Cisco Security Advisory: Crafted IP Option Vulnerability
Gadi Evron
ge at linuxbox.org
Wed Jan 24 19:32:27 UTC 2007
How many OPK's are being released today.. anyone?
On Wed, 24 Jan 2007, Cisco Systems Product Security Incident Response Team wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Cisco Security Advisory: Crafted IP Option Vulnerability
>
> Advisory ID: cisco-sa-20070124-crafted-ip-option
>
> http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
>
> Revision 1.0
>
> For Public Release 2007 January 24 1600 UTC (GMT)
>
> +--------------------------------------------------------------------
>
> Contents
> ========
>
> Summary
> Affected Products
> Details
> Vulnerability Scoring Details
> Impact
> Software Version and Fixes
> Workarounds
> Obtaining Fixed Software
> Exploitation and Public Announcements
> Status of this Notice: FINAL
> Distribution
> Revision History
> Cisco Security Procedures
>
> - ---------------------------------------------------------------------
>
> Summary
> =======
>
> Cisco routers and switches running Cisco IOS® or Cisco IOS XR
> software may be vulnerable to a remotely exploitable crafted IP
> option Denial of Service (DoS) attack. Exploitation of the
> vulnerability may potentially allow for arbitrary code execution. The
> vulnerability may be exploited after processing an Internet Control
> Message Protocol (ICMP) packet, Protocol Independent Multicast
> version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet,
> or URL Rendezvous Directory (URD) packet containing a specific
> crafted IP option in the packet's IP header. No other IP protocols
> are affected by this issue.
>
> Cisco has made free software available to address this vulnerability
> for affected customers.
>
> There are workarounds available to mitigate the effects of the
> vulnerability.
>
> This vulnerability was discovered during internal testing.
>
> This advisory is available at
> http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
>
> Affected Products
> =================
>
> Vulnerable Products
> +------------------
>
> This issue affects all Cisco devices running Cisco IOS or Cisco IOS
> XR software and configured to process Internet Protocol version 4
> (IPv4) packets. Devices which run only Internet Protocol version 6
> (IPv6) are not affected.
>
> This vulnerability is present in all unfixed versions of Cisco IOS
> software, including versions 9.x, 10.x, 11.x and 12.x.
>
> This vulnerability is present in all unfixed versions of Cisco IOS XR
> software, including versions 2.0.X, 3.0.X, and 3.2.X.
>
> All versions of Cisco IOS or Cisco IOS XR prior to the versions
> listed in the Fixed Software table below may be susceptible to this
> vulnerability.
>
> To determine the software running on a Cisco product, log in to the
> device and issue the "show version" command to display the system
> banner. Cisco IOS software will identify itself as "Internetwork
> Operating System Software" or simply "IOS". On the next line of
> output, the image name will be displayed between parentheses,
> followed by "Version" and the IOS release name. Cisco IOS XR software
> will identify itself as "Cisco IOS XR Software" followed by "Version"
> and the version number. Other Cisco devices will not have the show
> version command or will give different output.
>
> The following example identifies a Cisco product running Cisco IOS
> release 12.2(14)S16 with an installed image name of C7200-IS-M:
>
> Cisco Internetwork Operating System Software
> IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(14)S16,
> RELEASE SOFTWARE (fc1)
>
> The release train label is "12.2".
>
> The next example shows a product running IOS release 12.3(7)T12 with
> an image name of C7200-IK9S-M:
>
> Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(7)T12,
> RELEASE SOFTWARE (fc1)
>
> Additional information about Cisco IOS Banners is available at
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml#3
>
> Cisco IOS XR Software is a member of the Cisco IOS software family
> that uses a microkernel-based distributed operating system
> infrastructure. Cisco IOS XR runs only on Cisco Carrier Routing
> System 1 (CRS-1) and Cisco XR 12000 series routers.
>
> Additional information about Cisco IOS XR is available at
> http://www.cisco.com/en/US/products/ps5845/index.html
>
> The following example shows partial output from the show version
> command which identifies a Cisco product running Cisco IOS XR release
> 3.3.0:
>
> RP/0/RP0/CPU0:router#show version
> Cisco IOS XR Software, Version 3.3.0
> Copyright (c) 2006 by cisco Systems, Inc.
> ROM: System Bootstrap, Version 1.32(20050525:193559) [CRS-1 ROMMON]
>
> Products Confirmed Not Vulnerable
> +--------------------------------
>
> Cisco devices that do not run Cisco IOS or Cisco IOS XR software are
> not affected. CatOS software is not affected by this issue.
>
> No other Cisco products are currently known to be affected by this
> vulnerability.
>
> Details
> =======
>
> This vulnerability may be exploited when an affected device processes
> a packet that meets all three of the following conditions:
>
> +---------------------------------------+
> | 1. The packet contains a specific |
> | crafted IP option. |
> |---------------------------------------|
> | AND |
> |---------------------------------------|
> | 2. The packet is one of the following |
> | protocols: |
> |---------------------------------------|
> | * ICMP - Echo (Type 8) - 'ping' |
> |---------------------------------------|
> | * ICMP - Timestamp (Type 13) |
> |---------------------------------------|
> | * ICMP - Information Request (Type |
> | 15) |
> |---------------------------------------|
> | * ICMP - Address Mask Request (Type |
> | 17) |
> |---------------------------------------|
> | * PIMv2 - IP protocol 103 |
> |---------------------------------------|
> | * PGM - IP protocol 113 |
> |---------------------------------------|
> | * URD - TCP Port 465 |
> |---------------------------------------|
> | AND |
> |---------------------------------------|
> | 3. The packet is sent to a physical |
> | or virtual IPv4 address configured on |
> | the affected device. |
> +---------------------------------------+
>
> No other ICMP message types are affected by this issue.
>
> No other IP protocols are affected by this issue.
>
> No other TCP services are affected by this issue.
>
> The packet can be sent from a local network or from a remote network.
>
> The source IP address of the packet can be spoofed or non-spoofed.
>
> Packets which transit the device (packets not sent to one of the
> device's IP addresses) do not trigger the vulnerability and the
> device is not affected.
>
> This vulnerability is documented in these Bug IDs:
>
> * Cisco Bug ID CSCec71950 for Cisco IOS
> * Cisco Bug ID CSCeh52410 for Cisco IOS XR
>
> Cisco IOS
> +--------
>
> A crafted packet addressed directly to a vulnerable device running
> Cisco IOS software may result in the device reloading or may allow
> execution of arbitrary code.
>
> Cisco IOS XR
> +-----------
>
> A crafted packet addressed directly to a vulnerable device running
> Cisco IOS XR software may result in the ipv4_io process restarting or
> may allow execution of arbitrary code. CRS-1 Nodes that run the
> ipv4_io process include Route Processors (RP), Distributed Route
> Processors (DRP), Modular Services Cards (MSC), and XR 12000 Line
> Cards. While the ipv4_io process is restarting, all ICMP traffic
> destined for the device itself and exception punts will be dropped.
