-
The Service Assurance Agent (SAA) is the new name for the Response Time Reporter (RTR) feature.
The router is vulnerable only if the RTR responder is enabled. When the router receives a malformed RTR packet, it will crash. RTR is disabled by default. Although RTR was introduced in Cisco IOS® Software Release 11.2, only the following main releases are vulnerable:
- 12.0S, SC, ST, SL, SP, SX
- 12.1, E, EA, EC, EX, EY
- 12.2, DA, S
For the complete list please see the Software Versions and Fixes section.
No other Cisco product is vulnerable.
There is no workaround short of disabling the RTR responder. It is possible to mitigate the vulnerability by applying the access control list (ACL) on the router.
This advisory is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030515-saa
-
Vulnerable Products
This vulnerability affects the following main Cisco IOS Software releases (some X releases are also affected, and those details are in the Software Versions and Fixes section).
Major Release    Vulnerable Releases
12.0S            15, 16, 17, 18, 19, 21
12.0SC           15, 16
12.0SL           15, 17, 19
12.0ST           16, 17, 18, 19, 20, 21
12.0SP           19, 20
12.0SX           21
12.1             10, 10a, 11, 11a, 11b, 12, 12a, 12b, 12c, 13, 14, 14.5
12.1E            10, 11b, 11.5
12.1EA           8, 9
12.1EC           10, 10.5
12.1EX           10
12.1EY           10
12.2             6.8a, 7, 7a, 7b, 7c
12.2DA           7, 9.4
12.2S            9, 10.5
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
The RTR feature allows you to monitor network performance, network resources, and applications by measuring response times and availability. With this feature you can perform troubleshooting, problem notifications, and problem analysis based on response time reporter statistics.
A router is vulnerable only if the RTR responder is enabled. To verify this, check the router's configuration by executing the following command while logged on to the router:
    Router>show rtr responder
    RTR Responder is: Enabled
    Number of control messages received: 0    Number of errors: 0
    Recent sources:
    Recent error sources:
If you notice the line "RTR Responder is: Enabled," then you are vulnerable.
Alternatively, you can use this procedure:
    Router>show ip socket
    Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
    ....
    17       0.0.0.0        0      10.0.0.1    1967   0   0    89   0
If you notice a line like the one in the example above, where the router is listening on UDP port 1967 (protocol 17), then you are vulnerable.
For Cisco IOS Software, this vulnerability is documented as two Cisco Bug IDs: CSCdx17916 and CSCdx61997.
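As an added example, not part of the advisory, the following Python check applies the two tests above to captured CLI output and looks a device's IOS release string up in the Vulnerable Products table. The VULNERABLE dictionary is transcribed from that table; the sample outputs are constructed, and the function names and status labels are my own.

```python
import re

# Transcribed from the advisory's "Vulnerable Products" table:
# major release -> release numbers listed as vulnerable.
VULNERABLE = {
    "12.0S": {"15", "16", "17", "18", "19", "21"}, "12.0SC": {"15", "16"},
    "12.0SL": {"15", "17", "19"}, "12.0ST": {"16", "17", "18", "19", "20", "21"},
    "12.0SP": {"19", "20"}, "12.0SX": {"21"},
    "12.1": {"10", "10a", "11", "11a", "11b", "12", "12a", "12b", "12c", "13", "14", "14.5"},
    "12.1E": {"10", "11b", "11.5"}, "12.1EA": {"8", "9"}, "12.1EC": {"10", "10.5"},
    "12.1EX": {"10"}, "12.1EY": {"10"}, "12.2": {"6.8a", "7", "7a", "7b", "7c"},
    "12.2DA": {"7", "9.4"}, "12.2S": {"9", "10.5"},
}

# IOS release string such as 12.0(21)S3: version, release number in parentheses
# (may carry a rebuild letter or interim decimal), train letters, rebuild suffix.
_RELEASE_RE = re.compile(r"^(\d+\.\d+)\(([^)]+)\)([A-Z]*)([0-9a-z]*)$")

def parse_release(text):
    """Split '12.0(21)S3' into ('12.0S', '21', '3'); None if unparseable."""
    m = _RELEASE_RE.match(text.strip())
    if not m:
        return None
    version, number, train, rebuild = m.groups()
    return version + train, number, rebuild

def release_status(text):
    """'vulnerable' if listed in the table above; 'check-fixes' if it is a rebuild
    of a listed release (e.g. 12.0(21)S3, named as first fixed); else 'not-listed'."""
    parsed = parse_release(text)
    if parsed is None:
        return "not-listed"
    major, number, rebuild = parsed
    if number not in VULNERABLE.get(major, set()):
        return "not-listed"
    return "check-fixes" if rebuild else "vulnerable"

def responder_enabled(show_rtr_responder):
    """True when 'show rtr responder' output reports the responder Enabled."""
    return re.search(r"RTR Responder is:\s*Enabled\b", show_rtr_responder) is not None

def udp_1967_listener(show_ip_socket):
    """True when 'show ip socket' lists a UDP (proto 17) socket on local port 1967."""
    for fields in (line.split() for line in show_ip_socket.splitlines()):
        if len(fields) >= 5 and fields[0] == "17" and fields[4] == "1967":
            return True
    return False

# Constructed sample outputs, modelled on the advisory's examples.
SAMPLE_RTR = "Router>show rtr responder\nRTR Responder is: Enabled\nNumber of errors: 0\n"
SAMPLE_SOCKET = ("Proto Remote Port Local Port In Out Stat TTY OutputIF\n"
                 "17 0.0.0.0 0 10.0.0.1 1967 0 0 89 0\n")
```

A release reported as check-fixes must be compared against the Software Versions and Fixes table, since the Vulnerable Products table does not distinguish rebuilds.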
-
There is no workaround short of disabling the RTR responder. It is possible to mitigate the vulnerability by applying the ACL on the router.
If you want to disable the RTR responder, execute the following commands:
    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#no rtr responder
    Router(config)#exit
    Router#copy running-config startup-config
If you want to block all offending packets on your network edge, then you should create an ACL, or modify an existing one, to contain an entry resembling:
    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#access-list 101 deny udp any any eq 1967
    Router(config)#interface eth0
    Router(config-if)#ip access-group 101 in
In this example the interface eth0 is assumed to be facing the network edge; substitute the correct interface on your router.
This will prevent any packet destined for UDP port 1967 from entering your network. If you need these packets to traverse your network, then the ACL must exclude only your internal routers.
In addition to filtering packets at the network edge, you may apply filtering on the device itself and permit packets only from known good sources. This will contribute to the overall mitigation of this issue.
    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#access-list 101 permit udp host 10.0.0.1 host 10.0.0.10 eq 1967
    Router(config)#access-list 101 deny udp any host 10.0.0.10 eq 1967
    Router(config)#interface eth0
    Router(config-if)#ip access-group 101 in
In this example, 10.0.0.1 is the legitimate source and 10.0.0.10 is the address of the router itself. Note that an IOS extended ACL ends with an implicit deny of everything not explicitly permitted, so an ACL applied inbound as in either example above also needs permit entries for the other traffic the interface must continue to accept.
-
Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild," "Interim," and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label). When selecting a release, keep in mind the following definitions.
- Maintenance - The most heavily tested, stable, and highly recommended release of a release train in any given row of the table.
- Rebuild - Constructed from the previous maintenance or major release in the same train, it contains the fix for a specific defect. Although it receives less testing, it contains only the minimal changes necessary to repair the vulnerability.
- Interim - Built at regular intervals between maintenance releases and receives less testing. Interims should be selected only if there is no other suitable release that addresses the vulnerability. Interim images should be upgraded to the next available maintenance release as soon as possible. Interim releases are not available through manufacturing, and usually they are not available for customer download from http://www.cisco.com without prior arrangement with the Cisco TAC.
In all cases, customers should exercise caution to confirm that the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new software release. If the information is not clear, contact the Cisco TAC for assistance as shown in the Obtaining Fixed Software section below.
More information on Cisco IOS software release names and abbreviations is available at http://www.cisco.com/web/about/security/intelligence/ios-ref.html.
The fixes will be available at the Software Center located at http://www.cisco.com/tacpage/sw-center/.
Major Release | Description or Platform | Availability of Repaired Releases* (Rebuild / Interim** / Maintenance)

Affected Earlier Releases
11.1 and earlier, all variants | Numerous | Not vulnerable

Affected 11.2-Based Releases
11.2 variants | Numerous | Not vulnerable

Affected 11.3-Based Releases
11.3 variants | Numerous | Not vulnerable

Affected 12.0-Based Releases
12.0S | Core/ISP Support: GSR, RSP, c7200, Cat6000 | 12.0(21)S3; 12.0(21.03)S
12.0SC | Cable/Broadband ISP: ubr7200 | Not planned; Migrate to 12.1EC release
12.0SL | 10000 ESR: c10k | If using Pre1 card, then migrate to 12.0ST or 12.0S. For Pre card the date is not yet determined.
12.0SP | c10720 | 12.0(20)SP3; 12.0(20.04)SP2
12.0ST | MPLS/Tag Switching, GSR 12000, 7200, 7500 | 12.0(19)ST5; 12.0(21)ST2
12.0SX | Short-lived early deployment release 10000 ESR: c10k | To be determined
12.0SY | | 12.0(21.03)SY; 12.0(22)SY
12.0WC | Short-lived early deployment release for 2900XL and 3500XL | 12.0(5)WCa
12.0XE | Short-lived early deployment release | Not planned; Migrate to 12.2 release or later

Affected 12.1-Based Releases
12.1 | General Deployment (GD) candidate: all platforms | 12.1(18.1); 12.1(18)
12.1E | Core/ISP Support: GSR, RSP, c7200 | 12.1(12.5)E; 12.1(13)E
12.1EA | Catalyst 2950 | 12.1(8)EA1c
12.1EC | Early Deployment (ED): ubr7200, UBR Headend platforms | 12.1(12c)EC
12.1EW | Early Deployment release, limited platforms | 12.1(11b)EW; 12.1(11b)EW(0.46)
12.1EX | Catalyst 6000 | 12.1(11b)EX
12.1XF | Short-lived early deployment release | Not planned; Migrate to 12.1(5)T or later
12.1XG | Short-lived early deployment release | Not planned; Migrate to 12.1(1)T or later
12.1YB | Short-lived early deployment release | Not planned; Migrate to 12.1(2)T or later
12.1YC | Short-lived early deployment release | Not planned; Migrate to 12.1(4)T or later

Affected 12.2-Based Releases
12.2 | General Deployment (GD) candidate: all platforms | 12.2(10.4); 12.2(10)
12.2(4)B | Early Deployment for 6400, 7200 and 7400 | 12.2(13.3)B
12.2BC | Early Deployment for uBR7000 and uBR10000 | To be determined
12.2BY | Early Deployment release | Not planned; Migrate to 12.2B releases
12.2BZ | Early Deployment release | 12.2(15)BZ
12.2DA | Early deployment release xDSL support: 6100, 6200 | 12.2(11.4)DA; 12.2(12)DA
12.2MB | Early deployment release for 2600 and 7500 | 12.2(4)MB5
12.2S | Core ISP support | 12.2(11.1)S
12.2XC | Early deployment release | 12.2(1a)XC5
12.2XD | ICS7750/820/soho70 | Not planned; Migrate to 12.2(8)YN or later
12.2XE | 806, 828, soho78 | Not planned; Migrate to 12.2(8)T or later
12.2XH | 1700 820/800/soho70 | Not planned; Migrate to 12.2(8)T or later
12.2XI | 820/soho | Not planned; Migrate to 12.2(12)T or later
12.2XJ | 1700 | Not planned; Migrate to 12.2(4)YB or later
12.2XK | 820/soho | 12.2(2)XK3
12.2XL | 1700 820/800/soho70 | 12.2(4)XL5
12.2XM | Short-lived early deployment release | Not planned; Migrate to 12.2(8)YB or later
12.2YA | Short-lived early deployment release | 12.2(4)YA3
12.2YB | Short-lived early deployment release | Not planned; Migrate to 12.2(8)YB or later
12.2YC | Short-lived early deployment release | 12.2(4)YC4
12.2YF | Cisco Packet Data Serving Node ics7700 | Release date to be decided
12.2YG | Short-lived early deployment release | 12.2(4)YG
12.2YH | Short-lived early deployment release | 12.2(4)YH
Notes
* All dates are estimated and subject to change.
** Interim releases are subjected to less rigorous testing than regular maintenance releases, and may have serious bugs.
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0 | 2003-May-15, 15:00 UTC (GMT) | Initial public release.
Revision 1.1 | 2003-December-12 | Changed Router(config)#ip access-group 101 in to Router(config-if)#ip access-group 101 in in the Exploitation and Public Announcements section.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.