Cisco Security Advisory
Click Icon to Copy Verbose Score
AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
-
Cisco IOS XE Software for 1000 Series Aggregation Services Routers (ASR) contains the following denial of service (DoS) vulnerabilities:
- Cisco IOS XE Software Malformed ICMP Packet Denial of Service Vulnerability
- Cisco IOS XE Software PPTP Traffic Denial of Service Vulnerability
- Cisco IOS XE Software TCP Segment Reassembly Denial of Service Vulnerability
- Cisco IOS XE Software Malformed EoGRE Packet Denial of Service Vulnerability
These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.Cisco has released software updates that address these vulnerabilities. This advisory is available at the following link:
Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the embedded services processors (ESP) card or the route processor (RP) card, causing an interruption of services.
Repeated exploitation could result in a sustained DoS condition.
Note: Cisco IOS Software and Cisco IOS-XR Software are not affected by these vulnerabilities.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131030-asr1000
-
Cisco IOS XE Software for 1000 Series ASR contains multiple DoS vulnerabilities. Affected versions of Cisco IOS XE Software for 1000 Series ASR will vary depending on the specific vulnerability. Consult the Software Versions and Fixes section of this security advisory for more information about the affected versions.
Vulnerable Products
For specific version information, refer to the Software Versions and Fixes section of this advisory.
Cisco IOS XE Software Malformed ICMP Packet Denial of Service Vulnerability
Cisco IOS XE Software contains a vulnerability that could cause an affected device to reload when processing malformed ICMP error packets that belong to a TCP or UDP connection that is inspected by a Zone-Based Firewall (ZBFW). The ZBFW is not enabled by default.
To verify if a ZBFW is configured on a device, use the show policy-map type inspect zone-pair privileged EXEC command. The presence of Match: protocol tcp or Match: protocol udp and Inspect under the configured zone pair class map in the output of show policy-map type inspect zone-pair indicates that the ZBFW inspection for TCP or UDP protocols is configured.
The following output is for show policy-map type inspect zone-pair on Cisco IOS XE Software that is configured as a ZBFW:
Note: Cisco IOS devices configured with a ZBFW are not affected by this vulnerability. Only Cisco ASR 1000 Series Aggregation Services Routers running affected versions of Cisco IOS XE Software are affected by this vulnerability.Router#show policy-map type inspect zone-pair
Zone-pair: clients-servers
Service-policy inspect : clients-servers-policy
Class-map: L4-inspect-class (match-any)
Match: protocol tcp
Match: protocol udp
Match: protocol icmp
Inspect <output suppressed>
Cisco IOS XE Software PPTP Traffic Denial of Service Vulnerability
Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload while processing Point-to-Point Tunneling Protocol (PPTP) packets that undergo Network Address Translation (NAT) and PPTP application layer gateway (ALG) inspection. An attacker could exploit this vulnerability by sending a large number of PPTP packets to traverse a device that is configured for NAT.
Cisco IOS XE Software may be affected by this vulnerability if NAT and PPTP ALG are enabled on an affected device; these services are not enabled by default.
PPTP ALG is enabled on a device when NAT is enabled.
To determine whether NAT has been enabled in the Cisco IOS XE Software configuration, the ip nat inside or ip nat outside commands must be present in different interfaces and at least one ip nat global configuration command must be present in the configuration.
The show running-config | include ip nat command can be used to determine whether NAT is present in the configuration, as illustrated in the following example of a vulnerable configuration:
asr1004#show running-config | include ip nat
ip nat inside
ip nat outside
ip nat inside source static 192.168.1.100 10.0.0.1
If the output is empty, the Cisco IOS XE Software release running on a given device is not vulnerable. If the output returned is not empty, PPTP ALG services may be explicitly disabled in the NAT configuration. To determine whether PPTP ALG is disabled in the NAT configuration, use the show run | include ip nat privileged EXEC command. The presence of no ip nat service pptp in the output of show run | include ip nat indicates that PPTP ALG is disabled in the NAT configuration.
The following is the output of show run | include ip nat in Cisco IOS XE Software that has the PPTP ALG disabled under NAT configuration:asr1004#show running-config | include ip nat
ip nat inside
ip nat outside
ip nat inside source static 192.168.1.100 10.0.0.1
no ip nat service pptp
Note: A configuration command to disable PPTP ALG in the NAT configuration is available in Cisco IOS XE Software versions 3.9 and above. On Cisco IOS XE Software versions prior to 3.9, there is no capability to disable PPTP ALG in the NAT configuration.
Cisco IOS devices configured for PPTP ALG inspection are not affected by this vulnerability. Only Cisco ASR 1000 Series Aggregation Services Routers running affected versions of Cisco IOS XE Software are affected by this vulnerability.
Cisco IOS XE Software TCP Segment Reassembly Denial of Service Vulnerability
Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload while processing segmented TCP packets that undergo Network Address Translation (NAT). An attacker could exploit this vulnerability by sending TCP packets that are large after the segment reassembly is complete when these packets traverse a device that is configured for NAT.
TCP reassembly is enabled when NAT is enabled.
