-
Somebody has released a program, known as land.c, which can be used to launch denial of service attacks against various TCP implementations. The program sends a TCP SYN packet (a connection initiation), giving the target host's address as both source and destination, and using the same port on the target host as both source and destination.
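As an added example that is not part of this advisory, the following Python code recognises the packet described above in raw IPv4 bytes: it honours the IP header length so that IP options cannot hide the TCP header, and it requires a bare SYN (no ACK) whose source and destination address and port are equal. The sample packets are constructed inline for offline testing (checksums left at zero, nothing is transmitted) and use documentation address ranges. A packet-level detector cannot tell whether a service is actually listening on the port, so it flags every land-shaped packet.

```python
"""Detect land.c-style TCP SYN packets in raw IPv4 frames (added example, not Cisco code)."""
import socket
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10


def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, sport, dport, flags) or None if pkt is not a complete IPv4/TCP packet."""
    if len(pkt) < 20:
        return None
    ver_ihl, proto = pkt[0], pkt[9]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4            # IP header length in bytes, options included
    if ihl < 20 or proto != 6 or len(pkt) < ihl + 20:
        return None
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]                 # TCP flag byte (URG/ACK/PSH/RST/SYN/FIN in the low bits)
    return src, dst, sport, dport, flags


def is_land_packet(pkt: bytes) -> bool:
    """land.c signature: a bare SYN whose source equals its destination in both address and port."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    src, dst, sport, dport, flags = parsed
    bare_syn = bool(flags & TCP_SYN) and not (flags & TCP_ACK)
    return bare_syn and src == dst and sport == dport


def make_ipv4_tcp(src, dst, sport, dport, flags, options=b""):
    """Build a minimal IPv4+TCP header for offline testing only: checksums are zero, nothing is sent."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    total = ihl * 4 + 20
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + options
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


# Constructed samples (not captures): a land packet aimed at a router's telnet port, a legitimate SYN,
# a SYN/ACK with equal endpoints (not a land packet), and a land packet carrying IP options (IHL > 5).
SAMPLES = {
    "land_telnet": make_ipv4_tcp("192.0.2.1", "192.0.2.1", 23, 23, TCP_SYN),
    "normal_syn": make_ipv4_tcp("198.51.100.7", "192.0.2.1", 40000, 23, TCP_SYN),
    "synack": make_ipv4_tcp("192.0.2.1", "192.0.2.1", 23, 23, TCP_SYN | TCP_ACK),
    "land_with_options": make_ipv4_tcp("192.0.2.1", "192.0.2.1", 80, 80, TCP_SYN, options=b"\x01\x01\x01\x01"),
}


def classify(samples=SAMPLES):
    """Map each sample name to True if it matches the land.c signature."""
    return {name: is_land_packet(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:18s} {'LAND' if hit else 'ok'}")
```

The same test applies to the latierra.c variant mentioned later in this advisory: scanning more ports or addresses does not change the per-packet signature, only the rate.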
-
Classic Cisco IOS software (used on Cisco routers
with product numbers greater than 1000, on the CGS/MGS/AGS+, on the CS-500,
and, in a variant form, on the Lightstream 1010 ATM switch) has been verified
to be vulnerable to this attack, depending on the software version. See the
Software Versions and Fixes section of this
document for information on affected versions.
-
Cisco IOS/700 software (used on Cisco 7xx routers)
has also been verified to be vulnerable.
-
Catalyst 5xxx and 29xx LAN switches are vulnerable
to the attack. Failures to reproduce the problem in early Cisco lab testing
were caused by errors introduced by the kernels on the machines being used to
run the attack program. Other Catalyst switches do not share any TCP code with
the Catalyst 5xxx or 29xx, and have shown no vulnerability in any
tests.
-
Cisco BPX and IGX WAN switches are vulnerable under
some circumstances. These switches can be attacked only
via their management ports, not from the transit data stream.
-
The AXIS shelf is affected by the attack. The AXIS
shelf can be attacked only via its management port.
-
The PIX firewall has been tested, and does
not appear to be affected.
-
The Centri firewall has been tested, and does
not appear to be affected.
This advisory will be posted at: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19971121-land.
-
Vulnerable Products
All Cisco IOS/700 software systems that can be reached via TCP from untrusted hosts are affected. Classic Cisco IOS software systems that are running vulnerable versions and that can be reached via TCP from untrusted hosts are affected. All Cisco Catalyst 5xxx and 29xx switches that can be reached via TCP from untrusted hosts are affected. IGX and BPX WAN switches, and the AXIS shelf, are affected, but only if their management ports are exposed to the hostile packets.
In all cases, the TCP ports reachable by the attack must be ports on which services are actually being provided (such as the Telnet port, for most systems). The attack requires spoofing the target's own address, so systems behind effective anti-spoofing firewalls are safe.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
This section provides details about these vulnerabilities.
Classic Cisco IOS Software Details
Classic Cisco IOS software versions vary in their susceptibility to the land.c attack. Releases fall into highly vulnerable, moderately vulnerable, and largely invulnerable classes. Newer releases are less vulnerable than older releases.
Cisco IOS/700 Software
All Cisco IOS/700 software versions which have been evaluated are vulnerable to this attack. A Cisco IOS/700 system subjected to this attack will hang and must be physically reset.
Cisco Catalyst 5xxx and 29xx LAN Switch
Cisco Catalyst 5xxx and Catalyst 29xx LAN switches are vulnerable to attack. Both switch types crash when attacked. The crash may be preceded by a system hang of as much as a few seconds, but no systems have been observed to hang indefinitely. Bug ID CSCdj62723 has been assigned to this problem.
Other Catalyst LAN switches have been tested, and have not shown any vulnerability to the attack. Only the 5xxx and 29xx series are affected.
-
This section provides workarounds for these vulnerabilities.
Cisco IOS Software
Classic Cisco IOS software users can use input access lists on their interfaces to prevent the attack packets from entering their TCP stacks. Input access lists are available in all Cisco IOS software versions from 9.21 onward. Using an input access list will prevent the attack entirely, but may have unacceptable performance impacts on heavily loaded high-end routers. Traffic will still be fast-switched, but higher-speed switching modes may be disabled by the use of the input access lists. Use care in deploying this workaround on heavily loaded routers.
If you have no existing input access lists, create a new IP extended access list. Use a presently-unused number between 100 and 199. The access list must have an entry for each IP address configured on the system. Deny packets from each address to itself. For example:
access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
If you have existing access lists, you'll need to merge the new entries in an appropriate way, generally at the top of the list.
Once created, the access list should be applied incoming on all interfaces, so a fragment of a total router configuration might look like this:
interface ethernet 0
 ip address 1.2.3.4 255.255.255.0
 ip access-group 101 in
!
interface ethernet 1
 ip address 5.6.7.8 255.255.255.0
 ip access-group 101 in
!
access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Cisco recommends that you take advantage of the opportunity provided by installing this workaround to review your anti-spoofing filters, if appropriate.
Cisco IOS/700 Software
Add the following configuration command to any profile that may be active when connected to a potentially hostile network:
set ip filter tcp in source <7xx IP address> destination <7xx IP address> block
This will completely protect the 7xx system. We believe that 7xx configurations in which this command has unacceptable performance or other impact are extremely rare if they exist at all.
Catalyst 5xxx and 29xx LAN Switch
The attack may be absolutely avoided by not assigning an IP address to the Catalyst switch. However, this has the effect of disabling all remote management. Depending on its location in the network, it may be possible to protect the switch with router access lists or dedicated firewalls. An example of an appropriate Cisco router access list entry for specifically protecting an individual switch would be:
access-list 101 deny ip <switch-address> 0.0.0.0 <switch-address> 0.0.0.0
Note that this single entry is not a complete access list, and should not be used without combining it with other entries that permit desired traffic. Other, more general filters are feasible.
Using Cisco Products to Protect Other Systems
We do not believe that this attack can be used against systems behind our dedicated firewall products, the PIX and Centri firewalls, unless general-purpose tunnels have been enabled through the firewalls. Such configurations are not recommended.
Properly designed anti-spoofing access lists at border routers can be used to prevent the attack from entering a private network from the Internet. Use the access lists to filter out packets whose IP source addresses are on your internal net, but which are arriving from interfaces connected to the outside Internet. Such filters are strongly recommended not only because of this attack, but because of other known attacks which affect various network devices, and because new IP spoofing attacks are constantly surfacing. If at all possible, it's also desirable to configure access lists to prevent packets from being sent from your internal net to the Internet with source addresses that aren't actually part of your internal net. This can help to keep your network from being used as a launchpad for denial of service attacks.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
Cisco IOS Software
Affected Versions
There are two bugs that make Cisco IOS software vulnerable to this attack. Fixes exist in the field for both bugs. Bug ID CSCdi71085 makes systems highly vulnerable to the attack. Bug ID CSCdi87533 makes systems moderately vulnerable. Bug ID CSCdj61324 is a newly-created bug ID that is being used as a tag for integration of the fix for CSCdi87533, plus a largely cosmetic change that prevents even the temporary creation of a half-open connection. The fix for CSCdj61324 has not yet been integrated into any released code, but is not necessary if the fix for CSCdi87533 is present.
CSCdi71085 and CSCdi87533 divide Cisco IOS software versions into three vulnerability classes. Versions that do not have the fix for bug ID CSCdi71085 are highly vulnerable, and may hang indefinitely, requiring hardware resets, when attacked. This includes all releases before release 10.3, as well as early 10.3, 11.0, 11.1, and 11.2 versions. CSCdi71085 was fixed in 11.2(2), 11.2(2)P, and 11.2(2)F, as well as in the 10.3, 11.0, and 11.1 releases listed in the table below.
Versions in which CSCdi71085 has been fixed, but in which CSCdi87533 is still present, are moderately vulnerable to the attack. These versions will not accept any new TCP connections for about 30 seconds after any attack packet is received, but will not hang completely, will continue to forward packets without interruption, and will recover with no long-term effects. CSCdi87533 has thus far been fixed only in 11.2-based releases; the fix was integrated in 11.2(3.4), 11.2(3.4)F, and 11.2(3.4)P.
Versions in which both CSCdi71085 and CSCdi87533 have been fixed are largely invulnerable to this attack. These versions will create half-open TCP connections upon receiving attack packets, but will continue to accept legitimate TCP connections, and will delete the half-open connections within about 30 seconds. The performance impact of such a half-open connection during its lifetime is believed to be negligible.
Future versions in which CSCdj61324 has been fixed will be invulnerable to the attack, and will not create half-open connections in response to attack packets. We believe the security advantage of the CSCdj61324 fix over the CSCdi87533 fix to be negligible; CSCdj61324 is largely a placeholder to be used for integrating fixes in future non-11.2 releases.
If you believe that there is any possibility of hostile attack against your system, and if you cannot protect yourself using the configuration workaround given above, we strongly recommend that you update your software to a version containing the fix for CSCdi71085, since the impact of CSCdi71085 under this attack is very high. The fix for CSCdi71085 is available for releases based on 10.3, 11.0, 11.1, and 11.2, and has been in the field for quite some time. Users of 11.2-based releases should install post-11.2(4) versions, thereby getting the fix for CSCdi87533 as well.
At the time of this writing, the following releases are recommended:
Base Release   First released versions with all existing fixes   Recommended for most installations
               (* = includes the fix for CSCdi87533)
-------------  ------------------------------------------------  --------------------------------------------
10.3           10.3(16)                                          10.3(19a)
11.0           11.0(12), 11.0(12a)BT                             11.0(17), 11.0(17)BT
11.1           11.1(7), 11.1(7)AA, 11.1(7)CA, 11.1(9)IA          11.1(15), 11.1(15)AA, 11.1(15)CA, 11.1(15)IA
11.2           11.2(4)*, 11.2(4)F*, 11.2                         11.2(10), 11.2(9)P, 11.2(4)F1
Before 10.3    End of engineering                                10.3(19a)
As with any software update, you should make sure your system configuration is supported by the new software before installing it. It's especially important to make sure that your system has sufficient memory to support the new software. Update planning assistance is available from Cisco's Worldwide Web site at http://www.cisco.com/.
Planned Fixes
Cisco intends to release fixes for CSCdj61324 (equivalent to CSCdi87533) on non-11.2 releases. Because the impact of CSCdj61324/CSCdi87533 is moderate, and because a configuration workaround exists, we do not intend to create special software releases for these fixes. The fixes will appear in regularly scheduled maintenance releases of 11.0 and 11.1 software. For more information on the workaround for this issue, see the Workarounds section of this document.
Release 10.3 is at end of engineering, and will not be fixed. Customers who absolutely must run 10.3 or older code, and who absolutely cannot install the workarounds described in the Workarounds section above, and who believe they are likely to be subject to attack, should contact the Cisco TAC.
The fixed code for 11.0 and 11.1 has been written and subjected to unit testing, and is now being scheduled for integration in future maintenance releases. These fixes are being treated as priority items.
Cisco IOS/700 Software
Cisco plans to release a software fix for IOS/700. The fix code has been written, and is being tested for integration and release. Because there is a low-impact configuration workaround that provides complete protection against the attack, Cisco does not plan to expedite release of this software fix. The fix will appear in regularly scheduled IOS/700 maintenance releases.
Catalyst 5xxx and 29xx LAN Switch
A software fix has been developed for the Catalyst 5xxx and 29xx switch software. Because the impact of land.c attack on these switches is severe, and because the available configuration workarounds are not practical for many customers, Cisco has produced interim software builds incorporating these fixes. Two interim versions are available: 2.1(1102) and 2.4(401).
Interim versions receive less testing than regular software releases, and Cisco's support resources for interim versions are more limited than support resources for regular releases. We ask that customers install these releases only if they believe their networks are at genuine risk of disruptive attack. Customers may obtain the interim software by contacting the Cisco TAC at +1 800 553 24HR.
The fix will be incorporated in the next regularly scheduled maintenance releases of both 2.1 and 2.4 Catalyst 5xxx and 29xx software.
-
Cisco has had multiple reports of this vulnerability.
Most exploitation seems to be using the original program, which sends one packet at a time. A similar program, latierra.c, which is capable of flooding and of scanning port and address ranges, has been released, and it is reasonable to expect some flooding attacks.
This issue has been widely discussed in a variety of Internet forums. Exploitation code is widely available to the public.
Cisco first heard of this problem on the morning of Friday, November 21.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 6.0
1997-DEC-10
Catalyst 5000 fix information. More detailed information about other fixes. General reformatting.
Revision 5.0
1997-NOV-28
Editing and typographical error correction
Revision 4.0
1997-NOV-28
The Catalyst 5000 is vulnerable; so is the 2900. Failures to reproduce the problem in house were caused by errors in the test setup. Other Catalyst switches were tested using the same setup, and may be vulnerable.
Revision 3.0
1997-NOV-26
Retract the claim that the Catalyst 5000 is vulnerable. Add information about IGX and BPX WAN switches and about the AXIS shelf.
Revision 2.0
1997-NOV-22
Add information about highly vulnerable Cisco IOS versions.
Add detailed information about affected version numbers.
Add specific bug IDs.
Add upgrade recommendations.
Add first information about Catalyst LAN switches.
General editing and reformatting.
Revision 1.0
1997-NOV-21
Initial revision
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.