|
Table Of Contents
Release Notes for Cisco 830 Series and Cisco 2801 Series Routers for Cisco IOS Release 12.3(11)YK
Determining the Software Version
Upgrading to a New Software Release
New Hardware Features in Cisco IOS Release 12.3(11)YK3
New Hardware Features in Cisco IOS Release 12.3(11)YK2
New Hardware Features in Cisco IOS Release 12.3(11)YK1
New Hardware Features in Cisco IOS Release 12.3(11)YK
New Software Features in Cisco IOS Release 12.3(11)YK3
New Software Features in Cisco IOS Release 12.3(11)YK2
New Software Features in Cisco IOS Release 12.3(11)YK1
New Software Features in Cisco IOS Release 12.3(11)YK
Resolved Caveats - Cisco IOS Release 12.3(11)YK3
Resolved Caveats - Cisco IOS Release 12.3(11)YK2
Resolved Caveats - Cisco IOS Release 12.3(11)YK1
Resolved Caveats - Cisco IOS Release 12.3(11)YK
Cisco IOS Software Documentation Set
Cisco IOS Release 12.3 Documentation Set Contents
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for Cisco 830 Series and Cisco 2801 Series Routers for Cisco IOS Release 12.3(11)YK
August 10, 2007Cisco IOS Release 12.3(11)YK3OL-8429-03 Fourth ReleaseContents
•Obtaining Documentation, Obtaining Support, and Security Guidelines
System Requirements
This section describes the system requirements for Cisco IOS Release 12.3(11)YK3 and includes the following sections:
•Determining the Software Version
•Upgrading to a New Software Release
Memory Requirements
This section describes the memory requirements for the Cisco IOS feature sets that are supported by Cisco IOS Release 12.3(11)YK2 for the Cisco 2801 and Cisco 830 series routers.
Table 1 Recommended Memory for the Cisco 2801 Routers
Platform Image Name Feature Set Image Flash Memory DRAM Mini-
mum Recom- mended1 Mini-
mum Recom- mendedCisco 2801
Cisco 2801 IOS ADVANCED ENTERPRISE SERVICES
ADVANCED ENTERPRISE SERVICES
c2801-adventerprisek9-mz
64 MB
64 MB
192 MB
192 MB
Cisco 2801 IOS ADVANCED IP SERVICES
ADVANCED IP SERVICES
c2801-advipservicesk9-mz
64 MB
64 MB
192 MB
192 MB
Cisco 2801 IOS ADVANCED SECURITY
ADVANCED SECURITY
c2801-advsecurityk9-mz
64 MB
64 MB
128 MB
128 MB
Cisco 2801 IOS ENTERPRISE BASE w/o Crypto
ENTERPRISE BASE w/o Crypto
c2801-entbase-mz
64 MB
64 MB
128 MB
128 MB
Cisco 2801 IOS ENTERPRISE SERVICES
ENTERPRISE SERVICES
c2801-entservicesk9-mz
64 MB
64 MB
192 MB
192 MB
Cisco 2801 IOS IP BASE w/o Crypto
IP BASE w/o Crypto
c2801-ipbase-mz
64 MB
64 MB
128 MB
128 MB
Cisco 2801 IOS IP VOICE w/o Crypto
IP VOICE w/o Crypto
c2801-ipvoice-mz
64 MB
64 MB
192 MB
192 MB
Cisco 2801 IOS SP SERVICES
SP SERVICES
c2801-spservicesk9-mz
64 MB
64 MB
192 MB
192 MB
1 Recommended memory is the memory required for potential future expansions.
Hardware Supported
Cisco IOS Release 12.3(11)YK3 supports the following routers:
•Cisco 830 series routers
Cisco IOS Release 12.3(11)YK2 supports the following routers:
•Cisco 830 series routers
•Cisco 2801 router
For detailed descriptions of new hardware features and which features are supported on each router, see the "New and Changed Information" section. For descriptions of existing hardware features and supported modules, see the hardware installation guides, configuration and command reference guides, and additional documents specific to these routers, which are available on Cisco.com at the following location:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/index.htm
This URL is subject to change without notice. If it changes, point your web browser to Cisco.com, and click the following path:
Technical Documentation: Routers: Fixed Config. Access Routers: <platform_name>
Determining the Software Version
To determine which version of the Cisco IOS software is currently running on your Cisco router, log in to the router, and enter the show version command. The following sample output from the show version command indicates the version number on the second output line.
router> show versionCisco IOS Software, 2801 Software (C2801-IPBASE-M), Version 12.3(11)YK2, RELEASE SOFTWARE (fcl)Synched to technology version 12.3(12.8)TTechnical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2005 by Cisco Systems, Inc.Upgrading to a New Software Release
For general information about upgrading to a new software release, see Cisco IOS Software Releases 12.3 T Installation and Upgrade Procedures located on Cisco.com.
