlier than the release in a specific column (less than the earliest fixed release) is known to be vulnerable, and it should be upgraded at least to the indicated release or a later version (greater than the earliest fixed release label). When selecting a release, keep in mind the following definitions: * Maintenance Most heavily tested and highly recommended release of any label in a given row of the table. * Rebuild Constructed from the previous maintenance or major release in the same train, it contains the fix for a specific vulnerability. Although it receives less testing, it contains only the minimal changes necessary to effect the repair. Cisco has made available several rebuilds of mainline trains to address this vulnerability, but strongly recommends running only the latest maintenance release on mainline trains. * Interim Built at regular intervals between maintenance releases and receives less testing. Interims should be selected only if there is no other suitable release that addresses the vulnerability, and interim images should be upgraded to the next available maintenance release as soon as possible. Interim releases are not available through manufacturing, and usually they are not available for customer download from CCO without prior arrangement with the Cisco Technical Assistance Center (TAC). In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco TAC for assistance, as shown in the section following this table. +------------------------------------------------------------------------+ |Train |Description of |Availability of Fixed Releases | | |Image or Platform| | |------------------------+-----------------------------------------------+ | 11.x based releases | Rebuild |Interim| Maintenance | |------------------------+-------------+-------+-------------------------+ |11.1CA| |11.1(36)CA4**| | | |------+-----------------+-------------+-------+-------------------------+ |11.2 | |11.2(26e)** | | | |------+-----------------+-------------+-------+-------------------------+ |11.2P | |11.2(26)P5** | | | |------+-----------------+-----------------------------------------------+ |11.3 | |Not scheduled | |------+-----------------+-----------------------------------------------+ |11.3T | |Not scheduled | |------------------------+-----------------------------------------------+ |12.0 based releases |Rebuild |Interim|Maintenance | |------------------------+-------------+-------+-------------------------+ | |General | | | | |12.0 |Deployment | | |12.0(26) | | |release for all | | | | | |platforms | | | | |------+-----------------+-----------------------------------------------+ |12.0DA|xDSL support: |Migrate to 12.2DA; 12.2(10)DA2 - Aug-15-2003, | | |6100, 6200 |12.2(12)DA3 - Aug-22-2003: Engineering | | | |Specials available on request. | |------+-----------------+-----------------------------------------------+ |12.0DB|Early Deployment |Migrate to 12.3(1a) | | |6400 UAC for NSP | | |------+-----------------+-----------------------------------------------+ |12.0DC|Early Deployment |Migrate to 12.3(1a) | | |6400 UAC for NRP | | |------+-----------------+-----------------------------------------------+ | | |12.0(24)S2 | | | | | |12.0(23)S3 | | | | | |12.0(22)S5 | | | | | |12.0(21)S7 | | | | | |12.0(19)S4 | | | | |Core/ISP support:|12.0(18)S7 | | | |12.0S |GSR, RSP, c7200, |12.0(17)S7 | |12.0(25)S | | |c10k |12.0(16)S10 | | | | | |12.0(15)S7 | | | | | |12.0(14)S8 | | | | | |12.0(13)S8 | | | | | |12.0(12)S4 | | | | | |12.0(10)S8 | | | |------+-----------------+-----------------------------------------------+ |12.0SC|Cable/broadband |Migrate to 12.1(19)EC | | |ISP: ubr7200 | | |------+-----------------+-----------------------------------------------+ |12.0SL|100000 ESR:c10k |Migrate to 12.0(23)S3, **12.0(17)SL9 - | | | |Jul-15-2003 | |------+-----------------+-----------------------------------------------+ |12.0SP|Early Deployment |Migrate to 12.0(22)S5 | |------+-----------------+-----------------------------------------------+ | |Early Deployment |12.0(21)ST7 | | | |12.0ST|release for Core/|12.0(20)ST6 | | | | |ISP support: GSR,|12.0(19)ST6 | | | | |RSP, c7200 |12.0(17)ST8 | | | |------+-----------------+-----------------------------------------------+ |12.0SX|Early Deployment |Migrate to 12.0(22)S5 | |------+-----------------+-----------------------------------------------+ |12.0SY|Early Deployment |Migrate to 12.0(23)S3 | |------+-----------------+-----------------------------------------------+ |12.0SZ|Early Deployment |Migrate to 12.0(23)S3 | |------+-----------------+-----------------------------------------------+ |12.0T |Early Deployment |12.0(7)T3** | | | |------+-----------------+-------------+-------+-------------------------+ | |85xx ls1010 | | |12.0(26)W5(28) | | |-----------------+-------------+-------+-------------------------+ | |c5atm |12.0(24)W5 | | | | | |(26a) | | | | |-----------------+-------------+-------+-------------------------+ | |Cat4232 and |12.0(25)W5 | | | | |Cat2948G-L3 |(27) | | | |12.0W5|-----------------+-------------+-------+-------------------------+ | |C6MSM,C5rsfc, |Engineering | | | | |C5rsm, |Special | | | | | |available on | | | | | |request | | | | |-----------------+-------------+-------+-------------------------+ | |C3620, C3640, | | | | | |C4500, C7200, RSP| | | | |------+-----------------+-------------+-------+-------------------------+ |12.0WC|Early deployment |12.0(05)WC8 | | | | |2900XL-LRE,2900XL| | | | | |/3500XL; 2950 | | | | | |release | | | | |------+-----------------+-------------+-------+-------------------------+ |12.0WT|Early deployment |Engineering | | | | |Catalyst |Special | | | | |switches: |Available | | | | |cat4840g, |upon request | | | |------+-----------------+-----------------------------------------------+ |12.0X |Shortlived Early |All 12.0X(any letter) releases have migrated to| |(l) |Deployment |either 12.0T or 12.1 unless otherwise | | |Releases |documented in the X release technical notes | | | |pertaining to the specific release. Please | | | |check migration paths for all 12.0X releases. | |------------------------+-----------------------------------------------+ |12.1 based releases |Rebuild |Interim|Maintenance | |------------------------+-------------+-------+-------------------------+ | |General | | | | |12.1 |Deployment | |12.1 |12.1(19) | | |release for all | |(18.4) | | | |platforms | | | | |------+-----------------+-----------------------------------------------+ |12.1AA| |Migrate to 12.2 | |------+-----------------+-----------------------------------------------+ |12.1AX|Catalyst 3750 |12.1(14)EA1 -| | | | | |Engineering | | | | | |special | | | | | |available | | | | | |upon request | | | |------+-----------------+-------------+-------+-------------------------+ |12.1AY|Catalyst 2940 | | |12.1(13)AY | |------+-----------------+-----------------------------------------------+ |12.1DA|6160 platform |Migrate to 12.2DA | |------+-----------------+-----------------------------------------------+ |12.1DB|6400 UAC |Migrate to 12.3(1a) | |------+-----------------+-----------------------------------------------+ |12.1DC|6400 UAC |Migrate to 12.3(1a) | |------+-----------------+-----------------------------------------------+ |12.1E |Core Enterprise |12.1(8b)E14 | |12.1(19)E | | |support - c7200, |12.1(13)E7 | | | | |Catalyst 6000, |12.1(14)E4 | | | | |RSP |**12.1(12c)E7| | | | | |12.1(11b)E12-| | | | | |Aug-4-2003 | | | | | |12.1(6)E12 | | | |------+-----------------+-----------------------------------------------+ |12.1EA|12.1(4)EA |Migrate to 12.1(13)EA1c | | |12.1(6)EA | | | |12.1(8)EA | | | |12.1(9)EA | | | |12.1(11)EA | | | |-----------------+-----------------------------------------------+ | |12.1(12c)EA |12.1(13)EA1c | | | | |12.1(13)EA | | | | |------+-----------------+-------------+-------+-------------------------+ |12.1EB|LS1010 | | |12.1(14)EB | |------+-----------------+-------------+-------+-------------------------+ |12.1EC|Early Deployment | | |12.1(19)EC (scheduled | | | | | |last week of July) | |------+-----------------+-------------+-------+-------------------------+ |12.1EV|Early Deployment | | |12.1(12c)EV | |------+-----------------+-------------+-------+-------------------------+ |12.1EW|Early Deployment | | |12.1(13)EW,12.1(19)EW | | |Cat4000 L3 | | | | |------+-----------------+-------------+-------+-------------------------+ |12.1EX|Early deployment |12.1(13)EX2 | | | |------+-----------------+-------------+-------+-------------------------+ |12.1EY| | |12.1(14)E4 | | | |------+--+--------------+-------------+-------+-------------------------+ |12.1YJ| | |12.1(14)EA1 -| | | | | | |Jul-28-2003 | | | |------+-----------------+-------------+-------+-------------------------+ |12.1T |Early deployment |12.1(5)T15** | | | |------+-----------------------------------------------------------------+ |12.1X |12.1X releases generally migrate to 12.1T, 12.2 or 12.2T as | |(l) |specified below. Please refer to specific train Technical notes | | |for documented migration path. | |------+-----------------------------------------------------------------+ |12.1XA|Short lived Early|Migrate to 12.1(5)T15 | | |Deployment | | | |Release | | |------+-----------------+-----------------------------------------------+ |12.1XC|Short lived Early|Migrate to12.2(17) | |12.1XD|Deployment | | |12.1XH|Releases | | |12.1XI| | | |------+-----------------+-----------------------------------------------+ |12.1XB|Short lived Early|Migrate to 12.2(15)T5 | |12.1XF|Deployment | | |12.1XG|Releases | | |12.1XJ| | | |12.1XL| | | |12.1XP| | | |12.1XR| | | |12.1XT| | | |12.1YB| | | |12.1YC| | | |12.1YD| | | |12.1YH| | | |------+-----------------+-----------------------------------------------+ |12.1XM|Short lived Early|Migrate to 12.2(2)XB11 | |12.1XQ|Deployment | | |12.1XV|Releases | | |------+-----------------+-----------------------------------------------+ |12.1XU|Short lived Early|Migrate to 12.2(4)T6 | | |Deployment | | | |Release | | |------+-----------------+-----------------------------------------------+ |12.1YE|Short lived Early|Migrate to 12.2(2)YC | |12.1YF|Deployment | | |12.1YI|Release | | |------------------------+-----------------------------------------------+ |12.2 based releases |Rebuild |Interim|Maintenance | |------------------------+-------------+-------+-------------------------+ | |General |12.2(16a) | | | |12.2 |Deployment (GD) |12.2(12e) | |12.2(17) | | |candidate for all|12.2(10d) | | | | |platforms | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2B |12.2(2)B-12.2(4) |12.3(1a) | | | | |B7 | | | | | |-----------------+-------------+-------+-------------------------+ | |12.2(4)B8-12.2 |12.2(16)B1 | | | | |(16)B | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2BC|Early Deployment |12.2(15)BC1 | | | | |Release |(Scheduled | | | | | |end of July) | | | |------+-----------------+-------------+-------+-------------------------+ |12.2BW|Early Deployment |Migrate to | | | | |for use with |12.3(1a) | | | | |7200, 7400, and | | | | | |7411 platforms | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2BX|Broadband/Leased | | |12.2(16)BX | | |line | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2BZ|Early Deployment |12.2(15)BZ1 | | | | |Release | | | | |------+-----------------+-----------------------------------------------+ |12.2CX|Early Deployment |Migrate to 12.1(15)BC1 | | |Release | | |------+-----------------+-----------------------------------------------+ |12.2CY|Early Deployment |Migrate to 12.1(15)BC1 | | |Release | | |------+-----------------+-----------------------------------------------+ |12.2DA|Early Deployment |12.2(10)DA2 -| | | | |Release |Jul-15-2003 | | | | | |12.2(12)DA3 -| | | | | |Aug-22-2003 | | | | | |Enginering | | | | | |Special | | | | | |available on | | | | | |request | | | |------+-----------------+-----------------------------------------------+ |12.2DD|Early Deployment |Migrate to 12.3(1a) | | |Release | | |------+-----------------+-----------------------------------------------+ |12.2DX|Early Deployment |Migrate to 12.3(1a) | | |Release | | |------+-----------------+-----------------------------------------------+ |12.2JA|Cisco Aironet | | |12.2(11)JA | | |hardware | | | | | |platforms: | | | | | |Introduction of | | | | | |Access Point | | | | | |feature in IOS, | | | | | |Cisco 1100 Series| | | | | |Access Point | | | | | |(802.11b) | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2MB|Specific |12.2(4)MB12 | | | | |Technology ED for| | | | | |2600 7500 (GPRS/ | | | | | |PDSN/GGSN | | | | | |2600/7200/7500) | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2MC|Early Deployment:|12.2(13)MC1 | | | | |IP RAN |CCO: 7/24/03 | | | |------+-----------------+-------------+-------+-------------------------+ |12.2MX| |12.2(8)YD | | | | | | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2S |Core/ISP support:|12.2(14)S1 |12.2 | | | |GSR, RSP, c7200 | |(16.5)S| | |------+-----------------+-------------+-------+-------------------------+ |12.2SX|IOS Support for |12.2(14)SX1 | | | | |C6500 Supervisor | | | | | |3 | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2SY|VPN feature |12.2(14)SY1, | | | | |release for c6k/ |12.2(8)YD | | | | |76xx VPN service | | | | | |module. | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2SZ|7304 Platform |12.2(14)SZ2 | | | |------+-----------------+-------------+-------+-------------------------+ | | |12.2(15)T4/ | |No more maintenance | | |New Technology |5,12.2(13)T5,| |trains for 12.2T are | |12.2T |Early Deployment |12.2(11) |12.2 |planned, please migrate | | |(ED) release for |T9,12.2(8) |(16.5)T|to latest 12.3 Mainline | | |all platforms |T10, | |release. | | | |12.2(4)T6 | | | |------+-----------------+-----------------------------------------------+ |12.2X |Short lived Early|Many short lived releases migrate to the same | |(l) |Deployment |train; the trains below this point until the | |12.2Y |Releases - |following section are not grouped by strict | |(l) | |alphabetical order, but are grouped by | | | |migration path. Please review documented | | | |migration paths for your trains. | |------+-----------------+-----------------------------------------------+ |12.2XA|Short lived Early|Migrate to 12.2(11)T9 | | |Deployment | | | |Releases | | |------+-----------------+-----------------------------------------------+ |12.2XS| |12.2(2)XB11 | |------+-----------------+-----------------------------------------------+ |12.2XD|Short lived Early|Migrate to 12.2(15)T5 | |12.2XE|Deployment | | |12.2XH|Releases | | |12.2XI| | | |12.2XJ| | | |12.2XK| | | |12.2XL| | | |12.2XM| | | |12.2XQ| | | |12.2XU| | | |12.2XW| | | |12.2YA| | | |12.2YB| | | |12.2YC| | | |12.2YF| | | |12.2YG| | | |12.2YH| | | |12.2YJ| | | |12.2YT| | | |------+-----------------+-----------------------------------------------+ | |Short lived Early| | |12.2YN|Deployment |Migrate to 12.2(13)ZH | | |Releases | | |------+-----------------+-----------------------------------------------+ | |Short lived Early|Migrate to 12.2(14)SY1 available Aug-4-2003: | |12.2YO|Deployment |Engineering Special available on request | | |Releases | | |------+-----------------+-----------------------------------------------+ | |Early Deployment | | | | |12.2XB|Release with |12.2(2)XB11 | | | | |continuing | | | | | |support | | | | |------+-----------------+-----------------------------------------------+ |12.2XC|Short lived Early|Migrate to 12.2(16)B1 | | |Deployment | | | |Releases | | |------+-----------------+-----------------------------------------------+ |12.2XF|Short lived Early|Migrate to 12.2(15)BC1 | | |Deployment | | | |Release UBR10000 | | |------+-----------------+-----------------------------------------------+ |12.2XG|Short lived Early|Migrate to 12.2(8)T10 | | |Deployment | | | |Release | | |------+-----------------+-----------------------------------------------+ |12.2XN|Short lived Early|Migrate to 12.2(11)T9 | |12.2XT|Deployment | | | |Releases | | |------+-----------------+-----------------------------------------------+ |12.2YD|Short lived Early|Migrate to 12.2(8)YY | | |Deployment | | | |Release | | |------+-----------------+-----------------------------------------------+ | |Short lived Early| | | | |12.2YP|Deployment |**12.2(11)YP1| | | | |Release | | | | |------+-----------------+-----------------------------------------------+ |12.2YK| |Migrate to 12.2(13)ZC | |------+-----------------+-----------------------------------------------+ |12.2YL|Short lived Early|Migrate to 12.2(13)ZH | |12.2YM|Deployment | | |12.2YU|Releases | | |12.2YV| | | |------+-----------------+-----------------------------------------------+ |12.2YQ|Short lived Early|Migrate to 12.2(15)ZL | |12.2YR|Deployment | | | |Releases | | |------+-----------------+-----------------------------------------------+ |12.2YS|Short lived Early|12.2(15)YS/ | | | | |Deployment |1.2(1) | | | | |Release | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2YW|Short lived Early|12.2(8)YW2 | | | | |Deployment | | | | | |Releases | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2YX|Short lived Early|12.2(11)YX1 | | | | |Deployment | | | | | |Release | | | | | |Crypto for 7100/ | | | | | |7200 | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2YY|Short lived Early|12.2(8)YY3 | | | | |Deployment | | | | | |Releases | | | | | |IOS support for | | | | | |General Packet | | | | | |Radio Service | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2YZ|Short lived Early|12.2(11)YZ2 | | | | |Deployment | | | | | |Release | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2ZA|Short lived Early| | |12.2(14)ZA2 | | |Deployment | | | | | |Release | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2ZB|Short lived Early|12.2(8)ZB7 | | | | |Deployment | | | | | |Release | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2ZC|Short lived Early| | |12.2(13)ZC | | |Deployment | | | | | |Release | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2ZD|Short lived Early|Not Scheduled| | | | |Deployment | | | | | |Release | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2ZE|Short lived Early|12.3(1a) | | | | |Deployment | | | | | |Release | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2ZF|Short lived Early|Not | | | | |Deployment |Vulnerable | | | | |Release | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2ZG|Short lived Early|Not | | | | |Deployment |Vulnerable | | | | |Release | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2ZH|Short lived Early|Not | | | | |Deployment |Vulnerable | | | | |Release | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2ZJ|Short lived Early|12.2(15)ZJ1 | | | | |Deployment | | | | | |Release | | | | |------+-----------------+-------------+-------+-------------------------+ |12.2ZL|Short lived Early|Not | | | | |Deployment |Vulnerable | | | | |Release | | | | |------------------------+-----------------------------------------------+ |12.3 based releases |NOT VULNERABLE | |------------------------------------------------------------------------+ |Notes: **Marked versions of code are not available on CCO. Please | |contact TAC and request the specific images you need posted. | +------------------------------------------------------------------------+ Notes: ** Marked versions of code are not available on CCO. Please contact the Cisco TAC and request the specific images you need posted. Obtaining Fixed Software ======================== Customers with contracts should obtain upgraded software free of charge through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on the Cisco worldwide website at http://www.cisco.com/tacpage/sw-center/sw-ios.html. Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with obtaining the free software upgrade(s). Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac(a)cisco.com Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Please do not contact either "psirt(a)cisco.com" or "security-alert(a)cisco.com" for software upgrades. See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers, instructions, and e-mail addresses for use in various languages. Workarounds =========== AFTER APPLYING THE WORKAROUND the input queue depth may be raised with the hold-queue <new value> in interface command -- the default size is 75. This will allow traffic flow on the interface until the device can be reloaded. Cisco recommends that all IOS devices which process IPv4 packets be configured to block traffic directed to the router from any unauthorized source with the use of Access Control Lists (ACLs). This can be done at multiple locations, and it is recommended that you review all methods and use the combination which fits your network best. Legitimate traffic is defined as management protocols such as telnet, snmp or ssh, and configured routing protocols from explicitly allowed peers. All other traffic destined to the device should be blocked at the input interface. Traffic entering the network should also be carefully evaluated and filtered at the network edge if destined to an infrastructure device. Although network service providers must often allow unknown traffic to transit their network, it is not necessary to allow that same traffic destined to their network infrastructure. Several white papers have been written to assist in deploying these recommended security best practices. ACLs can have performance impact on certain platforms, so care should be taken when applying the recommended workarounds. Receive ACLs For distributed platforms, receive path access lists may be an option starting in Cisco IOS software versions 12.0(21)S2 for the c12000 and 12.0 (24)S