|
Table Of Contents
Release Notes for the Cisco 800 Series Routers for Cisco IOS Release 12.3(2)XA
Determining the Software Version
Upgrading to a New Software Release
New Software Features in Release 12.3(2)XA
VPN Access Control Using 802.1x Authentication
New Software Features in Release 12.3(2)T
Easy VPN Support for the AES Algorithm
VPN Access Control Using 802.1x Authentication
Resolved Caveats - Cisco IOS Release 12.3(2)XA7
Open Caveats - Cisco IOS Release 12.3(2)XA7
Resolved Caveats - Cisco IOS Release 12.3(2)XA6
Resolved Caveats - Cisco IOS Release 12.3(2)XA5
Resolved Caveats - Cisco IOS Release 12.3(2)XA4
Resolved Caveats - Cisco IOS Release 12.3(2)XA3
Resolved Caveats - Cisco IOS Release 12.3(2)XA2
Resolved Caveats - Cisco IOS Release 12.3(2)XA1
Resolved Caveats - Cisco IOS Release 12.3(2)XA
Open Caveats - Release 12.3(2)XA
Cisco IOS Software Documentation Set
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for the Cisco 800 Series Routers for Cisco IOS Release 12.3(2)XA
March 21, 2008Release 12.3(2)XA7OL-4643-05 Eighth Release
These release notes describe new features and significant software components for the Cisco 831, 836, and 837 routers that support Cisco IOS Release 12.3 T, up to and including Release 12.3(2)XA7. These release notes are updated as needed to describe new memory requirements, new features, new hardware support, software platform deferrals, microcode or modem code changes, related document changes, and any other important changes. Use these release notes with the Cross-Platform Release Notes for Cisco IOS Release 12.3(2)T located on Cisco.com.
For a list of the software caveats that apply to Release 12.3(2)XA7, see the "Caveats" section, and refer to the online Caveats for Cisco IOS Release 12.3(2)T document. The caveats document is updated for every 12.3T maintenance release and is located on Cisco.com.
Contents
These release notes provide information about the following topics:
•Obtaining Documentation, Obtaining Support, and Security Guidelines
System Requirements
This section describes the system requirements for Release 12.3(2)XA7 and includes the following sections:
•Determining the Software Version
•Upgrading to a New Software Release
Memory Requirements
This section describes the memory requirements for the Cisco IOS feature sets that are supported by Cisco IOS Release 12.3(2)XA7 on the Cisco 831, 836, and 837 routers.
Hardware Supported
Cisco IOS Release 12.3(2)XA7 support the following routers:
•Cisco 831 router
•Cisco 836 router
•Cisco 837 router
For detailed descriptions of new hardware features and which features are supported on each router, see the "New and Changed Information" section. For descriptions of existing hardware features and supported modules, see the hardware installation guides, configuration and command reference guides, and additional documents specific to the Cisco 831, 836, and 837 routers, which are available on Cisco.com at the following location:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/800/index.htm
This URL is subject to change without notice. If it changes, point your web browser to Cisco.com, and click the following path:
Cisco Product Documentation: Access Servers and Access Routers: Fixed Access: Cisco 800 Series Routers: <platform_name>
Determining the Software Version
To determine which version of the Cisco IOS software is currently running on your Cisco 831, 836, or 837 router, log in to the router, and enter the show version command. The following sample output from the show version command indicates the version number on the second output line.
router> show versionCisco Internetwork Operating System SoftwareIOS (tm) C836 Software (C836-K9O3SY6-M), Version 12.3(2)XA8, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)Synched to technology version 12.3(1.6)TUpgrading to a New Software Release
For general information about upgrading to a new software release, see Cisco IOS Software Releases 12.3 T Installation and Upgrade Procedures located on Cisco.com.
Feature Set Tables
Cisco IOS software is packaged in feature sets consisting of software images, depending on the platform. Each feature set contains a specific set of Cisco IOS features.Cisco IOS Release 12.3(2)XA supports the same feature sets as Cisco IOS Releases 12.3 and 12.3(2)T, but Cisco IOS Release 12.3(2)XA includes new features that are supported by the Cisco 831, 836, and 837 routers. Release 12.3(2)XA8 is a rebuild of Release 12.3(2)XA and includes only bug fixes; it does not include any new features.
Caution Cisco IOS images with strong encryption (including, but not limited to 168-bit [3DES] data encryption feature sets) are subject to United States government export controls and have limited distribution. Strong encryption images to be installed outside the United States will likely require an export license. Customer orders can be denied or subject to delay due to United States government regulations. When applicable, the purchaser/user must obtain local import and use authorizations for all encryption strengths. Please contact your sales representative or distributor for more information, or send an e-mail to export@cisco.com.
Table 2 and Table 3 list the features and feature sets that are supported in Cisco IOS Release 12.3(2)XA7.
The table uses the following conventions:
•Yes—The feature is supported in the software image.
•No—The feature is not supported in the software image.
•In—The number in the "In" column indicates the Cisco IOS release in which the feature was introduced. For example, "12.3(2)XA" indicates that the feature was introduced in Cisco IOS Release 12.3(2)XA. If a cell in this column is empty, the feature was included in a previous release or in the initial base release.
Note These feature set tables contain only a selected list of features, which are cumulative for Release 12.3(2)nn early deployment releases only (nn identifies each early deployment release). The tables do not list all features in each image—additional features are listed in the Cross-Platform Release Notes for Cisco IOS Release 12.3(2)T and Release 12.3 T Cisco IOS documentation.
Table 2 Feature Set Table for the Cisco 831 and Cisco 837 Routers
New and Changed Information
The following sections list the new information about the Cisco 831, 836, and 837 routers for Release 12.3(2)XA. This information applies also to Cisco IOS Release 12.3(2)XA7.
New Software Features in Release 12.3(2)XA
The following sections describe the new software features supported by the Cisco 831, 836, and 837 routers for Release 12.3(2)XA.
VPN Access Control Using 802.1x Authentication
The 802.1x authentication feature is an Institute of Electrical and Electronics Engineers (IEEE) standards-based authentication technology. This feature enhances the Cisco IOS technology by supporting 802.1x authentication. It allows classification of authenticated and non-authenticated categories, based on the credentials provided by the 802.1x port-based authentication specification. This feature also allows separate processing of traffic coming from authenticated users and non-authenticated users.
In Cisco IOS Release 12.3(2)XA, the 802.1x user authentication will be used in conjunction with Easy VPN Server and Easy VPN Remote (also called Easy VPN Client [EZVPN Client]).
For details on Cisco Easy VPN, refer to the following URLs:
http://www.cisco.com/en/US/partner/products/sw/secursw/ps5299/index.html
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/index.htm
How to enable 802.1x authentication on PCs running Microsoft Windows 2000/XP
Step 1 Make sure that the Microsoft Windows Service Pack 3 or later is installed in the PC.
