|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Cisco Security Advisory: Crafted IP Option Vulnerability
How many OPK's are being released today.. anyone? On Wed, 24 Jan 2007, Cisco Systems Product Security Incident Response Team wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Cisco Security Advisory: Crafted IP Option Vulnerability > > Advisory ID: cisco-sa-20070124-crafted-ip-option > > http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml > > Revision 1.0 > > For Public Release 2007 January 24 1600 UTC (GMT) > > +-------------------------------------------------------------------- > > Contents > ======== > > Summary > Affected Products > Details > Vulnerability Scoring Details > Impact > Software Version and Fixes > Workarounds > Obtaining Fixed Software > Exploitation and Public Announcements > Status of this Notice: FINAL > Distribution > Revision History > Cisco Security Procedures > > - --------------------------------------------------------------------- > > Summary > ======= > > Cisco routers and switches running Cisco IOS® or Cisco IOS XR > software may be vulnerable to a remotely exploitable crafted IP > option Denial of Service (DoS) attack. Exploitation of the > vulnerability may potentially allow for arbitrary code execution. The > vulnerability may be exploited after processing an Internet Control > Message Protocol (ICMP) packet, Protocol Independent Multicast > version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, > or URL Rendezvous Directory (URD) packet containing a specific > crafted IP option in the packet's IP header. No other IP protocols > are affected by this issue. > > Cisco has made free software available to address this vulnerability > for affected customers. > > There are workarounds available to mitigate the effects of the > vulnerability. > > This vulnerability was discovered during internal testing. > > This advisory is available at > http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml > > Affected Products > ================= > > Vulnerable Products > +------------------ > > This issue affects all Cisco devices running Cisco IOS or Cisco IOS > XR software and configured to process Internet Protocol version 4 > (IPv4) packets. Devices which run only Internet Protocol version 6 > (IPv6) are not affected. > > This vulnerability is present in all unfixed versions of Cisco IOS > software, including versions 9.x, 10.x, 11.x and 12.x. > > This vulnerability is present in all unfixed versions of Cisco IOS XR > software, including versions 2.0.X, 3.0.X, and 3.2.X. > > All versions of Cisco IOS or Cisco IOS XR prior to the versions > listed in the Fixed Software table below may be susceptible to this > vulnerability. > > To determine the software running on a Cisco product, log in to the > device and issue the "show version" command to display the system > banner. Cisco IOS software will identify itself as "Internetwork > Operating System Software" or simply "IOS". On the next line of > output, the image name will be displayed between parentheses, > followed by "Version" and the IOS release name. Cisco IOS XR software > will identify itself as "Cisco IOS XR Software" followed by "Version" > and the version number. Other Cisco devices will not have the show > version command or will give different output. > > The following example identifies a Cisco product running Cisco IOS > release 12.2(14)S16 with an installed image name of C7200-IS-M: > > Cisco Internetwork Operating System Software > IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(14)S16, > RELEASE SOFTWARE (fc1) > > The release train label is "12.2". > > The next example shows a product running IOS release 12.3(7)T12 with > an image name of C7200-IK9S-M: > > Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(7)T12, > RELEASE SOFTWARE (fc1) > > Additional information about Cisco IOS Banners is available at > http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml#3 > > Cisco IOS XR Software is a member of the Cisco IOS software family > that uses a microkernel-based distributed operating system > infrastructure. Cisco IOS XR runs only on Cisco Carrier Routing > System 1 (CRS-1) and Cisco XR 12000 series routers. > > Additional information about Cisco IOS XR is available at > http://www.cisco.com/en/US/products/ps5845/index.html > > The following example shows partial output from the show version > command which identifies a Cisco product running Cisco IOS XR release > 3.3.0: > > RP/0/RP0/CPU0:router#show version > Cisco IOS XR Software, Version 3.3.0 > Copyright (c) 2006 by cisco Systems, Inc. > ROM: System Bootstrap, Version 1.32(20050525:193559) [CRS-1 ROMMON] > > Products Confirmed Not Vulnerable > +-------------------------------- > > Cisco devices that do not run Cisco IOS or Cisco IOS XR software are > not affected. CatOS software is not affected by this issue. > > No other Cisco products are currently known to be affected by this > vulnerability. > > Details > ======= > > This vulnerability may be exploited when an affected device processes > a packet that meets all three of the following conditions: > > +---------------------------------------+ > | 1. The packet contains a specific | > | crafted IP option. | > |---------------------------------------| > | AND | > |---------------------------------------| > | 2. The packet is one of the following | > | protocols: | > |---------------------------------------| > | * ICMP - Echo (Type 8) - 'ping' | > |---------------------------------------| > | * ICMP - Timestamp (Type 13) | > |---------------------------------------| > | * ICMP - Information Request (Type | > | 15) | > |---------------------------------------| > | * ICMP - Address Mask Request (Type | > | 17) | > |---------------------------------------| > | * PIMv2 - IP protocol 103 | > |---------------------------------------| > | * PGM - IP protocol 113 | > |---------------------------------------| > | * URD - TCP Port 465 | > |---------------------------------------| > | AND | > |---------------------------------------| > | 3. The packet is sent to a physical | > | or virtual IPv4 address configured on | > | the affected device. | > +---------------------------------------+ > > No other ICMP message types are affected by this issue. > > No other IP protocols are affected by this issue. > > No other TCP services are affected by this issue. > > The packet can be sent from a local network or from a remote network. > > The source IP address of the packet can be spoofed or non-spoofed. > > Packets which transit the device (packets not sent to one of the > device's IP addresses) do not trigger the vulnerability and the > device is not affected. > > This vulnerability is documented in these Bug IDs: > > * Cisco Bug ID CSCec71950 for Cisco IOS > * Cisco Bug ID CSCeh52410 for Cisco IOS XR > > Cisco IOS > +-------- > > A crafted packet addressed directly to a vulnerable device running > Cisco IOS software may result in the device reloading or may allow > execution of arbitrary code. > > Cisco IOS XR > +----------- > > A crafted packet addressed directly to a vulnerable device running > Cisco IOS XR software may result in the ipv4_io process restarting or > may allow execution of arbitrary code. CRS-1 Nodes that run the > ipv4_io process include Route Processors (RP), Distributed Route > Processors (DRP), Modular Services Cards (MSC), and XR 12000 Line > Cards. While the ipv4_io process is restarting, all ICMP traffic > destined for the device itself and exception punts will be dropped. > Examples of exception punts include packets having IP header > information that requires further processing such as IP options, > Time-to-Live equal to 0 or 1, and layer-2 