Products & Services
Support

Product Categories


Popular Downloads


Manage Software

How to Buy

For Home

Linksys Products Store
Linksys is now part of Belkin
Products for everyone

All Ordering Options

Training & Events Partners
Guest

Cisco Security Advisory

TCP Vulnerabilities in Multiple Non-IOS Cisco Products

Advisory ID: cisco-sa-20040420-tcp-nonios

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040420-tcp-nonios

Revision 2.10

Last Updated  2014 October 23 12:53  UTC (GMT)

For Public Release 2004 April 20 21:00  UTC (GMT)

Related Resources:


Summary

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer), and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, the attack vector does not directly compromise data integrity or confidentiality.

All Cisco products which contain a TCP stack are susceptible to this vulnerability.

This advisory is available at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040420-tcp-nonios, and it describes this vulnerability as it applies to Cisco products that do not run Cisco IOS® software.

A companion advisory that describes this vulnerability for products that run Cisco IOS software is available at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040420-tcp-ios.

Affected Products

This section provides details on affected products.

Vulnerable Products

Products which contain a TCP stack are susceptible to this vulnerability. All Cisco products and models are affected. The severity of the exposure depends upon the protocols and applications that utilize TCP.

In some cases the vulnerability lies in the underlying operating system. In these cases, we rely on the original OS vendor to provide the patch.

The nonexhaustive list of vulnerable non-IOS based Cisco products is as follows:

  • Access Registrar
  • BPX 8600, IGX 8400, MGX 82xx, 88xx and 8950 WAN Switches, and the Service Expansion Shelf
  • BR340, WGB340, AP340, AP350, BR350 Cisco/Aironet wireless products
  • Cache Engine 505 and 570
  • CallManager
  • Catalyst 1200, 1900, 28xx, 2948G-GE-TX, 3000, 3900, 4000, 5000, 6000
  • Cisco 8110 Broadband Network Termination Unit
  • Cisco Element Management Framework
  • Cisco Info Center
  • Cisco Intelligent Contact Management
  • Cisco MDS 9000
  • Cisco ONS 15190/15194 IP Transport Concentrator
  • Cisco ONS 15327 Metro Edge Optical Transport Platform
  • Cisco ONS 15454 Optical Transport Platform
  • Cisco ONS 15531/15532 T31 OMDS Metro WDM System
  • Cisco ONS 15800/15801/15808 Dense Wave Division Multiplexing Platform
  • Cisco ONS 15830 T30 Optical Amplification System
  • Cisco ONS 15831/15832 T31 DWDM System
  • Cisco ONS 15863 T31 Submarine WDM System
  • Content Router 4430 and Content Delivery Manager 4630 and 4650
  • CiscoSecure ACS for Windows and Unix, and CiscoSecure ACS 1111 Appliance
  • Cisco Secure Intrusion Detection System (NetRanger) appliance and IDS Module
  • Cisco Secure PIX firewall
  • Cisco ws-x6608 and ws-x6624 IP Telephony Modules
  • CiscoWorks Windows
  • Content Engine 507, 560, 590, and 7320
  • CSS11000 (Arrowpoint) Content Services Switch
  • Hosting Solution Engine
  • User Registration Tool VLAN Policy Server
  • Cisco FastHub 300 and 400
  • CR-4430-B
  • Device Fault Manager
  • Internet CDN Content Engine 590 and 7320, Content Distribution Manager 4670, and Content Router 4450
  • IP Phone (all models including ATA and VG248)
  • IP/TV
  • LightStream 1010
  • LightStream 100 ATM Switches
  • LocalDirector
  • ME1100 series
  • MicroHub 1500,MicroSwitch 1538/1548
  • Voice Manager
  • RTM
  • SN5400 series storage routers
  • Switch Probe
  • Unity Server
  • VG248 Analog Phone Gateway
  • VPN5000 - VPN Concentrator
  • Traffic Director
  • WAN Manager
  • CSS 11050, CSS 11100, CSS 11150, CSS 11500 and CSS 11800
  • GSS, CSM
  • Cisco Channel Interface Processor (CIP) and Channel Port Adapter (CPA)
  • Cisco Systems ESCON Channel Port Adapter (ECPA)
  • Cisco Systems Parallel Channel Port Adapter (PCPA)
  • Cisco Firewall Services Module for Cisco Catalyst 6500 Series and Cisco 7600 Series (FWSM)
  • Cisco ACNS
  • CiscoWorks Wireless LAN Solution Appliance
  • Cisco VPN 3000 Series Concentrators
  • Cisco Standalone rack server CIMC

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by these vulnerabilities.

Details

TCP is the transport layer protocol designed to provide connection-oriented reliable delivery of a data stream. To accomplish this, TCP uses a mixture of flags to indicate state and sequence numbers to identify the order in which the packets are to be reassembled. TCP also provides a number, called an acknowledgement number, that is used to indicate the sequence number of the next packet expected. The packets are reassembled by the receiving TCP implementation only if their sequence numbers fall within a range of the acknowledgement number (called a "window"). The acknowledgement number is not used in a packet with the reset (RST) flag set because a reset does not expect a packet in return. The full specification of the TCP protocol can be found at http://www.ietf.org/rfc/rfc0793.txt leavingcisco.com.

