Advisory ID: cisco-sa-20100812-tcp
For Public Release 2010 August 12 21:30 UTC (GMT)
Cisco IOS® Software Release, 15.1(2)T is
affected by a denial of service (DoS) vulnerability during the TCP
establishment phase. The vulnerability could cause embryonic TCP connections to
remain in a SYNRCVD or SYNSENT state. Enough embryonic TCP connections in these
states could consume system resources and prevent an affected device from
accepting or initiating new TCP connections, including any TCP-based remote
management access to the device.
No authentication is required to exploit this vulnerability. An
attacker does not need to complete a three-way handshake to trigger this
vulnerability; therefore, this vulnerability can be exploited using spoofed
packets. This vulnerability may be triggered by normal network traffic.
Cisco has released Cisco IOS Software Release 15.1(2)T0a to address
This advisory is posted at
This vulnerability affects only Cisco IOS Software Release 15.1(2)T. No
other Cisco IOS Software Releases are affected. Cisco IOS XE Software, Cisco
IOS XR Software, and Cisco NX-OS Software are not affected by this
A Cisco device is vulnerable when it is running Cisco IOS Software
Release 15.1(2)T. To determine the Cisco IOS Software Release that is running
on a Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system
banner confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS
Software." The image name displays in parentheses, followed by "Version" and
the Cisco IOS Software Release name. Other Cisco devices do not have the
show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco
IOS Software Release 15.1(2)T with an installed image name of
Cisco IOS Software, 2800 Software (C2800NM-ENTSERVICES-M), Version 15.1(2)T,
RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright ©) 1986-2010 by Cisco Systems, Inc.
Compiled Mon 19-Jul-10 16:38 by prod_rel_team
Additional information about Cisco IOS Software Release naming
conventions is available in the
Paper: Cisco IOS Reference Guide.
No other Cisco IOS Software versions are affected by this
No other Cisco products are currently known to be affected by this
TCP provides reliable data transmission services in packet-switched
network environments. TCP corresponds to the transport layer (Layer 4) of the
OSI reference model. Among the services TCP provides are stream data transfer,
reliability, efficient flow control, full-duplex operation, and
When TCP connections are terminated in Cisco IOS Software, they are
allocated a transmission control block (TCB). All allocated TCBs, associated
TCP port numbers, and the TCP state are displayed in the output of the
show tcp brief all command-line interface (CLI) command.
Cisco IOS Software version 15.1(2)T contains a vulnerability that could
cause an embryonic TCP connection to remain in SYNRCVD or SYNSENT state without
a further TCP state transition. Examining the output of the show tcp
brief all command multiple times will indicate if TCP sessions remain
in one of these states.
This vulnerability is triggered only by TCP traffic that is terminated
by or originated from the device. Transit traffic will not trigger this
Both connections to and from the router could trigger this
vulnerability. An example of a connection to the router is that you may still
be able to ping the device, but fail to establish a TELNET or SSH connection to
the device. For example, an administrator may still be able to ping the device
but fail to establish a Telnet or SSH connection to the device. Administrators
who attempt a Telnet or a SSH connection to a remote device from the CLI prompt
will encounter a hung session and the "Trying <ip address|hostname> ..."
prompt. The connection that is initiated or terminated by the router can be
removed from the socket table by clearing the associated TCB with the
clear tcp tcb 0x<address> command.
Devices could be vulnerable if examining the output of the CLI command
debug ip tcp transactions, displays the error messages
connection queue limit reached: port <port
number> or No wild listener: port <port
Devices could also be vulnerable if output from repetitive show tcp
brief all CLI commands indicates many TCBs in the state SYNRCVD or SYNSENT.
The following example shows a device that has several HTTP, SSH, and
Telnet sessions in the TCP SYNRCVD state:
Example#show tcp brief all
TCB Local Address Foreign Address (state)
07C2D6C8 192.168.0.2.443 192.168.0.5.11660 SYNRCVD
07C38128 192.168.0.2.23 192.168.0.5.35018 SYNRCVD
07C2DD60 192.168.0.2.443 192.168.0.5.19316 SYNRCVD
07C2A8A0 192.168.0.2.80 192.168.0.5.13818 SYNRCVD
Any TCP sessions can be cleared by clearing the associated TCB with
clear tcp tcb 0x<address>
Alternatively Administrators can clear all TCBs at once by issuing
clear tcp tcb *.
Note: This will clear all active and hung TCP connections.
This vulnerability is documented in the Cisco bug ID
registered customers only)
. This vulnerability has
been assigned Common Vulnerabilities and Exposures (CVE) ID
Some TCP application specific information is provided in the following
Telnet and SSH
Telnet can not be explicitly disabled on a Cisco IOS device.