Feature Set Tables
The Cisco IOS software is packaged in feature sets consisting of software images, depending on the platform. Each feature set contains a specific set of Cisco IOS features.
Caution The Cisco IOS images with strong encryption (including, but not limited to, 168-bit [3DES] data encryption feature sets) are subject to United States government export controls and have limited distribution. Strong encryption images to be installed outside the United States will likely require an export license. Customer orders can be denied or subject to delay as a result of United States government regulations. When applicable, the purchaser/user must obtain local import and use authorizations for all encryption strengths. Please contact your sales representative or distributor for more information, or send an e-mail to export@cisco.com.
Table 3 through Table 6 lists the features and feature sets that are supported in Cisco IOS Release 12.3(11)YK2.
The tables use the following conventions:
•In—The number in the "In" column indicates the Cisco IOS release in which the feature was introduced. For example, "12.3(11)YK" indicates that the feature was introduced in Release 12.3(11)YK. If a cell in this column is empty, the feature was included in a previous release or in the initial base release.
•Yes—The feature is supported in the software image.
•No—The feature is not supported in the software image.
Table 3 Feature Set Table for the Cisco 2801 Router
Feature In Feature Set IP BASE w/o Crypto IP Base Enterprise Base w/o Crypto Enterprise BaseE1 R2 Collect Call Blocking
12.3(11)YK
No
No
No
No
Table 6 Feature Set Table for the Cisco 2801 Router
Feature In Feature Set Advanced Enterprise Services + SNAE1 R2 Collect Call Blocking
12.3(11)YK
Yes
New and Changed Information
Cisco IOS Release 12.3(11)YK2 supports the features listed in this section.
New Hardware Features in Cisco IOS Release 12.3(11)YK3
There are no new hardware features for this release.
se.
New Hardware Features in Cisco IOS Release 12.3(11)YK2
There are no new hardware features for this release.
New Hardware Features in Cisco IOS Release 12.3(11)YK1
There are no new hardware features for this release.
New Hardware Features in Cisco IOS Release 12.3(11)YK
There are no new hardware features in this release.
New Software Features in Cisco IOS Release 12.3(11)YK3
There are no new software features in this release.
New Software Features in Cisco IOS Release 12.3(11)YK2
There are no new software features in this release.
New Software Features in Cisco IOS Release 12.3(11)YK1
There are no new software features in this release.
New Software Features in Cisco IOS Release 12.3(11)YK
The following sections describe the new software features supported by the Cisco 2801 router for Cisco IOS Release 12.3(11)YK.
E1 R2 Collect Call Blocking
E1 R2 Call Blocking feauture provides two ways to block incoming collect calls: category-based and double answer.
With the category based call blocking, collect calls will be blocked based on a specific category. For example in Brazil, collect calls arrive with a category II-8 for which the Cisco access router will send B-7 as response instead of an answer signal. This approach is only applicable when switches in Centrol Office support category-based blocking.
For legacy switches which do not support category-based blocking, "double answer" is implemented on the Cisco 2801 in this release to support the collect call blocking. For an incoming collect call, the gateway will answer the call with a clear-back after 1 second and re-answer the call after 2 seconds. This causes the collect call to be dropped and normal calls to stay connected. This will be implemented as a CLI option for any country.
Caveats
Caveats describe unexpected behavior or defects in the Cisco IOS software releases. Severity 1 caveats are the most serious caveats, severity 2 caveats are less serious, and severity 3 caveats are the least serious of these three severity levels.
Note If you have an account with Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com and click Service & Support: Technical Assistance Center: Tool Index: Bug Toolkit. Another option is to go to http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl.
Resolved Caveats - Cisco IOS Release 12.3(11)YK3
CSCsf04754Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.
The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.
This advisory will be posted at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960.
CSCsj81502 show pagp clis are not displaying the correct informationCSCsi09530 CME SIP phone failed to register because of authenticate registerSymptom If the authenticate register command is configured under the voice register global command, CME SIP failed to registered.
Conditions The authenticate register command is configured under the voice register global command when CME is acting as a registrar.
Workaround Disable the authenticate register command under the voice register global command.
Further Problem Description In registrar functionality, CME challenges an inbound register request with a 401 response. If the authenticate register command is configured under the voice register global command, the Registering Endpoint then ends a Register Request with Credentials. The Gateway Stack is not processing this request and is dropping it.
CSCsi01470Symptom A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.