for the c7500. The receive access lists protect the device from harmful traffic before the traffic can impact the route processor. The CPU load is distributed to the line card processors and helps mitigate load on the main route processor. The white paper entitled "GSR: Receive Access Control Lists" will help you identify and allow legitimate traffic to your device and deny all unwanted packets: http://www.cisco.com/warp/customer/707/racl.html Infrastructure ACLs Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network. The white paper entitled "GSR: Receive Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection ACLs: http://www.cisco.com/warp/customer/707/iacl.html Transit ACLs The two techniques described above protect infrastructure devices. This IP protocol ACL can also be used to filter transit traffic passing through a network. The ACL will need to permit all protocols used by end users, not just those destined to routers. Since end users can run a wide array of protocols, often unexpected or uncommon protocols, these protocol requirements must be well understood prior to deploying this ACL. The provided list is not a complete list of permissible protocols. This access-list is applied inbound on edge facing interfaces. For complete protection this access-list needs to be implemented on the edge router. For basic TCP,UDP and ICMP, the following ACL will provide protection: access-list 101 permit tcp any any access-list 101 permit udp any any !! GRE tunnel if required access-list 101 permit gre any any !! IPSec ESP if required access-list 101 permit esp any any !! IPSec AH if required access-list 101 permit ah any any access-list 101 permit icmp any any access-list 101 deny ip any any The last statement of the Transit ACL should be a deny any any for IP traffic. Prior to deploying ACLs that filter transit traffic, a classification ACL can be used to help identify required permit statements. A classification ACL is an ACL that permits a series of protocols. Displaying access-list entry hit counters helps determine required protocols: entries with zero packets counted are likely not required. Classification access-lists are detailed in the above link for infrastructure access-lists. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. If PSIRT becomes aware of any sign of public announcement of the crafted packet, or there is any sign of exploitation of this vulnerability, a follow-up announcement will be sent to our standard distribution list immediately with further details to assist network administrators in mitigation. Status of This Notice: INTERIM ====================== This is an INTERIM notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Cisco will update this advisory. Distribution ============ This notice will be posted on the Cisco worldwide website at http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml at 21:00 GMT on July 17th, 2003. In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and will be posted to the following e-mail and Usenet news recipients at the public release date and time: * cust-security-announce(a)cisco.com * bugtraq(a)securityfocus.com * full-disclosure(a)lists.netsys.com * first-teams(a)first.org (includes CERT/CC) * cisco(a)spot.colorado.edu * cisco-nsp(a)puck.nether.net * nanog(a)merit.edu * sanog(a)sanog.org * comp.dcom.sys.cisco * Various internal Cisco mailing lists Future updates of this advisory, if any, will be placed on the Cisco worldwide web server. Users concerned about this problem are encouraged to check the URL given above for any updates. Revision History ================ +-------------------------------------------+ | Revision | 17-July-2003 | Initial public | | 1.0 | 0:00 GMT | release | +-------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on the Cisco worldwide website at http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt. - -------------------------------------------------------------------------- This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information. - -------------------------------------------------------------------------- All contents are Copyright © 1992-2003 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.2 iQA/AwUBPxYP5XsxqM8ytrWQEQJOfwCg04JnuUYEIYQZyfHAeClX5p2SpngAoNMn t2zHq5JVCmsChl0DrSN9jMFq =6bis -----END PGP SIGNATURE-----