> Examples of exception punts include packets having IP header
> information that requires further processing such as IP options,
> Time-to-Live equal to 0 or 1, and layer-2 keepalives. CLNS traffic to
> the Node or Line Card is not affected. If the ipv4_io process is
> restarted several times consecutively, the CRS-1 Node or XR 12000
> Line Card may reload, causing a Denial of Service (DoS) condition for
> the transit traffic switched on that Node or Line card.
>
> Devices Configured for ICMP Message Types
> +----------------------------------------
>
> ICMP Type 8
> +----------
>
> By default, devices running all Cisco IOS and Cisco IOS XR versions
> will process ICMP echo-request (Type 8) packets. This behavior cannot
> be modified.
>
> ICMP Type 13
> +-----------
>
> By default, devices running all Cisco IOS versions will process ICMP
> timestamp (Type 13) packets. This behavior cannot be modified.
>
> By default, devices running all Cisco IOS XR versions will NOT
> process ICMP timestamp (Type 13) packets. This behavior cannot be
> modified.
>
> ICMP Type 15
> +-----------
>
> With the introduction of CSCdz50424, by default routers will NOT
> process ICMP information request (Type 15) packets. Releases of Cisco
> IOS that contain CSCdz50424 include 12.3, 12.3T, 12.4, 12.4T, later
> 12.0S and later 12.2S. See CSCdz50424 for complete release
> information.
>
> A router running a Cisco IOS release containing CSCdz50424 that has
> been modified to process ICMP information request packets will have
> the interface configuration statement "ip information-reply", which
> can be seen by issuing the command "show running-config" as shown
> in the following examples:
>
> router#show running-config | include information-reply
> ip information-reply
>
> or
>
> router#show running-config
>
> interface FastEthernet0/0
> ip address 192.0.2.1 255.255.255.0
> ip information-reply
>
> By default, devices running all other Cisco IOS versions will process
> ICMP information request (Type 15) packets. This behavior cannot be
> modified. Since this is the default behavior, "ip information-reply"
> will not be visible in the device's configuration.
>
> By default, devices running all Cisco IOS XR versions will NOT
> process ICMP information request (Type 15) packets. This behavior
> cannot be modified.
>
> ICMP Type 17
> +-----------
>
> Beginning in Cisco IOS version 10.0, by default devices will NOT
> process ICMP address mask request (Type 17) packets. A router that
> has been modified to process ICMP address mask request packets will
> have the interface configuration statement "ip mask-reply", which
> can be seen by issuing the command "show running-config" as shown
> in the following examples:
>
> router#show running-config | include mask-reply
> ip mask-reply
>
> or
>
> router#show running-config
>
> interface FastEthernet0/0
> ip address 192.0.2.1 255.255.255.0
> ip mask-reply
>
> By default, devices running all Cisco IOS XR versions will NOT
> process ICMP address mask request (Type 17) packets. A router that
> has been modified to process ICMP address mask request packets will
> have the interface configuration statement "ipv4 mask-reply", which
> can be seen by issuing the command show running-config as shown in
> the following examples:
>
> RP/0/RP0/CPU0:router#show running-config | include mask-reply
> Building configuration...
> ipv4 mask-reply
>
> or
>
> RP/0/RP0/CPU0:router#show running-config
> interface POS0/1/3/0
> ipv4 address 192.0.2.1 255.255.255.252
> ipv4 mask-reply
>
> Devices Configured for Protocol Independent Multicast Version 2
> (PIMv2)
> +--------------------------------------------------------------
>
> Cisco IOS
> +--------
>
> A router running Cisco IOS that is configured to process PIMv2
> packets will have an interface configuration statement that begins
> with "ip pim", which can be seen by issuing the command "show
> running-config" as shown in the following examples:
>
> router#show running-config | include ip pim
> ip pim sparse-mode
>
> or
>
> router#show running-config
>
> interface FastEthernet0/0
> ip address 192.0.2.1 255.255.255.0
> ip pim sparse-dense-mode
>
> The command "show ip pim interface" can also be used to determine
> if a router is configured to process PIMv2 packets, as shown in
> the following example:
>
> router#show ip pim interface
> Address Interface Ver/ Nbr Query DR DR
> Mode Count Intvl Prior
> 192.0.2.1 FastEthernet0/0 v1/S 0 30 1 0.0.0.0
> 192.168.1.1 FastEthernet1/0 v2/SD 0 30 1 0.0.0.0
>
> Interfaces running PIMv2 will show "v2/" under the Ver/Mode column.
> Interfaces without PIM configured will not be shown in the command
> output.
>
> PIMv2 is the default PIM version. Routers configured to process only
> PIMv1 messages are not vulnerable to the PIMv2 exploit. Routers that
> do not have PIM configured are not vulnerable to the PIMv2 exploit.
> PIM is not enabled by default.
>
> Additional information about PIM is available at
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca794.html
>
> Cisco IOS XR
> +-----------
>
> The command show pim interface can be used to determine if a router
> running Cisco IOS XR is configured to process PIMv2 packets, as shown
> in the following example:
>
> RP/0/0/CPU0:router#show pim interface
> Address Interface PIM Nbr Hello DR DR
> Count Intvl Prior
> 192.168.1.1 Loopback0 on 1 30 1 this system
> 192.168.2.1 MgmtEth0/0/CPU0/0 off 0 30 1 not elected
> 192.168.3.1 Loopback1 on 1 30 1 this system
> 192.168.4.1 Loopback3 on 1 30 1 this system
> 192.168.5.1 POS0/4/0/0 on 1 30 1 this system
> 192.0.2.1 POS0/4/0/1 on 1 30 1 this system
>
> Interfaces running PIMv2 will show on under the PIM column.
> Interfaces without PIM configured will show "off" under the PIM
> column.
>
> Cisco IOS XR does not support PIMv1. PIM is not enabled by default on
> Cisco IOS XR.
>
> Additional information about PIM on Cisco IOS XR is available at
> http://www.cisco.com/en/US/products/ps5845/products_configuration_guide_chapter09186a008069a8a2.html
>
> Devices Configured for Pragmatic General Multicast (PGM)
> +-------------------------------------------------------
>
> A router that is configured to process PGM packets will have the
> interface configuration statement "ip pgm router", which can be
> seen by issuing the command "show running-config" as shown in
> the following examples:
>
> router#show running-config | include ip pgm
> ip pgm router
>
> or
>
> router#show running-config
>
> interface FastEthernet1/0
> ip address 192.0.2.1 255.255.255.0
> ip pim sparse-dense-mode
> ip pgm router
>
> or
>
> router#show running-config
>
> interface FastEthernet1/0
> ip address 192.0.2.1 255.255.255.0
> ip pgm router
>
> Routers that do not have PGM configured are not vulnerable to the PGM
> exploit. PGM is not enabled by default.
