When considering software upgrades, also consult
and any subsequent advisories to determine exposure and a complete upgrade
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco Technical
Assistance Center ("TAC") or your contracted maintenance provider for
This problem has been corrected in the following classic Cisco IOS
                 First Repaired Maintenance Release        Recommended Maintenance Releases For Installation
Cisco IOS 10.3
Cisco IOS 11.0
Cisco IOS 11.1   11.1(13), 11.1(13)AA, 11.1(13)CA,         11.1(14), 11.1(14)AA, 11.1(14)CA,
                 11.1(13)IA                                11.1(14)IA
Cisco IOS 11.2   11.2(8), 11.2(8)P, 11.2(4)F1 (replaces    11.2(8), 11.2(8)P, 11.2(4)F1. 11.2(9) not
                                                           recommended for CHAP
Cisco Systems strongly recommends that all customers using classic
Cisco IOS PPP with CHAP authentication upgrade to one of these or to a newer
release, and that all users of IOS/700 PPP with CHAP authentication install the
configuration workarounds described in this document.
The 11.2(4)F1 release will be available by Monday, October 6, 1997.
Users of 11.2F releases are encouraged to move to 11.2 or 11.2P releases if at
all possible. All the other releases mentioned above are available immediately
as of the release of this notice.
The recommended release numbers listed above are expected to be the
best choices for most common situations, but it's very important that customers
evaluate their network configurations and other needs before choosing which
releases to use.
Cisco is offering free software upgrades to all classic Cisco IOS PPP
users in order to address this vulnerability. Upgrade details are at the end of
this notice. Free upgrades will be offered to IOS/700 users upon release of
IOS/700 version 4.1(2).
You should upgrade your classic Cisco IOS software to one of the
releases mentioned in the first section of this notice, or to a later release.
Instructions for obtaining the new software are at the end of this notice.
Instructions for installing upgraded software are in the standard system
Before installing any Cisco IOS software upgrade, you should always
verify that the new software is compatible with your hardware. It's especially
important to make sure that you have enough memory to do the upgrade. General
assistance and full system documentation are available via the Internet's
Worldwide Web at http://www.cisco.com.
Before installing any upgrade of any description, it's always wise to
make sure that the version you're installing has no bugs that will negatively
impact your configuration. Please check Cisco's Web site for more information
and advice on software upgrades in general.
The new software has been changed in a number of ways in order to make
it more resistant to CHAP-related attacks. Some of those changes may cause CHAP
authentication to fail in certain customer networks. Cisco believes the
affected configurations to be rare. If you install upgraded software, and
legitimate CHAP connections stop working, please see the paragraphs immediately
following this one, which we believe describe the failures that are likely to
be seen in real networks. If you still can't get CHAP working after reading
the paragraphs below, please call the Cisco TAC for assistance in reconfiguring
The fix for this vulnerability was released in Cisco IOS software
version 10.3(19), but an error in the implementation of the fix caused almost
all CHAP authentication between 10.3(19) systems to fail. This error is
corrected in 10.3(19a). 10.3(19) may be safely used if the command
no ppp chap wait is configured for each interface on
which CHAP is used. Because multiple fixes have been introduced for the
potential attack against which the modified behavior guards, using
no ppp chap wait will not appreciably increase your
If an intermediate device, such as an ISDN switch, establishes incoming
calls to two separate systems running the modified Cisco IOS software, and then
places those two systems in contact with one another, CHAP authentication
between the two systems may fail. This is because each system "thinks" that
it's receiving a call, and neither system "thinks" that it originated the call.
If this is a problem in your configuration, use the command ppp direction
dedicated on the affected interfaces of both systems.
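The two paragraphs above each describe a per-interface workaround. As an added example that is not part of Cisco's advisory, the Python script below parses a constructed "show version" banner line and a constructed running-config fragment, lists every interface configured for CHAP, records whether it carries "no ppp chap wait" and "ppp direction dedicated", and flags any CHAP interface on 10.3(19) itself (not 10.3(19a)) that lacks "no ppp chap wait". The router model, interface names, addresses and config contents are constructed for the example, and the function names are my own.

```python
import re

# Constructed sample input (not from the advisory): the banner line of
# "show version" and a running-config fragment from a hypothetical router.
SHOW_VERSION_LINE = (
    "IOS (tm) 2500 Software (C2500-I-L), Version 10.3(19), RELEASE SOFTWARE (fc1)"
)

RUNNING_CONFIG = """\
version 10.3
!
interface Serial0
 encapsulation ppp
 ppp authentication chap
!
interface Serial1
 encapsulation ppp
 ppp authentication chap
 no ppp chap wait
!
interface BRI0
 encapsulation ppp
 ppp authentication chap
 no ppp chap wait
 ppp direction dedicated
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
!
end
"""

# Matches e.g. "Version 10.3(19)" or "Version 10.3(19a)" in the show version banner.
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)([a-z]*)\)")


def parse_version(banner):
    """Return (major, minor, maintenance, suffix) from a show version banner line."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError("no Cisco IOS version string found in banner")
    major, minor, maint, suffix = m.groups()
    return int(major), int(minor), int(maint), suffix


def parse_interfaces(config):
    """Split a running-config into {interface name: [indented sub-commands]}."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or a top-level command ends the stanza
    return interfaces


def audit_chap_interfaces(banner, config):
    """Report CHAP interfaces and which of the advisory's workarounds they carry.

    Returns the parsed version, a per-interface dict with the booleans
    no_chap_wait and direction_dedicated, and a list of findings. Only one
    rule is encoded: on 10.3(19) itself (not 10.3(19a)) every CHAP interface
    needs "no ppp chap wait", otherwise CHAP between 10.3(19) peers fails.
    """
    version = parse_version(banner)
    is_10_3_19 = version == (10, 3, 19, "")
    report = {}
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("ppp authentication chap") for c in cmds):
            continue
        entry = {
            "no_chap_wait": "no ppp chap wait" in cmds,
            "direction_dedicated": "ppp direction dedicated" in cmds,
        }
        report[name] = entry
        if is_10_3_19 and not entry["no_chap_wait"]:
            findings.append(
                f"{name}: CHAP on 10.3(19) without 'no ppp chap wait'; "
                "add the command or move to 10.3(19a)"
            )
    return {"version": version, "interfaces": report, "findings": findings}


if __name__ == "__main__":
    result = audit_chap_interfaces(SHOW_VERSION_LINE, RUNNING_CONFIG)
    print("IOS version:", result["version"])
    for name, entry in result["interfaces"].items():
        print(f"{name}: {entry}")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

With the constructed input only Serial0 is flagged: Serial1 and BRI0 already carry "no ppp chap wait", and Ethernet0 does not run CHAP. The script cannot tell from a single router's config whether the ISDN-switch topology described above applies, so "ppp direction dedicated" is reported but never required; that decision stays with the operator who knows both ends of the link.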