When considering software upgrades, also consult
and any subsequent advisories to determine exposure and a complete upgrade
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco Technical
Assistance Center ("TAC") or your contracted maintenance provider for
Cisco IOS Software
There are two bugs that make Cisco IOS software vulnerable to this
attack. Fixes exist in the field for both bugs. Bug ID CSCdi71085 makes systems
highly vulnerable to the attack. Bug ID CSCdi87533 makes systems moderately
vulnerable. Bug ID CSCdj61324 is a newly-created bug ID that is being used as a
tag for integration of the fix for CSCdi87533, plus a largely cosmetic change
that prevents even the temporary creation of a half-open connection. The fix for
CSCdj61324 has not yet been integrated into any released code, but is not
necessary if the fix for CSCdi87533 is present.
CSCdi71085 and CSCdi87533 divide Cisco IOS software versions into three
vulnerability classes. Versions that do not have the fix for bug ID CSCdi71085
are highly vulnerable, and may hang indefinitely, requiring hardware resets,
when attacked. This includes all releases before release 10.3, as well as early
10.3, 11.0, 11.1, and 11.2 versions. CSCdi71085 was fixed in 11.2(2), 11.2(2)P,
and 11.2(2)F, as well as in the 10.3, 11.0, and 11.1 releases listed in the
Versions in which CSCdi71085 has been fixed, but in which CSCdi87533 is
still present, are moderately vulnerable to the attack. These versions will not
accept any new TCP connections for about 30 seconds after any attack packet is
received, but will not hang completely, will continue to forward packets
without interruption, and will recover with no long-term effects. CSCdi87533
has thus far been fixed only in 11.2-based releases; the fix was integrated in
11.2(3.4), 11.2(3.4)F, and 11.2(3.4)P.
Versions in which both CSCdi71085 and CSCdi87533 have been fixed are
largely invulnerable to this attack. These versions will create half-open TCP
connections upon receiving attack packets, but will continue to accept
legitimate TCP connections, and will delete the half-open connections within
about 30 seconds. The performance impact of such a half-open connection during
its lifetime is believed to be negligible.
Future versions in which CSCdj61324 has been fixed will be invulnerable
to the attack, and will not create half-open connections in response to attack
packets. We believe the security advantage of the CSCdj61324 fix over the
CSCdi87533 fix to be negligible; CSCdj61324 is largely a placeholder to be used
for integrating fixes in future non-11.2 releases.
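As an added illustration that is not part of this advisory: the attack packet referred to above is the one land.c sends, a TCP SYN whose source address and port are identical to its destination address and port. The following Python detector parses raw IPv4/TCP headers and flags such packets in a constructed sample capture; the addresses, the make_ipv4_tcp fixture and all function names are my own and not from Cisco.

```python
import struct
from collections import namedtuple

SYN, ACK = 0x02, 0x10
TcpSegment = namedtuple("TcpSegment", "src_ip dst_ip src_port dst_port flags")

def parse_ipv4_tcp(pkt):
    """Decode the IPv4 and TCP headers of a raw packet; None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4  # IPv4 header length, options included
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:
        return None  # malformed, or not TCP (protocol 6)
    src_ip = ".".join(str(b) for b in pkt[12:16])
    dst_ip = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return TcpSegment(src_ip, dst_ip, sport, dport, pkt[ihl + 13])

def is_land_packet(seg):
    """LAND signature: a SYN (no ACK) whose source and destination address
    and port are identical, so the target is asked to connect to itself."""
    return ((seg.flags & (SYN | ACK)) == SYN
            and seg.src_ip == seg.dst_ip and seg.src_port == seg.dst_port)

def find_land_packets(packets):
    """Return (index, 'ip:port') for each LAND packet in a list of raw packets."""
    hits = []
    for i, raw in enumerate(packets):
        seg = parse_ipv4_tcp(raw)
        if seg is not None and is_land_packet(seg):
            hits.append((i, f"{seg.dst_ip}:{seg.dst_port}"))
    return hits

def make_ipv4_tcp(src_ip, dst_ip, sport, dport, flags):
    """Constructed test fixture: minimal IPv4 + TCP headers, checksums zeroed."""
    addrs = [bytes(map(int, a.split("."))) for a in (src_ip, dst_ip)]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, *addrs)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return ip + tcp

# Constructed sample capture: a normal telnet SYN to the router, a LAND packet
# aimed at the router's telnet port, and a SYN/ACK that must not match.
SAMPLE = [
    make_ipv4_tcp("192.0.2.10", "192.0.2.1", 40000, 23, SYN),
    make_ipv4_tcp("192.0.2.1", "192.0.2.1", 23, 23, SYN),
    make_ipv4_tcp("192.0.2.1", "192.0.2.1", 23, 23, SYN | ACK),
]

if __name__ == "__main__":
    print(find_land_packets(SAMPLE))  # [(1, '192.0.2.1:23')]
```

On a device with only the CSCdi71085 fix, each packet this detector flags corresponds to roughly 30 seconds of refused new TCP connections, which is why an alert on it is worth raising even when the router itself stays up.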
If you believe that there is any possibility of hostile attack against
your system, and if you cannot protect yourself using the configuration
workaround given above, we strongly recommend that you update your software to
a version containing the fix for CSCdi71085, since the impact of CSCdi71085
under this attack is very high. The fix for CSCdi71085 is available for
releases based on 10.3, 11.0, 11.1, and 11.2, and has been in the field for
quite some time. Users of 11.2-based releases should install post-11.2(4)
versions, thereby getting the fix for CSCdi87533 as well.
At the time of this writing, the following releases are recommended:
First released versions with all existing fixes (*= fix for
Recommended for most installations
11.1(7), 11.1(7)AA, 11.1(7)CA, 11.1(9)IA
11.1(15), 11.1(15)AA, 11.1(15)CA, 11.1(15)IA
11.2(4)*, 11.2(4)F*, 11.2
11.2(10), 11.2(9)P, 11.2(4)F1
End of engineering
As with any software update, you should make sure your system
configuration is supported by the new software before installing it. It's
especially important to make sure that your system has sufficient memory to
support the new software. Update planning assistance is available from Cisco's
Worldwide Web site at http://www.cisco.com/.
Cisco intends to release fixes for CSCdj61324 (equivalent to
CSCdi87533) on non-11.2 releases. Because the impact of CSCdj61324/CSCdi87533
is moderate, and because a configuration workaround exists, we do not intend to
create special software releases for these fixes. The fixes will appear in
regularly scheduled maintenance releases of 11.0 and 11.1 software. For more
information on the workaround for this issue, see the
Workarounds section of this
Release 10.3 is at end of engineering, and will not be fixed. Customers
who absolutely must run 10.3 or older code, and who absolutely cannot install
the workarounds described below, and who believe they are likely to be subject
to attack, should contact the Cisco TAC.
The fixed code for 11.0 and 11.1 has been written and subjected to unit
testing, and is now being scheduled for integration in future maintenance
releases. These fixes are being treated as priority items.
Cisco IOS/700 Software
Cisco plans to release a software fix for IOS/700. The fix code has
been written, and is being tested for integration and release. Because there is
a low-impact configuration workaround that provides complete protection against
the attack, Cisco does not plan to expedite release of this software fix. The
fix will appear in regularly scheduled IOS/700 maintenance releases.
Catalyst 5xxx and 29xx LAN Switch
A software fix has been developed for the Catalyst 5xxx and 29xx switch
software. Because the impact of land.c attack on these switches is severe, and
because the available configuration workarounds are not practical for many
customers, Cisco has produced interim software builds incorporating these
fixes. Two interim versions are available: 2.1(1102) and 2.4(401).
Interim versions receive less testing than regular software releases,
and Cisco's support resources for interim versions are more limited than
support resources for regular releases. We ask that customers install these
releases only if they believe their networks are at genuine risk of disruptive
attack. Customers may obtain the interim software by contacting the Cisco TAC
at +1 800 553 24HR.
The fix will be incorporated in the next regularly scheduled
maintenance releases of both 2.1 and 2.4 Catalyst 5xxx and 29xx software.