COMMAND

    CISCO

SYSTEMS AFFECTED

    See below

PROBLEM

    Following  is  based  on  a  Cisco  Security  Advisory.  Cisco IOS
    software  releases  based  on  versions  11.x  and  12.0 contain a
    defect that allows a limited  number of SNMP objects to  be viewed
    and  modified  without  authorization  using  a  undocumented ILMI
    community string.  Some of the modifiable objects are confined  to
    the MIB-II system group, such as "sysContact", "sysLocation",  and
    "sysName", that do  not affect the  device's normal operation  but
    that may cause confusion if modified unexpectedly.  The  remaining
    objects are contained in  the LAN-EMULATION-CLIENT and PNNI  MIBs,
    and modification  of those  objects may  affect ATM configuration.
    An  affected  device  might  be  vulnerable to a denial-of-service
    attack if  it is  not protected  against unauthorized  use of  the
    ILMI community string.

    The vulnerability is only  present in certain combinations  of IOS
    releases  on  Cisco  routers  and  switches.   ILMI is a necessary
    component for ATM, and the  vulnerability is present in every  IOS
    release that  contains the  supporting software  for ATM  and ILMI
    without regard to the actual  presence of an ATM interface  or the
    physical ability of the device to support an ATM connection.

    The vulnerability is present only in certain releases of Cisco IOS
    Software versions  11.x and  12.0 for  router and  switch products
    that  include  support  for   Asynchronous  Transfer  Mode   (ATM)
    networking and Interim Local  Management Interface (ILMI), and  it
    is  present  without  regard   to  any  physical  capability   for
    supporting an ATM interface.

    Cisco  IOS  Software  versions  based  on  10.3 and earlier do not
    contain  the  vulnerability.    The  defect   was  introduced   in
    11.0(0.2).   All Cisco  IOS software  releases of  12.1 and  later
    have been repaired and are not vulnerable to the defect  described
    in this advisory.

    ILMI  (Interim  Local  Management  Interface)  is  an  independent
    industry  standard  used  for  configuration  of ATM (Asynchronous
    Transfer  Mode)  interfaces.   The  standard  specifies the use of
    mechanisms and formats previously defined by SNMP (Simple  Network
    Management  Protocol).   Although  it  is  based  on  SNMP,   ILMI
    communication  actually  occurs  using  a  transport other than IP
    (Internet Protocol)  that traverses  only the  physical ATM  link.
    ILMI is essential to functions such as ATM auto-discovery and LANE
    (LAN Emulation).

    SNMP  "objects"  are  variables  that  are  organized  into  a MIB
    (Management Information Base).  The  MIB has a tree structure  and
    contains   both   operational   (read-only)   data   as   well  as
    configuration  (read-write)  options.   By  specifying a community
    tring of  "ILMI" in  an SNMP  request, access  can be  obtained to
    read the objects in three specific parts of the overall management
    tree structure on any  device affected by this  vulnerability: the
    MIB-II system  group, the  LAN-EMULATION-CLIENT MIB,  and the PNNI
    (Private Network-to-Network Interface) MIB.   A subset of  objects
    in  each  part  can  be  modified  using the same "ILMI" community
    string.

    The  MIB-II  system  group  contains  basic  information about the
    device itself.   The number  of objects  that can  be modified  is
    limited.  Examples include:
    * system.sysContact:  The contact  information for  the person  or
      organization responsible for managing the device.
    * system.sysLocation: A description of the physical location where
      the device is installed or operating.
    * system.sysName: The  hostname of the  device, how it  identifies
      itself at the console prompt.  (This might not be the  same name
      by which the device is known to other hosts on the network).

    Most of the objects in the system MIB are read-only and cannot  be
    changed via  SNMP, such  as the  time elapsed  since the  previous
    restart  and  textual  descriptions  of  the device's hardware and
    software.

    Numerous objects can be viewed in the LAN-EMULATION-CLIENT MIB and
    PNNI MIB, and modification of  some of the read-write objects  can
    have an affect on ATM operation of the device.  The objects in the
    LAN-EMULATION-CLIENT MIB can  only be viewed  or modified if  LANE
    has already been configured on the device.