Workaround Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.CSCsj32707 GW rejects SIP UPDATE with Cseq 0Symptom A "SIP UPDATE" message from a Cisco CallManager or SIP Proxy Server with a "Cseq" value of 0 may be rejected or considered invalid by A Cisco gateway.
Conditions This symptom is observed on a Cisco gateway that runs Cisco IOS Release 12.4(9)T4 or a later release and that is connected to a SIP endpoint.
Workaround There is no workaround. Note that the symptom does not occur in Release 12.4(9)T3.
CSCdz55178 QoS profile name of more then 32 chars will crash the routerSymptom System reloads unexpectedly or other serious side-affects such as memory corruption occur.
Conditions A cable qos profile with a length greater than 32 characters is configured on the system.
For example:
cable qos profile 12 name g711@10ms_for_any_softswitch_Traa^C00000000011111111111222222222333^12345678901234567890123456789012||PROBLEM (Variable Overflowed).Workaround Change the qos profile name to a value less that 32 characters.
Further Problem Description The variable which holds the value for the string name only allows for 32 characters and the code did not properly truncate names longer than the associated buffer.
This caused other locations in memory to be corrupted.
CSCsj52927 DATACORRUPTION-1-DATAINCONSISTENCY message in show logSymptom DATACORRUPTION-1-DATAINCONSISTENCY messages are seen in 'show log'
Conditions The messages are seen when when the router comes up.
Workaround There is not workaround.
CSCsj66369 Traceback seen at rpmxf_dg_db_initSymptom Tracebacks seen while running metal_vpn_cases.itcl script
Conditions A strcpy in the file 'rpmxf_dg_online.c' copies more bytes than the destination buffer size.Due to this we are getting data corruption tracebacks
Workaround There is not workaround.
CSCse85200 Inadequate validation of TLVs in cdpSymptom Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behaviour by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router.
Since CDP is a layer-2 protocol, this issue can only be triggered by systems that are residing on the same network segment.
Workaround Workaround is to disable on interfaces where CDP is not necessary.
CSCse56501Symptom A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability an offending IPv6 packet must be targeted to the device. Packets that are routed throughout the router can not trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is Resource Reservation Protocol (RSVP) service, which if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.
Workaround Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml.CSCsj44081 Improvements in diagnostics and instrumentationSymptom Cisco IOS Software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS Software releases published after April 5, 2007.
Details With the new enhancement in place, IOS will emit a %DATACORRUPTION-1-DATAINCONSISTENCY error message whenever it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.
The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
The error message is then followed by a traceback.
It is important to note that this error message does not imply that packet data is being corrupted. It does, however provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.
Recommended Action Collect "show tech-support" command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the%DATACORRUPTION-1-DATAINCONSISTENCY message and note those to your support contact.
CSCsg40567 Memory leak found with malformed tls/ssl packets in http core processSymptom Malformed SSL packets may cause a router to leak multiple memory blocks.
Conditions This symptom is observed on a Cisco router that has the ip http secure server command enabled.
Workaround Disable the ip http secure server command.
CSCsg96319 reverse ssh eliminated telnet authention on VTYSymptom When a reverse SSH session is established with valid authentication credentials, anyone can obtain unprivileged Telnet access to a system without being authenticated. This situation affects only reverse SSH sessions when a connection is made with the
ssh -l userid :number ip-address command.Conditions This symptom is observed only when the Reverse SSH Enhancement is configured. This enhancement is documented at the following URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gt_rssh.html
Workaround Configure reverse SSH by entering the ip ssh port portnum rotary group command. This configuration is explained at the following URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gt_rssh.html#wp1027195
CSCsj06951Traceback @ createCNF_file while configuring user-localeSymptom Traceback seen on terminal.
Conditions When config user-locale and generate CNF file under telephony-service.
Workaround There is no workaround.
CSCsj44099 Router crashes if DSPFARM profile description is 128 characters long.Symptom A cisco c3800 router can experience a memory corruption resulting in a crash if the description field under the "dspfarm profile" configuration matches the maximum of 128 characters.
Conditions During configuration of the dspfarm profile thru the CLI, a description that is 128 characters will cause a memory copy problem. If the user tries to display the results of the configuration using "show dspfarm profile", the router will crash trying to display the output.
Workaround To prevent this problem configure the dspfarm profile description with 127 characters or less.
CSCed94829 IOS reloads due to malformed IKE messagesMultiple Cisco products contain vulnerabilities in the processing of IPSec IKE (Internet Key Exchange) messages. These vulnerabilities were identified by the University of Oulu Secure Programming Group (OUSPG) "PROTOS" Test Suite for IPSec and can be repeatedly exploited to produce a denial of service.
