-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1355
       Cisco Products IPv6 Neighbor Discovery Crafted Packet Denial
                         of Service Vulnerability
                                31 May 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco 12000 Series Routers
                   Cisco ASR 9000 Series Aggregation Services Routers
                   Cisco Carrier Routing System
                   Cisco Network Convergence System 4000 Series
                   Cisco Network Convergence System 6000 Series Routers
                   Cisco 4300 Series Integrated Services Routers
                   Cisco 4400 Series Integrated Services Routers
                   Cisco ASR 1000 Series Aggregation Services Routers
                   Cisco products running Cisco NX-OS Software
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1409  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6

Comment: Cisco has stated that fixes for this vulnerability are not yet
         available. For the vulnerability to be exploited, IPv6 must be
         enabled on the device; it is not enabled by default. Devices with a
         global IPv6 address on any interface can be attacked remotely, while
         devices with only link-local addresses can be attacked only from an
         adjacent Layer 2 segment.

         Cisco has also stated that it is currently aware of disruptions
         affecting some customers running the affected platforms.

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Cisco Products IPv6 Neighbor Discovery Crafted Packet Denial of Service 
Vulnerability

High

Advisory ID:

cisco-sa-20160525-ipv6

Last Updated:

2016 May 26 15:00 GMT

Published:

2016 May 25 16:00 GMT

Version 1.1:

Interim

CVSS Score:

Base - 5.0

Workarounds:

No workarounds available

Cisco Bug IDs:

CSCuz66542

CSCuz79330

CSCuz80276

CVE-2016-1409

Summary

A vulnerability in the IP Version 6 (IPv6) packet processing functions of
Cisco IOS XR Software, Cisco IOS XE Software, and Cisco NX-OS Software could 
allow an unauthenticated, remote attacker to cause an affected device to stop
processing IPv6 traffic, leading to a denial of service (DoS) condition on the
device.

The vulnerability is due to insufficient processing logic for crafted IPv6
packets that are sent to an affected device. An attacker could exploit this 
vulnerability by sending crafted IPv6 Neighbor Discovery packets to an 
affected device for processing. A successful exploit could allow the attacker
to cause the device to stop processing IPv6 traffic, leading to a DoS 
condition on the device.

Cisco will release software updates that address this vulnerability. There
are no workarounds that address this vulnerability.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6

Affected Products

Cisco is currently investigating its product line to determine which 
products may be affected by this vulnerability and the impact of the 
vulnerability on each affected product. As the investigation progresses, Cisco
will update this advisory with information about affected products, including
the ID of the Cisco bug for each affected product. The bugs will be accessible
through the Cisco Bug Search Tool and will contain additional 
platform-specific information, including any available workarounds and fixed 
software releases.

The following Cisco products are under active investigation to determine 
whether they are affected by the vulnerability that is described in this 
advisory:

        Cisco Adaptive Security Appliance (ASA) Software

        Cisco switches running Cisco IOS XE Software

        Products running Cisco IOS Software

    Vulnerable Products

Cisco has confirmed that Cisco IOS XR Software, Cisco IOS XE Software, and
Cisco NX-OS Software are affected by the vulnerability described in this 
advisory.

Note: Affected devices that are configured with a global IPv6 address on 
at least one interface and are processing traffic can be exploited by a remote
attacker. Affected devices that are configured with only a link-local address
on interfaces and are processing IPv6 traffic can be exploited with crafted 
packets only by a Layer 2 adjacent attacker.

For information about which software releases are affected, see the "Fixed
Software" section of this advisory.

    Cisco IOS XR Software

The following Cisco products are affected by this vulnerability if they 
are running an affected release of Cisco IOS XR Software and IPv6 is enabled 
on one or more interfaces:

        Cisco 12000 Series Routers

        Cisco ASR 9000 Series Aggregation Services Routers

        Cisco Carrier Routing System

        Cisco Network Convergence System 4000 Series

        Cisco Network Convergence System 6000 Series Routers

All types of line cards on those platforms are affected by this 
vulnerability.

If a device is running an affected release of Cisco IOS XR Software and 
IPv6 is enabled, administrators can identify interfaces that have assigned 
IPv6 addresses by using the show ipv6 interface brief command in the 
command-line interface (CLI). The following example shows the output of the 
command on a device that is running Cisco IOS XR Software with IPv6 enabled:

        RP/0/RP0/CPU0:router# show ipv6 interface brief

         <!output omitted>
         GigabitEthernet0/2/0/0 [Up/Up]
         fe80::212:daff:fe62:c150
         202::1

In addition, if IPv6 is enabled, the ipv6 enable interface configuration 
command is present in the configuration. The following example shows the 
output of a vulnerable configuration:

        RP/0/RP0/CPU0:router(config)# interface GigabitEthernet0/2/0/0

        RP/0/RP0/CPU0:router(config-if)# ipv6 enable

If IPv6 is not supported by the Cisco IOS XR Software release that is 
running on a device, use of the show ipv6 interface brief command produces an
error message. If IPv6 is not enabled on the device, use of the show ipv6 
interface brief command does not show any interfaces with IPv6 addresses. In 
either scenario, the device is not affected by this vulnerability.

    Cisco IOS XE Software

The following Cisco products are affected by this vulnerability if they 
are running an affected release of Cisco IOS XE Software and IPv6 is enabled 
on one or more interfaces that process traffic:

        Cisco 4300 Series Integrated Services Routers

        Cisco 4400 Series Integrated Services Routers

        Cisco ASR 1000 Series Aggregation Services Routers

By default, IPv6 is not enabled.

This vulnerability does not depend on any specific combination of Embedded
Services Processor (ESP) and Route Processor (RP) installations on the 
chassis. Any combination of ESP and RP chassis installations is affected by 
this vulnerability.

To determine whether IPv6 is enabled on one or more interfaces, 
administrators can use the show running-config | include ipv6.(enable|address)
privileged EXEC command in the CLI. If IPv6 is enabled, ipv6 enable and ipv6 
address appear in the output of the command.

The following example shows the output of the show running-config | 
include ipv6.(enable|address) command on a device that is running Cisco IOS XE
Software with IPv6 configured:

        Router# show running-config | include ipv6.(enable|address)
         ipv6 enable
         ipv6 address dhcp rapid-commit
         ipv6 address autoconfig
         ipv6 address MANAGEMENT ::1FFF:0:0:0:3560/128
         ipv6 address 2001:DB8::1/64

    Cisco NX-OS Software

All Cisco products running Cisco NX-OS Software are affected by this 
vulnerability if IPv6 is enabled on one or more interfaces that process 
traffic. By default, IPv6 is not enabled.

To determine whether IPv6 is enabled on one or more interfaces, 
administrators can use the show running-config | include ipv6.address 
privileged EXEC command in the CLI. If IPv6 is enabled, ipv6 address appears 
in the output of the command.

The following example shows the output of the show running-config | 
include ipv6.address command on a device that is running Cisco NX-OS Software
with IPv6 enabled:

        Router# show running-config | include ipv6.address
         ipv6 address 2001:DB8::1/64

    Determining the Cisco IOS XR Software Release

To determine which Cisco IOS XR Software release is running on a device, 
administrators can log in to the device and use the show version command in 
the CLI. If the device is running Cisco IOS XR Software, Cisco IOS XR Software
or similar text appears in the system banner.

The following example shows the output of the show version command on a 
device that is running Cisco IOS XR Software Release 4.1.0 with an installed 
image name of mbihfr-rp.vm:

        RP/0/RP0/CPU0:router# show version
         Mon May 31 02:14:12.722 DST

         Cisco IOS XR Software, Version 4.1.0
         Copyright (c) 2010 by Cisco Systems, Inc.

         ROM: System Bootstrap, Version 2.100(20100129:213223) [CRS-1 ROMMON],

         router uptime is 1 week, 6 days, 4 hours, 22 minutes
         System image file is "bootflash:disk0/hfr-os-mbi-4.1.0/mbihfr-rp.vm"

         cisco CRS-8/S (7457) processor with 4194304K bytes of memory. 
         7457 processor at 1197Mhz, Revision 1.2

    Determining the Cisco IOS XE Software Release

To determine which Cisco IOS XE Software release is running on a device, 
administrators can log in to the device and use the show version command in 
the CLI. If the device is running Cisco IOS XE Software, Cisco IOS XE Software
or similar text appears in the system banner.

The following example shows the output of the show version command on a 
device that is running Cisco IOS XE Software Release 3.6.2S, which maps to 
Cisco IOS Software Release 15.2(2)S2:

        Router# show version
        Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S2, RELEASE SOFTWARE (fc1)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2012 by Cisco Systems, Inc.
        Compiled Tue 07-Aug-12 13:40 by mcpre

    Determining the Cisco NX-OS Software Release

To determine which Cisco NX-OS Software release is running on a device, 
administrators can log in to the device and use the show version command in 
the CLI. If the device is running Cisco NX-OS Software, Cisco Nexus Operating
System (NX-OS) Software or similar text appears in the system banner.

The following example shows the output of the show version command for a 
Cisco Nexus 5000 Series Switch running Cisco NX-OS Software Release 
7.1(1)N1(1):

        # show version
        Cisco Nexus Operating System (NX-OS) Software
        TAC support: http://www.cisco.com/tac
        Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
        Copyright (c) 2002-2012, Cisco Systems, Inc. All rights reserved.
        The copyrights to certain works contained herein are owned by
        other third parties and are used and distributed under license.
        Some parts of this software are covered under the GNU Public
        License. A copy of the license is available at
        http://www.gnu.org/licenses/gpl.html.
        Software
        BIOS: version 3.6.0
        loader: version N/A
        kickstart: version 7.1(1)N1(1)
        system: version 7.1(1)N1(1)
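The checks above (is IPv6 enabled on any interface, and which OS family does the show version banner identify) are quick to run by hand on one device but tedious across a fleet of routers and switches. The following Python is an added example, not tooling from Cisco or AusCERT: it applies the advisory's own rules to CLI text captured from a device, identifying the OS family from the banner strings the advisory quotes, parsing IOS XR "show ipv6 interface brief" output, and applying the IOS XE / NX-OS "show running-config | include ipv6.(enable|address)" check. It ranks exposure using the advisory's global-versus-link-local distinction. The function names, the three exposure labels and the embedded sample captures (constructed from the advisory's example outputs) are this example's own.

```python
"""Exposure triage for cisco-sa-20160525-ipv6 (CVE-2016-1409).

Added example, not Cisco tooling. Labels are this example's own:
  REMOTE      - a global IPv6 address is present (remote attacker)
  L2_ADJACENT - link-local addresses only (attacker must share the segment)
  NOT_EXPOSED - IPv6 is not enabled on any interface
"""
import ipaddress
import re

NOT_EXPOSED = "NOT_EXPOSED"
L2_ADJACENT = "L2_ADJACENT"
REMOTE = "REMOTE"

# Banner fragments quoted from the advisory's show version examples.
_BANNERS = (
    ("IOS XR", ("Cisco IOS XR Software",)),
    ("IOS XE", ("Cisco IOS XE Software", "IOS-XE Software")),
    ("NX-OS", ("Cisco Nexus Operating System (NX-OS) Software",)),
)


def os_family(show_version):
    """Return 'IOS XR', 'IOS XE', 'NX-OS' or None for show version text."""
    for family, needles in _BANNERS:
        if any(n in show_version for n in needles):
            return family
    return None


def _scope(token):
    """'link-local', 'global' or None (token is not a usable unicast address).

    The advisory only distinguishes link-local from global, so every unicast
    address outside fe80::/10 counts as global here, including documentation
    space such as 2001:DB8::1 (ipaddress.is_global would reject it).
    """
    try:
        addr = ipaddress.IPv6Address(token.split("/")[0])
    except ValueError:
        return None
    if addr.is_link_local:
        return "link-local"
    if addr.is_multicast or addr.is_unspecified or addr.is_loopback:
        return None
    return "global"


# Interface header line, e.g. "GigabitEthernet0/2/0/0 [Up/Up]"
_IFACE_RE = re.compile(r"^(?P<name>\S+)\s+\[[^/\]]+/[^\]]+\]")


def exposure_from_interface_brief(text):
    """Parse IOS XR 'show ipv6 interface brief'; return (label, {iface: [addrs]})."""
    addrs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _IFACE_RE.match(line)
        if m:
            current = m.group("name")
            addrs.setdefault(current, [])
        elif current and _scope(line):
            addrs[current].append(line)
    scopes = {_scope(a) for lst in addrs.values() for a in lst}
    if "global" in scopes:
        return REMOTE, addrs
    if "link-local" in scopes:
        return L2_ADJACENT, addrs
    return NOT_EXPOSED, addrs


# Config lines the advisory's filter matches: "ipv6 enable", "ipv6 address ..."
_CFG_RE = re.compile(r"^\s*ipv6\s+(enable|address)(?:\s+(.*))?$")


def exposure_from_running_config(text):
    """Apply the advisory's running-config check for IOS XE and NX-OS.

    'ipv6 enable' alone gives the interface only a link-local address. Any
    'ipv6 address' form except an explicit link-local literal (static global,
    autoconfig, dhcp, general-prefix) is treated as global: the conservative
    reading, since a dynamically acquired address is not visible in the config.
    """
    enabled = has_global = False
    for raw in text.splitlines():
        m = _CFG_RE.match(raw)
        if not m:
            continue
        enabled = True
        args = (m.group(2) or "").split()
        if m.group(1) == "address" and not (args and _scope(args[0]) == "link-local"):
            has_global = True
    if has_global:
        return REMOTE
    return L2_ADJACENT if enabled else NOT_EXPOSED


# Constructed sample captures, modelled on the advisory's example outputs.
SAMPLE_XR_VERSION = "Cisco IOS XR Software, Version 4.1.0\n"
SAMPLE_XR_BRIEF = """\
 <!output omitted>
 GigabitEthernet0/2/0/0 [Up/Up]
 fe80::212:daff:fe62:c150
 202::1
 GigabitEthernet0/2/0/1 [Up/Up]
 fe80::212:daff:fe62:c151
"""
SAMPLE_XE_CONFIG = """\
 ipv6 enable
 ipv6 address dhcp rapid-commit
 ipv6 address 2001:DB8::1/64
"""

if __name__ == "__main__":
    label, per_iface = exposure_from_interface_brief(SAMPLE_XR_BRIEF)
    print(os_family(SAMPLE_XR_VERSION), label, per_iface)
    print(exposure_from_running_config(SAMPLE_XE_CONFIG))
```

Feed it the raw text of the three show commands collected by whatever you already use for configuration backups. Note that the running-config check is deliberately pessimistic: "ipv6 address autoconfig" or "ipv6 address dhcp" is counted as a global address even though the address itself is not in the configuration, because a device that will obtain a global address is reachable by a remote attacker once it does. Confirm with "show ipv6 interface" on the device if you need the actual addresses.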

    Products Confirmed Not Vulnerable

Cisco has confirmed that the vulnerability described in this advisory does
not affect the following Cisco products:

        Cisco ASR 900 Series Aggregation Services Routers

        Cisco Cloud Services Router 1000V Series

No other Cisco products are currently known to be affected by this 
vulnerability.

Indicators of Compromise

Exploitation of this vulnerability could cause high CPU usage on an 
affected platform. It could also cause an affected device to stop processing 
all IPv6 traffic. On some devices, exploitation of this vulnerability could 
cause a temporary loss of services for traffic that terminates on the device,
in addition to IPv6 traffic.

Workarounds

There are no workarounds that address this vulnerability.

Fixed Software

All releases of Cisco IOS XR Software, Cisco IOS XE Software, and Cisco 
NX-OS Software are affected by the vulnerability described in this advisory.

Currently, there are no software updates that address this vulnerability.
Updates for affected software releases will be published when they are 
available and information about those updates will be documented in Cisco 
bugs, which are accessible from the Cisco Bug Search Tool.

When considering software upgrades, customers are advised to consult the 
Cisco Security Advisories and Responses archive at 
http://www.cisco.com/go/psirt and review subsequent advisories to determine 
exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to upgrade contain
sufficient memory and confirm that current hardware and software 
configurations will continue to be supported properly by the new release. If 
the information is not clear, customers are advised to contact the Cisco 
Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

As of May 26, 2016, the Cisco Product Security Incident Response Team 
(PSIRT) is aware of disruptions for some Cisco customers who are running the 
affected platforms.

Source

This vulnerability was found during the resolution of a support case.

URL

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6

Revision History

Version  Date         Status   Section(s)                            Description
- -------  -----------  -------  ------------------------------------  ------------------------------------
1.1      2016-May-26  Interim  Affected Products, Indicators of      Updated information about products
                               Compromise, Exploitation and Public   under investigation and confirmed as
                               Announcements                         vulnerable. Added information about
                                                                     possible indicators of compromise
                                                                     and service disruption.

1.0      2016-May-25  Interim                                        Initial public release.

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR 
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR 
MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE 
RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE 
THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.

A standalone copy or paraphrase of the text of this document that omits 
the distribution URL is an uncontrolled copy and may lack important 
information or contain factual errors. The information in this document is 
intended for end users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----