keepalives. CLNS traffic to > the Node or Line Card is not affected. If the ipv4_io process is > restarted several times consecutively, the CRS-1 Node or XR 12000 > Line Card may reload, causing a Denial of Service (DoS) condition for > the transit traffic switched on that Node or Line card. > > Devices Configured for ICMP Message Types > +---------------------------------------- > > ICMP Type 8 > +---------- > > By default, devices running all Cisco IOS and Cisco IOS XR versions > will process ICMP echo-request (Type 8) packets. This behavior cannot > be modified. > > ICMP Type 13 > +----------- > > By default, devices running all Cisco IOS versions will process ICMP > timestamp (Type 13) packets. This behavior cannot be modified. > > By default, devices running all Cisco IOS XR versions will NOT > process ICMP timestamp (Type 13) packets. This behavior cannot be > modified. > > ICMP Type 15 > +----------- > > With the introduction of CSCdz50424, by default routers will NOT > process ICMP information request (Type 15) packets. Releases of Cisco > IOS that contain CSCdz50424 include 12.3, 12.3T, 12.4, 12.4T, later > 12.0S and later 12.2S. See CSCdz50424 for complete release > information. > > A router running a Cisco IOS release containing CSCdz50424 that has > been modified to process ICMP information request packets will have > the interface configuration statement "ip information-reply", which > can be seen by issuing the command "show running-config" as shown > in the following examples: > > router#show running-config | include information-reply > ip information-reply > > or > > router#show running-config > > interface FastEthernet0/0 > ip address 192.0.2.1 255.255.255.0 > ip information-reply > > By default, devices running all other Cisco IOS versions will process > ICMP information request (Type 15) packets. This behavior cannot be > modified. Since this is the default behavior, "ip information-reply" > will not be visible in the device's configuration. > > By default, devices running all Cisco IOS XR versions will NOT > process ICMP information request (Type 15) packets. This behavior > cannot be modified. > > ICMP Type 17 > +----------- > > Beginning in Cisco IOS version 10.0, by default devices will NOT > process ICMP address mask request (Type 17) packets. A router that > has been modified to process ICMP address mask request packets will > have the interface configuration statement "ip mask-reply", which > can be seen by issuing the command "show running-config" as shown > in the following examples: > > router#show running-config | include mask-reply > ip mask-reply > > or > > router#show running-config > > interface FastEthernet0/0 > ip address 192.0.2.1 255.255.255.0 > ip mask-reply > > By default, devices running all Cisco IOS XR versions will NOT > process ICMP address mask request (Type 17) packets. A router that > has been modified to process ICMP address mask request packets will > have the interface configuration statement "ipv4 mask-reply", which > can be seen by issuing the command show running-config as shown in > the following examples: > > RP/0/RP0/CPU0:router#show running-config | include mask-reply > Building configuration... > ipv4 mask-reply > > or > > RP/0/RP0/CPU0:router#show running-config > interface POS0/1/3/0 > ipv4 address 192.0.2.1 255.255.255.252 > ipv4 mask-reply > > Devices Configured for Protocol Independent Multicast Version 2 > (PIMv2) > +-------------------------------------------------------------- > > Cisco IOS > +-------- > > A router running Cisco IOS that is configured to process PIMv2 > packets will have an interface configuration statement that begins > with "ip pim", which can be seen by issuing the command "show > running-config" as shown in the following examples: > > router#show running-config | include ip pim > ip pim sparse-mode > > or > > router#show running-config > > interface FastEthernet0/0 > ip address 192.0.2.1 255.255.255.0 > ip pim sparse-dense-mode > > The command "show ip pim interface" can also be used to determine > if a router is configured to process PIMv2 packets, as shown in > the following example: > > router#show ip pim interface > Address Interface Ver/ Nbr Query DR DR > Mode Count Intvl Prior > 192.0.2.1 FastEthernet0/0 v1/S 0 30 1 0.0.0.0 > 192.168.1.1 FastEthernet1/0 v2/SD 0 30 1 0.0.0.0 > > Interfaces running PIMv2 will show "v2/" under the Ver/Mode column. > Interfaces without PIM configured will not be shown in the command > output. > > PIMv2 is the default PIM version. Routers configured to process only > PIMv1 messages are not vulnerable to the PIMv2 exploit. Routers that > do not have PIM configured are not vulnerable to the PIMv2 exploit. > PIM is not enabled by default. > > Additional information about PIM is available at > http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca794.html > > Cisco IOS XR > +----------- > > The command show pim interface can be used to determine if a router > running Cisco IOS XR is configured to process PIMv2 packets, as shown > in the following example: > > RP/0/0/CPU0:router#show pim interface > Address Interface PIM Nbr Hello DR DR > Count Intvl Prior > 192.168.1.1 Loopback0 on 1 30 1 this system > 192.168.2.1 MgmtEth0/0/CPU0/0 off 0 30 1 not elected > 192.168.3.1 Loopback1 on 1 30 1 this system > 192.168.4.1 Loopback3 on 1 30 1 this system > 192.168.5.1 POS0/4/0/0 on 1 30 1 this system > 192.0.2.1 POS0/4/0/1 on 1 30 1 this system > > Interfaces running PIMv2 will show on under the PIM column. > Interfaces without PIM configured will show "off" under the PIM > column. > > Cisco IOS XR does not support PIMv1. PIM is not enabled by default on > Cisco IOS XR. > > Additional information about PIM on Cisco IOS XR is available at > http://www.cisco.com/en/US/products/ps5845/products_configuration_guide_chapter09186a008069a8a2.html > > Devices Configured for Pragmatic General Multicast (PGM) > +------------------------------------------------------- > > A router that is configured to process PGM packets will have the > interface configuration statement "ip pgm router", which can be > seen by issuing the command "show running-config" as shown in > the following examples: > > router#show running-config | include ip pgm > ip pgm router > > or > > router#show running-config > > interface FastEthernet1/0 > ip address 192.0.2.1 255.255.255.0 > ip pim sparse-dense-mode > ip pgm router > > or > > router#show running-config > > interface FastEthernet1/0 > ip address 192.0.2.1 255.255.255.0 > ip pgm router > > Routers that do not have PGM configured are not vulnerable to the PGM > exploit. PGM is not enabled by default. > > Additional information about PGM is available at > http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca798.html > > Cisco IOS XR does not support PGM and is not affected by PGM packets > that exploit this vulnerability. > > Devices Configured for URL Rendezvous Directory (URD) > +---------------------------------------------------- > > A router that is configured to process URD packets will have the > interface configuration statement "ip urd" or "ip urd proxy", > which can be seen by issuing the command "show running-config" > as shown in the following examples: > > router#show running-config | include ip urd > ip urd > > or > > router#show running-config | include ip urd > ip urd proxy > > or > > router#show running-config > > interface FastEthernet1/0 > ip address 192.0.2.1 255.255.255.0 > ip pim sparse-mode > ip urd > > or > > router#show running-config > > interface FastEthernet1/0 > ip address 192.0.2.1 255.255.255.0 > ip pim sparse-dense-mode > ip urd proxy > > or > > router#show running-config > > interface FastEthernet1/0 > ip address 