>
> Additional information about PGM is available at
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca798.html
>
> Cisco IOS XR does not support PGM and is not affected by PGM packets
> that exploit this vulnerability.
>
> Devices Configured for URL Rendezvous Directory (URD)
> +----------------------------------------------------
>
> A router that is configured to process URD packets will have the
> interface configuration statement "ip urd" or "ip urd proxy",
> which can be seen by issuing the command "show running-config"
> as shown in the following examples:
>
> router#show running-config | include ip urd
> ip urd
>
> or
>
> router#show running-config | include ip urd
> ip urd proxy
>
> or
>
> router#show running-config
>
> interface FastEthernet1/0
> ip address 192.0.2.1 255.255.255.0
> ip pim sparse-mode
> ip urd
>
> or
>
> router#show running-config
>
> interface FastEthernet1/0
> ip address 192.0.2.1 255.255.255.0
> ip pim sparse-dense-mode
> ip urd proxy
>
> or
>
> router#show running-config
>
> interface FastEthernet1/0
> ip address 192.0.2.1 255.255.255.0
> ip urd
>
> Routers that do not have URD configured are not vulnerable to the URD
> exploit. URD is not enabled by default.
>
> Additional information about URD is available at
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca795.html
>
> Cisco IOS XR does not support URD and is not affected by URD packets
> that exploit this vulnerability.
>
> Vulnerability Scoring Details
> =============================
>
> Cisco is providing scores for the vulnerabilities in this advisory
> based on the Common Vulnerability Scoring System (CVSS). Cisco will
> provide a base and temporal score. Customers can then compute
> environmental scores to assist in determining the impact of the
> vulnerability in individual networks.
>
> Cisco PSIRT will set the bias in all cases to normal. Customers are
> encouraged to apply the bias parameter when determining the
> environmental impact of a particular vulnerability.
>
> CVSS is a standards-based scoring method that conveys vulnerability
> severity and helps determine urgency and priority of response.
>
> Cisco has provided an FAQ to answer additional questions regarding
> CVSS at
> http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
>
> Cisco has also provided a CVSS calculator to help compute the
> environmental impact for individual networks at
> http://intellishield.cisco.com/security/alertmanager/cvss
>
>
> CSCec71950 - Crafted IP Option may cause DoS or code execution
> CVSS Base Score: 10
> - - Access Vector: Remote
> - - Access Complexity: Low
> - - Authentication: Not Required
> - - Confidentiality Impact: Complete
> - - Integrity Impact: Complete
> - - Availability Impact: Complete
> - - Impact Bias: Normal
>
> CVSS Temporal Score: 8.3
> - - Exploitability: Functional
> - - Remediation Level: Official Fix
> - - Report Confidence: Confirmed
>
>
> CSCeh52410 - Crafted IP Option may cause ipv4-io DoS or code
> execution
> CVSS Base Score: 10
> - - Access Vector: Remote
> - - Access Complexity: Low
> - - Authentication: Not Required
> - - Confidentiality Impact: Complete
> - - Integrity Impact: Complete
> - - Availability Impact: Complete
> - - Impact Bias: Normal
>
> CVSS Temporal Score: 8.3
> - - Exploitability: Functional
> - - Remediation Level: Official Fix
> - - Report Confidence: Confirmed
>
>
> Impact
> ======
>
> Cisco IOS
> +--------
>
> Successful exploitation of the vulnerability on Cisco IOS may result
> in a reload of the device or execution of arbitrary code. Repeated
> exploitation could result in a sustained DoS attack.
>
> Cisco IOS XR
> +-----------
>
> Successful exploitation of the vulnerability on Cisco IOS XR may
> result in the ipv4_io process restarting or execution of arbitrary
> code. Repeated exploitation could result in a CRS-1 Node or XR 12000
> Line Card reload and sustained DoS attack.
>
> Software Version and Fixes
> ==========================
>
> When considering software upgrades, also consult
> http://www.cisco.com/go/psirt and any subsequent advisories to
> determine exposure and a complete upgrade solution.
>
> In all cases, customers should exercise caution to be certain the
> devices to be upgraded contain sufficient memory and that current
> hardware and software configurations will continue to be supported
> properly by the new release. If the information is not clear, contact
> the Cisco Technical Assistance Center ("TAC") or your contracted
> maintenance provider for assistance.
>
> Each row of the Cisco IOS software table (below) describes a release
> train and the platforms or products for which it is intended. If a
> given release train is vulnerable, then the earliest possible
> releases that contain the fix (the "First Fixed Release") and the
> anticipated date of availability for each are listed in the "Rebuild"
> and "Maintenance" columns. A device running a release in the given
> train that is earlier than the release in a specific column (less
> than the First Fixed Release) is known to be vulnerable. The release
> should be upgraded at least to the indicated release or a later
> version (greater than or equal to the First Fixed Release label).
>
> For more information on the terms "Rebuild" and "Maintenance,"
> consult the following URL:
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml
>
> Note: There are three IOS security advisories and one field notice
> being published on January 24, 2007. Each advisory lists only the
> releases which fix the issue described in the advisory. A combined
> software table is available at
> http://www.cisco.com/warp/public/707/cisco-sa-20070124-bundle.shtml
> and can be used to choose a software release which fixes all
> security vulnerabilities published as of January 24, 2007. Links
> for the advisories and field notice are listed here.
>
> * http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml
> * http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml
> * http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
> * http://www.cisco.com/warp/customer/770/fn62613.shtml
>
> Requests for software rebuilds to include the change for Daylight
> Savings Time (DST) that will be implemented in March 2007 should be
> directed through the Technical Assistance Center (TAC), and this
> advisory should be used as reference.