Cisco has made free software available to address this vulnerability for
affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-ipsec.shtml
CSCsg03449 Etherswitch module VLAN Trunking Protocol Vulnerabilities•VTP Version field DoS
•Integer Wrap in VTP revision
•Buffer Overflow in VTP VLAN name
Conditions The packets must be received on a trunk enabled port.
Further Information On the 13th September 2006, Phenoelit Group posted an advisory containing
three vulnerabilities:
These vulnerabilities are addressed by Cisco IDs:
•CSCsd52629/CSCsd34759 -- VTP version field DoS
•CSCse40078/CSCse47765 -- Integer Wrap in VTP revision
•CSCsd34855/CSCei54611 -- Buffer Overflow in VTP VLAN name
•CSCsg03449 -- Etherswitch module VLAN Trunking Protocol Vulnerabilities
Cisco's statement and further information are available on the Cisco public website at
http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml
CSCsg03449 Etherswitch module VLAN Trunking Protocol Vulnerabilities•VTP Version field DoS
•Integer Wrap in VTP revision
•Buffer Overflow in VTP VLAN name
Conditions The packets must be received on a trunk enabled port.
Further Information On the 13th September 2006, Phenoelit Group posted an advisory containing
three vulnerabilities:
These vulnerabilities are addressed by Cisco IDs:
•CSCsd52629/CSCsd34759 -- VTP version field DoS
•CSCse40078/CSCse47765 -- Integer Wrap in VTP revision
•CSCsd34855/CSCei54611 -- Buffer Overflow in VTP VLAN name
•CSCsg03449 -- Etherswitch module VLAN Trunking Protocol Vulnerabilities
Cisco's statement and further information are available on the Cisco public website at
http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml
CSCsb33172 short-circuit crypto engine operations when faking AM2Symptom A vulnerability exists in the way some Cisco products handle IKE phase I messages which allows an attacker to discover which group names are configured and valid on the device.
A Cisco Security Notice has been published on this issue and can be found at the following URL:
http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml
CSCsa62111 7200 input queue stuckSymptom Packets may be stuck in the input queue of a Cisco 7200 series.
Conditions This symptom is observed on a Cisco 7200 series that is running Cisco IOS interim Release 12.3(12.10) and that is configured with an NPE-G1.
Workaround : Reload the router to clear the input queue or increase the input queue beyond the default limit of 75 via the hold-queue length command.
CSCek37177 malformed tcp packets deplete processor memory.The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.
This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.
Cisco has made free software available to address this vulnerability for affected customers.
This issue is documented as Cisco bug ID CSCek37177
There are workarounds available to mitigate the effects of the vulnerability. This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml
CSCeh73049 tclsh mode bypasses aaa command authorization checkSymptom A vulnerability exists within the Cisco IOS Authentication, Authorization, and Accounting (AAA) command authorization feature, where command authorization checks are not performed on commands executed from the Tool Command Language (Tcl) exec shell. This may allow authenticated users to bypass command authorization checks in some configurations resulting in unauthorized privilege escalation.
Conditions Devices that are not running AAA command authorization feature, or do not support Tcl functionality are not affected by this vulnerability. This vulnerability is present in all versions of Cisco IOS that support the tclsh command.
Workaround This advisory with appropriate workarounds is posted at http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml
CSCsd92405 router crashed by repeated SSL connection with malformed finished messageCisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
•Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
•Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
•Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
Note Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml
A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
CSCsb12598 Router forced crash on receiving fragmented TLS ClientHelloCisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
•* Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
• * Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
• * Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml
A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
CSCsb40304 Router crash on sending repetitive SSL ChangeCipherSpecCisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, A malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
•Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
•Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
•Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml
A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
CSCsb06658 mwr1900 incorrectly identified as a DOCSIS devices.A vulnerability exists in certain Cisco Internetwork Operating System (IOS) Software release trains running on the Cisco IAD2400 series, 1900 Series Mobile Wireless Edge Routers and Cisco VG224 Analog Phone Gateways. Vulnerable versions may contain a default hard-coded Simple Network Management Protocol (SNMP) community string when SNMP is enabled on the device. The default community string is a result of inadvertently identifying these devices as supporting Data Over Cable Service Interface Specification (DOCSIS) compliant interfaces. The consequence of this error is that an additional read-write community string may be enabled if the device is configured for SNMP management, allowing a knowledgeable attacker the potential to gain privileged access to the device. Cisco is making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20060920-docsis.shtml .
