Cisco IOS Software Releases 12.3 Special and Early Deployments

Table Of Contents

Release Notes for the Cisco 3200 Series Wireless and Mobile Routers for Cisco IOS Release 12.3(2)JL

Contents

System Requirements

Memory Requirements

Hardware Supported

Determining the Software Version

Upgrading to a New Software Release

Feature Set Tables

New and Changed Information

New Hardware Features in Release 12.3(2)JL4

New Software Features in Release 12.3(2)JL4

New Hardware Features in Release 12.3(2)JL3

New Software Features in Release 12.3(2)JL3

New Hardware Features in Release 12.3(2)JL2

New Software Features in Release 12.3(2)JL2

New Hardware Features in Release 12.3(2)JL

New Software Features in Release 12.3(2)JL

5 GHz Frequency Band

802.11h (DFS and TPC)

Limitations and Restrictions

Caveats

Open Caveats - Cisco IOS Release 12.3(2)JL4

Resolved Caveats - Cisco IOS Release 12.3(2)JL4

Open Caveats - Cisco IOS Release 12.3(2)JL3

Resolved Caveats - Cisco IOS Release 12.3(2)JL3

Open Caveats - Cisco IOS Release 12.3(2)JL2

Resolved Caveats - Cisco IOS Release 12.3(2)JL2

Open Caveats - Cisco IOS Release 12.3(2)JL1

Resolved Caveats - Cisco IOS Release 12.3(2)JL1

Hardware Caveats - Cisco IOS Release 12.3(3)JL

Additional References

Release-Specific Documents

Platform-Specific Documents

Obtaining Documentation, Obtaining Support, and Security Guidelines

Release Notes for the Cisco 3200 Series Wireless and Mobile Routers for Cisco IOS Release 12.3(2)JL

---

October 29, 2007

Cisco IOS Release 12.3(2)JL4

OL-12925-03

These release notes describe new features and significant software components for the Cisco 3200 Series 5-GHz wireless mobile interface card (WMIC), model C3205, which supports Cisco IOS Release 12.3(2)JL. These release notes are updated as needed to describe new memory requirements, new features, new hardware support, software platform deferrals, microcode or modem code changes, related document changes, and any other important changes. Use these release notes with the Cross-Platform Release Notes for Cisco IOS Release 12.3T located on Cisco.com in pdf or html format.

For a list of the software caveats that apply to Release 12.3(2)JL, see the "Caveats" section section, and see the online Caveats for Cisco IOS Release 12.3(2)T document. The caveats document is updated for every 12.3T maintenance release and is located on Cisco.com.

We recommend that you view the field notices for this release to see if your software or hardware platforms are affected. If you have an account on Cisco.com, you can find field notices at http://www.cisco.com/warp/public/tech_tips/index/fn.html. If you do not have a Cisco.com login account, you can find field notices at http://www.cisco.com/warp/public/tech_tips/index/fn.html.

Contents

•System Requirements

•New and Changed Information

•Limitations and Restrictions

•Caveats

•Additional References

•Obtaining Documentation, Obtaining Support, and Security Guidelines

System Requirements

This section describes the system requirements for Cisco IOS Release 12.3(2)JL and includes the following sections:

•Memory Requirements

•Hardware Supported

•Determining the Software Version

•Upgrading to a New Software Release

•Feature Set Tables

Memory Requirements

This section describes the memory requirements for the Cisco IOS feature sets that are supported by the Cisco IOS Release 12.3(2)JL for the Cisco 3200 series wireless and mobile routers.

Table 1 Recommended Memory for the Cisco 3200 Series Mobile Access Router

Platform	Image Name	Feature Set	Image	Flash Memory	DRAM Memory
5-GHz Wireless Mobile Interface Card (WMIC)	Cisco C3205 WMIC WLAN	Wireless LAN	c3205-k9w7-tar	8 MB	32MB

Hardware Supported

The Cisco IOS Release 12.3(2)JL supports the 5-GHz Wireless Mobile Interface Card (WMIC) for the Cisco 3200 Series Mobile Access Router.

For descriptions of existing hardware features and supported modules, see the configuration guides and additional documents specific to the Cisco 3200 Series Mobile Access Router, which are available on Cisco.com at the following location:

http://www.cisco.com/en/US/products/hw/routers/ps272/tsd_products_support_series_home.html

Determining the Software Version

To determine which version of Cisco IOS software is currently running on the Cisco 3200 Series router, log in to the router and enter the show version EXEC command. The following sample output from the show version command indicates the version number on the second output line.

Router# show version

Cisco Internetwork Operating System Software 

IOS (tm) C3205 Software (C3205-K9W7-M), Experimental Version 12.3(20061011:211650) 

Copyright (c) 1986-2006 by cisco Systems, Inc.

