Multiple Denial of Service Vulnerablities in Cisco IOS

• Cisco routers and switches running IOS in various
  configurations

Several denial-of-service vulnerabilities have been discovered in
Cisco's Internet Operating System (IOS). A remote attacker may be
able to cause an affected device to reload the operating system.

Cisco has published three advisories describing flaws in IOS that
could allow a remote attacker to cause an affected device to reload.
Further details are available in the following vulnerability
notes:

VU#583638 - Cisco IOS contains DoS vulnerability in MPLS packet processing

The IOS implementation of Multi Protocol Label Switching (MPLS)
contains a vulnerability that allows malformed MPLS packets to cause
an affected device to reload. An unauthenticated attacker can send
these malformed packets on a local network segment that is connected
to a vulnerable device interface.

VU#472582 - Cisco IOS IPv6 denial-of-service vulnerability

A vulnerability in the way that IOS handles a sequence of specially
crafted IPv6 packets could cause an affected device to reload,
resulting in a denial of service. The vulnerability is exposed on
both physical interfaces (i.e., hardware interfaces), and logical
interfaces (i.e., software defined interfaces such as tunnels) that
are configured for IPv6.

VU#689326 - Cisco IOS vulnerable to DoS via malformed BGP packet

An IOS device that is enabled for Border Gateway Protocol (BGP) and
set up with the bgp
log-neighbor-changes option is vulnerable to a
denial-of-service attack via a malformed BGP packet.

Impact

Although the underlying causes of these three vulnerabilities is
different, in each case a remote attacker could cause an affected
device to reload the operating system. This creates a
denial-of-service condition since packets are not forwarded through
the affected device while it is reloading. Repeated exploitation of
these vulnerabilites would result in a sustained denial-of-service
condition.

Since devices running IOS may transit traffic for a number of other
networks, the secondary impacts of a denial of service may be
severe.

Solution

Upgrade to a fixed version of IOS

Cisco has updated versions of its IOS software to address these
vulnerabilities. Please refer to the "Software Versions and Fixes"
sections of the Cisco Security Advisories listed in Appendix A for more information on upgrading.

Workaround

Cisco has also published practical workarounds for VU#689326 and
VU#583638. Please refer to the "Workarounds" section of each Cisco
Security Advisory listed in Appendix A for more
information.

Sites that are unable to install an upgraded version of IOS are
encouraged to implement these workarounds.

Appendix A. References

• Cisco Security Advisory: Crafted Packet Causes Reload on Cisco Routers - <http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml>
• Cisco Security Advisory: Multiple Crafted IPv6 Packets Cause Reload - <http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml>
• Cisco Security Advisory: Cisco IOS Malformed BGP Packet Causes Reload Updated - <http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml>
• US-CERT Vulnerability Note VU#583638 - <http://www.kb.cert.org/vuls/id/583638>
• US-CERT Vulnerability Note VU#472582 - <http://www.kb.cert.org/vuls/id/472582>
• US-CERT Vulnerability Note VU#689326 - <http://www.kb.cert.org/vuls/id/689326>

Revision History

• January 26, 2005: Initial release
  

  Last updated