AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
-
A vulnerability in the Slowpath of StarOS for Cisco ASR 5500 Series routers with Data Processing Card 2 (DPC2) could allow an unauthenticated, remote attacker to cause a subset of the subscriber sessions to be disconnected, resulting in a partial denial of service (DoS) condition.
The vulnerability is due to improper processing during the handoff of reassembled IPv4 or IPv6 packets. An attacker could exploit this vulnerability by sending crafted IPv4 or IPv6 fragments across the ASR 5500 Series router. An exploit could allow the attacker to cause an instance of the sessmgr service on the affected device to reload. A reload of the sessmgr service will cause all subscriber sessions serviced by that task to be disconnected, resulting in a denial of service (DoS) condition.
Cisco has released software updates that address this vulnerability. There is a workaround that addresses this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-asr
-
Vulnerable Products
This vulnerability affects Cisco ASR 5500 devices with Data Processing Card 2 (DPC2) running StarOS 18.0 or later.
To determine whether a vulnerable version of Cisco StarOS is running, administrators can use the show version command in the command-line interface (CLI). The following example shows the output of the show version command for a router that is running Cisco StarOS Release 19.2.1:
[local]ASR-2# show version
Friday August 12 13:17:31 AST 2016
Active Software:
Image Version: 19.2.1
Image Build Number: 62564
Image Description: Deployment_Build
Image Date: Thu Dec 31 20:13:39 EST 2015
Boot Image: /flash/asr5500-19.2.1.bin
To determine whether DPC2 cards are in use on a device, administrators can use the show card table command in the CLI. The following example shows the output of the show card table command for a router that has active DPC2 cards in slots 2 and 3:
[local]ASR-2# show card table
Friday August 12 13:18:25 AST 2016
Slot         Card Type                  Oper State     SPOF  Attach
-----------  -------------------------  -------------  ----  ------
 1: DPC      None                       -              -
 2: DPC      Data Processing Card 2     Active         No
 3: DPC      Data Processing Card 2     Active         No
 4: DPC      None                       -              -
. . .
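As an added example that is not part of the Cisco advisory, the following Python script applies the two affected-product checks described above (an Image Version of 18.0 or later in show version, and Active "Data Processing Card 2" rows in show card table) to captured CLI output. The two sample outputs are constructed to mirror the advisory's examples, and the function names and the result dictionary are this example's own. The advisory page does not list fixed releases, so a match means only that the device meets the advisory's affected-product criteria; the Cisco Bug Search Tool remains the authority on whether a given build carries the fix.

```python
import re

# Constructed sample, modelled on the advisory's "show version" example.
SHOW_VERSION_SAMPLE = """\
[local]ASR-2# show version
Friday August 12 13:17:31 AST 2016
Active Software:
  Image Version:         19.2.1
  Image Build Number:    62564
  Image Description:     Deployment_Build
  Image Date:            Thu Dec 31 20:13:39 EST 2015
  Boot Image:            /flash/asr5500-19.2.1.bin
"""

# Constructed sample, modelled on the advisory's "show card table" example.
SHOW_CARD_TABLE_SAMPLE = """\
[local]ASR-2# show card table
Friday August 12 13:18:25 AST 2016
Slot         Card Type                  Oper State     SPOF  Attach
-----------  -------------------------  -------------  ----  ------
 1: DPC      None                       -              -
 2: DPC      Data Processing Card 2     Active         No
 3: DPC      Data Processing Card 2     Active         No
 4: DPC      None                       -              -
"""

# The advisory states that StarOS 18.0 or later is affected.
FIRST_AFFECTED = (18, 0)


def parse_image_version(show_version_output):
    """Return the Image Version as a tuple of ints, e.g. (19, 2, 1)."""
    m = re.search(r"Image Version:\s*([0-9]+(?:\.[0-9]+)*)", show_version_output)
    if not m:
        raise ValueError("no 'Image Version' line found in show version output")
    return tuple(int(part) for part in m.group(1).split("."))


def active_dpc2_slots(show_card_table_output):
    """Return the slot numbers whose card type is DPC2 and whose Oper State is Active."""
    slots = []
    for line in show_card_table_output.splitlines():
        # Row shape: " 2: DPC      Data Processing Card 2     Active         No"
        m = re.match(r"\s*(\d+):\s+DPC\s+Data Processing Card 2\s+(\S+)", line)
        if m and m.group(2) == "Active":
            slots.append(int(m.group(1)))
    return slots


def assess(show_version_output, show_card_table_output):
    """Apply the advisory's two affected-product criteria to captured CLI output."""
    version = parse_image_version(show_version_output)
    # Pad to at least major.minor so "18" compares equal to 18.0.
    major_minor = (version + (0, 0))[:2]
    slots = active_dpc2_slots(show_card_table_output)
    version_in_range = major_minor >= FIRST_AFFECTED
    return {
        "image_version": ".".join(str(p) for p in version),
        "version_in_affected_range": version_in_range,
        "active_dpc2_slots": slots,
        # Both criteria must hold; fixed-release status is not on the page,
        # so this is an exposure screen, not a confirmation of vulnerability.
        "matches_advisory": version_in_range and bool(slots),
    }


if __name__ == "__main__":
    result = assess(SHOW_VERSION_SAMPLE, SHOW_CARD_TABLE_SAMPLE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Feed the script the two command outputs captured from a device; a device whose Image Version is below 18.0, or that shows no Active DPC2 rows, falls outside the advisory's affected-product description and is reported as not matching.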
Products Confirmed Not Vulnerable
Cisco has confirmed that this vulnerability does not affect the following products:
- Cisco ASR 5000 Series Routers
- Cisco ASR 5500 Series Routers with DPC1 cards
- Cisco Virtualized Packet Core (VPC)
No other Cisco products are currently known to be affected by this vulnerability.
-
To work around and help prevent the effects of an attempt to exploit this vulnerability, administrators can change the maximum transmission unit (MTU) configuration on one or more internal interfaces for an affected device. Note that this workaround will not persist if a card is rebooted. If a card is rebooted, the MTU configuration must be changed again. For information about implementing this workaround, please contact the Cisco Technical Assistance Center (TAC).
-
Cisco provides information about fixed software in Cisco bugs, which are accessible through the Cisco Bug Search Tool.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
-
This vulnerability was found during internal security testing.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version  Description              Section  Status  Date
1.0      Initial public release.  —        Final   2016-November-02
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.