To determine whether NAT has been enabled in the Cisco IOS XE Software configuration, the ip nat inside or ip nat outside commands must be present in different interfaces and at least one ip nat global configuration command must be present in the configuration.
The show running-config | include ip nat command can be used to determine whether NAT is present in the configuration, as illustrated in the following example of a vulnerable configuration:
asr1004#show running-config | include ip nat
ip nat inside
ip nat outside
ip nat inside source static 192.168.1.100 10.0.0.1
Only Cisco ASR 1000 Series Aggregation Services Routers with embedded services processor 100 (ASR1000-ESP100) and Cisco ASR1002-X Series Routers are affected by this vulnerability.
To determine whether a Cisco ASR 1000 device has ASR1000-ESP100 installed or is a Cisco ASR1002-X Series Router, administrators can issue the show inventory command. The following is the output of the show inventory in Cisco IOS XE Software running on a Cisco ASR 1006 Router with ASR1000-ESP100:asr1006#show inventory NAME: "Chassis", DESCR: "Cisco ASR1006 Chassis" PID: ASR1006 NAME: "module F1", DESCR: "Cisco ASR1000 Embedded Services Processor, 10 0Gbps" PID: ASR1000-ESP10 0 <output suppressed>
Note: Cisco IOS devices configured for NAT are not affected by this vulnerability. Only Cisco ASR 1000 Series Aggregation Services Routers running affected versions of Cisco IOS XE Software are affected by this vulnerability.
Cisco IOS XE Software Malformed EoGRE Packet Denial of Service Vulnerability
Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload while processing malformed IP version 4 (IPv4) or IP version 6 (IPv6) Ethernet over Generic Routing Encapsulation (EoGRE) packets on an interface configured with EoGRE.
EoGRE is not enabled by default.To determine whether EoGRE has been enabled in the Cisco IOS XE Software configuration, the tunnel mode ethernet gre ipv4 or tunnel mode ethernet gre ipv6 commands must be present on a tunnel interface configuration and at least one IP address must be configured on that interface.
The show running-config | include Tunnel|(tunnel mode|ip address .) command can be used to determine whether EoGRE is present in the configuration, as illustrated in the following example of a vulnerable configuration:
asr1004#show running-config | include Tunnel|(tunnel mode|ip address .)
interface Tunnel0
ip address 192.168.1.1 255.255.255.0 tunnel mode ethernet gre ipv4
Note: Cisco IOS devices configured for EoGRE are not affected by this vulnerability. Only Cisco ASR 1000 Series Aggregation Services Routers running affected versions of Cisco IOS XE Software are affected by this vulnerability.
Determine the Running Software Version
The Cisco ASR 1000 Series Aggregation Services Routers IOS XE releases correspond to the Cisco IOS Software releases. For example, Cisco IOS XE Release 3.6.2S is the software release for Cisco ASR 1000 Series Aggregation Services Routers IOS Release 15.2(2)S2.
For more information about mappings between the Cisco IOS XE releases and their associated Cisco IOS releases, see the following:
http://www.cisco.com/en/US/docs/routers/asr1000/release/notes/asr1k_rn_intro.html
To determine whether a vulnerable version of Cisco IOS XE Software is running on a device, administrators can issue the show version command. The following example shows Cisco IOS XE Software that is running IOS XE Software version 3.6.2S, which maps to Cisco IOS Software version 15.2(2)S2:
asr1004#show version
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 07-Aug-12 13:40 by mcpre
<output suppressed>
Note: A Cisco IOS XE Software image consists of seven individual modules, also referred to as subpackages. The packages are designed to use the In-Service Software Upgrade (ISSU) capability of Cisco IOS XE Software. Customers can choose to upgrade only those packages that need to be upgraded. For more information about the Cisco IOS XE Software packaging, see the following:
http://www.cisco.com/en/US/partner/prod/collateral/routers/ps9343/product_bulletin_c25-448387.html
If the packages are upgraded individually, the output of the show version command may vary.
Products Confirmed Not Vulnerable
The products running Cisco IOS Software or Cisco IOS-XR Software are not affected by any of these vulnerabilities.
With the exception of Cisco IOS XE Software for 1000 Series Aggregation Services Routers, no other Cisco products are currently known to be affected by these vulnerabilities.
-
The following section provides additional information about each vulnerability.
Cisco IOS XE Software Malformed ICMP Packet Denial of Service Vulnerability
A vulnerability in the Zone-Based Firewall (ZBFW) TCP or UDP inspection feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.
The vulnerability is due to improper processing of malformed ICMP error packets traversing a vulnerable device that belong to a TCP or UDP connection that is inspected by a ZBFW. An attacker could exploit this vulnerability by sending a number of malformed ICMP error packets that belong to an inspected TCP or UDP session. An exploit could allow the attacker to cause a reload of the affected device, resulting in DoS condition.
This vulnerability is documented in Cisco bug ID CSCtt26470 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2013-5543.
Cisco IOS XE Software PPTP Traffic Denial of Service Vulnerability
A vulnerability in the PPTP ALG feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.