Step 2 Refer to the following URL to download and install 802.1x client on Microsoft Windows 2000 PC: http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp
If the link is not active, refer to the following link to search for Microsoft Knowledge Base Article - 313664:
http://www.microsoft.com/windows2000/downloads/recommended/q313664/default.asp
Step 3 Follow the instructions, and install the 802.1x authentication client.
Step 4 Reboot the PC after installing the 802.1x authentication client.
An alternative to Microsoft's 802.1x authentication client, AEGIS 802.1x software for Microsoft Windows, can be found at the following URL:
For more information on VPN Access Control Using 802.1x Authentication feature, refer to the following URL:
Easy VPN Server
The Cisco IOS routers push enhanced virtual private network (VPN) policy parameters to any remote access VPN client (hardware or software), facilitating configuration and management of those remote clients.
For more information on this feature, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/ftunity.htm
AutoSecure
AutoSecure is an innovative Cisco IOS software command-line-interface (CLI)-based feature that provides "one touch" router lockdown. A single command instantly and easily transforms the security posture of routers by disabling non-essential operating system processes, enforcing secure access, and enabling secure forwarding features.
By using a single auto secure CLI command, the AutoSecure feature allows a user to perform the following functions:
•Disable common IP services that can be exploited for network attacks
•Enable IP services and features that can aid in the defense of a network when under attack
This feature also simplifies the security configuration of a router and hardens the router configuration.
The AutoSecure feature offers following benefits:
•Simplified router security configuration
•Enhanced password security
For information on how to configure the AutoSecure feature on your Cisco router, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123_1/ftatosec.htm
Easy VPN Client Phase 3
Easy VPN Client Phase 3 includes some enhancements to Easy VPN in addition to what is already available. These enhancements include the following:
•Support for IPSec NAT transparency
•Support for IP compression
•Type 6 password
For more information on the Type 6 password feature, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/
The other enhancements appear in the Resolved Caveats - Cisco IOS Release 12.3(2)XA1 section of this document.
New Software Features in Release 12.3(2)T
For information regarding the features supported in Cisco IOS Release 12.3 T, refer to the Cross-Platform Release Notes and New Feature Documentation links at the following location on Cisco.com:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/index.htm
This URL is subject to change without notice. If it changes, point your web browser to Cisco.com, and click the following path:
Service & Support: Technical Documents: Cisco IOS Software: Release 12.3: Release Notes: Cross-Platform Release Notes (Cisco IOS Release 12.3 T)
Limitations
The following sections describe limitations concerning the new software features supported by the Cisco 800 series routers for Release 12.3(2)XA. This also applies to Cisco IOS Release 12.3(2)XA7.
Easy VPN Support for the AES Algorithm
The Easy VPN Client feature will not support the AES algorithm in this release.
VPN Access Control Using 802.1x Authentication
The 802.1x authentication for VLAN interface is not supported in this release. Switches (even switches with native 802.1x authentication support) are also not supported in this release.
Caveats
Caveats describe unexpected behavior or defects in Cisco IOS software releases. Severity 1 caveats are the most serious caveats, severity 2 caveats are less serious, and severity 3 caveats are the least serious of these three severity levels.
Caveats in Release 12.3 T are also in Release 12.3(2)XA8. For information on caveats in Cisco IOS Release 12.3 T, refer to the Caveats for Cisco IOS Release 12.3(2)T document. This document lists severity 1 and 2 caveats; the documents are located on Cisco.com.
Note If you have an account with Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com, and click Service & Support: Technical Assistance Center: Tool Index: Bug Toolkit. Another option is to go to http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl.
Resolved Caveats - Cisco IOS Release 12.3(2)XA7
CSCsd95616Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.
Open Caveats - Cisco IOS Release 12.3(2)XA7
There are no open caveats for Cisco IOS Release (2)XA7.
Resolved Caveats - Cisco IOS Release 12.3(2)XA6
CSCsf04754Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.
The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.
This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml
CSCsj66513 Traceback detected at DNQueuePeersSymptom Traceback found at DNQueuePeers
Conditions While verifying the variable digit length dialing numbers for 'Type National' and 'Type International' in the numbering plan to be accepted by the network-side by using functionality/isdn/isdn_dialPlan script.
Workaround There is no workaround.
CSCdz55178 QoS profile name of more then 32 chars will crash the routerSymptom System reloads unexpectedly or other serious side-affects such as memory corruption occur.
Conditions A cable qos profile with a length greater than 32 characters is configured on the system.
For example:
cable qos profile 12 name g711@10ms_for_any_softswitch_Traa^C00000000011111111111222222222333^12345678901234567890123456789012||PROBLEM (Variable Overflowed).CSCed26739 mm/gk/gk_cli.c:CLI:gw-type-prefix possible buffer overflowSymptom The router will reload if "she run" is given after a tech-prefix terminating with a large number of '.'s is configured as follows:
conf tgatekeepergw-type-prefix 1234......................................................Conditions
conf tgatekeepergw-type-prefix1234......................................................and enter command sh runWorkaround Do not enter long tech-prefix and using the "....." pattern.
CSCsj18014 Caller ID string received with extra charactersSymptom A caller ID may be received with extra characters.
Conditions This symptom is observed when caller ID is enabled on both routers and when the station ID and station name are configured on the FXS side.
Workaround There is no workaround.
CSCsj52927 DATACORRUPTION-1-DATAINCONSISTENCY message in show logSymptom DATACORRUPTION-1-DATAINCONSISTENCY messages are seen in 'show log'
Conditions The messages are seen when the router comes up.
Workaround There is no workaround.
CSCsj66369 Traceback seen at rpmxf_dg_db_initSymptom Tracebacks seen while running metal_vpn_cases.itcl script.
Conditions A strcpy in the file 'rpmxf_dg_online.c' copies more bytes than the destination buffer size.Due to this we are getting data corruption tracebacks.
Workaround There is no workaround.
CSCse85200 Inadequate validation of TLVs in cdpSymptom Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behavior by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router.
Since CDP is a layer-2 protocol, this issue can only be triggered by systems that are residing on the same network segment.
Workaround The workaround is to disable on interfaces where CDP is not necessary.
CSCsb79076 MGCP RSVP enabled calls fails due to spurious error @ qosmodule_mainSymptom %SYS-3-TIMERNEG errors and tracebacks are observed while making MGCP RSVP calls on a analog (RGW) setups. Observed in 12.4(3.9)T1 IOS version.
Workaround No workaround currently available.
CSCsb33172 short-circuit crypto engine operations when faking AM2Symptom A vulnerability exists in the way some Cisco products handle IKE phase I messages which allows an attacker to discover which group names are configured and valid on the device.
A Cisco Security Notice has been published on this issue and can be found at the following URL:
http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml
CSCek37177 malformed tcp packets deplete processor memory.The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.
This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.
Cisco has made free software available to address this vulnerability for affected customers.
This issue is documented as Cisco bug ID CSCek37177
There are workarounds available to mitigate the effects of the vulnerability. This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml
CSCef46191 Unable to telnetSymptom A specifically crafted Transmission Control Protocol (TCP) connection to a telnet or reverse telnet port of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transport Protocol (HTTP) access to the Cisco device. Telnet, reverse telnet, RSH and SSH sessions established prior to exploitation are not affected. All other device services will operate normally.