CSCsi80749 Crash while processing malformed SIP packetSymptom Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
•Session Initiation Protocol (SIP)
•Media Gateway Control Protocol (MGCP)
•Signaling protocols H.323, H.254
•Real-time Transport Protocol (RTP)
•Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
Workaround There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
CSCsd81407 Router crash on receiving abnormal MGCP messagesSymptom Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
•Session Initiation Protocol (SIP)
•Media Gateway Control Protocol (MGCP)
•Signaling protocols H.323, H.254
•Real-time Transport Protocol (RTP)
•Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
Workaround There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
CSCej20505 Router hangs with overly large packetSymptom Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
•Session Initiation Protocol (SIP)
•Media Gateway Control Protocol (MGCP)
•Signaling protocols H.323, H.254
•Real-time Transport Protocol (RTP)
•Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
Workaround There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
CSCsb11124 SGBP Crafted Packet Denial of ServiceThe Cisco IOS Stack Group Bidding Protocol (SGBP) feature in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable denial of service condition.
Devices that do not support or have not enabled the SGBP protocol are not affected by this vulnerability. Cisco has made free software available to address this vulnerability for affected customers.
There are workarounds available to mitigate the effects of the vulnerability.
Cisco has published a Security Advisory on this issue; it is available at http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml
CSCse05736 A router running RCP can be reloaded with a specific packetSymptom A router that is running RCP can be reloaded by a specific packet.
Conditions This symptom is seen under the following conditions: - The router must have RCP enabled.
•The packet must come from the source address of the designated system configured to send RCP packets to the router.
•The packet must have a specific data content.
Workaround Put access lists on the edge of your network blocking RCP packets to prevent spoofed RSH packets. Use another protocol such as SCP. Use VTY ACLs.
CSCsd85587 7200 Router crashes with ISAKMP Codenomicon test suiteA vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
The vulnerable cryptographic library is used in the following Cisco products:
•Cisco IOS, documented as Cisco bug ID CSCsd85587
•Cisco IOS XR, documented as Cisco bug ID CSCsg41084
•Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999
•Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348
•Cisco Firewall Service Module (FWSM) CSCsi97695
This vulnerability is also being tracked by CERT/CC as VU#754281.
Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml .
Note Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
CSCsb11784 Input Queue Wedge with syslogSymptom The interface input queue may fill up with up to 50 packets
Conditions A syslog server is configured
Workaround For each syslog server configured, it may be possible that up to 50 packets can become stuck in the interface input queue. Increasing the size of the input hold-queue to accomodate these packets will allow traffic to pass freely.
CSCsc72722 CBAC - firewall resets TCP idle timer upon receiving invalid TCP packetsSymptom TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not timeout.
Conditions With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.
Workaround There is no workaround.
CSCsa53334 bus error in single_pkt_regexThe Intrusion Prevention System (IPS) feature set of Cisco IOS® contains several vulnerabilities. These include:
•Fragmented IP packets may be used to evade signature inspection.
•IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash resulting in a denial of service.
There are mitigations and workarounds for these vulnerabilities. Cisco has made free software available to address these vulnerabilities for affected customers.
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml
CSCsg16908 IOS FTP Server DeprecationMultiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's file system, including the device's saved configuration, which may include passwords or other sensitive information. The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities. This vulnerability does not apply to the IOS FTP Client feature.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.
CSCsc64976 HTTP server should scrub embedded HTML tags from cmd outputA vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output from a show buffers command, will be passed to the browser requesting the page. This HTML code could be interpreted by the client browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks. Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content in which HTML commands have been injected. Cisco will be making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml
CSCsb25337 unnecessary tcp ports opened in default router configSymptom Session Initiated Protocol (SIP) are vulnerable to a crash under yet to be determined conditions, but isolated to traffic destined to User Datagram Protocol (UDP) 5060. SIP is enabled by default on all Advanced images which support voice and do not contain the fix for [Sev2/State:R/28 SRs] unnecessary tcp ports opened in default router config CSCsb25337. Devices which are properly configured for SIP processing are not vulnerable to this issue.
Workaround Workarounds exist to mitigate the effects of this problem.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml
CSCsb93407 H323 port tcp 1720 still listening after call service stopSymptom When H323 call service stops, the router still listens on TCP port 1720 and completes connection attempts.
Conditions This symptom occurs after H323 is disabled using the following configuration commands:
voice service voiph323
call service stop
Workaround Access can be blocked by deploying an interface access list that blocks access to TCP port 1720 for traffic that is destined for any of the IP addresses of the router.
CSCsf28840 Crash due to configured peer type control vectorA vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device. There are workarounds available for this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml
CSCsb11849 CoPP: Need support for malformed IP optionsSymptom CoPP policy configured to drop packets with IP options will ignore packets with malformed IP options
Conditions CoPP configured to filter ip packets with IP options
Workaround Do not use IP option ACL filtering with CoPP. Instead configure CoPP to filter ip packets by source or destination address.
