Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.0283 -- [Cisco]
Multiple Cisco IOS Vulnerabilities
26 March 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco IOS
Publisher: Cisco Systems
Operating System: Cisco
Impact: Overwrite Arbitrary Files
Access Privileged Data
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2009-0626 CVE-2009-0628 CVE-2009-0629
CVE-2009-0630 CVE-2009-0631 CVE-2009-0633
CVE-2009-0634 CVE-2009-0635 CVE-2009-0636
CVE-2009-0637
Original Bulletin:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
Comment: This ESB contains eight (8) Cisco IOS advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS cTCP Denial of Service
Vulnerability
Advisory ID: cisco-sa-20090325-ctcp
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
Revision 1.0
For Public Release 2009 March 25 1600 UTC (GMT)
- - ---------------------------------------------------------------------
Summary
=======
A series of TCP packets may cause a denial of service (DoS) condition
on Cisco IOS devices that are configured as Easy VPN servers with the
Cisco Tunneling Control Protocol (cTCP) encapsulation feature. Cisco
has released free software updates that address this vulnerability.
No workarounds are available; however, the IPSec NAT traversal
(NAT-T) feature can be used as an alternative.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
Note: The March 25, 2009, Cisco IOS Security Advisory bundled
publication includes eight Security Advisories. All of the advisories
address vulnerabilities in Cisco IOS Software. Each advisory lists
the releases that correct the vulnerability or vulnerabilities in the
advisory. The following table lists releases that correct all Cisco
IOS Software vulnerabilities that have been published in Cisco
Security Advisories on March 25, 2009, or earlier.
http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml
Individual publication links are listed below:
* Cisco IOS cTCP Denial of Service Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
* Cisco IOS Software Multiple Features IP Sockets Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
* Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
* Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
* Cisco IOS Software Session Initiation Protocol Denial of Service
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
* Cisco IOS Software Multiple Features Crafted TCP Sequence
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
* Cisco IOS Software Multiple Features Crafted UDP Packet
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
* Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
Affected Products
=================
Vulnerable Products
+------------------
Cisco IOS devices running versions 12.4(9)T or later and configured
for Cisco Tunneling Control Protocol (cTCP) encapsulation for EZVPN
server are vulnerable.
Note: The cTCP encapsulation feature was introduced in Cisco IOS
version 12.4(9)T. The cTCP encapsulation feature is disabled by
default. Cisco IOS devices configured for EZVPN client are not
affected by this vulnerability. Only devices configured as EZVPN
servers are vulnerable.
To configure the cTCP encapsulation feature for Easy VPN, use the
crypto ctcp command in global configuration mode. You can optionally
specify the port number that the device will listen to with the
crypto ctcp port <port> command. Up to ten numbers can be configured
and the port value can be from 1 through 65535. If the port keyword
is not configured, the default port number is 10000. In the following
example, the Cisco IOS device is configured to listen for cTCP
messages on port 10000.
crypto ctcp port 10000
Note: The port keyword is configured only on the Cisco IOS device
acting as an EZVPN server.
To determine the version of the Cisco IOS software running on a Cisco
product, log in to the device and issue the show version command to
display the system banner. Cisco IOS software will identify itself as
"Internetwork Operating System Software" or simply "IOS". On the next
line of output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices
will not have the show version command or will give different output.
The following example identifies a Cisco product running Cisco IOS
Software release 12.3(26) with an installed image name of C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE
SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
<output truncated>
The next example shows a product running Cisco IOS Software release
12.4(20)T with an image name of C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version
12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
<output truncated>
Additional information on the Cisco IOS release naming conventions
can be found on the document entitled "White Paper: Cisco IOS
Reference Guide", which is available at
http://www.cisco.com/warp/public/620/1.html
Products Confirmed Not Vulnerable
+--------------------------------
Cisco IOS devices that are not configured for cTCP are not affected
by this vulnerability. The Cisco ASA and Cisco VPN 3000 series
concentrators are not vulnerable. Cisco IOS devices configured as
EZVPN clients are not affected by this vulnerability. The Cisco VPN
Client is not vulnerable. Cisco IOS-XR and Cisco IOS-XE software are
not affected by this vulnerability. No other Cisco products are
currently known to be affected by this vulnerability.
Details
=======
The Cisco Tunneling Control Protocol (cTCP) feature is used by Easy
VPN remote device operating in an environment in which standard IPSec
does not function transparently without modification to existing
firewall rules. The cTCP traffic is actually TCP traffic. Cisco IOS
cTCP packets are Internet Key Exchange (IKE) or Encapsulating
Security Payload (ESP) packets that are being transmitted over TCP.
A vulnerability exists where a series of TCP packets may cause a
Cisco IOS device that is configured as an Easy VPN server with the
cTCP encapsulation feature to run out of memory. This vulnerability
is documented in Cisco Bug IDs CSCsr16693 and CSCsu21828; and has
been assigned the Common Vulnerabilities and Exposures (CVE)
identifier CVE-2009-0635.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss.
CSCsr16693 - cTCP server may crash when processing a series of TCP
packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsu21828 - Cisco IOS Device may crash with cTCP enabled
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of this vulnerability may cause the affected
device to run out of memory. Repeated exploitation will result in a
denial of service (DoS) condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major Release | Availability of Repaired Releases |
|-------------------+-----------------------------------------------|
| Affected | | |
| 12.0-Based | First Fixed Release | Recommended Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected | | |
| 12.1-Based | First Fixed Release | Recommended Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | | |
| 12.2-Based | First Fixed Release | Recommended Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.2 based releases |
|-------------------------------------------------------------------|
| Affected | | |
| 12.3-Based | First Fixed Release | Recommended Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | | |
| 12.4-Based | First Fixed Release | Recommended Release |
| Releases | | |
|-------------------+-----------------------+-----------------------|
| 12.4 | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JDA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JK | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JL | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JMA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JMB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4JX | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4MD | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4MR | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4SW | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| | 12.4(20)T2 | 12.4(22)T1 |
| 12.4T | | |
| | 12.4(15)T9; Available | 12.4(15)T9; Available |
| | on 29-APR-2009 | on 29-APR-2009 |
|-------------------+-----------------------+-----------------------|
| 12.4XA | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XC | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XD | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XE | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XF | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XG | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XJ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XK | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XL | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XM | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XN | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XP | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XQ | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XR | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XT | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XV | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XW | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XY | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4XZ | 12.4(15)XZ2 | 12.4(15)XZ2 |
|-------------------+-----------------------+-----------------------|
| 12.4YA | 12.4(20)YA2 | 12.4(20)YA3 |
|-------------------+-----------------------+-----------------------|
| 12.4YB | Not Vulnerable | |
|-------------------+-----------------------+-----------------------|
| 12.4YD | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
No workarounds are available.
As an alternative, the IPSec NAT traversal (NAT-T) feature can be
used. The IPSec NAT-T feature introduces support for IP Security
(IPSec) traffic to travel through Network Address Translation (NAT)
or Port Address Translation (PAT) points in the network by addressing
many known incompatabilites between NAT and IPSec.
Note: The NAT-T feature was introduced in Cisco IOS version 12.2(13)
T.
NAT Traversal is a feature that is auto detected by VPN devices.
There are no configuration steps for a router running Cisco IOS
Release 12.2(13)T and later. If both VPN devices are NAT-T capable,
NAT Traversal is auto-detected and auto-negotiated.
Note: When you enable NAT-T, the Cisco IOS device automatically opens
UDP port 4500 on all IPSec enabled interfaces.
Caution: Be aware that you may need to enable IPSec over UDP on Cisco
VPN software clients to support NAT-T. Additionally, you may need to
change firewall rules to allow UDP port 500 for Internet Key Exchange
(IKE) and UDP port 4500 for NAT-T.
For more information about NAT-T, refer to the white paper at:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ipsec_nat_transp.html
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090325-ctcp.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized
telephone numbers, and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was found during the resolution of a technical
support service request.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-March-25 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAknKUaYACgkQ86n/Gc8U/uBSWwCbBgAQRNBNdft9MYK8bC1MP/Z4
4D8AnA7qaiFqAdeWWbS+p4K601XNoo4S
=Rvhp
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software WebVPN and SSLVPN
Vulnerabilities
Advisory ID: cisco-sa-20090325-webvpn
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
Revision 1.0
For Public Release 2009 March 25 1600 UTC (GMT)
- - ---------------------------------------------------------------------
Summary
=======
Cisco IOS software contains two vulnerabilities within the Cisco IOS
WebVPN or Cisco IOS SSLVPN feature (SSLVPN) that can be remotely
exploited without authentication to cause a denial of service
condition. Both vulnerabilities affect both Cisco IOS WebVPN and
Cisco IOS SSLVPN features:
1. Crafted HTTPS packet will crash device.
2. SSLVPN sessions cause a memory leak in the device.
Cisco has released free software updates that address these
vulnerabilities.
There are no workarounds that mitigate these vulnerabilities.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
Note: The March 25, 2009, Cisco IOS Security Advisory bundled
publication includes eight Security Advisories. All of the advisories
address vulnerabilities in Cisco IOS Software. Each advisory lists
the releases that correct the vulnerability or vulnerabilities in the
advisory. The following table lists releases that correct all Cisco
IOS Software vulnerabilities that have been published in Cisco
Security Advisories on March 25, 2009, or earlier.
http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml
Individual publication links are listed below:
* Cisco IOS cTCP Denial of Service Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
* Cisco IOS Software Multiple Features IP Sockets Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
* Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
* Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
* Cisco IOS Software Session Initiation Protocol Denial of Service
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
* Cisco IOS Software Multiple Features Crafted TCP Sequence
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
* Cisco IOS Software Multiple Features Crafted UDP Packet
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
* Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
Affected Products
=================
Vulnerable Products
+------------------
Devices running affected versions of Cisco IOS software are affected
if configured with SSLVPN.
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
"show version" command to display the system banner. The system
banner confirms that the device is running Cisco IOS Software by
displaying text similar to "Cisco Internetwork Operating System
Software" or "Cisco IOS Software." The image name displays in
parentheses, followed by "Version" and the Cisco IOS Software release
name. Other Cisco devices do not have the "show version" command or
may provide different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE
(fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
<output truncated>
The following example shows a product that is running Cisco IOS
Software release 12.4(20)T with an image name of
C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M),
Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
<output truncated>
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html
To determine that SSLVPN is enabled on your device, log in to the
device and issue the command-line interface (CLI) command "show
running-config | include webvpn". If the device returns any output
this means that SSLVPN is configured on the device and the device may
be vulnerable. Vulnerable configurations vary depending on whether
the device is supporting Cisco IOS WebVPN (introduced in Release 12.3
(14)T) or Cisco IOS SSLVPNs (introduced in Release 12.4(6)T). The
following methods describe how to confirm if the device is
vulnerable:
If the output from "show running-config | include webvpn" contains
"webvpn enable" then the device is configured with the original Cisco
IOS WebVPN. The only way to confirm the device is vulnerable is to
examine the output of "show running-config" to confirm that webvpn is
enabled via the command "webvpn enable" and that a "ssl trustpoint"
has been configured. The following example shows a vulnerable device
configured with Cisco IOS WebVPN:
webvpn enable
!
webvpn
ssl trustpoint TP-self-signed-29742012
If the output from "show running-config | include webvpn" contains
"webvpn gateway <word>" then the device is supporting the Cisco IOS
SSLVPN feature. A device is vulnerable if it has the "inservice"
command in at least one of the "webvpn gateway" sections. The
following example shows a vulnerable device configured with Cisco IOS
SSLVPN:
Router# show running | section webvpn
webvpn gateway Gateway
ip address 10.1.1.1 port 443
ssl trustpoint Gateway-TP
inservice
!
Router#
A device that supports the Cisco IOS SSLVPN is not vulnerable if it
has no "webvpn gateways" configured or all the configured "webvpn
gateways" contain the "no inservice" "webvpn gateway" command.
Products Confirmed Not Vulnerable
+--------------------------------
The following products are not affected by this vulnerability:
* Cisco ASA 5500 Series Adaptive Security Appliances
* Cisco IOS XR Software
* Cisco IOS XE Software
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The Cisco SSLVPN feature provides remote access to enterprise sites
by users from anywhere on the Internet. The SSLVPN provides users
with secure access to specific enterprise applications, such as
e-mail and web browsing, without requiring them to have VPN client
software installed on their end-user devices.
The WebVPN Enhancements feature (Cisco IOS SSLVPN), released in Cisco
IOS Release 12.4(6)T, obsoletes the commands and configurations
originally put forward in Cisco IOS WebVPN.
Further information about Cisco IOS WebVPN is available in the "Cisco
IOS Software Release 12.3T WebVPN feature guide" at the following
link:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/g_sslvpn.html
Further information about Cisco IOS SSLVPN is available in the "Cisco
IOS Software Release 12.4T SSLVPN feature guide" at the following
link: http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htwebvpn.html
Details regarding these two vulnerabilities in Cisco IOS devices that
are running affected versions of system software are:
Crafted HTTPS packet will crash device
+--------------------------------------
A device configured for SSLVPN may reload or hang when it receives a
specially crafted HTTPS packet. Completion of the 3-way handshake to
the associated TCP port number of the SSLVPN feature is required in
order for the vulnerability to be successfully exploited, however
authentication is "not" required. The default TCP port number for
SSLVPN is 443.
This vulnerability is documented in Cisco bug ID CSCsk62253
and Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0626 has been assigned to this vulnerability.
SSLVPN sessions cause a memory leak in the device
+------------------------------------------------
A device configured for SSLVPN may leak transmission control blocks
(TCBs) when processing an abnormally disconnected SSL session.
Continued exploitation may result in the device depleting its memory
resources and result in a crash of the device. Authentication is
"not" required to exploit this vulnerability.
The memory leak can be detected by running the command "show tcp
brief", like in the following example:
Router#show tcp brief
TCB Local Address Foreign Address (state)
468BBDC0 192.168.0.22.443 192.168.0.33.19794 CLOSEWAIT
482D4730 192.168.0.22.443 192.168.0.33.22092 CLOSEWAIT
482779A4 192.168.0.22.443 192.168.0.33.16978 CLOSEWAIT
4693DEBC 192.168.0.22.443 192.168.0.33.21580 CLOSEWAIT
482D3418 192.168.0.22.443 192.168.0.33.17244 CLOSEWAIT
482B8ACC 192.168.0.22.443 192.168.0.33.16564 CLOSEWAIT
46954EB0 192.168.0.22.443 192.168.0.33.19532 CLOSEWAIT
468BA9B8 192.168.0.22.443 192.168.0.33.15781 CLOSEWAIT
482908C4 192.168.0.22.443 192.168.0.33.19275 CLOSEWAIT
4829D66C 192.168.0.22.443 192.168.0.33.19314 CLOSEWAIT
468A2D94 192.168.0.22.443 192.168.0.33.14736 CLOSEWAIT
4688F590 192.168.0.22.443 192.168.0.33.18786 CLOSEWAIT
4693CBA4 192.168.0.22.443 192.168.0.33.12176 CLOSEWAIT
4829ABC4 192.168.0.22.443 192.168.0.33.39629 CLOSEWAIT
4691206C 192.168.0.22.443 192.168.0.33.17818 CLOSEWAIT
46868224 192.168.0.22.443 192.168.0.33.16774 CLOSEWAIT
4832BFAC 192.168.0.22.443 192.168.0.33.39883 CLOSEWAIT
482D10CC 192.168.0.22.443 192.168.0.33.13677 CLOSEWAIT
4829B120 192.168.0.22.443 192.168.0.33.20870 CLOSEWAIT
482862FC 192.168.0.22.443 192.168.0.33.17035 CLOSEWAIT
482EC13C 192.168.0.22.443 192.168.0.33.16053 CLOSEWAIT
482901D8 192.168.0.22.443 192.168.0.33.16200 CLOSEWAIT
In the output above, those Transmission Control Blocks (TCBs) in the
state CLOSEWAIT will not go away and represent memory leaks. Please
note that only TCP connections with a local TCP port of 443 (the
well-known port for HTTPS) are relevant.
This vulnerability is documented in Cisco bug ID CSCsw24700
and Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0628 has been assigned to this vulnerability.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsk62253 - Crafted HTTPS packet will crash device.
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsw24700 - SSLVPN sessions cause a memory leak in the device.
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of any of the two vulnerabilities may result
in the device crashing, not accepting any new SSLVPN sessions or a
memory leak. Repeated exploitation may result in an extended denial
of service (DoS) condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+------------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.2 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|------------+--------------------------------------+---------------|
| 12.3 | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3B | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3BC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3BW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3EU | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JEA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JEB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JEC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.3T | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| 12.3TPC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3VA | Vulnerable; contact TAC | |
|------------+--------------------------------------+---------------|
| 12.3XA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XE | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XG | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XI | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XJ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XQ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XR | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XS | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XU | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XY | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XZ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YG | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YH | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YI | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YJ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | Releases prior to 12.3(11)YK3 are | 12.4(22)T1 |
| | vulnerable, release 12.3(11)YK3 and | |
| 12.3YK | later are not vulnerable; first | 12.4(15)T9; |
| | fixed in 12.4T | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| 12.3YM | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YQ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YS | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YT | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YU | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| 12.3YX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YZ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3ZA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|------------+--------------------------------------+---------------|
| | | 12.4(18e) |
| | 12.4(18e) | |
| 12.4 | | 12.4(23a); |
| | 12.4(23a); Available on 30-APR-2009 | Available on |
| | | 30-APR-2009 |
|------------+--------------------------------------+---------------|
| 12.4JA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JDA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JMA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JMB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4MD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4MR | 12.4(16)MR | 12.4(19)MR2 |
|------------+--------------------------------------+---------------|
| 12.4SW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | 12.4(15)T7 | 12.4(22)T1 |
| | | |
| 12.4T | 12.4(20)T | 12.4(15)T9; |
| | | Available on |
| | 12.4(15)T9; Available on 29-APR-2009 | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XA | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XB | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XC | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| | 12.4(4)XD12; Available on | 12.4(4)XD12; |
| 12.4XD | 27-MAR-2009 | Available on |
| | | 27-MAR-2009 |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XE | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| 12.4XF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XG | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XJ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| 12.4XK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XM | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XN | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XP | Vulnerable; contact TAC | |
|------------+--------------------------------------+---------------|
| 12.4XQ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XR | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XT | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| 12.4XV | Vulnerable; contact TAC | |
|------------+--------------------------------------+---------------|
| 12.4XW | 12.4(11)XW10 | 12.4(11)XW10 |
|------------+--------------------------------------+---------------|
| 12.4XY | 12.4(15)XY4 | 12.4(22)T1 |
|------------+--------------------------------------+---------------|
| 12.4XZ | 12.4(15)XZ1 | 12.4(15)XZ2 |
|------------+--------------------------------------+---------------|
| 12.4YA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4YB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4YD | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
There are no workarounds for the vulnerabilities described in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered when handling customer support
calls.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-March-25 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAknKUdcACgkQ86n/Gc8U/uALXwCgmcIGTSzRIHpHRbVVmMNqPFT4
+CIAn27HdwwpkhVDgEIWTMsIX6NE4BgR
=+f8D
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Multiple Features Crafted
UDP Packet Vulnerability
Advisory ID: cisco-sa-20090325-udp
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
Revision 1.0
For Public Release 2009 March 25 1600 UTC (GMT)
- - ---------------------------------------------------------------------
Summary
=======
Several features within Cisco IOS Software are affected by a crafted
UDP packet vulnerability. If any of the affected features are
enabled, a successful attack will result in a blocked input queue on
the inbound interface. Only crafted UDP packets destined for the
device could result in the interface being blocked, transit traffic
will not block the interface.
Cisco has released free software updates that address this
vulnerability.