Conditions User initiated specially crafted TCP connection to a telnet or reverse telnet port results in blocking further telnet sessions. Whereas, services such as packet forwarding, routing protocols and all other communication to and through the device remains unaffected.
Workaround The detail advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml
CSCed93836 modifications needed to syn rst packet responseA vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the
application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
CSCed38527 TCP checks should verify syn sequence numberA vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the
application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
CSCed27956 TCP checks should verify ack sequence numberA vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the
application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
CSCeh73049 tclsh mode bypasses aaa command authorization checkSymptom A vulnerability exists within the Cisco IOS Authentication, Authorization, and Accounting (AAA) command authorization feature, where command authorization checks are not performed on commands executed from the Tool Command Language (Tcl) exec shell. This may allow authenticated users to bypass command authorization checks in some configurations resulting in unauthorized privilege escalation.
Conditions Devices that are not running AAA command authorization feature, or do not support Tcl functionality are not affected by this vulnerability. This vulnerability is present in all versions of Cisco IOS that support the tclsh command.
Workaround This advisory with appropriate workarounds is posted at http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml
CSCsd92405 router crashed by repeated SSL connection with malformed finished messageCisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
•Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
•Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
•Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
Note Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml
A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
CSCsb12598 Router forced crash on receiving fragmented TLS ClientHelloCisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
•* Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
• * Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
• * Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml
A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
CSCsb40304 Router crash on sending repetitive SSL ChangeCipherSpecCisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, A malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
•Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
•Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
•Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml
A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
CSCsb11124 SGBP Crafted Packet Denial of ServiceThe Cisco IOS Stack Group Bidding Protocol (SGBP) feature in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable denial of service condition.
Devices that do not support or have not enabled the SGBP protocol are not affected by this vulnerability. Cisco has made free software available to address this vulnerability for affected customers.
There are workarounds available to mitigate the effects of the vulnerability.
Cisco has published a Security Advisory on this issue; it is available at http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml
CSCse05736 A router running RCP can be reloaded with a specific packetSymptom A router that is running RCP can be reloaded by a specific packet.
Conditions This symptom is seen under the following conditions: - The router must have RCP enabled.
•The packet must come from the source address of the designated system configured to send RCP packets to the router.
•The packet must have a specific data content.
Workaround Put access lists on the edge of your network blocking RCP packets to prevent spoofed RSH packets. Use another protocol such as SCP. Use VTY ACLs.
CSCsd85587 7200 Router crashes with ISAKMP Codenomicon test suiteA vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
The vulnerable cryptographic library is used in the following Cisco products:
•Cisco IOS, documented as Cisco bug ID CSCsd85587
•Cisco IOS XR, documented as Cisco bug ID CSCsg41084
•Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999
•Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348
•Cisco Firewall Service Module (FWSM) CSCsi97695
This vulnerability is also being tracked by CERT/CC as VU#754281.
Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml .
Note Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
CSCse56501A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability an offending IPv6 packet must be targeted to the device. Packets that are routed throughout the router can not trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is Resource Reservation Protocol (RSVP) service, which if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.
Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml.
CSCsi01470A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.
CSCee41508 RSVP red zone crashSymptom An IOS device may crash when processing a malformed Resource ReSerVation Protocol (RSVP) packet.
Conditions A device using an affected software version is configured for RSVP and a certain malformed RSVP packet is received.
Workaround If RSVP is required, no workaround exists.
If RSVP is not required, disabling RSVP on all interfaces removes any exposure to this issue.
RSVP can be disabled using the no ip rsvp bandwidth interface configuration command. The show ip rsvp EXEC command can be used on an IOS device to determine if RSVP functionality has been enabled. The show ip rsvp interface EXEC command may be used to identify the specific interfaces on which RSVP has been enabled.
CSCef48336 Corrupted OSPF Hello packets caused software forced crashSymptom OSPF is a routing protocol defined by RFC 2328. It is designed to manage IP routing inside an Autonomous System (AS). OSPF packets use IP protocol number 89.
A vulnerability exists in the processing of an OSPF packet that can be exploited to cause the reload of a system.
Since OSPF needs to process unicast packets as well as multicast packets, this vulnerability can be exploited remotely. It is also possible for an attacker to target multiple systems on the local segment at a time.
Using OSPF Authentication can be used to mitigate the effects of this vulnerability. Using OSPF Authentication is a highly recommended security best practice.
A Cisco device receiving a malformed OSPF packet will reset and may take several minutes to become fully functional. This vulnerability may be exploited repeatedly resulting in an extended DOS attack.
Workaround
Using OSPF Authentication
OSPF authentication may be used as a workaround. OSPF packets without a valid key will not be processed. MD5 authentication is highly recommended, due to inherent weaknesses in plain text authentication. With plain text authentication, the authentication key will be sent unencrypted over the network, which can allow an attacker on a local network segment to capture the key by sniffing packets.
Refer to http://www.cisco.com/en/US/products/products_security_advisory09186a00803be77c.shtml for more information about OSPF authentication.
Infrastructure Access Control Lists
Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network.
Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The white paper "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection ACLs: http://www.cisco.com/warp/public/707/iacl.html
CSCec16481 Software forced crash when router receives corrupted OSPF HelloA Cisco device running Internetwork Operating System (IOS) and enabled for the Open Shortest Path First (OSPF) Protocol is vulnerable to a Denial of Service (DoS) attack from a malformed OSPF packet. The OSPF protocol is not enabled by default.
The vulnerability is only present in IOS release trains based on 12.0S, 12.2, and 12.3. Releases based on 12.0, 12.1 mainlines and all IOS images prior to 12.0 are not affected. Refer to the Security Advisory for a complete list of affected release trains.
Further details and the workarounds to mitigate the effects are explained in the Security Advisory which is available at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20040818-ospf.shtml
CSCeb56909 Crafted packet causes reload on Cisco routersCisco Routers running Internetwork Operating System (IOS) that supports Multi Protocol Label Switching (MPLS) are vulnerable to a Denial of Service (DoS) attack on MPLS disabled interfaces.
The vulnerability is only present in Cisco IOS release trains based on 12.1T, 12.2, 12.2T, 12.3 and 12.3T. Releases based on 12.1 mainline, 12.1E and all releases prior to 12.1 are not vulnerable.
More details can be found in the security advisory which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml
CSCed40933 Multiple crafted IPv6 packets cause reloadCisco Internetwork Operating System (IOS) Software is vulnerable to a Denial of Service (DoS) attack from crafted IPv6 packets when the device has been configured to process IPv6 traffic. This vulnerability requires multiple crafted packets to be sent to the device which may result in a reload upon successful exploitation.
More details can be found in the security advisory which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml.
CSCsc72722 CBAC - firewall resets TCP idle timer upon receiving invalid TCP packetsSymptom TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not timeout.
Conditions With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.
Workaround There is no workaround.