>
> +---------------------------------------+
> | Major | Availability of Repaired |
> | Release | Releases |
> |------------+--------------------------|
> | Affected | | |
> | 12.0-Based | Rebuild | Maintenance |
> | Release | | |
> |------------+--------------------------|
> | 12.0 | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.0DA | Vulnerable; migrate to |
> | | 12.2(10)DA5 or later |
> |------------+--------------------------|
> | 12.0DB | Vulnerable; migrate to |
> | | 12.3(4)T13 or later |
> |------------+--------------------------|
> | 12.0DC | Vulnerable; migrate to |
> | | 12.3(4)T13 or later |
> |------------+--------------------------|
> | 12.0S | 12.0(27)S3 | 12.0(28)S |
> |------------+--------------------------|
> | 12.0SC | Vulnerable; migrate to |
> | | 12.3(9a)BC or later |
> |------------+--------------------------|
> | 12.0SL | Vulnerable; migrate to |
> | | 12.0(28)S or later |
> |------------+--------------------------|
> | 12.0SP | Vulnerable; migrate to |
> | | 12.0(28)S or later |
> |------------+--------------------------|
> | 12.0ST | Vulnerable; migrate to |
> | | 12.0(28)S or later |
> |------------+--------------------------|
> | 12.0SX | 12.0(25) | 12.0(30)SX |
> | | SX11 | |
> |------------+------------+-------------|
> | 12.0SY | | 12.0(27)SY |
> |------------+------------+-------------|
> | 12.0SZ | | 12.0(30)SZ |
> |------------+--------------------------|
> | 12.0T | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | | 12.0(28)W5 | |
> | 12.0W | (32c); | |
> | | available | |
> | | 31-Jan-07 | |
> |------------+------------+-------------|
> | 12.0WC | 12.0(5) | |
> | | WC15 | |
> |------------+--------------------------|
> | 12.0WT | Vulnerable; contact TAC |
> |------------+--------------------------|
> | 12.0XA | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.0XB | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.0XC | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.0XD | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.0XE | Vulnerable; migrate to |
> | | 12.1(23)E or later |
> |------------+--------------------------|
> | 12.0XF | Not vulnerable |
> |------------+--------------------------|
> | 12.0XG | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.0XH | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.0XI | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.0XJ | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.0XK | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.0XL | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.0XM | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.0XN | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.0XQ | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.0XR | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.0XS | Vulnerable; migrate to |
> | | 12.1(23)E or later |
> |------------+--------------------------|
> | 12.0XV | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.0XW | Vulnerable; migrate to |
> | | 12.0(5)WC15 or later |
> |------------+--------------------------|
> | Affected | | |
> | 12.1-Based | Rebuild | Maintenance |
> | Release | | |
> |------------+--------------------------|
> | 12.1 | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.1AA | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | | Vulnerable; for |
> | | c3750-ME, migrate to |
> | 12.1AX | 12.2(25)EY or later. For |
> | | c2970 and 3750, migrate |
> | | to 12.2(25)SE or later. |
> |------------+--------------------------|
> | 12.1AY | Vulnerable; migrate to |
> | | 12.1(22)EA8 |
> |------------+--------------------------|
> | 12.1AZ | Vulnerable; migrate to |
> | | 12.1(22)EA8 |
> |------------+--------------------------|
> | 12.1CX | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.1DA | Vulnerable; migrate to |
> | | 12.2(10)DA5 or later |
> |------------+--------------------------|
> | 12.1DB | Vulnerable; migrate to |
> | | 12.3(4)T13 or later |
> |------------+--------------------------|
> | 12.1DC | Vulnerable; migrate to |
> | | 12.3(4)T13 or later |
> |------------+--------------------------|
> | 12.1E | | 12.1(23)E |
> |------------+------------+-------------|
> | 12.1EA | 12.1(22) | |
> | | EA8 | |
> |------------+------------+-------------|
> | 12.1EB | | 12.1(23)EB |
> |------------+--------------------------|
> | 12.1EC | Vulnerable; migrate to |
> | | 12.3(9a)BC or later |
> |------------+--------------------------|
> | | 12.1(19) | |
> | | EO6, | |
> | | available | |
> | 12.1EO | 31-Jan-07 | |
> | |------------+-------------|
> | | 12.1(20) | |
> | | EO3 | |
> |------------+--------------------------|
> | 12.1EU | Vulnerable; migrate to |
> | | 12.2(25)EWA or later |
> |------------+--------------------------|
> | 12.1EV | Vulnerable; migrate to |
> | | 12.2(26)SV1 or later |
> |------------+--------------------------|
> | 12.1EW | Vulnerable; migrate to |
> | | 12.2(18)EW3 or later |
> |------------+--------------------------|
> | 12.1EX | Vulnerable; migrate to |
> | | 12.1(23)E or later |
> |------------+--------------------------|
> | 12.1EY | Vulnerable; migrate to |
> | | 12.1(23)E or later |
> |------------+--------------------------|
> | 12.1EZ | Vulnerable; migrate to |
> | | 12.1(23)E or later |
> |------------+--------------------------|
> | 12.1T | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.1XA | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.1XB | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.1XC | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.1XD | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.1XE | Vulnerable; migrate to |
> | | 12.1(23)E or later |
> |------------+--------------------------|
> | 12.1XF | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1XG | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1XH | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.1XI | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.1XJ | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1XL | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1XM | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1XP | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1XQ | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1XR | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1XS | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.1XT | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1XU | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1XV | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1XW | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.1XX | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.1XY | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.1XZ | Vulnerable; migrate to |
> | | 12.2(37)or later |
> |------------+--------------------------|
> | 12.1YA | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1YB | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1YC | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1YD | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1YE | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1YF | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1YH | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1YI | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.1YJ | Vulnerable; migrate to |
> | | 12.1(22)EA8 |
> |------------+--------------------------|
> | Affected | | |
> | 12.2-Based | Rebuild | Maintenance |
> | Release | | |
> |------------+------------+-------------|
> | 12.2 | 12.2(34a) | 12.2(37) |
> |------------+--------------------------|
> | 12.2B | Vulnerable; migrate to |
> | | 12.3(4)T13 or later |
> |------------+--------------------------|
> | 12.BC | Vulnerable; migrate to |
> | | 12.3(9a)BC or later |
> |------------+--------------------------|
> | 12.2BW | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2BY | Vulnerable; migrate to |
> | | 12.3(4)T13 or later |
> |------------+--------------------------|
> | 12.2BZ | Vulnerable; migrate to |
> | | 12.3(7)XI8 or later |
> |------------+--------------------------|
> | 12.2CX | Vulnerable; migrate to |
> | | 12.3(9a)BC or later |
> |------------+--------------------------|
> | 12.2CY | Vulnerable; migrate to |