Workarounds that mitigate this vulnerability are available.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
Note: The March 25, 2009, Cisco IOS Security Advisory bundled
publication includes eight Security Advisories. All of the advisories
address vulnerabilities in Cisco IOS Software. Each advisory lists
the releases that correct the vulnerability or vulnerabilities in the
advisory. The following table lists releases that correct all Cisco
IOS Software vulnerabilities that have been published in Cisco
Security Advisories on March 25, 2009, or earlier.
http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml
Individual publication links are listed below:
* Cisco IOS cTCP Denial of Service Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
* Cisco IOS Software Multiple Features IP Sockets Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
* Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
http://www.cisco.com/warp/public/707/ cisco-sa-20090325-mobileip.shtml
* Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
* Cisco IOS Software Session Initiation Protocol Denial of Service
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
* Cisco IOS Software Multiple Features Crafted TCP Sequence
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
* Cisco IOS Software Multiple Features Crafted UDP Packet
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
* Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
Affected Products
=================
Vulnerable Products
+------------------
Devices running affected versions of Cisco IOS Software and Cisco IOS
XE Software are affected when running any of the following features:
* IP Service Level Agreements (SLA) Responder
* Session Initiation Protocol (SIP)
* H.323 Annex E Call Signaling Transport
* Media Gateway Control Protocol (MGCP)
Details on how to see if the affected feature is enabled on a device,
is provided within the details section of this advisory.
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
"show version" command to display the system banner. The system
banner confirms that the device is running Cisco IOS Software by
displaying text similar to "Cisco Internetwork Operating System
Software" or "Cisco IOS Software." The image name displays in
parentheses, followed by "Version" and the Cisco IOS Software release
name. Other Cisco devices do not have the "show version" command or
may provide different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE
(fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
<output truncated>
The following example shows a product that is running Cisco IOS
Software release 12.4(20)T with an image name of
C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M),
Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
<output truncated>
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html
Products Confirmed Not Vulnerable
+--------------------------------
The following products and features are not affected by this
vulnerability:
* Cisco IOS XR Software
* Service Assurance Agent (SAA)
* Response Time Reporter (RTR)
* No other feature or protocol on Cisco IOS is known to be affected
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
A device is vulnerable if any of the features outlined below is
configured and their associated UDP port number accessible. For each
feature, in addition to inspecting the Cisco IOS device for
vulnerable configurations, administrators can also use some show
commands to determine if the Cisco IOS device is running processes
that handle the UDP service, or if the device is listening on the
affected UDP ports.
Different versions of Cisco IOS Software have different methods of
showing the UDP ports on which the Cisco IOS Software device is
listening. The "show ip sockets" or "show udp" commands can be used
to determine these ports. For each feature, one example is given
using the above commands to show the affected UDP port number.
Successful exploitation of this vulnerability can block an interface
on the device. The interface type is not relevant for this
vulnerability so all Ethernet based interfaces, ATM, Serial, POS and
other types of interfaces can be affected. All defined sub interfaces
under a main physical interface are affected if the main interface is
blocked. If the attack originates over a sub interface, the main
interface will block. A blocked interface will stop receiving any
subsequent packets until it is unblocked. All other interfaces are
not affected and they will continue receiving and transmitting
packets.
Only packets destined for a reachable configured IP address on any
interface of the device can exploit this vulnerability. Transit
traffic will not exploit this vulnerability.
A symptom of this type of blocked queue is the failure of
control-plane protocols such as routing protocols (OSPF, EIGRP, BGP,
ISIS, etc.) and MPLS TDP/LDP to properly establish connections over
an affected interface. Transit traffic may be affected once protocol
timers expire on the affected device.
In order to identify a blocked input interface, issue the "show
interfaces" command, and search for the Input Queue line. The size of
the input queue can continue to increase. If the current size, which
is 76 in the example below, is equal or larger than the maximum size
(default being 75), the input queue may be blocked.
It is possible that a device receives a high rate of traffic destined
to the control plane, and the full queue is only a transient event.
In order to verify if the interface is actually blocked, shut down
the interface with the shutdown interface configuration command and
examine the input queue. If the input queue does not display 0
packets, the interface is blocked.
Router#show interface ethernet 0/0
Ethernet0/0 is up, line protocol is up
Hardware is AmdP2, address is 0050.500e.f1e0 (bia 0050.500e.f1e0)
Internet address is 192.168.0.1/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set, keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:41, output 00:00:07, output hang never
Last clearing of "show interface" counters 00:07:18
Input queue: 76/75/1091/0 (size/max/drops/flushes); Total output drops: 0
IP Service Level Agreements (SLAs) Responder
+-------------------------------------------
Devices configured with the Cisco IOS IP Service Level Agreements
(SLAs) Responder for User Datagram Protocol (UDP) echo or jitter
operations feature are vulnerable. Any device configured to act as a
responder is vulnerable. The following shows two different vulnerable
configurations. The first being a generic IP SLA responder:
ip sla responder
or
ip sla monitor responder
The following shows this second configuration with a more specific
UDP responder configured:
ip sla responder
ip sla responder udp-echo ipaddress 10.10.10.10 port 1025
Service Assurance Agent (SAA) and Response Time Reporter (RTR)
feature are "not" affected and use the "rtr" CLI command syntax. The
following example shows a configuration, which is not vulnerable:
rtr responder
The following example shows a device listening on the default IP SLA
control channel with the affected UDP port 1967.
Router#show udp
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 10.2.6.1 1967 0 0 211 0
Further information about Cisco IOS IP SLAs is available in "Cisco
IOS IP SLAs Configuration Guide, Release 12.4 - Cisco IOS IP SLAs
Overview" at the following link:
http://www.cisco.com/en/US/docs/ios/12_4/ip_sla/configuration/guide/hsoverv.html
Session Initiation Protocol (SIP)
+--------------------------------
Note: For customers with devices enabled with SIP, please also
consult the document "Cisco Security Advisory: Cisco IOS Session
Initiation Protocol Denial of Service Vulnerability" at the following
link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.html
Cisco devices that process SIP messages are affected. Recent versions
of Cisco IOS Software do not process SIP messages by default.
Creating a "dial peer" via the command "dial-peer voice" with any
option will start the SIP processes and cause Cisco IOS Software to
begin processing SIP messages. Several features within Cisco Call
Manager Express, such as ePhones, once configured will also
automatically start the SIP process and the device will begin
processing SIP messages. It is recommended if the device is running
any voice configurations to confirm the existence of the SIP process
with the "show ip socket" or "show udp" command. The following is one
example of an affected configuration:
dial-peer voice <Voice dial-peer tag> voip
...
!
Note: Older versions of Cisco IOS Software were affected by a bug
that caused Cisco IOS Software to process SIP messages even without
being configured for SIP operation. Please refer to "Cisco Security
Advisory: SIP Packets Reload IOS Devices with support for SIP" at the
following link:
http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml
The following example shows a device that will process SIP messages,
on the default affected UDP port 5060:
Router#show ip socket
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 192.168.0.2 5060 0 0 211 0
Further information about SIP, is available in the "Cisco IOS SIP
Configuration Guide" at the following link:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/vvfax_c/callc_c/sip_c/sipc1_c/index.htm
H.323 Annex E Call Signaling Transport
+-------------------------------------
Cisco devices that are configured to support H.323 are affected. The
affected protocol is H.323 Annex E Call Signaling Transport over UDP.
ITU-T recommendation H.323 Annex E describes the signaling framework
and wire-protocol for transporting H.225.0 call signaling messages
over UDP. Recent versions of Cisco IOS Software do not open H.225.0
UDP port by default. Creating a "dial peer" via the command
"dial-peer voice" with any option will open the H.225.0 UDP port.
Several features within Cisco Call Manager Express, such as ePhones,
once configured will also automatically start the H.323 process and
the device will begin processing H.323 packets. It is recommended if
the device is running any voice configurations to confirm the
existence of the H.323 process with the "show ip socket" or "show
udp" command. The following is one example of an affected
configuration:
dial-peer voice <Voice dial-peer tag> voip
...
!
Note: Older versions of Cisco IOS Software were affected by a bug
that caused Cisco IOS Software to listen on H.323 ports without being
configured for H.323 operation. Please refer to Cisco bug ID:
CSCsb25337
The following example shows a device that will process H.225.0
packets, on the default affected UDP port 2517:
Router#show ip socket
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 192.168.0.2 2517 0 0 211 0
Further information about H.323, is available in the "Cisco IOS H.323
Configuration Guide" at the following link:
http://www.cisco.com/en/US/docs/ios/12_3/vvf_c/cisco_ios_h323_configuration_guide/old_archives_h323/323confg.html
Media Gateway Control Protocol (MGCP)
+------------------------------------
Devices configured with the MGCP feature are vulnerable. MGCP is
enabled globally with the command "mgcp". The default listening port
for MGCP is UDP 2427. The following example shows a vulnerable
configuration:
mgcp
The following example shows a device that will process MGCP packets
on the affected UDP ports:
Router#show ip socket
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 192.168.0.1 2427 10.66.91.138 2427 0 0 211 0
Further information about MGCP is available in the "Configuring the
Cisco IOS MGCP Gateway reference" at the following link:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a008017787b.shtml
This vulnerability is documented in the following Cisco Bug ID:
CSCsk64158 and has been assigned the Common Vulnerabilities and Exposures
(CVE) identifiers CVE-2009-0631.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsk64158: Cisco IOS Software Multiple Features Crafted UDP Packet
Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of this vulnerability may cause the inbound
interface to be blocked and will silently drop any received traffic.
A reload of the device is required to restore normal functionality.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+------------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0 | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0DA | Vulnerable; first fixed in 12.2DA | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0DB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0DC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.0S | 12.0(32)S12 | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| 12.0SC | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| 12.0SL | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0SP | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.0ST | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| 12.0SX | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| 12.0SY | 12.0(32)SY8 | 12.0(32)SY8 |
|------------+-------------------------------------+----------------|
| 12.0SZ | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0T | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.0W | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.0WC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.0WT | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XE | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.0XF | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XG | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | Releases prior to 12.0(4)XI2 are | 12.4(18e) |
| | vulnerable, release 12.0(4)XI2 and | |
| 12.0XI | later are not vulnerable; first | 12.4(23a); |
| | fixed in 12.4 | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XJ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XK | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XL | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XM | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XN | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XQ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XR | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XS | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XT | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XV | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1 | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.1AA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1AX | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| | | 12.1(22)EA13 |
| 12.1AY | Vulnerable; first fixed in 12.1EA | |
| | | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| | | 12.1(22)EA13 |
| 12.1AZ | Vulnerable; first fixed in 12.1EA | |
| | | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.1CX | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1DA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1DB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1DC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1E | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.1EA | 12.1(22)EA13 | 12.1(22)EA13 |
|------------+-------------------------------------+----------------|
| 12.1EB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SCB1 |
| 12.1EC | Vulnerable; first fixed in 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| 12.1EO | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1EU | Vulnerable; first fixed in 12.2SG | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| 12.1EV | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1EW | Vulnerable; migrate to 12.2SGA | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1EX | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.1EY | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1EZ | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1GA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1GB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1T | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XE | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XF | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XG | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XI | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XJ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XL | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XM | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XP | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XQ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XR | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XS | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XT | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XU | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XV | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XW | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XX | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XY | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XZ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | Releases prior to 12.1(5)YE6 are | 12.4(18e) |
| | vulnerable, release 12.1(5)YE6 and | |
| 12.1YE | later are not vulnerable; first | 12.4(23a); |
| | fixed in 12.4 | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YF | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.1YI | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.1(22)EA13 |
| 12.1YJ | Vulnerable; first fixed in 12.1EA | |
| | | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2 | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2B | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to 12.2SCB or | 12.2(33)SCB1 |
| 12.2BC | 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2BW | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2BX | Vulnerable; migrate to 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2BY | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2BZ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to 12.2SCB or | 12.2(33)SCB1 |
| 12.2CX | 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to 12.2SCB or | 12.2(33)SCB1 |
| 12.2CY | 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| 12.2CZ | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | 12.2(12)DA14; Available on | |
| 12.2DA | 30-JUL-2009 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2DD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2DX | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2EW | Vulnerable; first fixed in 12.2SG | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| 12.2EWA | Vulnerable; first fixed in 12.2SG | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| 12.2EX | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2EY | 12.2(44)EY | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2EZ | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2FX | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2FY | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2FZ | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRC4; |
| 12.2IRA | Vulnerable; first fixed in 12.2SRC | Available on |
| | | 18-MAY-2009 |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRC4; |
| 12.2IRB | Vulnerable; first fixed in 12.2SRC | Available on |
| | | 18-MAY-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXA | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXB | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXC | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXD | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXE | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXF | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXG | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| 12.2JA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2JK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2MB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2MC | 12.2(15)MC2m | 12.2(15)MC2m |
|------------+-------------------------------------+----------------|
| 12.2S | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| | 12.2(31)SB14 | |
| | | |
| 12.2SB | 12.2(33)SB3 | 12.2(33)SB4 |
| | | |
| | 12.2(28)SB13 | |
|------------+-------------------------------------+----------------|
| 12.2SBC | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| 12.2SCA | Vulnerable; first fixed in 12.2SCB | 12.2(33)SCB1 |
|------------+-------------------------------------+----------------|
| 12.2SCB | 12.2(33)SCB1 | 12.2(33)SCB1 |
|------------+-------------------------------------+----------------|
| | 12.2(46)SE2 | |
| | | |
| 12.2SE | 12.2(44)SE5 | 12.2(44)SE6 |
| | | |
| | 12.2(50)SE | |
|------------+-------------------------------------+----------------|
| 12.2SEA | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEB | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEC | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SED | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEE | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEF | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEG | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| | | 12.2(52)SG; |
| 12.2SG | 12.2(50)SG | Available on |
| | | 15-MAY-2009 |
|------------+-------------------------------------+----------------|
| 12.2SGA | 12.2(31)SGA9 | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| 12.2SL | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2SM | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SO | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SQ | 12.2(44)SQ1 | |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRC4; |
| 12.2SRA | Vulnerable; first fixed in 12.2SRC | Available on |
| | | 18-MAY-2009 |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRC4; |
| | | Available on |
| | | 18-MAY-2009 |
| 12.2SRB | Vulnerable; first fixed in 12.2SRC | |
| | | 12.2(33)SRB5a; |
| | | Available on |
| | | 3-April-2009 |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRC4; |
| 12.2SRC | 12.2(33)SRC3 | Available on |
| | | 18-MAY-2009 |
|------------+-------------------------------------+----------------|
| 12.2SRD | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2STE | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2SU | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2SV | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SVA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SVC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SVD | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SVE | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SW | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SX | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXA | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXB | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXD | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXE | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXF | 12.2(18)SXF16 | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| | 12.2(33)SXH5; Available on | 12.2(33)SXH5; |
| 12.2SXH | 20-APR-2009 | Available on |
| | | 20-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2SXI | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2SY | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| 12.2SZ | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2T | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2TPC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XE | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to 12.2SCB or | 12.2(33)SCB1 |
| 12.2XF | 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XG | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XI | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XJ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XK | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XL | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XM | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SB4 |
| 12.2XN | Vulnerable; first fixed in 12.2SRC | |
| | | 12.2(33)SRD1 |
|------------+-------------------------------------+----------------|
| 12.2XNA | Vulnerable; migrate to any release | 12.2(33)SRD1 |
| | in 12.2SRD | |
|------------+-------------------------------------+----------------|
| 12.2XNB | 12.2(33)XNB1 | 12.2(33)XNB3 |
|------------+-------------------------------------+----------------|
| 12.2XNC | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2XO | 12.2(46)XO | 12.2(46)XO |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XQ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XR | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XS | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XT | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XU | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XV | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XW | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2YA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2YB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YD | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YE | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YF | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YG | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YH | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YJ | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YK | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YL | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2YM | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2YN | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YO | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2YP | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2YQ | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YR | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YS | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2YT | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YU | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YV | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YW | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YX | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YY | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YZ | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2ZA | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2ZB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2ZC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2ZD | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2ZE | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2ZF | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2ZG | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2ZH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2ZJ | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2ZL | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2ZP | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRC4; |
| 12.2ZU | Vulnerable; first fixed in 12.2SXH | Available on |
| | | 18-MAY-2009 |
|------------+-------------------------------------+----------------|
| 12.2ZX | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| 12.2ZY | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2ZYA | 12.2(18)ZYA1 | 12.2(18)ZYA1 |
|------------+-------------------------------------+----------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.3 | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3B | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3BC | 12.3(23)BC6 | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3BW | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3EU | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.3JA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.3JEA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.3JEB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.3JEC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3JK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3JL | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.3JX | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3T | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3TPC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.3VA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.3XA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3XB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XC | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XD | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.3XE | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3XF | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XG | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3XI | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| 12.3XJ | Vulnerable; first fixed in 12.3YX | 12.3(14)YX14 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XL | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XQ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.3XR | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XS | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XU | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3XW | Vulnerable; first fixed in 12.3YX | 12.3(14)YX14 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XX | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XY | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XZ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YA | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YD | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3YF | Vulnerable; first fixed in 12.3YX | 12.3(14)YX14 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YG | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YH | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YI | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YJ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3YM | 12.3(14)YM13 | 12.3(14)YM13 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YQ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YS | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YT | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3YU | Vulnerable; first fixed in 12.4XB | 12.4(22)T1 |
|------------+-------------------------------------+----------------|
| 12.3YX | 12.3(14)YX14 | 12.3(14)YX14 |
|------------+-------------------------------------+----------------|
| 12.3YZ | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3ZA | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|------------+-------------------------------------+----------------|
| | 12.4(23) | 12.4(18e) |
| | | |
| 12.4 | 12.4(18e) | 12.4(23a); |
| | | Available on |
| | 12.4(23a); Available on 30-APR-2009 | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.4JA | 12.4(16b)JA1 | |
|------------+-------------------------------------+----------------|
| 12.4JDA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4JK | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4JL | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4JMA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4JMB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4JX | Vulnerable; first fixed in 12.4JA | |
|------------+-------------------------------------+----------------|
| 12.4MD | 12.4(11)MD7 | 12.4(11)MD7 |
|------------+-------------------------------------+----------------|
| 12.4MR | 12.4(19)MR1 | 12.4(19)MR2 |
|------------+-------------------------------------+----------------|
| 12.4SW | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | 12.4(15)T8 | |
| | | 12.4(22)T1 |
| | 12.4(20)T2 | |
| 12.4T | | 12.4(15)T9; |
| | 12.4(22)T | Available on |
| | | 29-APR-2009 |
| | 12.4(15)T9; Available on | |
| | 29-APR-2009 | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XA | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | 12.4(15)T8 | |
| 12.4XB | | 12.4(15)T9; |
| | 12.4(20)T2 | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XC | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | 12.4(4)XD12; Available on | 12.4(4)XD12; |
| 12.4XD | 27-MAR-2009 | Available on |
| | | 27-MAR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XE | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XF | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | 12.4(15)T8 | 12.4(22)T1 |
| | | |
| 12.4XG | 12.4(20)T2 | 12.4(15)T9; |
| | | Available on |
| | 12.4(22)T1 | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XJ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.4XL | 12.4(15)XL4 | 12.4(15)XL4 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XM | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.4XN | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4XP | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4XQ | 12.4(15)XQ2 | 12.4(15)XQ2 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XR | 12.4(15)XR4 | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XT | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.4XV | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4XW | 12.4(11)XW10 | 12.4(11)XW10 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XY | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.4XZ | 12.4(15)XZ2 | 12.4(15)XZ2 |
|------------+-------------------------------------+----------------|
| 12.4YA | 12.4(20)YA2 | 12.4(20)YA3 |
|------------+-------------------------------------+----------------|
| 12.4YB | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.4YD | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
The following mitigations have been identified for this
vulnerability; only packets destined for any configured IP address on
the device can exploit this vulnerability. Transit traffic will not
exploit this vulnerability.
Disable Affected Listening Ports
+-------------------------------
If an affected feature is not required it can be explicitly disabled.
Once disabled confirm the listening UDP port has been closed by
entering the CLI command "show udp" or "show ip socket". Some
features may require a reload of the device after disabling the
feature in order to close the listening UDP port.
For SIP it is possible to disable UDP listening if only TCP services
are required. The following example shows how to disable SIP from
listening on its associated UDP port.