CSCsg16908 IOS FTP Server DeprecationMultiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's file system, including the device's saved configuration, which may include passwords or other sensitive information. The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities. This vulnerability does not apply to the IOS FTP Client feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.
CSCsc64976 HTTP server should scrub embedded HTML tags from cmd outputA vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output from a show buffers command, will be passed to the browser requesting the page. This HTML code could be interpreted by the client browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks. Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content in which HTML commands have been injected. Cisco will be making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml
CSCsb93407 H323 port tcp 1720 still listening after call service stopSymptom When H323 call service stops, the router still listens on TCP port 1720 and completes connection attempts.
Conditions This symptom occurs after H323 is disabled using the following configuration commands:
voice service voip
h323call service stopWorkaround Access can be blocked by deploying an interface access list that blocks access to TCP port 1720 for traffic that is destined for any of the IP addresses of the router.
CSCsf28840 Crash due to configured peer type control vectorA vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device. There are workarounds available for this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml
CSCee08584 ITS/CME: aberrant data may trigger reloadCisco Internetwork Operating System (IOS®) Software release trains 12.1YD, 12.2T, 12.3 and 12.3T, when configured for the Cisco IOS Telephony Service (ITS), Cisco CallManager Express (CME) or Survivable Remote Site Telephony (SRST) may contain a vulnerability in processing certain malformed control protocol messages.
A successful exploitation of this vulnerability may cause a reload of the device and could be exploited repeatedly to produce a Denial of Service (DoS). This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20050119-itscme.shtml
Cisco has made free software upgrades available to address this vulnerability for all affected customers. There are workarounds available to mitigate the effects of the vulnerability.
This vulnerability is documented by Cisco bug ID CSCee08584.
CSCsa54608 IOS Firewall Auth-Proxy for FTP/Telnet Sessions buffer overflowThe Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.
Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.
Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected. Only devices running certain versions of Cisco IOS are affected.
Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml
CSCee45312 Radius authentication bypass when configured with a none fallback methodRemote Authentication Dial In User Service (RADIUS) authentication on a device that is running certain versions of Cisco Internetworking Operating System (IOS) and configured with a fallback method to none can be bypassed.
Systems that are configured for other authentication methods or that are not configured with a fallback method to none are not affected.
Only the systems that are running certain versions of Cisco IOS are affected. Not all configurations using RADIUS and none are vulnerable to this issue.
Some configurations using RADIUS, none and an additional method are not affected. Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
More details can be found in the security advisory which posted at the following URL http://www.cisco.com/warp/public/707/cisco-sa-20050629-aaa.shtml
SCin95836 Buffer overflow in NHRP protocolSymptom A Cisco IOS device configured for NHRP may restart.
Workaround There is no workaround.
CSCei61732 Additional data integrity check in system timerCisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.
Cisco has made free software available that includes the additional integrity checks for affected customers.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml
CSCef68324 ICMPv6 pkt tracebackCisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Cisco has made free software available to address this vulnerability for all affected customers.
More details can be found in the security advisory that is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml
CSCek26492 Enhancements to Packet Input PathSymptom A router may crash if it receives a packet with a specific crafted IP option as detailed in Cisco Security Advisory: Crafted IP Option Vulnerability:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
Conditions This Bug resolves a symptom of CSCec71950. Cisco IOS with this specific Bug are not at risk of crash if CSCec71950 has been resolved in the software.
Workaround Cisco IOS versions with the fix for CSCec71950 are not at risk for this issue and no workaround is required. If CSCec71950 is not resolved, see the following Cisco Security Advisory: Crafted IP Option Vulnerability for workaround information:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
CSCec71950 Crafted IP Option may cause DoS or code executionCisco routers and switches running Cisco IOS or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by this issue.
Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability. This vulnerability was discovered during internal testing.
This advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
CSCsf07847 cdp may fail to discover neighbor information in releases wh CSCse85200Symptom Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behavior by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router. Since CDP is a layer-2 protocol, this issue can only be triggered by systems that are residing on the same network segment.
Conditions When the cdp packet header length is lesser than predefined header length( 4 bytes).
Workaround Workaround is to disable on interfaces where CDP is not necessary.
CSCsj44081 Improvements in diagnostics and instrumentationCisco IOS Software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS Software releases published after April 5, 2007.
Details: With the new enhancement in place, IOS will emit a %DATACORRUPTION-1-DATAINCONSISTENCY error message whenever it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.
The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy errorThe error message is then followed by a traceback.
It is important to note that this error message does not imply that packet data is being corrupted. It does, however provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.
Recommended Action Collect "show tech-support" command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the %DATACORRUPTION-1-DATAINCONSISTENCY message and note those to your support contact.
CSCsg40567 Memory leak found with malformed tls/ssl packets in http core processSymptom Malformed SSL packets may cause a router to leak multiple memory blocks.
Conditions This symptom is observed on a Cisco router that has the ip http secure server command enabled.
Workaround Disable the ip http secure server command.
CSCse56501 two sockets(IP V4 and V6) bound to the same UDP port not workingSymptom When the partner did IPv4 port scanning to DHCPv6 port (UDP/547), the result of port scanning was open although it is used for IPv6.
Conditions Using the port for IPv6 and scan it with IPv4.
Workaround Use different socket for different IP version.
CSCec86420Undebug all stops traffic with IPsec+GRE+CEF (Also see CSCeb56909)Cisco Routers running Internetwork Operating System (IOS) that supports Multi Protocol Label Switching (MPLS) are vulnerable to a Denial of Service (DoS) attack on MPLS disabled interfaces. The vulnerability is only present in Cisco IOS release trains based on 12.1T, 12.2, 12.2T, 12.3 and 12.3T. Releases based on 12.1 mainline, 12.1E and all releases prior to 12.1 are not vulnerable. This bug is a complementary fix to CSCeb56909 which addresses this vulnerability. More details can be found in the security advisory which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml
CSCeb56909 Crafted packet causes reload on Cisco routersCisco Routers running Internetwork Operating System (IOS) that supports Multi Protocol Label Switching (MPLS) are vulnerable to a Denial of Service (DoS) attack on MPLS disabled interfaces. The vulnerability is only present in Cisco IOS release trains based on 12.1T, 12.2, 12.2T, 12.3 and 12.3T. Releases based on 12.1 mainline, 12.1E and all releases prior to 12.1 are not vulnerable. More details can be found in the security advisory which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml
CSCef61610 Incorrect handling of ICMPv6 messages can cause TCP performance problemsA document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the
vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at:
CSCsj06951Traceback @ createCNF_file while configuring user-localeSymptom Traceback seen on terminal.
Conditions When config user-locale and generate CNF file under telephony-service.
Workaround There is no workaround.
Resolved Caveats - Cisco IOS Release 12.3(2)XA5
This section describes unexpected behavior that is fixed in Cisco IOS Release 12.3(2)XA5. Only severity level 1 through 3 are listed.