> | | 12.3(9a)BC or later |
> |------------+--------------------------|
> | 12.2CZ | Vulnerable; contact TAC |
> |------------+--------------------------|
> | | 12.2(10) | |
> | | DA5 | |
> |12.2DA |------------+-------------|
> | | 12.2(12) | |
> | | DA10 | |
> |------------+--------------------------|
> | 12.2DD | Vulnerable; migrate to |
> | | 12.3(4)T13 or later |
> |------------+--------------------------|
> | 12.2DX | Vulnerable; migrate to |
> | | 12.3(4)T13 or later |
> |------------+--------------------------|
> | 12.2EU | Vulnerable; migrate to |
> | | 12.2(25)EWA5 or later |
> |------------+--------------------------|
> | | 12.2(18) | |
> | | EW3 | |
> |12.2EW |------------+-------------|
> | | 12.2(20) | 12.2(25)EW |
> | | EW4 | |
> |------------+------------+-------------|
> | 12.2EWA | 12.2(20) | 12.2(25)EWA |
> | | EWA4 | |
> |------------+------------+-------------|
> | 12.2EX | | 12.2(25)EX |
> |------------+--------------------------|
> | 12.2EY | All 12.2EY releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2EZ | All 12.2EZ releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2FX | All 12.2FX releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2FY | All 12.2FY releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2FZ | All 12.2FZ releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2IXA | All 12.2IXA releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2IXB | All 12.2IXB releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2IXC | All 12.2IXC releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2JA | Vulnerable; migrate to |
> | | 12.3(8)JA or later |
> |------------+--------------------------|
> | 12.2JK | Vulnerable; migrate to |
> | | 12.4(4)T or later |
> |------------+--------------------------|
> | 12.2MB | Vulnerable; migrate to |
> | | 12.2(25)SW1 or later |
> |------------+--------------------------|
> | 12.2MC | 12.2(15)MC2h |
> |------------+--------------------------|
> | 12.2S | | 12.2(25)S |
> |------------+------------+-------------|
> | 12.2SB | | 12.2(28)SB |
> |------------+--------------------------|
> | 12.2SBC | All 12.2SBC releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2SE | | 12.2(25)SE |
> |------------+--------------------------|
> | 12.2SEA | All 12.2SEA releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2SEB | All 12.2SEB releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2SEC | All 12.2SEC releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2SED | All 12.2SED releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2SEE | All 12.2SEE releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2SEF | All 12.2SEF releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2SEG | All 12.2SEG releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2SG | All 12.2SG releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2SGA | All 12.2SGA releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2SO | 12.2(18) | |
> | | SO7 | |
> |------------+--------------------------|
> | 12.2SRA | All 12.2SRA releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2SRB | All 12.2SRB releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2SU | Vulnerable; migrate to |
> | | 12.3(14)T or later |
> |------------+--------------------------|
> | 12.2SV | | 12.2(23)SV |
> |------------+------------+-------------|
> | 12.2SW | 12.2(25) | |
> | | SW1 | |
> |------------+--------------------------|
> | 12.2SX | Vulnerable; migrate to |
> | | 12.2(17d)SXB11a or later |
> |------------+--------------------------|
> | 12.2SXA | Vulnerable; migrate to |
> | | 12.2(17d)SXB11a or later |
> |------------+--------------------------|
> | 12.2SXB | 12.2(17d) | |
> | | SXB11a | |
> |------------+------------+-------------|
> | 12.2SXD | 12.2(18) | |
> | | SXD7a | |
> |------------+--------------------------|
> | 12.2SXE | All 12.2SXE releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2SXF | All 12.2SXF releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.2SY | Vulnerable; migrate to |
> | | 12.2(17d)SXB11a or later |
> |------------+--------------------------|
> | 12.2SZ | Vulnerable; migrate to |
> | | 12.2(25)S or later |
> |------------+--------------------------|
> | 12.2T | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2TPC | Vulnerable; contact TAC |
> |------------+--------------------------|
> | 12.2XA | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2XB | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2XC | Vulnerable; migrate to |
> | | 12.3(8)T or later |
> |------------+--------------------------|
> | 12.2XD | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2XE | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2XF | Vulnerable; migrate to |
> | | 12.3(9a)BC or later |
> |------------+--------------------------|
> | 12.2XG | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2XH | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2XI | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2XJ | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2XK | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2XL | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2XM | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2XN | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2XQ | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2XR | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2XS | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2XT | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2XU | Vulnerable; migrate to |
> | | 12.3(12) or later |
> |------------+--------------------------|
> | 12.2XV | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2XW | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2YA | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2YB | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2YC | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2YD | Vulnerable; migrate to |
> | | 12.3(8)T or later |
> |------------+--------------------------|
> | 12.2YE | Vulnerable; migrate to |
> | | 12.2(25)S or later |
> |------------+--------------------------|
> | 12.2YF | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2YG | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2YH | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2YJ | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2YK | Vulnerable; migrate to |
> | | 12.3(8)T or later |
> |------------+--------------------------|
> | 12.2YL | Vulnerable; migrate to |
> | | 12.3(8)T or later |
> |------------+--------------------------|
> | 12.2YM | Vulnerable; migrate to |
> | | 12.3(8)T or later |
> |------------+--------------------------|
> | 12.2YN | Vulnerable; migrate to |
> | | 12.3(8)T or later |
> |------------+--------------------------|
> | 12.2YO | Not vulnerable |
> |------------+--------------------------|
> | 12.2YP | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2YQ | Vulnerable; migrate to |
> | | 12.3(4)T13 or later |
> |------------+--------------------------|
> | 12.2YR | Vulnerable; migrate to |
> | | 12.3(4)T13 or later |
> |------------+--------------------------|
> | 12.2YS | Vulnerable; migrate to |
> | | 12.3(8)T or later |
> |------------+--------------------------|
> | 12.2YT | Vulnerable; migrate to |
> | | 12.3(8) or later |
> |------------+--------------------------|
> | 12.2YU | Vulnerable; migrate to |
> | | 12.3(8)T or later |
> |------------+--------------------------|
> | 12.2YV | Vulnerable; migrate to |
> | | 12.3(4)T13 or later |
> |------------+--------------------------|
> | 12.2YW | Vulnerable; migrate to |
> | | 12.3(8)T or later |
> |------------+--------------------------|
> | 12.2YX | Vulnerable; migrate to |
> | | 12.3(14)T or later |
> |------------+--------------------------|
> | 12.2YY | Vulnerable; migrate to |
> | | 12.3(4)T13 or later |
> |------------+--------------------------|
> | 12.2YZ | Vulnerable; migrate to |
> | | 12.2(25)S or later |
> |------------+--------------------------|
> | 12.2ZA | Vulnerable; migrate to |
> | | 12.2(17d)SXBa or later |
> |------------+--------------------------|
> | 12.2ZB | Vulnerable; migrate to |
> | | 12.3(8)T or later |
