 Feedback
|
Table Of Contents
Release Notes for the Cisco 800 and Cisco SOHO 90 Series with Cisco IOS Release 12.3(11)YZ
Determining the Software Version
Upgrading to a New Software Release
New Hardware and Software Features in Cisco IOS Release 12.3(11)YZ1
New Software Features in Release 12.3(11)T
Caveats for Cisco IOS Release 12.3(11)YZ
Resolved Caveats for Cisco IOS Release 12.3(11)YZ2
Resolved Caveats for Cisco IOS Release 12.3(11)YZ1
Cisco IOS Software Documentation Set
Cisco IOS Release 12.3 Documentation Set Contents
Obtaining Technical Assistance
Obtaining Additional Publications and Information
Release Notes for the Cisco 800 and Cisco SOHO 90 Series with Cisco IOS Release 12.3(11)YZ
September 24, 2008Cisco IOS Release 12.3(11)YZ2OL-11419-02 Third ReleaseThese release notes describe new features and significant software components for the Cisco 800 and Cisco SOHO90 series, that support Cisco IOS Release 12.3 T, up to and including Release 12.3(11)YZ. These release notes are updated as needed to describe new memory requirements, new features, new hardware support, software platform deferrals, microcode or modem code changes, related document changes, and any other important changes. Use these release notes with the Cross-Platform Release Notes for Cisco IOS Release 12.3 T for Cisco IOS Release 12.3 T located on Cisco.com.
For a list of the software caveats that apply to Release Cisco IOS Release 12.3(11)YZ, refer to the "Caveats for Cisco IOS Release 12.3(11)YZ" section and refer to the online Caveats for Cisco IOS Release 12.3 T document. The caveats document is updated for every 12.3 T maintenance release and is located on Cisco.com.
Contents
•
Caveats for Cisco IOS Release 12.3(11)YZ
•
•
System Requirements
This section describes the system requirements for Cisco IOS Release 12.3(11)YZ.
Memory Requirements
Table 1 lists the memory requirements for Cisco IOS 12.3(11)YZ on the Cisco 800 and Cisco SOHO 90 series.
Note
Hardware Supported
Cisco IOS Release 12.3(11)YZ supports the following routers:
•
•
•
•
•
•
•
•
•
•
Determining the Software Version
To determine the version of Cisco IOS software running on your Cisco router, log in to the router and enter the show version command:
Router> show versionCisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.3(11)YZ, RELEASE SOFTWARE (fc1) Synched to technology version 12.3(11)T Technical Support: http://www.cisco.com/techsupport (c) 1986-2006 by Cisco Systems, Inc.Upgrading to a New Software Release
For general information about upgrading to a new software release, see the Software Installation and Upgrade Procedures located at: http://www.cisco.com/warp/public/130/upgrade_index.shtml.
New and Changed Information
New Hardware and Software Features in Cisco IOS Release 12.3(11)YZ1
There are no new hardware or software features in this release.
New Software Features in Release 12.3(11)T
For information regarding the features supported in Cisco IOS Release 12.3(11)T, refer to the Cross-Platform Release Notes and New Feature Documentation links at the following location on Cisco.com:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/index.htm
This URL is subject to change without notice. If it changes, point your web browser to Cisco.com, and click the following path:
Service & Support: Technical Documents: Cisco IOS Software: Release 12.3: Release Notes: Cross-Platform Release Notes (Cisco IOS Release 12.3(11)T)
Limitations and Restrictions
Refer to each feature for individual limitations and restrictions.
Deferrals
Cisco IOS software images are subject to deferral. Cisco recommends that you view the deferral notices at the following location to determine if your software release is affected:
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
Field Notices and Bulletins
For general information about the types of documents listed in this section, refer to the following document:
http://www.cisco.com/en/US/products/sw/custcosw/ps747/prod_field_notices_list.html
•
•
•
•
Caveats for Cisco IOS Release 12.3(11)YZ
Caveats describe unexpected behavior or defects in the Cisco IOS software releases. Severity 1 caveats are the most serious caveats, severity 2 caveats are less serious, and severity 3 caveats are the least serious of these three severity levels.