Warning: When applying this workaround to devices that are processing
MGCP or H.323 calls, the device will not allow the stopping SIP
processing while active calls are being processed. When possible,
this workaround should be implemented during a maintenance window
when active calls can be briefly stopped.
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#sip-ua
Router(config-sip-ua)#no transport udp
Router(config-sip-ua)#end
For SIP it is possible to bind the process to a privately-addressed
interface, with the command below. This will cause SIP to only listen
on the internal interface, which may assist in limiting the exposure
of this vulnerability:
voice service voip
sip
bind control source-interface <int>
bind media source-interface <int>
Infrastructure Access Control Lists
+----------------------------------
Warning: Because the features in this vulnerability utilize UDP as a
transport, it is possible to spoof the sender's IP address, which may
defeat ACLs that permit communication to these ports from trusted IP
addresses. Unicast RPF should be considered to be used in conjunction
to offer a better mitigation solution.
Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic at
the border of networks. Infrastructure Access Control Lists (iACLs)
are a network security best practice and should be considered as a
long-term addition to good network security as well as a workaround
for this specific vulnerability. The iACL example below should be
included as part of the deployed infrastructure access-list which
will protect all devices with IP addresses in the infrastructure IP
address range:
!--- Only sections pertaining to features enabled on the device
!--- need be configured.
!---
!---
!--- Feature: IP SLAs UDP Responder
!---
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 1967
!--- Deny IP SLAs UDP Responder traffic from all other sources
!--- destined to infrastructure addresses.
access-list 150 deny udp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 1967
!---
!--- Feature: Session Initiation Protocol (SIP)
!---
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 5060
!--- Deny SIP traffic from all other sources destined
!--- to infrastructure addresses.
access-list 150 deny udp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 5060
!---
!--- Feature: H.323 Call Signaling
!---
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 2517
!--- Deny H.323 Call Signaling traffic from all other sources
!--- destined to infrastructure addresses.
access-list 150 deny udp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 2517
!---
!--- Feature: Media Gateway Control Protocol (MGCP)
!---
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 2427
!--- Deny MGCP traffic from all other sources destined
!--- to infrastructure addresses.
access-list 150 deny udp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 2427
!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and
!--- configurations. Permit all other traffic to transit the
!--- device.
access-list 150 permit ip any any
!--- Apply access-list to all interfaces (only one example
!--- shown)
interface serial 2/0
ip access-group 150 in
The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended
deployment techniques for infrastructure protection access lists and
is available at the following link
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
Control Plane Policing
+---------------------
Warning: Because the features in this vulnerability utilizes UDP as a
transport, it is possible to spoof the sender's IP address, which may
defeat ACLs that permit communication to these ports from trusted IP
addresses. Unicast RPF should be considered to be used in conjunction
to offer better mitigation solution.
Control Plane Policing (CoPP) can be used to block untrusted UDP
traffic to the device. Cisco IOS software releases 12.0S, 12.2SX,
12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP can be
configured on a device to protect the management and control planes
and minimize the risk and effectiveness of direct infrastructure
attacks by explicitly permitting only authorized traffic that is sent
to infrastructure devices in accordance with existing security
policies and configurations. The CoPP example below should be
included as part of the deployed CoPP which will protect all devices
with IP addresses in the infrastructure IP address range.
!---
!--- Only sections pertaining to features enabled on the device
!--- need be configured.
!---
!---
!--- Feature: IP SLAs UDP Responder
!---
access-list 150 deny udp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 1967
!---
!--- Deny IP SLAs UDP Responder traffic from all other sources
!--- destined to the device control plane.
!---
access-list 150 permit udp any any eq 1967
!---
!--- Feature: Session Initiation Protocol (SIP)
!---
access-list 150 deny udp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 5060
!---
!--- Deny SIP traffic from all other sources destined
!--- to the device control plane.
!---
access-list 150 permit udp any any eq 5060
!---
!--- Feature: H.323 Call Signaling
!---
access-list 150 deny udp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 2517
!---
!--- Deny H.323 call signaling traffic from all other sources
!--- destined to the device control plane.
!---
access-list 150 permit udp any any eq 2517
!---
!--- Feature: Media Gateway Control Protocol (MGCP)
!---
access-list 150 deny udp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 2427
!---
!--- Deny MGCP traffic from all other sources destined
!--- to the device control plane.
!---
access-list 150 permit udp any any eq 2427
!---
!--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and
!--- Layer4 traffic in accordance with existing security policies
!--- and configurations for traffic that is authorized to be sent
!--- to infrastructure devices
!--- Create a Class-Map for traffic to be policed by
!--- the CoPP feature
!---
class-map match-all drop-udp-class
match access-group 150
!---
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.
!---
policy-map drop-udp-traffic
class drop-udp-class
drop
!---
!--- Apply the Policy-Map to the
!--- Control-Plane of the device
!---
control-plane
service-policy input drop-udp-traffic
In the above CoPP example, the access control list entries (ACEs)
that match the potential exploit packets with the "permit" action
result in these packets being discarded by the policy-map "drop"
function, while packets that match the "deny" action (not shown) are
not affected by the policy-map drop function. Please note that the
policy-map syntax is different in the 12.2S and 12.0S Cisco IOS
trains:
policy-map drop-udp-traffic
class drop-udp-class
police 32000 1500 1500 conform-action drop exceed-action drop
Additional information on the configuration and use of the CoPP
feature can be found in the documents, "Control Plane Policing
Implementation Best Practices" and "Cisco IOS Software Releases
12.2S - Control Plane Policing" at the following links:
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
and
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html
Additional mitigations that can be deployed on Cisco devices within
the network are available in the "Cisco Applied Mitigation Bulletin"
companion document for this advisory at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090325-sip-and-udp.shtml
Exploit Detection
+----------------
It is possible to detect blocked interface queues with an Cisco IOS
Embedded Event Manager (EEM) policy. EEM provides event detection and
reaction capabilities on a Cisco IOS device. EEM can alert
administrators of blocked interfaces with email, a syslog message, or
a Simple Network Management Protocol (SNMP) trap.
A sample EEM policy that uses syslog to alert administrators of
blocked interfaces is available at Cisco Beyond, an online community
dedicated to EEM. A sample script is available at the following link:
http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=981
Further information about EEM is available from Cisco.com at the
following link:
http://www.cisco.com/en/US/products/ps6815/products_ios_protocol_group_home.htm
Obtaining Fixed Software
========================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was discovered by Cisco during routine internal
testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-March-25 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAknKUdAACgkQ86n/Gc8U/uB5UACfTuBFTIs6/V/FKPdLnLYCvGXF
CyIAn3XqDhmEqM24yznj0IHjMPpGQ7Y2
=mpQF
- -----END PGP SIGNATURE-----
_______________________________________________
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Multiple Features Crafted
TCP Sequence Vulnerability
Advisory ID: cisco-sa-20090325-tcp
http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
Revision 1.0
For Public Release 2009 March 25 1600 UTC (GMT)
- - ---------------------------------------------------------------------
Summary
=======
Cisco IOS Software contains a vulnerability in multiple features
that could allow an attacker to cause a denial of service (DoS)
condition on the affected device. A sequence of specially crafted TCP
packets can cause the vulnerable device to reload.
Cisco has released free software updates that address this
vulnerability.
Several mitigation strategies are outlined in the workarounds section
of this advisory.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
Note: The March 25, 2009, Cisco IOS Security Advisory bundled
publication includes eight Security Advisories. All of the advisories
address vulnerabilities in Cisco IOS Software. Each advisory lists
the releases that correct the vulnerability or vulnerabilities in the
advisory. The following table lists releases that correct all Cisco
IOS Software vulnerabilities that have been published in Cisco
Security Advisories on March 25, 2009, or earlier.
http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml
Individual publication links are listed below:
* Cisco IOS cTCP Denial of Service Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
* Cisco IOS Software Multiple Features IP Sockets Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
* Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
* Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
* Cisco IOS Software Session Initiation Protocol Denial of Service
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
* Cisco IOS Software Multiple Features Crafted TCP Sequence
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
* Cisco IOS Software Multiple Features Crafted UDP Packet
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
* Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
Affected Products
=================
Vulnerable Products
+------------------
Devices running affected versions of Cisco IOS Software and Cisco IOS
XE Software are affected when configured to use any of the following
features within Cisco IOS:
* Airline Product Set (ALPS)
* Serial Tunnel Code (STUN) and Block Serial Tunnel Code (BSTUN)
* Native Client Interface Architecture support (NCIA)
* Data-link switching (DLSw)
* Remote Source-Route Bridging (RSRB)
* Point to Point Tunneling Protocol (PPTP)
* X.25 for Record Boundary Preservation (RBP)
* X.25 over TCP (XOT)
* X.25 Routing
Information on how to determine whether an affected feature is
enabled on a device are provided in the Details section of this
advisory.
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
"show version" command to display the system banner. The system
banner confirms that the device is running Cisco IOS Software by
displaying text similar to "Cisco Internetwork Operating System
Software" or "Cisco IOS Software." The image name displays in
parentheses, followed by "Version" and the Cisco IOS Software release
name. Other Cisco devices do not have the "show version" command or
may provide different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE
(fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
<output truncated>
The following example shows a product that is running Cisco IOS
Software Release 12.4(20)T with an image name of
C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M),
Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
<output truncated>
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html .
Products Confirmed Not Vulnerable
+--------------------------------
The following product and feature have been confirmed not vulnerable:
* Cisco IOS XR Software
* BGP is not affected
No other Cisco products or features configured within Cisco IOS
Software are currently known to be affected by this vulnerability.
Details
=======
Completion of the 3-way handshake to the associated TCP port number
(s) of any of the features outlined below is required in order for
the vulnerability to be successfully exploited.
Airline Product Set (ALPS)
+-------------------------
Devices configured for ALPS are vulnerable. The default TCP listening
ports for ALPS are 350 and 10000. The following example shows a
vulnerable ALPS configuration:
alps local-peer <ip address>
Further information about ALPS is available in "Cisco IOS Bridging
and IBM Networking Configuration Guide, Release 12.2 - Configuring
the Airline Product Set" at the following link
http://www.cisco.com/en/US/docs/ios/12_2/ibm/configuration/guide/bcfalps_ps1835_TSD_Products_Configuration_Guide_Chapter.html
Serial Tunnel Code (STUN) and Block Serial Tunneling (BSTUN)
+-----------------------------------------------------------
Devices configured for either STUN or BSTUN are vulnerable. The
default listening TCP ports for STUN are 1990,1991 1992 and 1994. The
default listening TCP ports for BSTUN are 1963, 1976, 1977, 1978 and
1979 The following example shows a vulnerable STUN configuration:
interface serial 0/0/0
encapsulation stun
The following example shows a vulnerable BSTUN configuration:
interface serial 0/0/0
encapsulation bstun
Further information about STUN and BSTUN is available in "Cisco IOS
Bridging and IBM Networking Configuration Guide, Release 12.2 -
Configuring Serial Tunnel and Block Serial Tunnel" at the following
link
http://www.cisco.com/en/US/docs/ios/12_2/ibm/configuration/guide/bcfstun_ps1835_TSD_Products_Configuration_Guide_Chapter.html
Native Client Interface Architecture support (NCIA)
+--------------------------------------------------
Devices configured for NCIA are vulnerable, because of the underlying
transport they will use. The default listening TCP ports will be
dependent on the protocol used with NCIA, such as RSRB or DSLw. The
following examples shows a vulnerable configuration:
ncia server 1 10.66.91.138 0000.1111.2222 2222.2222.2222 1
Further information about NCIA is available in "Cisco IOS Bridging
and IBM Networking Configuration Guide, Release 12.4 - Configuring
NCIA Client/Server" at the following link
http://www.cisco.com/en/US/docs/ios/bridging/configuration/guide/br_ncia_client_svr_ps6350_TSD_Products_Configuration_Guide_Chapter.html
Data-link switching (DLSw)
+-------------------------
Devices configured for DLSw are vulnerable. The default listening TCP
ports for DSLw are 2065, 2067, 1981, 1982 and 1983. The following
example shows a vulnerable configuration:
dlsw local-peer peer-id <ip address>
Devices configured with either FST Encapsulation or Direct
Encapsulation are still vulnerable as the affected TCP ports are
opened by the "dslw local-peer peer-id ip address" command.
Further information about DLSw is available in "Cisco IOS Bridging
and IBM Networking Configuration Guide, Release 12.4 - Configuring
Data-Link Switching Plus" at the following link
http://www.cisco.com/en/US/docs/ios/bridging/configuration/guide/br_dlsw_plus_ps6350_TSD_Products_Configuration_Guide_Chapter.html
Remote Source-Route Bridging (RSRB)
+----------------------------------
Devices configured for RSRB Using IP Encapsulation over a TCP
connection are vulnerable. The default listening TCP ports for RSRB
are 1996,1987, 1988 and 1989. The following example shows a
vulnerable configuration:
source-bridge ring-group 10
source-bridge remote-peer 10 tcp <ip address>
Devices configured with either RSRB Using Direct Encapsulation or
RSRB Using IP Encapsulation over an FST Connection are not affected.
Further information about RSRB is available in "Cisco IOS Bridging
and IBM Networking Configuration Guide, Release 12.2 - Configuring
Remote Source-Route Bridging" at the following link
http://www.cisco.com/en/US/docs/ios/12_2/ibm/configuration/guide/bcfrsrb_ps1835_TSD_Products_Configuration_Guide_Chapter.html
Point to Point Tunneling Protocol (PPTP)
+---------------------------------------
Devices configured for PPTP are vulnerable. The default listening TCP
port for PPTP is 1723. The following examples shows a vulnerable
configuration:
vpdn enable
!
vpdn-group pptp
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
Or
vpdn enable
!
vpdn-group L2_Tunneling
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 1
Further information about PPTP is available in "Cisco IOS VPDN
Configuration Guide, Release 12.4 - Configuring Client-Initiated
Dial-In VPDN Tunneling" at the following link
http://www.cisco.com/en/US/docs/ios/vpdn/configuration/guide/client_init_dial-in_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1105140
X.25 Record Boundary Preservation (RBP)
+--------------------------------------
Devices configured for RBP are vulnerable. The listening TCP port is
configured with the "local port port_number" CLI command, as shown in
the next examples. The following examples shows vulnerable
configurations. The first leverages switched virtual circuits (SVC):
interface Serial1/0
x25 map rbp 1111 local port <port_number>
The second example, leverages a permanent virtual circuit (PVC):
interface Serial1/0
x25 map pvc <pvc_number> rbp local port <port_number>
Further information about RBP is available in "Cisco IOS Wide-Area
Networking Configuration Guide, Release 12.4 - X.25 Record Boundary
Preservation for Data Communications Networks" at the following link
http://www.cisco.com/en/US/docs/ios/wan/configuration/guide/wan_x25_rbp_dcn_ps6350_TSD_Products_Configuration_Guide_Chapter.html
X.25 over TCP (XOT)
+------------------
Devices configured for XOT are vulnerable. The default listening TCP
port for XOT is 1998. The following example shows a vulnerable
configuration.
xot access-group 1
and a corresponding access-list 1.
Further information about XOT is available in "Cisco IOS Wide-Area
Networking Configuration Guide, Release 12.4 - X.25 over TCP
Profiles" at the following link
http://www.cisco.com/en/US/docs/ios/wan/configuration/guide/wan_x25otcp_pro_ps6350_TSD_Products_Configuration_Guide_Chapter.html
X25 Routing
+----------
Devices configured with X25 are vulnerable. The default listening TCP
port for X25 Routing is 1998. The following example shows a
vulnerable configuration.
