MS-ISAC ADVISORY NUMBER:
2007-004

DATE(S) ISSUED:
1/25/2007

SUBJECT:
Multiple Vulnerabilities in Cisco IOS

OVERVIEW:
Multiple vulnerabilities have been found in several versions of Cisco network devices, including switches and routers, which could allow an attacker to cause a Denial of Service or execute commands by sending specially-formatted network traffic to an affected device.

At this time, there are no known successful compromises or public attack tools for these vulnerabilities. In addition, it is important to note that Cisco PIX firewalls are not affected.

SYSTEMS AFFECTED:

  • Cisco IOS software versions 9.x, 10.x, 11.x and 12.x
  • Cisco IOS XR software versions 2.0.X, 3.0.X, and 3.2.X

RISK:
Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: Not applicable

DESCRIPTION:
The first vulnerability exists in the Cisco IOS listener. An attacker can exploit this vulnerability by sending a specially crafted malicious TCP packet to a Cisco device running an affected IOS. Traffic passing through the Cisco device to another host does not pose a risk. If the attack is successful, it may result in a denial of service condition by causing memory leaks, potentially causing memory exhaustion over time. This vulnerability only affects devices currently running the Internet Protocol version 4 (IPv4). An attacker is not required to complete a full 3-way TCP handshake to carry out this attack.

The second vulnerability exists in IOS's failure to properly process specially-crafted IP options data in certain types of IPv4 packets. Specifically, Internet Control Message Protocol (ICMP), Protocol Independent Multicast version 2 (PIMv2), Pragmatic General Multicast (PGM), or URL Rendezvous Directory (URD) packets can be used to exploit this vulnerability. An attacker who exploits this vulnerability may be able to cause a Denial of Service or execute code on a vulnerable device.

Cisco also announced a vulnerability that can be exploited by malformed IPv6 packets. An attacker can exploit this vulnerability by sending specially crafted IPv6 Type 0 Routing headers, which are used for source routing. As IPv6 is not enabled by default in Cisco IOS and IPv6 is not widely deployed in most businesses and government organizations, we are considering this vulnerability to be a lower risk than the other two at this time.
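
For triage of captured traffic, the following added example (not part of the original advisory and not Cisco code) classifies a raw IP packet as belonging to one of the traffic classes described above: an IPv4 ICMP, PIMv2 or PGM packet that carries IP options, or an IPv6 packet with a Type 0 Routing header. The function and helper names are hypothetical, the sample packets are constructed, and a match only marks a packet for review; it does not show that a device is vulnerable.

```python
import struct

# IANA IP protocol numbers for the IPv4 packet types the advisory names.
# URD is not covered: it has no IP protocol number of its own.
WATCHED_V4 = {1: "ICMP", 103: "PIMv2", 113: "PGM"}
V6_EXT_HEADERS = {0, 43, 60}   # hop-by-hop, routing, destination options
V6_ROUTING = 43

def classify(packet: bytes):
    """Return a reason string if a raw IP packet matches a traffic class
    described in the advisory, otherwise None."""
    if not packet:
        return None
    version = packet[0] >> 4
    if version == 4 and len(packet) >= 20:
        ihl = packet[0] & 0x0F              # header length in 32-bit words
        name = WATCHED_V4.get(packet[9])    # byte 9 is the protocol field
        if ihl > 5 and name and len(packet) >= ihl * 4:
            return f"IPv4 {name} packet carrying {ihl * 4 - 20} bytes of IP options"
    elif version == 6 and len(packet) >= 40:
        next_header, offset = packet[6], 40
        # Walk the extension-header chain; each header starts with
        # (next header, length in 8-byte units beyond the first 8 bytes).
        while next_header in V6_EXT_HEADERS and offset + 8 <= len(packet):
            if next_header == V6_ROUTING and packet[offset + 2] == 0:
                return "IPv6 Type 0 Routing header"
            next_header, offset = packet[offset], offset + (packet[offset + 1] + 1) * 8
    return None

def sample_v4(proto, options=b""):
    """Constructed IPv4 header (checksum left at zero), not captured traffic."""
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + options

def sample_v6(next_header, payload=b""):
    """Constructed IPv6 header with all-zero addresses, not captured traffic."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + bytes(32) + payload

if __name__ == "__main__":
    nop_options = b"\x01\x01\x01\x00"             # three NOPs and end-of-list
    rh0 = bytes([59, 0, 0, 0, 0, 0, 0, 0])        # routing header, type 0, no next header
    for pkt in (sample_v4(1, nop_options), sample_v4(1), sample_v6(43, rh0)):
        print(classify(pkt))
```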

At this time, there are no known successful compromises or attack tools for these vulnerabilities.

CVE: CVE numbers have not yet been assigned to these vulnerabilities.

RECOMMENDATIONS:
We recommend that all of the following actions be taken:

  • Consider upgrading to a version of IOS that is not affected by these vulnerabilities. Software upgrades can be obtained from Cisco for free by all affected customers.
  • If applying the patches is not an option at this time, consider implementing the workarounds described in the Cisco advisories.

REFERENCES:
Cisco
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml

SecurityFocus
http://www.securityfocus.com/archive/1/457972/30/0/threaded

US-CERT
http://www.us-cert.gov/cas/techalerts/TA07-024A.html

SANS - Internet Storm Center
http://isc.incidents.org/diary.html?storyid=2097

 


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.