Compiled Wed 11-Oct-06 14:20

Image text-base: 0x00003000, data-base: 0x00682E94

Upgrading to a New Software Release

For general information about upgrading to a new software release, see the Software Installation and Upgrade Procedures, which are located on Cisco.com.

Feature Set Tables

The Cisco IOS software is packaged in feature sets consisting of software images, depending on the platform. Each feature set contains a specific set of Cisco IOS features. Cisco IOS Release 12.3(2)JL supports the same feature sets as Cisco IOS Releases 12.3, but Release 12.3(2)JL includes new features supported by the Cisco 3200 Series wireless and mobile routers.

---

Caution The Cisco IOS images with strong encryption (including, but not limited to, 168-bit [3DES] data encryption feature sets) are subject to United States government export controls and have limited distribution. Strong encryption images to be installed outside the United States will likely require an export license. Customer orders can be denied or subject to delay as a result of United States government regulations. When applicable, the purchaser/user must obtain local import and use authorizations for all encryption strengths. Please contact your sales representative or distributor for more information, or send an e-mail to export@cisco.com.

---

Table 1 lists the features and feature sets that are supported in Cisco IOS Release 12.3(2)JL.

The table uses the following conventions:

•Yes—The feature is supported in the software image.

•No—The feature is not supported in the software image.

---

Note This feature set table contains only a selected list of features, which are cumulative for Cisco IOS Release 12.3(2)nn early deployment releases only (nn identifies each early deployment release). The table does not list all features in each image; additional features are listed in Cross-Platform Release Notes for Cisco IOS Release 12.3(2)T and in Cisco IOS Release 12.3(2)T documentation.

Table 1 Features Supported by the Cisco 3200 Series Wireless and Mobile Routers

Feature	In	Image
802.11a (5 GHz) frequency band	Yes	5-GHz WMIC only. See Table 1 for image
802.11h (DFS & TPC)	Yes	5-GHz WMIC only. See Table 1 for image

New and Changed Information

•New Hardware Features in Release 12.3(2)JL4

•New Software Features in Release 12.3(2)JL4

•New Hardware Features in Release 12.3(2)JL3

•New Software Features in Release 12.3(2)JL3

•New Hardware Features in Release 12.3(2)JL3

•New Software Features in Release 12.3(2)JL2

•New Hardware Features in Release 12.3(2)JL3

•New Software Features in Release 12.3(2)JL

New Hardware Features in Release 12.3(2)JL4

There are no new hardware features in this release.

New Software Features in Release 12.3(2)JL4

There are no new software features in this release.

New Hardware Features in Release 12.3(2)JL3

There are no new hardware features in this release.

New Software Features in Release 12.3(2)JL3

There are no new software features in this release.

New Hardware Features in Release 12.3(2)JL2

There are no new hardware features in this release.

New Software Features in Release 12.3(2)JL2

There are no new software features in this release.

New Hardware Features in Release 12.3(2)JL

The 5-GHz Wireless Mobile Interface Card (WMIC) is a mobile interface card (MIC) in a standard PC/104-Plus form factor. It is one component of the Cisco 3200 Series wireless and mobile routers, connected to the router internally through a 10/100 Fast Ethernet interface, and provides a 5-GHz wireless interface for ETSI the regulatory domain.

The 5-GHz Wireless Mobile Interface Card (WMIC) can be configured as a:

•wireless access point

•wireless root bridge

•wireless work group bridge

•wireless non-root bridge without clients.

The key features of the Wireless Mobile Interface Card (WMIC) include the following:

•Ruggedized components.

•One autosensing switched 10/100 Fast Ethernet interface.

New Software Features in Release 12.3(2)JL

The following sections describe the new software features supported by the Cisco 3200 Series wireless and mobile routers for Cisco IOS Release 12.3(2)JL:

•5 GHz frequency band

•802.11h (DFS and TPC)

5 GHz Frequency Band

For different countries or regulatory domains, channelization is different. ETSI regulatory domain defines 5.15 GHz to 5.25 GHz for indoor use, 5.25 GHz to 5.35 GHz for indoor or outdoor use, and 5.47 GHz to 5.725 GHz for outdoor only. FCC regulatory domain defines 5.15 GHz to 5.25 GHz for indoor use, 5.25 GHz to 5.35 GHz for indoor or outdoor use, and 5.725 GHz to 5.825 GHz for outdoor only.

The 5.0 GHz radio in the Cisco 3200 Series router (currently available as the Cisco 3205 WMIC) supports the following US and ETSI channels:

•USA M&L: 5180 MHz (36), 5200 MHz (40), 5220 MHz (44), 5240 MHz (48), 5260 MHz (52), 5280 MHz (56), 5300 MHz (60), 5320 MHz (64), 5745 MHz (149), 5765 MHz (153), 5785 MHz (157), and 5805 MHz (161).

