COMMAND
CISCO
SYSTEMS AFFECTED
See below
PROBLEM
Following is based on a Cisco Security Advisory. Cisco IOS
software releases based on versions 11.x and 12.0 contain a
defect that allows a limited number of SNMP objects to be viewed
and modified without authorization using an undocumented ILMI
community string. Some of the modifiable objects are confined to
the MIB-II system group, such as "sysContact", "sysLocation", and
"sysName", that do not affect the device's normal operation but
that may cause confusion if modified unexpectedly. The remaining
objects are contained in the LAN-EMULATION-CLIENT and PNNI MIBs,
and modification of those objects may affect ATM configuration.
An affected device might be vulnerable to a denial-of-service
attack if it is not protected against unauthorized use of the
ILMI community string.
The vulnerability is only present in certain combinations of IOS
releases on Cisco routers and switches. ILMI is a necessary
component for ATM, and the vulnerability is present in every IOS
release that contains the supporting software for ATM and ILMI
without regard to the actual presence of an ATM interface or the
physical ability of the device to support an ATM connection.
The vulnerability is present only in certain releases of Cisco IOS
Software versions 11.x and 12.0 for router and switch products
that include support for Asynchronous Transfer Mode (ATM)
networking and Interim Local Management Interface (ILMI), and it
is present without regard to any physical capability for
supporting an ATM interface.
Cisco IOS Software versions based on 10.3 and earlier do not
contain the vulnerability. The defect was introduced in
11.0(0.2). All Cisco IOS software releases of 12.1 and later
have been repaired and are not vulnerable to the defect described
in this advisory.
ILMI (Interim Local Management Interface) is an independent
industry standard used for configuration of ATM (Asynchronous
Transfer Mode) interfaces. The standard specifies the use of
mechanisms and formats previously defined by SNMP (Simple Network
Management Protocol). Although it is based on SNMP, ILMI
communication actually occurs using a transport other than IP
(Internet Protocol) that traverses only the physical ATM link.
ILMI is essential to functions such as ATM auto-discovery and LANE
(LAN Emulation).
SNMP "objects" are variables that are organized into a MIB
(Management Information Base). The MIB has a tree structure and
contains both operational (read-only) data as well as
configuration (read-write) options. By specifying a community
string of "ILMI" in an SNMP request, access can be obtained to
read the objects in three specific parts of the overall management
tree structure on any device affected by this vulnerability: the
MIB-II system group, the LAN-EMULATION-CLIENT MIB, and the PNNI
(Private Network-to-Network Interface) MIB. A subset of objects
in each part can be modified using the same "ILMI" community
string.
The MIB-II system group contains basic information about the
device itself. The number of objects that can be modified is
limited. Examples include:
* system.sysContact: The contact information for the person or
organization responsible for managing the device.
* system.sysLocation: A description of the physical location where
the device is installed or operating.
* system.sysName: The hostname of the device, how it identifies
itself at the console prompt. (This might not be the same name
by which the device is known to other hosts on the network).
Most of the objects in the system MIB are read-only and cannot be
changed via SNMP, such as the time elapsed since the previous
restart and textual descriptions of the device's hardware and
software.
Numerous objects can be viewed in the LAN-EMULATION-CLIENT MIB and
PNNI MIB, and modification of some of the read-write objects can
have an effect on ATM operation of the device. The objects in the
LAN-EMULATION-CLIENT MIB can only be viewed or modified if LANE
has already been configured on the device.
Access to SNMP in Cisco IOS software can be limited by applying
access control lists (ACLs), by modifying or removing the SNMP
view, by removing the community string from the running
configuration, or by disabling the SNMP service. Any SNMP query
that does not meet the criteria for access is promptly discarded
when such protective measures are in place. If a query does meet
the criteria for access, then a response is formulated and sent.
It is possible to configure the device so that the ILMI community
string is unavailable in all IOS 11.1 and higher releases. The
particular method selected to accomplish this depends on the
specific IOS release and configuration. This defect is documented
as CSCdp11863. The vulnerability is repaired by imposing a test
such that an SNMP request using the "ILMI" community string will
only be recognized if it has been transported by ILMI.
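The repair described above keys on transport: a request carrying the "ILMI" community is legitimate only when it arrived over the ATM link, never over IP. The same observation gives a network-side detection, shown here as an added example (not Cisco's code, and not part of the original advisory): a minimal BER decoder that extracts the version, community and PDU type from an SNMP datagram seen on UDP port 161 and raises an alert when the community is "ILMI". The sample datagrams and the source address are constructed for this example.

```python
"""Flag SNMP-over-IP datagrams that carry the ILMI community string.

Added example for this advisory, not Cisco's code. ILMI uses SNMP message
formats but never traverses IP, so an SNMP request on UDP/161 whose
community is "ILMI" is a probe for, or use of, the CSCdp11863 defect.
"""
from dataclasses import dataclass
from typing import Optional

# SNMPv1 PDU tags (RFC 1157): context-specific, constructed.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}


def _tlv(buf: bytes, pos: int):
    """Decode one BER tag/length/value at pos -> (tag, value, next_pos).
    Short and long definite-length forms only, which is all SNMP uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


@dataclass
class SnmpHeader:
    version: int        # 0 = SNMPv1, 1 = SNMPv2c
    community: str
    pdu_type: str


def parse_snmp_header(datagram: bytes) -> SnmpHeader:
    """Extract version, community and PDU type from a community-based SNMP message."""
    tag, body, _ = _tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    tag, community, pos = _tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    pdu_tag = body[pos]                     # tag of the PDU choice follows the community
    return SnmpHeader(int.from_bytes(ver, "big"), community.decode("latin-1"),
                      PDU_NAMES.get(pdu_tag, f"pdu-0x{pdu_tag:02x}"))


def ilmi_over_ip_alert(src_ip: str, datagram: bytes) -> Optional[str]:
    """Return an alert line if the datagram uses the ILMI community, else None.
    A SetRequest is rated higher because it means write access was attempted."""
    hdr = parse_snmp_header(datagram)
    if hdr.community != "ILMI":
        return None
    severity = "HIGH" if hdr.pdu_type == "SetRequest" else "MEDIUM"
    return (f"{severity}: {hdr.pdu_type} from {src_ip} with community ILMI over IP "
            f"(SNMPv{hdr.version + 1}); legitimate ILMI never arrives over IP")


# Constructed samples: GetRequest for sysName.0 with "ILMI", the same request
# with "public", and a SetRequest for sysName.0 with "ILMI".
ILMI_GET = bytes.fromhex("30240201000404494c4d49a019020101020100020100"
                         "300e300c06082b060102010105000500")
PUBLIC_GET = bytes.fromhex("302602010004067075626c6963a019020101020100020100"
                           "300e300c06082b060102010105000500")
ILMI_SET = bytes.fromhex("30250201000404494c4d49a31a020102020100020100"
                         "300f300d06082b06010201010500040178")

if __name__ == "__main__":
    for pkt in (ILMI_GET, PUBLIC_GET, ILMI_SET):
        print(ilmi_over_ip_alert("192.0.2.10", pkt) or "ok: no ILMI community")
```

In practice the datagrams come from a sensor feeding UDP/161 payloads and source addresses into `ilmi_over_ip_alert`; because only the header is decoded, malformed varbinds do not affect the verdict.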
ATM functionality was added in various 10.x releases of Cisco IOS
software. However, the function containing the defect was
introduced when support for ILMI and other ATM features was added
in IOS release 11.0(0.2). Therefore, all prior releases are not
vulnerable.
If SNMP requests can be received by an affected device, then
certain MIB objects can be viewed without proper authorization,
causing a violation of confidentiality. A subset of the readable
MIB objects can be modified without authorization to cause a
failure of integrity. For example, the hostname can be modified
so as to confuse network administrators, or the contact and
location information could be changed with a goal of disrupting
operations or embarrassing whoever is responsible for the device.
Objects in the LAN-EMULATION-CLIENT and PNNI MIBs can be viewed
and modified, thus resulting in changes to the operation of ATM
functions. If ATM is in use on the device, this may result in a
failure of availability.
Any affected device that is not otherwise protected against the
receipt of SNMP packets is vulnerable to a denial-of-service (DoS)
attack by flooding the SNMP port with read or write requests.
SOLUTION
To remove this vulnerability, Cisco is offering free software
upgrades for all affected platforms. The defect is documented in
DDTS record CSCdp11863.
The following table summarizes the known affected Cisco IOS
software releases and the earliest estimated dates of availability
for fixed releases. All dates are tentative and subject to
change. In all cases, customers should exercise caution to be
certain the devices to be upgraded contain sufficient memory and
that current hardware and software configurations will continue
to be supported properly by the new release. If the information
is not clear, contact the Cisco TAC for assistance as shown in
the following section.
+===========================================================================+
| Train | Description of | Availability of Fixed Releases* |
| | Image or Platform | |
+===========================================================================+
| 10.3-based Releases and Earlier | Rebuild | Interim** | Maintenance |
+===========================================================================+
| 10.3 and | | |
| earlier |All |Not affected |
+===========================================================================+
| 11.0-based Releases | Rebuild | Interim** | Maintenance |
+===========================================================================+
| | |11.0(22a) | | |
| 11.0 |Major GD release | | | |
| |for all platforms |2001-Mar-05 | | |
+===========================================================================+
| 11.1-based Releases | Rebuild | Interim** | Maintenance |
+===========================================================================+
| | |11.1(24a) | | |
| 11.1 |Major release for | | | |
| |all platforms |2001-Mar-05 | | |
+----------+-------------------+------------+---------------+---------------+
| |ED release for | | |12.1(7) |
| 11.1AA |access servers: | | | |
| |1600, 3200, and | | | |
| |5200 series. | | |2001-Feb-26 |
+----------+-------------------+------------+---------------+---------------+
| |Platform-specific |11.1(36)CA1 | | |
| 11.1CA |support for 7500, | | | |
| |7200, 7000, and RSP|2001-Mar-02 | | |
+----------+-------------------+------------+---------------+---------------+
| |ISP train: added | | | |
| |support for FIB, |11.1(36)CC1 | | |
| 11.1CC |CEF, and NetFlow on| | | |
| |7500, 7200, 7000, |2001-Mar-02 | | |
| |and RSP | | | |
+----------+-------------------+------------+---------------+---------------+
| |Added support for |12.0(11)ST2 | | |
| 11.1CT |Tag Switching on | | | |
| |7500, 7200, 7000, | | | |
| |and RSP |2001-Feb-26 | | |
+----------+-------------------+------------+---------------+---------------+
| | |11.1(28)IA1 | | |
| 11.1IA |DistributedDirector| | | |
| |only |2001-Feb-26 | | |
+===========================================================================+
| 11.2-based Releases | Rebuild | Interim** | Maintenance |
+===========================================================================+
| | |11.2(25a) | | |
| 11.2 |Major release, | | | |
| |general deployment |2001-Mar-05 | | |
+----------+-------------------+------------+---------------+---------------+
| |Platform-specific | | | |
| |support for IBM | | |12.1(7) |
| 11.2BC |networking, CIP, | | | |
| |and TN3270 on 7500,| | |2001-Feb-26 |
| |7000, and RSP | | | |
+----------+-------------------+------------+---------------+---------------+
| |Early deployment |12.0(15)S1 | | |
| 11.2GS |release to support | | | |
| |12000 GSR |2001-Feb-20 | | |
+----------+-------------------+------------+---------------+---------------+
| | |11.2(25a)P | | |
| 11.2P |New platform | | | |
| |support |2001-Mar-05 | | |
+----------+-------------------+------------+---------------+---------------+
| | | | |12.1WC |
| 11.2SA |Catalyst 2900XL | | | |
| |switch only | | |2001-Apr-12 |
+----------+-------------------+------------+---------------+---------------+
| | | | |12.0(10)W5(18c)|
| 11.2WA3 |LS1010 ATM switch | | | |
| | | | |Available |
+----------+-------------------+------------+---------------+---------------+
| | |11.2(25a)P | | |
|11.2(4)XA |Initial release for| | | |
| |the 1600 and 3600 |2001-Mar-05 | | |
+----------+-------------------+------------+---------------+---------------+
| |Initial release for| | | |
| |the 5300 and |11.2(9)XA1 | | |
|11.2(9)XA |digital modem | | | |
| |support for the |Unscheduled | | |
| |3600 | | | |
+===========================================================================+
| 11.3-based Releases | Rebuild | Interim** | Maintenance |
+===========================================================================+
| | |11.3(11b) | | |
| 11.3 |Major release for | | | |
| |all platforms |2001-Mar-05 | | |
+----------+-------------------+------------+---------------+---------------+
| |ED for dial | | | |
| |platforms and |11.3(11a)AA | | |
| 11.3AA |access servers: | | | |
| |5800, 5200, 5300, |2001-Mar-05 | | |
| |7200 | | | |
+----------+-------------------+------------+---------------+---------------+
| |Early deployment |12.1(5)DA1 | | |
| 11.3DA |train for ISP DSLAM| | | |
| |6200 platform |2001-Feb-28 | | |
+----------+-------------------+------------+---------------+---------------+
| |Early deployment | | | |
| |train for |12.1(4)DB1 | | |
| |ISP/Telco/PTT xDSL | | | |
| 11.3DB |broadband | | | |
| |concentrator | | | |
| |platform, (NRP) for|2001-Feb-26 | | |
| |6400 | | | |
+----------+-------------------+------------+---------------+---------------+
| |Short-lived ED | |
| 11.3HA |release for ISR |Not Vulnerable |
| |3300 (SONET/SDH | |
| |router) | |
+----------+-------------------+------------+---------------+---------------+
| | |11.3(1)MA8 | | |
| 11.3MA |MC3810 | | | |
| |functionality only |Unscheduled | | |
+----------+-------------------+------------+---------------+---------------+
| |Voice over IP, |12.1(7) | | |
| 11.3NA |media convergence, | | | |
| |various platforms |2001-Mar-05 | | |
+----------+-------------------+------------+---------------+---------------+
| |Early deployment |11.3(11b)T1 | | |
| 11.3T |major release, | | | |
| |feature-rich for | | | |
| |early adopters |2001-Mar-05 | | |
+----------+-------------------+------------+---------------+---------------+
| |Multilayer | | | |
| |Switching and | | |12.0(14)W5(20) |
| |Multiprotocol over | | | |
| 11.3WA4 |ATM functionality | | | |
| |for Catalyst 5000 | | | |
| |RSM, 4500, 4700, | | |2001-Feb-28 |
| |7200, 7500, LS1010 | | | |
+----------+-------------------+------------+---------------+---------------+
| | |11.3(11b)T1 | | |
|11.3(2)XA |Introduction of | | | |
| |ubr7246 and 2600 |2001-Mar-05 | | |
+===========================================================================+
| 12.0-based Releases | Rebuild | Interim** | Maintenance |
+===========================================================================+
| |General deployment | |12.0(7.1) |12.0(16) |
| 12.0 |release for all | | | |
| |platforms | |Available |2001-Feb-20 |
+----------+-------------------+------------+---------------+---------------+
| | | |12.0(7.1)T | |
| 12.0DA |xDSL support: 6100,| | | |
| |6200 | |Available | |
+----------+-------------------+------------+---------------+---------------+
| |ISP/Telco/PTT xDSL |12.1(4)DB1 | | |
| 12.0DB |broadband | | | |
| |concentrator | | | |
| |platforms |2001-Feb-26 | | |
+----------+-------------------+------------+---------------+---------------+
| | |12.1(4)DC2 | | |
| 12.0DC |6400 Access | | | |
| |Concentrator |2001-Feb-26 | | |
+----------+-------------------+------------+---------------+---------------+
| | |12.0(15)S1 | | |
| 12.0S |Core/ISP support: | | | |
| |GSR, RSP, c7200 |2001-Feb-20 | | |
+----------+-------------------+------------+---------------+---------------+
| | |12.0(15)SC1 | | |
| 12.0SC |Cable/broadband | | | |
| |ISP: ubr7200 |2001-Feb-26 | | |
+----------+-------------------+------------+---------------+---------------+
| | |12.0(14)SL1 | | |
| 12.0SL |10000 ESR: c10k | | | |
| | |2001-Feb-26 | | |
+----------+-------------------+------------+---------------+---------------+
| |General deployment |12.0(11)ST2 | | |
| 12.0ST |release for all | | | |
| |platforms |2001-Feb-26 | | |
+----------+-------------------+------------+---------------+---------------+
| | |12.1(5c)E8 | | |
| 12.0SX |Early Deployment | | | |
| |(ED) |2001-Feb-26 | | |
+----------+-------------------+------------+---------------+---------------+
| |Early | | | |
| |Deployment(ED): | | |12.1(7) |
| 12.0T |VPN, Distributed | | | |
| |Director, various | | |2001-Feb-26 |
| |platforms | | | |
+----------+-------------------+------------+---------------+---------------+
| |cat8510c, cat8540c,| | | |
| |ls1010, cat8510m, | |12.0(10)W5(18c)|12.0(14)W5(20) |
| |cat8540m, c5atm, | | | |
| |c5atm, c3620, | | | |
| |c3640, c4500, | | | |
| 12.0W5 |c5rsfc, c5rsm, | |Available |2001-Feb-28 |
| |c7200, rsp, | | | |
| |cat2948g, cat4232 | | | |
| +-------------------+------------+---------------+---------------+
| | | |12.0(10)W5(18d)|12.0(14)W5(20) |
| |c6msm | | | |
| | | |Available |2001-Feb-28 |
+----------+-------------------+------------+---------------+---------------+
| |General deployment | | |12.0(13)WT6(1) |
| 12.0WT |release for all | | | |
| |platforms | | |2001-Feb-20 |
+----------+-------------------+------------+---------------+---------------+
| |Early Deployment | | |12.1(7) |
| 12.0XA |(ED): limited | | | |
| |platforms | | |2001-Feb-26 |
+----------+-------------------+------------+---------------+---------------+
| | | | |12.1(7) |
| 12.0XB |Short-lived early | | | |
| |deployment release | | |2001-Feb-26 |
+----------+-------------------+------------+---------------+---------------+
| |Early Deployment | | |12.1(7) |
| 12.0XC |(ED): limited | | | |
| |platforms | | |2001-Feb-26 |
+----------+-------------------+------------+---------------+---------------+
| |Early Deployment | | |12.1(7) |
| 12.0XD |(ED): limited | | | |
| |platforms | | |2001-Feb-26 |
+----------+-------------------+------------+---------------+---------------+
| |Early Deployment |12.1(5c)E8 | | |
| 12.0XE |(ED): limited | | | |
| |platforms |2001-Feb-26 | | |
+----------+-------------------+------------+---------------+---------------+
| |Early Deployment | | |12.1(7) |
| 12.0XF |(ED): limited | | | |
| |platforms | | |2001-Feb-26 |
+----------+-------------------+------------+---------------+---------------+
| |Early Deployment | | |12.1(7) |
| 12.0XG |(ED): limited | | | |
| |platforms | | |2001-Feb-26 |
+----------+-------------------+------------+---------------+---------------+
| |Early Deployment |12.0(4)XH5 | | |
| 12.0XH |(ED): limited | | | |
| |platforms |2001-Mar-05 | | |
+----------+-------------------+------------+---------------+---------------+
| |Early Deployment | | |12.1(7) |
| 12.0XI |(ED): limited | | | |
| |platforms | | |2001-Feb-26 |
+----------+-------------------+------------+---------------+---------------+
| |Early Deployment | | |12.1(7) |
| 12.0XJ |(ED): limited | | | |
| |platforms | | |2001-Feb-26 |
+----------+-------------------+------------+---------------+---------------+
| |Early Deployment |12.0(7)XK4 | | |
| 12.0XK |(ED): limited | | | |
| |platforms |Unscheduled | | |
+----------+-------------------+------------+---------------+---------------+
| |Early Deployment |12.0(4)XH5 | | |
| 12.0XL |(ED): limited | | | |
| |platforms |2001-Mar-05 | | |
+----------+-------------------+------------+---------------+---------------+
| | | | |12.1(7) |
| 12.0XM |Short-lived early | | | |
| |deployment release | | |2001-Feb-26 |
+----------+-------------------+------------+---------------+---------------+
| |Early Deployment | | | |
| 12.0XN |(ED): limited | | | |
| |platforms | | | |
+----------+-------------------+------------+---------------+---------------+
| |Early Deployment | | |12.1WC |
| 12.0XP |(ED): limited | | | |
| |platforms | | |2001-Apr-12 |
+----------+-------------------+------------+---------------+---------------+
| | | | |12.1(7) |
| 12.0XQ |Short-lived early | | | |
| |deployment release | | |2001-Feb-26 |
+----------+-------------------+------------+---------------+---------------+
| | |12.1(5)T5 | | |
| 12.0XR |Short-lived early | | | |
| |deployment release |2001-Mar-05 | | |
+----------+-------------------+------------+---------------+---------------+
| | |12.1(5c)E8 | | |
| 12.0XS |Short-lived early | | | |
| |deployment release |2001-Feb-26 | | |
+----------+-------------------+------------+---------------+---------------+
| |Early Deployment | | |12.1WC |
| 12.0XU |(ED): limited | | | |
| |platforms | | |2001-Apr-12 |
+----------+-------------------+------------+---------------+---------------+
| | |12.1(5)T5 | | |
| 12.0XV |Short-lived early | | | |
| |deployment release |2001-Mar-05 | | |
+===========================================================================+
|12.1-based and Later Releases | Rebuild | Interim** | Maintenance |
+===========================================================================+
| All 12.1 | | |
| Releases |Various platforms |Not Vulnerable |
+===========================================================================+
| Notes |
+===========================================================================+
| * All dates are estimated and subject to change. |
| |
|** Interim releases are subjected to less rigorous testing than regular |
| maintenance releases, and may have serious bugs. |
+===========================================================================+
Several workarounds are available based on customer needs,
equipment, and software features. The usefulness and practicality
of each workaround depends on the IOS release running on the
device and many variables in the customer's environment.
Customers are urged to consider each of the following alternatives
carefully before deploying. These workarounds are only needed if
it is not possible to upgrade to an unaffected release of IOS
software. For these workarounds, see the original Cisco advisory.