CSCse248849 Malformed SSH version 2 packets may cause processor memory depletionSymptom Malformed SSH version 2 packets may cause a memory leak, causing the platform to operate under a degraded condition. Under rare circumstances, the platform may reload to recover itself.
Conditions This symptom is observed on a Cisco platform that is configured for SSH version 2 after it has received malformed SSHv2 packets.
Workaround As an interim solution until the affected platform can be upgraded to a Cisco IOS software image that contains the fix for caveat CSCse24889, configure SSH version 1 from the global configuration mode, as in the following example:
config tip ssh version 1endAlternate Workaround Permit only known trusted hosts and/or networks to connect to the router by creating a vty access list, as in the following example:
10.1.1.0/24 is a trusted network thatis permitted access to the router, allother access is deniedaccess-list 99 permit 10.1.1.0 0.0.0.255access-list 99 deny anyline vty 0 4access-class 99 inendFurther Problem Description For information about configuring vty access lists, see the Controlling Access to a Virtual Terminal Line document:
For information about SSH, see the Configuring Secure Shell on Routers and Switches Running Cisco IOS document:
CSCeh60551 certificate crashes 12.3.4.JA APSymptom Certain malformed client certificates may cause an Access Point (AP) to crash.
Conditions This symptom is observed on a Cisco platform that functions as an AP and that runs Cisco IOS Release 12.3(2)JA2 or Release 12.3(4)JA when EAP-TLS is configured. The symptom may also occur in other releases.
Workaround Issue a new client certificate.
CSCsa54608 IOS Firewall Auth-Proxy for FTP/Telnet Sessions buffer overflowThe Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.
Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.
Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.
Only devices running certain versions of Cisco IOS are affected. Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
This advisory will be posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml
CSCsf30058 Memory leak when processing malformed SIP messageMultiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
•Session Initiation Protocol (SIP)
•Media Gateway Control Protocol (MGCP)
•Signaling protocols H.323, H.254
•Real-time Transport Protocol (RTP)
•Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.
CSCsf08998 MGCP stop responding after receiving malformed packetMultiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
•Session Initiation Protocol (SIP)
•Media Gateway Control Protocol (MGCP)
•Signaling protocols H.323, H.254
•Real-time Transport Protocol (RTP)
•Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.
CSCse68355 Router crashed by malformed SIP packetMultiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
•Session Initiation Protocol (SIP)
•Media Gateway Control Protocol (MGCP)
•Signaling protocols H.323, H.254
•Real-time Transport Protocol (RTP)
•Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.
CSCse68138 Issue in handling specific packets in VOIP RTP LibMultiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
•Session Initiation Protocol (SIP)
•Media Gateway Control Protocol (MGCP)
•Signaling protocols H.323, H.254
•Real-time Transport Protocol (RTP)
•Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.
CSCsg70474 IOS FW with h323 inspect crashes when malformed H.323 packets receivedMultiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
•Session Initiation Protocol (SIP)
•Media Gateway Control Protocol (MGCP)
•Signaling protocols H.323, H.254
•Real-time Transport Protocol (RTP)
•Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.
CSCef77013 tighter parameter checking for ipv6Cisco IOS and Cisco IOS XR contain a vulnerability when processing specially crafted IPv6 packets with a Type 0 Routing Header present. Exploitation of this vulnerability can lead to information leakage on affected IOS and IOS XR devices, and may also result in a crash of the affected IOS device. Successful exploitation on an affected device running Cisco IOS XR will not result in a crash of the device itself, but may result in a crash of the IPv6 subsystem.
Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-IPv6-leak.shtml
CSCsh58082SIP: A router may reload due to SIP trafficCisco devices running an affected version of Internetwork Operating System (IOS) which supports Session Initiation Protocol (SIP) are affected by a vulnerability that may lead to a reload of the device when receiving a specific series of packets destined to port 5060. This issue is compounded by a related bug which allows traffic to TCP 5060 and UDP port 5060 on devices not configured for SIP. There are no known instances of intentional exploitation of this issue. However, Cisco has observed data streams that appear to be unintentionally triggering the vulnerability. Workarounds exist to mitigate the effects of this problem on devices which do not require SIP. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml.
CSCsb79076 MGCP RSVP enabled calls fails due to spurious error @ qosmodule_mainSymptom %SYS-3-TIMERNEG errors and tracebacks are observed while making MGCP RSVP calls on a analog (RGW) setups. Observed in 12.4(3.9)T1 IOS version.
Workaround No workaround currently available.
CSCsj18014 Caller ID string received with extra charactersSymptom A caller ID may be received with extra characters.
Conditions This symptom is observed when caller ID is enabled on both routers and when the station ID and station name are configured on the FXS side.
Workaround There is no workaround.