•CSCdz32659
Symptoms: Many memory allocation failure (MALLOCFAIL) messages may occur for a Cisco Discovery Protocol (CDP) process
Conditions: The symptom is observed on a Cisco 7513 router that runs Cisco IOS Release 12.0(17)ST. The symptom may also occur on other Cisco 7500 series routers that run Release 12.0 S, 12.2 S, 12.3, or 12.3 T.
Workaround: Disable CDP by entering the no cdp run global configuration command.
•CSCdz84583
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer), and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, the attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain a TCP stack are susceptible to this vulnerability.
This advisory is available at the following URL:
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml, and it describes this vulnerability as it applies to Cisco products that do not run Cisco IOSÆ software.
A companion advisory that describes this vulnerability for products that run Cisco IOS software is available at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml.
•CSCeb16876
Symptoms: A Cisco router may generate a "SYS-2-GETBUF" message during the "Tag Input" process, and may subsequently reload unexpectedly.
Conditions: This symptom is observed when the router fragments a Multiprotocol Label Switching (MPLS) packet.
Workaround: There is no workaround.
•CSCeb52066
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer), and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, the attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain a TCP stack are susceptible to this vulnerability.
This advisory is available at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml, and it describes this vulnerability as it applies to Cisco products that do not run Cisco IOS software.
A companion advisory that describes this vulnerability for products that run Cisco IOS software is available at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml.
•CSCeb78836
Symptoms: Cisco IOS software may cause a Cisco router to reload unexpectedly when the router receives a malformed H.225 setup message.
Conditions: This symptom is observed on a Cisco 1700 series that runs Cisco IOS Release 12.2(13c). The symptom occurs when the following debug privileged EXEC commands are enabled:
- debug h225 asn1 - debug h225 events - debug h225 q931
Workaround: There is no workaround.
•CSCeb85136
Symptoms: An IP packet that is sent with an invalid IP checksum might not be dropped.
Conditions: This symptom is observed when the IP checksum is calculated with a decreased time-to-live (TTL) value. For example, in the situation where the IP checksum must be 0x1134 with a TTL of 3, if the packet is sent with an IP checksum of 0x1234 that is calculated by using a TTL value of 2, the packet is not dropped. In all other cases, packets with incorrect checksums are dropped.
Workaround: There is no workaround.
•CSCeb88239
Symptoms: A router that runs RIPng may crash after receiving a malformed RIPng packet, causing a Denial of Service (DoS) on the device.
Conditions: This symptom is observed when the ipv6 debug rip command is enabled on the router. Normally, malformed packets can be sent locally. However, when the ipv6 debug rip command is enabled, the crash can also be triggered remotely. Note that RIP for IPv4 is not affected by this vulnerability.
Workaround: There is no workaround.
•CSCec16481
A Cisco device running Internetwork Operating System (IOS) and enabled for the Open Shortest Path First (OSPF) Protocol is vulnerable to a Denial of Service (DoS) attack from a malformed OSPF packet. The OSPF protocol is not enabled by default.
The vulnerability is only present in IOS releases based on 12.0S, 12.2, and 12.3. Releases based on 12.0, 12.1 mainlines and all IOS images prior to 12.0 are not affected. Refer to the Security Advisory for a complete list of affected release trains.
Further details and the workarounds to mitigate the effects are explained in the Security Advisory which is available at the following URL:
http://www.cisco.com/warp/public/707/cisco-sa-20040818-ospf.shtml.
•CSCec20085
Symptoms: A Cisco router may pause indefinitely when it attempts to play a nonexistent audio file.
Conditions: This symptom is observed when it attempts to get a nonexistent audio file from a Real-Time Streaming Protocol (RTSP) server.
Workaround: There is no workaround.
•CSCec25430
Symptoms: A Cisco device reloads on receipt of a corrupt CDP packet.
Conditions: This symptom is observed when an empty "version" field exists in the output of the show cdp entry * command in least one entry.
Workaround: Disable CDP by entering the no cdp run global configuration command.
First Alternate Workaround: Disable CDP on the specific (sub-)interface(s) whose corresponding neighbor(s) has an empty "version" field in the output of the show cdp entry * command.
Second Alternate Workaround: Disconnect the 7935 or 7936 phone, in the case of the specific symptom that is described above.
•CSCec76694
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packeted voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.
This advisory is available at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•CSCed03333
Symptom: CBAC sessions are left in sis-closing state due to out-of-order packet handling.
Workaround: There is no workaround. Lowering the inspect FTP timeout will reduce exposure. Disabling CEF will reduce exposure.
Fix: Bump certain out-of-order packets to process path for catch-up and then drop packets if unsuccessful.
•CSCed21717
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.
This advisory is available at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•CSCed27956
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml. It describes this vulnerability as it applies to Cisco products that run Cisco IOSÆ software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•CSCed35253
Symptoms: A router may reload unexpectedly after it attempts to access a low memory address.
Conditions: This symptom is observed after ACLs have been updated dynamically, or after the router has responded dynamically to an IDS signature.
Workaround: Disable IP Inspect and IDS.
•CSCed38527
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond the terminated connection. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml. It describes this vulnerability as it applies to Cisco products that run Cisco IOS software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•CSCed40563
Symptoms: Depending upon configuration, issuing the show cdp entry * protocol command may cause a reload of the device.
Conditions: This symptom occurs on Cisco products that are speaking CDP with configurable interface MTU.
Workaround: Disable the CDP, avoid issuing the command under given circumstances, or upgrade to a fixed version of software.
•CSCed65357
Symptom: The HEX representation of ALERTING TPKT is not sent in a voice call with PI value of 8 being sent.
Workaround: There is no workaround.
•CSCed93836
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may automatically get re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond the terminated connection. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•CSCee08584
The following Cisco Internetwork Operating System (IOS) Software releases (12.1YD, 12.2T, 12.3 and 12.3T) when configured for the Cisco IOS Telephony Service (ITS), Cisco CallManager Express (CME) or Survivable Remote Site Telephony (SRST) may contain a vulnerability in processing certain malformed control protocol messages.
A successful exploitation of this vulnerability may cause a reload of the device and could be exploited repeatedly to produce a Denial of Service (DoS). This advisory is available at the following URL:
http://www.cisco.com/warp/public/707/cisco-sa-20050119-itscme.shtml.
Cisco has made free software upgrades available to address this vulnerability for all affected customers. There are workarounds available to mitigate the effects of the vulnerability.
•CSCee45312
Remote Authentication Dial In User Service (RADIUS) authentication on a device that is running certain versions of Cisco Internetworking Operating System (IOS) and configured with a fallback method to none can be bypassed. Systems that are configured for other authentication methods or that are not configured with a fallback method to none are not affected.
Only the systems that are running certain versions of Cisco IOS are affected. Not all configurations using RADIUS and none are vulnerable to this issue. Some configurations using RADIUS, none and an additional method are not affected.
Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
More details can be found in the security advisory which posted at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20050629-aaa.shtml.
•CSCee47441
Symptoms: When the Cisco IOS Firewall CBAC is configured, the router has an apparent software-forced reload caused by one of the inspections processed.
