COMMAND

    Cisco IOS

SYSTEMS AFFECTED

    Cisco IOS 12x, 11.3AA and 11.3DB

PROBLEM

    Olaf Selke found the following.  By using nmap (v2.0) UDP scans you
    can crash Cisco routers running Cisco IOS software version 12.0.
    Cisco has verified that the problem does exist.  This is very easy
    to exploit:

        nmap -sU <router>

    Certain versions of Cisco IOS software may crash or hang when they
    receive invalid user datagram protocol (UDP) packets sent to their
    "syslog" ports (port 514).  Attackers can cause Cisco IOS  devices
    to crash  and reload.   Furthermore, an  attacker can  repeat  the
    process at will.  By  striking continuously, an attacker might  be
    able to completely  disable a Cisco  IOS device until  that device
    was reconfigured  by its  administrator.   Some Cisco  IOS devices
    have  been  observed  to  hang  instead of crashing when attacked.
    These devices do not recover until manually restarted by reset  or
    power  cycle.   This  means  that  it  might  be  necessary for an
    administrator to physically visit  an attacked device in  order to
    recover  from  the  attack,  even  if  the  attacker  is no longer
    actively sending any traffic.   Some devices have crashed  without
    providing stack traces;  devices crashed using  this vulnerability
    may indicate  that they  were "restarted  by power-on",  even when
    that is not actually the case.

SOLUTION

    You can work around this vulnerability by preventing any  affected
    Cisco  IOS  device  from  receiving  or  processing  UDP datagrams
    addressed to its port 514.   This can be done either using  packet
    filtering on surrounding  devices, or by  using input access  list
    filtering on the affected IOS device itself.  If you use an  input
    access list,  that list  should be  applied to  all interfaces  to
    which attackers may be able to send datagrams.  This includes  not
    only physical LAN and WAN interfaces, but virtual subinterfaces of
    those physical  interfaces, as  well as  virtual interfaces and/or
    interface templates  corresponding to  GRE, L2TP,  L2F, and  other
    tunnelling protocols.   The input access  list must block  traffic
    destined for UDP port 514 at any of the Cisco IOS device's own  IP
    addresses, as well as at  any broadcast or multicast addresses  on
    which the Cisco  IOS device may  be listening.   It's important to
    remember to  block old-style  "all-zeroes" broadcasts  as well  as
    new-style "all-ones"  broadcasts.   It is  not necessary  to block
    traffic  being  forwarded  to  other  hosts; only traffic actually
    addressed to the  Cisco IOS device  is of interest.   There is  no
    single input access list that will work in all configurations.  It
    is very important  that you understand  the effect of  your access
    list in your specific configuration before you activate the list.

    The  following  example  shows  a  possible  access  list  for   a
    three-interface  router,  along  with  the  configuration commands
    needed to apply that access list.  The example assumes that  there
    is no need for input filtering other than as a workaround for this
    vulnerability:

        ! Deny all multicasts, and all unspecified-net broadcasts, to port 514
        access-list 101 deny udp any 224.0.0.0 31.255.255.255 eq 514
        ! Deny old-style unspecified-net broadcasts
        access-list 101 deny udp any host 0.0.0.0 eq 514
        ! Deny network-specific broadcasts. This example assumes that all of
        ! the local interfaces are on the class B network 172.16.0.0, subnetted
        ! everywhere with mask 255.255.255.0. This will differ from network
        ! to network. Note that we block both new-style and old-style broadcasts.
        access-list 101 deny udp any 172.16.0.255 0.0.255.0 eq 514
        access-list 101 deny udp any 172.16.0.0   0.0.255.0 eq 514
        ! Deny packets sent to the addresses of our own network interfaces.
        access-list 101 deny udp any host 172.16.1.1 eq 514
        access-list 101 deny udp any host 172.16.2.1 eq 514
        access-list 101 deny udp any host 172.16.3.3 eq 514
        ! Permit all other traffic (default would be to deny)
        access-list 101 permit ip any any

        ! Apply the access list to the input side of each interface
        interface ethernet 0
        ip address 172.16.1.1 255.255.255.0
        ip access-group 101 in

        interface ethernet 2
        ip address 172.16.2.1 255.255.255.0
        ip access-group 101 in

        interface ethernet 3
        ip address 172.16.3.3 255.255.255.0
        ip access-group 101 in
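    As an added illustration, not part of the original advisory and not
    Cisco's code, the following Python script derives an input access
    list of the kind shown above from a list of interface addresses and
    masks, and includes a check that mirrors which destinations the
    list is meant to drop.  It generalizes the example slightly: rather
    than the advisory's one summary wildcard entry per broadcast style,
    it emits an explicit entry for each connected subnet's new-style
    and old-style broadcast, so interfaces on unrelated networks are
    handled too.  The interface names and addresses are the constructed
    three-interface example from above.

```python
import ipaddress

# Constructed example topology: the three-interface router from the
# workaround above (hypothetical interface names and addresses).
INTERFACES = [
    ("ethernet 0", "172.16.1.1", "255.255.255.0"),
    ("ethernet 2", "172.16.2.1", "255.255.255.0"),
    ("ethernet 3", "172.16.3.3", "255.255.255.0"),
]

def wildcard_match(ip, base, wildcard):
    """Cisco wildcard-mask semantics: a 0 bit must match, a 1 bit is a don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def local_targets(interfaces):
    """Addresses at which the device itself may receive UDP/514: its own
    interface addresses and each connected subnet's directed broadcast in
    new-style (all-ones) and old-style (all-zeros) form. Two sorted lists."""
    own, bcast = set(), set()
    for _name, addr, mask in interfaces:
        net = ipaddress.IPv4Interface(f"{addr}/{mask}").network
        own.add(addr)
        bcast.add(str(net.broadcast_address))
        bcast.add(str(net.network_address))
    return sorted(own, key=ipaddress.IPv4Address), sorted(bcast, key=ipaddress.IPv4Address)

def build_acl(acl_number, interfaces):
    """Emit the deny entries, the final permit, and the per-interface apply commands."""
    own, bcast = local_targets(interfaces)
    deny = f"access-list {acl_number} deny udp any"
    lines = [f"{deny} 224.0.0.0 31.255.255.255 eq 514",  # multicast and 255.255.255.255
             f"{deny} host 0.0.0.0 eq 514"]               # old-style unspecified-net broadcast
    lines += [f"{deny} host {b} eq 514" for b in bcast]  # per-subnet directed broadcasts
    lines += [f"{deny} host {a} eq 514" for a in own]    # the device's own addresses
    lines.append(f"access-list {acl_number} permit ip any any")
    for name, addr, mask in interfaces:
        lines += ["", f"interface {name}", f" ip address {addr} {mask}",
                  f" ip access-group {acl_number} in"]
    return lines

def is_denied(dst_ip, interfaces):
    """Mirror of the list's intent: would a UDP/514 datagram to dst_ip be dropped?"""
    own, bcast = local_targets(interfaces)
    return (wildcard_match(dst_ip, "224.0.0.0", "31.255.255.255")
            or dst_ip == "0.0.0.0" or dst_ip in own or dst_ip in bcast)

if __name__ == "__main__":
    print("\n".join(build_acl(101, INTERFACES)))
```

    Note that the wildcard entry 224.0.0.0 31.255.255.255 covers every
    address whose first octet is 224 or higher, which is why the
    all-ones broadcast 255.255.255.255 needs no separate line.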

    Input  access  lists  have  an  impact  on system performance, and
    should  be  installed  with  a  degree  of  caution, especially on
    systems that are  running very near  their capacity limits.   Many
    Cisco software images have been  or will be specially reissued  to
    correct this vulnerability. For example, regular released  version
    12.0(2) is vulnerable, as  are interim versions 12.0(2.1)  through
    12.0(2.3). The  first  fixed  interim  version  of  12.0  mainline
    software  is  12.0(2.4).  However,  a  special  release, 12.0(2a),
    contains only the fix for this vulnerability, and does not include
    any of the other bug fixes  from later 12.0 interim releases.   If
    you  were  running  12.0(2),  and  wanted  to  upgrade to fix this
    problem,  without  taking  the  risk  of  instability presented by
    installing the  12.0(2.4) interim  release, you  could upgrade  to
    12.0(2a). 12.0(2a)  represents a  "code branch"  from the  12.0(2)
    base, which merges back into the 12.0 mainline at 12.0(2.4).   See
    the following  table for  information about  affected and repaired
    software  versions.   All  dates  in  the  table are tentative and
    subject to change:

    +----------+-------------+---------------+---------------+-----------------+
    |          |             |    Special    |  First fixed  |                 |
    |          |             | one-time spot |    interim    |   First fixed   |
    | Cisco IOS|             |  fix release; | release** (fix|     regular     |
    |   Major  | Description |  most stable  |   will carry  |   maintenance   |
    | Release  |             |   immediate   |  forward into |release (or other|
    |          |             |  upgrade path |   all later   |long term upgrade|
    |          |             |  (see above)  |   versions)   |      path)      |
    +----------+-------------+---------------+---------------+-----------------+
    |                           Unaffected releases                            |
    +----------+-------------+---------------+---------------+-----------------+
    |11.2 and  |Unaffected   |               |               |                 |
    |earlier,  |early        |               |               |                 |
    |all       |releases (no |Unaffected     |Unaffected     |Unaffected       |
    |variants  |syslog       |               |               |                 |
    |          |server)      |               |               |                 |
    +----------+-------------+---------------+---------------+-----------------+
    |11.3,     |             |               |               |                 |
    |11.3T,    |             |               |               |                 |
    |11.3DA,   |11.3 releases|               |               |                 |
    |11.3MA,   |without      |Unaffected     |Unaffected     |Unaffected       |
    |11.3NA,   |syslog       |               |               |                 |
    |11.3WA,   |servers      |               |               |                 |
    |11.3(2)XA |             |               |               |                 |
    |          |             |               |               |                 |
    +----------+-------------+---------------+---------------+-----------------+
    |                           11.3-based releases                            |
    +----------+-------------+---------------+---------------+-----------------+
    |          |11.3 early   |               |               |                 |
    |11.3AA    |deployment   |11.3(7)AA2,    |11.3(7.2)AA    |11.3(8)AA,       |
    |          |for AS58xx   |8-JAN-1999*    |               |15-FEB-1999*     |
    +----------+-------------+---------------+---------------+-----------------+
    |          |11.3 for     |               |               |                 |
    |          |Cisco NRP    |               |               |                 |
    |11.3DB    |routing blade|       -       |       -       |11.3(7)DB2,      |
    |          |in Cisco 6400|               |               |18-JAN-1999*     |
    |          |xDSL DSLAM   |               |               |                 |
    +----------+-------------+---------------+---------------+-----------------+
    |                           12.0-based releases                            |
    +----------+-------------+---------------+---------------+-----------------+
    |12.0      |12.0 mainline|12.0(2a),      |12.0(2.4)      |12.0(3),         |
    |          |             |8-JAN-1999*    |               |1-FEB-1999*      |
    +----------+-------------+---------------+---------------+-----------------+
    |          |12.0 new     |               |               |                 |
    |12.0T     |technology   |12.0(2a)T1,    |12.0(2.4)T     |12.0(3)T,        |
    |          |early        |11-JAN-1999*   |               |15-FEB-1999*     |
    |          |deployment   |               |               |                 |
    +----------+-------------+---------------+---------------+-----------------+
    |          |ISP support: |               |               |                 |
    |12.0S     |7200, RSP,   |       -       |12.0(2.3)S     |12.0(2)S***,     |
    |          |GSR          |               |27-DEC-1998    |18-JAN-1999*     |
    +----------+-------------+---------------+---------------+-----------------+
    |          |12.0 for     |               |               |                 |
    |          |Cisco 6400   |               |               |                 |
    |          |universal    |               |               |                 |
    |12.0DB    |access       |       -       |       -       |12.0(2)DB,       |
    |          |concentrator |               |               |18-JAN-1999*     |
    |          |node switch  |               |               |                 |
    |          |processor    |               |               |                 |
    |          |(lab use)    |               |               |                 |
    +----------+-------------+---------------+---------------+-----------------+
    |          |             |12.0(1)W5(5a)  |               |12.0(1)W5(6)     |
    |          |12.0 for     |and            |               |(platform support|
    |12.0(1)W  |Catalyst 8500|12.0(1a)W5(5b) |12.0(1)W5(5.15)|for Catalyst     |
    |          |and LS1010   |(LS1010        |               |8540M will be in |
    |          |             |platform only) |               |12.0(1)W5(7))    |
    +----------+-------------+---------------+---------------+-----------------+
    |          |One-time     |               |               |                 |
    |          |early        |               |               |                 |
    |          |deployment   |               |               |Unaffected;      |
    |          |for CH-OC12  |Unaffected;    |               |general upgrade  |
    |12.0(0.6) |in Catalyst  |one-time       |Unaffected     |path is via      |
    |W5        |8500 series  |release        |               |12.0(1)W5        |
    |          |switches     |               |               |releases.        |
    |          |             |               |               |                 |
    |          |             |               |               |                 |
    +----------+-------------+---------------+---------------+-----------------+
    |          |Short-life   |               |               |                 |
    |          |release;     |               |               |Upgrade to       |
    |12.0(1)XA3|merged to    |Obsolete       |Merged         |12.0(2a)T1 and/or|
    |          |12.0T at     |               |               |to 12.0(3)T      |
    |          |12.0(2)T     |               |               |                 |
    +----------+-------------+---------------+---------------+-----------------+
    |          |Short-life   |               |               |                 |
    |          |release for  |               |               |                 |
    |          |Cisco 800    |               |               |                 |
    |12.0(1)XB |series;      |12.0(1)XB1     |Merged         |Upgrade to       |
    |          |merged to    |               |               |12.0(3)T         |
    |          |12.0T at     |               |               |                 |
    |          |12.0(3)T     |               |               |                 |
    +----------+-------------+---------------+---------------+-----------------+
    |          |Short-life   |               |               |                 |
    |          |release for  |               |               |                 |
    |          |new features |               |               |                 |
    |          |in Cisco     |               |               |                 |
    |          |2600, Cisco  |               |               |                 |
    |12.0(2)XC |3600,        |12.0(2)XC1,    |Merged         |Upgrade to       |
    |          |ubr7200,     |7-JAN-1999*    |               |12.0(3)T         |
    |          |ubr900       |               |               |                 |
    |          |series;      |               |               |                 |
    |          |merged to    |               |               |                 |
    |          |12.0T at     |               |               |                 |
    |          |12.0(3)T     |               |               |                 |
    +----------+-------------+---------------+---------------+-----------------+
    |          |Short-life   |               |               |                 |
    |          |release for  |               |               |                 |
    |          |ISDN voice   |               |               |                 |
    |12.0(2)XD |features;    |12.0(2)XD1,    |Merged         |Upgrade to       |
    |          |merged to    |18-JAN-1999*   |               |12.0(3)T         |
    |          |12.0T at     |               |               |                 |
    |          |12.0(3)T.    |               |               |                 |
    +----------+-------------+---------------+---------------+-----------------+
    |12.0(1)XE |Short-life   |12.0(2)XE,     |Merged         |Upgrade to       |
    |          |release      |18-JAN-1999*   |               |12.0(3)T         |
    +----------+-------------+---------------+---------------+-----------------+

        * All projected dates are estimates, and are subject to change
       ** Interim  releases  are  subjected  to less rigorous  testing
          than  regular  maintenance  releases,  and  may have serious
          bugs.
      *** The  vulnerability  is  fixed  in  12.0(2)S. The  12.0(2.3)S
          interim  release  is  available  to  the  field  before  the
          12.0(2)S  regular  release   because  of  internal   process
          considerations.  This entry is not a misprint.