CSCsj16292 DATACORRUPTION-1-DATAINCONSISTENCY: copy errorSymptom Following an upgrade to Cisco IOS Release 12.2(18)SXF9, the following message may be displayed:
%DATACORRUPTION-1-DATAINCONSISTENCY: copy error-Traceback=Conditions This message may appear as a result of SNMP polling of PAgP variables, but does not appear to be service impacting.
Workaround There is no workaround.
CSCek26492 Enhancements to Packet Input PathSymptom A router may crash if it receives a packet with a specific crafted IP option as detailed in Cisco Security Advisory: Crafted IP Option Vulnerability:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
Conditions This Bug resolves a symptom of CSCec71950. Cisco IOS with this specific Bug are not at risk of crash if CSCec71950 has been resolved in the software.
Workaround Cisco IOS versions with the fix for CSCec71950 are not at risk for this issue and no workaround is required. If CSCec71950 is not resolved, see the following Cisco Security Advisory: Crafted IP Option Vulnerability for workaround information:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
CSCei61732 Additional data integrity check in system timerCisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.
Cisco has made free software available that includes the additional integrity checks for affected customers.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml
CSCec12299 Corruption of ext communities when receiving over ipv4 EBGP sessionSymptom EIGRP-specific Extended Community 0x8800 is corrupted and shown as 0x0:0:0.
Conditions This symptom is observed when EIGRP-specific Extended Community 0x8800 is received via an IPv4 EBGP session on a CE router. This occurs typically in the following inter-autonomous system scenario:
ASBR/PE-1 <----> VRF-to-VRF <----> ASBR/PE-2Workaround Use a configuration such as the following to remove extended communities from the CE router:
router bgp 1address-family ipv4 vrf oneneighbor 1.0.0.1 remote-as 100neighbor 1.0.0.1 activateneighbor 1.0.0.1 route-map FILTER inexit-address-family!ip extcommunity-list 100 permit _RT.*_!!route-map FILTER permit 10set extcomm-list 100 delete!CSCsb24007 Memory corruption and unexpected reload on receiving a SIP packetMultiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
•Session Initiation Protocol (SIP)
•Media Gateway Control Protocol (MGCP)
•Signaling protocols H.323, H.254
•Real-time Transport Protocol (RTP)
•Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.
CSCin95836 Buffer overflow in NHRP protocolSymptom A Cisco IOS device configured for NHRP may restart.
Workaround There is no workaround.
CSCec12299Symptom Devices running Cisco IOS versions 12.0S, 12.2, 12.3, or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs.
Conditions This issue is triggered by a logic error when processing extended communities on the PE device.
This issue cannot be deterministically exploited by an attacker.
Workaround Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml.
Resolved Caveats - Cisco IOS Release 12.3(11)YK2
•CSCsb24007
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–Session Initiation Protocol (SIP)
–Media Gateway Control Protocol (MGCP)
–Signaling protocols H.323, H.254
–Real-time Transport Protocol (RTP)
–Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•CSCej26641
Ping drops for aal5mux encapsulation.
•CSCeh60551
Symptom: Certain malformed client certificates may cause an AP running 12.3.2.JA2 or 12.3.4.JA to crash when EAP-TLS is used.
Workaround: Issue a new client certificate.
•CSCei61732
Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.
Cisco has made free software available that includes the additional integrity checks for affected customers.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.
•CSCsa54608
The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.
Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.
Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.
Only devices running certain versions of Cisco IOS are affected.
Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml
•CSCeh35823
Free memory disappears quickly.
•CSCei27330
SYS-2-BADSHARE displays on the router log often.
•CSCsa48125
ISDN B-channels remains in PROPOSED state on initial NFAS setup.
•CSCeg15044
Unable to telnet to card (No Free TTYs error).
•CSCeh13489
BGP shouldn't propogate updates with AS path lengths greater than 255.
Resolved Caveats - Cisco IOS Release 12.3(11)YK1
•CSCeg89937
Ethernet interface does not send ping replies after reload.
•CSCsa61989
L2TPv3 should not allow MTU increase based on ICMP.
A router running L2TPv3 using Path-MTU Discovery (PMTUD) may incorrectly increase the discovered MTU solely based on information contained in ICMP packet-too-big messages (ICMP 3/4).
Workaround: None.
•CSCsa74819
Can't disable vpdn ip udp ignore checksum across reloads.
In a release which configures vpdn ip udp ignore checksum by default, if the user manually configures no vpdn ip udp ignore checksum in order NOT to ignore the checksum, this configuration change is not retained across reloads. After writing the configuration to NVRAM and reloading the router, the vpdn ip udp ignore checksum command will automatically be put back in place by IOS. This issue is seen on any image which contains the CSCef90365 fix and after configuring no vpdn ip udp ignore checksum.