Note
Resolved Caveats for Cisco IOS Release 12.3(11)YZ2
CSCec12299Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs.
Workarounds are available to help mitigate this vulnerability.
This issue is triggered by a logic error when processing extended communities on the PE device.
This issue cannot be deterministically exploited by an attacker.
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml.
CSCsf04754Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.
The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.
This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml
CSCse56501A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability an offending IPv6 packet must be targeted to the device. Packets that are routed throughout the router can not trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is Resource Reservation Protocol (RSVP) service, which if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.
Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml.
CSCsi01470A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.
CSCse68138 Issue in handling specific packets in VOIP RTP LibMultiple voice-related vulnerabilities are identified in Cisco IOS software,one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
Session Initiation Protocol (SIP)
Media Gateway Control Protocol (MGCP)
Signaling protocols H.323, H.254
Real-time Transport Protocol (RTP)
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.
CSCsi64851 %DATACORRUPTION-1-DATAINCONSISTENCY unterminated string in bufferSymptom Traceback is seen while configuring "incoming port" using a string [large value 238 characters] for "call filter match-list 1 voice". Trace shows unterminated string in buffer.
Conditions
Workaround
CSCsi74508 data inconsistency error in red_nvgen_paramsSymptom A Cisco IOS device may produce the following error when reading or writing the configuration:
%DATACORRUPTION-1-DATAINCONSISTENCY: write of 11 bytes to 10 bytes
Conditions
Workaround
CSCsi78118 Traceback seen at iphc_decompress.Symptom A traceback may be generated at the "iphc_decompress" function.
Conditions
Workaround
CSCsi78162 SNASw %DATACORRUPTION-1-DATAINCONSISTENCY messagesSymptom A router that has the SNASwitch feature enabled may generate several of the following messages along with tracebacks %DATACORRUPTION-1-DATAINCONSISTENCY: copy of xx bytes should be xx bytes
Conditions
Workaround: There is no workaround.
Further Problem Description: The messages do not affect the normal operation of the router in any way. The SNASwitch continues to function normally.
CSCsj06951 Traceback @ createCNF_file while configuring user-localeSymptom Traceback seen on terminal.
Conditions
Workaround
CSCei52653 cipSecTunInOctets/cipSecTunOutOctets report zerocipSecTunInOctets/cipSecTunOutOctets is report zero when using c1841-advsecurityk9-mz.123- 14.T2.bin.
CSCse05642 I/O memory corruption crash on as5850Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
Session Initiation Protocol (SIP)
Media Gateway Control Protocol (MGCP)
Signaling protocols H.323, H.254
Real-time Transport Protocol (RTP)
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.
CSCsj16292 DATACORRUPTION-1-DATAINCONSISTENCY: copy errorSymptom Following an upgrade to Cisco IOS Release 12.2(18)SXF9, the following message may be displayed:
%DATACORRUPTION-1-DATAINCONSISTENCY: copy error
-Traceback=
Conditions
Workaround
CSCsb79076 MGCP RSVP enabled calls fails due to spurious error @ qosmodule_main %SYS-3-TIMERNEG errors and tracebacks are observed while making MGCP RSVP calls on a analog (RGW) setups.Symptom Observed in 12.4(3.9)T1 IOS version.
Workaround
CSCsj18014 Caller ID string received with extra characters CSCsf28840 dwind Crash due to configured peer type control vector
Symptom A caller ID may be received with extra characters.
Conditions
Workaround
CSCsg16908 IOS FTP Server DeprecationMultiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.
The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities.
This vulnerability does not apply to the IOS FTP Client feature. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.
