AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
-
Cisco IOS XE Software for 1000 Series Aggregation Services Routers (ASR) contains the following denial of service (DoS) vulnerabilities:
- Cisco IOS XE Software IPv6 Multicast Traffic Denial of Service Vulnerability
- Cisco IOS XE Software MVPNv6 Traffic Denial of Service Vulnerability
- Cisco IOS XE Software L2TP Traffic Denial of Service Vulnerability
- Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability
- Cisco IOS XE Software SIP Traffic Denial of Service Vulnerability
These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the Embedded Services Processors (ESP) card or the Route Processor (RP) card, causing an interruption of services.
Repeated exploitation could result in a sustained DoS condition.
Note: Cisco IOS Software and Cisco IOS-XR Software are not affected by these vulnerabilities.
Cisco has released software updates that address these vulnerabilities.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asr1000
Affected Products
Cisco IOS XE Software for 1000 Series ASR contains multiple DoS vulnerabilities. Affected versions of Cisco IOS XE Software for 1000 Series ASR will vary depending on the specific vulnerability. Consult the Software Versions and Fixes section of this security advisory for more information about the affected versions.
Vulnerable Products
For specific version information, refer to the Software Versions and Fixes section of this advisory.
Cisco IOS XE Software IPv6 Multicast Traffic Denial of Service Vulnerability and Cisco IOS XE Software MVPNv6 Traffic Denial of Service Vulnerability
These vulnerabilities are triggered when a fragmented multicast IP version 6 (IPv6) or a fragmented IPv6 Multicast VPN (MVPNv6) packet is received by an affected Cisco ASR device. The fragmented multicast packet processed by Cisco Multicast Leaf Recycle Elimination (MLRE) may cause a Cisco ESP card on the Cisco ASR device to reload.
Multiple features configured on the Cisco ASR 1000 may trigger this kind of processing that will lead to a crash.
Cisco IOS XE Software may be affected if IPv6 is enabled on an interface that is processing traffic and MLRE is enabled on the affected device.
To determine whether IPv6 is enabled on an interface, use the show run | include ipv6.(enable|address) privileged EXEC command. The presence of ipv6 enable and ipv6 address in the output of show run | include ipv6.(enable|address) indicates that IPv6 is enabled.
The following is the output of show run | include ipv6.(enable|address) on Cisco IOS XE Software that shows the device is configured for IPv6:
asr1004# show run | include ipv6.(enable|address)
 ipv6 enable
 ipv6 address dhcp rapid-commit
 ipv6 address autoconfig
 ipv6 address MANAGEMENT ::1FFF:0:0:0:3560/128
 ipv6 address 2001:DB8::1/64
Note: The Cisco MLRE feature is introduced in Cisco IOS XE Software Release 3.4.1S and is enabled by default on all later versions of Cisco IOS XE Software on the Cisco ASR 1000 Series Aggregation Services Routers with Embedded Services Processor 40 (ASR1000-ESP40) or Embedded Services Processor 100 (ASR1000-ESP100). Only Cisco ASR 1000 Series Aggregation Services Routers with Embedded Services Processor 40 (ASR1000-ESP40) or Embedded Services Processor 100 (ASR1000-ESP100) are affected by this vulnerability.
To determine whether a Cisco ASR 1000 device has ASR1000-ESP40 or ASR1000-ESP100 installed, administrators can issue the show inventory command. The following is the output of show inventory on Cisco IOS XE Software running on a Cisco ASR 1006 Router with Embedded Services Processor 40 (ASR1000-ESP40):
asr1006#show inventory
NAME: "Chassis", DESCR: "Cisco ASR1006 Chassis"
PID: ASR1006
NAME: "module F1", DESCR: "Cisco ASR1000 Embedded Services Processor, 40Gbps"
PID: ASR1000-ESP40
<output suppressed>
Note: Cisco IOS devices configured to process multicast IPv6 or MVPNv6 traffic are not affected by this vulnerability. Only Cisco ASR 1000 Series Aggregation Services Routers running affected versions of Cisco IOS XE Software are affected by this vulnerability.
Cisco IOS XE Software L2TP Traffic Denial of Service Vulnerability
Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload when processing a large number of specific Layer 2 Tunneling Protocol (L2TP) packets while L2TP Network Server (LNS) termination or L2TPv3 Ethernet Pseudowire (xconnect) is enabled. L2TP LNS termination and xconnect are not enabled by default.
To verify if L2TP LNS termination is enabled on a device use the show run | include accept-dialin privileged EXEC command. The presence of accept-dialin in the output of show run | include accept-dialin indicates that L2TP LNS termination is enabled.
The following is the output of show run | include accept-dialin on Cisco IOS XE Software that is configured as an L2TP Network Server (LNS):
asr1004#sho running-config | include accept-dialin
 accept-dialin
The following is the output of show run | include xconnect|l2tpv3 on Cisco IOS XE Software that is configured for xconnect:
asr1004#sho running-config | include xconnect|l2tpv3
 encapsulation l2tpv3
 xconnect 10.0.0.1 1000 encapsulation l2tpv3 pw-class my_class
Note: Cisco IOS devices configured with L2TPv3 Ethernet Pseudowire (xconnect) or as L2TP LNS are not affected by this vulnerability. Only Cisco ASR 1000 Series Aggregation Services Routers running affected versions of Cisco IOS XE Software are affected by this vulnerability.
Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability
Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload during the processing of packets when the bridge domain interface (BDI) feature is configured.
Cisco IOS XE Software may be affected by this vulnerability if all of the following conditions are satisfied:
- The physical interface that processes the packet on the ingress path is the layer 3 interface that has the encapsulation type set to untagged.
- The incoming packet is routed through a BDI interface.
- The egress physical interface of the packet has the encapsulation set to rewrite VLAN.
To verify whether the above conditions are satisfied on a device, use the show run | section interface privileged EXEC command. The following is the output of show run | section interface in Cisco IOS XE Software on a device configured with the vulnerable BDI setting:
asr1004#sho running-config | section interface
interface GigabitEthernet0/0/3
 ip address 192.168.2.1 255.255.255.0
!
interface BDI20
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/0/4
 no ip address
 negotiation auto
 service instance 1 ethernet
  encapsulation dot1q 201
  rewrite egress tag pop 1 symmetric
  bridge-domain 20
Note: This feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers in Cisco IOS XE Software version 3.2.0S.
Note: Cisco IOS devices configured for BDI are not affected by this vulnerability. Only Cisco ASR 1000 Series Aggregation Services Routers running affected versions of Cisco IOS XE Software are affected by this vulnerability.
Cisco IOS XE Software SIP Traffic Denial of Service Vulnerability
Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload while processing Session Initiation Protocol (SIP) packets that undergo Network Address Translation (NAT) within a Virtual Routing and Forwarding (VRF) instance and SIP Application Layer Gateway (ALG) inspection. An attacker could exploit this vulnerability by sending a large number of SIP packets traversing a device configured for NAT.
Cisco IOS XE Software may be affected by this vulnerability if VRF-aware NAT and SIP ALG are enabled on an affected device; these services are not enabled by default.
SIP ALG is enabled on a device as soon as NAT is enabled. Administrators can choose to disable SIP ALG inspection under NAT configuration.
SIP ALG can also be enabled under Zone-Based Policy Firewall (ZBFW) configuration. Devices configured for SIP ALG under ZBFW are not affected by this vulnerability.
To determine whether VRF-aware NAT has been enabled in the Cisco IOS XE Software configuration, either the ip nat inside or ip nat outside command must be present on different interfaces, and at least one ip nat global configuration command must carry a vrf keyword.
The show running-config | include ip (nat | .* vrf .*) command can be used to determine whether VRF-aware NAT is present in the configuration, as illustrated in the following example of a vulnerable configuration:
asr1004#show running-config | include ip (nat | .* vrf .*)
ip nat inside
ip nat outside
ip nat inside source static 192.168.1.100 10.0.0.1 vrf VRF-SIP
If the output is empty, the Cisco IOS XE Software release running on a given device is not vulnerable. If the output returned is not empty, SIP ALG services may be explicitly disabled under NAT configuration. To determine whether SIP ALG is disabled under NAT configuration, use the show run | include ip nat privileged EXEC command. The presence of no ip nat service sip in the output of show run | include ip nat indicates that SIP ALG is disabled under NAT configuration.
The following is the output of show run | include ip nat in Cisco IOS XE Software that has the SIP ALG disabled under NAT configuration:
asr1004#show running-config | include ip nat
ip nat inside
ip nat outside
ip nat inside source static 192.168.1.100 10.0.0.1 vrf sip
no ip nat service sip udp port 5060
no ip nat service sip tcp port 5060
If no ip nat service sip is not present in the output of show run | include ip nat, the Cisco IOS XE Software release running on the device is vulnerable.
Note: Cisco IOS devices configured for SIP ALG inspection are not affected by this vulnerability. Only Cisco ASR 1000 Series Aggregation Services Routers running affected versions of Cisco IOS XE Software are affected by this vulnerability.
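As an added example that is not part of the Cisco advisory, the following Python script applies the running-config checks described in the Vulnerable Products section (IPv6 on an interface, L2TP LNS or xconnect, BDI with an egress rewrite, and VRF-aware NAT without SIP ALG disabled) to a saved configuration; the function names and the sample configuration are my own constructions.

```python
"""Added example, not from the Cisco advisory: scan a saved IOS XE running-config
(the output of 'show running-config') for the configuration conditions this
advisory ties to each DoS vulnerability. Names are my own; the sample config is
constructed from the advisory's snippets for illustration."""
import re

# Constructed sample: IPv6 on an interface, VRF-aware NAT without SIP ALG
# disabled, and a BDI setup with an egress rewrite; no L2TP LNS or xconnect.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 ip nat inside
 ipv6 enable
 ipv6 address 2001:DB8::1/64
!
interface GigabitEthernet0/0/2
 ip nat outside
!
ip nat inside source static 192.168.1.100 10.0.0.1 vrf VRF-SIP
!
interface GigabitEthernet0/0/4
 no ip address
 service instance 1 ethernet
  encapsulation dot1q 201
  rewrite egress tag pop 1 symmetric
  bridge-domain 20
!
interface BDI20
 ip address 192.168.1.1 255.255.255.0
"""


def _has(cfg, pattern):
    """True when any line of the config matches the anchored regex."""
    return re.search(pattern, cfg, re.MULTILINE) is not None


def check_config(cfg):
    """Map each advisory condition to True when the config meets it.

    Text-level checks only: the ESP40/ESP100 hardware and the running release
    still have to be confirmed with 'show inventory' and 'show version'.
    """
    findings = {}
    # IPv6 multicast / MVPNv6: IPv6 enabled on any interface (MLRE is on by
    # default from 3.4.1S on ESP40/ESP100, so the config alone decides here).
    findings["ipv6_enabled"] = _has(cfg, r"^\s*ipv6 (enable|address)\b")
    # L2TP: LNS termination (accept-dialin) or an L2TPv3 pseudowire (xconnect).
    findings["l2tp_lns_or_xconnect"] = (
        _has(cfg, r"^\s*accept-dialin\b")
        or _has(cfg, r"^\s*xconnect\b.*\bencapsulation l2tpv3\b")
    )
    # BDI: a BDI interface, a bridge-domain EFP and an egress tag rewrite.
    # Approximation: the advisory also requires an untagged L3 ingress interface.
    findings["bdi_with_egress_rewrite"] = (
        _has(cfg, r"^\s*interface BDI\d+")
        and _has(cfg, r"^\s*bridge-domain \d+")
        and _has(cfg, r"^\s*rewrite egress\b")
    )
    # SIP ALG: VRF-aware NAT (inside and outside interfaces plus a global
    # 'ip nat' line carrying 'vrf') with SIP ALG not disabled under NAT.
    vrf_aware_nat = (
        _has(cfg, r"^\s*ip nat inside\s*$")
        and _has(cfg, r"^\s*ip nat outside\s*$")
        and _has(cfg, r"^ip nat .*\bvrf \S+")
    )
    sip_alg_disabled = _has(cfg, r"^no ip nat service sip\b")
    findings["vrf_nat_with_sip_alg"] = vrf_aware_nat and not sip_alg_disabled
    return findings
```

A True result only means the configuration matches the advisory's condition; the device is vulnerable only if it is also an ASR 1000 running a release listed as affected in the Software Versions and Fixes section.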
Determine the Running Software Version
Cisco ASR 1000 Series Aggregation Services Routers IOS XE Software releases correspond to the Cisco IOS Software releases. For example, Cisco IOS XE Software Release 3.6.2S is the software release for Cisco ASR 1000 Series Aggregation Services Routers IOS Software Release 15.2(2)S2.
For more information about mappings between the Cisco IOS XE Software releases and their associated Cisco IOS Software releases, see:
http://www.cisco.com/en/US/docs/routers/asr1000/release/notes/asr1k_rn_intro.html
To determine whether a vulnerable version of Cisco IOS XE Software is running on a device, administrators can issue the show version command. The following example shows a device running Cisco IOS XE Software Release 3.6.2S, which corresponds to IOS Release 15.2(2)S2:
asr1004#show version
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 07-Aug-12 13:40 by mcpre
<output suppressed>
Note: A Cisco IOS XE Software image consists of seven individual modules, also referred to as subpackages. The packages are designed to use the In Service Software Upgrade (ISSU) capability of the Cisco IOS XE Software. Customers have the capability to upgrade only those packages that need to be upgraded. For more information about the Cisco IOS XE Software packaging, see:
http://www.cisco.com/en/US/partner/prod/collateral/routers/ps9343/product_bulletin_c25-448387.html
If packages are upgraded individually, the output of the show version command may vary.
Products Confirmed Not Vulnerable
Products running Cisco IOS Software or Cisco IOS-XR Software are not affected by any of these vulnerabilities.
With the exception of the Cisco IOS XE Software for 1000 Series ASR, no other Cisco products are currently known to be affected by these vulnerabilities.
Details
The following section provides additional information about each vulnerability.
Cisco IOS XE Software IPv6 Multicast Traffic Denial of Service Vulnerability
Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated remote attacker to cause a DoS condition.
The vulnerability is due to improper handling of fragmented IPv6 multicast traffic by Cisco 1000 Series ASR with ASR1000-ESP40 or ASR1000-ESP100. An attacker could exploit this vulnerability by sending fragmented IPv6 multicast packets either traversing or destined to a vulnerable system.
A successful exploit could allow the attacker to cause a system to reload, resulting in a DoS condition. Repeated exploitation could result in a sustained DoS condition.
This vulnerability is documented in Cisco bug ID CSCtz97563 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2013-1164.
Cisco IOS XE Software MVPNv6 Traffic Denial of Service Vulnerability
Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated remote attacker to cause a DoS condition.
The vulnerability is due to improper handling of fragmented IPv6 MVPN traffic by Cisco 1000 Series ASR with ASR1000-ESP40 or ASR1000-ESP100. An attacker could exploit this vulnerability by sending fragmented IPv6 MVPN packets either traversing or destined to a vulnerable system.
A successful exploit could allow the attacker to cause a system to reload, resulting in a DoS condition. Repeated exploitation could result in a sustained DoS condition.
This vulnerability is documented in Cisco bug ID CSCub34945 (registered customers only) and has been assigned CVE ID CVE-2013-2779.
Cisco IOS XE Software L2TP Traffic Denial of Service Vulnerability
Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated remote attacker to cause a DoS condition.
The vulnerability is due to improper handling of specific L2TP packets by Cisco 1000 Series ASR. An attacker could exploit this vulnerability by sending a large number of specific L2TP packets to a vulnerable system; this vulnerability cannot be triggered by L2TP traffic transiting a vulnerable device.
A successful exploit could allow the attacker to cause a system to reload, resulting in a DoS condition. Repeated exploitation could result in a sustained DoS condition.
This vulnerability is documented in Cisco bug ID CSCtz23293 (registered customers only) and has been assigned CVE ID CVE-2013-1165.
Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability
Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition.
The vulnerability is due to improper handling of packets by Cisco 1000 Series ASR configured for bridge domain interface (BDI). An attacker could exploit this vulnerability by sending packets that will traverse a vulnerable system. This vulnerability cannot be triggered by sending traffic to a vulnerable device.
A successful exploit could allow the attacker to cause a system to reload, resulting in a DoS condition. Repeated exploitation could result in a sustained DoS condition.
This vulnerability is documented in Cisco bug ID CSCtt11558 (registered customers only) and has been assigned CVE ID CVE-2013-1167.
Cisco IOS XE Software SIP Traffic Denial of Service Vulnerability
Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition.
The vulnerability is due to improper handling of SIP packets by Cisco 1000 Series ASR when configured for VRF-aware NAT and SIP ALG. An attacker could exploit this vulnerability by sending a large number of SIP packets traversing a device configured for NAT; this vulnerability cannot be triggered by SIP traffic destined to a vulnerable device.
A successful exploit could allow the attacker to cause a system to reload, resulting in a DoS condition. Repeated exploitation could result in a sustained DoS condition.
This vulnerability is documented in Cisco bug ID CSCuc65609 (registered customers only) and has been assigned CVE ID CVE-2013-1166.
Workarounds
No workarounds are available to mitigate these vulnerabilities.
Software Versions and Fixes
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Each Cisco IOS XE Software release is classified as either a Standard Support or an Extended Support release. A Standard Support release has a total engineering support lifetime of one year, with two scheduled rebuilds. The Extended Support release provides a total engineering support lifetime of two years, with four scheduled rebuilds.
For more information about the Cisco IOS XE Software end-of-life policy and associated support milestones for specific Cisco IOS XE Software releases, see:
http://www.cisco.com/en/US/prod/collateral/routers/ps9343/product_bulletin_c25-448258.html
Cisco IOS XE Software IPv6 Multicast Traffic Denial of Service Vulnerability
Major Release | Extended Release | First Fixed Release for CSCtz97563
2.x           | -                | Not affected
3.1           | Yes              | Not affected
3.2           | No               | Not affected
3.3           | No               | Not affected
3.4           | Yes              | 3.4.4S
3.5           | No               | Vulnerable; migrate to one of the extended releases
3.6           | No               | Vulnerable; migrate to one of the extended releases
3.7           | Yes              | Not affected
3.8           | No               | Not affected
Cisco IOS XE Software MVPNv6 Traffic Denial of Service Vulnerability
Major Release | Extended Release | First Fixed Release for CSCub34945
2.x           | -                | Not affected
3.1           | Yes              | Not affected
3.2           | No               | Not affected
3.3           | No               | Not affected
3.4           | Yes              | 3.4.5S
3.5           | No               | Vulnerable; migrate to one of the extended releases
3.6           | No               | Vulnerable; migrate to one of the extended releases
3.7           | Yes              | 3.7.1S
3.8           | No               | Not affected
Cisco IOS XE Software L2TP Traffic Denial of Service Vulnerability
Major Release | Extended Release | First Fixed Release for CSCtz23293
2.x           | -                | Vulnerable; migrate to one of the extended releases
3.1           | Yes              | Vulnerable; migrate to one of the extended releases
3.2           | No               | Vulnerable; migrate to one of the extended releases
3.3           | No               | Vulnerable; migrate to one of the extended releases
3.4           | Yes              | 3.4.5S
3.5           | No               | Vulnerable; migrate to one of the extended releases
3.6           | No               | Vulnerable; migrate to one of the extended releases
3.7           | Yes              | 3.7.1S
3.8           | No               | Not affected
Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability
Major Release | Extended Release | First Fixed Release for CSCtt11558
2.x           | -                | Not affected
3.1           | Yes              | Not affected
3.2           | No               | Vulnerable; migrate to one of the extended releases
3.3           | No               | Vulnerable; migrate to one of the extended releases
3.4           | Yes              | 3.4.2S
3.5           | No               | Vulnerable; migrate to one of the extended releases
3.6           | No               | Not affected
3.7           | Yes              | Not affected
3.8           | No               | Not affected
Cisco IOS XE Software SIP Traffic Denial of Service Vulnerability
Major Release | Extended Release | First Fixed Release for CSCuc65609
2.x           | -                | Not affected
3.1           | Yes              | Not affected
3.2           | No               | Not affected
3.3           | No               | Not affected
3.4           | Yes              | 3.4.5S
3.5           | No               | Not affected
3.6           | No               | Not affected
3.7           | Yes              | Not affected
3.8           | No               | Not affected
Recommended Releases
The Recommended Release table lists the releases that have fixes for all the published vulnerabilities at the time of this advisory. Cisco recommends upgrading to a release equal to or later than the release in the following table.
Affected Release | Recommended Release                                              | Extended Release
2.x              | Vulnerable; migrate to one of the recommended extended releases | -
3.1              | Vulnerable; migrate to one of the recommended extended releases | Yes
3.2              | Vulnerable; migrate to one of the recommended extended releases | No
3.3              | Vulnerable; migrate to one of the recommended extended releases | No
3.4              | 3.4.5S                                                          | Yes
3.5              | Vulnerable; migrate to one of the recommended extended releases | No
3.6              | Vulnerable; migrate to one of the recommended extended releases | No
3.7              | 3.7.1S                                                          | Yes
3.8              | Not vulnerable                                                  | No
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
The Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability was found during the troubleshooting of customer service requests. The other vulnerabilities were found during internal testing.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision History
Revision 1.3  2013-April-17  Updated CVE assignment. MITRE reassigned CVE-2013-2779 to the MVPNv6 vulnerability.
Revision 1.2  2013-April-15  Updated software table for SIP vulnerability.
Revision 1.1  2013-April-10  Added xconnect to L2TP traffic section of "Vulnerable Products."
Revision 1.0  2013-April-10  Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.