192.0.2.1 255.255.255.0 > ip urd > > Routers that do not have URD configured are not vulnerable to the URD > exploit. URD is not enabled by default. > > Additional information about URD is available at > http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca795.html > > Cisco IOS XR does not support URD and is not affected by URD packets > that exploit this vulnerability. > > Vulnerability Scoring Details > ============================= > > Cisco is providing scores for the vulnerabilities in this advisory > based on the Common Vulnerability Scoring System (CVSS). Cisco will > provide a base and temporal score. Customers can then compute > environmental scores to assist in determining the impact of the > vulnerability in individual networks. > > Cisco PSIRT will set the bias in all cases to normal. Customers are > encouraged to apply the bias parameter when determining the > environmental impact of a particular vulnerability. > > CVSS is a standards-based scoring method that conveys vulnerability > severity and helps determine urgency and priority of response. > > Cisco has provided an FAQ to answer additional questions regarding > CVSS at > http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html > > Cisco has also provided a CVSS calculator to help compute the > environmental impact for individual networks at > http://intellishield.cisco.com/security/alertmanager/cvss > > > CSCec71950 - Crafted IP Option may cause DoS or code execution > CVSS Base Score: 10 > - - Access Vector: Remote > - - Access Complexity: Low > - - Authentication: Not Required > - - Confidentiality Impact: Complete > - - Integrity Impact: Complete > - - Availability Impact: Complete > - - Impact Bias: Normal > > CVSS Temporal Score: 8.3 > - - Exploitability: Functional > - - Remediation Level: Official Fix > - - Report Confidence: Confirmed > > > CSCeh52410 - Crafted IP Option may cause ipv4-io DoS or code > execution > CVSS Base Score: 10 > - - Access Vector: Remote > - - Access Complexity: Low > - - Authentication: Not Required > - - Confidentiality Impact: Complete > - - Integrity Impact: Complete > - - Availability Impact: Complete > - - Impact Bias: Normal > > CVSS Temporal Score: 8.3 > - - Exploitability: Functional > - - Remediation Level: Official Fix > - - Report Confidence: Confirmed > > > Impact > ====== > > Cisco IOS > +-------- > > Successful exploitation of the vulnerability on Cisco IOS may result > in a reload of the device or execution of arbitrary code. Repeated > exploitation could result in a sustained DoS attack. > > Cisco IOS XR > +----------- > > Successful exploitation of the vulnerability on Cisco IOS XR may > result in the ipv4_io process restarting or execution of arbitrary > code. Repeated exploitation could result in a CRS-1 Node or XR 12000 > Line Card reload and sustained DoS attack. > > Software Version and Fixes > ========================== > > When considering software upgrades, also consult > http://www.cisco.com/go/psirt and any subsequent advisories to > determine exposure and a complete upgrade solution. > > In all cases, customers should exercise caution to be certain the > devices to be upgraded contain sufficient memory and that current > hardware and software configurations will continue to be supported > properly by the new release. If the information is not clear, contact > the Cisco Technical Assistance Center ("TAC") or your contracted > maintenance provider for assistance. > > Each row of the Cisco IOS software table (below) describes a release > train and the platforms or products for which it is intended. If a > given release train is vulnerable, then the earliest possible > releases that contain the fix (the "First Fixed Release") and the > anticipated date of availability for each are listed in the "Rebuild" > and "Maintenance" columns. A device running a release in the given > train that is earlier than the release in a specific column (less > than the First Fixed Release) is known to be vulnerable. The release > should be upgraded at least to the indicated release or a later > version (greater than or equal to the First Fixed Release label). > > For more information on the terms "Rebuild" and "Maintenance," > consult the following URL: > http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml > > Note: There are three IOS security advisories and one field notice > being published on January 24, 2007. Each advisory lists only the > releases which fix the issue described in the advisory. A combined > software table is available at > http://www.cisco.com/warp/public/707/cisco-sa-20070124-bundle.shtml > and can be used to choose a software release which fixes all > security vulnerabilities published as of January 24, 2007. Links > for the advisories and field notice are listed here. > > * http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml > * http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml > * http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml > * http://www.cisco.com/warp/customer/770/fn62613.shtml > > Requests for software rebuilds to include the change for Daylight > Savings Time (DST) that will be implemented in March 2007 should be > directed through the Technical Assistance Center (TAC), and this > advisory should be used as reference. > > +---------------------------------------+ > | Major | Availability of Repaired | > | Release | Releases | > |------------+--------------------------| > | Affected | | | > | 12.0-Based | Rebuild | Maintenance | > | Release | | | > |------------+--------------------------| > | 12.0 | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.0DA | Vulnerable; migrate to | > | | 12.2(10)DA5 or later | > |------------+--------------------------| > | 12.0DB | Vulnerable; migrate to | > | | 12.3(4)T13 or later | > |------------+--------------------------| > | 12.0DC | Vulnerable; migrate to | > | | 12.3(4)T13 or later | > |------------+--------------------------| > | 12.0S | 12.0(27)S3 | 12.0(28)S | > |------------+--------------------------| > | 12.0SC | Vulnerable; migrate to | > | | 12.3(9a)BC or later | > |------------+--------------------------| > | 12.0SL | Vulnerable; migrate to | > | | 12.0(28)S or later | > |------------+--------------------------| > | 12.0SP | Vulnerable; migrate to | > | | 12.0(28)S or later | > |------------+--------------------------| > | 12.0ST | Vulnerable; migrate to | > | | 12.0(28)S or later | > |------------+--------------------------| > | 12.0SX | 12.0(25) | 12.0(30)SX | > | | SX11 | | > |------------+------------+-------------| > | 12.0SY | | 12.0(27)SY | > |------------+------------+-------------| > | 12.0SZ | | 12.0(30)SZ | > |------------+--------------------------| > | 12.0T | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | | 12.0(28)W5 | | > | 12.0W | (32c); | | > | | available | | > | | 31-Jan-07 | | > |------------+------------+-------------| > | 12.0WC | 12.0(5) | | > | | WC15 | | > |------------+--------------------------| > | 12.0WT | Vulnerable; contact TAC | > |------------+--------------------------| > | 12.0XA | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.0XB | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.0XC | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.0XD | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.0XE | Vulnerable; migrate to | > | | 12.1(23)E or later | > |------------+--------------------------| > | 12.0XF | Not vulnerable | > |------------+--------------------------| > | 12.0XG | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.0XH | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.0XI | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.0XJ | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.0XK | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.0XL | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.0XM | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.0XN | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.0XQ | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.0XR | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.0XS | Vulnerable; migrate to | > | | 12.1(23)E or later | > |------------+--------------------------| > | 12.0XV | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.0XW | Vulnerable; migrate to | > | | 12.0(5)WC15 or later | > |------------+--------------------------| > | Affected | | | > | 12.1-Based | Rebuild | Maintenance | > | Release | | | > |------------+--------------------------| > | 12.1 | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.1AA | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | | Vulnerable; for | > | | c3750-ME, migrate to | > | 12.1AX | 12.2(25)EY or later. For | > | | c2970 and 3750, migrate | > | | to 12.2(25)SE or later. | > |------------+--------------------------| > | 12.1AY | Vulnerable; migrate to | > | | 12.1(22)EA8 | > |------------+--------------------------| > | 12.1AZ | Vulnerable; migrate to | > | | 12.1(22)EA8 | > |------------+--------------------------| > | 12.1CX | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.1DA | Vulnerable; migrate to | > | | 12.2(10)DA5 or later | > |------------+--------------------------| > | 12.1DB | Vulnerable; migrate to | > | | 12.3(4)T13 or later | > |------------+--------------------------| > | 12.1DC | Vulnerable; migrate to | > | | 12.3(4)T13 or later | > |------------+--------------------------| > | 12.1E | | 12.1(23)E | > |------------+------------+-------------| > | 12.1EA | 12.1(22) | | > | | EA8 | | > |------------+------------+-------------| > | 12.1EB | | 12.1(23)EB | > |------------+--------------------------| > | 12.1EC | Vulnerable; migrate to | > | | 12.3(9a)BC or later | > |------------+--------------------------| > | | 12.1(19) | | > | | EO6, | | > | | available | | > | 12.1EO | 31-Jan-07 | | > | |------------+-------------| > | | 12.1(20) | | > | | EO3 | | > |------------+--------------------------| > | 12.1EU | Vulnerable; migrate to | > | | 12.2(25)EWA or later | > |------------+--------------------------| > | 12.1EV | Vulnerable; migrate to | > | | 12.2(26)SV1 or later | > |------------+--------------------------| > | 12.1EW | Vulnerable; migrate to | > | | 12.2(18)EW3 or later | > |------------+--------------------------| > | 12.1EX | Vulnerable; migrate to | > | | 12.1(23)E or later | > |------------+--------------------------| > | 12.1EY | Vulnerable; migrate to | > | | 12.1(23)E or later | > |------------+--------------------------| > | 12.1EZ | Vulnerable; migrate to | > | | 12.1(23)E or later | > |------------+--------------------------| > | 12.1T | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.1XA | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.1XB | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.1XC | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.1XD | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.1XE | Vulnerable; migrate to | > | | 12.1(23)E or later | > |------------+--------------------------| > | 12.1XF | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1XG | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1XH | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.1XI | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.1XJ | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1XL | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1XM | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1XP | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1XQ | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1XR | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1XS | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.1XT | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1XU | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1XV | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1XW | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.1XX | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.1XY | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.1XZ | Vulnerable; migrate to | > | | 12.2(37)or later | > |------------+--------------------------| > | 12.1YA | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1YB | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1YC | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1YD | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1YE | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1YF | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1YH | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1YI | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.1YJ | Vulnerable; migrate to | > | | 12.1(22)EA8 | > |------------+--------------------------| > | Affected | | | > | 12.2-Based | Rebuild | Maintenance | > | Release | | | > |------------+------------+-------------| > | 12.2 | 12.2(34a) | 12.2(37) | > |------------+--------------------------| > | 12.2B | Vulnerable; migrate to | > | | 12.3(4)T13 or later | > |------------+--------------------------| > | 12.BC | Vulnerable; migrate to | > | | 12.3(9a)BC or later | > |------------+--------------------------| > | 12.2BW | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2BY | Vulnerable; migrate to | > | | 12.3(4)T13 or later | > |------------+--------------------------| > | 12.2BZ | Vulnerable; migrate to | > | | 12.3(7)XI8 or later | > |------------+--------------------------| > | 12.2CX | Vulnerable; migrate to | > | | 12.3(9a)BC or later | > |------------+--------------------------| > | 12.2CY | Vulnerable; migrate to | > | | 12.3(9a)BC or later | > |------------+--------------------------| > | 12.2CZ | Vulnerable; contact TAC | > |------------+--------------------------| > | | 12.2(10) | | > | | DA5 | | > |12.2DA |------------+-------------| > | | 12.2(12) | | > | | DA10 | | > |------------+--------------------------| > | 12.2DD | Vulnerable; migrate to | > | | 12.3(4)T13 or later | > |------------+--------------------------| > | 12.2DX | Vulnerable; migrate to | > | | 12.3(4)T13 or later | > |------------+--------------------------| > | 12.2EU | Vulnerable; migrate to | > | | 12.2(25)EWA5 or later | > |------------+--------------------------| > | | 12.2(18) | | > | | EW3 | | > |12.2EW |------------+-------------| > | | 12.2(20) | 12.2(25)EW | > | | EW4 | | > |------------+------------+-------------| > | 12.2EWA | 12.2(20) | 12.2(25)EWA | > | | EWA4 | | > |------------+------------+-------------| > | 12.2EX | | 12.2(25)EX | > |------------+--------------------------| > | 12.2EY | All 12.2EY releases are | > | | fixed | > |------------+--------------------------| > | 12.2EZ | All 12.2EZ releases are | > | | fixed | > |------------+--------------------------| > | 12.2FX | All 12.2FX releases are | > | | fixed | > |------------+--------------------------| > | 12.2FY | All 12.2FY releases are | > | | fixed | > |------------+--------------------------| > | 12.2FZ | All 12.2FZ releases are | > | | fixed | > |------------+--------------------------| > | 12.2IXA | All 12.2IXA releases are | > | | fixed | > |------------+--------------------------| > | 12.2IXB | All 12.2IXB releases are | > | | fixed | > |------------+--------------------------| > | 12.2IXC | All 12.2IXC releases are | > | | fixed | > |------------+--------------------------| > | 12.2JA | Vulnerable; migrate to | > | | 12.3(8)JA or later | > |------------+--------------------------| > | 12.2JK | Vulnerable; migrate to | > | | 12.4(4)T or later | > |------------+--------------------------| > | 