CSCin95836 NHRP does not handle error conditions gracefullyThe Cisco Next Hop Resolution Protocol (NHRP) feature in Cisco IOS?? contains a vulnerability that can result in a restart of the device or possible remote code execution.
NHRP is a primary component of the Dynamic Multipoint Virtual Private Network (DMVPN) feature.
NHRP can operate in three ways: at the link layer (Layer 2), over Generic Routing Encapsulation (GRE) and multipoint GRE (mGRE) tunnels and directly on IP (IP protocol number 54). This vulnerability affects all three methods of operation.
NHRP is not enabled by default for Cisco IOS.
This vulnerability is addressed by Cisco bug IDs CSCin95836 for non-12.2 mainline releases and CSCsi23231 for 12.2 mainline releases.
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070808-nhrp.shtml.
CSCsf08998 MGCP stop responding after receiving malformed packetMultiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
Session Initiation Protocol (SIP)
Media Gateway Control Protocol (MGCP)
Signaling protocols H.323, H.254
Real-time Transport Protocol (RTP)
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.
CSCsg03449 Etherswitch module VLAN Trunking Protocol VulnerabilitiesSymptom
•
•
•
Conditions
Further Information: On the 13th September 2006, Phenoelit Group posted an advisory containing three vulnerabilities:
–
–
–
These vulnerabilities are addressed by Cisco IDs:
•
•
•
•
CSCsh58082 SIP: A router may reload due to SIP trafficCisco devices running an affected version of Internetwork Operating System (IOS) which supports Session Initiation Protocol (SIP) are affected by a vulnerability that may lead to a reload of the device when receiving a specific series of packets destined to port 5060. This issue is compounded by a related bug which allows traffic to TCP 5060 and UDP port 5060 on devices not configured for SIP. There are no known instances of intentional exploitation of this issue. However, Cisco has observed data streams that appear to be unintentionally triggering the vulnerability.
Workarounds exist to mitigate the effects of this problem on devices which do not require SIP. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml.
CSCse68355 Router crashed by malformed SIP packetMultiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
Session Initiation Protocol (SIP)
Media Gateway Control Protocol (MGCP)
Signaling protocols H.323, H.254
Real-time Transport Protocol (RTP)
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.
CSCsc64976 rbisarya HTTP server should scrub embedded HTML tags from cmd outputA vulnerability exists in the IOS HTTP server in which HTML code inserted
into dynamically generated output, such as the output from a show buffers command, will be passed to the browser requesting the page. This HTML code could be interpreted by the client browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks. Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content in which HTML commands have been injected.
Cisco will be making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml
CSCek26492 Enhancements to Packet Input Path.Symptom A router may crash if it receives a packet with a specific crafted IP option as detailed in Cisco Security Advisory: Crafted IP Option Vulnerability:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
Conditions
Workaround
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
CSCsg70474 IOS FW with h323 inspect crashes when malformed H.323 packets receivedMultiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
Session Initiation Protocol (SIP)
Media Gateway Control Protocol (MGCP)
Signaling protocols H.323, H.254
Real-time Transport Protocol (RTP)
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.
CSCse05736 A router running RCP can be reloaded with a specific packetSymptom A router that is running RCP can be reloaded by a specific packet.
Conditions
Workaround
CSCef77013 Tighter parameter checking for ipv6Cisco IOS and Cisco IOS XR contain a vulnerability when processing specially crafted IPv6 packets with a Type 0 Routing Header present. Exploitation of this vulnerability can lead to information leakage on affected IOS and IOS XR devices, and may also result in a crash of the affected IOS device. Successful exploitation on an affected device running Cisco IOS XR will not result in a crash of the device itself, but may result in a crash of the IPv6 subsystem.
Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-IPv6-leak.shtml
CSCsd81407 Router crash on receiving abnormal MGCP messagesMultiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
Session Initiation Protocol (SIP)
Media Gateway Control Protocol (MGCP)
Signaling protocols H.323, H.254
Real-time Transport Protocol (RTP)
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.
