COMMAND

    Concentrator IP Options

SYSTEMS AFFECTED

    Cisco VPN3000

PROBLEM

    The following is based on a Cisco Security Advisory.  If a crafted
    IP packet with an invalid IP Option setting is transmitted to a VPN
    3000 series concentrator on the same network segment (no routers in
    between), it can cause the VPN 3000 series concentrator to hang at
    100% CPU utilization.  The concentrator then has to be reset.  After
    rebooting, the equipment functions normally until the crafted IP
    packet is received again.  The defect can be exploited to produce a
    denial of service (DoS) attack.

    The vulnerability is described in  Cisco bug id CSCds92460.   This
    notice will be posted at

        http://www.cisco.com/warp/public/707/vpn3k-ipoptions-vuln-pub.shtml

    Cisco VPN 3000 series  concentrators running software releases  up
    to  but  not  including  revision  2.5.2  (F) are affected by this
    vulnerability.   This  series  includes  models  3005, 3015, 3030,
    3060,  and  3080.   Any  VPN  3000  series  concentrators  running
    revision 2.5.2 (F) or later are unaffected by this vulnerability.

    If a crafted IP packet with an invalid IP Option setting is
    transmitted to a VPN 3000 series concentrator on the same network
    segment (no routers in between), on either the Inside or the Outside
    interface, it can cause the VPN 3000 series concentrator to hang at
    100% CPU utilization.  The concentrator then has to be reset via the
    console port, as no SNMP or HTTP remote management would be
    possible.  After rebooting, the equipment functions normally until
    the crafted IP packet is received again.

    In order to exploit this vulnerability, the attacker must be on the
    same network segment as the concentrator, without any routers in
    between.  A crafted IP packet traversing a router would typically
    get its invalid IP Options dropped and would not be able to affect
    the VPN 3000 series concentrator.
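    The advisory attributes the hang to an IP packet whose IP Options
    field is malformed, and notes that routers normally drop such
    packets before they reach the concentrator.  The following is an
    added example (not from Cisco's advisory or the VPN 3000 software)
    of the check a segment-local sensor or packet filter can apply: it
    walks the IPv4 options field according to the generic RFC 791
    type/length encoding and reports any option that violates it.  It
    does not know which specific option setting triggers the VPN 3000
    defect, so it flags every encoding violation; the sample headers,
    the build_ipv4 helper and the function names are constructed for
    this example.

```python
"""Walk the IPv4 options field of a raw packet and flag malformed options.

Added example; not code from the Cisco advisory or the VPN 3000 product.
It implements the generic RFC 791 option encoding (type byte, optional
length byte) and reports any option that breaks it.  It does not identify
the specific option setting the advisory refers to.
"""
import struct

# RFC 791 single-byte options: End of Option List and No Operation.
EOL, NOP = 0, 1


def parse_ipv4_options(packet):
    """Return (options, problems) for the IPv4 options of a raw packet.

    options  -> list of (type, payload_bytes) for well-formed options
    problems -> list of strings describing encoding violations found
    """
    problems = []
    if len(packet) < 20:
        return [], ["truncated IPv4 header (%d bytes)" % len(packet)]
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        return [], ["not IPv4 (version %d)" % version]
    if ihl < 5:
        return [], ["IHL %d is below the 20-byte minimum" % ihl]
    hdr_len = ihl * 4
    if hdr_len > len(packet):
        return [], ["IHL claims %d header bytes but packet has %d"
                    % (hdr_len, len(packet))]
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < hdr_len:
        problems.append("total length %d smaller than header length %d"
                        % (total_len, hdr_len))

    opts = packet[20:hdr_len]
    options = []
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == EOL:
            # Everything after End of Option List must be zero padding.
            if any(opts[i + 1:]):
                problems.append("non-zero bytes after End of Option List")
            break
        if t == NOP:
            options.append((NOP, b""))
            i += 1
            continue
        # Every other option carries a length byte covering type+length.
        if i + 1 >= len(opts):
            problems.append("option type %d has no length byte" % t)
            break
        length = opts[i + 1]
        if length < 2:
            problems.append("option type %d has illegal length %d"
                            % (t, length))
            break
        if i + length > len(opts):
            problems.append("option type %d length %d overruns header"
                            % (t, length))
            break
        options.append((t, bytes(opts[i + 2:i + length])))
        i += length
    return options, problems


def is_malformed(packet):
    """True if the IPv4 options (or header layout) violate RFC 791 rules."""
    return bool(parse_ipv4_options(packet)[1])


def build_ipv4(options=b""):
    """Constructed sample: minimal IPv4 header (no payload, checksum 0)
    carrying the given options, padded to a 32-bit boundary."""
    opts = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(opts) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(opts),
                         0, 0, 64, 17, 0, bytes([10, 0, 0, 1]),
                         bytes([10, 0, 0, 2]))
    return header + opts


# Constructed samples: two well-formed, two violating the encoding.
SAMPLES = {
    "nop-nop-eol":      build_ipv4(b"\x01\x01\x00\x00"),
    "record-route":     build_ipv4(b"\x07\x07\x04" + b"\x00" * 4),
    "zero-length-opt":  build_ipv4(b"\x07\x00"),
    "overrun-length":   build_ipv4(b"\x07\x0b\x00\x00"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        opts, problems = parse_ipv4_options(pkt)
        print("%-16s %s %s" % (name, "MALFORMED" if problems else "ok",
                               problems or opts))
```

    A sensor built on this check would alert on traffic from the local
    segment rather than on routed traffic, which is where the advisory
    says the packet has to originate; the parser stops at the first
    violation because the remaining bytes cannot be interpreted
    reliably once an option's length is wrong.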

    When this crafted IP packet is received by the VPN 3000 series
    concentrator, the concentrator stops passing traffic and does not
    respond to any management inquiries via SNMP, Telnet or HTTP.
    However, management via the console port is still possible.

    For  VPN  3000  series  concentrator  models 3015, 3030, 3060, and
    3080 the CPU  Utilization bar graph  indicator on the  front panel
    will go to 100%.

SOLUTION

    This  vulnerability   does  not   affect  the   VPN  5000   series
    concentrators.  No other Cisco product is known to be affected  by
    this  vulnerability.   To  determine  if  a  Cisco VPN 3000 series
    concentrator is running affected software, check the revision  via
    the web interface or the console menu.

    The vulnerability has been fixed in revision 2.5.2 (E) code.  The
    fix will be carried forward into all future releases.  However, due
    to another advisory, the recommended revision to upgrade to is
    2.5.2 (F).  The upgrade can be done via the remote software upgrade
    feature using the VPN 3000 series concentrator's web-based
    management interface.

    There are no system configuration workarounds.  Please upgrade  to
    revision 2.5.2 (F) code.
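    To act on this, an administrator needs to compare each concentrator's
    reported revision against the 2.5.2 (F) threshold given above.  The
    following is an added example (not Cisco's code or tooling) that
    parses revision strings written in the "major.minor.patch (letter)"
    form the advisory uses and lists the hosts still below the
    recommended revision.  It assumes that the letter suffix orders
    alphabetically (so (E) precedes (F), consistent with the advisory's
    text) and that a missing letter sorts before (A); the inventory
    hostnames and revisions are constructed sample data.

```python
"""Triage VPN 3000 concentrator inventory against the fixed revision.

Added example, not from the Cisco advisory.  Revision strings are assumed
to follow the "2.5.2 (F)" form used in the advisory text; the letter
suffix is assumed to sort alphabetically.
"""
import re

# Recommended revision from the advisory: anything below this is affected.
FIXED_REVISION = (2, 5, 2, "F")

_REV_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*(?:\(\s*([A-Za-z])\s*\))?\s*$")


def parse_revision(text):
    """Turn '2.5.2 (F)' into a comparable tuple (2, 5, 2, 'F').

    A revision without a letter suffix yields '' as its fourth element,
    which sorts before 'A' (assumption for this example).
    """
    m = _REV_RE.match(text)
    if not m:
        raise ValueError("unrecognised revision string: %r" % text)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), (letter or "").upper())


def is_affected(revision_text):
    """True if the revision is below 2.5.2 (F)."""
    return parse_revision(revision_text) < FIXED_REVISION


def triage(inventory):
    """inventory: {hostname: revision string}.

    Returns (needs_upgrade, unparseable): sorted host lists for those
    running an affected revision and those whose string could not be
    parsed and need manual review.
    """
    needs_upgrade, unparseable = [], []
    for host, rev in inventory.items():
        try:
            if is_affected(rev):
                needs_upgrade.append(host)
        except ValueError:
            unparseable.append(host)
    return sorted(needs_upgrade), sorted(unparseable)


# Constructed sample inventory; hostnames and revisions are made up.
SAMPLE_INVENTORY = {
    "vpn3030-hq":     "2.5.2 (F)",
    "vpn3005-branch": "2.5.2 (E)",
    "vpn3060-dc":     "2.5.1",
    "vpn3015-lab":    "2.5.2 (G)",
    "vpn3080-edge":   "unknown",
}

if __name__ == "__main__":
    upgrade, review = triage(SAMPLE_INVENTORY)
    print("upgrade to 2.5.2 (F):", upgrade)
    print("manual review:", review)
```

    Note that 2.5.2 (E) is reported as needing an upgrade even though
    the advisory says it contains this particular fix, because the
    advisory's recommended target is (F) on account of the other
    advisory it mentions.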