12.2MB | Vulnerable; migrate to | > | | 12.2(25)SW1 or later | > |------------+--------------------------| > | 12.2MC | 12.2(15)MC2h | > |------------+--------------------------| > | 12.2S | | 12.2(25)S | > |------------+------------+-------------| > | 12.2SB | | 12.2(28)SB | > |------------+--------------------------| > | 12.2SBC | All 12.2SBC releases are | > | | fixed | > |------------+--------------------------| > | 12.2SE | | 12.2(25)SE | > |------------+--------------------------| > | 12.2SEA | All 12.2SEA releases are | > | | fixed | > |------------+--------------------------| > | 12.2SEB | All 12.2SEB releases are | > | | fixed | > |------------+--------------------------| > | 12.2SEC | All 12.2SEC releases are | > | | fixed | > |------------+--------------------------| > | 12.2SED | All 12.2SED releases are | > | | fixed | > |------------+--------------------------| > | 12.2SEE | All 12.2SEE releases are | > | | fixed | > |------------+--------------------------| > | 12.2SEF | All 12.2SEF releases are | > | | fixed | > |------------+--------------------------| > | 12.2SEG | All 12.2SEG releases are | > | | fixed | > |------------+--------------------------| > | 12.2SG | All 12.2SG releases are | > | | fixed | > |------------+--------------------------| > | 12.2SGA | All 12.2SGA releases are | > | | fixed | > |------------+--------------------------| > | 12.2SO | 12.2(18) | | > | | SO7 | | > |------------+--------------------------| > | 12.2SRA | All 12.2SRA releases are | > | | fixed | > |------------+--------------------------| > | 12.2SRB | All 12.2SRB releases are | > | | fixed | > |------------+--------------------------| > | 12.2SU | Vulnerable; migrate to | > | | 12.3(14)T or later | > |------------+--------------------------| > | 12.2SV | | 12.2(23)SV | > |------------+------------+-------------| > | 12.2SW | 12.2(25) | | > | | SW1 | | > |------------+--------------------------| > | 12.2SX | Vulnerable; migrate to | > | | 12.2(17d)SXB11a or later | > |------------+--------------------------| > | 12.2SXA | Vulnerable; migrate to | > | | 12.2(17d)SXB11a or later | > |------------+--------------------------| > | 12.2SXB | 12.2(17d) | | > | | SXB11a | | > |------------+------------+-------------| > | 12.2SXD | 12.2(18) | | > | | SXD7a | | > |------------+--------------------------| > | 12.2SXE | All 12.2SXE releases are | > | | fixed | > |------------+--------------------------| > | 12.2SXF | All 12.2SXF releases are | > | | fixed | > |------------+--------------------------| > | 12.2SY | Vulnerable; migrate to | > | | 12.2(17d)SXB11a or later | > |------------+--------------------------| > | 12.2SZ | Vulnerable; migrate to | > | | 12.2(25)S or later | > |------------+--------------------------| > | 12.2T | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2TPC | Vulnerable; contact TAC | > |------------+--------------------------| > | 12.2XA | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2XB | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2XC | Vulnerable; migrate to | > | | 12.3(8)T or later | > |------------+--------------------------| > | 12.2XD | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2XE | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2XF | Vulnerable; migrate to | > | | 12.3(9a)BC or later | > |------------+--------------------------| > | 12.2XG | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2XH | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2XI | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2XJ | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2XK | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2XL | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2XM | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2XN | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2XQ | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2XR | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2XS | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2XT | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2XU | Vulnerable; migrate to | > | | 12.3(12) or later | > |------------+--------------------------| > | 12.2XV | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2XW | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2YA | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2YB | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2YC | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2YD | Vulnerable; migrate to | > | | 12.3(8)T or later | > |------------+--------------------------| > | 12.2YE | Vulnerable; migrate to | > | | 12.2(25)S or later | > |------------+--------------------------| > | 12.2YF | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2YG | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2YH | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2YJ | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2YK | Vulnerable; migrate to | > | | 12.3(8)T or later | > |------------+--------------------------| > | 12.2YL | Vulnerable; migrate to | > | | 12.3(8)T or later | > |------------+--------------------------| > | 12.2YM | Vulnerable; migrate to | > | | 12.3(8)T or later | > |------------+--------------------------| > | 12.2YN | Vulnerable; migrate to | > | | 12.3(8)T or later | > |------------+--------------------------| > | 12.2YO | Not vulnerable | > |------------+--------------------------| > | 12.2YP | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2YQ | Vulnerable; migrate to | > | | 12.3(4)T13 or later | > |------------+--------------------------| > | 12.2YR | Vulnerable; migrate to | > | | 12.3(4)T13 or later | > |------------+--------------------------| > | 12.2YS | Vulnerable; migrate to | > | | 12.3(8)T or later | > |------------+--------------------------| > | 12.2YT | Vulnerable; migrate to | > | | 12.3(8) or later | > |------------+--------------------------| > | 12.2YU | Vulnerable; migrate to | > | | 12.3(8)T or later | > |------------+--------------------------| > | 12.2YV | Vulnerable; migrate to | > | | 12.3(4)T13 or later | > |------------+--------------------------| > | 12.2YW | Vulnerable; migrate to | > | | 12.3(8)T or later | > |------------+--------------------------| > | 12.2YX | Vulnerable; migrate to | > | | 12.3(14)T or later | > |------------+--------------------------| > | 12.2YY | Vulnerable; migrate to | > | | 12.3(4)T13 or later | > |------------+--------------------------| > | 12.2YZ | Vulnerable; migrate to | > | | 12.2(25)S or later | > |------------+--------------------------| > | 12.2ZA | Vulnerable; migrate to | > | | 12.2(17d)SXBa or later | > |------------+--------------------------| > | 12.2ZB | Vulnerable; migrate to | > | | 12.3(8)T or later | > |------------+--------------------------| > | 12.2ZC | Vulnerable; migrate to | > | | 12.3(8)T or later | > |------------+--------------------------| > | 12.2ZD | Vulnerable; contact TAC | > |------------+--------------------------| > | 12.2ZE | Vulnerable; migrate to | > | | 12.3(8) or laer | > |------------+--------------------------| > | 12.2ZF | Vulnerable; migrate to | > | | 12.3(4)T13 or later | > |------------+--------------------------| > | | Vulnerable; for SOHO9x, | > | 12.2ZG | migrate to 12.3(8)YG2 or | > | | later. For c83x, migrate | > | | to 12.3(2)XA3 or later | > |------------+--------------------------| > | 12.2ZH | Vulnerable; contact TAC | > |------------+--------------------------| > | 12.2ZJ | Vulnerable; migrate to | > | | 12.3(8)T or later | > |------------+--------------------------| > | 12.2ZL | Vulnerable; contact TAC | > |------------+--------------------------| > | 12.2ZN | Vulnerable; migrate to | > | | 12.3(4)T13 or later | > |------------+--------------------------| > | 12.2ZP | Vulnerable; migrate to | > | | 12.3(8)XY or later | > |------------+--------------------------| > | Affected | | | > | 12.3-Based | Rebuild | Maintenance | > | Release | | | > |------------+------------+-------------| > | 12.3 | | 12.3(8) | > |------------+--------------------------| > | 12.3B | Vulnerable; migrate to | > | | 12.3(8)T7 or later | > |------------+--------------------------| > | 12.3BC | | 12.3(9a)BC | > |------------+--------------------------| > | 12.3BW | Vulnerable; migrate to | > | | 12.3(8)T or later | > |------------+--------------------------| > | 12.3JA | | 12.3(8)JA | > |------------+--------------------------| > | 12.3JEA | All 12.3JEA releases are | > | | fixed | > |------------+--------------------------| > | 12.3JEB | All 12.3JEA releases are | > | | fixed | > |------------+--------------------------| > | 12.3JK | 12.3(2)JK2 | 12.3(8)JK | > |------------+------------+-------------| > | 12.3JX | 12.3(7)JX6 | 12.3(11)JX | > |------------+------------+-------------| > | 12.3T | 12.3(4)T13 | 12.3(8)T | > |------------+------------+-------------| > | 12.3TPC | 12.3(4) | | > | | TPC11b | | > |------------+------------+-------------| > | 12.3XA | 12.3(2)XA6 | | > |------------+--------------------------| > | 12.3XB | Vulnerable; migrate to | > | | 12.3(8)T or later | > |------------+--------------------------| > | 12.3XC | Vulnerable; contact TAC | > |------------+--------------------------| > | 12.3XD | Vulnerable; migrate to | > | | 12.3(8)T7 or later | > |------------+--------------------------| > | 12.3XE | Vulnerable; contact TAC | > |------------+--------------------------| > | 12.3XF | Vulnerable; migrate to | > | | 12.3(11)T or later | > |------------+--------------------------| > | 12.3XG | Vulnerable; contact TAC | > |------------+--------------------------| > | 12.3XH | Vulnerable; migrate to | > | | 12.3(11)T or later | > |------------+--------------------------| > | 12.3XI | 12.3(7)XI8 | | > |------------+--------------------------| > | 12.3XJ | Vulnerable; migrate to | > | | 12.3(8)XW or later | > |------------+--------------------------| > | 12.3XK | Vulnerable; migrate to | > | | 12.3(14)T or later | > |------------+--------------------------| > | 12.3XQ | Vulnerable; migrate to | > | | 12.4(1) or later | > |------------+--------------------------| > | 12.3XR | All 12.3XR releases are | > | | fixed | > |------------+--------------------------| > | 12.3XS | All 12.3XS releases are | > | | fixed | > |------------+--------------------------| > | 12.3XU | All 12.3XU releases are | > | | fixed | > |------------+--------------------------| > | 12.3XW | All 12.3XW releases are | > | | fixed | > |------------+--------------------------| > | 12.3XX | All 12.3XX releases are | > | | fixed | > |------------+--------------------------| > | 12.3XY | All 12.3XR releases are | > | | fixed | > |------------+--------------------------| > | 12.3YA | All 12.3YA releases are | > | | fixed | > |------------+--------------------------| > | 12.3YD | All 12.3YD releases are | > | | fixed | > |------------+--------------------------| > | 12.3YF | All 12.3YF releases are | > | | fixed | > |------------+--------------------------| > | 12.3YG | All 12.3YG releases are | > | | fixed | > |------------+--------------------------| > | 12.3YH | All 12.3YH releases are | > | | fixed | > |------------+--------------------------| > | 12.3YI | All 12.3YI releases are | > | | fixed | > |------------+--------------------------| > | 12.3YJ | All 12.3YJ releases are | > | | fixed | > |------------+--------------------------| > | 12.3YK | All 12.3YK releases are | > | | fixed | > |------------+--------------------------| > | 12.3YM | All 12.3YM releases are | > | | fixed | > |------------+--------------------------| > | 12.3YQ | All 12.3YQ releases are | > | | fixed | > |------------+--------------------------| > | 12.3YS | All 12.3YS releases are | > | | fixed | > |------------+--------------------------| > | 12.3YT | All 12.3YT releases are | > | | fixed | > |------------+--------------------------| > | 12.3YU | All 12.3YU releases are | > | | fixed | > |------------+--------------------------| > | 12.3YX | All 12.3YX releases are | > | | fixed | > |------------+--------------------------| > | 12.3YZ | All 12.3YZ releases are | > | | fixed | > |------------+--------------------------| > | Affected | | | > | 12.4-Based | Rebuild | Maintenance | > | Release | | | > |---------------------------------------| > | All 12.4 releases are fixed | > +---------------------------------------+ > > +---------------------------------------+ > | Cisco IOS XR Version | SMU ID | > |-----------------------------+---------| > | 3.2.2 for CRS-1 | AA01482 | > |-----------------------------+---------| > | 3.2.3 for CRS-1 | AA01483 | > |-----------------------------+---------| > | 3.2.4 for CRS-1 | AA01484 | > |-----------------------------+---------| > | 3.2.6 for CRS-1 | AA01727 | > |-----------------------------+---------| > | 3.3.x for CRS-1 and XR12000 | Fixed | > |-----------------------------+---------| > | 3.4.x for CRS-1 and XR12000 | Fixed | > +---------------------------------------+ > > Workarounds > =========== > > Additional mitigations that can be deployed on Cisco devices within > the network are available in the Cisco Applied Intelligence companion > document for this advisory: > > http://www.cisco.com/warp/public/707/cisco-air-20070124-crafted-ip-option.shtml > > IP Options Selective Drop > +------------------------ > > The IP Options Selective Drop feature allows Cisco routers to > mitigate the effects of IP options by dropping packets containing > them or by not processing (ignoring) IP options in a packet. > > The most effective workaround is using the "drop" option of this > global configuration command: "ip options drop". This command > will drop all IP packets containing IP options that are both > destined to the router itself or transiting through the router > before they are processed, preventing exploitation locally and > downstream. > > The IP Options Selective Drop feature is available beginning in Cisco > IOS software version 12.0(23)S for 12000, 12.0(32)S for 10720, and > 12.3(4)T, 12.2(25)S, and 12.2(27)SBC for other hardware platforms. > > Please note that deploying this command will drop legitimate packets > containing IP options as well. Protocols this may impact include RSVP > (used by Microsoft NetMeeting), MPLS TE, MPLS OAM, DVMRP, IGMPv3, > IGMPv2, and legitimate PGM. > > Note: The "ignore" option of the global command "ip options ignore", > available only on the Cisco 12000 router beginning in 12.0(23)S, is > NOT a workaround for this issue. > > Additional information about IP Options Selective Drop feature is > available at > http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00801d4a94.html > > Transit Access Control Lists (ACLs) > +---------------------------------- > > Configure an interface ACL that blocks traffic of these types: > > * Echo (Ping) ICMP type 8 > * Timestamp ICMP type 13 > * Information Request ICMP type 15 > * Address Mask Request ICMP Type 17 > * Protocol Independent Multicast (PIM) IP protocol 103 > * Pragmatic General Multicast (PGM) IP protocol 113 > * URL Rendezvous Directory (URD) TCP port 465 > > The Internet Control Message Protocol is an integral part of the > Transmission Control Protocol/Internet Protocol (TCP/IP) protocol > suite that is used to report error conditions and provide diagnostic > information. Filtering ICMP messages may impact this error condition > and diagnostic reporting including "ping" and Windows traceroute > which uses ICMP ping. > > If the device is configured to process