Conditions: This symptom is observed when the router is part of a DMVPN hub-spoke with a Cisco VoIP phone solution deployed on it and the router is connected to the central office over the Internet. The Cisco VoIP phone runs the SKINNY protocol.
Workaround: There is no workaround.
•CSCee67450
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. Only devices with the command bgp log-neighbor-changes configured are vulnerable. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet.
Cisco has made free software available to address this problem.
This issue is tracked by CERT/CC VU#689326.
This advisory will be posted at thre following URL: http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml.
•CSCef46191
Symptoms: A specifically crafted Transmission Control Protocol (TCP) connection to a telnet or reverse telnet port of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transport Protocol (HTTP) access to the Cisco device. Telnet, reverse telnet, RSH and SSH sessions established prior to exploitation are not affected.
All other device services will operate normally.
Conditions: User initiated specially crafted TCP connection to a telnet or reverse telnet port results in blocking further telnet sessions. Services such as packet forwarding, routing protocols and all other communication to and through the device remains unaffected.
Workaround: The detail advisory is available at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml.
•CSCef48336
OSPF is a routing protocol defined by RFC 2328. It is designed to manage IP routing inside an Autonomous System (AS). OSPF packets use IP protocol number 89.
A vulnerability exists in the processing of an OSPF packet that can be exploited to cause the reload of a system. Since OSPF needs to process unicast packets as well as multicast packets, this vulnerability can be exploited remotely. It is also possible for an attacker to target multiple systems on the local segment.
Using OSPF Authentication can be used to mitigate the effects of this vulnerability. Using OSPF Authentication is a highly recommended security best practice. A Cisco device receiving a malformed OSPF packet will reset and may take several minutes to become fully functional. This vulnerability may be exploited repeatedly resulting in an extended DOS attack.
Workarounds: OSPF authentication may be used as a workaround. OSPF packets without a valid key will not be processed. MD5 authentication is highly recommended, due to inherent weaknesses in plain text authentication. With plain text authentication, the authentication key will be sent unencrypted over the network, which can allow an attacker on a local network segment to capture the key by sniffing packets.
For more information about OSPF authentication, refer to the following URL: http://www.cisco.com/en/US/products/products_security_advisory09186a00803be77c.shtml for more information about OSPF authentication.
Infrastructure Access Control Lists
Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The white paper "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection ACLs. You can find it at the following URL: http://www.cisco.com/warp/public/707/iacl.html.
•CSCef61610
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages.
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks.
3. Attacks that use ICMP "source quench" messages.
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at the following URL:
•CSCef67682
Reception of certain IPv6 fragments with carefully crafted illegal contents may cause a router running Cisco IOS to reload if it has IPv6 configured. This applies to all versions of Cisco IOS that include support for IPv6.
The system may be protected by installing appropriate access lists to filter all IPv6 fragments destined for the system. For example:
interface Ethernet0/0
ipv6 traffic-filter nofragments in
!
ipv6 access-list nofragments
deny ipv6 any <my address1> undetermined-transport
deny ipv6 any <my address2> fragments
permit ipv6 any any
This must be applied across all interfaces, and must be applied to all IPv6 addresses which the system recognizes as its own.
This will effectively disable reassembly of all IPv6 fragments. Some networks may rely on IPv6 fragmentation, so careful consideration should be given before applying this workaround.
We would recommend for customers to upgrade to the fixed IOS release. All IOS releases listed in IPv6 Routing Header Vulnerability Advisory at http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml contain fixes for this issue.
•CSCeg15044
Symptoms: A Telnet connection cannot be made even though there are free tty lines, and a "No Free TTYs error" message is generated.
Conditions: This symptom is observed when there are simultaneous Telnet requests.
Workaround: Enter the clear tcp tcb command to clear the line.
•CSCeh13489
Symptoms: A router may reset its Border Gateway Protocol (BGP) session.
Conditions: This symptom is observed when a Cisco router that peers with other routers receives an Autonomous System (AS) path with a length that is equal to or greater than 255.
Workaround: Configure the bgp maxas limit command in such as way that the maximum length of the AS path is a value below 255. When the router receives an update with an excessive AS path value, the prefix is rejected and recorded the event in the log.
•CSCeh47763
Symptoms: A Cisco router may erroneously send ACK packets in response to RST packets for non-local TCP sessions. This can cause high CPU utilization on the router.
Conditions: This symptom occurs when using Port Address Translation (PAT).
Workaround: Use the clear ip nat translation command.
•CSCei61732
Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, described below, that are intended to reduce the likelihood of arbitrary code execution.
Cisco has made free software available that includes the additional integrity checks for affected customers. This advisory is posted at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.
•CSCin56408
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.
This advisory is available at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•CSCin67568
Symptoms: A Cisco device experiences a memory leak in the CDP process.
Conditions: The device sending CDP packets sends a hostname that is 256 or more characters. There are no problems with a hostname of 255 or fewer characters.
Workaround: Configure the neighbor device to use less than a 256 character hostname, or disable the CDP process with the global command no cdp run.
•CSCsa52807
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages.
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks.
3. Attacks that use ICMP "source quench" messages.
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at the following URL:
•CSCsa54608
The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.
Devices that do not support, or are not configured, for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.
Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.
Only devices running certain versions of Cisco IOS are affected.
Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
This advisory will be posted at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml.
Resolved Caveats - Cisco IOS Release 12.3(2)XA4
This section describes unexpected behavior that is fixed in Cisco IOS Release 12.3(2)XA4. Only severity level 1 through 3 are listed.
•CSCef68324
Cisco Internetwork Operating System (IOS) software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Cisco has made free software available to address this vulnerability for all affected customers.
More details can be found in the security advisory that is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.
Resolved Caveats - Cisco IOS Release 12.3(2)XA3
This section describes unexpected behavior that is fixed in Cisco IOS Release 12.3(2)XA3. Only severity level 1 through 3 are listed.
•CSCed78149—TCP connections doing PMTU discovery vulnerable to spoofed ICMP pkts.
See note for CSCef43691.
•CSCef43691—L2TPv3 and UTI sessions doing PMTUD vulnerable to spoofed ICMP paks.
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at:
•CSCef44225—IPSec (ESP-AH) doing PMTUD vulnerable to spoofed ICMP packets.
See note for CSCef43691.
•CSCef44699—GRE and IPinIP doing PMTUD vulnerable to spoofed ICMP packets.
See note for CSCef43691.
•CSCef60659—More stringent checks required for ICMP unreachables.
See note for CSCef43691.
•CSCin82407—XAUTH failure and blank ACK can allow Phase 2 negotiation.
Cisco Internetwork Operating System (IOS) Software release trains 12.2T, 12.3 and 12.3T may contain vulnerabilities in processing certain Internet Key Exchange (IKE) Xauth messages when configured to be an Easy VPN Server.
Successful exploitation of these vulnerabilities may permit an unauthorized user to complete authentication and potentially access network resources.