x25 routing
Further information about X25 is available in "Cisco IOS Wide-Area
Networking Configuration Guide, Release 12.4 - Configuring X.25 and
LAPB" at the following link
http://www.cisco.com/en/US/docs/ios/wan/configuration/guide/wan_cfg_x25_lapb_ps6350_TSD_Products_Configuration_Guide_Chapter.html
This vulnerability is documented in the following Cisco Bug ID:
CSCsr29468 and has been assigned the Common Vulnerabilities and
Exposures (CVE) identifier CVE-2009-0629.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsr29468: Cisco IOS Software Multiple Features Crafted TCP Sequence
Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of this vulnerability will cause the device
to reload. Repeated attempts to exploit this vulnerability could
result in a sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+------------------------------------------------------|
| Affected | | |
| 12.0-Based | First Fixed Release | Recommended Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected | | |
| 12.1-Based | First Fixed Release | Recommended Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | | |
| 12.2-Based | First Fixed Release | Recommended Release |
| Releases | | |
|------------+-----------------------------+------------------------|
| 12.2 | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2B | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2BC | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2BW | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2BX | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2BY | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2BZ | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2CX | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2CY | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2CZ | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2DA | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2DD | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2DX | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2EW | Vulnerable; first fixed in | 12.2(31)SGA9 |
| | 12.2SG | |
|------------+-----------------------------+------------------------|
| 12.2EWA | Vulnerable; first fixed in | 12.2(31)SGA9 |
| | 12.2SG | |
|------------+-----------------------------+------------------------|
| | Releases prior to 12.2(44) | |
| | EX are vulnerable, release | |
| 12.2EX | 12.2(44)EX and later are | 12.2(44)SE6 |
| | not vulnerable; first fixed | |
| | in 12.2SE | |
|------------+-----------------------------+------------------------|
| 12.2EY | 12.2(44)EY | 12.2(44)SE6 |
|------------+-----------------------------+------------------------|
| 12.2EZ | Vulnerable; first fixed in | 12.2(44)SE6 |
| | 12.2SE | |
|------------+-----------------------------+------------------------|
| 12.2FX | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2FY | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2FZ | Vulnerable; first fixed in | 12.2(44)SE6 |
| | 12.2SE | |
|------------+-----------------------------+------------------------|
| | Vulnerable; first fixed in | 12.2(33)SRC4; |
| 12.2IRA | 12.2SRC | Available on |
| | | 18-MAY-2009 |
|------------+-----------------------------+------------------------|
| | Vulnerable; first fixed in | 12.2(33)SRC4; |
| 12.2IRB | 12.2SRC | Available on |
| | | 18-MAY-2009 |
|------------+-----------------------------+------------------------|
| 12.2IXA | Vulnerable; migrate to any | 12.2(18)IXH; Available |
| | release in 12.2IXH | on 31-MAR-2009 |
|------------+-----------------------------+------------------------|
| 12.2IXB | Vulnerable; migrate to any | 12.2(18)IXH; Available |
| | release in 12.2IXH | on 31-MAR-2009 |
|------------+-----------------------------+------------------------|
| 12.2IXC | Vulnerable; migrate to any | 12.2(18)IXH; Available |
| | release in 12.2IXH | on 31-MAR-2009 |
|------------+-----------------------------+------------------------|
| 12.2IXD | Vulnerable; migrate to any | 12.2(18)IXH; Available |
| | release in 12.2IXH | on 31-MAR-2009 |
|------------+-----------------------------+------------------------|
| 12.2IXE | Vulnerable; migrate to any | 12.2(18)IXH; Available |
| | release in 12.2IXH | on 31-MAR-2009 |
|------------+-----------------------------+------------------------|
| 12.2IXF | Vulnerable; migrate to any | 12.2(18)IXH; Available |
| | release in 12.2IXH | on 31-MAR-2009 |
|------------+-----------------------------+------------------------|
| 12.2IXG | Vulnerable; migrate to any | 12.2(18)IXH; Available |
| | release in 12.2IXH | on 31-MAR-2009 |
|------------+-----------------------------+------------------------|
| 12.2JA | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2JK | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2MB | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2MC | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2S | Vulnerable; first fixed in | 12.2(33)SB4 |
| | 12.2SB | |
|------------+-----------------------------+------------------------|
| | 12.2(33)SB3 | |
| | | |
| 12.2SB | 12.2(28)SB13 | 12.2(33)SB4 |
| | | |
| | 12.2(31)SB14 | |
|------------+-----------------------------+------------------------|
| 12.2SBC | Vulnerable; first fixed in | 12.2(33)SB4 |
| | 12.2SB | |
|------------+-----------------------------+------------------------|
| 12.2SCA | Vulnerable; first fixed in | 12.2(33)SCB1 |
| | 12.2SCB | |
|------------+-----------------------------+------------------------|
| 12.2SCB | 12.2(33)SCB1 | 12.2(33)SCB1 |
|------------+-----------------------------+------------------------|
| | 12.2(46)SE2 | |
| | | |
| 12.2SE | 12.2(50)SE | 12.2(44)SE6 |
| | | |
| | 12.2(44)SE5 | |
|------------+-----------------------------+------------------------|
| 12.2SEA | Vulnerable; first fixed in | 12.2(44)SE6 |
| | 12.2SE | |
|------------+-----------------------------+------------------------|
| 12.2SEB | Vulnerable; first fixed in | 12.2(44)SE6 |
| | 12.2SE | |
|------------+-----------------------------+------------------------|
| 12.2SEC | Vulnerable; first fixed in | 12.2(44)SE6 |
| | 12.2SE | |
|------------+-----------------------------+------------------------|
| 12.2SED | Vulnerable; first fixed in | 12.2(44)SE6 |
| | 12.2SE | |
|------------+-----------------------------+------------------------|
| 12.2SEE | Vulnerable; first fixed in | 12.2(44)SE6 |
| | 12.2SE | |
|------------+-----------------------------+------------------------|
| 12.2SEF | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| | Releases prior to 12.2(25) | |
| | SEG4 are vulnerable, | |
| 12.2SEG | release 12.2(25)SEG4 and | 12.2(44)SE6 |
| | later are not vulnerable; | |
| | first fixed in 12.2SE | |
|------------+-----------------------------+------------------------|
| 12.2SG | 12.2(50)SG | 12.2(52)SG; Available |
| | | on 15-MAY-2009 |
|------------+-----------------------------+------------------------|
| 12.2SGA | 12.2(31)SGA9 | 12.2(31)SGA9 |
|------------+-----------------------------+------------------------|
| 12.2SL | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2SM | Vulnerable; contact TAC | |
|------------+-----------------------------+------------------------|
| 12.2SO | Vulnerable; contact TAC | |
|------------+-----------------------------+------------------------|
| 12.2SQ | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| | Vulnerable; first fixed in | 12.2(33)SRC4; |
| 12.2SRA | 12.2SRC | Available on |
| | | 18-MAY-2009 |
|------------+-----------------------------+------------------------|
| | | 12.2(33)SRB5a; |
| | | Available on |
| 12.2SRB | Vulnerable; first fixed in | 3-April-2009 12.2(33) |
| | 12.2SRC | SRC4; Available on |
| | | 18-MAY-2009 12.2(33) |
| | | SRD1 |
|------------+-----------------------------+------------------------|
| | | 12.2(33)SRC4; |
| 12.2SRC | 12.2(33)SRC3 | Available on |
| | | 18-MAY-2009 12.2(33) |
| | | SRD1 |
|------------+-----------------------------+------------------------|
| 12.2SRD | 12.2(33)SRD1 | 12.2(33)SRD1 |
|------------+-----------------------------+------------------------|
| 12.2STE | Vulnerable; contact TAC | |
|------------+-----------------------------+------------------------|
| 12.2SU | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2SV | Vulnerable; contact TAC | |
|------------+-----------------------------+------------------------|
| 12.2SVA | Vulnerable; contact TAC | |
|------------+-----------------------------+------------------------|
| 12.2SVC | Vulnerable; contact TAC | |
|------------+-----------------------------+------------------------|
| 12.2SVD | Vulnerable; contact TAC | |
|------------+-----------------------------+------------------------|
| 12.2SVE | Vulnerable; contact TAC | |
|------------+-----------------------------+------------------------|
| 12.2SW | Vulnerable; migrate to any | |
| | release in 12.4SW | |
|------------+-----------------------------+------------------------|
| 12.2SX | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2SXA | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2SXB | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2SXD | Vulnerable; first fixed in | 12.2(18)SXF16 |
| | 12.2SXF | |
|------------+-----------------------------+------------------------|
| 12.2SXE | Vulnerable; first fixed in | 12.2(18)SXF16 |
| | 12.2SXF | |
|------------+-----------------------------+------------------------|
| 12.2SXF | 12.2(18)SXF16 | 12.2(18)SXF16 |
|------------+-----------------------------+------------------------|
| | 12.2(33)SXH5; Available on | 12.2(33)SXH5; |
| 12.2SXH | 20-APR-2009 | Available on |
| | | 20-APR-2009 |
|------------+-----------------------------+------------------------|
| 12.2SXI | 12.2(33)SXI1 | 12.2(33)SXI1 |
|------------+-----------------------------+------------------------|
| 12.2SY | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2SZ | Vulnerable; first fixed in | 12.2(33)SB4 |
| | 12.2SB | |
|------------+-----------------------------+------------------------|
| 12.2T | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2TPC | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XA | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XB | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XC | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XD | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XE | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XF | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XG | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XH | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XI | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XJ | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XK | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XL | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XM | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| | Vulnerable; first fixed in | 12.2(33)SB4 |
| 12.2XN | 12.2SRC | |
| | | 12.2(33)SRD1 |
|------------+-----------------------------+------------------------|
| 12.2XNA | Vulnerable; first fixed in | 12.2(33)SRD1 |
| | 12.2SRD | |
|------------+-----------------------------+------------------------|
| 12.2XNB | 12.2(33)XNB1 | 12.2(33)XNB3 |
|------------+-----------------------------+------------------------|
| 12.2XNC | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XO | 12.2(46)XO | 12.2(46)XO |
|------------+-----------------------------+------------------------|
| 12.2XQ | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XR | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XS | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XT | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XU | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XV | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2XW | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YA | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YB | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YC | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YD | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YE | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YF | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YG | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YH | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YJ | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YK | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YL | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YM | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YN | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YO | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YP | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YQ | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YR | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YS | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YT | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YU | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YV | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YW | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YX | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YY | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2YZ | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2ZA | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2ZB | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2ZC | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2ZD | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2ZE | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2ZF | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2ZG | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2ZH | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2ZJ | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2ZL | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.2ZP | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| | Vulnerable; first fixed in | 12.2(33)SXH5; |
| 12.2ZU | 12.2SXH | Available on |
| | | 20-APR-2009 |
|------------+-----------------------------+------------------------|
| 12.2ZX | Vulnerable; first fixed in | 12.2(33)SB4 |
| | 12.2SB | |
|------------+-----------------------------+------------------------|
| 12.2ZY | Vulnerable; contact TAC | |
|------------+-----------------------------+------------------------|
| 12.2ZYA | 12.2(18)ZYA1 | 12.2(18)ZYA1 |
|------------+-----------------------------+------------------------|
| Affected | | |
| 12.3-Based | First Fixed Release | Recommended Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | | |
| 12.4-Based | First Fixed Release | Recommended Release |
| Releases | | |
|------------+-----------------------------+------------------------|
| 12.4 | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4JA | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4JDA | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4JK | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4JL | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4JMA | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4JMB | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4JX | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| | 12.4(15)MD2 | |
| | | |
| 12.4MD | Releases prior to 12.4(11) | 12.4(11)MD7 |
| | MD6 are not vulnerable, | |
| | releases 12.4(15)MD and | |
| | later are vulnerable. | |
|------------+-----------------------------+------------------------|
| | 12.4(19)MR1 | |
| | | |
| 12.4MR | Releases prior to 12.4(16) | 12.4(19)MR2 |
| | MR2 are not vulnerable, | |
| | releases 12.4(19)MR and | |
| | later are vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4SW | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| | 12.4(22)T | |
| | | 12.4(22)T1 |
| 12.4T | 12.4(20)T2 | |
| | | 12.4(15)T9; Available |
| | Releases prior to 12.4(20)T | on 29-APR-2009 |
| | are NOT vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4XA | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4XB | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4XC | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4XD | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4XE | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4XF | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4XG | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4XJ | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4XK | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4XL | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4XM | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4XN | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4XP | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4XQ | 12.4(15)XQ2 | 12.4(15)XQ2 |
|------------+-----------------------------+------------------------|
| | | 12.4(22)T1 |
| 12.4XR | 12.4(15)XR4 | |
| | | 12.4(15)T9; Available |
| | | on 29-APR-2009 |
|------------+-----------------------------+------------------------|
| 12.4XT | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4XV | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4XW | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| | | 12.4(22)T1 |
| 12.4XY | 12.4(15)XY4 | |
| | | 12.4(15)T9; Available |
| | | on 29-APR-2009 |
|------------+-----------------------------+------------------------|
| 12.4XZ | 12.4(15)XZ2 | 12.4(15)XZ2 |
|------------+-----------------------------+------------------------|
| 12.4YA | 12.4(20)YA2 | 12.4(20)YA3 |
|------------+-----------------------------+------------------------|
| 12.4YB | Not Vulnerable | |
|------------+-----------------------------+------------------------|
| 12.4YD | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
The following mitigations have been identified for this
vulnerability, which may help protect an infrastructure until an
upgrade to a fixed version of Cisco IOS software can be scheduled:
Infrastructure Access Control Lists
+----------------------------------
Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic at
the border of networks. Infrastructure Access Control Lists (iACLs)
are a network security best practice and should be considered as a
long-term addition to good network security as well as a workaround
for these specific vulnerabilities. The iACL example below should be
included as part of the deployed infrastructure access-list which
will protect all devices with IP addresses in the infrastructure IP
address range:
!---
!--- Only sections pertaining to features enabled on the device
!--- need be configured.
!---
!--- Feature: ALPS
!---
access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 350
access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 10000
!---
!--- Deny ALPS TCP traffic from all other sources destined
!--- to infrastructure addresses.
!---
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 350
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 10000
!---
!--- Feature: STUN
!---
access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 1994
access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD range 1990 1992
!---
!--- Deny STUN TCP traffic from all other sources destined
!--- to infrastructure addresses.
!---
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 1994
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD range 1990 1992
!---
!--- Feature: BSTUN
!---
access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 1963
access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD range 1976 1979
!---
!--- Deny BSTUN TCP traffic from all other sources destined
!--- to infrastructure addresses.
!---
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 1963
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD range 1976 1979
!---
!--- Feature: NCIA
!---
!---
!--- Leverage the underlying protocols, DLSw, RSRB, etc.
!---
!---
!--- Feature: DLSW
!---
access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 2065
access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 2067
access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD range 1981 1983
!---
!--- Deny DLSW TCP traffic from all other sources destined
!--- to infrastructure addresses.
!---
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 2065
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 2067
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD range 1981 1983
!---
!--- Feature: RSRB
!---
access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD range 1987 1989
access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 1996
!---
!--- Deny RSRB TCP traffic from all other sources destined
!--- to infrastructure addresses.
!---
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD range 1987 1989
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 1996
!---
!--- Feature: PPTP
!---
access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 1723
!---
!--- Deny PPTP TCP traffic from all other sources destined
!--- to infrastructure addresses.
!---
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 1723
!---
!--- Feature: RBP
!---
!--- RBP will listen for TCP connections on the configured port
!--- as per "local port <port_number>". The following example
!--- uses port 1055
!---
access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 1055
!---
!--- Deny RBP traffic from all other sources destined
!--- to infrastructure addresses.
!---
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 1055
!---
!--- Feature: XOT and X.25 Routing
!---
access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 1998
!---
!--- Deny XOT and X25 TCP traffic from all other sources
!--- destined to infrastructure addresses.
!---
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 1998
!---
!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and
!--- configurations Permit all other traffic to transit the
!--- device.
!---
access-list 150 permit ip any any
!---
!--- Apply access-list to all interfaces (only one example
!--- shown)
!---
interface serial 2/0
ip access-group 150 in
The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended
deployment techniques for infrastructure protection access lists.
This white paper can be obtained at the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
Receive ACLs (rACL)
+------------------
For distributed platforms, Receive ACLs may be an option starting in
Cisco IOS Software Versions 12.0(21)S2 for the 12000 (GSR), 12.0(24)S
for the 7500, and 12.0(31)S for the 10720. The Receive ACL protects
the device from harmful traffic before the traffic can impact the
route processor. Receive ACLs are designed to only protect the device
on which it is configured. On the 12000, 7500, and 10720, transit
traffic is never affected by a receive ACL. Because of this, the
destination IP address "any" used in the example ACL entries below
only refer to the router's own physical or virtual IP addresses.
Receive ACLs are considered a network security best practice, and
should be considered as a long-term addition to good network
security, as well as a workaround for this specific vulnerability.
The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended
deployment techniques for infrastructure protection access lists.
This white paper can be obtained at the following link
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a0a5e.shtml
The following is the receive path ACL written to permit this type of
traffic from trusted hosts:
!---
!--- Only sections pertaining to features enabled on the device
!--- need be configured.
!---
!---
!--- Permit ALPS traffic from trusted hosts allowed to the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 350
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 10000
!---
!--- Deny ALPS traffic from all other sources to the RP.
!---
access-list 150 deny tcp any any eq 350
access-list 150 deny tcp any any eq 10000
!---
!--- Permit STUN traffic from trusted hosts allowed to the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 1994
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any range 1990 1992
!---
!--- Deny STUN traffic from all other sources to the RP.
!---
access-list 150 deny tcp any any eq 1994
access-list 150 deny tcp any any eq range 1990 1992
!---
!--- Permit BSTUN traffic from trusted hosts allowed to the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 1963
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any range 1976 1979
!---
!--- Deny BSTUN traffic from all other sources to the RP.
!---
access-list 150 deny tcp any any eq 1963
access-list 150 deny tcp any any eq range 1976 1979
!---
!--- Permit DLSw from trusted hosts allowed to the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 2065
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 2067
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any range 1981 1983
!---
!--- Deny DLSw all other sources to the RP.
!---
access-list 150 deny tcp any any eq 2065
access-list 150 deny tcp any any eq 2067
access-list 150 deny tcp any any range 1981 1983
!---
!--- Permit RSRB traffic from trusted hosts allowed to the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 1996
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any range 1987 1989
!---
!--- Deny RSRB traffic from all other sources to the RP.
!---
access-list 150 deny tcp any any eq 1996
access-list 150 deny tcp any any range 1987 1989
!---
!--- Permit PPTP traffic from trusted hosts allowed to the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 1723
!---
!--- Deny PPTP traffic from all other sources to the RP.
!---
access-list 150 deny tcp any any eq 1723
!---
!--- Permit RBP traffic from trusted hosts allowed to the RP.
!--- RBP will listen for TCP connections on the configured port
!--- as per "local port <port_number>". The following example
!--- uses port 1055
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 1055
!---
!--- Deny RBP traffic from all other sources to the RP.
!---
access-list 150 deny tcp any any eq 1055
!---
!--- Permit XOT and X.25 Routing traffic from trusted hosts allowed
!--- to the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 1998
!---
!--- Deny XOT and X.25 Routing traffic from all other sources to
!--- the RP.
!---
access-list 150 deny tcp any any eq 1998
!--- Permit all other traffic to the RP.
!--- according to security policy and configurations.
access-list 150 permit ip any any
!--- Apply this access list to the 'receive' path.
ip receive access-list 150
Control Plane Policing
+---------------------
Control Plane Policing (CoPP) can be used to block the affected
features TCP traffic access to the device. Cisco IOS software
releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the
CoPP feature. CoPP can be configured on a device to protect the
management and control planes and minimize the risk and effectiveness
of direct infrastructure attacks by explicitly permitting only
authorized traffic that is sent to infrastructure devices in
accordance with existing security policies and configurations. The
CoPP example below should be included as part of the deployed CoPP
that will protect all devices with IP addresses in the infrastructure
IP address range.
!---
!--- Only sections pertaining to features enabled on the device
!--- need be configured.
!---
!--- Feature: ALPS
!---
access-list 150 deny tcp TRUSTED_HOSTS WILDCARD any eq 350
access-list 150 deny tcp TRUSTED_HOSTS WILDCARD any eq 10000
!---
!--- Permit ALPS traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so
!--- that it will be policed and dropped by the CoPP feature
!---
access-list 150 permit tcp any any eq 350
access-list 150 permit tcp any any eq 10000
!---
!--- Feature: STUN
!---
access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
any eq 1994
access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
any range 1990 1992
!---
!--- Permit STUN traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so
!--- that it will be policed and dropped by the CoPP feature
!---
access-list 150 permit tcp any any eq 1994
access-list 150 permit tcp any any range 1990 1992
!---
!--- Feature: BSTUN
!---
access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
any eq 1963
access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
any range 1976 1979
!---
!--- Permit BSTUN traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so
!--- that it will be policed and dropped by the CoPP feature
!---
access-list 150 permit tcp any any eq 1963
access-list 150 permit tcp any any range 1976 1979
!---
!--- Feature: NCIA
!---
!--- Leverage the underlying protocols, DLSw, RSRB, etc.
!---
!---
!--- Feature: DLSW
!---
access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
any eq 2065
access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
any eq 2067
access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
any range 1981 1983
!---
!--- Permit DLSW traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so
!--- that it will be policed and dropped by the CoPP feature
!---
access-list 150 permit tcp any any eq 2065
access-list 150 permit tcp any any eq 2067
access-list 150 permit tcp any any range 1981 1983
!---
!--- Feature: RSRB
!---
access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
any range 1987 1989
access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
any eq 1996
!---
!--- Permit RSRB traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so
!--- that it will be policed and dropped by the CoPP feature
!---
access-list 150 permit tcp any any range 1987 1989
access-list 150 permit tcp any any eq 1996
!---
!--- Feature: PPTP
!---
access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
any eq 1723
!---
!--- Permit PPTP traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so
!--- that it will be policed and dropped by the CoPP feature
!---
access-list 150 permit tcp any any eq 1723
!---
!--- Feature: RBP
!---
!--- RBP will listen for TCP connections on the configured port
!--- as per "local port <port_number>". The following example
!--- uses port 1055
access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
any eq 1055
!---
!--- Permit RBP traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so
!--- that it will be policed and dropped by the CoPP feature
!---
access-list 150 permit tcp any any eq 1055
!---
!--- Feature: XOT and X.25 Routing
!---
access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
any eq 1998
!---
!--- Permit XOT and X25 traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so
!--- that it will be policed and dropped by the CoPP feature
!---
access-list 150 permit tcp any any eq 1998
!---
!--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and
!--- Layer4 traffic in accordance with existing security policies
!--- configurations for traffic that is authorized to be sent
!--- and to infrastructure devices
!--- Create a Class-Map for traffic to be policed by
!--- the CoPP feature
!---
class-map match-all drop-tcp-class
match access-group 150
!---
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.
!---
policy-map drop-tcp-traffic
class drop-tcp-class
drop
!---
!--- Apply the Policy-Map to the
!--- Control-Plane of the device
!---
control-plane
service-policy input drop-tcp-traffic
In the above CoPP example, the access control list entries (ACEs)
that match the potential exploit packets with the "permit" action
result in these packets being discarded by the policy-map "drop"
function, while packets that match the "deny" action (not shown) are
not affected by the policy-map drop function. Please note that the
policy-map syntax is different in the 12.2S and 12.0S Cisco IOS
trains:
policy-map drop-tcp-traffic
class drop-tcp-class
police 32000 1500 1500 conform-action drop exceed-action drop
Additional information on the configuration and use of the CoPP
feature can be found in the documents, "Control Plane Policing
Implementation Best Practices" and "Cisco IOS Software Releases 12.2S
- - - Control Plane Policing" at the following links
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
and
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html
Additional mitigations that can be deployed on Cisco devices within
the network are available in the "Cisco Applied Mitigation Bulletin"
companion document for this advisory, at the following link
http://www.cisco.com/warp/public/707/cisco-amb-20090325-tcp-and-ip.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was found by Cisco internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-March-25 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAknKUb8ACgkQ86n/Gc8U/uCp1gCfS6aMv74rf1bDoby1JcGRFsN3
hpYAn1Oqp7nQxPwBrtptF3WM42HgGdIk
=NVYK
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Session Initiation
Protocol Denial of Service Vulnerability
Advisory ID: cisco-sa-20090325-sip
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
Revision 1.0
For Public Release 2009 March 25 1600 UTC (GMT)
- - ---------------------------------------------------------------------
Summary
=======
A vulnerability exists in the Session Initiation Protocol (SIP)
implementation in Cisco IOS Software that can be exploited remotely
to cause a reload of the Cisco IOS device.