•US UNI3: 5745 MHz (149), 5765 MHz (153), 5785 MHz (157), and 5805 MHz (161).

•ETSI Channel: 5260 MHz (52), 5280 MHz (56), 5300 MHz (60), 5320 MHz (64), 5.470 GHz to 5.725 GHz: 5500 MHz (100), 5520 MHz (104), 5540 MHz (108), 5560 MHz (112), 5580 MHz (116), 5600 MHz (120), 5620 MHz (124), 5640 MHz (128), 5660 MHz (132), 5680 MHz (136), 5700 MHz (140). (Channels 52 through 140 are ETSI outdoor channels:

•Dynamic Frequency Selection (DFS) requires automatic channel selection on the interface. Channel selection might be disabled for in an ETSI regulatory domain. The spacing channel dfs command command is supported in the ETSI domain. The show interface d0 dfs command provides DFS statistics.

802.11h (DFS and TPC)

802.11h is a protocol enhancement designed to add two new feature enhancements in the 5 GHz band. Approved in September, 2003, the IEEE 802.11h standard defines mechanisms to ensure that 802.11h WLAN devices operate according to regulatory requirements for the 5 GHz spectrum. These mechanisms are Dynamic Frequency Selection (DFS) and Transmission Power Control (TPC). DFS selects the radio channel at the access point to minimize interference with military radar. TPC limits the transmitted power to the minimum power level needed to reach the furthest user. In addition to meeting regulatory requirements, DFS and TPC can be leveraged to improve the deployment, operation and management of WLANs.

To date, regulatory requirements governing the use of the 5 GHz band vary from country to country, slowing broad market adoption of 802.11h. In response to these barriers to adoption, the International Telecommunication Union (ITU) recommended a standard for WLANs to share the 5 GHz spectrum with primary-use devices such as military radar systems.

The Cisco 3205 WMIC supports 802.11h for ETSI regulatory domain only.

Limitations and Restrictions

The following sections describe limitations concerning the new hardware and software features supported by the Cisco 3200 Series WMIC for Cisco IOS Release 12.3(2)JL.

•This version of hardware release only supports 20 MHz channel bandwidth.

•This version of hardware release only supports data rates upto 48 MB.

Caveats

Caveats describe unexpected behavior or defects in the Cisco IOS software releases. Severity 1 caveats are the most serious caveats, severity 2 caveats are less serious, and severity 3 caveats are the least serious of these three severity levels.

---

Note If you have an account with Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com, to go to: http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl. 

---

This sections contains the following information:

•Open Caveats - Cisco IOS Release 12.3(2)JL4

•Resolved Caveats - Cisco IOS Release 12.3(2)JL4

•Open Caveats - Cisco IOS Release 12.3(2)JL3

•Resolved Caveats - Cisco IOS Release 12.3(2)JL3

•Open Caveats - Cisco IOS Release 12.3(2)JL2

•Resolved Caveats - Cisco IOS Release 12.3(2)JL2

•Open Caveats - Cisco IOS Release 12.3(2)JL1

•Resolved Caveats - Cisco IOS Release 12.3(2)JL1

•Hardware Caveats - Cisco IOS Release 12.3(3)JL

Open Caveats - Cisco IOS Release 12.3(2)JL4

There are no open caveats in this release.

Resolved Caveats - Cisco IOS Release 12.3(2)JL4

CSCsj81502 show pagp clis are not displaying the correct information

Symptom    In release 12.2(33)SXH or 12.2(18)SXF10 releases, the output of 'show pagp neighbor' command may truncate the neighbor device name and port name fields by 1 character. This is just a display issue and has no functional impact on the PAGP protocol.

Conditions   

1. This issue is only seen with 12.2(33)SXH and 12.2(18)SXF10 images.

2. This issue only affects PAGP etherchannel member ports.

Workaround   There is no workaround. If a user wants to find out the partner's correct information, it is recommended to use the output of "show cdp neighbor" command.

CSCsj66692 Data integrity traceback seen in voip/ccapi/ccapi_call.c

Symptom    Data corruption copy error tracebacks are seen on the console or output from the show logging command.

For example:

%DATACORRUPTION-1-DATAINCONSISTENCY: copy error,  -PC= 0x41224EFC,  -

Traceback= 0x4153A7D0 0x4155BA0C 0x4157FAF0 0x41224EFC 0x41DDC0A8 0x41DDC198 

0x41DC6D84 0x41DF3B0C 0x41DC506C 0x41DCE5A4 0x41D91AF8 0x41D90F88 0x41D9BEFC 

0x41D9C0C0 0x41DAEA68 

Conditions   Cisco IOS Software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. With the new enhancement, IOS will emit a %DATACORRUPTION-1-DATAINCONSISTENCY error message whenever it detects an inconsistency in its internal data structures.