PIM, PGM, or URD, blocking > those packets will prevent legitimate operation of the protocols. > > Since the source IP address of these packets can be easily spoofed, > the affected traffic should be blocked on all of the device's IPv4 > interfaces. > > The following ACL is specifically designed to block attack traffic > and should be applied to all IPv4 interfaces of the device and should > include topology-specific filters: > > access-list 150 deny icmp any any echo > access-list 150 deny icmp any any information-request > access-list 150 deny icmp any any timestamp-request > access-list 150 deny icmp any any mask-request > access-list 150 deny tcp any any eq 465 > access-list 150 deny 103 any any > access-list 150 deny 113 any any > access-list 150 permit ip any any > > interface serial 2/0 > ip access-group 150 in > > These ACL statements should be deployed at the network edge as part > of a transit access list which will protect the router where the ACL > is configured as well as other devices behind it. Further information > about transit ACLs is available in the white paper "Transit Access > Control Lists: Filtering at Your Edge", available at > http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml > > The following Cisco IOS XR ACL is specifically designed to block > attack traffic and should be applied to all IPv4 interfaces of the > device and should include topology-specific filters: > > ipv4 access-list ios-xr-transit-acl > 10 deny icmp any any echo > 20 deny icmp any any information-request > 30 deny icmp any any timestamp-request > 40 deny icmp any any mask-request > 50 deny tcp any any eq 465 > 60 deny 103 any any > 70 deny 113 any any > 80 permit ip any any > > interface POS 0/2/0/ > ipv4 access-group ios-xr-transit-acl ingress > > Information about configuring access lists on Cisco IOS XR is > available at > http://www.cisco.com/en/US/products/ps5763/products_command_reference_chapter09186a00803e01ae.html > > Infrastructure ACLs > +------------------ > > Although it is often difficult to block traffic transiting your > network, it is possible to identify traffic which should never be > allowed to target your infrastructure devices and block that traffic > at the border of your network. Infrastructure ACLs are considered a > network security best practice and should be considered as a > long-term addition to good network security as well as a workaround > for this specific vulnerability. The ACL example shown below should > be included as part of the deployed infrastructure access list which > will protect all devices with IP addresses in the infrastructure IP > address range. > > Cisco IOS > +-------- > > access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES echo > access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES information-request > access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES timestamp-request > access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES mask-request > access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES eq 465 > access-list 150 deny 103 any INFRASTRUCTURE_ADDRESSES > access-list 150 deny 113 any INFRASTRUCTURE_ADDRESSES > access-list 150 permit ip any any > > interface serial 2/0 > ip access-group 150 in > > Cisco IOS XR > +----------- > > ipv4 access-list ios-xr-infrastructure-acl > 10 deny icmp any INFRASTRUCTURE_ADDRESSES echo > 20 deny icmp any INFRASTRUCTURE_ADDRESSES information-request > 30 deny icmp any INFRASTRUCTURE_ADDRESSES timestamp-request > 40 deny icmp any INFRASTRUCTURE_ADDRESSES mask-request > 50 deny tcp any INFRASTRUCTURE_ADDRESSES eq 465 > 60 deny 103 any INFRASTRUCTURE_ADDRESSES > 70 deny 113 any INFRASTRUCTURE_ADDRESSES > 80 permit ip any any > > interface POS 0/2/0/2 > ipv4 access-group ios-xr-infrastructure-acl ingress > > The white paper entitled "Protecting Your Core: Infrastructure > Protection Access Control Lists" presents guidelines and recommended > deployment techniques for infrastructure protection access lists and > is available at > http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml > > Information about configuring access lists on Cisco IOS XR is > available at > http://www.cisco.com/en/US/products/ps5763/products_command_reference_chapter09186a00803e01ae.html > > Receive ACLs > +----------- > > For distributed platforms, receive ACLs may be an option starting in > Cisco IOS Software Versions 12.0(21)S2 for the 12000 (GSR), 12.0(24)S > for the 7500, and 12.0(31)S for the 10720. The receive ACL protects > the device from harmful traffic before the traffic can impact the > route processor. A receive ACL is designed to protect only the device > on which it is configured. On the 12000, transit traffic is never > affected by a receive ACL. Because of this, the destination IP > address "any" used in the example ACL entries below only refer to the > router's own physical or virtual IP addresses. On the 7500 and 10720, > transit traffic with IP options set will be subject to the receive > ACL and permitted or denied accordingly. Receive ACLs are considered > a network security best practice and should be considered as a > long-term addition to good network security as well as a workaround > for this specific vulnerability. > > The white paper entitled "GSR: Receive Access Control Lists" will > help you identify and allow legitimate traffic to your device and > deny all unwanted packets and is available at > http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a0a5e.shtml > > The following receive path ACL is designed specifically to block this > attack traffic: > > access-list 101 deny icmp any any echo > access-list 101 deny icmp any any information-request > access-list 101 deny icmp any any timestamp-request > access-list 101 deny icmp any any mask-request > access-list 101 deny tcp any any eq 465 > access-list 101 deny 103 any any > access-list 101 deny 113 any any > access-list 101 permit ip any any > ! > ip receive access-list 101 > > Control Plane Policing > +--------------------- > > The Control Plane Policing (CoPP) feature may be used to mitigate > this vulnerability. In the following example, any packets that can > exploit the vulnerability are denied while all other IP traffic is > permitted. Because of the way routers process packets with IP > options, CoPP will be applied to attack packets destined for the > router itself and packets transiting through the router to other > destination IP addresses. This applies to all platforms except the > 12000 where only attack packets destined for the router itself will > be dropped. > > access-list 100 permit icmp any any echo > access-list 100 permit icmp any any information-request > access-list 100 permit icmp any any timestamp-request > access-list 100 permit icmp any any mask-request > access-list 100 permit tcp any any eq 465 > access-list 100 permit 103 any any > access-list 100 permit 113 any any > access-list 100 deny ip any any > ! > class-map match-all drop-options-class > match access-group 100 > ! > ! > policy-map drop-options-policy > class drop-options-class > drop > ! > control-plane > service-policy input drop-options-policy > > Please note that in the 12.0S, 12.2S, and 12.2SX Cisco IOS trains, > the policy-map syntax is different: > > policy-map drop-options-policy > class drop-options-class > police 32000 1500 1500 conform-action drop exceed-action drop > > Because of the way routers process packets with IP options, CoPP will > be applied to attack packets destined for the router itself and > packets transiting through the router to other destination IP > addresses. In the following example, only packets with IP options > that can exploit the vulnerability and that are destined for