Cisco has released free software updates that address this
vulnerability. There are no workarounds available to mitigate the
vulnerability apart from disabling SIP, if the Cisco IOS device does
not need to run SIP for VoIP services. However, mitigation techniques
are available to help limit exposure to the vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
Note: The March 25, 2009, Cisco IOS Security Advisory bundled
publication includes eight Security Advisories. All of the advisories
address vulnerabilities in Cisco IOS Software. Each advisory lists
the releases that correct the vulnerability or vulnerabilities in the
advisory. The following table lists releases that correct all Cisco
IOS Software vulnerabilities that have been published in Cisco
Security Advisories on March 25, 2009, or earlier.
http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml
Individual publication links are listed below:
* Cisco IOS cTCP Denial of Service Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
* Cisco IOS Software Multiple Features IP Sockets Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
* Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
* Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
* Cisco IOS Software Session Initiation Protocol Denial of Service
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
* Cisco IOS Software Multiple Features Crafted TCP Sequence
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
* Cisco IOS Software Multiple Features Crafted UDP Packet
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
* Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
Affected Products
=================
This vulnerability only affects devices running Cisco IOS Software
with SIP voice services enabled.
Vulnerable Products
+------------------
Cisco devices running affected Cisco IOS Software versions that
process SIP messages are affected. The only requirement for this
vulnerability is that the Cisco IOS device process SIP messages as
part of configured VoIP functionality. Note that this does not apply
to the processing of SIP messages as part of the NAT and firewall
feature sets.
Recent versions of Cisco IOS Software do not process SIP messages by
default. Creating a dial peer by way of the command dial-peer voice
will start the SIP processes and cause the Cisco IOS device to start
processing SIP messages. In addition, several features within Cisco
Unified Communications Manager Express, such as ePhones, once
configured will also automatically start the SIP process, which will
cause the device to start processing SIP messages. An example of an
affected configuration is as follows:
dial-peer voice <Voice dial-peer tag> voip
...
!
Note: Older versions of Cisco IOS Software were affected by a bug
that caused Cisco IOS Software to process SIP messages without being
configured for SIP operation. Refer to http://www.cisco.com/warp/
public/707/cisco-sa-20070131-sip.shtml for additional information on
Cisco bug ID CSCsb25337.
In addition to inspecting the Cisco IOS device configuration for a
dial-peer command that causes the device to process SIP messages,
administrators can also use the command show processes | include SIP
to determine whether Cisco IOS Software is running the processes that
handle SIP messages. In the following example, the presence of the
processes CCSIP_UDP_SOCKET and CCSIP_TCP_SOCKET indicates that the
Cisco IOS device is processing SIP messages:
Router#show processes | include SIP
147 Mwe 40F46DF4 12 2 600023468/24000 0 CCSIP_SPI_CONTRO
148 Mwe 40F21244 0 1 0 5524/6000 0 CCSIP_DNS
149 Mwe 40F48254 4 1 400023108/24000 0 CCSIP_UDP_SOCKET
150 Mwe 40F48034 4 1 400023388/24000 0 CCSIP_TCP_SOCKET
Warning: Since there are several ways a device running Cisco IOS
Software can start processing SIP messages, it is recommended that
the show processes | include SIP command be used to determine whether
the device is processing SIP messages instead of relying on the
presence of specific configuration commands.
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26),
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
!--- output truncated
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.4(20)T with an installed image name of
C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M),
Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html
Products Confirmed Not Vulnerable
+--------------------------------
The SIP Application Layer Gateway (ALG), which is used by the Cisco
IOS NAT and firewall features of Cisco IOS Software, is not affected
by this vulnerability.
Cisco devices that are running Cisco IOS XE Software and Cisco IOS XR
Software are not affected.
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
SIP is a popular signaling protocol that is used to manage voice and
video calls across IP networks such as the Internet. SIP is
responsible for handling all aspects of call setup and termination.
Voice and video are the most popular types of sessions that SIP
handles, but the protocol has the flexibility to accommodate other
applications that require call setup and termination. SIP call
signaling can use UDP (port 5060), TCP (port 5060), or TLS (TCP port
5061) as the underlying transport protocol.
A denial of service (DoS) vulnerability exists in the SIP
implementation in Cisco IOS Software. This vulnerability is triggered
by processing a specific and valid SIP message.
This vulnerability is documented in Cisco Bug ID CSCsu11522 and has
been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2009-0636.
Note: The vulnerabilities described in the advisories Cisco IOS
Software Multiple Features IP Sockets Vulnerability and Cisco IOS
Software Multiple Features Crafted UDP Packet Vulnerability, both
part of this bundle of Cisco IOS advisories, may also impact SIP
operations.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsu11522 - A voice gateway may crash when processing valid SIP
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability described in this
document may result in a reload of the device. The issue could be
repeatedly exploited to cause an extended DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
Note: In addition to CSCsu11522 and because of its impact on SIP
operation, this table of fixed software takes into consideration the
vulnerability tracked by Cisco Bug CSCsk64158 , from "Cisco Security
Advisory: Crafted UDP Packet Affects Multiple Cisco IOS Features"
(http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml)
The table does not take into consideration the vulnerability
disclosed by "Cisco Security Advisory: Cisco IOS IP Sockets
Vulnerability Affecting Multiple Cisco IOS Features", which may
impact SIP over TLS.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+------------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0 | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0DA | Vulnerable; first fixed in 12.2DA | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0DB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0DC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.0S | 12.0(32)S12 | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| 12.0SC | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| 12.0SL | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0SP | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.0ST | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| 12.0SX | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| 12.0SY | 12.0(32)SY8 | 12.0(32)SY8 |
|------------+-------------------------------------+----------------|
| 12.0SZ | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0T | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.0W | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.0WC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.0WT | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XE | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.0XF | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XG | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | Releases prior to 12.0(4)XI2 are | 12.4(18e) |
| | vulnerable, release 12.0(4)XI2 and | |
| 12.0XI | later are not vulnerable; first | 12.4(23a); |
| | fixed in 12.4 | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XJ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XK | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XL | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XM | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XN | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XQ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XR | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XS | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XT | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XV | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1 | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.1AA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1AX | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| | | 12.1(22)EA13 |
| 12.1AY | Vulnerable; first fixed in 12.1EA | |
| | | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| | | 12.1(22)EA13 |
| 12.1AZ | Vulnerable; first fixed in 12.1EA | |
| | | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.1CX | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1DA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1DB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1DC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1E | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.1EA | 12.1(22)EA13 | 12.1(22)EA13 |
|------------+-------------------------------------+----------------|
| 12.1EB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SCB1 |
| 12.1EC | Vulnerable; first fixed in 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| 12.1EO | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1EU | Vulnerable; first fixed in 12.2SG | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| 12.1EV | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1EW | Vulnerable; migrate to 12.2SGA | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1EX | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.1EY | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1EZ | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1GA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1GB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1T | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XE | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XF | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XG | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XI | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XJ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XL | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XM | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XP | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XQ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XR | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XS | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XT | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XU | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XV | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XW | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XX | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XY | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XZ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | Releases prior to 12.1(5)YE6 are | 12.4(18e) |
| | vulnerable, release 12.1(5)YE6 and | |
| 12.1YE | later are not vulnerable; first | 12.4(23a); |
| | fixed in 12.4 | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YF | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.1YI | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.1(22)EA13 |
| 12.1YJ | Vulnerable; first fixed in 12.1EA | |
| | | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2 | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2B | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to 12.2SCB or | 12.2(33)SCB1 |
| 12.2BC | 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2BW | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2BX | Vulnerable; migrate to 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2BY | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2BZ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to 12.2SCB or | 12.2(33)SCB1 |
| 12.2CX | 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to 12.2SCB or | 12.2(33)SCB1 |
| 12.2CY | 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| 12.2CZ | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | 12.2(12)DA14; Available on | |
| 12.2DA | 30-JUL-2009 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2DD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2DX | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2EW | Vulnerable; first fixed in 12.2SG | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| 12.2EWA | Vulnerable; first fixed in 12.2SG | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| 12.2EX | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2EY | 12.2(44)EY | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2EZ | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2FX | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2FY | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2FZ | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRC4; |
| 12.2IRA | Vulnerable; first fixed in 12.2SRC | Available on |
| | | 18-MAY-2009 |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRC4; |
| 12.2IRB | Vulnerable; first fixed in 12.2SRC | Available on |
| | | 18-MAY-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXA | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXB | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXC | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXD | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXE | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXF | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXG | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| 12.2JA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2JK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2MB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2MC | 12.2(15)MC2m | 12.2(15)MC2m |
|------------+-------------------------------------+----------------|
| 12.2S | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| | 12.2(28)SB13 | |
| | | |
| 12.2SB | 12.2(31)SB14 | 12.2(33)SB4 |
| | | |
| | 12.2(33)SB3 | |
|------------+-------------------------------------+----------------|
| 12.2SBC | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| 12.2SCA | Vulnerable; first fixed in 12.2SCB | 12.2(33)SCB1 |
|------------+-------------------------------------+----------------|
| 12.2SCB | 12.2(33)SCB1 | 12.2(33)SCB1 |
|------------+-------------------------------------+----------------|
| | 12.2(50)SE | |
| | | |
| 12.2SE | 12.2(46)SE2 | 12.2(44)SE6 |
| | | |
| | 12.2(44)SE5 | |
|------------+-------------------------------------+----------------|
| 12.2SEA | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEB | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEC | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SED | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEE | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEF | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEG | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| | | 12.2(52)SG; |
| 12.2SG | 12.2(50)SG | Available on |
| | | 15-MAY-2009 |
|------------+-------------------------------------+----------------|
| 12.2SGA | 12.2(31)SGA9 | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| 12.2SL | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2SM | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SO | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SQ | 12.2(44)SQ1 | |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRD1 |
| | | |
| 12.2SRA | Vulnerable; first fixed in 12.2SRC | 12.2(33)SRC4; |
| | | Available on |
| | | 18-MAY-2009 |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRC4; |
| | | Available on |
| | | 18-MAY-2009 |
| | | |
| 12.2SRB | Vulnerable; first fixed in 12.2SRC | 12.2(33)SRD1 |
| | | |
| | | 12.2(33)SRB5a; |
| | | Available on |
| | | 3-April-2009 |
|------------+-------------------------------------+----------------|
| | 12.2(33)SRC4; Available on | 12.2(33)SRC4; |
| 12.2SRC | 18-MAY-2009 | Available on |
| | | 18-MAY-2009 |
|------------+-------------------------------------+----------------|
| 12.2SRD | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2STE | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2SU | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2SV | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SVA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SVC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SVD | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SVE | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SW | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SX | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXA | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXB | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXD | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXE | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXF | 12.2(18)SXF16 | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| | 12.2(33)SXH5; Available on | 12.2(33)SXH5; |
| 12.2SXH | 20-APR-2009 | Available on |
| | | 20-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2SXI | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2SY | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| 12.2SZ | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2T | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2TPC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XE | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to 12.2SCB or | 12.2(33)SCB1 |
| 12.2XF | 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XG | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XI | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XJ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XK | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XL | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XM | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SB4 |
| 12.2XN | Vulnerable; first fixed in 12.2SRC | |
| | | 12.2(33)SRD1 |
|------------+-------------------------------------+----------------|
| 12.2XNA | Vulnerable; migrate to any release | 12.2(33)SRD1 |
| | in 12.2SRD | |
|------------+-------------------------------------+----------------|
| 12.2XNB | 12.2(33)XNB1 | 12.2(33)XNB3 |
|------------+-------------------------------------+----------------|
| 12.2XNC | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2XO | 12.2(46)XO | 12.2(46)XO |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XQ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XR | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XS | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XT | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XU | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XV | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XW | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2YA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2YB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YD | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YE | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YF | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YG | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YH | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YJ | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YK | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YL | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2YM | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2YN | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YO | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2YP | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2YQ | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YR | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YS | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2YT | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YU | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YV | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YW | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YX | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YY | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YZ | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2ZA | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2ZB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2ZC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2ZD | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2ZE | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2ZF | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2ZG | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2ZH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2ZJ | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2ZL | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2ZP | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SXH5; |
| 12.2ZU | Vulnerable; first fixed in 12.2SXH | Available on |
| | | 20-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2ZX | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| 12.2ZY | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2ZYA | 12.2(18)ZYA1 | 12.2(18)ZYA1 |
|------------+-------------------------------------+----------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.3 | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3B | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3BC | 12.3(23)BC6 | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3BW | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3EU | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.3JA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.3JEA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.3JEB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.3JEC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3JK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3JL | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.3JX | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3T | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3TPC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.3VA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.3XA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3XB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XC | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XD | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.3XE | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3XF | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XG | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3XI | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| 12.3XJ | Vulnerable; first fixed in 12.3YX | 12.3(14)YX14 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XL | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XQ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.3XR | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XS | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XU | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3XW | Vulnerable; first fixed in 12.3YX | 12.3(14)YX14 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XX | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XY | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XZ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YA | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YD | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3YF | Vulnerable; first fixed in 12.3YX | 12.3(14)YX14 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YG | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YH | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YI | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YJ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3YM | 12.3(14)YM13 | 12.3(14)YM13 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YQ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YS | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YT | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YU | Vulnerable; first fixed in 12.4XB | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3YX | 12.3(14)YX14 | 12.3(14)YX14 |
|------------+-------------------------------------+----------------|
| 12.3YZ | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3ZA | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|------------+-------------------------------------+----------------|
| | 12.4(18e) | 12.4(18e) |
| | | |
| 12.4 | 12.4(23) | 12.4(23a); |
| | | Available on |
| | 12.4(23a); Available on 30-APR-2009 | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.4JA | 12.4(16b)JA1 | |
|------------+-------------------------------------+----------------|
| 12.4JDA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4JK | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4JL | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4JMA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4JMB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4JX | Vulnerable; first fixed in 12.4JA | |
|------------+-------------------------------------+----------------|
| 12.4MD | 12.4(11)MD7 | 12.4(11)MD7 |
|------------+-------------------------------------+----------------|
| 12.4MR | 12.4(19)MR1 | 12.4(19)MR2 |
|------------+-------------------------------------+----------------|
| 12.4SW | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | 12.4(20)T2 | |
| | | 12.4(22)T1 |
| | 12.4(15)T8 | |
| 12.4T | | 12.4(15)T9; |
| | 12.4(22)T | Available on |
| | | 29-APR-2009 |
| | 12.4(15)T9; Available on | |
| | 29-APR-2009 | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XA | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | 12.4(15)T8 | 12.4(22)T1 |
| | | |
| 12.4XB | 12.4(20)T2 | 12.4(15)T9; |
| | | Available on |
| | 12.4(15)T9; Available on | 29-APR-2009 |
| | 29-APR-2009 | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XC | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | 12.4(4)XD12; Available on | 12.4(4)XD12; |
| 12.4XD | 27-MAR-2009 | Available on |
| | | 27-MAR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XE | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XF | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | 12.4(15)T8 | |
| 12.4XG | | 12.4(15)T9; |
| | 12.4(20)T2 | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XJ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.4XL | 12.4(15)XL4 | 12.4(15)XL4 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XM | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.4XN | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4XP | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4XQ | 12.4(15)XQ2 | 12.4(15)XQ2 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XR | 12.4(15)XR4 | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XT | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.4XV | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4XW | 12.4(11)XW10 | 12.4(11)XW10 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XY | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.4XZ | 12.4(15)XZ2 | 12.4(15)XZ2 |
|------------+-------------------------------------+----------------|
| 12.4YA | 12.4(20)YA2 | 12.4(20)YA3 |
|------------+-------------------------------------+----------------|
| 12.4YB | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.4YD | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
If the affected Cisco IOS device requires SIP for VoIP services, SIP
cannot be disabled, and therefore, no workarounds are available.
Users are advised to apply mitigation techniques to help limit
exposure to the vulnerability. Mitigation consists of allowing only
legitimate devices to connect to the routers. To increase
effectiveness, the mitigation must be coupled with anti-spoofing
measures on the network edge. This action is required because SIP can
use UDP as the transport protocol.
Additional mitigations that can be deployed on Cisco devices within
the network are available in the companion document "Cisco Applied
Mitigation Bulletin: Identifying and Mitigating Exploitation of the
Cisco IOS SIP and Crafted UDP Vulnerabilities", which is available at
the following location:
http://www.cisco.com/warp/public/707/cisco-amb-20090325-sip-and-udp.shtml
Disable SIP Listening Ports
+--------------------------
For devices that do not require SIP to be enabled, the simplest and
most effective workaround is to disable SIP processing on the device.
Some versions of Cisco IOS Software allow administrators to
accomplish this with the following commands:
sip-ua
no transport udp
no transport tcp
Warning: When applying this workaround to devices that are processing
Media Gateway Control Protocol (MGCP) or H.323 calls, the device will
not stop SIP processing while active calls are being processed. Under
these circumstances, this workaround should be implemented during a
maintenance window when active calls can be briefly stopped.
After applying this workaround, administrators are advised to use the
show commands, as discussed in the Affected Products section of this
advisory, to confirm that the Cisco IOS device is no longer
processing SIP messages.
Control Plane Policing
+---------------------
For devices that need to offer SIP services it is possible to use
Control Plane Policing (CoPP) to block SIP traffic to the device from
untrusted sources. Cisco IOS Releases 12.0S, 12.2SX, 12.2S, 12.3T,
12.4, and 12.4T support the CoPP feature. CoPP may be configured on a
device to protect the management and control planes to minimize the
risk and effectiveness of direct infrastructure attacks by explicitly
permitting only authorized traffic sent to infrastructure devices in
accordance with existing security policies and configurations. The
following example can be adapted to the network:
!-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
!-- Everything else is not trusted. The following access list is used
!-- to determine what traffic needs to be dropped by a control plane
!-- policy (the CoPP feature.) If the access list matches (permit)
!-- then traffic will be dropped and if the access list does not
!-- match (deny) then traffic will be processed by the router.
access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061
access-list 100 deny udp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5061
access-list 100 permit udp any any eq 5060
access-list 100 permit tcp any any eq 5060
access-list 100 permit tcp any any eq 5061
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
class-map match-all drop-sip-class
match access-group 100
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
policy-map drop-sip-traffic
class drop-sip-class
drop
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
control-plane
service-policy input drop-sip-traffic
Warning: Because SIP can use UDP as a transport protocol, it is
possible to easily spoof the IP address of the sender, which may
defeat access control lists that permit communication to these ports
from trusted IP addresses.
In the above CoPP example, the access control entries (ACEs) that
match the potential exploit packets with the "permit" action result
in these packets being discarded by the policy-map "drop" function,
while packets that match the "deny" action (not shown) are not
affected by the policy-map drop function. Additional information on
the configuration and use of the CoPP feature can be found at
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
and
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was discovered during handling of customer service
requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-March-25 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAknKUboACgkQ86n/Gc8U/uCi+gCfZaAw0PuDJWKg2K42vzfdJe+h
XHwAnRRdQQTeuhmW0liolMtU1ZzKg+Ke
=VvxT
- -----END PGP SIGNATURE-----
_______________________________________________
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Multiple Features IP
Sockets Vulnerability
Advisory ID: cisco-sa-20090325-ip
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
Revision 1.0
For Public Release 2009 March 25 1600 UTC (GMT)
- - ---------------------------------------------------------------------
Summary
=======
A vulnerability in the handling of IP sockets can cause devices to be
vulnerable to a denial of service attack when any of several features
of Cisco IOS Software are enabled. A sequence of specially crafted
TCP/IP packets could cause any of the following results:
* The configured feature may stop accepting new connections or
sessions.
* The memory of the device may be consumed.
* The device may experience prolonged high CPU utilization.
* The device may reload.
Cisco has released free software updates that address this
vulnerability.