Workaround   There is no workaround.

CSCsk44257 WMIC 3205 RTS/CTS drops the links when used with encryption

Symptom    When RTS/CTS is deployed on two WMIC acting as root and non-root in conjunction to encryption WPA/TKIP/PSK, link between the two WMICS might experience RTS retries causing disassociation when the RTS retries threshold is reached.

Conditions   There are no special conditions.

Workaround   There is no workaround.

CSCsg39295 Syslog displays password if SCP or FTP selected in 
CISCO-COPY-CONFIG-MIB

Symptom    Password information may be displayed in a Syslog message as follows:

%SYS-5-CONFIG_I: Configured from scp://userid:password@10.1.1.1/config.txt by 
console

Conditions   When using SNMP to modify a configuration by means of the CISCO-CONFIG-COPY-MIB, selection of ConfigCopyProtocol of SCP or FTP may result in the password being exposed in a syslog message.

Workaround   When using SNMP to modify a configuration by means of the CISCO-CONFIG-COPY-MIB, use the ConfigCopyProtocol of RCP to avoid exposure of the password.

CSCeb69473 connect '/terminal-type' command memory corruption

Symptom    Device crashes with a segmentation violation (SegV) exception.

Conditions   Issuing the 'connect <target_ip> [login|513] /terminal-type <value>'command with a large input parameter to the '/terminal-type' argument such as the following:

router>connect 192.168.0.1 login /terminal-type aaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Trying 192.168.0.1...Open

login:

*** System received a SegV exception ***

signal= 0xb, code= 0x1100, context= 0x82f9e688

PC = 0x61616160, Vector = 0x1100, SP = 0x833ae5a8

Workaround   

1. AAA Authorization: AAA authorization enables you to limit the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. Once this is done, the user will be granted access to a requested service only if the information in the user profile allows it.

For a complete description of authorization commands, refer to the following links:

–Configuring Authorization: http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part05/schathor.htm

–ACS 4.1 Command Authorization Sets: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SPC.html#wpxref9538

–CS 4.1 Configuring a Shell Command Authorization Set for a User Group: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMgt.html#wp480029

2. Role-Based CLI Access: The Role-Based CLI Access feature allows the network administrator to define "views," which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices. The following link provides more information about the Role-Based CLI Access feature:

–Role-Based CLI Access: http://www.cisco.com/en/US/netsol/ns696/networking_solutions_white_paper09186a00801ee18d.shtml

3. Device Access Control: Due to the nature of this vulnerability, networking best practices such as access control lists (ACLs) and Control Plane Policing (CoPP) that restrict vulnerable device access to certain IP addresses or Subnetworks may not be effective. Device access best practices provide some mitigation for these issues by allowing systemic control of authenticated and unauthenticated users. Device access best practices are documented in:

–Infrastructure Protection on Cisco IOS Software-Based Platforms Appendix B-Controlling Device Access: http://www.cisco.com/application/pdf/en/us/guest/products/ps1838/c1244/cdccont_0900aecd804ac831.pdf

–Improving Security on Cisco Routers: http://www.cisco.com/warp/public/707/21.html

CSCeg62070 Tracebacks noticed with Radius configs through HTTP Post

Symptom    Tracebacks or crash are seen during HTTP transactions with long URLs.

Conditions   The crash is seen when the length of any token in the URL of the request is excessively long.

Workaround   Disable HTTP server using the no ip http server command.

Open Caveats - Cisco IOS Release 12.3(2)JL3

There are no open caveats in this release.

Resolved Caveats - Cisco IOS Release 12.3(2)JL3

CSCsj18014 Caller ID string received with extra characters

Symptom    A caller ID may be received with extra characters.

Conditions   This symptom is observed when caller ID is enabled on both routers and when the station ID and station name are configured on the FXS side.

Workaround   There is no workaround.

CSCed26739 mm/gk/gk_cli.c:CLI:gw-type-prefix possible buffer overflow

Symptom    The router will reload if "she run" is given after a tech-prefix terminating with a large number of '.'s is configured as follows:

           conf t

               gatekeeper

                 gw-type-prefix 1234......................................................

Conditions   

    conf t

      gatekeeper

        gw-type-prefix

               1234......................................................

       and enter command sh run

Workaround   Do not enter long tech-prefix and using the "....." pattern.

CSCsj66513 Traceback detected at DNQueuePeers

Symptom    Traceback found at DNQueuePeers

Conditions   While verifying the variable digit length dialing numbers for 'Type National' and 'Type International' in the numbering plan to be accepted by the network-side by using functionality/isdn/isdn_dialPlan script.

