COMMAND

    CISCO IOS

SYSTEMS AFFECTED

    11.3AA; 12.0 releases 12.0(2) up to and including 12.0(6), and
    12.0(7), except that 12.0(7)S, 12.0(7)T, and 12.0(7)XE are not
    vulnerable.

PROBLEM

    The following is based on a Cisco Security Advisory.  A defect in
    multiple Cisco IOS software versions will cause a Cisco router  to
    reload  unexpectedly  when  the  router  is  tested  for  security
    vulnerabilities  by  security  scanning  software  programs.   The
    defect can be exploited repeatedly to produce a consistent  denial
    of service (DoS) attack.   Customers using the affected Cisco  IOS
    software releases  are urged  to upgrade  as soon  as possible  to
    later versions that are not vulnerable to this defect.  Vulnerable
    products and releases are listed in detail below.

    The security scanner is testing  for the presence of two  specific
    vulnerabilities  that  affect  certain  UNIX-based  systems.   The
    vulnerabilities are unrelated to Cisco IOS software and Cisco  IOS
    software  is  not  directly  at   risk  from  them.   However,   a
    side-effect  of  the  tests  exposes  the defect described in this
    security  advisory,  and  the  router  will reload unexpectedly as
    soon  as  it  receives  any  subsequent  traffic.   This defect is
    documented as Cisco Bug ID CSCdm70743.

    Cisco customers running Cisco  IOS software versions 11.3,  11.3T,
    11.2 or  lower, and  12.0(8) or  12.1 or  higher are not affected.
    This vulnerability affects  the following Cisco  hardware products
    if they are running affected software:

        * AS5200, AS5300, and AS5800 series access servers
        * 7200 and 7500 series routers
        * ubr7200 series cable routers
        * 7100 series routers
        * 3660 series routers
        * SC3640 System Controllers (see the explanation below)
        * AS5800 series Voice Gateway products
        * AccessPath LS-3, TS-3, and VS-3 Access Solutions products

    The SC3640 System Controller is a Cisco 3640 router customized  to
    provide local management  of multiple access  servers.  The  Cisco
    SC3640 binary image contains the defect and thus is vulnerable  if
    it is possible for the attacker to telnet to the device.  However,
    the original Cisco 3640 router does not contain the defect and  is
    not vulnerable to the denial  of service attack described in  this
    notice.    No  other   Cisco  products   are  affected   by   this
    vulnerability.

    Software packages are available  from various commercial and  free
    sites that  perform automated  remote tests  for computer security
    vulnerabilities  by  scanning  computers  on  a  network for known
    security  flaws.   Two  security  vulnerabilities  associated with
    several  UNIX-based  platforms  are  the  subject  of two specific
    tests that have the same effect on vulnerable Cisco routers.   The
    scanning  program  is  asserting  the  Telnet ENVIRON option, #36,
    before the router indicates that  it is willing to accept  it, and
    this causes the router to reload unexpectedly.

    The  described  defect  can  be  used  to  mount  a consistent and
    repeatable denial of service (DoS) attack on any vulnerable  Cisco
    product,  which  may  result  in  violations  of  the availability
    aspects of a  customer's security policy.   This defect by  itself
    does  not  cause  the  disclosure  of confidential information nor
    allow unauthorized access.

SOLUTION

    For the affected  Cisco IOS software  Major Release version  shown
    in the first column of  the table below, customers should  upgrade
    to the  known invulnerable  releases listed  to the  right in  the
    same row.  In general, customers should upgrade to the release  in
    the  column  furthest  to  the  right  within  the  same row.  For
    example,  any  customer  running  12.0  "mainline" (Major Release)
    should upgrade at least  to 12.0(7.1), but preferably  to 12.0(8).
    Any release not specifically listed in the left-most column  below
    is unaffected by the vulnerability.

    The  projected  release  date  is  shown with the software release
    version number  for those  releases that  are not  yet complete or
    available on CCO.*  An "interim release" is scheduled and contains
    numerous fixes and occasional enhancements that carry forward into
    all  later  versions.**  A  "maintenance  release"  is a regularly
    scheduled  event  that  incorporates  significant enhancements and
    cumulative  fixes;  it  may  be  the  entry  point  for support of
    noteworthy new technology in Cisco IOS software.

    ==========================================================================
       Major                          Projected Fixed      Projected Fixed
      Release      Description     Regular or Interim**  Regular Maintenance
                                         Releases              Releases
    ==========================================================================
                           Unaffected Earlier Releases
    --------------------------------------------------------------------------
     11.2 and
     earlier,
        all     Multiple releases       Unaffected            Unaffected
     variants
    ==========================================================================
                               11.3-based Releases
    --------------------------------------------------------------------------
                 AS5800 support
      11.3AA          and                    -               11.3(11a)AA
                   other dial
                    platforms
    ==========================================================================
                               12.0-based Releases
    --------------------------------------------------------------------------
       12.0       12.0 mainline          12.0(7.1)             12.0(8)
    --------------------------------------------------------------------------
                  ISP support:          12.0(6.6)S             12.0(7)S
       12.0S       7200, RSP,      -------------------------------------------
                    GSR12000            12.0(7.1)S             12.0(8)S
    --------------------------------------------------------------------------
      12.0SC        Cable ISP          12.0(6.6)SC1          12.0(8)SC***
                support: ubr7200        12.0(7.1)SC          or 12.0(9)SC
    --------------------------------------------------------------------------
                    12.0 new            12.0(6.5)T3
       12.0T    technology early   ---------------------       12.0(7)T
               deployment release       12.0(6.5)T4
    --------------------------------------------------------------------------
       12.0W    12.0 for Catalyst   12.0(6.5)W5(16.0.9)    12.0(6.5)W5(17),
                 8500 and LS1010                             2000/04/18*
    --------------------------------------------------------------------------
                   Short-life
                   release for
      12.0XE        selected            Unavailable           12.0(7)XE1
                   enterprise
                features, 7200 &
                      7500
    --------------------------------------------------------------------------
                   Short-life
                   release for
      12.0XJ    Dial/Voice, 5200,       Unavailable           12.0(4)XJ4
                5300, 5800, 2600,
                     & 3600
    ==========================================================================
                               12.1-based Releases
    --------------------------------------------------------------------------
     12.1 and
    later, all  Multiple releases       Unaffected            Unaffected
     variants
    ==========================================================================

      * All dates are tentative and subject to change
     ** Interim releases  are subjected to  less internal testing  and
        verification  than  are  regular  releases,  may  have serious
        bugs, and should be installed with great care.
    *** 12.0(8)SC is not vulnerable  to this defect, but due  to other
        issues it is no longer available on CCO as of the date of this
        notice.  Upgrade instead to 12.0(9)SC.

    Cisco  is  offering   free  software  upgrades   to  remedy   this
    vulnerability for all affected customers.  Customers with  service
    contracts may upgrade to any software version.  Customers  without
    contracts  may  upgrade  only  within  a  single  row of the table
    above, except that any  available fixed software will  be provided
    to any customer  who can use  it and for  whom the standard  fixed
    software is  not yet  available.   Customers may  install only the
    feature sets they have purchased.

    The vulnerability described in  this notice can only  be exploited
    if the  Telnet service  is configured  on the  affected system and
    reachable   from   the   attacker's   computer.    The   following
    recommendations provide  an interactive  login capability  without
    using the Telnet service, thus mitigating the threat in lieu of  a
    software upgrade while preserving remote access to the router  for
    administrative purposes:

    * Prevent  access  using  the  Telnet  service  by  defining    an
      appropriate access control list and applying it to the vty  line
      or  the  router's  interfaces  using the "access-group" keyword.
      Security  can  be  increased  further  by  restricting  both the
      virtual  terminal  lines  and  the  router's physical interfaces
      with two access-groups,  one to control  who can connect  to the
      vtys, and  the other  on the  interfaces to  control from  where
      those connections can be attempted.

    * Disable  Telnet  and  use  SSH  (if  it is available to you)  to
      connect  to  the  router  for  administrative  purposes.   After
      "line vty  0 4"  in the  router's configuration,  add "transport
      input ssh".  This stipulates  that only the SSH protocol  may be
      used for interactive logins  to the router.   As of the date  of
      this notice, SSH  is only available  on certain products:  7200,
      7500, and 12000 series running Cisco IOS software releases  such
      as 12.0S, 12.1S, and 12.1T.

    * Disable interactive network  logins to the router  completely by
      removing  the  "line"  command  such  that  virtual consoles are
      never  enabled.   Use  an  out-of-band  method  to log in to and
      administer the router  such as a  hard-wired console.   Consider
      connecting  the  console  to  a  terminal server which itself is
      only reachable via a separate  parallel network that in turn  is
      restricted  by  site   policy  exclusively  for   administrative
      purposes.

    The wide variety of customer configurations makes it impossible to
    judge the effectiveness and  relative merits of these  workarounds
    in  lieu  of  a  software  upgrade.  Customers  are  cautioned  to
    evaluate  these  recommendations  carefully  with  regard to their
    specific network configurations.
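
    An added example, not part of the Cisco advisory: a small Python
    audit that reads a saved router configuration and reports vty lines
    that can still accept Telnet, following the workarounds above.  The
    two sample configurations are constructed; on vty lines IOS applies
    an ACL with "access-class", on interfaces with "ip access-group".

```python
import re

# Constructed sample configurations, not taken from the advisory.
WEAK = """\
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 password example-only
 login
"""
HARDENED = """\
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
 login
"""

def vty_blocks(config):
    """Yield (header, sub-commands) for every 'line vty' block."""
    header, body = None, []
    for raw in config.splitlines():
        if raw[:1] in (" ", "\t"):        # indented: belongs to current block
            if header is not None:
                body.append(raw.strip())
            continue
        if header is not None:            # unindented line closes the block
            yield header, body
        header, body = (raw.strip(), []) if raw.startswith("line vty") else (None, [])
    if header is not None:
        yield header, body

def audit(config):
    """Return findings for vty lines that can still accept Telnet."""
    findings = []
    for header, body in vty_blocks(config):
        transports = [c.split()[2:] for c in body if c.startswith("transport input")]
        if not transports:
            # Assumption: with no 'transport input' line the default may admit Telnet.
            findings.append(f"{header}: no 'transport input', Telnet may be accepted")
        elif {"telnet", "all"} & set(transports[-1]):
            findings.append(f"{header}: Telnet allowed by 'transport input'")
        if not any(re.fullmatch(r"access-class \S+ in", c) for c in body):
            findings.append(f"{header}: no inbound access-class on the vty")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

    A configuration with no "line vty" block at all, as in the third
    workaround, produces no findings.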