> |------------+--------------------------|
> | 12.2ZC | Vulnerable; migrate to |
> | | 12.3(8)T or later |
> |------------+--------------------------|
> | 12.2ZD | Vulnerable; contact TAC |
> |------------+--------------------------|
> | 12.2ZE | Vulnerable; migrate to |
> | | 12.3(8) or laer |
> |------------+--------------------------|
> | 12.2ZF | Vulnerable; migrate to |
> | | 12.3(4)T13 or later |
> |------------+--------------------------|
> | | Vulnerable; for SOHO9x, |
> | 12.2ZG | migrate to 12.3(8)YG2 or |
> | | later. For c83x, migrate |
> | | to 12.3(2)XA3 or later |
> |------------+--------------------------|
> | 12.2ZH | Vulnerable; contact TAC |
> |------------+--------------------------|
> | 12.2ZJ | Vulnerable; migrate to |
> | | 12.3(8)T or later |
> |------------+--------------------------|
> | 12.2ZL | Vulnerable; contact TAC |
> |------------+--------------------------|
> | 12.2ZN | Vulnerable; migrate to |
> | | 12.3(4)T13 or later |
> |------------+--------------------------|
> | 12.2ZP | Vulnerable; migrate to |
> | | 12.3(8)XY or later |
> |------------+--------------------------|
> | Affected | | |
> | 12.3-Based | Rebuild | Maintenance |
> | Release | | |
> |------------+------------+-------------|
> | 12.3 | | 12.3(8) |
> |------------+--------------------------|
> | 12.3B | Vulnerable; migrate to |
> | | 12.3(8)T7 or later |
> |------------+--------------------------|
> | 12.3BC | | 12.3(9a)BC |
> |------------+--------------------------|
> | 12.3BW | Vulnerable; migrate to |
> | | 12.3(8)T or later |
> |------------+--------------------------|
> | 12.3JA | | 12.3(8)JA |
> |------------+--------------------------|
> | 12.3JEA | All 12.3JEA releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3JEB | All 12.3JEA releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3JK | 12.3(2)JK2 | 12.3(8)JK |
> |------------+------------+-------------|
> | 12.3JX | 12.3(7)JX6 | 12.3(11)JX |
> |------------+------------+-------------|
> | 12.3T | 12.3(4)T13 | 12.3(8)T |
> |------------+------------+-------------|
> | 12.3TPC | 12.3(4) | |
> | | TPC11b | |
> |------------+------------+-------------|
> | 12.3XA | 12.3(2)XA6 | |
> |------------+--------------------------|
> | 12.3XB | Vulnerable; migrate to |
> | | 12.3(8)T or later |
> |------------+--------------------------|
> | 12.3XC | Vulnerable; contact TAC |
> |------------+--------------------------|
> | 12.3XD | Vulnerable; migrate to |
> | | 12.3(8)T7 or later |
> |------------+--------------------------|
> | 12.3XE | Vulnerable; contact TAC |
> |------------+--------------------------|
> | 12.3XF | Vulnerable; migrate to |
> | | 12.3(11)T or later |
> |------------+--------------------------|
> | 12.3XG | Vulnerable; contact TAC |
> |------------+--------------------------|
> | 12.3XH | Vulnerable; migrate to |
> | | 12.3(11)T or later |
> |------------+--------------------------|
> | 12.3XI | 12.3(7)XI8 | |
> |------------+--------------------------|
> | 12.3XJ | Vulnerable; migrate to |
> | | 12.3(8)XW or later |
> |------------+--------------------------|
> | 12.3XK | Vulnerable; migrate to |
> | | 12.3(14)T or later |
> |------------+--------------------------|
> | 12.3XQ | Vulnerable; migrate to |
> | | 12.4(1) or later |
> |------------+--------------------------|
> | 12.3XR | All 12.3XR releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3XS | All 12.3XS releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3XU | All 12.3XU releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3XW | All 12.3XW releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3XX | All 12.3XX releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3XY | All 12.3XR releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3YA | All 12.3YA releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3YD | All 12.3YD releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3YF | All 12.3YF releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3YG | All 12.3YG releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3YH | All 12.3YH releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3YI | All 12.3YI releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3YJ | All 12.3YJ releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3YK | All 12.3YK releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3YM | All 12.3YM releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3YQ | All 12.3YQ releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3YS | All 12.3YS releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3YT | All 12.3YT releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3YU | All 12.3YU releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3YX | All 12.3YX releases are |
> | | fixed |
> |------------+--------------------------|
> | 12.3YZ | All 12.3YZ releases are |
> | | fixed |
> |------------+--------------------------|
> | Affected | | |
> | 12.4-Based | Rebuild | Maintenance |
> | Release | | |
> |---------------------------------------|
> | All 12.4 releases are fixed |
> +---------------------------------------+
>
> +---------------------------------------+
> | Cisco IOS XR Version | SMU ID |
> |-----------------------------+---------|
> | 3.2.2 for CRS-1 | AA01482 |
> |-----------------------------+---------|
> | 3.2.3 for CRS-1 | AA01483 |
> |-----------------------------+---------|
> | 3.2.4 for CRS-1 | AA01484 |
> |-----------------------------+---------|
> | 3.2.6 for CRS-1 | AA01727 |
> |-----------------------------+---------|
> | 3.3.x for CRS-1 and XR12000 | Fixed |
> |-----------------------------+---------|
> | 3.4.x for CRS-1 and XR12000 | Fixed |
> +---------------------------------------+
>
> Workarounds
> ===========
>
> Additional mitigations that can be deployed on Cisco devices within
> the network are available in the Cisco Applied Intelligence companion
> document for this advisory:
>
> http://www.cisco.com/warp/public/707/cisco-air-20070124-crafted-ip-option.shtml
>
> IP Options Selective Drop
> +------------------------
>
> The IP Options Selective Drop feature allows Cisco routers to
> mitigate the effects of IP options by dropping packets containing
> them or by not processing (ignoring) IP options in a packet.
>
> The most effective workaround is using the "drop" option of this
> global configuration command: "ip options drop". This command
> will drop all IP packets containing IP options that are both
> destined to the router itself or transiting through the router
> before they are processed, preventing exploitation locally and
> downstream.
>
> The IP Options Selective Drop feature is available beginning in Cisco
> IOS software version 12.0(23)S for 12000, 12.0(32)S for 10720, and
> 12.3(4)T, 12.2(25)S, and 12.2(27)SBC for other hardware platforms.
>
> Please note that deploying this command will drop legitimate packets
> containing IP options as well. Protocols this may impact include RSVP
> (used by Microsoft NetMeeting), MPLS TE, MPLS OAM, DVMRP, IGMPv3,
> IGMPv2, and legitimate PGM.
>
> Note: The "ignore" option of the global command "ip options ignore",
> available only on the Cisco 12000 router beginning in 12.0(23)S, is
> NOT a workaround for this issue.
>
> Additional information about IP Options Selective Drop feature is
> available at
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00801d4a94.html
>
> Transit Access Control Lists (ACLs)
> +----------------------------------
>
> Configure an interface ACL that blocks traffic of these types:
>
> * Echo (Ping) ICMP type 8
> * Timestamp ICMP type 13
> * Information Request ICMP type 15
> * Address Mask Request ICMP Type 17
> * Protocol Independent Multicast (PIM) IP protocol 103
> * Pragmatic General Multicast (PGM) IP protocol 113
> * URL Rendezvous Directory (URD) TCP port 465
>
> The Internet Control Message Protocol is an integral part of the
> Transmission Control Protocol/Internet Protocol (TCP/IP) protocol
> suite that is used to report error conditions and provide diagnostic
> information. Filtering ICMP messages may impact this error condition
> and diagnostic reporting including "ping" and Windows traceroute
> which uses ICMP ping.