Workaround   There is no workaround.

CSCsh66369 Traceback seen at rpmxf_dg_db_init

Symptom    Tracebacks seen while running metal_vpn_cases.itcl script

Conditions   A script in the file 'rpmxf_dg_online.c' copies more bytes than the destination buffer size. Due to this we are getting data corruption tracebacks.

Workaround   There is no workaround.

CSCdz55178 QoS profile name of more then 32 chars will crash the router

Symptom    System reloads unexpectedly or other serious side-affects such as memory corruption occur.

Conditions   A cable qos profile with a length greater than 32 characters is configured on the system.

For example:

cable qos profile 12 name g711@10ms_for_any_softswitch_Traa^C

                          00000000011111111111222222222333^ 

                          12345678901234567890123456789012|

                                                          |

                                                       PROBLEM (Variable Overflowed).

Workaround   Change the qos profile name to a value less that 32 characters.

Further Problem Description:   The variable which holds the value for the string name only allows for 32 characters and the code did not properly truncate names longer than the associated buffer.

This caused other locations in memory to be corrupted.

CSCsj52927 DATACORRUPTION-1-DATAINCONSISTENCY message in show log

Symptom    DATACORRUPTION-1-DATAINCONSISTENCY messages are seen in 'show log'

Conditions   The messages are seen when the router comes up.

Workaround   There is no workaround.

CSCsb79076 MGCP RSVP enabled calls fails due to spurious error @ qosmodule_main

Symptom    %SYS-3-TIMERNEG errors and tracebacks are observed while making MGCP RSVP calls on a analog (RGW) setups. Observed in 12.4(3.9)T1 IOS version.

Workaround   No workaround currently available.

CSCsj16292 DATACORRUPTION-1-DATAINCONSISTENCY: copy error

Symptom    Following an upgrade to 12.2(18)SXF9, the following message may be displayed:

%DATACORRUPTION-1-DATAINCONSISTENCY: copy error

-Traceback= 

Conditions   This message may appear as a result of SNMP polling of PAgP variables, but does not appear to be service impacting

Workaround   There is no workaround.

CSCsj18014 Caller ID string received with extra characters

Symptom    A caller ID may be received with extra characters.

Conditions   This symptom is observed when caller ID is enabled on both routers and when the station ID and station name are configured on the FXS side.

Workaround   There is no workaround.

CSCsj44081 Improvements in diagnostics and instrumentation 

Cisco IOS Software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS Software releases published after April 5, 2007.

Details:    With the new enhancement in place, IOS will emit a %DATACORRUPTION-1-DATAINCONSISTENCY error message whenever it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.

The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp

May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error 

The error message is then followed by a traceback.

It is important to note that this error message does not imply that packet data is being corrupted. It does, however provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.

Recommended Action    Collect "show tech-support" command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the %DATACORRUPTION-1-DATAINCONSISTENCY message and note those to your support contact.

Open Caveats - Cisco IOS Release 12.3(2)JL2

There are no open caveats in this release.

Resolved Caveats - Cisco IOS Release 12.3(2)JL2

There ere no closed careats for this release.

Open Caveats - Cisco IOS Release 12.3(2)JL1

There are no open caveats in this release.

Resolved Caveats - Cisco IOS Release 12.3(2)JL1

CSCsd85587

A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.

The vulnerable cryptographic library is used in the following Cisco products:

–Cisco IOS, documented as Cisco bug ID CSCsd85587

–Cisco IOS XR, documented as Cisco bug ID CSCsg41084

–Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999

–Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348

–Cisco Firewall Service Module (FWSM)

This vulnerability is also being tracked by CERT/CC as VU#754281.

Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.

---

Note Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.

---

CSCsb12598

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

–Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

–Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

–Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.

---

Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.

---

A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCec71950 Crafted IP Option may cause DoS or code execution

Symptom    Cisco routers and switches running Cisco IOS or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by this issue.

Workaround   There are workarounds available to mitigate the effects of the vulnerability. Cisco has made free software available to address this vulnerability for affected customers.

This advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

CSCed95187 IP ID field is predictable for connectionless RST packets

Symptom    RST packets sent in response to a TCP SYN packet received by the device on a non-listening port contain a non-randomized Identification value on the IP header.

Conditions   There are no special conditions

Workaround   There is no workaround.

Further Problem Description:

From RFC791, the description of the Identification field is: Identification

The choice of the Identifier for a datagram is based on the need to provide a way to uniquely identify the fragments of a particular datagram. The protocol module assembling fragments judges fragments to belong to the same datagram if they have the same source, destination, protocol, and Identifier.