The vulnerability is due to the improper handling of PPTP packets that are being inspected as part of the NAT feature on Cisco IOS XE Software. An attacker could exploit this vulnerability by sending a large number of PPTP packets to traverse a vulnerable system that is configured for NAT.
A successful exploit could allow the attacker to cause a system to reload, resulting in a DoS condition. Repeated exploitation could result in a sustained DoS condition.
This vulnerability is documented in Cisco bug ID CSCuh19936 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2013-5545.
Cisco IOS XE Software TCP Segment Reassembly Denial of Service Vulnerability
A vulnerability in TCP segment reassembly of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.
The vulnerability is due to improper processing of large TCP reassembled packets that are being processed by NAT and ALG features on the affected device. An attacker could exploit this vulnerability by sending a TCP packet that is large after the reassembly to traverse a vulnerable device. Only packets being handled by NAT and ALG features have a potential to cause an affected device to reload. An exploit could allow the attacker to cause a reload of the affected device, resulting in a DoS condition.
This vulnerability is documented in Cisco bug ID CSCud72509 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2013-5546.
Cisco IOS XE Software Malformed EoGRE Packet Denial of Service Vulnerability
A vulnerability in the EoGRE feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.
The vulnerability is due to improper processing of malformed EoGRE packets. An attacker could exploit this vulnerability by sending malformed IPv4 or IPv6 EoGRE packets to an affected device configured with an EoGRE interface; this vulnerability cannot be exploited by sending malformed EoGRE packets to traverse a vulnerable system. An exploit could allow the attacker to cause a reload of the affected device, resulting in a DoS condition.
This vulnerability is documented in Cisco bug ID CSCuf08269 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2013-5547.
-
No workarounds are available to mitigate these vulnerabilities.
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Each Cisco IOS XE Software release is classified as either a Standard Support or an Extended Support release. A Standard Support release has a total engineering support lifetime of one year, with two scheduled rebuilds. The Extended Support release provides a total engineering support lifetime of two years, with four scheduled rebuilds.
For more information about the Cisco IOS XE Software End-of-Life policy and associated support milestones for specific Cisco IOS XE Software releases, see:
Cisco IOS XE Software Support Timeline up to IOS XE 3.9S and Cisco IOS XE Software Support Timeline Starting with Cisco IOS XE Software Release 3.10S
Cisco IOS XE Software Malformed ICMP Packet Denial of Service Vulnerability
Vulnerability Major Release
Extended Release First Fixed Release CSCtt26470
2.x -
Not affected
3.1 Yes Not affected 3.2 No
Not affected
3.3 No
Not affected 3.4 Yes
3.4.2S 3.5 No
3.5.1S
3.6 No Not affected
3.7 Yes
Not affected
3.8 No Not affected
3.9 No Not affected 3.10 Yes Not affected
Cisco IOS XE Software PPTP Traffic Denial of Service Vulnerability
Vulnerability Major Release
Extended Release First Fixed Release CSCuh19936
2.x -
Not affected
3.1 Yes Not affected 3.2 No
Not affected
3.3 No
Not affected 3.4 Yes
Not affected
3.5 No
Not affected
3.6 No Not affected
3.7 Yes
Not affected
3.8 No Not affected
3.9 No 3.9.2S 3.10 Yes Not affected
Cisco IOS XE Software TCP Segment Reassembly Denial of Service Vulnerability
Vulnerability Major Release
Extended Release First Fixed Release CSCud72509
2.x -
Not affected
3.1 Yes Not affected 3.2 No
Not affected
3.3 No
Not affected 3.4 Yes
Not affected 3.5 No
Not affected
3.6 No Not affected
3.7 Yes
3.7.3S 3.8 No 3.8.1S
3.9 No Not affected 3.10 Yes Not affected
Cisco IOS XE Software Malformed EoGRE Packet Denial of Service Vulnerability
Vulnerability Major Release
Extended Release First Fixed Release CSCuf08269
2.x -
Not affected
3.1 Yes Not affected 3.2 No
Not affected
3.3 No
Not affected 3.4 Yes
Not affected 3.5 No
Not affected
3.6 No Not affected
3.7 Yes
Not affected
3.8 No Not affected
3.9 No 3.9.2S 3.10 Yes Not affected Recommended Releases
The Recommended Release table lists the releases that have fixes for all the published vulnerabilities at the time of this advisory. Cisco recommends upgrading to a release equal to or later than the release in the following table.
Affected Release
Recommended Release
Extended Release
2.x Not vulnerable
- 3.1 Not vulnerable
Yes 3.2 Not vulnerable
No 3.3 Not vulnerable
No 3.4 3.4.2S
Yes 3.5 3.5.1S
No 3.6 Not vulnerable
No 3.7 3.7.3S Yes 3.8 3.8.1S No 3.9 3.9.2S No 3.10 Not vulnerable
Yes
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
Cisco IOS XE Software Malformed ICMP Packet Denial of Service Vulnerability and Cisco IOS XE Software TCP Segment Reassembly Denial of Service Vulnerability were discovered during the resolution of customer support cases.
The remaining vulnerabilities described in this security advisory were discovered during internal security testing.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show LessRevision 1.0 2013-October-30 Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.