>
> If the device is configured to process PIM, PGM, or URD, blocking
> those packets will prevent legitimate operation of the protocols.
>
> Since the source IP address of these packets can be easily spoofed,
> the affected traffic should be blocked on all of the device's IPv4
> interfaces.
>
> The following ACL is specifically designed to block attack traffic
> and should be applied to all IPv4 interfaces of the device and should
> include topology-specific filters:
>
> access-list 150 deny icmp any any echo
> access-list 150 deny icmp any any information-request
> access-list 150 deny icmp any any timestamp-request
> access-list 150 deny icmp any any mask-request
> access-list 150 deny tcp any any eq 465
> access-list 150 deny 103 any any
> access-list 150 deny 113 any any
> access-list 150 permit ip any any
>
> interface serial 2/0
> ip access-group 150 in
>
> These ACL statements should be deployed at the network edge as part
> of a transit access list which will protect the router where the ACL
> is configured as well as other devices behind it. Further information
> about transit ACLs is available in the white paper "Transit Access
> Control Lists: Filtering at Your Edge", available at
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
>
> The following Cisco IOS XR ACL is specifically designed to block
> attack traffic and should be applied to all IPv4 interfaces of the
> device and should include topology-specific filters:
>
> ipv4 access-list ios-xr-transit-acl
> 10 deny icmp any any echo
> 20 deny icmp any any information-request
> 30 deny icmp any any timestamp-request
> 40 deny icmp any any mask-request
> 50 deny tcp any any eq 465
> 60 deny 103 any any
> 70 deny 113 any any
> 80 permit ip any any
>
> interface POS 0/2/0/
> ipv4 access-group ios-xr-transit-acl ingress
>
> Information about configuring access lists on Cisco IOS XR is
> available at
> http://www.cisco.com/en/US/products/ps5763/products_command_reference_chapter09186a00803e01ae.html
>
> Infrastructure ACLs
> +------------------
>
> Although it is often difficult to block traffic transiting your
> network, it is possible to identify traffic which should never be
> allowed to target your infrastructure devices and block that traffic
> at the border of your network. Infrastructure ACLs are considered a
> network security best practice and should be considered as a
> long-term addition to good network security as well as a workaround
> for this specific vulnerability. The ACL example shown below should
> be included as part of the deployed infrastructure access list which
> will protect all devices with IP addresses in the infrastructure IP
> address range.
>
> Cisco IOS
> +--------
>
> access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES echo
> access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES information-request
> access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES timestamp-request
> access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES mask-request
> access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES eq 465
> access-list 150 deny 103 any INFRASTRUCTURE_ADDRESSES
> access-list 150 deny 113 any INFRASTRUCTURE_ADDRESSES
> access-list 150 permit ip any any
>
> interface serial 2/0
> ip access-group 150 in
>
> Cisco IOS XR
> +-----------
>
> ipv4 access-list ios-xr-infrastructure-acl
> 10 deny icmp any INFRASTRUCTURE_ADDRESSES echo
> 20 deny icmp any INFRASTRUCTURE_ADDRESSES information-request
> 30 deny icmp any INFRASTRUCTURE_ADDRESSES timestamp-request
> 40 deny icmp any INFRASTRUCTURE_ADDRESSES mask-request
> 50 deny tcp any INFRASTRUCTURE_ADDRESSES eq 465
> 60 deny 103 any INFRASTRUCTURE_ADDRESSES
> 70 deny 113 any INFRASTRUCTURE_ADDRESSES
> 80 permit ip any any
>
> interface POS 0/2/0/2
> ipv4 access-group ios-xr-infrastructure-acl ingress
>
> The white paper entitled "Protecting Your Core: Infrastructure
> Protection Access Control Lists" presents guidelines and recommended
> deployment techniques for infrastructure protection access lists and
> is available at
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
>
> Information about configuring access lists on Cisco IOS XR is
> available at
> http://www.cisco.com/en/US/products/ps5763/products_command_reference_chapter09186a00803e01ae.html
>
> Receive ACLs
> +-----------
>
> For distributed platforms, receive ACLs may be an option starting in
> Cisco IOS Software Versions 12.0(21)S2 for the 12000 (GSR), 12.0(24)S
> for the 7500, and 12.0(31)S for the 10720. The receive ACL protects
> the device from harmful traffic before the traffic can impact the
> route processor. A receive ACL is designed to protect only the device
> on which it is configured. On the 12000, transit traffic is never
> affected by a receive ACL. Because of this, the destination IP
> address "any" used in the example ACL entries below only refer to the
> router's own physical or virtual IP addresses. On the 7500 and 10720,
> transit traffic with IP options set will be subject to the receive
> ACL and permitted or denied accordingly. Receive ACLs are considered
> a network security best practice and should be considered as a
> long-term addition to good network security as well as a workaround
> for this specific vulnerability.
>
> The white paper entitled "GSR: Receive Access Control Lists" will
> help you identify and allow legitimate traffic to your device and
> deny all unwanted packets and is available at
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a0a5e.shtml
>
> The following receive path ACL is designed specifically to block this
> attack traffic:
>
> access-list 101 deny icmp any any echo
> access-list 101 deny icmp any any information-request
> access-list 101 deny icmp any any timestamp-request
> access-list 101 deny icmp any any mask-request
> access-list 101 deny tcp any any eq 465
> access-list 101 deny 103 any any
> access-list 101 deny 113 any any
> access-list 101 permit ip any any
> !
> ip receive access-list 101
>
> Control Plane Policing
> +---------------------
>
> The Control Plane Policing (CoPP) feature may be used to mitigate
> this vulnerability. In the following example, any packets that can
> exploit the vulnerability are denied while all other IP traffic is
> permitted. Because of the way routers process packets with IP
> options, CoPP will be applied to attack packets destined for the
> router itself and packets transiting through the router to other
> destination IP addresses. This applies to all platforms except the
> 12000 where only attack packets destined for the router itself will
> be dropped.
>
> access-list 100 permit icmp any any echo
> access-list 100 permit icmp any any information-request
> access-list 100 permit icmp any any timestamp-request
> access-list 100 permit icmp any any mask-request
> access-list 100 permit tcp any any eq 465
> access-list 100 permit 103 any any
> access-list 100 permit 113 any any
> access-list 100 deny ip any any
> !
> class-map match-all drop-options-class
> match access-group 100
> !
> !
> policy-map drop-options-policy
> class drop-options-class
> drop
> !