Thus, the sender must choose the Identifier to be unique for this source, destination pair and protocol for the time the datagram (or any fragment of it) could be alive in the internet. It seems then that a sending protocol module needs to keep a table of Identifiers, one entry for each destination it has communicated with in the last maximum packet lifetime for the internet.

Also from RFC791: The IP ID is before the flags and fragment offset fields.

3.1. Internet Header Format

Example Internet Datagram Header

A summary of the contents of the internet header follows:

0                   1                   2                   3

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    |Version| IHL  |Type of Service|          Total Length         |

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    |         Identification        |Flags|      Fragment Offset    |

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    |  Time to Live |    Protocol   |         Header Checksum       |

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    |                       Source Address                          |

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    |                    Destination Address                        |

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    |                    Options                    |    Padding    |

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

CSCeh60551 certificate crashes 12.3.4.JA AP

Symptom    Certain malformed client certificates may cause an Access Point (AP) to crash.

Conditions   This symptom is observed on a Cisco platform that functions as an AP and that runs Cisco IOS Release 12.3(2)JA2 or Release 12.3(4)JA when EAP-TLS is configured. The symptom may also occur in other releases.

Workaround   Issue a new client certificate.

CSCek26492 Enhancements to Packet Input Path.

Symptom    A router may crash if it receives a packet with a specific crafted IP option as detailed in Cisco Security Advisory: Crafted IP Option Vulnerability:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

Conditions   This Bug resolves a symptom of CSCec71950. Cisco IOS with this specific Bug are not at risk of crash if CSCec71950 has been resolved in the software.

Workaround   Cisco IOS versions with the fix for CSCec71950 are not at risk for this issue and no workaround is required. If CSCec71950 is not resolved, see the following Cisco Security Advisory: Crafted IP Option Vulnerability for workaround information:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

CSCek37177 malformed tcp packets deplete processor memory.

Symptom    The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.

Conditions   This vulnerability only applies to traffic destined to the Cisco IOS device.Traffic transiting the Cisco IOS device will not trigger this vulnerability.

Workaround   Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml

CSCsd92405 router crashed by repeated SSL connection with malformed finished 
message

Symptom    A router crashes when receiving multiple malformed TLS and/or SSL3 finished messages. A valid username and password are not required for the crash to occur.

Conditions   This symptom is observed when a router has HTTP secure server enabled and has an open, unprotected HTTP port.

Workaround   There is no workaround. Minimize the chances of the symptom occurring by permitting only legitimate hosts to access HTTP on the router.

CSCse04560 tftp-server allows for information disclosure

Symptom    A tftp client trying to transfer a file from a Cisco IOS device configured as a tftp server and which is denied by an ACL receives a different result depending if the file is being offered for download or not. This may allow a third party to enumerate which files are available for download.

Conditions   The tftp-server command is configured on the device and an ACL restricting access to the file in question has been applied as in this example:

tftp-server 

flash:filename1 

access-list-number

access-list access-list-

number 

permit 192.168.1.0 

0.0.0.255

access-list access-list-

number 

deny any

Workaround   The following workarounds can be applied:

1. Interface ACL

Configure and attach an access list to every router interface active and configured for IP packet processing. For example:

access-list access-list-

number 

remark --- the following hosts 

and networks area 

ALLOWED for TFTP access

access-list access-list-

number 

permit udp host 

source_1 

host 

interface_address_1 

eq 69

access-list access-list-

number 

permit udp host 

source_2 

host 

interface_address_2 

eq 69

access-list access-list-

number 

permit udp source source-

wildcard 

host 

interface_address_1 

eq 69

access-list access-list-

number 

permit udp source source-

wildcard 

host 

interface_address_2 

eq 69

access-list access-list-

number 

remark --- everyone else is 

DENIED for TFTP 

access

access-list access-list-

number 

deny   udp any host 

interface_address_1 

eq 69

access-list access-list-

number 

deny   udp any host 

interface_address_2 

eq 69

access-list access-list-

number 

remark --- any other traffic 

to/through the router 

is allowed

access-list access-list-

number 

permit ip any any 

interface Ethernet0/0

  ip access-group access-list-

number 

in

Once the tftp server in Cisco IOS is enabled and listening by default on all interfaces enabled for IP processing, the access list would need to deny traffic to each and every IP address assigned to any active router interface.

2. Control Plane Policing

Configure and apply a CoPP policy.