Several mitigation strategies are outlined in the "Workarounds"
section of this advisory.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
Note: The March 25, 2009, Cisco IOS Security Advisory bundled
publication includes eight Security Advisories. All of the advisories
address vulnerabilities in Cisco IOS Software. Each advisory lists
the releases that correct the vulnerability or vulnerabilities in the
advisory. The following table lists releases that correct all Cisco
IOS Software vulnerabilities that have been published in Cisco
Security Advisories on March 25, 2009, or earlier.
http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml
Individual publication links are listed below:
* Cisco IOS cTCP Denial of Service Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
* Cisco IOS Software Multiple Features IP Sockets Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
* Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
* Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
* Cisco IOS Software Session Initiation Protocol Denial of Service
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
* Cisco IOS Software Multiple Features Crafted TCP Sequence
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
* Cisco IOS Software Multiple Features Crafted UDP Packet
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
* Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
Affected Products
=================
Vulnerable Products
+------------------
Devices that are running affected versions of Cisco IOS Software and
Cisco IOS XE Software are affected if they are running any of the
following features. Details about confirming whether the affected
feature is enabled on a device are in the "Details" section of this
advisory.
* Cisco Unified Communications Manager Express
* SIP Gateway Signaling Support Over Transport Layer Security (TLS)
Transport
* Secure Signaling and Media Encryption
* Blocks Extensible Exchange Protocol (BEEP)
* Network Admission Control HTTP Authentication Proxy
* Per-user URL Redirect for EAPoUDP, Dot1x, and MAC Authentication
Bypass
* Distributed Director with HTTP Redirects
* DNS (TCP mode only)
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
"show version" command to display the system banner. The system
banner confirms that the device is running Cisco IOS Software by
displaying text similar to "Cisco Internetwork Operating System
Software" or "Cisco IOS Software." The image name displays in
parentheses, followed by "Version" and the Cisco IOS Software release
name. Other Cisco devices do not have the "show version" command or
may provide different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE
(fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
<output truncated>
The following example shows a product that is running Cisco IOS
Software Release 12.4(20)T with an image name of
C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M),
Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
<output truncated>
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html
Products Confirmed Not Vulnerable
+--------------------------------
The following product is not affected by this vulnerability:
* Cisco IOS XR Software
No other Cisco products or features configured in Cisco IOS or Cisco
IOS XE Software are currently known to be affected by this
vulnerability.
Details
========
For successful exploitation of this vulnerability, the TCP three-way
handshake must be completed to the associated TCP port number(s) for
any of the features described in this section.
Cisco Unified Communications Manager Express
+-------------------------------------------
The following configurations are vulnerable for different Cisco
Unified Communications Manager Express services:
A certificate authority proxy function (CAPF) server has been
configured.
The following example shows a vulnerable CAPF server configuration:
capf-server
auth-mode null-string
cert-enroll-trustpoint root password 1 104D000A061843595F
trustpoint-label cme_cert
source-addr 10.0.0.1
The default TCP port used for CAPF server is 3804.
Further information about CAPF-server is in the Cisco Unified
Communications Manager Express System Administrator Guide at
http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmeauth.html#wp1085744
Telephony-service security parameters have been configured.
If the telephony-service security parameters have been configured
with "device-security-mode", the device is vulnerable. The following
example shows three vulnerable configurations for telephony-service
security parameters:
ephone 1
device-security-mode encrypted
ephone 2
device-security-mode authenticated
ephone 3
device-security-mode none
The TCP port used is defined with the "ip source-address <address>
port <port-number>" telephony-service configuration command.
Further information about Telephony-service security parameters is in
the Cisco Unified Communications Manager Express System Administrator
Guide at
http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmeauth.html#wp1080079
The global telephony-service or call-manager-fallback command has
been configured.
Any Cisco IOS configuration with the global "telephony-service" or
"call-manager-fallback" command is vulnerable if any subcommands are
in the telephony-service or call-manager-fallback configuration mode.
The following examples show vulnerable configurations:
telephony-service
ip source-address 192.168.0.1 port 2011
or
call-manager-fallback
ip source-address 192.168.0.1 port 2011
The TCP port used is defined with the "ip source-address <address>
port <port-number>" configuration command.
Further information about telephony service and call-manager-fallback
is in the Cisco Unified Communications Manager Express System
Administrator Guide at
http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmesystm.html
SIP Gateway Signaling Support over TLS Transport
+----------------------------------------------
Note: For customers with devices enabled with SIP, also consult the
document "Cisco Security Advisory: Cisco IOS Session Initiation
Protocol Denial of Service Vulnerability" at the following link
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.html
Devices that are configured for SIP gateway signaling support over
TLS transport are vulnerable. The following examples show vulnerable
configurations:
voice service voip
sip
session transport tcp tls
url sips
- - -- or --
dial-peer voice 3456 voip
voice-class sip url sips
session protocol sipv2
session transport tcp tls
For the SIP gateway signaling support over TLS transport to function
correctly, administrators must first configure a trustpoint using the
following configuration:
sip-ua
crypto signaling default trustpoint example_trustpoint_name
The default TCP port used for the SIP gateway signaling support over
TLS transport feature is 5061.
Further information about Cisco IOS SIP gateway signaling support
over TLS transport is in the Cisco IOS Software Release 12.4T feature
guide at
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/FeatTLS.html
Secure Signaling and Media Encryption
+------------------------------------
A device is vulnerable if it is configured with the Media and
Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing feature or
with Secure Signaling and Media Encryption for analog phones with
Skinny Call Control Protocol (SCCP).
The following examples show three different vulnerable secure DSP
farm configurations. Several other parts are required for a full
configuration, such as certificates and SCCP configuration, but these
parts have been excluded for brevity.
dspfarm profile 2 transcode security
trustpoint 2851ClientMina
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec gsmfr
codec g729r8
codec g729br8
maximum sessions 3
associate application SCCP
dspfarm profile 3 conference security
trustpoint sec2800-cfb
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g729r8
codec g729br8
maximum sessions 2
associate application SCCP
dspfarm profile 5 mtp security
trustpoint 2851ClientMina
codec g711alaw
maximum sessions hardware 1
associate application SCCP
The default TCP port used for the Media and Signaling Encryption on
DSP Farm Conferencing feature is 2443.
Further information about the Media and Signaling Encryption on DSP
Farm Conferencing feature is in the "Cisco IOS Software Release 12.4
Special and Early Deployments feature guide" at the following link
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t15/itsdsp.html
The following output shows the relevant section of Secure Signaling
and Media Encryption for analog phones and is a vulnerable
configuration (Several other parts are required for a full
configuration, such as certificates, SCCP configuration, and dial
peers):
!--- The following lines show SCCP Telephony Control Application
!--- (STCAPP) security enabled at the system level:
stcapp ccm-group 1
stcapp security trustpoint analog
stcapp security mode encrypted
stcapp
<-- output removed for brevity -->
dial-peer voice 5002 pots
service stcapp
!--- The following line shows the security mode configured on the
!--- dial peer.
security mode authenticated
port 2/1
The default TCP port used for Media and Signaling Encryption for
analog phones is 2443.
Further information about Media and Signaling Encryption for analog
phones is in the "Supplementary Services Features for FXS Ports on
Cisco IOS Voice Gateways Configuration Guide, Release 12.4T" at the
following link
http://www.cisco.com/en/US/docs/ios/voice/fxs/configuration/guide/fsxsecur.html
Blocks Extensible Exchange Protocol
+----------------------------------
Any configuration or executable command that leverages Blocks
Extensible Exchange Protocol (BEEP) as a transport protocol is
vulnerable. The following example shows the vulnerable configuration
of the feature NETCONF over BEEP. NETCONF over BEEP using SASL is
also vulnerable.
crypto key generate rsa general-keys
crypto pki trustpoint my_trustpoint
enrollment url http://10.2.3.3:80
subject-name CN=dns_name_of_host.com
revocation-check none
crypto pki authenticate my_trustpoint
crypto pki enroll my_trustpoint
line vty 0 15
netconf lock-time 60
netconf max-sessions 16
netconf beep initiator host1 23 user my_user password
my_password encrypt my_trustpoint
reconnect-time 60
netconf beep listener 23 sasl user1 encrypt my_trustpoint
The TCP port used is defined with the "netconf beep initiator" and
"netconf beep listener" configuration commands.
Further information about NETCONF over BEEP is in the "Cisco IOS
Software Release 12.4T feature guide" at the following link
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htnetbe.html#wp1049404
The BEEP executable commands "bingd" and "bingng" could cause this
vulnerability to be triggered when they are invoked. The following
shows an example of these commands being executed:
bingng device 192.168.0.1 23
bingd device 23
Network Admission Control HTTP Authentication Proxy
+--------------------------------------------------
Devices configured with Network Admission Control HTTP Authentication
Proxy are vulnerable. For the device to be vulnerable the
authentication proxy rule must exist and be applied to an interface.
The following configuration creates an authentication proxy rule.
ip admission name example-ap-rule-name proxy http
The following configuration attaches the authentication proxy rule
(created in the previous example) to an interface.
interface GigabitEthernet 0/0
ip admission example-ap-rule-name
The default TCP port used for Network Admission Control HTTP
Authentication Proxy is 80.
Further information about Network Admission Control HTTP
Authentication Proxy is in the "Cisco IOS Security Configuration
Guide, Release 12.4" at the following link
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_net_admssn_ctrl_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1053957
Per-user URL Redirect for EAPoUDP, Dot1x, and MAC Authentication Bypass
+----------------------------------------------------------------------
Devices that have URL redirect feature configured are vulnerable. URL
redirect is supported for EAP over UDP (EAPoUDP), Dot1x and MAC
Authentication Bypass (MAB) authentication mechanisms. The URL
redirect configuration can either be on the server or set up as part
of a locally defined profile or policy. Both configurations are
vulnerable. A device is vulnerable with either of the following
configurations.
URL Redirect Feature Enabled for EAPoUDP
+---------------------------------------
The URL redirect feature is enabled for EAPoUDP with the following
global configuration command:
ip admission name <EAPoUDP-rule-name> eapoudp
The following configuration attaches the EAPoUDP rule (created in the
previous example) to an interface.
ip admission name <EAPoUDP-rule-name>
URL Redirect Feature Enabled for Dot1x and MAB
+---------------------------------------------
The URL redirect feature for both Dot1x and MAB are vulnerable and
will have a URL redirect AV pair on the RADIUS server defined in a
method that is similar to the following:
url-redirect="http://example.com"
url-redirect="urlacl"
For the Dot1x and MAB URL redirect feature to work successfully on
the switch, the minimum following configuration would also be
required. There is no interface-specific configuration for URL
redirect. Basically the interface has to be configured for Dot1x/MAB.
ip http {server | secure-server}
ip device tracking
The default TCP port used for per-user URL redirect for EAPoUDP,
Dot1x, and MAB is 80 and 443.
Further information about per-user URL redirect for EAPoUDP, Dot1x,
and MAB is in the "Catalyst 4500 Series Switch Software Configuration
Guide, 12.2(50)SG" at the following link
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html#wp1311079
Distributed Director with HTTP Redirects
+---------------------------------------
A device is vulnerable if Distributed Director is configured with
HTTP redirects. The following example shows a vulnerable
configuration:
ip director ip-address 192.168.0.1
The default TCP port used for distributed director with HTTP redirect
is 53.
Further information about Distributed Director with HTTP redirects is
in "Distributed Director Configuration Example Overview" at the
following link
http://www.cisco.com/en/US/products/hw/contnetw/ps813/products_tech_note09186a00801fa9dd.shtml#topic8b
DNS
+--
Devices that are configured with the Cisco IOS DNS feature are
vulnerable. A pure DNS over UDP implementation is not vulnerable. See
the "Workarounds" section of this advisory for information about
filtering DNS over TCP traffic to the device. If any of the commands
in the following example appear in the device configuration, the
device is vulnerable:
ip dns server
ip dns primary example.com soa www.example.com admin@example.com
ip dns spoofing 192.168.0.1
The default TCP port used for DNS is 53.
Further information about Cisco IOS DNS is in the "Cisco IOS IP
Addressing Services Configuration Guide, Release 12.4" at the
following link
http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_config_dns_ps6350_TSD_Products_Configuration_Guide_Chapter.html
This vulnerability is documented in the following Cisco Bug ID:
CSCsm27071 and has been assigned the Common Vulnerabilities and
Exposures (CVE) identifiers CVE-2009-0630.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsm27071: Cisco IOS Software Multiple Features IP Sockets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may result in the any of
the following occurring:
* The configured feature may stop accepting new connections or
sessions.
* The memory of the device may be consumed.
* The device may experience prolonged high CPU utilization.
* The device may reload.
Repeated attempts to exploit this vulnerability could result in a
sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+------------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0 | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0DA | Vulnerable; first fixed in 12.2DA | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0DB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0DC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.0S | 12.0(32)S12 | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| 12.0SC | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| 12.0SL | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0SP | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.0ST | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| 12.0SX | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| 12.0SY | 12.0(32)SY8 | 12.0(32)SY8 |
|------------+-------------------------------------+----------------|
| 12.0SZ | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0T | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.0W | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.0WC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.0WT | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XE | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.0XF | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XG | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | Releases prior to 12.0(4)XI2 are | 12.4(18e) |
| | vulnerable, release 12.0(4)XI2 and | |
| 12.0XI | later are not vulnerable; first | 12.4(23a); |
| | fixed in 12.4 | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XJ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XK | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XL | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XM | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XN | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XQ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XR | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XS | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XT | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XV | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1 | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.1AA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1AX | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| | | 12.1(22)EA13 |
| 12.1AY | Vulnerable; first fixed in 12.1EA | |
| | | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| | | 12.1(22)EA13 |
| 12.1AZ | Vulnerable; first fixed in 12.1EA | |
| | | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.1CX | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1DA | Vulnerable; first fixed in 12.2DA | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.1DB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1DC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1E | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.1EA | 12.1(22)EA13 | 12.1(22)EA13 |
|------------+-------------------------------------+----------------|
| 12.1EB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SCB1 |
| 12.1EC | Vulnerable; first fixed in 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| 12.1EO | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1EU | Vulnerable; first fixed in 12.2SG | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| 12.1EV | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1EW | Vulnerable; migrate to 12.2SGA | |
|------------+-------------------------------------+----------------|
| 12.1EX | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1EY | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1EZ | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1GA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1GB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1T | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XE | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XF | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XG | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XI | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XJ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XL | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XM | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XP | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XQ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XR | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XS | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XT | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XU | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XV | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XW | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XX | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XY | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XZ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | Releases prior to 12.1(5)YE6 are | 12.4(18e) |
| | vulnerable, release 12.1(5)YE6 and | |
| 12.1YE | later are not vulnerable; first | 12.4(23a); |
| | fixed in 12.4 | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YF | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.1YI | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.1(22)EA13 |
| 12.1YJ | Vulnerable; first fixed in 12.1EA | |
| | | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2 | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2B | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to 12.2SCB1 or | 12.2(33)SCB1 |
| 12.2BC | 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2BW | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2BX | Vulnerable; migrate to 12.2SB4 | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2BY | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2BZ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to 12.2SCB or | 12.2(33)SCB1 |
| 12.2CX | 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to 12.2SCB or | 12.2(33)SCB1 |
| 12.2CY | 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| 12.2CZ | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | 12.2(12)DA14; Available on | |
| 12.2DA | 30-JUL-2009 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2DD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2DX | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2EW | Vulnerable; first fixed in 12.2SG | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| 12.2EWA | Vulnerable; first fixed in 12.2SG | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| 12.2EX | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2EY | 12.2(44)EY | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2EZ | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2FX | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2FY | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2FZ | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRC4; |
| 12.2IRA | Vulnerable; first fixed in 12.2SRC | Available on |
| | | 18-MAY-2009 |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRC4; |
| 12.2IRB | Vulnerable; first fixed in 12.2SRC | Available on |
| | | 18-MAY-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXA | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXB | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXC | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXD | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXE | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXF | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXG | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| 12.2JA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2JK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2MB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2MC | 12.2(15)MC2m | 12.2(15)MC2m |
|------------+-------------------------------------+----------------|
| 12.2S | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| | 12.2(31)SB14 | |
| | | |
| 12.2SB | 12.2(33)SB1 | 12.2(33)SB4 |
| | | |
| | 12.2(28)SB13 | |
|------------+-------------------------------------+----------------|
| 12.2SBC | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| 12.2SCA | 12.2(33)SCA2 | 12.2(33)SCB1 |
|------------+-------------------------------------+----------------|
| 12.2SCB | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| | 12.2(50)SE | |
| | | |
| 12.2SE | 12.2(46)SE2 | 12.2(44)SE6 |
| | | |
| | 12.2(44)SE5 | |
|------------+-------------------------------------+----------------|
| 12.2SEA | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEB | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEC | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SED | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEE | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEF | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEG | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| | | 12.2(52)SG; |
| 12.2SG | 12.2(50)SG | Available on |
| | | 15-MAY-2009 |
|------------+-------------------------------------+----------------|
| 12.2SGA | 12.2(31)SGA9 | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| 12.2SL | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2SM | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SO | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SQ | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRC4; |
| 12.2SRA | Vulnerable; first fixed in 12.2SRC | Available on |
| | | 18-MAY-2009 |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRB5a; |
| | | Available on |
| | | 3-April-2009 |
| 12.2SRB | Vulnerable; first fixed in 12.2SRC | |
| | | 12.2(33)SRC4; |
| | | Available on |
| | | 18-MAY-2009 |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRC4; |
| 12.2SRC | 12.2(33)SRC1 | Available on |
| | | 18-MAY-2009 |
|------------+-------------------------------------+----------------|
| 12.2SRD | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2STE | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2SU | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2SV | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SVA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SVC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SVD | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SVE | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SW | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SX | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXA | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXB | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXD | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXE | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXF | 12.2(18)SXF16 | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| | 12.2(33)SXH5; Available on | 12.2(33)SXH5; |
| 12.2SXH | 20-APR-2009 | Available on |
| | | 20-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2SXI | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2SY | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| 12.2SZ | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2T | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2TPC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XE | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to 12.2SCB or | 12.2(33)SCB1 |
| 12.2XF | 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XG | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XI | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XJ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XK | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XL | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XM | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SB4 |
| 12.2XN | Vulnerable; first fixed in 12.2SRC | |
| | | 12.2(33)SRD1 |
|------------+-------------------------------------+----------------|
| 12.2XNA | Vulnerable; migrate to any release | 12.2(33)SRD1 |
| | in 12.2SRD | |
|------------+-------------------------------------+----------------|
| 12.2XNB | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2XNC | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2XO | 12.2(46)XO | 12.2(46)XO |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XQ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XR | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XS | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XT | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XU | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XV | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XW | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2YA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2YB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YD | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YE | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YF | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YG | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YH | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YJ | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YK | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YL | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2YM | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2YN | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YO | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2YP | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2YQ | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YR | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YS | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2YT | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YU | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YV | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YW | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YX | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YY | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2YZ | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2ZA | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2ZB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2ZC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2ZD | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2ZE | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2ZF | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2ZG | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2ZH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2ZJ | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2ZL | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2ZP | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SXH5; |
| 12.2ZU | Vulnerable; first fixed in 12.2SXH | Available on |
| | | 20-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2ZX | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| 12.2ZY | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2ZYA | 12.2(18)ZYA1 | 12.2(18)ZYA1 |
|------------+-------------------------------------+----------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.3 | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3B | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3BC | 12.3(23)BC6 | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3BW | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3EU | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.3JA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.3JEA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.3JEB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.3JEC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3JK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3JL | Vulnerable; first fixed in 12.4JK | |
|------------+-------------------------------------+----------------|
| 12.3JX | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3T | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3TPC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.3VA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.3XA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3XB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XC | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XD | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.3XE | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3XF | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XG | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3XI | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| 12.3XJ | Vulnerable; first fixed in 12.3YX | 12.3(14)YX14 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XL | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XQ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.3XR | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XS | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XU | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3XW | Vulnerable; first fixed in 12.3YX | 12.3(14)YX14 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XX | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XY | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XZ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YA | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YD | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3YF | Vulnerable; first fixed in 12.3YX | 12.3(14)YX14 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YG | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YH | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YI | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YJ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3YM | 12.3(14)YM13 | 12.3(14)YM13 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YQ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YS | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YT | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YU | Vulnerable; first fixed in 12.4XB | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.3YX | 12.3(14)YX14 | 12.3(14)YX14 |
|------------+-------------------------------------+----------------|
| 12.3YZ | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3ZA | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|------------+-------------------------------------+----------------|
| | 12.4(19) | 12.4(18e) |
| | | |
| 12.4 | 12.4(18a) | 12.4(23a); |
| | | Available on |
| | 12.4(23a); Available on 30-APR-2009 | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.4JA | 12.4(16b)JA1 | |
|------------+-------------------------------------+----------------|
| 12.4JDA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4JK | 12.4(3)JK4 | |
|------------+-------------------------------------+----------------|
| 12.4JL | 12.4(3)JL1 | |
|------------+-------------------------------------+----------------|
| 12.4JMA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4JMB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4JX | Vulnerable; first fixed in 12.4JA | |
|------------+-------------------------------------+----------------|
| 12.4MD | 12.4(11)MD7 | 12.4(11)MD7 |
|------------+-------------------------------------+----------------|
| 12.4MR | 12.4(19)MR | 12.4(19)MR2 |
|------------+-------------------------------------+----------------|
| 12.4SW | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | 12.4(20)T | 12.4(22)T1 |
| | | |
| 12.4T | 12.4(15)T8 | 12.4(15)T9; |
| | | Available on |
| | 12.4(15)T9; Available on | 29-APR-2009 |
| | 29-APR-2009 | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XA | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | 12.4(15)T8 | |
| 12.4XB | | 12.4(15)T9; |
| | 12.4(20)T | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XC | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | 12.4(4)XD12; Available on | 12.4(4)XD12; |
| 12.4XD | 27-MAR-2009 | Available on |
| | | 27-MAR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XE | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XF | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XG | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XJ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.4XL | 12.4(15)XL4 | 12.4(15)XL4 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XM | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.4XN | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4XP | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4XQ | 12.4(15)XQ2 | 12.4(15)XQ2 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XR | 12.4(15)XR4 | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XT | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.4XV | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.4XW | 12.4(11)XW10 | 12.4(11)XW10 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XY | 12.4(15)XY4 | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.4XZ | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.4YA | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.4YB | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.4YD | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
The following mitigations have been identified for this
vulnerability:
Infrastructure Access Control Lists
+----------------------------------
Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic at
the border of networks. Infrastructure Access Control Lists (iACLs)
are a network security best practice and should be considered as a
long-term addition to good network security as well as a workaround
for these specific vulnerabilities. The iACL example below should be
included as part of the deployed infrastructure access-list which
will protect all devices with IP addresses in the infrastructure IP
address range:
!--- Only sections pertaining to features enabled on the device
!--- need be configured.