CSCsd85587 7200 Router crashes with ISAKMP Codenomicon test suiteA vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
The vulnerable cryptographic library is used in the following Cisco products:
–
–
–
–
–
This vulnerability is also being tracked by CERT/CC as VU#754281.
Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml .
Note
CSCsi60004 H323 Proxy Unregistration from GatekeeperMultiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
Session Initiation Protocol (SIP)
Media Gateway Control Protocol (MGCP)
Signaling protocols H.323, H.254
Real-time Transport Protocol (RTP)
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.
CSCse24889 Malformed SSH version 2 packets may cause processor memory depletionSymptom Malformed SSH version 2 packets may cause a memory leak, causing the platform to operate under a degraded condition. Under rare circumstances, the platform may reload to recover itself.
Conditions
Workaround
config tip ssh version 1 endAlternate Workaround: Permit only known trusted hosts and/or networks to connect to the router by creating a vty access list, as in the following example:
10.1.1.0/24 is a trusted network that is permitted access to the router, all other access is denied access-list 99 permit 10.1.1.0 0.0.0.255 access-list 99 deny any line vty 0 4 access-class 99 in endFurther Problem Description: For information about configuring vty access lists, see the Controlling Access to a Virtual Terminal Line document: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cntrl_acc_vtl.html
For information about SSH, see the Configuring Secure Shell on Routers and Switches Running Cisco IOS document: http://www.cisco.com/warp/public/707/ssh.shtml
CSCse85200 Inadequate validation of TLVs in cdpSymptom Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behaviour by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router.
Conditions
Workaround
CSCsg40567 Memory leak found with malformed tls/ssl packets in http core processSymptom Malformed SSL packets may cause a router to leak multiple memory blocks.
Conditions
Workaround
CSCsb12598 Router forced crash on receiving fragmented TLS ClientHelloCisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
–
–
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
Note
A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
CSCsb40304 Router crash on sending repetitive SSL ChangeCipherSpecCisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol
exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
–
–
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
Note
A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
CSCsd92405 Router crashed by repeated SSL connection with malformed finished messageCisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
–
–
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
Note
A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
CSCsg96319 reverse ssh eliminated telnet authention on VTYSymptom When a reverse SSH session is established with valid authentication credentials, anyone can obtain unprivileged Telnet access to a system without being authenticated. This situation affects only reverse SSH sessions when a connection is made with the
ssh -l userid :number ip-address command.
Conditions
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gt_rssh.html
Workaround
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_q_and_a_item09186a0080267e0f.shtml#newq1
CSCsj66369 Traceback seen at rpmxf_dg_db_initSymptom Tracebacks seen while running metal_vpn_cases.itcl script
Conditions
Workaround
CSCsj66513 Traceback detected at DNQueuePeersSymptom Traceback found at DNQueuePeers
Conditions
Workaround
CSCsj44099 Router crashes if DSPFARM profile description is 128 characters long.Symptom A cisco c3800 router can experience a memory corruption resulting in a crash if the description field under the "dspfarm profile" configuration matches the maximum of 128 characters.
Conditions
Workaround
CSCsj52927 DATACORRUPTION-1-DATAINCONSISTENCY message in show logSymptom DATACORRUPTION-1-DATAINCONSISTENCY messages are seen in `show log'.
Conditions
Workaround
CSCdz55178 QoS profile name of more then 32 chars will crash the routerSymptom A router that is configured for QoS may reload unexpectedly or other serious symptoms such as memory corruption may occur.
Conditions
cable qos profile 12 name g711@10ms_for_any_softswitch_Traa^C
00000000011111111111222222222333^
12345678901234567890123456789012|
|
PROBLEM
(Variable Overflowed).
Change the name of the cable QoS profile qos profile to a length that is less than 32 characters.
Resolved Caveats for Cisco IOS Release 12.3(11)YZ1
•
This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.
