Release Notes for the Cisco 1700 Series Routers for Cisco IOS Release 12.3(2)XE
Revision Date: August 3, 2007
Release Number: 12.3(2)XE5
Part Number: OL-5088-05
These release notes describe new features and significant software components for the Cisco 1700 series routers that support the Cisco IOS Release 12.3(2)T, up to and including Release 12.3(2)XE5. These release notes are updated as needed to describe new memory requirements, new features, new hardware support, software platform deferrals, microcode or modem code changes, related document changes, and any other important changes. Use these release notes with the Cross-Platform Release Notes for Cisco IOS Release 12.3(2)T located on Cisco.com.
For a list of the software caveats that apply to Release 12.3(2)XE, see the "Caveats" section and Caveats for Cisco IOS Release 12.3(2)T. The online caveats document is updated for every maintenance release and is located on Cisco.com.
System Requirements
This section describes the system requirements for Release 12.3(2)XE and includes the following sections:
• Determining the Software Version
• Upgrading to a New Software Release
Memory Requirements
Table 1 describes the memory requirements for the Cisco IOS feature sets supported by the Cisco IOS Release 12.3(2)XE on the Cisco 1700 series routers.
Hardware Supported
Cisco IOS Release 12.3(2)XE supports the following Cisco 1700 series routers:
• Cisco 1701 router
• Cisco 1710 router
• Cisco 1711 router
• Cisco 1712 router
• Cisco 1720 router
• Cisco 1721 router
• Cisco 1751 and 1751-V routers
• Cisco 1760 router
The Cisco 1701, Cisco 1710, Cisco 1711, Cisco 1712, Cisco 1720, and Cisco 1721 routers run data images only. The Cisco 1751, Cisco 1751-V, and Cisco 1760 routers run data or data-and-voice images, providing digital and analog voice support. The Cisco 1711 and Cisco 1712 routers run select IPSec Triple Data Encryption Standard (3DES) images only (the Cisco 1700 IOS IP/ADSL/IPX/AT/IBM/FW/IDS PLUS IPSEC 3DES, the Cisco 1700 IOS IP/ADSL/FW/IDS PLUS IPSEC 3DES, the Cisco 1700 Advanced Security, and the Cisco 1700 IOS ADVANCED ENTERPRISE SERVICES images).
For descriptions of existing hardware features and supported modules, see the hardware installation guides, configuration and command reference guides, and additional documents specific to the Cisco 1700 series routers, which are available on Cisco.com and the Documentation CD at the following location:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/1700/index.htm
This URL is subject to change without notice. If it changes, point your web browser to Cisco.com, and click the following path:
Cisco Product Documentation: Access Servers and Access Routers: Modular Access Routers: Cisco 1700 Series Routers: <platform_name>
Determining the Software Version
To determine which version of Cisco IOS software is currently running on your Cisco 1700 series router, log in to the router and enter the show version EXEC command. The following sample output from the show version command indicates the version number.
router> show version
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-Y7-MZ), Version 12.3(2)XE, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(3.5)T
Upgrading to a New Software Release
For general information about upgrading to a new software release, refer to the Software Installation and Upgrade Procedures located at http://www.cisco.com/warp/public/130/upgrade_index.shtml.
Feature Set Tables
The Cisco IOS software is packaged in feature sets consisting of software images, depending on the platform. Each feature set contains a specific set of Cisco IOS features. Release 12.3(2)XE supports the same feature sets as Releases 12.3 and 12.3(2)T, but Release 12.3(2)XE includes new features supported by the Cisco 1700 series routers.
Caution
The Cisco IOS images with strong encryption (including, but not limited to, 168-bit [3DES] data encryption feature sets) are subject to United States government export controls and have limited distribution. Strong encryption images to be installed outside the United States will likely require an export license. Customer orders can be denied or subject to delay as a result of United States government regulations. When applicable, the purchaser/user must obtain local import and use authorizations for all encryption strengths. Please contact your sales representative or distributor for more information, or send an e-mail to export@cisco.com.
Table 3 through Table 6 list the feature and feature sets supported in the Cisco IOS Release 12.3(2)XE.
The tables use the following conventions:
• Yes—The feature is supported in the software image.
• No—The feature is not supported in the software image.
• In—The number in the "In" column indicates the Cisco IOS release in which the feature was introduced. For example, "12.3(2)XE" means that the feature was introduced in 12.3(2)XE. If a cell in this column is empty, the feature was included in a previous release or in the initial base release.
Note
These feature set tables contain only a selected list of features, which are cumulative for Release 12.3(2)nn early deployment releases only (nn identifies each early deployment release). The tables do not list all features in each image—additional features are listed in Cross-Platform Release Notes for Cisco IOS Release 12.3(2)T and Release 12.3(2)T Cisco IOS documentation.
New and Changed Information
The following sections list the new software features supported by the Cisco 1700 series routers for Release 12.3(2)XE.
New Software Features in Release 12.3(2)XE5
There are no new features for this release.
New Software Features in Release 12.3(2)XE1
The following sections describe the new software features supported by the Cisco 1700 series routers for Release 12.3(2)XE.
IOS VPN and Firewall Enhancements
The following sections describe the IOS VPN and Firewall Enhancements features.
Easy VPN Server
The Cisco IOS routers push enhanced Virtual Private Network (VPN) policy parameters to any remote-access VPN client (hardware or software), facilitating configuration and management of those remote clients.
This feature enhances existing support for accepting IP security (IPSec) VPN connections from Cisco VPN clients and Cisco Easy VPN remote devices on the Cisco 1700 series routers.
For more information on this feature, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/ftunity.htm
Real-Time Resolution for IPsec Tunnel Peer
This feature allows the user to configure IPSec peers as Domain Name System (DNS) names, instead of IP addresses. This feature also allows DNS resolution at the time of IPsec tunnel establishment, instead of using a cached entry.
Secure Shell Version 2 Support
Secure Shell (SSH) Version 2 is a standards-based protocol that provides secure Telnet capability for router configuration and administration.
The SSH Version 2 Support feature provides implementation for SSH Version 2. SSH runs on top of a reliable transport layer, such as TCP or IP, and provides strong authentication and encryption capabilities. SSH supports logging on to another computer over a network, executing commands remotely, and moving files from one host to another.
SSH Version 2 addresses the weaknesses and vulnerabilities that exist today with SSH Version 1 implementations. These include malicious man-in-the-middle (MITM) attacks and integrity violations. SSH Version 2 provides the option to use host-based authentication using digital certificates to address MITM attacks. SSH Version 2 also provides the capability for hash-based authentication, as opposed to cyclic redundancy check (CRC) in SSH Version 1, for improved integrity of the data packets.
An enterprise customer or service provider intending to use automated remote secure Telnet access for configuration and administration of router resources on a larger scale in the network will benefit from SSH Version 2. The secure Telnet session establishment with SSH Version 2 is much faster than with SSH Version 1.
For more details on this feature, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt_ssh2.htm
Firewall ACL Bypass
The Firewall ACL Bypass feature bypasses the access control list (ACL) checks in the current session lookup scheme. As soon as a session is created, a session identifier is inserted that will be used in finding the session for the incoming packets. By doing this, redundant ACL checks will be avoided, improving the throughput performance in the Cisco IOS firewall inspection code.
IOS Syslog Enhancements
The following sections describe the IOS Syslog Enhancements features.
Embedded Syslog Manager (ESM)
The Embedded Syslog Manager (ESM) feature provides a programmable framework that allows you to filter, escalate, correlate, route, and customize system logging messages prior to delivery by the Cisco IOS system message logger.
With the introduction of the Embedded Syslog Manager, system messages can be logged independently as standard messages, XML-formatted messages, or ESM-filtered messages. These outputs can be sent to any traditional syslog target. For example, you could enable standard logging to the console connection, XML-formatted message logging to the buffer, and ESM-filtered message logging to the monitor. Similarly, each type of output could be sent to a different remote host. A benefit of separate logging processes is that if, for example, there is some problem with the ESM filter modules, standard logging will not be affected.
For more details on this feature, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_2/gt_esm.htm
IOS Infrastructure Security Enhancements
The following sections describe the IOS Infrastructure Security Enhancements features.
Image Verification
The Image Verification feature allows users to automatically verify the integrity of all Cisco IOS images. Thus, users can be sure that the image is protected from accidental corruption, which can occur at any time during transit, starting from the moment that the files are generated by Cisco until they reach the user.
For more details on this feature, refer to the following URL:
Silent Operation Mode
The Silent Mode Operation feature allows a router that is running Cisco IOS software to operate without sending any system messages. That is, if a packet that is destined for the router is discarded for any reason, users will not receive any error messages. The following are some events that will not generate error messages:
• Traffic is being transmitted to a port on which the router is not listening.
• A connection to a legitimate address and port is rejected because of a malformed request.
To enable your router to silently discard packets, you must configure output policing on the control plane.
For more details on how to configure this feature on your router, refer to the following URL:
Control Plane Policing
The Control Plane Policing feature allows users to configure a quality of service (QoS) filter that will manage the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches against reconnaissance and denial-of-service (DoS) attacks. Thus, the control plane (CP) can help maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.
For more details on this feature, refer to the following URL:
IOS CPU Usage Monitoring
The IOS CPU Usage Monitoring feature allows users to configure CPU utilization thresholds that, when crossed, trigger a notification. Two types of CPU utilization threshold are supported:
• Rising Threshold
  A rising CPU utilization threshold specifies the percentage of CPU resources that, when exceeded for a configured period of time, triggers a CPU threshold notification.
• Falling Threshold
  A falling CPU utilization threshold specifies the percentage of CPU resources that, when CPU usage falls below this level for a configured period of time, triggers a CPU threshold notification.
For more details on this feature, refer to the following URL:
IOS Login Enhancements
The Cisco IOS Login Enhancements feature allows users to better secure their Cisco IOS devices when creating a virtual connection, such as Telnet, Secure Shell (SSH), or HTTP. Thus, users can help slow down dictionary attacks and help protect their routers from a possible denial-of-service (DoS) attack.
For more details on this feature, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt_login.htm
Conferencing and Transcoding for Voice Gateway Routers
The Cisco Conferencing and Transcoding for Voice Gateway Routers feature provides conference and transcode capability in Cisco 1751 and 1760 routers using packet voice/data modules (PVDMs). This feature is delivered in Cisco IOS software and operates in conjunction with Cisco CallManager.
By enabling audio conference and transcode functions in Cisco 1751 and 1760 routers, the feature provides enhanced multiservice support for Cisco routers in a Cisco CallManager network. This single-package solution simplifies deployments and eases administration. Cost savings result from locating conference resources in the branch to reduce WAN utilization. Costs are further reduced with the use of transcode services to reduce bandwidth needs.
The Conferencing and Transcoding for Voice Gateway Routers feature offers the following benefits:
• Conferencing
  – Cisco CallManager meet-me and ad hoc conferences with up to six participants. The Cisco 1751 and 1760 routers support one conferencing session of six participants per single digital signal processor (DSP) (PVDM-256K-4).
  – Up to five six-participant conferences are supported on the gateway.
  – Participants using G.711 and G.729 codecs can be joined in a single conference; no additional transcoding resources are needed to include the disparate codec types.
  – Conference resources can be easily deployed in routers across the network, reducing WAN use and improving voice-network performance.
• Transcoding
  – Transcoding between G.711 a-law and mu-law and G.729a, G.729ab and G.723r63 codecs.
  – The Cisco 1751 and 1760 routers support one conferencing session of six participants per single DSP (PVDM-256K-4), and support two transcoding channels per single DSP (PVDM-256K-4) to/from G.729a, G.729ab, G.723r63 from/to G.711 a-law and mu-law.
  – The Cisco 1751 router supports a maximum of 16 transcoding sessions, and the Cisco 1760 router supports a maximum of 20 transcoding sessions.
To determine the amount of DSP resources required for a certain conferencing/transcoding configuration, please refer to the DSP Calculator in the following link:
http://www.cisco.com/cgi-bin/Support/DSP/dsp-calc.pl
For more details on this feature, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftdsp.htm
Note
The Conferencing and Transcoding for Voice Gateway Routers feature requires Cisco CallManager version 3.3(2) or higher.
NAT—Support for H.323 Version 3 and Version 4 in Version 2 Compatibility Mode
Network Address Translation (NAT) support of H.323 Version 3 and Version 4 is required by Cisco and third-party gatekeepers. It is used by applications such as NetMeeting and ViaVideo.
AutoQoS—VoIP
Cisco AutoQoS represents innovative technology that simplifies network administration challenges, reducing quality of service (QoS) complexity and deployment time and cost in enterprise networks. Cisco AutoQoS incorporates value-added intelligence in Cisco IOS software to provision and manage large-scale QoS deployments.
For more details on this feature, refer to the following URLs:
http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/autqq_ds.htm
http://www.cisco.com/en/US/tech/tk543/tk759/tk879/tech_protocol_home.html
Modem Passthrough for SIP and MGCP
The Modem Passthrough for SIP and MGCP feature delivers VoIP modem passthrough functionality over Session Initiation Protocol (SIP) and Media Gateway Control Protocol (MGCP) signaling protocols.
Modem Passthrough is the transport of modem signals through a packet network using PCM-encoded packets. Modem Passthrough in H.323 mode has been tested for Cisco 1751 and 1760 routers. In this release, modem passthrough (VoIP) has been tested for both SIP and MGCP. Configuring Modem Passthrough for SIP is identical to configuration for H.323. Configuration can be done at the global level or at the dial-peer (VoIP) level. Separate command-line interfaces are provided for configuring MGCP.
Reliable Static Routing Backup Using Object Tracking
Point-to-Point over Ethernet (PPPoE) and IP Security Protocol (IPSec) Virtual Private Networks (VPN) deployments are increasingly common. These important technologies require a reliable backup solution. The Reliable Static Routing Backup Using Object Tracking feature introduces the ability for the Cisco IOS software to use Internet Control Message Protocol (ICMP) pings to identify when a PPPoE or IPSec VPN tunnel goes down, and allows initiation of a dial-on-demand routing (DDR) connection from any alternative port. This feature is compatible with both preconfigured static routes and Dynamic Host Configuration Protocol (DHCP) configurations.
For more details on this feature, refer to the following URL:
SIP Survivable Remote Site Telephony (SRST)
The SIP Survivable Remote Site Telephony (SRST) feature provides SRST functionality for Session Initiation Protocol (SIP) networks. The SIP-SRST provides backup to an external SIP proxy server by providing basic registrar and redirect services. A SIP IP phone uses these services when a WAN connection outage leaves it unable to communicate with its primary SIP proxy. The SIP-SRST device also provides PSTN gateway access for placing and receiving PSTN calls.
SIP-SRST provides four new features:
• SIP registrar
• Backup registrar service to SIP IP phones
• Call redirect enhancement to support calls between SIP IP phones through the Cisco IOS Voice Gateway
• Sending "300 Multiple Choice" messages
For more details on this feature, refer to the following URL:
Cisco CallManager Express Version 3
Cisco CallManager Express (Cisco CME) is the new name for the product previously known as Cisco IOS Telephony Services (Cisco ITS).
The Cisco CME supports the following features:
• ITS setup tool for quick installation
• Automatic assignment of free extension numbers to new IP phones
• Call pickup and call pickup groups
• Night service
• Call-blocking (toll bar) based on time of day, day of week, or date
• Hunt groups
• Secondary dial tone
• Cisco IP Phone 7902G support
• Cisco IP Phone 7912G support
• Speed-dial
• Account code entry
• Callback busy subscriber
• Do not disturb (DND) service
• Several international languages and call-progress tone sets are newly supported, as well as international date and time formats. The set of supported languages varies by phone type.
• Call-forward-all soft key on the Cisco IP phones
• Flash soft key for hookflash functionality for the PSTN
• Dual-line mode
• Extension overlays (ephone-dn) for better call handling and distribution
• ITS GUI enhancements
• Label support
• Busy lamp monitor and direct station select
• Phone directory entry
• Silent and feature ring options
• New and modified commands
There are 35 new and modified commands that are described in the Command Reference at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122z/122zj15/cme30cr/index.htm
For more information, refer to the Cisco ITS System Administrator Guide Version 3.0 at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122z/122zj15/itsv30/index.htm
SRST: Survivable Remote Site Telephony Version 3.0
The Cisco SRST Version 3.0 feature supports the following enhancements:
• Cisco IP Phone 7902G support
• Cisco IP Phone 7912G Support
• Customized system message for Cisco IP phones
• Consultative call transfer using the H.450.2 standard
• Dual-line mode
• European date formats
• Music-on-hold for multicast from Flash files
• Ringing timeout default
• The show ephone command
• Syslog messages for phone registrations
• Three-party G.711 ad hoc conferencing
• Additional language support on the Cisco IP phones
• New and modified commands
There are 10 new and modified commands described in the Command Reference at the following URL:
For further information about the SRST Version 3.0 features, refer to the Cisco SRST System Administrator Guide Version 3.0 at the following URL:
New Software Features in Release 12.3(2)T
For information regarding the features supported in the Cisco IOS Release 12.3(2)T, refer to the Cross-Platform Release Notes and New Feature Documentation links at the following location on Cisco.com:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/index.htm
This URL is subject to change without notice. If it changes, point your web browser to Cisco.com, and click the following path:
Service & Support: Technical Documents: Cisco IOS Software: Release 12.3: Release Notes: Cross-Platform Release Notes (Cisco IOS Release 12.3(2)T)
Limitations and Restrictions
The following sections describe limitations concerning the new hardware and software features supported by the Cisco 1700 series routers for Release 12.3(2)XE.
CSCec48183
Cannot configure RTR base with IPbase image.
Conferencing and Transcoding for Voice Gateway Routers
• When a transcoded call is placed between two endpoints with varying packetization periods with G.711 codecs, a DSP is utilized for this transcoding session.
• Transcoding of only G723r63 to and from G.711 a-law and mu-law codec is supported.
• The command-line interface dspfarm codec g729 vad disable has no significance with respect to the Cisco 1700 router.
• When transcoding is configured, one of the codecs should be the G.711 codec. Only the G.711, G.729, and G.723 codecs are supported.
• In a 4-hour long conference with six participants in which the participants log in and log out every 3 minutes, it is possible that all the DSPs in the router end up in the "DOWN" state. In this situation, the router needs to be rebooted.
Modem Passthrough for SIP and MGCP
A maximum of 16 Modem Passthrough calls can be configured on the gateway. Although the gateway allows configuration of more than 16 calls, we recommend configuring only 16 calls when redundancy is enabled. Configuring more than 16 calls can result in poor voice quality and the disconnection of calls.
Important Notes
Reliable Static Routing Backup Using Object Tracking
The following new commands are modified in this release.
Old Syntax                                    New Syntax
ip address dhcp hostname <hostname>           ip dhcp client hostname <hostname>
ip address dhcp client-id <interface-name>    ip dhcp client client-id <interface-name>
The following commands are not supported in this release:
ip dhcp client class-id {<ASCII string> | hex <hexadecimal string>}
ip dhcp client lease time <day> <hour><minutes>
[no] ip dhcp client request <option-name>
Caveats
Caveats describe unexpected behavior or defects in the Cisco IOS software releases. Severity 1 caveats are the most serious caveats, severity 2 caveats are less serious, and severity 3 caveats are the least serious of these three severity levels.
Caveats in Cisco IOS Release 12.3(2)T are also in Release 12.3(2)XE. For information on caveats in Cisco IOS Release 12.3(2)T, refer to the Caveats for Cisco IOS Release 12.3(2)T document. This document lists severity 1 and 2 caveats; the documents are located on Cisco.com and the Documentation CD.
Note
If you have an account with Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com and click Service & Support: Technical Assistance Center: Tool Index: Bug Toolkit. Another option is to go to http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl.
Resolved Caveats - Release 12.3(2)XE5
This section describes unexpected behavior that is fixed in Cisco IOS Release 12.3(2)XE5. Only severity level 1 through level 3 caveats are listed.
• CSCdz55178
Symptom: System reloads unexpectedly or other serious side effects such as memory corruption occur.
Conditions: A cable qos profile with a length greater than 32 characters is configured on the system.
Workaround: Change the QOS profile name to a value less than 32 characters.
• CSCec71950
Cisco routers and switches running Cisco IOS or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by this issue.
Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability. This vulnerability was discovered during internal testing.
This advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
• CSCed26739
Symptom: The router will reload if the show run command is entered after a tech-prefix terminating with several periods (.) as follows:
conf t
gatekeeper
gw-type-prefix 1234......................................................
Condition:
conf t
gatekeeper
gw-type-prefix 1234......................................................
and enter the show run command.
Workaround: None. Do not enter long tech-prefix using the "....." pattern.
• CSCed65778
Certain release trains of Cisco Internetwork Operating System (IOS), when configured to use the IOS Secure Shell (SSH) server in combination with Terminal Access Controller Access Control System Plus (TACACS+) as a means to perform remote management tasks on IOS devices, may contain two vulnerabilities that can potentially cause IOS devices to exhaust resources and reload. Repeated exploitation of these vulnerabilities can result in a Denial of Service (DoS) condition. Use of SSH with Remote Authentication Dial In User Service (RADIUS) is not affected by these vulnerabilities.
Cisco has made free software available to address these vulnerabilities for all affected customers. There are workarounds available to mitigate the effects of the vulnerability (see the "Workarounds" section of the full advisory for details.)
This advisory will be posted at: http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml
• CSCed94829
Multiple Cisco products contain vulnerabilities in the processing of IPSec IKE (Internet Key Exchange) messages. These vulnerabilities were identified by the University of Oulu Secure Programming Group (OUSPG) "PROTOS" Test Suite for IPSec and can be repeatedly exploited to produce a denial of service.
Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
This advisory is posted at: http://www.cisco.com/warp/customer/707/cisco-sa-20051114-ipsec.shtml.
• CSCee41508
Symptom: An IOS device may crash when processing a malformed Resource ReSerVation Protocol (RSVP) packet.
Conditions: A device using an affected software version is configured for RSVP and a certain malformed RSVP packet is received.
Workaround: If RSVP is required, no workaround exists.
If RSVP is not required, disabling RSVP on all interfaces removes any exposure to this issue.
RSVP can be disabled using the no ip rsvp bandwidth interface configuration command. The show ip rsvp EXEC command can be used on an IOS device to determine if RSVP functionality has been enabled. The show ip rsvp interface EXEC command may be used to identify the specific interfaces on which RSVP has been enabled.
• CSCee45312
Remote Authentication Dial In User Service (RADIUS) authentication on a device that is running certain versions of Cisco Internetworking Operating System (IOS) and configured with a fallback method to none can be bypassed.
Systems that are configured for other authentication methods or that are not configured with a fallback method to none are not affected.
Only the systems that are running certain versions of Cisco IOS are affected. Not all configurations using RADIUS and none are vulnerable to this issue. Some configurations using RADIUS, none and an additional method are not affected.
Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
• CSCef48336
OSPF is a routing protocol defined by RFC 2328. It is designed to manage IP routing inside an Autonomous System (AS). OSPF packets use IP protocol number 89.
A vulnerability exists in the processing of an OSPF packet that can be exploited to cause the reload of a system.
Since OSPF needs to process unicast packets as well as multicast packets, this vulnerability can be exploited remotely. It is also possible for an attacker to target multiple systems on the local segment at a time.
OSPF Authentication can be used to mitigate the effects of this vulnerability. Using OSPF Authentication is a highly recommended security best practice.
A Cisco device receiving a malformed OSPF packet will reset and may take several minutes to become fully functional. This vulnerability may be exploited repeatedly resulting in an extended DOS attack.
Workarounds:
Using OSPF Authentication: OSPF authentication may be used as a workaround. OSPF packets without a valid key will not be processed. MD5 authentication is highly recommended, due to inherent weaknesses in plain text authentication. With plain text authentication, the authentication key will be sent unencrypted over the network, which can allow an attacker on a local network segment to capture the key by sniffing packets.
Infrastructure Access Control Lists: Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The white paper "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection ACLs:
http://www.cisco.com/warp/public/707/iacl.html
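The following check is an added example, not part of the Cisco release notes: it reads captured OSPFv2 payloads (IP protocol 89) and reports which ones use null or plain text authentication instead of the MD5 authentication recommended in the OSPF workaround above. The header layout follows RFC 2328; the function names, sample packets, router ID and keys are constructed for illustration.

```python
import hashlib
import hmac
import struct

OSPF_HEADER_LEN = 24  # fixed OSPFv2 header, RFC 2328 A.3.1
AUTH_NAMES = {0: "null", 1: "simple-password", 2: "cryptographic"}


def parse_ospf_auth(payload: bytes) -> dict:
    """Decode the OSPFv2 header of one IP protocol 89 payload and describe its authentication."""
    if len(payload) < OSPF_HEADER_LEN:
        raise ValueError("truncated OSPF header")
    version, _ptype, length, router_id, _area, _cksum, autype = struct.unpack(
        "!BBH4s4sHH", payload[:16])
    if version != 2:
        raise ValueError(f"not OSPFv2 (version {version})")
    if not OSPF_HEADER_LEN <= length <= len(payload):
        raise ValueError("length field inconsistent with payload")
    info = {
        "router_id": ".".join(str(b) for b in router_id),
        "autype": autype,
        "auth": AUTH_NAMES.get(autype, "unknown"),
        "length": length,
        # AuType 1 carries the shared key itself in the 8-byte authentication field.
        "key_on_wire": autype == 1,
    }
    if autype == 2:
        # RFC 2328 D.3: zero, Key ID, Auth Data Len, cryptographic sequence number.
        _zero, key_id, auth_len, seq = struct.unpack("!HBBI", payload[16:24])
        # The digest trails the packet and is not counted in the length field.
        digest = payload[length:length + auth_len]
        if auth_len == 0 or len(digest) != auth_len:
            raise ValueError("cryptographic AuType but digest missing or short")
        info.update(key_id=key_id, seq=seq, digest=digest)
    return info


def verify_md5(payload: bytes, key: bytes) -> bool:
    """Recompute the keyed-MD5 digest (RFC 2328 D.4.3) with a key the auditor already holds."""
    info = parse_ospf_auth(payload)
    if info["autype"] != 2:
        return False
    padded = key[:16].ljust(16, b"\x00")  # key is zero-padded to 16 bytes
    expected = hashlib.md5(payload[:info["length"]] + padded).digest()
    return hmac.compare_digest(expected, info["digest"])


def audit(payloads) -> list:
    """Return (index, finding, detail) for every packet that is not cryptographically authenticated."""
    findings = []
    for index, payload in enumerate(payloads):
        try:
            info = parse_ospf_auth(payload)
        except ValueError as exc:
            findings.append((index, "malformed", str(exc)))
            continue
        if info["autype"] != 2:
            findings.append((index, info["auth"], info["router_id"]))
    return findings


def build_sample(autype: int, auth_field: bytes, key: bytes = None) -> bytes:
    """Build a constructed Hello-type packet (zeroed 20-byte body) for the demo below."""
    body = bytes(20)
    length = OSPF_HEADER_LEN + len(body)
    packet = struct.pack("!BBH4s4sHH", 2, 1, length,
                         bytes([192, 0, 2, 1]), bytes(4), 0, autype) + auth_field + body
    if key is not None:
        packet += hashlib.md5(packet + key[:16].ljust(16, b"\x00")).digest()
    return packet


# Constructed sample packets; the keys are placeholders, not real credentials.
NULL_PKT = build_sample(0, bytes(8))
PLAIN_PKT = build_sample(1, b"lab-key\x00")
MD5_PKT = build_sample(2, struct.pack("!HBBI", 0, 1, 16, 1000), key=b"constructed-key")
TRUNCATED_PKT = MD5_PKT[:-16]  # claims cryptographic auth but the digest is gone

if __name__ == "__main__":
    for finding in audit([NULL_PKT, PLAIN_PKT, MD5_PKT, TRUNCATED_PKT]):
        print(finding)
    print("MD5 digest valid:", verify_md5(MD5_PKT, b"constructed-key"))
```

The audit only classifies what is on the wire; verifying a digest requires the configured key, and a packet that fails parsing is reported as malformed rather than silently skipped.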
• CSCef61610
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
a. Attacks that use ICMP "hard" error messages
b. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
c. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
• CSCef68324
Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Cisco has made free software available to address this vulnerability for all affected customers.
• CSCeh73049
Symptom: A vulnerability exists within the Cisco IOS Authentication, Authorization, and Accounting (AAA) command authorization feature, where command authorization checks are not performed on commands executed from the Tool Command Language (Tcl) exec shell. This may allow authenticated users to bypass command authorization checks in some configurations resulting in unauthorized privilege escalation.
Conditions: Devices that are not running the AAA command authorization feature, or do not support Tcl functionality, are not affected by this vulnerability. This vulnerability is present in all versions of Cisco IOS that support the tclsh command.
• CSCei61732
Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.
• CSCek26492
Conditions: This bug resolves a symptom of CSCec71950. Cisco IOS software with this specific bug is not at risk of a crash if CSCec71950 has been resolved in the software.
• CSCek37177
The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.
This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability. Cisco has made free software available to address this vulnerability for affected customers.
There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml
• CSCin95836
Symptoms: A Cisco IOS device configured for NHRP may restart.
Workarounds: None.
• CSCsa54608
The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition. Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.
• CSCsb11849
Symptom: CoPP policy configured to drop packets with IP options will ignore packets with malformed IP options.
Conditions: CoPP configured to filter IP packets with IP options.
Workaround: Do not use IP option ACL filtering with CoPP. Instead configure CoPP to filter IP packets by source or destination address.
• CSCsb12598
A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
– Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
– Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
– Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
• CSCsb33172
• CSCsb40304
A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
– Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
– Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
– Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
• CSCsb79076
Symptom: %SYS-3-TIMERNEG errors and tracebacks are observed while making MGCP RSVP calls on analog (RGW) setups. This is observed in IOS version 12.4(3.9)T1.
Workaround: None.
• CSCsb93407
Symptoms: When H323 call service stops, the router still listens on TCP port 1720 and completes connection attempts.
Conditions: This symptom occurs after H323 is disabled using the following configuration commands:
voice service voip
 h323
  call service stop
Workaround: Access can be blocked by deploying an interface access list that blocks access to TCP port 1720 for traffic that is destined for any of the IP addresses of the router.
• CSCsc64976
A vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output from a show buffers command, will be passed to the browser requesting the page. This HTML code could be interpreted by the client browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks. Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content in which HTML commands have been injected.
Cisco will be making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml
• CSCsc72722
Symptoms: TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not time out.
Conditions: With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.
Workaround: None.
• CSCsd85587
A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
The vulnerable cryptographic library is used in the following Cisco products:
– Cisco IOS, documented as Cisco bug ID CSCsd85587
– Cisco IOS XR, documented as Cisco bug ID CSCsg41084
– Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999
– Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348
– Cisco Firewall Service Module (FWSM) CSCsi97695
This vulnerability is also being tracked by CERT/CC as VU#754281.
Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.
• CSCsd92405
A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
– Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
– Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
– Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
• CSCse05736
Symptoms: A router that is running RCP can be reloaded by a specific packet.
Conditions: This symptom is seen under the following conditions:
– The router must have RCP enabled.
– The packet must come from the source address of the designated system configured to send RCP packets to the router.
– The packet must have a specific data content.
Workaround: Put access lists on the edge of your network blocking RCP packets to prevent spoofed RSH packets. Use another protocol such as SCP. Use VTY ACLs.
• CSCse24889
Symptoms: Malformed SSH version 2 packets may cause a memory leak, causing the platform to operate under a degraded condition. Under rare circumstances, the platform may reload to recover itself.
Conditions: This symptom is observed on a Cisco platform that is configured for SSH version 2 after it has received malformed SSHv2 packets.
Workaround: As an interim solution until the affected platform can be upgraded to a Cisco IOS software image that contains the fix for caveat CSCse24889, configure SSH version 1 from the global configuration mode.
• CSCse85200
Symptom: Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behaviour by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router. Since CDP is a layer-2 protocol, this issue can only be triggered by systems that are residing on the same network segment.
Workaround: Disable CDP on interfaces where it is not necessary.
• CSCsg16908
Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.
The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities.
This vulnerability does not apply to the IOS FTP Client feature.
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.
• CSCsg40567
Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.
Conditions: This symptom is observed on a Cisco router that has the ip http secure server command enabled.
Workaround: Disable the ip http secure server command.
• CSCsj16292
Symptoms: Following an upgrade to Cisco IOS Release 12.2(18)SXF9, the following message may be displayed:
%DATACORRUPTION-1-DATAINCONSISTENCY: copy error -Traceback=
Conditions: This message may appear as a result of SNMP polling of PAgP variables, but does not appear to be service impacting.
Workaround: There is no workaround.
• CSCsj18014
Symptoms: A caller ID may be received with extra characters.
Conditions: This symptom is observed when caller ID is enabled on both routers and when the station ID and station name are configured on the FXS side.
Workaround: There is no workaround.
• CSCsj52927
Symptom: DATACORRUPTION-1-DATAINCONSISTENCY messages are seen in the show log command output.
Workaround: None
• CSCsj66369
Symptom: Tracebacks are seen while running the metal_vpn_cases.itcl script.
Condition: A strcpy in the file 'rpmxf_dg_online.c' copies more bytes than the destination buffer size. This results in data corruption tracebacks.
Workaround: None.
• CSCsj66513
Symptom: Traceback found at DNQueuePeers.
Conditions: While verifying the variable digit length dialing numbers for 'Type National' and 'Type International' in the numbering plan to be accepted by the network-side by using functionality/isdn/isdn_dialPlan script.
Workaround: None.
Resolved Caveats - Release 12.3(2)XE1
The following sections list the resolved caveats for the Cisco IOS release 12.3(2)XE1.
CSCeb56909
Cisco Routers running Internetwork Operating System (IOS) that supports Multi Protocol Label Switching (MPLS) are vulnerable to a Denial of Service (DoS) attack on MPLS disabled interfaces.
The vulnerability is only present in Cisco IOS release trains based on 12.1T, 12.2, 12.2T, 12.3 and 12.3T. Releases based on 12.1 mainline, 12.1E and all releases prior to 12.1 are not vulnerable.
More details can be found in the security advisory which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml.
CSCec86420
Symptoms: When you enter the undebug all privileged EXEC command on a Cisco router, all traffic that passes through an encrypted generic routing encapsulation (GRE) tunnel may stop.
Conditions: This symptom is observed on a Cisco router that is configured with a GRE tunnel that is secured via IP Security (IPSec) and that is using Cisco Express Forwarding (CEF) switching.
Workaround: Reinitialize CEF switching by entering the no ip cef global configuration command followed by the ip cef global configuration command.
Alternate Workaround: Do not enter the undebug all privileged EXEC command. Rather, individually disable each debug command.
CSCed40933
Cisco Internetwork Operating System (IOS) Software is vulnerable to a Denial of Service (DoS) attack from crafted IPv6 packets when the device has been configured to process IPv6 traffic. This vulnerability requires multiple crafted packets to be sent to the device which may result in a reload upon successful exploitation.
More details can be found in the security advisory, which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml.
CSCee67450
A Cisco device running Cisco IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. Only devices with the command 'bgp log-neighbor-changes' configured are vulnerable. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet.
If a malformed packet is received and queued up on the interface, this bug may also be triggered by other means which are not considered remotely exploitable, such as the use of the command 'show ip bgp neighbors' or running the command 'debug ip bgp <neighbor> updates' for a configured BGP neighbor.
Cisco has made free software available to address this problem.
For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml
CSCin82407
Cisco Internetwork Operating System (IOS) Software release trains 12.2T, 12.3 and 12.3T may contain vulnerabilities in processing certain Internet Key Exchange (IKE) Xauth messages when configured to be an Easy VPN Server.
Successful exploitation of these vulnerabilities may permit an unauthorized user to complete authentication and potentially access network resources.
This advisory will be posted to http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml
CSCed78149
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
Resolved Caveats - Release 12.3(2)XE
The following sections list the resolved caveats for the Cisco IOS release 12.3(2)XE.
CSCec40620
sh run causes FR interface flap using MFT with speed 56K on 1760.
The line protocol on the Frame relay interface drops whenever any of the following occurs:
• show run command issued
• show tech command issued
• Analog phone goes off-hook on the 4-port Foreign Exchange Station (FXS) voice interface card (VIC)
The line protocol comes up after about 2 minutes. The serial link consistently fails after every show run/show tech command, no matter if the command is issued via Telnet or if it is entered through a console into the router.
Workaround
Use a 64-kbps circuit, if possible, or a different router.
CSCee08584
Cisco Internetwork Operating System (IOS) Software release trains 12.1YD, 12.2T, 12.3 and 12.3T, when configured for Cisco's IOS Telephony Service (ITS), Cisco CallManager Express (CME) or Survivable Remote Site Telephony (SRST) may contain a vulnerability in processing certain malformed control protocol messages.
A successful exploitation of this vulnerability may cause a reload of the device and could be exploited repeatedly to produce a Denial of Service (DoS). This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20050119-itscme.shtml
Cisco has made free software upgrades available to address this vulnerability for all affected customers.
This vulnerability is documented by Cisco bug ID CSCee08584.
Open Caveats - Release 12.3(2)XE
The following sections list the open caveats for the Cisco IOS release 12.3(2)XE.
CSCeb75869
Transfer not feasible with g723-xcode-g711(u)-g711(u) call.
When a call is made from the G723R63 gateway to an IP phone and transfer is initiated from the IP phone to a same type endpoint gateway with the same packetization period as the IP phone, the audio path is not established.
This behavior is observed in Cisco CallManager version 3.3.
CSCec10171
No audio when 1st codec doesn't support a codec and 2nd used.
When the selected transcoder does not support a codec and the call is diverted to the second transcoder, the call is not heard on either side when dial-peer is not configured in the terminating gateway for the calling number.
When a dial-peer is configured in the terminating gateway for the calling number, one-way audio is heard.
CSCec17790
One DSP channel used with no wait for far end TCS.
When the transcoding session is opened with one codec and a stream for different codec replaces the same, one-way audio connection is established.
CSCec31705
DSP status DOWN after issuing no dspfarm and dspfarm.
CSCec78105
SSHv2: SSH does not follow username privilege level.
When the user tries to make a connection through SSHv2, with the router running 12.3(2)XE or 12.3(03.05)T image, it does not go to "enable" mode by default. The user has to type "enable" and enter password at the prompt.
Workaround
Use SSHv1 or enable aaa.
Related Documentation
The following sections describe the documentation available for the Cisco 1700 series routers. Typically, these documents consist of hardware and software installation guides, Cisco IOS configuration and command references, system error messages, feature modules, and other documents. Documentation is available as printed manuals or electronic documents, except for feature modules, which are available online on Cisco.com and the Documentation CD.
Use these release notes with the documents listed in the following sections:
Release-Specific Documents
The following documents are specific to Release 12.3 and apply to Release 12.3(2)XE. They are located on Cisco.com and the Documentation CD (under the heading Service & Support):
• To reach the Cross-Platform Release Notes for Cisco IOS Release 12.3(2)T, click this path:
Technical Documents: Cisco IOS Software: Release 12.3: Release Notes: Cisco IOS Release 12.3(2)T
• To reach product bulletins, field notices, and other release-specific documents, click this path:
Technical Documents: Product Bulletins
• To reach the Caveats for Cisco IOS Release 12.3 and Caveats for Cisco IOS Release 12.3(2)T documents, which contain caveats applicable to all platforms for all maintenance releases of Release 12.3, click this path:
Technical Documents: Cisco IOS Software: Release 12.3: Caveats
Note
If you have an account with Cisco.com, you can also use the Bug Toolkit to find selected caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com, and click Service & Support: Technical Assistance Center: Tool Index: Bug Toolkit. Another option is to go to http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl.
Platform-Specific Documents
Hardware installation guides, configuration and command reference guides, and additional documents specific to the Cisco 1700 series routers are available on Cisco.com and the Documentation CD at the following location:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/1700/index.htm
This URL is subject to change without notice. If it changes, point your web browser to Cisco.com, and click the following path:
Cisco Product Documentation: Access Servers and Access Routers: Modular Access Routers: Cisco 1700 Series Routers: <platform_name>
Feature Navigator
Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a particular set of features and which features are supported in a particular Cisco IOS image. Feature Navigator is available 24 hours a day, 7 days a week.
To access Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, e-mail the Contact Database Administration group at cdbadmin@cisco.com. If you do not have an account on Cisco.com, go to http://www.cisco.com/register and follow the directions to set up an account.
To use Feature Navigator, you must have a JavaScript-enabled web browser such as Netscape 3.0 or later, or Internet Explorer 4.0 or later. Internet Explorer 4.0 always has JavaScript enabled. To enable JavaScript for Netscape 3.x or Netscape 4.x, follow the instructions provided with the web browser. For JavaScript support and enabling instructions for other browsers, check with the browser vendor.
Feature Navigator is updated when major Cisco IOS software releases and technology releases occur. You can access Feature Navigator at the following URL:
Cisco IOS Software Documentation Set
The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents that are shipped with your order in electronic form on the Documentation CD-ROM—unless you specifically ordered printed versions.
Documentation Modules
Each module in the Cisco IOS documentation set consists of one or more configuration guides and one or more corresponding command references. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Use each configuration guide with its corresponding command reference. The Cisco IOS software documentation set is available on Cisco.com and on the Documentation CD-ROM.
On Cisco.com:
Products & Services: IOS Software: Cisco IOS Software Releases 12.3 Mainline: Technical Documentation: Master Indices
On the Documentation CD-ROM at:
Product Documentation: Cisco IOS Software: Cisco IOS Release 12.3: Configuration Guides and Command References
Release 12.3 Documentation Set
Table 7 describes the contents of the Cisco IOS Release 12.3 software documentation set, which is available in both electronic and printed form.
Note
You can find the most current Cisco IOS documentation on Cisco.com and the Documentation CD-ROM. These electronic documents may contain updates and modifications made after the hard-copy documents were printed.
Note
Some aspects of the complete Cisco IOS Release 12.3 software documentation set might not apply to the Cisco 1700 Series router.
Service and Support
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you with these tasks:
• Streamline business processes and improve productivity
• Resolve technical issues with online support
• Download and test software packages
• Order Cisco learning materials and merchandise
• Register for online skill assessment, training, and certification programs
If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL:
Technical Assistance Center
The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC Web Site and the Cisco TAC Escalation Center.
Cisco TAC inquiries are categorized according to the urgency of the issue:
• Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
• Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
• Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
• Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.
The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of service contracts, when applicable.
Cisco TAC Web Site
You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL:
All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:
http://www.cisco.com/register/
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC Web Site.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Copyright © 2003-2005, Cisco Systems, Inc. All rights reserved.