!---
!--- Feature: Cisco Unified Communications Manager Express
!---
!--- CAPF server configuration
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 3804
!---
!--- Telephony-Service configuration
!--- The TCP port is as per the ip source-address
!--- <ip-address> port <port-number> telephony
!--- service configuration command. Example below 2999
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 2999
!---
!--- Deny Cisco Unified Communications Manager Express traffic
!--- from all other sources destined to infrastructure addresses.
!---
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 3804
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 2999
!---
!--- Feature: SIP Gateway Signaling Support Over TLS Transport
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 5061
!--- Deny SIP Gateway Signaling Support Over TLS Transport
!--- traffic from all other sources destined to infrastructure
!--- addresses.
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 5061
!---
!--- Feature: Secure Signaling and Media Encryption
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 2443
!--- Deny Secure Signaling and Media Encryption traffic from all
!--- other sources destined to infrastructure addresses.
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 2443
!---
!--- Feature: Blocks Extensible Exchange Protocol (BEEP)
!--- The TCP port used is defined with the netconf beep initiator
!--- and netconf beep listener configuration
!--- commands. This example uses 3001
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 3001
!--- Deny BEEP traffic from all other sources destined to
!--- infrastructure addresses.
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 3001
!---
!--- Feature: Network Admission Control HTTP Authentication Proxy
!--- and
!--- Per-user URL Redirect for EAP over UDP, Dot1x and MAC
!--- Authentication Bybass
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 80
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 443
!---
!--- Deny Network Admission Control HTTP Authentication Proxy
!--- and
!--- Per-user URL Redirect for EAP over UDP, Dot1x and MAC
!--- Authentication Bybass traffic to infrastructue
!---
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 80
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 443
!---
!--- Features: Distributed Director with HTTP Redirects and DNS
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
INFRASTRUCTURE_ADDRESSES WILDCARD eq 53
!--- Deny Distributed Director with HTTP Redirects traffic and DNS
!--- from all other sources destined to infrastructure addresses.
access-list 150 deny tcp any
INFRASTRUCTURE_ADDRESSES WILDCARD eq 53
!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and configurations
!--- Permit all other traffic to transit the device.
access-list 150 permit ip any any
!--- Apply access-list to all interfaces (only one example shown)
interface serial 2/0
ip access-group 150 in
The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended
deployment techniques for infrastructure protection access lists.
This white paper can be obtained at the following link
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
Receive ACLs (rACL)
+------------------
For distributed platforms, Receive ACLs may be an option starting in
Cisco IOS Software Versions 12.0(21)S2 for the 12000 (GSR), 12.0(24)S
for the 7500, and 12.0(31)S for the 10720. The Receive ACL protects
the device from harmful traffic before the traffic can impact the
route processor. Receive ACLs are designed to only protect the device
on which it is configured. On the 12000, 7500, and 10720, transit
traffic is never affected by a receive ACL. Because of this, the
destination IP address "any" used in the example ACL entries below
only refer to the router's own physical or virtual IP addresses.
Receive ACLs are considered a network security best practice, and
should be considered as a long-term addition to good network
security, as well as a workaround for this specific vulnerability.
The white paper entitled "GSR: Receive Access Control Lists" will
help you identify and allow legitimate traffic to your device and
deny all unwanted packets. This white paper is available at the
following link
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a0a5e.shtml
The following is the receive path ACL written to permit this type of
traffic from trusted hosts:
!---
!--- Only sections pertaining to features enabled on the device
!--- need be configured.
!---
!---
!--- Feature: Cisco Unified Communications Manager Express
!---
!---
!---
!--- Permit CAPF server traffic from trusted hosts allowed to
!--- the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 3804
!---
!--- Telephony-Service configuration
!---
!---
!--- The TCP port is as per the ip source-address
!--- <address> port <port-number> telephony-service
!--- configuration command. Example below 2999
!---
!--- Permit Telephony-Service traffic from trusted hosts allowed
!--- to the RP.
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 2999
!---
!--- Deny Cisco Unified Communications Manager Express
!--- traffic from all other sources to the RP.
!---
access-list 150 deny tcp any any eq 3804
access-list 150 deny tcp any any eq 2999
!---
!--- Permit SIP Gateway Signaling Support Over TLS Transport
!--- traffic from trusted hosts allowed to the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 5061
!---
!--- Deny SIP Gateway Signaling Support Over TLS Transport
!--- traffic from all other sources to the RP.
!---
access-list 150 deny tcp any any eq 5061
!---
!--- Permit Secure Signaling and Media Encryption traffic
!--- from trusted hosts allowed to the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 2443
!---
!--- Deny Secure Signaling and Media Encryption traffic from
!--- all other sources to the RP.
!---
access-list 150 deny tcp any any eq 2443
!---
!--- Feature: Blocks Extensible Exchange Protocol (BEEP)
!--- The TCP port used is defined with the netconf beep initiator
!--- and netconf beep listener configuration commands.
!--- This example uses 3001
!---
!---
!--- Permit BEEP traffic from trusted hosts allowed to the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 3001
!---
!--- Deny BEEP traffic from all other sources to the RP.
!---
access-list 150 deny tcp any any eq 3001
!---
!--- Feature: Network Admission Control HTTP Authentication Proxy
!--- and
!--- Per-user URL Redirect for EAP over UDP, Dot1x and MAC
!--- Authentication Bybass
!---
!---
!--- Permit Per-user URL Redirect for EAP over UDP, Dot1x and MAC
!--- Authentication Bybass traffic from trusted hosts allowed to
!--- the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 80
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 443
!---
!--- Deny Network Admission Control HTTP Authentication Proxy
!--- and
!--- Per-user URL Redirect for EAP over UDP, Dot1x and MAC
!--- Authentication Bybass traffic from all other sources to
!--- the RP.
!---
access-list 150 deny tcp any any eq 80
access-list 150 deny tcp any any eq 443
!---
!--- Features: Distributed Director with HTTP Redirects and DNS
!---
!---
!--- Permit Distribute Director and DNS traffic from trusted hosts
!--- allowed to the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 53
!---
!--- Deny distributed director and DNS traffic from all other
!--- sources to the RP.
!---
access-list 150 deny tcp any any eq 53
!---
!--- Permit all other traffic to the RP.
!--- according to security policy and configurations.
!---
access-list 150 permit ip any any
!---
!--- Apply this access list to the 'receive' path.
!---
ip receive access-list 150
Control Plane Policing
+---------------------
Control Plane Policing (CoPP) can be used to block the affected
features TCP traffic access to the device. Cisco IOS software
releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the
CoPP feature. CoPP can be configured on a device to protect the
management and control planes and minimize the risk and effectiveness
of direct infrastructure attacks by explicitly permitting only
authorized traffic that is sent to infrastructure devices in
accordance with existing security policies and configurations. The
CoPP example below should be included as part of the deployed CoPP
which will protect all devices with IP addresses in the
infrastructure IP address range.
!---
!--- Only sections pertaining to features enabled on the device
!--- need be configured.
!---
!--- Feature: Cisco Unified Communications Manager Express
!---
!--- CAPF Server configuration
!---
access-list 150 deny tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 3804
!---
!--- Telephony-Service configuration
!--- The TCP port is as per the ip source-address
!--- <address> port <port-number> telephony-service
!--- configuration command. Example below 2999
!---
access-list 150 deny tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 2999
!---
!--- Permit Cisco Unified Communications Manager Express traffic
!--- sent to all IP addresses configured on all interfaces of
!--- the affected device so that it will be policed and dropped
!--- by the CoPP feature
!---
!--- CAPF server configuration
!---
access-list 150 permit tcp any any eq 3804
!---
!--- Telephony-Service configuration
!---
access-list 150 permit tcp any any eq 2999
!---
!--- Feature: SIP Gateway Signaling Support Over TLS Transport
!---
access-list 150 deny tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 5061
!---
!--- Permit SIP Gateway Signaling Support Over TLS Transport
!--- traffic sent to all IP addresses configured on all interfaces
!--- of the affected device so that it will be policed and
!--- dropped by the CoPP feature
!---
access-list 150 permit tcp any any eq 5061
!---
!--- Feature: Secure Signaling and Media Encryption
!---
access-list 150 deny tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 2443
!---
!--- Permit Secure Signaling and Media Encryption traffic sent to
!--- all IP addresses configured on all interfaces of the affected
!--- device so that it will be policed and dropped by the CoPP
!--- feature
!---
access-list 150 permit tcp any any eq 2443
!---
!--- Feature: Blocks Extensible Exchange Protocol (BEEP)
!--- The TCP port used is defined with the netconf beep initiator
!--- and netconf beep listener configuration commands.
!--- This example uses 3001
!---
access-list 150 deny tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 3001
!---
!--- Permit BEEP traffic sent to all IP addresses configured
!--- on all interfaces of the affected device so that it
!--- will be policed and dropped by the CoPP feature
!---
access-list 150 permit tcp any any eq 3001
!---
!--- Feature: Network Admission Control HTTP Authentication Proxy
!--- and
!--- Per-user URL Redirect for EAP over UDP, Dot1x and MAC
!--- Authentication Bybass
!---
access-list 150 deny tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 80
access-list 150 deny tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 443
!---
!--- Permit Network Admission Control HTTP Authentication Proxy
!--- and Per-user URL Redirect for EAP over UDP, Dot1x and MAC
!--- Authentication Bybass traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so that it
!--- will be policed and dropped by the CoPP feature
!---
access-list 150 permit tcp any any eq 80
access-list 150 permit tcp any any eq 443
!---
!--- Features: Distributed Director with HTTP Redirects and DNS
!---
access-list 150 deny tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 53
!---
!--- Permit Distributed Director with HTTP Redirects and DNS
!--- traffic sent to all IP addresses configured on all interfaces
!--- of the affected device so that it will be policed and dropped
!--- by the CoPP feature
!---
access-list 150 permit tcp any any eq 53
!---
!--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and
!--- Layer4 traffic in accordance with existing security policies
!--- and configurations for traffic that is authorized to be sent
!--- to infrastructure devices
!---
!---
!--- Create a Class-Map for traffic to be policed by
!--- the CoPP feature
!---
class-map match-all drop-tcpip-class
match access-group 150
!---
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.
!---
policy-map drop-tcpip-traffic
class drop-tcpip-class
drop
!---
!--- Apply the Policy-Map to the
!--- Control-Plane of the device
!---
control-plane
service-policy input drop-tcpip-traffic
In the above CoPP example, the access control list entries (ACEs)
that match the potential exploit packets with the "permit" action
result in these packets being discarded by the policy-map "drop"
function, while packets that match the "deny" action (not shown) are
not affected by the policy-map drop function. Please note that the
policy-map syntax is different in the 12.2S and 12.0S Cisco IOS
trains:
policy-map drop-tcpip-traffic
class drop-tcpip-class
police 32000 1500 1500 conform-action drop exceed-action drop
Additional information on the configuration and use of the CoPP
feature can be found in the documents, "Control Plane Policing
Implementation Best Practices" and "Cisco IOS Software Releases 12.2
S - Control Plane Policing" at the following links
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html and
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html
Additional mitigations that can be deployed on Cisco devices within
the network are available in the "Cisco Applied Mitigation Bulletin"
companion document for this advisory at the following link
http://www.cisco.com/warp/public/707/cisco-amb-20090325-tcp-and-ip.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was discovered by Cisco when performing internal
vulnerability testing. We would also like to thank Jens Link,
freelance consultant, for also reporting this vulnerability to us.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcpip.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-March-25 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAknKUasACgkQ86n/Gc8U/uBbjACeIwNWs1Rt18l5RAnnaMCvg4GA
kK0AnjoeX6PBI/y6tro0tjJUCfrAAr30
=Ijff
- -----END PGP SIGNATURE-----
_______________________________________________
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Secure Copy Privilege
Escalation Vulnerability
Advisory ID: cisco-sa-20090325-scp
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
Revision 1.0
For Public Release 2009 March 25 1600 UTC (GMT)
- - ---------------------------------------------------------------------
Summary
=======
The server side of the Secure Copy (SCP) implementation in Cisco IOS
software contains a vulnerability that could allow authenticated
users with an attached command-line interface (CLI) view to transfer
files to and from a Cisco IOS device that is configured to be an SCP
server, regardless of what users are authorized to do, per the CLI
view configuration. This vulnerability could allow valid users to
retrieve or write to any file on the device's file system, including
the device's saved configuration and Cisco IOS image files, even if
the CLI view attached to the user does not allow it. This
configuration file may include passwords or other sensitive
information.
The Cisco IOS SCP server is an optional service that is disabled by
default. CLI views are a fundamental component of the Cisco IOS
Role-Based CLI Access feature, which is also disabled by default.
Devices that are not specifically configured to enable the Cisco IOS
SCP server, or that are configured to use it but do not use
role-based CLI access, are not affected by this vulnerability.
This vulnerability does not apply to the Cisco IOS SCP client
feature.
Cisco has released free software updates that address this
vulnerability.
There are no workarounds available for this vulnerability apart from
disabling either the SCP server or the CLI view feature if these
services are not required by administrators.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
Note: The March 25, 2009, Cisco IOS Security Advisory bundled
publication includes eight Security Advisories. All of the advisories
address vulnerabilities in Cisco IOS Software. Each advisory lists
the releases that correct the vulnerability or vulnerabilities in the
advisory. The following table lists releases that correct all Cisco
IOS Software vulnerabilities that have been published in Cisco
Security Advisories on March 25, 2009, or earlier.
http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml
Individual publication links are listed below:
* Cisco IOS cTCP Denial of Service Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
* Cisco IOS Software Multiple Features IP Sockets Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
* Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
* Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
* Cisco IOS Software Session Initiation Protocol Denial of Service
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
* Cisco IOS Software Multiple Features Crafted TCP Sequence
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
* Cisco IOS Software Multiple Features Crafted UDP Packet
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
* Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
Affected Products
=================
Vulnerable Products
+------------------
Cisco devices running an affected Cisco IOS software release,
configured to offer SCP server functionality, and configured to use
role-based ACL access are affected by this issue.
A device running a vulnerable Cisco IOS software release is affected
if its configuration is similar to the following:
parser view <view name>
<Definition of the CLI view>
!
username <user ID> view <view name> secret <some secret>
!
ip scp server enable
In the above configuration snippet, the parser view command defines a
view that specifies what commands users in that view can execute. The
username command defines a local user and attaches, via the view
keyword, the previously defined view to the user. And finally, the ip
scp server enable command enables the Cisco IOS SCP server.
The absence of the username command does not guarantee that the
device's configuration is not affected by this vulnerability because
the name of a CLI view can be supplied by means of an Authentication,
Authorization, and Accounting (AAA) server by using the cli-view-name
attribute.
Note: The CLI view attached to a user can be supplied by a AAA
server. When inspecting a device's configuration to determine if it
is affected by this vulnerability it is better to check if the SCP
service is enabled (ip scp server enabled command) and whether there
are any CLI views defined (parser view command).
The Cisco IOS SCP server and role-based CLI access features are
disabled by default.
The SCP server functionality is only available on encryption-capable
images. Encryption-capable images are those that contain either a
"k8" or "k9" in the image name, for example, "C7200-ADVSECURITYK9-M".
Devices that do not run encryption-capable images are not vulnerable.
If a device is running an encryption-capable image, the presence in
the configuration of the ip scp server enable command, the existence
of CLI views (parser view command), and whether there are users
(local or remote) attached to these views will determine if the
device is affected.
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26),
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
!--- output truncated
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.4(20)T with an installed image name of
C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M),
Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html
Cisco IOS XE Software is also affected by this vulnerability.
Products Confirmed Not Vulnerable
+--------------------------------
Cisco devices that do not run Cisco IOS software are not affected.
Cisco IOS devices that do not have the SCP server feature enabled, or
that make use of the feature but do not have the role-based CLI
feature enabled, are not affected.
Cisco IOS XR Software is not affected.
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
SCP is a protocol similar to the Remote Copy (RCP) protocol, which
allows the transfer of files between systems. The main difference
between SCP and RCP is that in SCP, all aspects of the file transfer
session, including authentication, occur in encrypted form, which
makes SCP a more secure alternative than RCP. SCP relies on the
Secure Shell (SSH) protocol, which uses TCP port 22 by default.
The Role-Based CLI Access feature allows the network administrator to
define "views". Views are sets of operational commands and
configuration capabilities that provide selective or partial access
to Cisco IOS software EXEC and configuration (Config) mode commands.
Views restrict user access to Cisco IOS command-line interface (CLI)
and configuration information; that is, a view can define what
commands are accepted and what configuration information is visible.
For more information about the Role-Based CLI Access feature,
reference
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
The server side of the SCP implementation in Cisco IOS software
contains a vulnerability that allows authenticated users with an
attached command-line interface (CLI) view to transfer files to and
from a Cisco IOS device that is configured to be a SCP server,
regardless of what users are authorized to do, per the CLI view
configuration. This vulnerability could allow authenticated users to
retrieve or write to any file on the device's file system, including
the device's saved configuration and Cisco IOS image files. This
configuration file may include passwords or other sensitive
information.
In the affected configuration presented in the Affected Products
section, users confined to a CLI view can elevate their privileges by
using SCP to write to the device's configuration. Note that a view
can be attached to a user when defining the user in the local
database (via the username <user name> view ... command), or by
passing the attribute cli-view-name from an AAA server.
