Cisco devices that are running Cisco IOS Software are vulnerable when they are configured for the IP SLA general responder feature.
There are two methods to determine whether a device is configured for the IP SLA general responder:
- Determine whether the IP SLA general responder command is included in the device configuration.
- Determine whether the IP SLA general responder is active on a running device.
The preferred method to verify whether IP SLA is enabled on a Cisco IOS device is to inspect the device configuration to determine whether the IP SLA general responder is configured.
Determine Whether IP SLA General Responder Command Is Included in the Device Configuration
To determine whether the IP SLA general responder has been enabled in the Cisco IOS Software configuration, check whether the ip sla responder global configuration command is present. The show running-config | include ip sla responder command can be used to determine whether IP SLA is present in the configuration, as illustrated in the following example:
Router> show running-config | include ip sla responder$
ip sla responder
Determine Whether IP SLA General Responder Is Active on a Running Device
The administrator can establish whether the IP SLA general responder is enabled on a Cisco IOS device by using the show ip sla responder | include ^General command. If the vulnerable IP SLA general responder is active, the output will include a line with Enabled.
The following example shows a device on which the vulnerable IP SLA responder is active:
Router# show ip sla responder | include ^General
General IP SLA Responder is: Enabled
Determine the Cisco IOS Software Release
To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name is displayed in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming conventions is available in "White Paper: Cisco IOS and NX-OS Software Reference Guide" at http://www.cisco.com/web/about/security/intelligence/ios-ref.html.
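The three checks above (configuration line, responder status, and show version banner) can be applied to saved command output during a fleet triage. The following is an added example, not part of the advisory or a Cisco tool; the sample outputs are constructed to match the formats shown above, and the script only reports whether the vulnerable feature is present and which release is running, since the fixed-release table is not reproduced on this page.

```python
import re

# Constructed sample output modelled on the advisory's examples, not captured from a real device.
SAMPLE_CONFIG = "hostname Router\n!\nip sla responder\n!\nend\n"
SAMPLE_RESPONDER = "General IP SLA Responder is: Enabled\nPermanent Port IP SLA Responder is: Disabled\n"
SAMPLE_VERSION = (
    "Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, "
    "RELEASE SOFTWARE (fc1)\nTechnical Support: http://www.cisco.com/techsupport\n"
)


def responder_configured(running_config):
    """True if the global 'ip sla responder' command is present as an exact line,
    mirroring the advisory's '| include ip sla responder$' filter (so that longer
    'ip sla responder ...' permanent-port lines do not count)."""
    return any(line.strip() == "ip sla responder" for line in running_config.splitlines())

def responder_active(sla_status):
    """True if 'show ip sla responder' reports the General responder as Enabled."""
    m = re.search(r"^General IP SLA Responder is:\s*(\w+)", sla_status, re.M)
    return m is not None and m.group(1).lower() == "enabled"

def parse_show_version(banner):
    """Return (image_name, release) from a Cisco IOS 'show version' banner, or None
    when the banner does not identify Cisco IOS (e.g. NX-OS, IOS XR, ASA)."""
    m = re.search(
        r"Cisco (?:IOS Software|Internetwork Operating System Software).*?"
        r"\(([^)]+)\), Version (\S+),", banner, re.S)
    return (m.group(1), m.group(2)) if m else None

def assess(running_config, sla_status, banner):
    """Combine the three checks. 'exposed' means the device runs Cisco IOS and has the
    vulnerable general responder configured or active; the release is returned so it
    can be compared with the fixed-release table of the full advisory (not reproduced here)."""
    ios = parse_show_version(banner)
    configured = responder_configured(running_config)
    active = responder_active(sla_status)
    return {
        "is_ios": ios is not None,
        "image": ios[0] if ios else None,
        "release": ios[1] if ios else None,
        "responder_configured": configured,
        "responder_active": active,
        "exposed": ios is not None and (configured or active),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG, SAMPLE_RESPONDER, SAMPLE_VERSION))
```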
A Cisco IOS device is not vulnerable if the IP SLA general responder feature is not configured.
The following products have been confirmed not vulnerable:
- Cisco IOS XR Software
- Cisco NX-OS Software
- Cisco ASA Software
No other Cisco products are currently known to be affected by this vulnerability.