    Access to SNMP  in Cisco IOS  software can be  limited by applying
    access control  lists (ACLs),  by modifying  or removing  the SNMP
    view,  by  removing   the  community  string   from  the   running
    configuration, or by disabling the  SNMP service.  Any SNMP  query
    that does not meet the  criteria for access is promptly  discarded
    when such protective measures are in place.  If a query does  meet
    the criteria for access, then a response is formulated and sent.

    It is possible to configure the device so that the ILMI  community
    string is unavailable  in all IOS  11.1 and higher  releases.  The
    particular  method  selected  to  accomplish  this  depends on the
    specific IOS release and configuration.  This defect is documented
    as CSCdp11863.  The vulnerability  is repaired by imposing a  test
    such that an SNMP request  using the "ILMI" community string  will
    only be recognized if it has been transported by ILMI.

    ATM functionality was added in various 10.x releases of Cisco  IOS
    software.   However,  the  function  containing  the  defect   was
    introduced when support for ILMI and other ATM features was  added
    in IOS release 11.0(0.2).   Therefore, all prior releases are  not
    vulnerable.

    If  SNMP  requests  can  be  received  by an affected device, then
    certain MIB  objects can  be viewed  without proper authorization,
    causing a violation of confidentiality.  A subset of the  readable
    MIB  objects  can  be  modified  without  authorization to cause a
    failure of integrity.  For  example, the hostname can be  modified
    so  as  to  confuse  network  adminstrators,  or  the  contact and
    location information could  be changed with  a goal of  disrupting
    operations or embarassing whoever is responsible for the device.

    Objects in the  LAN-EMULATION-CLIENT and PNNI  MIBs can be  viewed
    and modified, thus  resulting in changes  to the operation  of ATM
    functions.  If ATM is in use  on the device, this may result in  a
    failure of availability.

    Any affected device  that is not  otherwise protected against  the
    receipt of SNMP packets is vulnerable to a denial-of-service (DoS)
    attack by flooding the SNMP port with read or write requests.

SOLUTION

    To  remove  this  vulnerability,  Cisco  is offering free software
    upgrades for all affected platforms.  The defect is documented  in
    DDTS record CSCdp11863.

    The  following  table  summarizes  the  known  affected  Cisco IOS
    software releases and the earliest estimated dates of availability
    for  fixed  releases.   All  dates  are  tentative  and subject to
    change.   In all  cases, customers  should exercise  caution to be
    certain the devices to  be upgraded contain sufficient  memory and
    that current  hardware and  software configurations  will continue
    to be supported properly by  the new release.  If  the information
    is not  clear, contact  the Cisco  TAC for  assistance as shown in
    the following section.