For example:

access-list access-list-

number 

remark --- Do not police TFTP 

traffic from trusted 

hosts and networks

access-list access-list-

number 

deny udp host 

source_1 any 

eq 69

access-list access-list-

number 

deny udp source source-

wildcard 

any eq 69

access-list access-list-

number 

remark --- Police TFTP traffic 

from untrusted 

hosts and networks

access-list access-list-

number 

permit udp any any eq 

69

access-list access-list-

number 

remark --- Do not police any 

other traffic going 

to the router

access-list access-list-

number 

deny ip any any

class-map match-all tftp-

class

match access-group access-list-

number

policy-map control-plane-

policy

  ! Drop all traffic that matches the class tftp-

class

class tftp-

class

drop

control-plane

service-policy input control-

plane-

policy

---

Note CoPP is only available on certain platforms and Cisco IOS releases. Additional information on the configuration and use of the CoPP feature can be found at the following URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper09186a0080211f39.shtml

---

3. Infrastructure ACLs (iACL)

Although often difficult to block traffic transiting your network, identifying traffic which should never be allowed to target your infrastructure devices and blocking this traffic at the border of your network is possible. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control. Lists" presents guidelines and recommended deployment techniques for iACLs:

http://www.cisco.com/warp/public/707/iacl.html

4. Configuring Receive Access Lists (rACLs)

For distributed platforms, rACLs may be an option starting in Cisco IOS Release 12.0(21)S2 for the Cisco 12000 series GSR and Cisco IOS Release 12.0(24)S for the Cisco 7500 series. The receive access lists protect the device from harmful traffic before the traffic can impact the route processor. Receive path ACLs are considered a network security best practice, and should be considered as a long-term addition to good network security, as well as a workaround for this specific vulnerability. The CPU load is distributed to the line card processors and helps mitigate load on the main route processor. The white paper entitled "GSR: Receive Access Control Lists" will help identify and allow legitimate traffic to your device and deny all unwanted packets:

/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a0a5e.shtml

---

Note The suggested workarounds are an "all or nothing" solution. While the tftp-server feature in Cisco IOS allows per-file ACLs to be attached to every file being offered for download, the suggested workarounds are global and will either prevent or allow access to all files being shared. It is recommended to apply the suggested workarounds in addition to the existing per-file ACLs, instead of replacing them.

---

CSCse05736 A router running RCP can be reloaded with a specific packet

Symptom    A router that is running RCP can be reloaded by a specific packet.

Conditions   This symptom is seen under the following conditions:

–The router must have RCP enabled.

–The packet must come from the source address of the designated system configured to send RCP packets to the router.

–The packet must have a specific data content.

Workaround   Put access lists on the edge of your network blocking RCP packets to prevent spoofed RSH packets. Use another protocol such as SCP. Use VTY ACLs.

CSCse78963 adopt new default summer-time rules from EPA BADCODE BUG

Symptom    Starting calendar year 2007, daylight savings summer-time rules may cause Cisco IOS to generate timestamps (such as in syslog messages) that are off by one hour.

Conditions   The Cisco IOS configuration command:

clock summer-time zone recurring

This command uses United States standards for daylight savings time rules by default. The Energy Policy Act of 2005 (H.R.6.ENR), Section 110 changes the start date from the first Sunday of April to the second Sunday of March, and it changes the end date from the last Sunday of October to the first Sunday of November.

Workaround   A workaround is possible by using the clock summer-time configuration command to manually configure the proper start date and enddate for daylight savings time. After the summer-time period for calendar year 2006 is over, one can for example configure:

clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

(this example is for the US/Pacific time zone)

CSCse85200 Inadequate validation of TLVs in cdp

Symptom    Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behavior by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router.

Conditions   Since CDP is a layer-2 protocol, this issue can only be triggered by systems that are residing on the same network segment.

Workaround   is to disable on interfaces where CDP is not necessary.

CSCse95758 Access Lists support for all CONFIG-COPY-MIB protocols under 
snmp-server

Symptom    Customers can use an access list to restrict TFTP configuration transfers that are initiated via SNMP by using the command snmp-server tftp-server-list access-list. This restriction is not possible for theFTP, RCP, and SCP protocols.

Conditions   This symptom is observed on any Cisco IOS platform that is configured

for SNMP. The following sample configuration causes the platform to reject configuration file transfers via SNMP from all hosts except the TFTP server that is specified in access list 5:

snmp-server tftp-server-list 5

access-list 5 permit 10.1.1.1

snmp-server community private RW 5

snmp-server tftp-server-list 5

Workaround   The following workarounds can be applied

1) Apply a more general access list to restrict traffic to and from the affected platform.

2) Disallow configuration copy from SNMP by excluding CISCO-CONFIG-COPY-MIB using snmp views.

3) Disable the SNMP server. Fixed Software Information:

Access-List Support for CISCO-CONFIG-COPY-MIB

The snmp-server file-transfer access-group command is introduced to restrict configuration transfers that are initiated via the Simple Network Management Protocol (SNMP). Supported transfer protocols are TFTP, FTP, Remote Copy Protocol (RCP), Secure Copy Protocol (SCP), and Secured File Transfer Protocol (SFTP). This command replaces the snmp-server tftp-server-list command. For detailed information about the snmp-server file-transfer access-group command, see the Cisco IOS Network Management Command Reference, Release 12.4.