Cisco has made free software available to address this vulnerability for affected customers.
Workaround: There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml
•
Cisco has made free software available to address this vulnerability for affected customers.
Workaround: There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on if Mobile IPv6 is used and what version on Cisco IOS is being currently used.
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml
•
Cisco has made free software available to address this vulnerability for affected customers.
Workaround: There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on if Mobile IPv6 is used and what version on Cisco IOS is being currently used.
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml
•
Symptoms: With H323 call service stopped, the router still listens on tcp port 1720 and completes connection attempts.
Conditions: After H323 is disabled using the configuration commands:
voice service voiph323call service stopWorkaround: Access can be blocked by deploying an interface access list that blocks access to TCP port 1720 for traffic that is destined for any of the IP addresses of the router.
For information about deploying access lists, see the "Transit Access Control Lists: Filtering at Your Edge" document:
http://www.cisco.com/warp/public/707/tacl.html
For further information about deploying access lists, see the "Protecting Your Core: Infrastructure Protection Access Control Lists" document:
http://www.cisco.com/warp/public/707/iacl.html
For information about using control plane policing to block access to TCP port 1720, see the "Deploying Control Plane Policing White Paper:"
http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml
•
Symptoms: TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not timeout.
Conditions: With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.
Workaround: There is no workaround.
•
Symptoms: CoPP policy configured to drop packets with IP options will ignore packets with malformed IP options
Conditions: CoPP configured to filter ip packets with IP options
Workaround: Do not use IP option ACL filtering with CoPP. Instead configure CoPP to filter ip packets by source or destination address.
•
Symptoms: A Cisco router configured for multicast VPN may reload after receiving a malformed MDT data group join packet.
Conditions: Affects all Cisco IOS versions that support mVPN MDT.
Workaround: Filter out MDT Data Join messages from the router sending the malformed packet using a Receive Access Control List (rACL) feature. Note by doing this, the offending router will not be able to participate within the mVPN data trees.
The following example shows how to block malformed MDT Data Join messages that are sent from the device's IP addresses using a receive ACL:
!ip receive access-list 111!access-list 111 deny udp host <ip address of router sending malformed joinrequest> host 224.0.0.13 eq 3232access-list 111 permit ip any any!
Note
http://www.cisco.com/warp/public/707/racl.html.•
Symptoms: Add functionality to disable ESM filter to execute Cisco IOS configuration commands. To prevent configuration commands being executed via ESM TCL fitlers, enter the global configuration command: no loggin esm config
Conditions: Prevents execution of the tcl script command ios_config from ESM filters.
Further Problem Description: As Tcl script modules contain executable commands, you should manage the security of these files in the same way you manage configuration files."
Workaround: Syslog filter modules can be written and stored as plain-text files or as precompiled files. Tcl script pre-compiling can be done with tools such as TclPro. Precompiled scripts allow a measure of security and managed consistency because they cannot be edited.
•
Symptoms: After a reload, the router is unable to use its certificate to establish a VPN connection. If the peer is also a Cisco IOS router, debug crypto isakmp will show the following error during the negotiation:
ISAKMP:(...): signature invalid!Conditions: Certificate based authentication is used in ISAKMP
Workaround: Re-enroll the router after the reload, to get a new certificate.
Further Problem Description: After the reload, show crypto key mypubkey rsa shows that the RSA keypair used is an old one (the one that was in use before the most recent enrollment) so it does not match the keypair that was used to obtain the current certificate.
The RSA keypair that should be used (the one that was used to obtain the current certificate) has been renamed with a # at the end. For example, before the reload, the rsa keypair is named router.domain.priv. After the reload, this key is now named router.domain.priv#, and there is another (older) keypair named router.domain.priv that does not match the certificate.