> control-plane
> service-policy input drop-options-policy
>
> Please note that in the 12.0S, 12.2S, and 12.2SX Cisco IOS trains,
> the policy-map syntax is different:
>
> policy-map drop-options-policy
> class drop-options-class
> police 32000 1500 1500 conform-action drop exceed-action drop
>
> Because of the way routers process packets with IP options, CoPP will
> be applied to attack packets destined for the router itself and
> packets transiting through the router to other destination IP
> addresses. In the following example, only packets with IP options
> that can exploit the vulnerability and that are destined for the
> router or that transit through the router are denied while all other
> IP traffic is permitted.
>
> ip access-list extended drop-affected-options
> permit icmp any any echo option any-options
> permit icmp any any information-request option any-options
> permit icmp any any timestamp-request option any-options
> permit icmp any any mask-request option any-options
> permit pim any any option any-options
> permit 113 any any option any-options
> permit tcp any any eq 465 option any-options
> deny ip any any
> !
> class-map match-all drop-options-class
> match access-group name drop-affected-options
> !
> !
> policy-map drop-opt-policy
> class drop-options-class
> drop
> !
> control-plane
> service-policy input drop-opt-policy
>
> Please note that in the 12.2S Cisco IOS train, the policy-map syntax
> is different:
>
> policy-map drop-opt-policy
> class drop-options-class
> police 32000 1500 1500 conform-action drop exceed-action drop
>
> CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S,
> 12.3T, 12.4, and 12.4T.
>
> ACL support for filtering IP options requires named ACLs. ACL support
> for filtering IP options is not available in 12.0S or 12.2SX.
>
> Please note that PGM packets typically use the "Router Alert" Option,
> and dropping PGM packets with IP options will affect legitimate PGM
> packets.
>
> In the above CoPP examples, the ACL entries that match the exploit
> packets with the "permit" action result in these packets being
> discarded by the policy-map drop function, while packets that match
> the "deny" action are not affected by the policy-map drop function.
>
> Additional information on the configuration and use of the CoPP
> feature can be found at
> http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml
> and
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html
>
> Additional information for filtering IP Options with access lists can
> be found at
> http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d4a7d.html
>
> Obtaining Fixed Software
> ========================
>
> Cisco will make free software available to address this vulnerability
> for affected customers. This advisory will be updated as fixed
> software becomes available. Prior to deploying software, customers
> should consult their maintenance provider or check the software for
> feature set compatibility and known issues specific to their
> environment.
>
> Customers may only install and expect support for the feature sets
> they have purchased. By installing, downloading, accessing or
> otherwise using such software upgrades, customers agree to be bound
> by the terms of Cisco's software license terms found at
> http://www.cisco.com/public/sw-license-agreement.html, or as
> otherwise set forth at Cisco.com Downloads at
> http://www.cisco.com/public/sw-center/sw-usingswc.shtml
>
> Do not contact either "psirt at cisco.com" or "security-alert at cisco.com"
> for software upgrades.
>
> Customers with Service Contracts
> +-------------------------------
>
> Customers with contracts should obtain upgraded software through
> their regular update channels. For most customers, this means that
> upgrades should be obtained through the Software Center on Cisco's
> worldwide website at http://www.cisco.com
>
> Customers using Third Party Support Organizations
> +------------------------------------------------
>
> Customers whose Cisco products are provided or maintained through
> prior or existing agreement with third-party support organizations
> such as Cisco Partners, authorized resellers, or service providers
> should contact that support organization for guidance and assistance
> with the appropriate course of action in regards to this advisory.
>
> The effectiveness of any workaround or fix is dependent on specific
> customer situations such as product mix, network topology, traffic
> behavior, and organizational mission. Due to the variety of affected
> products and releases, customers should consult with their service
> provider or support organization to ensure any applied workaround or
> fix is the most appropriate for use in the intended network before it
> is deployed.
>
> Customers without Service Contracts
> +----------------------------------
>
> Customers who purchase direct from Cisco but who do not hold a Cisco
> service contract and customers who purchase through third-party
> vendors but are unsuccessful at obtaining fixed software through
> their point of sale should get their upgrades by contacting the Cisco
> Technical Assistance Center (TAC). TAC contacts are as follows.
>
> * +1 800 553 2447 (toll free from within North America)
> * +1 408 526 7209 (toll call from anywhere in the world)
> * e-mail: tac at cisco.com
>
> Have your product serial number available and give the URL of this
> notice as evidence of your entitlement to a free upgrade. Free
> upgrades for non-contract customers must be requested through the
> TAC.
>
> Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
> for additional TAC contact information, including special localized
> telephone numbers and instructions and e-mail addresses for use in
> various languages.
>
> Exploitation and Public Announcements
> =====================================
>
> The Cisco PSIRT is not aware of any public announcements or malicious
> use of the vulnerability described in this advisory. This
> vulnerability was discovered during internal testing.
>
> Status of this Notice: FINAL
> ============================
>
> THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
> KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
> MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
> INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
> AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
> DOCUMENT AT ANY TIME.
>
> A stand-alone copy or Paraphrase of the text of this document that
> omits the distribution URL in the following section is an
> uncontrolled copy, and may lack important information or contain
> factual errors.
>
> Distribution
> ============
>
> This advisory is posted on Cisco's worldwide website at:
>
> http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
>
> In addition to worldwide web posting, a text version of this notice
> is clear-signed with the Cisco PSIRT PGP key and is posted to the
> following e-mail and Usenet news recipients.
>
> * cust-security-announce at cisco.com
> * first-teams at first.org
> * bugtraq at securityfocus.com
> * vulnwatch at vulnwatch.org
> * cisco at spot.colorado.edu
> * cisco-nsp at puck.nether.net
> * full-disclosure at lists.grok.org.uk
> * comp.dcom.sys.cisco at newsgate.cisco.com
>
> Future updates of this advisory, if any, will be placed on Cisco's
> worldwide website, but may or may not be actively announced on
> mailing lists or newsgroups. Users concerned about this problem are
> encouraged to check the above URL for any updates.
>
> Revision History
> ================
> +---------------------------------------+
> | Revision | | Initial |
> | 1.0 | 2007-Jan-24 | public |
> | | | release. |
> +---------------------------------------+
>
> Cisco Security Procedures
> =========================
>
> Complete information on reporting security vulnerabilities in Cisco
> products, obtaining assistance with security incidents, and
> registering to receive security information from Cisco, is available
> on Cisco's worldwide website at
> http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
> This includes instructions for press inquiries regarding Cisco
> security notices. All Cisco security advisories are available at
> http://www.cisco.com/go/psirt
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (SunOS)
>
> iD8DBQFFt5cO8NUAbBmDaxQRAs6NAJsEXc4RCzhHI1n+Dxjmizm6mzIzmACbBr3H
> /ox3OGmd1I41UMn3iOM8qHc=
> =RlTo
> -----END PGP SIGNATURE-----
>
More information about the NANOG
mailing list