COMMAND

    Cisco

SYSTEMS AFFECTED

    - Catalyst 4000 and 5000 images running version  4.5(2) up to 5.5(4) and 5.5(4a).
    - Catalyst 6000 images running version 5.3(1)CSX, up to and including 5.5(4), 5.5(4a).

PROBLEM

    Following is  based on  a Cisco  Security Advisory.   A series  of
    failed telnet authentication attempts to the switch can cause  the
    Catalyst  Switch  to  fail  to  pass  traffic or accept management
    connections  until  the  system  is  rebooted  or a power cycle is
    performed.   All  types  of  telnet  authentication  are affected,
    including  Kerberized  telnet,   and  AAA  authentication.    This
    vulnerability has been assigned Cisco bug ID CSCds66191.

    The complete advisory can be viewed at

        http://www.cisco.com/warp/public/707/catalyst-memleak-pub.shtml

    The  telnet  process  fails  to  release  resources  upon a failed
    authentication, or a successful login of extremely short  duration
    such as  a telnet  from within  an automated  script.  This memory
    leak eventually results  in the failure  of the switch  to perform
    any other processes, such  as forwarding traffic or  management; a
    power cycle or reboot is required for recovery.

    The  command  "show  process   memory"  will  indicate   increased
    "Holding"  memory  after  failed  telnet  authentication attempts.
    This  value  will  not  decrease  over  time except when a reboot,
    reload, or power cycle occurs.   This bug may be triggered over  a
    period of  time in  the course  of normal  operation by legitimate
    users that occasionally fail authentication.

        lt-6509-e> (enable) sh proc mem
        
        Memory Used:   3974544
               Free:  15265168
              Total:  19239712
        
        PID        TTY        Allocated  Freed      Holding    Process
        ---------- ---------- ---------- ---------- ---------- ---------------
        1          -2         1707632    3488       1704144    Kernel and Idle
        
        24         -2         16         0          16         telnetd

    This  vulnerability  enables  a  Denial  of  Service attack on the
    Catalyst switch.

SOLUTION

    Cisco  has  made  the   following  fixed  software  available   to
    customers:

        Catalyst Release 4.5(10) for Catalyst 4000 and 5000
        Catalyst Release 5.5(4b) for Catalyst 4000, 5000 and 6000

    The fix will be carried  forward into all future releases.   There
    is  no   configuration  workaround   to  eliminate   the  problem.
    However, if you  are unable to  upgrade to an  unaffected version,
    you may use other devices  to strictly control or prohibit  telnet
    access to the switch, permitting only connections from your  local
    network.

    Access  control  lists  on  the   switch  can  limit  the   remote
    exploitation of the vulnerability.  To limit access to known hosts
    use the following commands:

        set ip permit enable telnet
        set ip permit <addr> [mask]

    Remote management of the switch  can also be disabled.   The above
    workarounds are provided as an option; however, the recommendation
    is to upgrade to fixed code as soon as possible.