This vulnerability does not allow for authentication bypass; login
credentials are verified and access is only granted if a valid
username and password is provided. This vulnerability may cause
authorization to be bypassed.
This vulnerability is documented in the Cisco Bug ID CSCsv38166
and has been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2009-0637.
Vulnerability Scoring Details
==============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsv38166 - SCP + views (role-based CLI) allows privilege escalation
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability described in this
advisory may allow valid but unauthorized users to retrieve or write
to any file on the device's file system, including the device's saved
configuration and Cisco IOS image files. This configuration file may
include passwords or other sensitive information.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+------------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|------------+------------------------------------+-----------------|
| 12.2 | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2B | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2BC | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2BW | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2BX | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2BY | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2BZ | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2CX | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2CY | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2CZ | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2DA | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2DD | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2DX | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2EW | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2EWA | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2EX | Vulnerable; migrate to any release | 12.2(44)SE6 |
| | in 12.2SEG | |
|------------+------------------------------------+-----------------|
| 12.2EY | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+------------------------------------+-----------------|
| 12.2EZ | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2FX | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2FY | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2FZ | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| | | 12.2(33)SRC4; |
| 12.2IRA | Vulnerable; first fixed in 12.2SRC | Available on |
| | | 18-MAY-2009 |
|------------+------------------------------------+-----------------|
| | | 12.2(33)SRC4; |
| 12.2IRB | Vulnerable; first fixed in 12.2SRC | Available on |
| | | 18-MAY-2009 |
|------------+------------------------------------+-----------------|
| 12.2IXA | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2IXB | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2IXC | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2IXD | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2IXE | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2IXF | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2IXG | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2JA | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2JK | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2MB | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2MC | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2S | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SB | 12.2(33)SB4 | 12.2(33)SB4 |
|------------+------------------------------------+-----------------|
| 12.2SBC | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SCA | Vulnerable; first fixed in 12.2SCB | 12.2(33)SCB1 |
|------------+------------------------------------+-----------------|
| 12.2SCB | 12.2(33)SCB1 | 12.2(33)SCB1 |
|------------+------------------------------------+-----------------|
| | 12.2(50)SE | |
| 12.2SE | | 12.2(44)SE6 |
| | 12.2(44)SE6 | |
|------------+------------------------------------+-----------------|
| 12.2SEA | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SEB | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SEC | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SED | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SEE | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SEF | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SEG | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| | 12.2(52)SG; Available on | 12.2(52)SG; |
| 12.2SG | 15-MAY-2009 | Available on |
| | | 15-MAY-2009 |
|------------+------------------------------------+-----------------|
| 12.2SGA | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SL | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SM | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SO | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SQ | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| 12.2SRA | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| | | 12.2(33)SRC4; |
| | | Available on |
| | | 18-MAY-2009 |
| 12.2SRB | Vulnerable; first fixed in 12.2SRC | |
| | | 12.2(33)SRB5a; |
| | | Available on |
| | | 3-April-2009 |
|------------+------------------------------------+-----------------|
| | 12.2(33)SRC4; Available on | 12.2(33)SRC4; |
| 12.2SRC | 18-MAY-2009 | Available on |
| | | 18-MAY-2009 |
|------------+------------------------------------+-----------------|
| 12.2SRD | 12.2(33)SRD1 | 12.2(33)SRD1 |
|------------+------------------------------------+-----------------|
| 12.2STE | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| 12.2SU | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SV | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SVA | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SVC | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SVD | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SVE | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SW | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SX | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SXA | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SXB | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SXD | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SXE | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SXF | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SXH | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SXI | 12.2(33)SXI1 | 12.2(33)SXI1 |
|------------+------------------------------------+-----------------|
| 12.2SY | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2SZ | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2T | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2TPC | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XA | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XB | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XC | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XD | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XE | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XF | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XG | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XH | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XI | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XJ | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XK | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XL | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XM | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| | | 12.2(33)SB4 |
| | | |
| | | 12.2(33)SRD1 |
| 12.2XN | Vulnerable; first fixed in 12.2SRC | |
| | | 12.2(33)SRC4; |
| | | Available on |
| | | 18-MAY-2009 |
|------------+------------------------------------+-----------------|
| | | 12.2(33)SRD1 |
| | | |
| 12.2XNA | Vulnerable; first fixed in 12.2SRD | 12.2(33)SRC4; |
| | | Available on |
| | | 18-MAY-2009 |
|------------+------------------------------------+-----------------|
| 12.2XNB | 12.2(33)XNB3 | 12.2(33)XNB3 |
|------------+------------------------------------+-----------------|
| 12.2XNC | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XO | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XQ | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XR | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XS | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XT | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XU | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XV | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2XW | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YA | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YB | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YC | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YD | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YE | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YF | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YG | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YH | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YJ | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YK | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YL | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YM | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YN | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YO | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YP | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YQ | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YR | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YS | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YT | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YU | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YV | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YW | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YX | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YY | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2YZ | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2ZA | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2ZB | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2ZC | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2ZD | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2ZE | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2ZF | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2ZG | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2ZH | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2ZJ | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2ZL | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2ZP | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2ZU | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2ZX | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2ZY | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.2ZYA | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|------------+------------------------------------+-----------------|
| 12.3 | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.3B | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.3BC | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.3BW | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.3EU | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.3JA | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| 12.3JEA | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| 12.3JEB | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| 12.3JEC | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3JK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| 12.3JL | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.3JX | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3T | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| 12.3TPC | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.3VA | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| 12.3XA | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.3XB | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.3XC | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.3XD | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.3XE | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.3XF | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XG | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| 12.3XI | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+------------------------------------+-----------------|
| 12.3XJ | Vulnerable; first fixed in 12.3YX | 12.3(14)YX14 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XL | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XQ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(18e) |
| | | |
| 12.3XR | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XS | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XU | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| 12.3XW | Vulnerable; first fixed in 12.3YX | 12.3(14)YX14 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XX | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3XY | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| 12.3XZ | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YA | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YD | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| 12.3YF | Vulnerable; first fixed in 12.3YX | 12.3(14)YX14 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YG | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YH | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YI | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YJ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| 12.3YM | 12.3(14)YM13 | 12.3(14)YM13 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YQ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YS | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YT | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YU | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| 12.3YX | 12.3(14)YX14 | 12.3(14)YX14 |
|------------+------------------------------------+-----------------|
| 12.3YZ | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.3ZA | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|------------+------------------------------------+-----------------|
| | 12.4(18e) | 12.4(18e) |
| | | |
| 12.4 | 12.4(23a); Available on | 12.4(23a); |
| | 30-APR-2009 | Available on |
| | | 30-APR-2009 |
|------------+------------------------------------+-----------------|
| 12.4JA | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| 12.4JDA | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| 12.4JK | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| 12.4JL | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| 12.4JMA | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| 12.4JMB | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| 12.4JX | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| 12.4MD | 12.4(11)MD7 | 12.4(11)MD7 |
|------------+------------------------------------+-----------------|
| 12.4MR | 12.4(19)MR2 | 12.4(19)MR2 |
|------------+------------------------------------+-----------------|
| 12.4SW | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| | 12.4(24)T | |
| | | 12.4(22)T1 |
| | 12.4(20)T2 | |
| 12.4T | | 12.4(15)T9; |
| | 12.4(22)T1 | Available on |
| | | 29-APR-2009 |
| | 12.4(15)T9; Available on | |
| | 29-APR-2009 | |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XA | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XB | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XC | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | 12.4(4)XD12; Available on | 12.4(4)XD12; |
| 12.4XD | 27-MAR-2009 | Available on |
| | | 27-MAR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XE | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XF | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | 12.4(20)T2 | |
| 12.4XG | | 12.4(15)T9; |
| | 12.4(22)T1 | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XJ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | Releases prior to 12.4(15)XL4 are | |
| 12.4XL | vulnerable, release 12.4(15)XL4 | 12.4(15)XL4 |
| | and later are not vulnerable; | |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XM | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| 12.4XN | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| 12.4XP | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| 12.4XQ | 12.4(15)XQ2 | 12.4(15)XQ2 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XR | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XT | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| 12.4XV | Vulnerable; contact TAC | |
|------------+------------------------------------+-----------------|
| 12.4XW | 12.4(11)XW10 | 12.4(11)XW10 |
|------------+------------------------------------+-----------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XY | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+------------------------------------+-----------------|
| 12.4XZ | 12.4(15)XZ2 | 12.4(15)XZ2 |
|------------+------------------------------------+-----------------|
| 12.4YA | 12.4(20)YA2 | 12.4(20)YA3 |
|------------+------------------------------------+-----------------|
| 12.4YB | Not Vulnerable | |
|------------+------------------------------------+-----------------|
| 12.4YD | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
If the Cisco IOS SCP server functionality is not needed then the
vulnerability described in this document can be mitigated by
disabling the SCP server or the CLI view feature. The SCP server can
be disabled by executing the following command in global
configuration mode:
no ip scp server enable
If the SCP server cannot be disabled due to operational concerns,
then no workarounds exist. The risk posed by this vulnerability can
be mitigated by following the best practices detailed in "Cisco Guide
to Harden Cisco IOS Devices" at
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
Please refer to the Obtaining Fixed Software section of this advisory
for appropriate solutions to resolve this vulnerability.
Due to the nature of this vulnerability, networking best practices
like access control lists (ACLs) and Control Plane Policing (CoPP)
that restrict access to a device to certain IP addresses or
subnetworks may not be effective. If access is already granted to a
specific IP address or subnetwork, a user with low privileges will be
able to establish an SCP session with the device, which would allow
the user to exploit this vulnerability.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as
otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was reported to Cisco by Kevin Graham. Cisco would
like to thank Mr. Graham for reporting this vulnerability and working
with us towards coordinated disclosure of the vulnerability.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-March-25 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAknKUbQACgkQ86n/Gc8U/uBoggCdGbEAh9pGrV/ApbhENou5MF4M
vTIAn03h9J//T0V6BZBxwwS2hKs/JIXi
=JGEE
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Mobile IP and Mobile IPv6
Vulnerabilities
Advisory ID: cisco-sa-20090325-mobileip
http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
Revision 1.0
For Public Release 2009 March 25 1600 UTC (GMT)
- - ---------------------------------------------------------------------
Summary
=======
Devices that are running Cisco IOS Software and configured for Mobile
IP Network Address Translation (NAT) Traversal feature or Mobile IPv6
are vulnerable to a denial of service (DoS) attack that may result in
a blocked interface.
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at the following link
http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
Note: The March 25, 2009, Cisco IOS Security Advisory bundled
publication includes eight Security Advisories. All of the advisories
address vulnerabilities in Cisco IOS Software. Each advisory lists
the releases that correct the vulnerability or vulnerabilities in the
advisory. The following table lists releases that correct all Cisco
IOS Software vulnerabilities that have been published in Cisco
Security Advisories on March 25, 2009, or earlier.
http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml
Individual publication links are listed below:
* Cisco IOS cTCP Denial of Service Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
* Cisco IOS Software Multiple Features IP Sockets Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
* Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
* Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
* Cisco IOS Software Session Initiation Protocol Denial of Service
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
* Cisco IOS Software Multiple Features Crafted TCP Sequence
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
* Cisco IOS Software Multiple Features Crafted UDP Packet
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
* Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
Affected Products
=================
Devices that are running an affected version of Cisco IOS Software
and configured for Mobile IP NAT Traversal feature or Mobile IPv6 are
vulnerable.
Vulnerable Products
+------------------
Devices running Cisco IOS Software and configured for Mobile IP NAT
Traversal feature will have a line similar to the following in the
output of the show running-config command:
ip mobile home-agent nat traversal [...]
or
ip mobile foreign-agent nat traversal [...]
or
ip mobile router-service collocated registration nat traversal [...]
Devices running Cisco IOS Software and configured for Mobile IPv6
will have a line similar to the following in the output of the show
running-config command:
ipv6 mobile home-agent
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26),
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
!--- output truncated
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.4(20)T with an installed image name of
C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M),
Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html
Products Confirmed Not Vulnerable
+--------------------------------
Cisco IOS XR is not affected by these vulnerabilities.
Cisco IOS XE is not affected by these vulnerabilities.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Mobile IP is part of both IPv4 and IPv6 standards. Mobile IP allows a
host device to be identified by a single IP address even though the
device may move its physical point of attachment from one network to
another. Regardless of movement between different networks,
connectivity at the different points is achieved seamlessly without
user intervention. Roaming from a wired network to a wireless or
wide-area network is also possible.
More information on Mobile IPv6 can be found at the following link:
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-mobile.html
The Mobile IP Support NAT Traversal feature is documented in RFC
3519. It introduces an alternative method for tunneling Mobile IP
data traffic. New extensions in the Mobile IP registration request
and reply messages have been added for establishing User Datagram
Protocol (UDP) tunneling. This feature allows mobile devices in
collocated mode that use a private IP address (RFC 1918) or foreign
agents (FAs) that use a private IP address for the care-of address
(CoA) to establish a tunnel and traverse a NAT-enabled router with
mobile node (MN) data traffic from the home agent (HA).
More information on Mobile IP NAT Traversal feature can be found at
the following link:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gtnatmip.html
Devices that are running an affected version of Cisco IOS Software
and configured for Mobile IPv6 or Mobile IP NAT Traversal feature are
affected by a DoS vulnerability. A successful exploitation of this
vulnerability could cause an interface to stop processing traffic
until the system is restarted. Offending packets need to be destined
to the router for a successful exploit.
These vulnerabilities are documented in the Cisco Bug IDs CSCsm97220
and CSCso05337 and have been assigned Common Vulnerabilities and
Exposures (CVE) IDs CVE-2009-0633 and CVE-2009-0634.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsm97220 - Input queue wedged by MIPv6 packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCso05337 - HA: Input queue wedged by ICMP packet
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may result in an
interface to stop processing traffic, causing a DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+------------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.2 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|------------+--------------------------------------+---------------|
| 12.3 | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3B | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3BC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3BW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3EU | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JEA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JEB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JEC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3JX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.3T | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| 12.3TPC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3VA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XE | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XG | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XI | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XJ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XQ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XR | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XS | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XU | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XY | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3XZ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YG | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YH | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YI | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3YJ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | Releases prior to 12.3(11)YK3 are | 12.4(22)T1 |
| | vulnerable, release 12.3(11)YK3 and | |
| 12.3YK | later are not vulnerable; first | 12.4(15)T9; |
| | fixed in 12.4T | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| 12.3YM | 12.3(14)YM13 | 12.3(14)YM13 |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YQ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YS | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YT | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.3YU | Vulnerable; migrate to 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| | Releases prior to 12.3(14)YX10 are | |
| 12.3YX | vulnerable, release 12.3(14)YX10 and | 12.3(14)YX14 |
| | later are not vulnerable; | |
|------------+--------------------------------------+---------------|
| 12.3YZ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.3ZA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|------------+--------------------------------------+---------------|
| | | 12.4(18e) |
| | 12.4(18e) | |
| 12.4 | | 12.4(23a); |
| | 12.4(23a); Available on 30-APR-2009 | Available on |
| | | 30-APR-2009 |
|------------+--------------------------------------+---------------|
| 12.4JA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JDA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JMA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JMB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4MD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4MR | 12.4(19)MR | 12.4(19)MR2 |
|------------+--------------------------------------+---------------|
| 12.4SW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | 12.4(20)T | 12.4(22)T1 |
| | | |
| 12.4T | 12.4(15)T8 | 12.4(15)T9; |
| | | Available on |
| | 12.4(15)T9; Available on 29-APR-2009 | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XA | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| | 12.4(15)T8 | 12.4(22)T1 |
| | | |
| 12.4XB | 12.4(20)T | 12.4(15)T9; |
| | | Available on |
| | 12.4(15)T9; Available on 29-APR-2009 | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XC | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| | 12.4(4)XD12; Available on | 12.4(4)XD12; |
| 12.4XD | 27-MAR-2009 | Available on |
| | | 27-MAR-2009 |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XE | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XF | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| 12.4XG | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XJ | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| 12.4XK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XL | 12.4(15)XL4 | 12.4(15)XL4 |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XM | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| 12.4XN | Vulnerable; contact TAC | |
|------------+--------------------------------------+---------------|
| 12.4XP | Vulnerable; contact TAC | |
|------------+--------------------------------------+---------------|
| 12.4XQ | 12.4(15)XQ2 | 12.4(15)XQ2 |
|------------+--------------------------------------+---------------|
| 12.4XR | 12.4(15)XR4 | 12.4(22)T1 |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XT | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| 12.4XV | Vulnerable; contact TAC | |
|------------+--------------------------------------+---------------|
| 12.4XW | 12.4(11)XW10 | 12.4(11)XW10 |
|------------+--------------------------------------+---------------|
| | | 12.4(22)T1 |
| | | |
| 12.4XY | 12.4(15)XY4 | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+--------------------------------------+---------------|
| 12.4XZ | 12.4(15)XZ1 | 12.4(15)XZ2 |
|------------+--------------------------------------+---------------|
| 12.4YA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4YB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4YD | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
The following mitigation and identification methods have been
identified for these vulnerabilities:
Infrastructure Access Control Lists
+----------------------------------
Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic at
the border of networks. Infrastructure Access Control Lists (iACLs)
are a network security best practice and should be considered as a
long-term addition to good network security as well as a workaround
for these specific vulnerabilities. The iACL example below should be
included as part of the deployed infrastructure access-list which
will protect all devices with IP addresses in the infrastructure IP
address range:
IPv4 example:
!--- Anti-spoofing entries are shown here.
!--- Deny special-use address sources.
!--- Refer to RFC 3330 for additional special use addresses.
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
!--- Filter RFC 1918 space.
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
!--- Deny your space as source from entering your AS.
!--- Deploy only at the AS edge.
access-list 110 deny ip YOUR_CIDR_BLOCK any
!--- Permit BGP.
access-list 110 permit tcp host bgp_peer host router_ip eq bgp
access-list 110 permit tcp host bgp_peer eq bgp host router_ip
!--- Deny access to internal infrastructure addresses.
access-list 110 deny ip any INTERNAL_INFRASTRUCTURE_ADDRESSES
!--- Permit transit traffic.
access-list 110 permit ip any any
IPv6 example:
!--- Configure the access-list.
ipv6 access-list iacl
!--- Deny your space as source from entering your AS.
!--- Deploy only at the AS edge.
deny ipv6 YOUR_CIDR_BLOCK_IPV6 any
!--- Permit multiprotocol BGP.
permit tcp host bgp_peer_ipv6 host router_ipv6 eq bgp
permit tcp host bgp_peer_ipv6 eq bgp host router_ipv6
!--- Deny access to internal infrastructure addresses.
deny ipv6 any INTERNAL_INFRASTRUCTURE_ADDRESSES_IPV6
!--- Permit transit traffic.
permit ipv6 any any
The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended
deployment techniques for infrastructure protection access lists.
This white paper can be obtained at the following link
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
Cisco IOS Embedded Event Manager
+-------------------------------
It is possible to detect blocked interface queues with a Cisco IOS
Embedded Event Manager (EEM) policy. EEM provides event detection and
reaction capabilities on a Cisco IOS device. EEM can alert
administrators of blocked interfaces with email, a syslog message, or
a Simple Network Management Protocol (SNMP) trap.
A sample EEM policy that uses syslog to alert administrators of
blocked interfaces is available at Cisco Beyond, an online community
dedicated to EEM. A sample script is available at the following link:
http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=981
More information about EEM is available from Cisco.com at the
following link:
http://www.cisco.com/en/US/products/ps6815/products_ios_protocol_group_home.html
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was reported to Cisco by a customer.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-Mar-25 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAknKUa8ACgkQ86n/Gc8U/uBD0ACfYblb5Nscx1zIWMLeihiaZAe7
TtsAoIGgf8/ubiolVwSDmu/tCTgH8skm
=YxAj
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFJyxOXNVH5XJJInbgRAoitAJ92xC0si5jKiOQI1Znoz0g38VP10wCePD9r
AnMdnagBRDHDlRql2WMWUt0=
=rCr8
-----END PGP SIGNATURE-----