Workaround: Re-configure the no vpdn ip udp ignore checksum command after every reload.
•CSCsa52807
L2TP doing PMTUD vulnerable to spoofed ICMP paks.
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.info/Home-1.aspx
•CSCsa62111
7200 input queue stuck.
Workaround: Reloading the router will clear the input queue, or increasing the input queue using the hold-queue length command beyond the default limit of 75.
Resolved Caveats - Cisco IOS Release 12.3(11)YK
•CSCef60659
More stringent checks required for ICMP unreachables.
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.info/Home-1.aspx.
•CSCsa59600
IPSec PMTUD not working.
See note for CSCef60659 above.
•CSCsa61864
Enhancements to L2TPv3 PMTUD may not work.
See note for CSCef60659 above.
•CSCef44699
GRE and IPinIP doing PMTUD vulnerable to spoofed ICMP packets.
See note for CSCef60659 above.
Related Documentation
The following sections describe the documentation available for the Cisco 830 series and Cisco 2801 routers. These documents consist of hardware and software installation guides, Cisco IOS configuration guides and command references, system error messages, feature modules, and other documents.
Documentation is available as printed manuals or electronic documents, except for feature modules, which are available online on Cisco.com and http://www.cisco.com/univercd/home/index.htm.
Use these release notes with these documents:
Release-Specific Documents
The following documents are specific to Cisco IOS Release 12.3 and are located on Cisco.com and http://www.cisco.com/univercd/home/index.htm:
•Cross-Platform Release Notes for Cisco IOS Release 12.3(8)T
On Cisco.com at:
Products and Solutions: Cisco IOS Software: Cisco IOS Software Releases 12.3: Instructions and Guides: Release Notes
On http://www.cisco.com/univercd/home/index.htm at:
Cisco IOS Software: Cisco IOS Release 12.3: Release Notes: Cross-Platform Release Notes
Note Cross-Platform Release Notes for Cisco IOS Release 12.3T are located on Cisco.com at or on http://www.cisco.com/univercd/home/index.htm at Cisco IOS Software: Cisco IOS Release 12.3: Release Notes: Cisco IOS Release 12.3T.
•Product bulletins, field notices, and other release-specific documents at http://www.cisco.com/univercd/home/index.htm
•Caveats for Cisco IOS Release 12.3
As a supplement to the caveats listed in these release notes, see Caveats for Cisco IOS Release 12.3 and Caveats for Cisco IOS Release 12.3T, which contains caveats applicable to all platforms for all maintenance releases of Cisco IOS Release 12.3 and Cisco IOS Release 12.3T.
On Cisco.com at:
Products & Solutions: IOS Software: Cisco IOS Software Releases 12.3: Instructions and Guides: Release Notes: Release Notes for Cisco IOS Release 12.3, Part 5: Caveats
On http://www.cisco.com/univercd/home/index.htm at:
Cisco IOS Software: Cisco IOS Release 12.3: Release Notes: Caveats
•If you have an account on Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com and click Products and Solutions: Cisco IOS Software: Cisco IOS Software Releases 12.3: Troubleshooting: Bug Toolkit. Another option is to go to http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl.
Platform-Specific Documents
Locate platform-specific documents for the Cisco 830 series and Cisco 2801 routers on Cisco.com by clicking the following path:
Technical Documentation: Routers: Fixed Config. Access Routers: <platform_name>
Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that are supported on specific platforms. To obtain updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
http://tools.cisco.com/RPF/register/register.do
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
Cisco IOS Software Documentation Set
The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents.
Documentation Modules
Each module in the Cisco IOS documentation set consists of one or more configuration guides and one or more corresponding command references. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Use each configuration guide with its corresponding command reference.
On Cisco.com at:
Products and Solutions: Cisco IOS Software: Cisco IOS Releases 12.3: Instructions and Guides
On http://www.cisco.com/cisco/web/support/index.html at:
Cisco IOS Software: Cisco IOS Release 12.3: Configuration Guides and Command References
Cisco IOS Release 12.3 Documentation Set Contents
Table 7 lists the contents of the Cisco IOS Release 12.3 software documentation set, which is available in electronic form and in printed form if ordered.
On Cisco.com at:
Products and Solutions: Cisco IOS Software: Cisco IOS Releases 12.3: Instructions and Guides
On http://www.cisco.com/univercd/home/index.htm at:
Cisco IOS Software: Cisco IOS Release 12.3
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feed-back, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Use this document in conjunction with the documents listed in the "Related Documentation" section.
CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0705R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007, Cisco Systems, Inc. All rights reserved..