[SECURITY-L] ISS Alert: Cisco IOS Remote Denial of Service Vulnerability

Qui Jul 17 09:47:29 -03 2003

----- Forwarded message from Klaus Steding-Jessen <jessen em nic.br> -----

From: Klaus Steding-Jessen <jessen em nic.br>
Subject: [GTS-L] ISS Alert: Cisco IOS Remote Denial of Service Vulnerability
To: gts-l em listas.unesp.br
Date: Thu, 17 Jul 2003 07:56:42 -0300

[http://xforce.iss.net/xforce/alerts/id/148]

Internet Security Systems Security Alert
July 17, 2003

Cisco IOS Remote Denial of Service Vulnerability

Synopsis:

A serious flaw exists in the Cisco IOS (Internetwork Operating System)
that powers most currently deployed Cisco devices. Cisco Systems has
released a security advisory documenting the vulnerability. All IPv4 Cisco
devices running Cisco IOS are vulnerable to remote Denial of Service (DoS)
attack.

Impact:

Cisco is the market leading router and infrastructure supplier of IP-
based networking technology. The vulnerability may allow remote attackers
to target and shutdown network interfaces on vulnerable devices by sending
a special sequence of IPv4 packets. This type of attack can be launched at
a specific target, or launched indiscriminately to cause widespread
outages. It is unlikely to be blocked by legacy firewall devices.

Affected Versions:

Cisco IOS 11.x
Cisco IOS 12.x

Note: The vulnerable platforms represent the vast majority of currently
deployed Cisco devices. Please refer to the Cisco Systems Security
Advisory for the most current vulnerability matrix. IOS versions 12.3 and
above are not vulnerable. Cisco devices that operate only in IPv6
environments are also not vulnerable.

Description:

Cisco Systems has released a security advisory detailing a significant
denial of service vulnerability that affects its entire line of IPv4
devices. The vulnerability is caused by flawed packet processing routines
that do not correctly process an abnormal and specific sequence of IPv4
traffic. If such a sequence is encountered, IOS incorrectly flags the
input queue on the network interface as full. After a specific time-out
period, the affected device will stop processing routing and ARP
protocols. This effectively stops the interface from processing any
traffic.

The attack can be repeated against a targeted device to disable all
network interfaces. While a targeted device does not hang or crash, it can
be forced to stop routing all traffic on all interfaces and cause networks
on both sides of the device to disappear. Devices that enter this state
can not be reset without user intervention and a cold restart.

Recommendations:

ISS X-Force recommends that Cisco customers review the Cisco security
advisory and take immediate action. Cisco has released patches for
vulnerable platforms and has also provided workaround information. Please
review the Cisco security advisory at the following location:

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

______

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

This document is not to be edited or altered in any way without the
express written consent of Internet Security Systems, Inc. If you wish
to reprint the whole or any part of this document, please email
xforce em iss.net for permission. You may provide links to this document
from your web site, and you may make copies of this document in
accordance with the fair use doctrine of the U.S. copyright laws.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key server,
as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force
xforce em iss.net of Internet Security Systems, Inc.

----- End forwarded message -----