    +===========================================================================+
    |  Train   |  Description of   |       Availability of Fixed Releases*      |
    |          | Image or Platform |                                            |
    +===========================================================================+
    |   10.3-based Releases and    |            |               |               |
    |           Earlier            |  Rebuild   |   Interim**   |  Maintenance  |
    +===========================================================================+
    | 10.3 and |                   |                                            |
    | earlier  |All                |Not affected                                |
    +===========================================================================+
    |     11.0-based Releases      |  Rebuild   |   Interim**   |  Maintenance  |
    +===========================================================================+
    |          |                   |11.0(22a)   |               |               |
    |   11.0   |Major GD release   |            |               |               |
    |          |for all platforms  |2001-Mar-05 |               |               |
    +===========================================================================+
    |     11.1-based Releases      |  Rebuild   |   Interim**   |  Maintenance  |
    +===========================================================================+
    |          |                   |11.1(24a)   |               |               |
    |   11.1   |Major release for  |            |               |               |
    |          |all platforms      |2001-Mar-05 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |ED release for     |            |               |12.1(7)        |
    |  11.1AA  |access servers:    |            |               |               |
    |          |1600, 3200, and    |            |               |               |
    |          |5200 series.       |            |               |2001-Feb-26    |
    +----------+-------------------+------------+---------------+---------------+
    |          |Platform-specific  |11.1(36)CA1 |               |               |
    |  11.1CA  |support for 7500,  |            |               |               |
    |          |7200, 7000, and RSP|2001-Mar-02 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |ISP train: added   |            |               |               |
    |          |support for FIB,   |11.1(36)CC1 |               |               |
    |  11.1CC  |CEF, and NetFlow on|            |               |               |
    |          |7500, 7200, 7000,  |2001-Mar-02 |               |               |
    |          |and RSP            |            |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |Added support for  |12.0(11)ST2 |               |               |
    |  11.1CT  |Tag Switching on   |            |               |               |
    |          |7500, 7200, 7000,  |            |               |               |
    |          |and RSP            |2001-Feb-26 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |11.1(28)IA1 |               |               |
    |  11.1IA  |DistributedDirector|            |               |               |
    |          |only               |2001-Feb-26 |               |               |
    +===========================================================================+
    |     11.2-based Releases      |  Rebuild   |   Interim**   |  Maintenance  |
    +===========================================================================+
    |          |                   |11.2(25a)   |               |               |
    |   11.2   |Major release,     |            |               |               |
    |          |general deployment |2001-Mar-05 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |Platform-specific  |            |               |               |
    |          |support for IBM    |            |               |12.1(7)        |
    |  11.2BC  |networking, CIP,   |            |               |               |
    |          |and TN3270 on 7500,|            |               |2001-Feb-26    |
    |          |7000, and RSP      |            |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early deployment   |12.0(15)S1  |               |               |
    |  11.2GS  |release to support |            |               |               |
    |          |12000 GSR          |2001-Feb-20 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |11.2(25a)P  |               |               |
    |  11.2P   |New platform       |            |               |               |
    |          |support            |2001-Mar-05 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |            |               |12.1WC         |
    |  11.2SA  |Catalyst 2900XL    |            |               |               |
    |          |switch only        |            |               |2001-Apr-12    |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |            |               |12.0(10)W5(18c)|
    | 11.2WA3  |LS1010 ATM switch  |            |               |               |
    |          |                   |            |               |Available      |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |11.2(25a)P  |               |               |
    |11.2(4)XA |Initial release for|            |               |               |
    |          |the 1600 and 3600  |2001-Mar-05 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |Initial release for|            |               |               |
    |          |the 5300 and       |11.2(9)XA1  |               |               |
    |11.2(9)XA |digital modem      |            |               |               |
    |          |support for the    |Unscheduled |               |               |
    |          |3600               |            |               |               |
    +===========================================================================+
    |     11.3-based Releases      |  Rebuild   |   Interim**   |  Maintenance  |
    +===========================================================================+
    |          |                   |11.3(11b)   |               |               |
    |   11.3   |Major release for  |            |               |               |
    |          |all platforms      |2001-Mar-05 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |ED for dial        |            |               |               |
    |          |platforms and      |11.3(11a)AA |               |               |
    |  11.3AA  |access servers:    |            |               |               |
    |          |5800, 5200, 5300,  |2001-Mar-05 |               |               |
    |          |7200               |            |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early deployment   |12.1(5)DA1  |               |               |
    |  11.3DA  |train for ISP DSLAM|            |               |               |
