COMMAND
Cisco IOS

SYSTEMS AFFECTED
Cisco IOS 12.0-based releases, 11.3AA and 11.3DB (see the table below)

PROBLEM
Olaf Selke found the following. A UDP port scan with nmap (v2.0) can
crash Cisco routers running Cisco IOS software version 12.0. Cisco has
verified that the problem exists. nmap's UDP scan sends an empty UDP
datagram to each probed port, and the datagram that lands on the syslog
port (UDP 514) is what brings the router down, so triggering the problem
is trivial:

nmap -sU <router>
Certain versions of Cisco IOS software may crash or hang when they
receive invalid user datagram protocol (UDP) packets sent to their
"syslog" port (UDP port 514). An attacker can cause Cisco IOS devices
to crash and reload, and can repeat the process at will. By striking
continuously, an attacker might be able to completely disable a Cisco
IOS device until that device is reconfigured by its administrator. Some
Cisco IOS devices have been observed to hang instead of crashing when
attacked. These devices do not recover until manually restarted by
reset or power cycle, so an administrator may have to physically visit
an attacked device in order to recover from the attack, even if the
attacker is no longer actively sending any traffic. Some devices have
crashed without providing stack traces, and devices crashed through
this vulnerability may report that they were "restarted by power-on"
even when that is not actually the case; an unexplained reload with
that reason should therefore not be taken at face value.

SOLUTION
You can work around this vulnerability by preventing any affected
Cisco IOS device from receiving or processing UDP datagrams addressed
to its own port 514. This can be done either with packet filtering on
surrounding devices, or with an input access list on the affected IOS
device itself.

If you use an input access list, apply it to every interface on which
attackers may be able to reach the device. This includes not only
physical LAN and WAN interfaces, but also virtual subinterfaces of
those physical interfaces, and virtual interfaces and/or interface
templates corresponding to GRE, L2TP, L2F, and other tunnelling
protocols.

The input access list must block traffic destined for UDP port 514 at
any of the Cisco IOS device's own IP addresses, and at any broadcast or
multicast address on which the device may be listening. Remember to
block old-style "all-zeroes" broadcasts as well as new-style "all-ones"
broadcasts. It is not necessary to block traffic being forwarded to
other hosts (for example syslog traffic on its way to a real syslog
server); only traffic actually addressed to the Cisco IOS device is of
interest.

There is no single input access list that will work in all
configurations. It is very important that you understand the effect of
your access list in your specific configuration before you activate it.
The following example shows a possible access list for a
three-interface router, along with the configuration commands needed to
apply that access list. The example assumes that there is no need for
input filtering other than as a workaround for this vulnerability:
! Deny all multicasts (224.0.0.0 and above, which also covers the
! all-ones unspecified-net broadcast 255.255.255.255) to port 514
access-list 101 deny udp any 224.0.0.0 31.255.255.255 eq 514
! Deny old-style unspecified-net broadcasts
access-list 101 deny udp any host 0.0.0.0 eq 514
! Deny network-specific broadcasts. This example assumes that all of
! the local interfaces are on the class B network 172.16.0.0, subnetted
! everywhere with mask 255.255.255.0. This will differ from network
! to network. Note that we block both new-style and old-style broadcasts.
access-list 101 deny udp any 172.16.0.255 0.0.255.0 eq 514
access-list 101 deny udp any 172.16.0.0 0.0.255.0 eq 514
! Deny packets sent to the addresses of our own network interfaces.
access-list 101 deny udp any host 172.16.1.1 eq 514
access-list 101 deny udp any host 172.16.2.1 eq 514
access-list 101 deny udp any host 172.16.3.3 eq 514
! Permit all other traffic (default would be to deny)
access-list 101 permit ip any any
! Apply the access list to the input side of each interface
interface ethernet 0
ip address 172.16.1.1 255.255.255.0
ip access-group 101 in
interface ethernet 2
ip address 172.16.2.1 255.255.255.0
ip access-group 101 in
interface ethernet 3
ip address 172.16.3.3 255.255.255.0
ip access-group 101 in
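Because no single list fits every configuration, it is worth checking a candidate list before activating it. The following is an added example, not part of the Cisco advisory: a small evaluator for the subset of IOS numbered extended access-list syntax the advisory's list uses, run against constructed probe packets (the device's own addresses, both styles of directed broadcast, the limited broadcast, multicast, forwarded syslog, and unrelated traffic). The ACL text is the advisory's; the probe packets and the "forgotten" interface 172.16.4.1 are assumptions made for illustration.

```python
"""Added example (not from the Cisco advisory): evaluate an IOS extended
access list against constructed probe packets to confirm that UDP/514 is
dropped at every address the device itself listens on while forwarded and
unrelated traffic is left alone."""
import ipaddress
import re

# The advisory's workaround ACL for its three-interface example router.
ACL_101 = """
access-list 101 deny udp any 224.0.0.0 31.255.255.255 eq 514
access-list 101 deny udp any host 0.0.0.0 eq 514
access-list 101 deny udp any 172.16.0.255 0.0.255.0 eq 514
access-list 101 deny udp any 172.16.0.0 0.0.255.0 eq 514
access-list 101 deny udp any host 172.16.1.1 eq 514
access-list 101 deny udp any host 172.16.2.1 eq 514
access-list 101 deny udp any host 172.16.3.3 eq 514
access-list 101 permit ip any any
"""

# Only the syntax the advisory's list uses: source is always 'any';
# destination is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; optional 'eq PORT'.
ENTRY_RE = re.compile(
    r"access-list\s+\d+\s+(?P<action>permit|deny)\s+(?P<proto>ip|udp|tcp)\s+any\s+"
    r"(?:(?P<any>any)|host\s+(?P<host>\S+)|(?P<addr>\S+)\s+(?P<wild>\S+))"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$"
)

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_acl(text):
    """Parse ACL lines into (action, proto, base, wildcard, port) tuples.
    An IOS wildcard mask has a 1 bit wherever the address bit is ignored,
    so 'host X' is wildcard 0.0.0.0 and 'any' is wildcard 255.255.255.255."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError("unsupported ACL syntax: " + line)
        if m.group("any"):
            base, wild = 0, 0xFFFFFFFF
        elif m.group("host"):
            base, wild = ip_int(m.group("host")), 0
        else:
            base, wild = ip_int(m.group("addr")), ip_int(m.group("wild"))
        port = int(m.group("port")) if m.group("port") else None
        entries.append((m.group("action"), m.group("proto"), base, wild, port))
    return entries

def evaluate(entries, proto, dst_ip, dst_port):
    """First matching entry wins; a packet matching nothing is denied,
    which is the implicit 'deny any' at the end of every IOS access list."""
    dst = ip_int(dst_ip)
    for action, eproto, base, wild, port in entries:
        if eproto != "ip" and eproto != proto:
            continue
        care = ~wild & 0xFFFFFFFF          # bits the entry actually compares
        if (dst & care) != (base & care):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"

# Constructed probe packets: what a UDP scan or an attacker might send to
# the example router, plus traffic the workaround must NOT disturb.
PROBES = {
    "own address 172.16.1.1":                 ("udp", "172.16.1.1", 514),
    "all-ones subnet broadcast 172.16.2.255": ("udp", "172.16.2.255", 514),
    "all-zeros subnet broadcast 172.16.3.0":  ("udp", "172.16.3.0", 514),
    "limited broadcast 255.255.255.255":      ("udp", "255.255.255.255", 514),
    "old-style broadcast 0.0.0.0":            ("udp", "0.0.0.0", 514),
    "multicast 224.0.0.1":                    ("udp", "224.0.0.1", 514),
    "syslog forwarded to host 172.16.1.50":   ("udp", "172.16.1.50", 514),
    "SNMP to the router itself":              ("udp", "172.16.1.1", 161),
    "TCP/514 (rsh) to the router":            ("tcp", "172.16.1.1", 514),
    # Hypothetical: an interface added later and never put into the list.
    "forgotten interface 172.16.4.1":         ("udp", "172.16.4.1", 514),
}

def check_workaround(acl_text=ACL_101, probes=PROBES):
    """Return {probe description: 'permit' | 'deny'} for every probe."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, *pkt) for name, pkt in probes.items()}

if __name__ == "__main__":
    for name, verdict in check_workaround().items():
        print(f"{verdict:6s}  {name}")
```

The last probe is the point of the exercise: an interface address that was not in the list when it was written is still reachable on UDP/514, so the list has to be revisited whenever addresses or interfaces change.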
Input access lists have an impact on system performance, and should be
installed with a degree of caution, especially on systems that are
running very near their capacity limits. Once the list is active,
show access-lists 101 displays a match count for each entry, which is a
quick way to confirm that scan or attack traffic is hitting the deny
entries rather than falling through to the final permit.

Many Cisco software images have been or will be specially reissued to
correct this vulnerability. For example, regular released version
12.0(2) is vulnerable, as are interim versions 12.0(2.1) through
12.0(2.3). The first fixed interim version of 12.0 mainline software is
12.0(2.4). However, a special release, 12.0(2a), contains only the fix
for this vulnerability, and does not include any of the other bug fixes
from later 12.0 interim releases. If you are running 12.0(2) and want
to upgrade to fix this problem without taking the risk of instability
presented by installing the 12.0(2.4) interim release, you can upgrade
to 12.0(2a). 12.0(2a) is a "code branch" from the 12.0(2) base which
merges back into the 12.0 mainline at 12.0(2.4). See the following
table for information about affected and repaired software versions.
All dates in the table are tentative and subject to change:
+----------+-------------+---------------+---------------+-----------------+
| | | Special | First fixed | |
| | | one-time spot | interim | First fixed |
| Cisco IOS| | fix release; | release** (fix| regular |
| Major | Description | most stable | will carry | maintenance |
| Release | | immediate | forward into |release (or other|
| | | upgrade path | all later |long term upgrade|
| | | (see above) | versions) | path) |
+----------+-------------+---------------+---------------+-----------------+
| Unaffected releases |
+----------+-------------+---------------+---------------+-----------------+
|11.2 and |Unaffected | | | |
|earlier, |early | | | |
|all |releases (no |Unaffected |Unaffected |Unaffected |
|variants |syslog | | | |
| |server) | | | |
+----------+-------------+---------------+---------------+-----------------+
|11.3, | | | | |
|11.3T, | | | | |
|11.3DA, |11.3 releases| | | |
|11.3MA, |without |Unaffected |Unaffected |Unaffected |
|11.3NA, |syslog | | | |
|11.3WA, |servers | | | |
|11.3(2)XA | | | | |
| | | | | |
+----------+-------------+---------------+---------------+-----------------+
| 11.3-based releases |
+----------+-------------+---------------+---------------+-----------------+
| |11.3 early | | | |
|11.3AA |deployment |11.3(7)AA2, |11.3(7.2)AA |11.3(8)AA, |
| |for AS58xx |8-JAN-1999* | |15-FEB-1999* |
+----------+-------------+---------------+---------------+-----------------+
| |11.3 for | | | |
| |Cisco NRP | | | |
|11.3DB |routing blade| - | - |11.3(7)DB2, |
| |in Cisco 6400| | |18-JAN-1999* |
| |xDSL DSLAM | | | |
+----------+-------------+---------------+---------------+-----------------+
| 12.0-based releases |
+----------+-------------+---------------+---------------+-----------------+
|12.0 |12.0 mainline|12.0(2a), |12.0(2.4) |12.0(3), |
| | |8-JAN-1999* | |1-FEB-1999* |
+----------+-------------+---------------+---------------+-----------------+
| |12.0 new | | | |
|12.0T |technology |12.0(2a)T1, |12.0(2.4)T |12.0(3)T, |
| |early |11-JAN-1999* | |15-FEB-1999* |
| |deployment | | | |
+----------+-------------+---------------+---------------+-----------------+
| |ISP support: | | | |
|12.0S |7200, RSP, | - |12.0(2.3)S |12.0(2)S***, |
| |GSR | |27-DEC-1998 |18-JAN-1999* |
+----------+-------------+---------------+---------------+-----------------+
| |12.0 for | | | |
| |Cisco 6400 | | | |
| |universal | | | |
|12.0DB |access | - | - |12.0(2)DB, |
| |concentrator | | |18-JAN-1999* |
| |node switch | | | |
| |processor | | | |
| |(lab use) | | | |
+----------+-------------+---------------+---------------+-----------------+
| | |12.0(1)W5(5a) | |12.0(1)W5(6) |
| |12.0 for |and | |(platform support|
|12.0(1)W |Catalyst 8500|12.0(1a)W5(5b) |12.0(1)W5(5.15)|for Catalyst |
| |and LS1010 |(LS1010 | |8540M will be in |
| | |platform only) | |12.0(1)W5(7)) |
+----------+-------------+---------------+---------------+-----------------+
| |One-time | | | |
| |early | | | |
| |deployment | | |Unaffected; |
| |for CH-OC12 |Unaffected; | |general upgrade |
|12.0(0.6) |in Catalyst |one-time |Unaffected |path is via |
|W5 |8500 series |release | |12.0(1)W5 |
| |switches | | |releases. |
| | | | | |
| | | | | |
+----------+-------------+---------------+---------------+-----------------+
| |Short-life | | | |
| |release; | | |Upgrade to |
|12.0(1)XA3|merged to    |Obsolete       |Merged         |12.0(2a)T1 and/or|
| |12.0T at | | |to 12.0(3)T |
| |12.0(2)T | | | |
+----------+-------------+---------------+---------------+-----------------+
| |Short-life | | | |
| |release for | | | |
| |Cisco 800 | | | |
|12.0(1)XB |series; |12.0(1)XB1 |Merged |Upgrade to |
| |merged to | | |12.0(3)T |
| |12.0T at | | | |
| |12.0(3)T | | | |
+----------+-------------+---------------+---------------+-----------------+
| |Short-life | | | |
| |release for | | | |
| |new features | | | |
| |in Cisco | | | |
| |2600, Cisco | | | |
|12.0(2)XC |3600, |12.0(2)XC1, |Merged |Upgrade to |
| |ubr7200, |7-JAN-1999* | |12.0(3)T |
| |ubr900 | | | |
| |series; | | | |
| |merged to | | | |
| |12.0T at | | | |
| |12.0(3)T | | | |
+----------+-------------+---------------+---------------+-----------------+
| |Short-life | | | |
| |release for | | | |
| |ISDN voice | | | |
|12.0(2)XD |features; |12.0(2)XD1, |Merged |Upgrade to |
| |merged to |18-JAN-1999* | |12.0(3)T |
| |12.0T at | | | |
| |12.0(3)T. | | | |
+----------+-------------+---------------+---------------+-----------------+
|12.0(1)XE |Short-life |12.0(2)XE, |Merged |Upgrade to |
| |release |18-JAN-1999* | |12.0(3)T |
+----------+-------------+---------------+---------------+-----------------+
* All projected dates are estimates, and are subject to change
** Interim releases are subjected to less rigorous testing
than regular maintenance releases, and may have serious
bugs.
*** The vulnerability is fixed in 12.0(2)S. The 12.0(2.3)S
interim release is available to the field before the
12.0(2)S regular release because of internal process
considerations. This entry is not a misprint.