Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS Software Common Industrial Protocol
Cisco Systems Product Security Incident Response Team
psirt at cisco.com
Wed Mar 25 16:05:49 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Multiple Vulnerabilities in Cisco IOS Software Common Industrial Protocol
Advisory ID: cisco-sa-20150325-cip
For Public Release 2015 March 25 16:00 UTC (GMT)
The Cisco IOS Software implementation of the Common Industrial Protocol (CIP) feature contains the following vulnerabilities when processing crafted CIP packets that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition:
Cisco IOS Software UDP CIP Denial of Service Vulnerability
Cisco IOS Software TCP CIP Packet Memory Leak Vulnerability
Cisco IOS Software TCP CIP Denial of Service Vulnerability
These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of any of these vulnerabilities could allow an unauthenticated, remote attacker to cause a reload of the forwarding plane, resulting in an interruption of services on an affected device. Repeated exploitation could result in a sustained DoS condition.
Additionally, successful exploitation of Cisco IOS Software TCP CIP Packet Memory Leak Vulnerability could allow an unauthenticated, remote attacker to cause a memory leak on an affected device.
Cisco has released free software updates that address these vulnerabilities.
This advisory is available at the following link:
Note: The March 25, 2015, Cisco IOS & XE Software Security Advisory bundled publication includes seven Cisco Security Advisories. The advisories address vulnerabilities in Cisco IOS Software and Cisco IOS XE Software. Individual publication links are in Cisco Event Response: Semiannual Cisco IOS & XE Software Security Advisory Bundled Publication at the following link:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----
More information about the NANOG