    |          |6200 platform      |2001-Feb-28 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early deployment   |            |               |               |
    |          |train for          |12.1(4)DB1  |               |               |
    |          |ISP/Telco/PTT xDSL |            |               |               |
    |  11.3DB  |broadband          |            |               |               |
    |          |concentrator       |            |               |               |
    |          |platform, (NRP) for|2001-Feb-26 |               |               |
    |          |6400               |            |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |Short-lived ED     |                                            |
    |  11.3HA  |release for ISR    |Not Vulnerable                              |
    |          |3300 (SONET/SDH    |                                            |
    |          |router)            |                                            |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |11.3(1)MA8  |               |               |
    |  11.3MA  |MC3810             |            |               |               |
    |          |functionality only |Unscheduled |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |Voice over IP,     |12.1(7)     |               |               |
    |  11.3NA  |media convergence, |            |               |               |
    |          |various platforms  |2001-Mar-05 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early deployment   |11.3(11b)T1 |               |               |
    |  11.3T   |major release,     |            |               |               |
    |          |feature-rich for   |            |               |               |
    |          |early adopters     |2001-Mar-05 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |Multilayer         |            |               |               |
    |          |Switching and      |            |               |12.0(14)W5(20) |
    |          |Multiprotocol over |            |               |               |
    | 11.3WA4  |ATM functionality  |            |               |               |
    |          |for Catalyst 5000  |            |               |               |
    |          |RSM, 4500, 4700,   |            |               |2001-Feb-28    |
    |          |7200, 7500, LS1010 |            |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |11.3(11b)T1 |               |               |
    |11.3(2)XA |Introduction of    |            |               |               |
    |          |ubr7246 and 2600   |2001-Mar-05 |               |               |
    +===========================================================================+
    |     12.0-based Releases      |  Rebuild   |   Interim**   |  Maintenance  |
    +===========================================================================+
    |          |General deployment |            |12.0(7.1)      |12.0(16)       |
    |   12.0   |release for all    |            |               |               |
    |          |platforms          |            |Available      |2001-Feb-20    |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |            |12.0(7.1)T     |               |
    |  12.0DA  |xDSL support: 6100,|            |               |               |
    |          |6200               |            |Available      |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |ISP/Telco/PTT xDSL |12.1(4)DB1  |               |               |
    |  12.0DB  |broadband          |            |               |               |
    |          |concentrator       |            |               |               |
    |          |platforms          |2001-Feb-26 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |12.1(4)DC2  |               |               |
    |  12.0DC  |6400 Access        |            |               |               |
    |          |Concentrator       |2001-Feb-26 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |12.0(15)S1  |               |               |
    |  12.0S   |Core/ISP support:  |            |               |               |
    |          |GSR, RSP, c7200    |2001-Feb-20 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |12.0(15)SC1 |               |               |
    |  12.0SC  |Cable/broadband    |            |               |               |
    |          |ISP: ubr7200       |2001-Feb-26 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |12.0(14)SL1 |               |               |
    |  12.0SL  |10000 ESR: c10k    |            |               |               |
    |          |                   |2001-Feb-26 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |General deployment |12.0(11)ST2 |               |               |
    |  12.0ST  |release for all    |            |               |               |
    |          |platforms          |2001-Feb-26 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |12.1(5c)E8  |               |               |
    |  12.0SX  |Early Deployment   |            |               |               |
    |          |(ED)               |2001-Feb-26 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early              |            |               |               |
    |          |Deployment(ED):    |            |               |12.1(7)        |
    |  12.0T   |VPN, Distributed   |            |               |               |
    |          |Director, various  |            |               |2001-Feb-26    |
    |          |platforms          |            |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |cat8510c, cat8540c,|            |               |               |
    |          |ls1010, cat8510m,  |            |12.0(10)W5(18c)|12.0(14)W5(20) |
    |          |cat8540m, c5atm,   |            |               |               |
    |          |c5atm, c3620,      |            |               |               |
    |          |c3640, c4500,      |            |               |               |
    |  12.0W5  |c5rsfc, c5rsm,     |            |Available      |2001-Feb-28    |
    |          |c7200, rsp,        |            |               |               |
    |          |cat2948g, cat4232  |            |               |               |
    |          +-------------------+------------+---------------+---------------+
    |          |                   |            |12.0(10)W5(18d)|12.0(14)W5(20) |
    |          |c6msm              |            |               |               |
    |          |                   |            |Available      |2001-Feb-28    |
    +----------+-------------------+------------+---------------+---------------+
    |          |General deployment |            |               |12.0(13)WT6(1) |
    |  12.0WT  |release for all    |            |               |               |
    |          |platforms          |            |               |2001-Feb-20    |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early Deployment   |            |               |12.1(7)        |