This advisory will be posted to http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml
•CSCsa59600—IPSec PMTUD not working [after CSCef44225].
See note for CSCef43691.
Resolved Caveats - Cisco IOS Release 12.3(2)XA2
This section describes unexpected behavior that is fixed in Cisco IOS Release 12.3(2)XA2.
Note Release 12.3(2)XA2 is a rebuild that applies to the Cisco 3200 series platform only.
Resolved Caveats - Cisco IOS Release 12.3(2)XA1
This section describes unexpected behavior that is fixed in Cisco IOS Release 12.3(2)XA1.
Note Release 12.3(2)XA1 is a rebuild that applies to the Cisco 1700 series and the Cisco 3200 series platforms only.
Resolved Caveats - Cisco IOS Release 12.3(2)XA
This section describes unexpected behavior that is fixed in Cisco IOS Release 12.3(2)XA. Only severity level 1 through 3 are listed.
•CSCdw29559
Easy VPN does not support Secure ID token-based cards.
Workaround: Upgrade to Cisco IOS Release 12.3(2)XA.
•CSCdx27977
Easy VPN and IPSEC NAT transparency are not interoperable.
Workaround: Upgrade to Cisco IOS Release 12.3(2)XA.
•CSCdy01553
The server is not allowed to use the client configured username and password in Xauthentication. This forces the client to manually enter the information.
Workaround: Upgrade to Cisco IOS Release 12.3(2)XA.
•CSCdz09223
Easy VPN does not support IP compression because the client does not propose the compression method.
Workaround: Upgrade to Cisco IOS Release 12.3(2)XA.
•CSCdz77757
The client might not handle AAA Authentication (XAuth) requests properly during an IKE rekey. This causes the Easy VPN connection to drop.
Workaround: Upgrade to Cisco IOS 12.3(2)XA.
•CSCea33138
While NHRP and IPSec are resolving and building, spoke-to-spoke dynamic tunnel packets are dropped if the spoke is Cisco Expressed Forwarding (CEF). Packets are forwarded through the hub if the spoke is process switching.
Workaround: Upgrade to Cisco IOS 12.3(2)XA.
•CSCea34836
NHRP might incorrectly send a resolution request to the last configured Next Hop Server (NHS) after sending a resolution to the first NHS.
Workaround: Upgrade to Cisco IOS 12.3(2)XA.
•CSCea55431
The browser might abort the processing of a redirect message if it receives a TCP reset before it sends the FIN. The browser requires the TCP connection to be closed gracefully in order to process redirect message.
Workaround: Upgrade to Cisco IOS 12.3(2)XA.
•CSCea64819
Crypto/Next Hop Resolution Protocol (NHRP) are not able handle a peer address change.
Workaround: Upgrade to Cisco IOS 12.3(2)XA.
•CSCeb01608
The Secure Shell (SSH) session might hang.
Workaround: Enter the clear tcp tcb command to clear the VTY line.
•CSCeb03666
If the router is configured for Internet Key Exchange (IKE) aggressive mode negotiation, it might abort the operation. If it does abort it, the router will display the following error message:
%CRYPTO-3-IKMP_PEER_INIT_FAILUREWorkaround: Use only main mode of IKE negotiation or upgrade to Cisco IOS 12.3(2)XA.
•CSCeb07288
The Cisco 800 router might crash unexpectedly soon after reboot. When it crashes, it displays the following error message:
Unexpected exception to CPUvector 1200, PC = 801E6C1C -Traceback= 801E6C1C 801E6EC0 801E70C4 806C70F0 806C7384 806D3C58 806D3C84 803C3664 8030ACC8 80184EA0 803B2524 803A01AC 803A17BC 8039F724 8039F8F4 8039FAC0 801FD9C8 0x801E6C1C:mgd_timer_set_exptime_internal(0x801e6980)+0x29c 0x801E6EC0:mgd_timer_set_exptime(0x801e6e8c)+0x34 0x801E70C4:mgd_timer_start_jittered(0x801e7098)+0x2c 0x806C70F0:nhrp_init_retransmission_timer(0x806c70a8)+0x48 0x806C7384:nhrp_req_enq(0x806c7114)+0x270 0x806D3C58:nhrp_ip_macaddr(0x806d397c)+0x2dc 0x806D3C84:nhrp_ip_macaddr_wrap(0x806d3c70)+0x14 0x803C3664:ip_tunnel_macaddr(0x803c35b0)+0xb4 0x8030ACC8:tunnel_vencap(0x8030ab98)+0x130 0x80184EA0:pak_encap(0x80184e74)+0x2c 0x803B2524:ipsendnet(0x803b2158)+0x3cc 0x803A01AC:ip_forward_to_net(0x803a00b4)+0xf8 0x803A17BC:ip_forward(0x803a0380)+0x143c 0x8039F724:ip_process_pak(0x8039e678)+0x10ac 0x8039F8F4:ip_process_input(0x8039f89c)+0x58 0x8039FAC0:ip_input(0x8039fa00)+0xc0 0x801FD9C8:ppc_process_dispatch(0x801fd9a4)+0x24Workaround: Upgrade to Cisco IOS Release 12.3(2)XA.
•CSCeb30308
When HSRP is configured on multiple interfaces, one of the interfaces might continuously keep line protocol down/up.
Workaround:There are five workaround options for this problem:
1. Configure the interface's burned in address with the standby use-bia command.
2. Increase the HSRP minimum delay timer from 1 second to 37 seconds.
3. Decrease the HSRP minimum delay timer from 1 second to 12 seconds and change the Fast Ethernet keepalive timer to 12 seconds.
4. Downgrade Cisco IOS software 12.2(11)YV or earlier.
5. Upgrade to Cisco IOS software 12.3(2)XA.
•CSCeb39074
Easy VPN client crashes due to %SYS-6-STACKLOW.
Workaround: Upgrade to Cisco IOS Release 12.3(2)XA.
•CSCeb40987
When the unit under testing (UUT) that is the Easy VPN Client tries to establish the tunnel with the remote end, frequent crypto debugs might appear on the UUT. This happens only with hardware crypto enable.
Workaround: Upgrade to Cisco IOS Release 12.3(2)XA.
•CSCeb42023
Complex crypto map entries might be missing from mtree at the time the router is boot up.
Workaround:Upgrade to Cisco IOS Release 12.3(2)XA.
•CSCeb43574
The no ip urlfilter exclusive-domain {permit | deny} domain-name command might crash the Cisco 831 router if the feature is not already configured on the router.
Workaround:Do not disable the feature if it is not already configured on the router or upgrade to Cisco IOS Release 12.3(2)XA.
•CSCeb43744
There might be Easy VPN-IOS functionality problems in HARPER images(0.5.0).
Workaround:Upgrade to Cisco IOS 12.3(2)XA.
•CSCeb44695
When GRE is protected through IPSec with the tunnel protection command and the peer loses its SAs, the peer that lost its SAs might not act upon invalid SPI events as it should. If the crypto policy is dynamically constructed, and the peer has lost its SAs, the peer also might not act upon invalid SPI events as it should.
