COMMAND

    Cisco

SYSTEMS AFFECTED

    Cisco

PROBLEM

    The following is based on a Cisco Security Advisory.  Point to Point
    Tunneling Protocol (PPTP)  allows users to  tunnel to an  Internet
    Protocol (IP) network using a Point to Point Protocol (PPP).   The
    protocol is described in RFC2637.

    The PPTP implementation in Cisco IOS® software releases contains a
    vulnerability that will crash a router if it receives a malformed
    or crafted PPTP packet.  No special conditions or router
    configuration is required.  This vulnerability is present in all
    Cisco IOS releases that support the PPTP protocol.  PPTP is supported
    in the following software releases:
    * 12.1 train, releases: T, E, EZ, YA, YD and YC
    * 12.2 train, all releases

    No other  Cisco product  is vulnerable.   To determine  if a Cisco
    product  is  running  an  affected  IOS,  log in to the device and
    issue  the  command  show  version.  Look  for  the  "Internetwork
    Operating System Software" or  "IOS (tm)" information, which  also
    will have a version number.   Other Cisco devices either will  not
    have the command "show version" or will give different output.

    By sending a crafted PPTP packet to port 1723, the PPTP control
    port, it is possible to crash the router.  This vulnerability
    does not require special  router configuration.  Enabling  PPTP is
    sufficient to  expose the  vulnerability.   The router  will crash
    after it receives a single packet.

    This vulnerability is documented as Cisco Bug ID CSCdt46181.

    By repeatedly exploiting this vulnerability it is possible to
    cause a permanent Denial of Service (DoS).  This denial is not only
    of  the  PPTP  functionality  but  the  whole  router  will   stop
    functioning.

SOLUTION

    There is no  workaround for this  vulnerability.  Each  row of the
    table describes a release train and the platforms or products  for
    which it  is intended.   If a  given release  train is vulnerable,
    then the earliest possible releases  that contain the fix and  the
    anticipated  date  of  availability  for  each  are  listed in the
    "Rebuild",  "Interim",  and   "Maintenance"  columns.   A   device
    running a release in the given train that is earlier than the release
    in a  specific column  (less than  the earliest  fixed release) is
    known to be vulnerable.   The release should be upgraded  at least
    to the  indicated release  or a  later version  (greater than  the
    earliest fixed release label).

    +--------+-----------------------------------------------------------------+
    |        | Description of Image                                            |
    | Train  |      or Platform             Availability of Fixed Releases*    |
    +--------+---------------------------+------------+----------+-------------+
    |      12.1-based Releases           | Rebuild    |Interim** | Maintenance |
    +--------+---------------------------+------------+----------+-------------+
    | 12.1E  |Core/ISP support: GSR,     |            |          | 12.1(8a)E   |
    |        |RSP, c7200                 |            |          |             |
    +--------+---------------------------+------------+----------+-------------+
    | 12.1EZ |Early Deployment (ED):     |12.1(6)EZ2  |          |             |
    |        |special image              |            |          |             |
    +--------+---------------------------+------------+----------+-------------+
    |        |Early Deployment(ED): VPN, |Not Scheduled                        |
    |  12.1T |Distributed Director,      +-------------------------------------+
    |        |various platforms          |Upgrade recommended to 12.2(3)       |
    +--------+---------------------------+------------+----------+-------------+
    |        |                           |Not Scheduled                        |
    | 12.1YA |Short-lived early          +-------------------------------------+
    |        |deployment release         |Upgrade recommended to 12.2(2)XB     |
    +--------+---------------------------+------------+----------+-------------+
    | 12.1YC |Short-lived early          |12.1(5)YC1  |          |             |
    |        |deployment release         |            |          |             |
    +--------+---------------------------+------------+----------+-------------+
    | 12.1YD |Short-lived early          |12.1(5)YD2  |          |             |
    |        |deployment release         |2001-June-25|          |             |
    +--------+---------------------------+------------+----------+-------------+
    |       12.2-based Releases          | Rebuild    |Interim** | Maintenance |
    +--------+---------------------------+------------+----------+-------------+
    |  12.2  |General deployment release |            |12.2(1.1) |12.2(3)      |
    |        |for all platforms          |            |          |2001-August  |
    +--------+---------------------------+------------+----------+-------------+
    |  12.2T |General deployment release |            |          |12.2(4)T     |
    |        |for all platforms          |            |          |             |
    +--------+---------------------------+------------+----------+-------------+
    | 12.2XA |SPLOB                      |            |          |12.2(2)XA    |
    +--------+---------------------------+------------+----------+-------------+
    | 12.2XD |Short-lived early          |12.2(1)XD1  |          |             |
    |        |deployment release         |            |          |             |
    +--------+---------------------------+------------+----------+-------------+
    | 12.2XE |Short-lived early          |            |          |12.2(1)XE    |
    |        |deployment release         |            |          |             |
    +--------+---------------------------+------------+----------+-------------+
    | 12.2XH |Short-lived early          |            |          |12.2(1)XH    |
    |        |deployment release         |            |          |2001-June-25 |
    +--------+---------------------------+------------+----------+-------------+
    | 12.2XQ |Short-lived early          |            |          |12.2(1)XQ    |
    |        |deployment release         |            |          |2001-June-23 |
    +--------+---------------------------+------------+----------+-------------+
    |                                   Notes                                  |
    +--------------------------------------------------------------------------+
    | * All dates are estimated and subject to change.                         |
    |                                                                          |
    | ** Interim releases are subjected to less rigorous testing than regular  |
    | maintenance releases, and may have serious bugs.                         |
    +--------------------------------------------------------------------------+
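
    The version check described above, automated as an added example (not
    part of the Cisco advisory): it reads the release from "show version"
    output and compares it with the fixed-release table.  The function
    names, the release-label grammar and its ordering are simplifying
    assumptions, and the sample output is constructed.

```python
import re

# Earliest fixed release per (base, train), transcribed from the table above.
# None means "Not Scheduled": the table recommends moving to another train.
FIXED = {
    ("12.1", "E"): "12.1(8a)E",   ("12.1", "EZ"): "12.1(6)EZ2",
    ("12.1", "T"): None,          ("12.1", "YA"): None,
    ("12.1", "YC"): "12.1(5)YC1", ("12.1", "YD"): "12.1(5)YD2",
    ("12.2", ""): "12.2(3)",      ("12.2", "T"): "12.2(4)T",
    ("12.2", "XA"): "12.2(2)XA",  ("12.2", "XD"): "12.2(1)XD1",
    ("12.2", "XE"): "12.2(1)XE",  ("12.2", "XH"): "12.2(1)XH",
    ("12.2", "XQ"): "12.2(1)XQ",
}
INTERIM_FIXED = {("12.2", ""): "12.2(1.1)"}  # the table's Interim column

# base(maintenance[.interim][letter])TRAIN[rebuild], e.g. 12.1(8a)E, 12.1(6)EZ2
# (assumed grammar; labels outside it raise ValueError)
REL = re.compile(r"(\d+\.\d+)\((\d+)(?:\.(\d+))?([a-z]?)\)([A-Z]*)(\d*)$")

def parse(release):
    """Return ((base, train), sortable key, is_interim) for a release label."""
    m = REL.match(release)
    if not m:
        raise ValueError(f"unrecognised IOS release label: {release!r}")
    base, maint, interim, letter, train, rebuild = m.groups()
    key = (int(maint), int(interim or 0), letter, int(rebuild or 0))
    return (base, train), key, interim is not None

def assess(show_version):
    """Classify 'show version' text against the advisory's fixed-release table."""
    m = re.search(r"IOS \(tm\).*?Version ([^,\s]+)", show_version)
    if not m:
        return "not-ios"            # no "IOS (tm)" banner in the output
    train, key, is_interim = parse(m.group(1))
    if train not in FIXED:
        return "not-listed"         # train has no row in the table
    # Compare interim builds with the Interim column, all others with the rest.
    fixed = (INTERIM_FIXED.get(train) if is_interim else None) or FIXED[train]
    if fixed is None:
        return "no-fix-scheduled"
    return "vulnerable" if key < parse(fixed)[1] else "fixed"

# Constructed sample output, not captured from a real device.
SAMPLE = """Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IS-M), Version 12.1(5)YC, RELEASE SOFTWARE (fc1)
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

    A "not-listed" result is not a clean bill of health: the advisory
    states that every 12.2 release supports PPTP, so a 12.2 train with no
    row in the table still needs to be checked with the vendor.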