COMMAND
CISCO IOS
SYSTEMS AFFECTED
11.3AA, 12.0 releases: 12.0(2) up to and including 12.0(6),
12.0(7), except that 12.0(7)S, 12.0(7)T, and 12.0(7)XE are not
vulnerable
PROBLEM
The following is based on a Cisco Security Advisory. A defect in
multiple Cisco IOS software versions will cause a Cisco router to
reload unexpectedly when the router is tested for security
vulnerabilities by security scanning software programs. The
defect can be exploited repeatedly to produce a consistent denial
of service (DoS) attack. Customers using the affected Cisco IOS
software releases are urged to upgrade as soon as possible to
later versions that are not vulnerable to this defect. Vulnerable
products and releases are listed in detail below.
The security scanner is testing for the presence of two specific
vulnerabilities that affect certain UNIX-based systems. The
vulnerabilities are unrelated to Cisco IOS software and Cisco IOS
software is not directly at risk from them. However, a
side-effect of the tests exposes the defect described in this
security advisory, and the router will reload unexpectedly as
soon as it receives any subsequent traffic. This defect is
documented as Cisco Bug ID CSCdm70743.
Cisco customers running Cisco IOS software versions 11.3, 11.3T,
11.2 or lower, and 12.0(8) or 12.1 or higher are not affected.
This vulnerability affects the following Cisco hardware products
if they are running affected software:
* AS5200, AS5300, and AS5800 series access servers
* 7200 and 7500 series routers
* ubr7200 series cable routers
* 7100 series routers
* 3660 series routers
* SC3640 System Controllers (see the explanation below)
* AS5800 series Voice Gateway products
* AccessPath LS-3, TS-3, and VS-3 Access Solutions products
The SC3640 System Controller is a Cisco 3640 router customized to
provide local management of multiple access servers. The Cisco
SC3640 binary image contains the defect and thus is vulnerable if
it is possible for the attacker to telnet to the device. However,
the original Cisco 3640 router does not contain the defect and is
not vulnerable to the denial of service attack described in this
notice. No other Cisco products are affected by this
vulnerability.
Software packages are available from various commercial and free
sites that perform automated remote tests for computer security
vulnerabilities by scanning computers on a network for known
security flaws. Two security vulnerabilities associated with
several UNIX-based platforms are the subject of two specific
tests that have the same effect on vulnerable Cisco routers. The
scanning program is asserting the Telnet ENVIRON option, #36,
before the router indicates that it is willing to accept it, and
this causes the router to reload unexpectedly.
The described defect can be used to mount a consistent and
repeatable denial of service (DoS) attack on any vulnerable Cisco
product, which may result in violations of the availability
aspects of a customer's security policy. This defect by itself
does not cause the disclosure of confidential information nor
allow unauthorized access.
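The trigger described above is a matter of negotiation order: the client sends ENVIRON subnegotiation data before the router has answered DO ENVIRON. The following passive checker, added here as an example and not part of the Cisco advisory, walks captured Telnet negotiation fragments (constructed samples; nothing is sent to any device) and reports a client that asserts option 36 before the server has offered it, which is the condition a monitor would want to log.

```python
"""Added example (not from the Cisco advisory): flag a Telnet client that
asserts the ENVIRON option (36) before the server has offered DO ENVIRON,
the negotiation order the advisory describes. Input is a constructed list
of (direction, bytes) fragments as a passive monitor would see them."""

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
ENVIRON = 36  # Telnet Environment Option, RFC 1408

def telnet_commands(data):
    """Yield (verb, option) for each IAC command; a subnegotiation yields (SB, option)."""
    i = 0
    while i < len(data):
        if data[i] != IAC:
            i += 1                      # ordinary data byte
        elif i + 1 < len(data) and data[i + 1] == IAC:
            i += 2                      # escaped 0xFF data byte
        elif i + 2 < len(data) and data[i + 1] in (DO, DONT, WILL, WONT):
            yield data[i + 1], data[i + 2]
            i += 3
        elif i + 2 < len(data) and data[i + 1] == SB:
            yield SB, data[i + 2]
            end = data.find(bytes([IAC, SE]), i + 3)   # skip to IAC SE
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                      # other or truncated command

def premature_environ(fragments):
    """Return the index of the first client fragment carrying ENVIRON
    subnegotiation before the server has sent DO ENVIRON; None if the
    order is normal. A bare WILL offer is legal unsolicited, so only SB counts."""
    server_offered = False
    for idx, (src, data) in enumerate(fragments):
        for verb, opt in telnet_commands(data):
            if opt != ENVIRON:
                continue
            if src == "server" and verb == DO:
                server_offered = True
            elif src == "client" and verb == SB and not server_offered:
                return idx
    return None

# Constructed samples: a normal exchange and the scanner ordering described above.
NORMAL = [("client", bytes([IAC, WILL, ENVIRON])),
          ("server", bytes([IAC, DO, ENVIRON])),
          ("client", bytes([IAC, SB, ENVIRON, 1, IAC, SE]))]
PREMATURE = [("client", bytes([IAC, WILL, ENVIRON])),
             ("client", bytes([IAC, SB, ENVIRON, 1, IAC, SE]))]

if __name__ == "__main__":
    print("normal:", premature_environ(NORMAL), "premature:", premature_environ(PREMATURE))
```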
SOLUTION
For the affected Cisco IOS software Major Release version shown
in the first column of the table below, customers should upgrade
to the known invulnerable releases listed to the right in the
same row. In general, customers should upgrade to the release in
the column furthest to the right within the same row. For
example, any customer running 12.0 "mainline" (Major Release)
should upgrade at least to 12.0(7.1), but preferably to 12.0(8).
Any release not specifically listed in the left-most column below
is unaffected by the vulnerability.
The projected release date is shown with the software release
version number for those releases that are not yet complete or
available on CCO.* An "interim release" is scheduled and contains
numerous fixes and occasional enhancements that carry forward into
all later versions.** A "maintenance release" is a regularly
scheduled event that incorporates significant enhancements and
cumulative fixes; it may be the entry point for support of
noteworthy new technology in Cisco IOS software.
==========================================================================
Major      Description            Projected Fixed        Projected Fixed
Release                           Regular or Interim**   Regular Maintenance
                                  Releases               Releases
==========================================================================
Unaffected Earlier Releases
--------------------------------------------------------------------------
11.2 and   Multiple releases      Unaffected             Unaffected
earlier,
all
variants
==========================================================================
11.3-based Releases
--------------------------------------------------------------------------
11.3AA     AS5800 support and     -                      11.3(11a)AA
           other dial platforms
==========================================================================
12.0-based Releases
--------------------------------------------------------------------------
12.0       12.0 mainline          12.0(7.1)              12.0(8)
--------------------------------------------------------------------------
12.0S      ISP support: 7200,     12.0(6.6)S             12.0(7)S
           RSP, GSR12000          ----------------------------------------
                                  12.0(7.1)S             12.0(8)S
--------------------------------------------------------------------------
12.0SC     Cable ISP support:     12.0(6.6)SC1           12.0(8)SC***
           ubr7200                12.0(7.1)SC            or 12.0(9)SC
--------------------------------------------------------------------------
12.0T      12.0 new technology    12.0(6.5)T3            12.0(7)T
           early deployment       12.0(6.5)T4
           release
--------------------------------------------------------------------------
12.0W      12.0 for Catalyst      12.0(6.5)W5(16.0.9)    12.0(6.5)W5(17),
           8500 and LS1010                               2000/04/18*
--------------------------------------------------------------------------
12.0XE     Short-life release     Unavailable            12.0(7)XE1
           for selected
           enterprise features,
           7200 & 7500
--------------------------------------------------------------------------
12.0XJ     Short-life release     Unavailable            12.0(4)XJ4
           for Dial/Voice, 5200,
           5300, 5800, 2600,
           & 3600
==========================================================================
12.1-based Releases
--------------------------------------------------------------------------
12.1 and   Multiple releases      Unaffected             Unaffected
later, all
variants
==========================================================================
* All dates are tentative and subject to change
** Interim releases are subjected to less internal testing and
verification than are regular releases, may have serious
bugs, and should be installed with great care.
*** 12.0(8)SC is not vulnerable to this defect, but due to other
issues it is no longer available on CCO as of the date of this
notice. Upgrade instead to 12.0(9)SC.
Cisco is offering free software upgrades to remedy this
vulnerability for all affected customers. Customers with service
contracts may upgrade to any software version. Customers without
contracts may upgrade only within a single row of the table
above, except that any available fixed software will be provided
to any customer who can use it and for whom the standard fixed
software is not yet available. Customers may install only the
feature sets they have purchased.
The vulnerability described in this notice can only be exploited
if the Telnet service is configured on the affected system and
reachable from the attacker's computer. The following
recommendations provide an interactive login capability without
using the Telnet service, thus mitigating the threat in lieu of a
software upgrade while preserving remote access to the router for
administrative purposes:
* Prevent access using the Telnet service by defining an
appropriate access control list and applying it to the vty line
or the router's interfaces using the "access-group" keyword.
Security can be increased further by restricting both the
virtual terminal lines and the router's physical interfaces
with two access-groups, one to control who can connect to the
vtys, and the other on the interfaces to control from where
those connections can be attempted.
* Disable Telnet and use SSH (if it is available to you) to
connect to the router for administrative purposes. After
"line vty 0 4" in the router's configuration, add "transport
input ssh". This stipulates that only the SSH protocol may be
used for interactive logins to the router. As of the date of
this notice, SSH is only available on certain products: 7200,
7500, and 12000 series running Cisco IOS software releases such
as 12.0S, 12.1S, and 12.1T.
* Disable interactive network logins to the router completely by
removing the "line" command such that virtual consoles are
never enabled. Use an out-of-band method to login to and
administer the router such as a hard-wired console. Consider
connecting the console to a terminal server which itself is
only reachable via a separate parallel network that in turn is
restricted by site policy exclusively for administrative
purposes.
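The first two workarounds above amount to two vty settings: a source filter (on vty lines the list is applied with "access-class"; "access-group" is the interface form) and "transport input ssh". The audit below is an added example, not part of the Cisco advisory; it embeds a constructed weak configuration beside the hardened one and checks each "line vty" stanza for both settings, with 192.0.2.0/24 as a placeholder management network.

```python
"""Added example (not part of the Cisco advisory): audit an IOS running-config
for the vty workarounds described above. Both configs are constructed samples;
192.0.2.0/24 stands in for a management network."""

WEAK_CONFIG = """\
line vty 0 4
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 login
 transport input ssh
"""

def vty_blocks(config):
    """Return [(header, [commands])] for every 'line vty ...' stanza."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None          # any top-level command ends the stanza
    return blocks

def audit_vty(config):
    """Return findings; an empty list means every vty stanza accepts only SSH
    (or nothing) and restricts source addresses with access-class."""
    findings = []
    for header, body in vty_blocks(config):
        transport = [l.split()[2:] for l in body if l.startswith("transport input")]
        # No explicit line keeps the platform default, which may include
        # Telnet; anything other than 'ssh' or 'none' is flagged.
        if not transport or any(t not in (["ssh"], ["none"]) for t in transport):
            findings.append(f"{header}: Telnet accepted (use 'transport input ssh')")
        if not any(l.startswith("access-class") for l in body):
            findings.append(f"{header}: no access-class restricting sources")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_vty(cfg) or ["ok"])
```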
The wide variety of customer configurations makes it impossible to
judge the effectiveness and relative merits of these workarounds
in lieu of a software upgrade. Customers are cautioned to
evaluate these recommendations carefully with regard to their
specific network configurations.