Workaround: Upgrade to Cisco IOS release 12.3(2)XA.
•CSCeb52612
The CNS Agent might not use the source IP address to establish TCP connection to the server.
Workaround: Upgrade to Cisco IOS Release 12.3(2)XA.
•CSCeb63813
The crypto sockets might not be cleaned up properly after the life time IPSec expires.
Workaround: Upgrade to Cisco IOS Release 12.3(2)XA.
•CSCeb66294
The windows XP client might remain bound to the Ethernet interface even when authentication fails.
Workaround: Upgrade to Cisco IOS Release 12.3(2)XA.
•CSCin42398
When extended access lists are applied on output interfaces, the packets are not forwarded.
Workaround: Use standard access lists or upgrade to Cisco IOS release 12.3(2)XA.
•CSCin44117
Packets arriving at the Ethernet 0 interface of Cisco 831 router might be dropped.
Workaround: Upgrade to Cisco IOS Release 12.3(2)XA.
•CSCin44566
Removing the Easy VPN configuration from the Easy VPN client might not delete the IPSEC Security Associations at the Easy VPN server
Workaround: Manually clear the IPSEC SAs at the Easy VPN server or upgrade to Cisco IOS release 12.3(2)XA.
•CSCin47312
IPSEC cannot be used on the Cisco 827 router when the Easy VPN client is configured for network extension mode. The following error will display under these circumstances:
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 70.0.0.2Workaround: Do not to use network extension mode on Easy VPN client or upgrade to Cisco IOS 12.3(2)XA.
•CSCin50136
PPPoE session might not come up upon delivering the PPPoE configuration to the CPE. This occurs even though the ISP router is configured for the PPPoE profile. The session comes up only when the clear pppoe all command is delivered.
Workaround: Upgrade to Cisco IOS 12.3(2)XA.
•CSCuk42546
The CNS syntax checker might fail when in IP DHCP pool submode.
Workaround: Upgrade to Cisco IOS 12.3(2)XA.
•CSCuk43613
If the Cisco IOS configuration sent to the router contains the encapsulation aal5snap command and the CNS syntax checking option is enabled, the syntax checker will return an error even though the configuration is valid.
Workaround: Disable the syntax checker when trying to apply the configuration with the encapsulation aal5snap command or upgrade to Cisco IOS 12.3(2)XA.
Open Caveats - Release 12.3(2)XA
The following sections list the open caveats for the Cisco IOS release 12.3(2)XA.
•CSCea90721
Cannot access Internet when Unicast Reverse Path Forwarding (uRPF) is enabled.
Workaround: Remove ip verify unicast source reachable-via rx 100 configuration from interface.
•CSCea93774
Telnet from inside to outside fails for BRI.
Workaround: Configure shutdown and no shutdown commands on the BRI after configuring AutoSecure Context-based Access Control (CBAC).
•CSCeb43048
When the logging buffered command is configured on Cisco 831 and 837 routers, the show run command does not display the logging buffered.
Workaround: None.
•CSCeb43082
Unwanted dot1x debugs are displayed repeatedly.
Workaround: None.
•CSCeb44319
Traceback occurs after the 802.1x authentication succeeds.
Workaround: None.
•CSCeb45476
Easy VPN Tunnel fails to come up after rebooting the router.
Workaround: After rebooting, remove the Easy VPN client configuration from the interface, and configure the tunnel again.
•CSCeb46738
Easy VPN tunnel stays up with wrong password.
Workaround: Try again after ISAKMP SA table is flushed.The tunnel will not come up and it will display an error message.
•CSCeb48261
Console logging of crypto messages does not work as expected.
Workaround: None.
•CSCeb51603
Named IP extended ACLs are not supported in the IP base image on the Cisco 837 router.
Workaround: None.
•CSCeb53094
Spurious memory access occurs while unconfiguring the Easy VPN group.
Workaround: None.
•CSCeb56827
Rebooting the Easy VPN Client router with VPN mod enable command will stop encryption.
A Cisco 83x router configured as an Easy VPN Client with VPN mod enable command will not encrypt any packets after router gets rebooted. VPN tunnel will get established, but there will be no encryption.
Workaround: Disable the VPN card or remove and reapply the crypto map from the interface. Use Advanced Encryption Standard (AES) in software or Triple Data Encryption Standard (3DES) on hardware, and do not change intermittently.
•CSCeb55390
Easy VPN crashes during xauth prompting process.
Workaround: Use the "save-password" option instead of entering the user name and the password on the command-line interface (CLI).
Additional References
The following sections describe the documentation available for the Cisco 831, 836, and 837 routers. Typically, these documents consist of hardware and software installation guides, Cisco IOS configuration and command references, system error messages, feature modules, and other documents. Documentation is available as printed manuals or electronic documents, except for feature modules, which are available online on Cisco.com in pdf or html form.
Use these release notes with the documents listed in the following sections:
Release-Specific Documents
The following documents are specific to Release 12.3 and apply to Release 12.3(2)XA. They are located on Cisco.com:
•Cross-Platform Release Notes for Cisco IOS Release 12.3T
•Field Notices: http://www.cisco.com/warp/public/tech_tips/index/fn.html.
•Caveats for Cisco IOS Release 12.3 and Caveats for Cisco IOS Release 12.3T
Platform-Specific Documents
Hardware installation guides, configuration and command reference guides, and additional documents specific to the Cisco 831, 836, and 837 routers are available on Cisco.com at the following location:
http://www.cisco.com/en/US/products/hw/routers/tsd_products_support_category_home.html
Feature Modules
Feature modules describe new features supported by Cisco IOS Release 12.3 and Cisco IOS Release 12.4(6)XE, and are updates to the Cisco IOS documentation set. A feature module consists of a brief overview of the feature, benefits, configuration tasks, and a command reference. As updates, the feature modules are available online only.
Cisco Feature Navigator
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a particular set of features and which features are supported in a particular Cisco IOS image. Cisco Feature Navigator is available 24 hours a day, 7 days a week.
To use Cisco Feature Navigator, you must have a JavaScript-enabled web browser such as Netscape 3.0 or later, or Internet Explorer 4.0 or later. Internet Explorer 4.0 always has JavaScript enabled. To enable JavaScript for Netscape 3.x or Netscape 4.x, follow the instructions provided with the web browser. For JavaScript support and enabling instructions for other browsers, check with the browser vendor.
Cisco Feature Navigator is updated when major Cisco IOS software releases and technology releases occur. You can access Feature Navigator at the following URL:
Cisco IOS Software Documentation Set
The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents.
Documentation Modules
Each module in the Cisco IOS documentation set consists of one or more configuration guides and one or more corresponding command references. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Use each configuration guide with its corresponding command reference. Cisco IOS Software Documentation is available in html or pdf form.
Select your release and click the command references, configuration guides, or any other Cisco IOS documentation you need
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feed-back, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Use this document in conjunction with the documents listed in the "Additional References" section.
CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0705R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007, Cisco Systems, Inc. All rights reserved