the > router or that transit through the router are denied while all other > IP traffic is permitted. > > ip access-list extended drop-affected-options > permit icmp any any echo option any-options > permit icmp any any information-request option any-options > permit icmp any any timestamp-request option any-options > permit icmp any any mask-request option any-options > permit pim any any option any-options > permit 113 any any option any-options > permit tcp any any eq 465 option any-options > deny ip any any > ! > class-map match-all drop-options-class > match access-group name drop-affected-options > ! > ! > policy-map drop-opt-policy > class drop-options-class > drop > ! > control-plane > service-policy input drop-opt-policy > > Please note that in the 12.2S Cisco IOS train, the policy-map syntax > is different: > > policy-map drop-opt-policy > class drop-options-class > police 32000 1500 1500 conform-action drop exceed-action drop > > CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, > 12.3T, 12.4, and 12.4T. > > ACL support for filtering IP options requires named ACLs. ACL support > for filtering IP options is not available in 12.0S or 12.2SX. > > Please note that PGM packets typically use the "Router Alert" Option, > and dropping PGM packets with IP options will affect legitimate PGM > packets. > > In the above CoPP examples, the ACL entries that match the exploit > packets with the "permit" action result in these packets being > discarded by the policy-map drop function, while packets that match > the "deny" action are not affected by the policy-map drop function. > > Additional information on the configuration and use of the CoPP > feature can be found at > http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml > and > http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html > > Additional information for filtering IP Options with access lists can > be found at > http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d4a7d.html > > Obtaining Fixed Software > ======================== > > Cisco will make free software available to address this vulnerability > for affected customers. This advisory will be updated as fixed > software becomes available. Prior to deploying software, customers > should consult their maintenance provider or check the software for > feature set compatibility and known issues specific to their > environment. > > Customers may only install and expect support for the feature sets > they have purchased. By installing, downloading, accessing or > otherwise using such software upgrades, customers agree to be bound > by the terms of Cisco's software license terms found at > http://www.cisco.com/public/sw-license-agreement.html, or as > otherwise set forth at Cisco.com Downloads at > http://www.cisco.com/public/sw-center/sw-usingswc.shtml > > Do not contact either "[email protected]" or "[email protected]" > for software upgrades. > > Customers with Service Contracts > +------------------------------- > > Customers with contracts should obtain upgraded software through > their regular update channels. For most customers, this means that > upgrades should be obtained through the Software Center on Cisco's > worldwide website at http://www.cisco.com > > Customers using Third Party Support Organizations > +------------------------------------------------ > > Customers whose Cisco products are provided or maintained through > prior or existing agreement with third-party support organizations > such as Cisco Partners, authorized resellers, or service providers > should contact that support organization for guidance and assistance > with the appropriate course of action in regards to this advisory. > > The effectiveness of any workaround or fix is dependent on specific > customer situations such as product mix, network topology, traffic > behavior, and organizational mission. Due to the variety of affected > products and releases, customers should consult with their service > provider or support organization to ensure any applied workaround or > fix is the most appropriate for use in the intended network before it > is deployed. > > Customers without Service Contracts > +---------------------------------- > > Customers who purchase direct from Cisco but who do not hold a Cisco > service contract and customers who purchase through third-party > vendors but are unsuccessful at obtaining fixed software through > their point of sale should get their upgrades by contacting the Cisco > Technical Assistance Center (TAC). TAC contacts are as follows. > > * +1 800 553 2447 (toll free from within North America) > * +1 408 526 7209 (toll call from anywhere in the world) > * e-mail: [email protected] > > Have your product serial number available and give the URL of this > notice as evidence of your entitlement to a free upgrade. Free > upgrades for non-contract customers must be requested through the > TAC. > > Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml > for additional TAC contact information, including special localized > telephone numbers and instructions and e-mail addresses for use in > various languages. > > Exploitation and Public Announcements > ===================================== > > The Cisco PSIRT is not aware of any public announcements or malicious > use of the vulnerability described in this advisory. This > vulnerability was discovered during internal testing. > > Status of this Notice: FINAL > ============================ > > THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY > KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF > MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE > INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS > AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS > DOCUMENT AT ANY TIME. > > A stand-alone copy or Paraphrase of the text of this document that > omits the distribution URL in the following section is an > uncontrolled copy, and may lack important information or contain > factual errors. > > Distribution > ============ > > This advisory is posted on Cisco's worldwide website at: > > http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml > > In addition to worldwide web posting, a text version of this notice > is clear-signed with the Cisco PSIRT PGP key and is posted to the > following e-mail and Usenet news recipients. > > * [email protected] > * [email protected] > * [email protected] > * [email protected] > * [email protected] > * [email protected] > * [email protected] > * [email protected] > > Future updates of this advisory, if any, will be placed on Cisco's > worldwide website, but may or may not be actively announced on > mailing lists or newsgroups. Users concerned about this problem are > encouraged to check the above URL for any updates. > > Revision History > ================ > +---------------------------------------+ > | Revision | | Initial | > | 1.0 | 2007-Jan-24 | public | > | | | release. | > +---------------------------------------+ > > Cisco Security Procedures > ========================= > > Complete information on reporting security vulnerabilities in Cisco > products, obtaining assistance with security incidents, and > registering to receive security information from Cisco, is available > on Cisco's worldwide website at > http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html > This includes instructions for press inquiries regarding Cisco > security notices. All Cisco security advisories are available at > http://www.cisco.com/go/psirt > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.5 (SunOS) > > iD8DBQFFt5cO8NUAbBmDaxQRAs6NAJsEXc4RCzhHI1n+Dxjmizm6mzIzmACbBr3H > /ox3OGmd1I41UMn3iOM8qHc= > =RlTo > -----END PGP SIGNATURE----- >
|