    |  12.0XA  |(ED): limited      |            |               |               |
    |          |platforms          |            |               |2001-Feb-26    |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |            |               |12.1(7)        |
    |  12.0XB  |Short-lived early  |            |               |               |
    |          |deployment release |            |               |2001-Feb-26    |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early Deployment   |            |               |12.1(7)        |
    |  12.0XC  |(ED): limited      |            |               |               |
    |          |platforms          |            |               |2001-Feb-26    |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early Deployment   |            |               |12.1(7)        |
    |  12.0XD  |(ED): limited      |            |               |               |
    |          |platforms          |            |               |2001-Feb-26    |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early Deployment   |12.1(5c)E8  |               |               |
    |  12.0XE  |(ED): limited      |            |               |               |
    |          |platforms          |2001-Feb-26 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early Deployment   |            |               |12.1(7)        |
    |  12.0XF  |(ED): limited      |            |               |               |
    |          |platforms          |            |               |2001-Feb-26    |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early Deployment   |            |               |12.1(7)        |
    |  12.0XG  |(ED): limited      |            |               |               |
    |          |platforms          |            |               |2001-Feb-26    |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early Deployment   |12.0(4)XH5  |               |               |
    |  12.0XH  |(ED): limited      |            |               |               |
    |          |platforms          |2001-Mar-05 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early Deployment   |            |               |12.1(7)        |
    |  12.0XI  |(ED): limited      |            |               |               |
    |          |platforms          |            |               |2001-Feb-26    |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early Deployment   |            |               |12.1(7)        |
    |  12.0XJ  |(ED): limited      |            |               |               |
    |          |platforms          |            |               |2001-Feb-26    |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early Deployment   |12.0(7)XK4  |               |               |
    |  12.0XK  |(ED): limited      |            |               |               |
    |          |platforms          |Unscheduled |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early Deployment   |12.0(4)XH5  |               |               |
    |  12.0XL  |(ED): limited      |            |               |               |
    |          |platforms          |2001-Mar-05 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |            |               |12.1(7)        |
    |  12.0XM  |Short-lived early  |            |               |               |
    |          |deployment release |            |               |2001-Feb-26    |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early Deployment   |            |               |               |
    |  12.0XN  |(ED): limited      |            |               |               |
    |          |platforms          |            |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early Deployment   |            |               |12.1WC         |
    |  12.0XP  |(ED): limited      |            |               |               |
    |          |platforms          |            |               |2001-Apr-12    |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |            |               |12.1(7)        |
    |  12.0XQ  |Short-lived early  |            |               |               |
    |          |deployment release |            |               |2001-Feb-26    |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |12.1(5)T5   |               |               |
    |  12.0XR  |Short-lived early  |            |               |               |
    |          |deployment release |2001-Mar-05 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |12.1(5c)E8  |               |               |
    |  12.0XS  |Short-lived early  |            |               |               |
    |          |deployment release |2001-Feb-26 |               |               |
    +----------+-------------------+------------+---------------+---------------+
    |          |Early Deployment   |            |               |12.1WC         |
    |  12.0XU  |(ED): limited      |            |               |               |
    |          |platforms          |            |               |2001-Apr-12    |
    +----------+-------------------+------------+---------------+---------------+
    |          |                   |12.1(5)T5   |               |               |
    |  12.0XV  |Short-lived early  |            |               |               |
    |          |deployment release |2001-Mar-05 |               |               |
    +===========================================================================+
    |12.1-based and Later Releases |  Rebuild   |   Interim**   |  Maintenance  |
    +===========================================================================+
    | All 12.1 |                   |                                            |
    | Releases |Various platforms  |Not Vulnerable                              |
    +===========================================================================+
    |                                   Notes                                   |
    +===========================================================================+
    | * All dates are estimated and Subject to change.                          |
    |                                                                           |
    |** Interim releases are subjected to less rigorous testing than regular    |
    |   maintenance releases, and may have serious bugs.                        |
    +===========================================================================+

    Several  workarounds  are  available  based  on  customer   needs,
    equipment, and software features.  The usefulness and practicality
    of  each  workaround  depends  on  the  IOS release running on the
    device  and   many  variables   in  the   customer's  environment.
    Customers are urged to consider each of the following alternatives
    carefully before deploying.  These workarounds are only needed  if
    it is  not possible  to upgrade  to an  unaffected release  of IOS
    software.  For these workarounds, see original CISCO adcisory.