Configuring transport input none on the vty lines of a
vulnerable device will prevent it from being exploited on TCP port 23. However,
if the Cisco IOS SSH server feature is configured on the device,
transport input none will not prevent the device from being
exploited on TCP port 22.
Configuration of vty access control lists can partially mitigate this
vulnerability because the vulnerability can be exploited using spoofed IP
Border Gateway Protocol
Routers that are configured with Border Gateway Protocol (BGP) can be
protected further by using the Generalized Time to Live (TTL) Security
Mechanism (GTSM) feature. GTSM allows users to configure the expected TTL of a
packet between a source and destination address. Packets that fail the GTSM
check will be dropped before TCP processing occurs, which prevents an attacker
from exploiting this vulnerability through BGP. GTSM is implemented with the
command ttl-security hops.
Further information on protecting BGP can be found in
Border Gateway Protocol for the Enterprise.
TCP MD5 Authentication for BGP does not prevent this vulnerability from
Cisco has provided a score for the vulnerability in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys
vulnerability severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can
then compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions
regarding CVSS at
Cisco has also provided a CVSS calculator to help compute
the environmental impact for individual networks at
registered customers only)
: Cisco IOS Software TCP
Denial of Service Vulnerability
Calculate the environmental score of
CVSS Base Score - 7.8
CVSS Temporal Score - 6.4
Successful exploitation of this vulnerability may prevent some TCP
applications on Cisco IOS Software from accepting any new connections.
Exploitation could also prevent remote access to the affected system via the
vtys. Remote access to the affected device via out-of-band connectivity to the
console port should still be available.
When considering software upgrades, also consult
and any subsequent advisories to determine exposure and a complete upgrade
In all cases, customers should exercise caution to be
certain the devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported properly by
the new release. If the information is not clear, contact the Cisco Technical
Assistance Center (TAC) or your contracted maintenance provider for assistance.
Each row of the Cisco IOS Software table (below) names a
Cisco IOS release train. If a release train is vulnerable, then the earliest
possible releases that contain the fix (along with the anticipated date of
availability for each, if applicable) are listed in the "First Fixed Release"
column of the table. The "Recommended Release" column indicates the releases
which have fixes for all the published vulnerabilities at the time of this
Advisory. A device running a release in the given train that is earlier than
the release in a specific column (less than the First Fixed Release) is known
to be vulnerable. Cisco recommends upgrading to a release equal to or later
than the release in the "Recommended Releases" column of the table.
Availability of Repaired Releases
Affected 12.x-Based Releases
First Fixed Release
12.0 - 12.4
12.0 through 12.4 based releases are not affected
Affected 15.0-Based Releases
First Fixed Release
There are no affected 15.0 based releases
Affected 15.1-Based Releases
First Fixed Release
15.1(2)T1; available on 20-AUG-2010
Releases prior to 15.1(2)T are not vulnerable. The vulnerability
is first fixed in release 15.1(2)T0a.
The only complete workaround to mitigate this vulnerability is to
disable the specific features that make a device vulnerable, if this action is
Allowing only legitimate devices to connect to affected devices will
help limit exposure to this vulnerability. Refer to the following Control Plane
Policing and Configuring Infrastructure Access Lists subsections for further
details. Because a TCP three-way handshake is not required, the mitigation must
be combined with anti-spoofing measures on the network edge to increase
Additional mitigations that can be deployed on Cisco devices within the
network are available in the Cisco Applied Mitigation Bulletin companion
document for this advisory, which is available at the following link:
Cisco Guide to Harden Cisco IOS Devices
The Cisco Guide to Harden Cisco IOS Devices provides examples of many
useful techniques to mitigate TCP state manipulation vulnerabilities. These
Infrastructure Access Control Lists (iACL)
Receive Access Control Lists (rACL)
Transit Access Control Lists (tACL)
vty Access Control Lists
Control Plane Policing (CoPP)
Control Plane Protection (CPPr)
For more information on these topics, consult
Guide to Harden Cisco IOS Devices.
For devices that need to offer TCP services, administrators can use
CoPP to block TCP traffic from untrusted sources that is destined to the
affected device. Cisco IOS Software Releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4,
and 12.4T support the CoPP feature. CoPP may be configured on a device to
protect the management and control planes and minimize the risk and
effectiveness of direct infrastructure attacks by explicitly permitting only
authorized traffic sent to infrastructure devices in accordance with existing
security policies and configurations. The following example can be adapted to
specific network configurations:
!-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
!-- Everything else is not trusted. The following access list is used
!-- to determine what traffic needs to be dropped by a control plane
!-- policy (the CoPP feature.) If the access list matches (permit),
!-- then traffic will be dropped. If the access list does not
!-- match (deny), then traffic will be processed by the router.