Related Documentation
•
•
Release-Specific Documents
The following documents are specific to Cisco IOS Release 12.3 and are located on Cisco.com and http://www.cisco.com/univercd/home/index.htm:
•
On Cisco.com at:
Products and Solutions: Cisco IOS Software: Cisco IOS Software Releases 12.3: Instructions and Guides: Release Notes
On http://www.cisco.com/univercd/home/index.htm at:
Cisco IOS Software: Cisco IOS Release 12.3: Release Notes: Cross-Platform Release Notes
Cross-Platform Release Notes for Cisco IOS Release 12.3 T are located on Cisco.com at or on http://www.cisco.com/univercd/home/index.htm at Cisco IOS Software: Cisco IOS Release 12.3: Release Notes: Cisco IOS Release 12.3 T.
•
•
As a supplement to the caveats listed in these release notes, see Caveats for Cisco IOS Release 12.3 and Caveats for Cisco IOS Release 12.3 T, which contains caveats applicable to all platforms for all maintenance releases of Cisco IOS Release 12.3 and Cisco IOS Release 12.3 T.
On Cisco.com at:
Products & Services: IOS Software: Cisco IOS Software Releases 12.3: Instructions and Guides: Release Notes: Release Notes for Cisco IOS Release 12.3, Part 5: Caveats
On http://www.cisco.com/univercd/home/index.htm at:
Cisco IOS Software: Cisco IOS Release 12.3: Release Notes: Caveats
•
Platform-Specific Documents
Platform-specific documents are available on Cisco.com by following the appropriate Technical Documentation path below.
For Cisco SOHO 90 series and Cisco 830 series routers:
Product Documentation: Routers: Fixed Config. Access Routers
Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
http://tools.cisco.com/RPF/register/register.do
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
Cisco IOS Software Documentation Set
The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents. The Cisco IOS software documentation set is shipped with your order in electronic form on the Documentation CD-ROM—unless you specifically ordered the printed versions.
Documentation Modules
Each module in the Cisco IOS documentation set consists of one or more configuration guides and one or more corresponding command references. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Use each configuration guide with its corresponding command reference.
On Cisco.com at:
Products and Solutions: Cisco IOS Software: Cisco IOS Releases 12.3: Instructions and Guides
On http://www.cisco.com/univercd/home/index.htm at:
Cisco IOS Software: Cisco IOS Release 12.3: Configuration Guides and Command References
Cisco IOS Release 12.3 Documentation Set Contents
Table 2 lists the contents of the Cisco IOS Release 12.3 software documentation set, which is available in electronic form and in printed form if ordered.
On Cisco.com at:
Products and Solutions: Cisco IOS Software: Cisco IOS Releases 12.3: Instructions and Guides
On http://www.cisco.com/univercd/home/index.htm at:
Cisco IOS Software: Cisco IOS Release 12.3
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/cisco/web/support/index.html
You can access the Cisco website at this URL:
International Cisco websites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
•
http://www.cisco.com/en/US/partner/ordering/index.shtml
•
Documentation Feedback
You can submit e-mail comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.
Cisco TAC Website
The Cisco TAC website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year. The Cisco TAC website is located at this URL:
Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:
http://tools.cisco.com/RPF/register/register.do
Opening a TAC Case
Using the online TAC Case Open Tool is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using the recommended resources, your case will be assigned to a Cisco TAC engineer. The online TAC Case Open Tool is located at this URL:
http://www.cisco.com/tac/caseopen
For P1 or P2 cases (P1 and P2 cases are those in which your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.
To open a case by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete listing of Cisco TAC contacts, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
TAC Case Priority Definitions
To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.
Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•
http://www.cisco.com/en/US/partner/products/index.html
•
•
iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:
http://www.ilmc.com/iq_magazine
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private Internets and Intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html
Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:
http://www.cisco.com/en/US/learning/index.html
Use this document in conjunction with the documents listed in the "Related Documentation" section.
CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0705R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007, Cisco Systems, Inc. All rights reserved.