CSCsg47917 WMIC takes over 10+ minutes to associate when set distance = 99

Symptom    WMIC takes over 10+ minutes to associate when distance = 99

Conditions   WMIC takes over 10+ minutes to associate when distance = 99

Workaround   Use distance < 50 to avoid this issue.

CSCsg70355 adopt new default summer-time rules from Energy Policy Act of 2005

Symptom    Starting in calendar year 2007, daylight savings summer-time rules may cause Cisco IOS to generate timestamps (such as in syslog messages) that are off by one hour.

Conditions   The Cisco IOS configuration command:

clock summer-time zone

recurring

uses United States standards for daylight savings time rules by default. The Energy Policy Act of 2005 (H.R.6.ENR), Section 110 changes the start date from the first Sunday of April to the second Sunday of March. It changes the end date from the last Sunday of October to the first Sunday

of November.

Workaround   A workaround is possible by using the clock summer-time configuration command to manually configure the proper start date and end date for daylight savings time. After the summer-time period for calendar year 2006 is over, one can for example configure:

clock summer-time PDT

recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

(This example is for the US/Pacific time zone.)

---

Note Using NTP is not a workaround to this problem. NTP does not carry any information about timezones or summertime.

---

CSCsg95833 Redundant HTML subdir generated by c3202/3205 WMIC tar image

Symptom    There is a confusion with flash memory content which includes empty HTML subdirectory under main image directory on both c3202 and c3205 platform while document describes no GUI interface supported.

Conditions   Whenever c3202/3205 tar image is installed or upgraded to flash memory it will show empty HTMLsubdirectory as following:

Directory of flash:/c3205-k9w7-mx/

16 drwx 64 Jan 1 1970 00:07:59 +00:00 html

18 -rwx 3425677 Jan 1 1970 00:11:36 +00:00 c3205-k9w7-mx

19 -rwx 256 Jan 1 1970 00:11:36 +00:00 info

Directory of flash:c3205-k9w7-mx.123/html/

17 drwx 0 Jan 1 1970 00:07:59 +00:00 level

Workaround   New fixed image will not create this empty HTML subdirectory. Original empty HTML subdirectory have to be erased by following command at bootloader prompt before installing new image

bridge: rmdir flash:/c3205-k9w7-mx/html/level

bridge: rmdir flash:/c3205-k9w7-mx/html

To install new fixed image run following command at bootloader prompt:

bridge: tar tftp://<tftp server ip addr>/c3205-k9w7-mx flash:

Hardware Caveats - Cisco IOS Release 12.3(3)JL

CSCek56714

Symptom    Low throughput for Uni-Dir at Channel 100 (5.5 GHz)

See the Hardware release note for more infomation at:

http://www.cisco.com/en/US/products/hw/routers/ps272/prod_release_note09186a00806547c0.html

Additional References

http://www.cisco.com/en/US/products/hw/routers/ps272/prod_release_note09186a00806547c0.html#wp60567

Your product shipped with a minimal set of printed documentation. The full set of documentation is available online at: http://www.cisco.com/en/US/products/hw/routers/ps272/tsd_products_support_series_home.html

Release-Specific Documents

Cisco 3200 Series Router Product Release Notes—This document. It provides caveats and information on accessing documentation and obtaining technical assistance for the Cisco 3200 Series Router.

Platform-Specific Documents

The following documentation is available at the www.cisco.com>Technical Support & Documentation>Routers>Cisco 3200 Series Routers unless otherwise specified:

Cisco 3200 Series Router Hardware Reference Guide—Descriptions of the Cisco 3200 Series Mobile Access Router enclosures and mobile interface cards.

Cisco 3200 Series Wireless MIC Software Configuration Guide—Example procedures for using the IOS commands to configure the Cisco Wireless Mobile Interface Card (WMIC).

Configuration Guide for the Cisco 3200 Series Router—Example procedures for using the Cisco IOS commands to configure assembled Cisco 3200 Series routers.

Cisco 3200 Series Mobile Access Router Reference Sell Document—An overview of the reference sell program and components for the Cisco 3200 Series routers.

Cisco 3200 Rugged Enclosure Assembly Guidelines—Guidelines for adding or removing cards from the Cisco 3200 Router MIC stack in the Cisco 3200 Rugged Enclosure Assembly at http://www.cisco.com/en/US/partner/products/hw/routers/ps272/prod_technical_reference_list.html (A restricted document that requires a CCO password to access.)

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Use this document in conjunction with the documents listed in the "Additional References" section.

CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0710R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2006-2007, Cisco Systems, Inc. All rights reserved