!-- Note that TCP ports 22 and 23 are examples; this
!-- configuration needs to be expanded to include all used
!-- TCP ports.
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 23
access-list 100 deny tcp host 172.16.1.1 any eq 22
access-list 100 deny tcp host 172.16.1.1 any eq 23
access-list 100 permit tcp any any
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!-- Create a class map for traffic that will be policed by
!-- the CoPP feature.
class-map match-all drop-tcp-class
match access-group 100
!-- Create a policy map that will be applied to the
!-- Control Plane of the device, and add the "drop-tcp-traffic"
!-- class map.
!-- Apply the policy map to the control plane of the
service-policy input control-plane-policy
Warning: Because a TCP three-way handshake is not required to exploit this
vulnerability, it is possible to spoof the IP address of the sender, which
could defeat access control lists (ACLs) that permit communication to these
ports from trusted IP addresses.
In the preceding CoPP example, the access control entries (ACEs) that
match the potential exploit packets with the "permit" action result in these
packets being discarded by the policy-map "drop" function, while packets that
match the "deny" action (not shown) are not affected by the policy-map drop
function. Additional information on the configuration and use of the CoPP
feature can be found at
Plane Policing Implementation Best Practices and
Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be allowed to
target infrastructure devices and block that traffic at the border of your
network. Infrastructure ACLs are considered a network security best practice
and should be considered as a long-term addition to good network security as
well as a workaround for this specific vulnerability. The white paper
Your Core: Infrastructure Protection Access Control Lists presents
guidelines and recommended deployment techniques for infrastructure protection
GTSM can help prevent exploitation of this vulnerability by means of
the BGP port because packets that originate from devices that do not pass the
TTL check configured by GTSM are dropped before any TCP processing occurs. For
information on GTSM refer to
Support for TTL Security Check and
Time To Live Security Check.
Embedded Event Manager (EEM)
A Cisco IOS Embedded Event Manager (EEM) policy that is based on Tool
Command Language (Tcl) can be used on vulnerable Cisco IOS devices to identify
and detect a hung, extended, or indefinite TCP connection that is caused by
this vulnerability. The policy allows administrators to monitor TCP connections
on a Cisco IOS device. When Cisco IOS EEM detects potential exploitation of
this vulnerability, the policy can trigger a response by sending a syslog
message or a Simple Network Management Protocol (SNMP) trap to clear the TCP
connection. The example policy provided in this document is based on a Tcl
script that monitors and parses the output from two commands at defined
intervals, produces a syslog message when the monitor threshold reaches its
configured value, and can reset the TCP connection.
The Tcl script is available for download at the
Cisco Beyond: Embedded Event
Manager (EEM) Scripting Community at the following link
and the device sample configuration is provided below.
!-- Location where the Tcl script will be stored
event manager directory user policy disk0:/eem
!-- Define variable and set the monitoring interval
!-- as an integer (expressed in seconds)
event manager environment EEM_MONITOR_INTERVAL 60
!-- Define variable and set the threshold value as
!-- an integer for the number of retransmissions
!-- that determine if the TCP connection is hung
!-- (a recommended value to use is 15)
event manager environment EEM_MONITOR_THRESHOLD 15
!-- Define variable and set the value to "yes" to
!-- enable the clearing of hung TCP connections
event manager environment EEM_MONITOR_CLEAR yes
!-- Define variable and set to the TCP connection
!-- state or states that script will monitor, which
!-- can be a single state or a space-separated list
!-- of states
event manager environment EEM_MONITOR_STATES SYNRCVD SYNSENT
!-- Register the script as a Cisco EEM policy
event manager policy monitor-sockets.tcl
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult their
maintenance provider or check the software for feature set compatibility and
known issues specific to their environment.
Customers may only install and expect support for the
feature sets they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound by the
terms of Cisco's software license terms found at
, or as otherwise set forth at Cisco.com Downloads at
Do not contact email@example.com or firstname.lastname@example.org
for software upgrades.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades should be
obtained through the Software Center on Cisco's worldwide website at
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for guidance and assistance with the appropriate course of
action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on
specific customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected products
and releases, customers should consult with their service provider or support
organization to ensure any applied workaround or fix is the most appropriate
for use in the intended network before it is deployed.
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale should
acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC
contacts are as follows.
+1 800 553 2447 (toll free from within North America)
+1 408 526 7209 (toll call from anywhere in the world)
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested through the
for additional TAC contact information, including localized telephone numbers,
and instructions and e-mail addresses for use in various languages.
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was reported to Cisco by a customer.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
This advisory is posted on Cisco's worldwide website at :
In addition to worldwide web posting, a text version of
this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.
Initial public release.