According to the RFC793 specification, it is possible to reset an established TCP connection by sending a packet with the RST or synchronize (SYN) flag set. In order for this to occur, the 4-tuple must be known or guessed (source and destination IP address and ports) together with a sequence number. However, the sequence number does not have to be an exact match; it is sufficient to fall within the advertised window. This significantly decreases the effort required by an adversary: the larger the window, the easier it is to reset the connection. While source and destination IP addresses may be relatively easy to determine, the source TCP port must be guessed. The destination TCP port is usually known for all standard services (for example, 23 for Telnet, 80 for HTTP). Many operating systems (OSs) use predictable ephemeral ports for known services with a predictable increment (the next port which will be used for a subsequent connection). These values, while constant for a particular OS and protocol, do vary from one OS release to another.

Here is an example of a normal termination of a TCP session:

                Host(1)                       Host(2)
                  |                             |
                  |                             |
                  |  ACK ack=1001, window=5000  |
                  |<----------------------------|
                  |                             |



              Host(1) is

         closing the session



                  |        RST seq=1001         |
                  |---------------------------->|
                  |                             |



                                            Host(2) is

                                        closing the session

In addition, the following scenario is also permitted:

                Host(1)                       Host(2)
                  |                             |
                  |                             |
                  |  ACK ack=1001, window=5000  |
                  |<----------------------------|
                  |                             |



              Host(1) is

         closing the session



                  |        RST seq=4321         |
                  |---------------------------->|
                  |                             |



                                            Host(2) is

                                        closing the session

Note how the RST packet was able to terminate the session although the sequence number was not the next expected one (which is 1001). It was sufficient for the sequence number to fall within the advertised "window". In this example, Host(2) was accepting sequence numbers from 1001 to 6001 and 4321 is clearly within the acceptable range.

Cisco fixed this vulnerability in accordance with the http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-02.txt leavingcisco.com.

As a general rule, all protocols where a TCP connection stays established for longer than one minute should be considered exposed.

Vulnerability Scoring Details

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html .

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss .


Impact

The impact is different for each specific protocol. While, in the majority of cases, a TCP connection will be automatically re-established, in some specific protocols a second order of consequences may have a larger impact than tearing down the connection itself. The Cisco PSIRT has analyzed multiple TCP-based protocols, as they are used within our offering, and we believe that this vulnerability does not have a significant impact on them. We will present our analysis for a few protocols which have the potential for higher impact due to the long lived connections.

Voice signaling H.225, H.245 (part of H.323 suite)

H.225 and H.245 protocols are used in voice signaling. Their purpose is to negotiate parameters for content transfer (voice or video). The established sessions persist for the duration of a call. Any call in progress is terminated when the signaling session is broken. A new signaling session will be established immediately for the new call, but terminated calls cannot be re-established.

Each call from an IP telephone or softphone will result in the creation of a single signaling session. Terminating that signaling session affects only a single user. It is possible that a single signaling session is responsible for multiple calls, but that setup is used deeper within the Service Provider's network. Determining all necessary parameters for mounting an attack is deemed a non-trivial task if the network is designed according to the current best practices.

Network Storage (iSCSI, FCIP)

Network Storage products use two TCP-based protocols: SCSI over IP (iSCSI) and Fiber Channel over IP (FCIP).

  • SCSI over IP (iSCSI)
    iSCSI is used in a client/server environment. The client is your computer and it is only the client that initiates a connection. This connection is not shared with any other users. A separate session is established for each virtual device used. Terminating the session will not have any adverse consequences if people are using current drivers from Microsoft for Windows and from Cisco for Linux. These drivers will re-establish the session and continue transfer from the point where it was disconnected. Drivers from other vendors may behave differently.
    The user may notice that access to a virtual device is slightly slower than usual.
  • Fiber Channel over IP (FCIP)
    FCIP is a peer-to-peer protocol. It is used for mirroring data between switches. Each peer can initiate the session. Switches can, and should be in practice, configured in a mesh. Bringing one link down will cause traffic to be re-routed over other link(s). If an adversary can manage to terminate the session multiple times in a row, the user's application may terminate with a "Device unreachable" or similar error message. This does not have any influence on the switch itself and the user can retry the operation.
    The user may notice that access to a virtual device is slightly slower than usual. An occasional error message is possible.

Transport Layer Security/Secure Socket Layer (TLS/SSL)

Since this vulnerability operates on a TCP layer, encryption does not provide any protection. SSL/TLS connections can be used to encapsulate various kinds of traffic and these sessions can be long lived. A successful exploitation does not impact confidentiality of the data. An encrypted session can be attacked either on the originating or terminating host or on the firewalls in front of them (if they exist).

Software Versions and Fixes

For all Cisco products that are based on a third party Operating System and when Cisco is not supplying the OS, please contact your respective vendor for the appropriate patches.

Be advised that Cisco released multiple advisories on 2004-April-20.

Product

Defect ID

Intended First Fixed Release

LAN Switching

Catalyst 1200, 1900, 28xx, 29xx, 3000, 3900, 4000, 5000, 6000

CSCed32349 ( registered customers only)

6.4(13), 6.4(12.3), 7.6(8.6), 8.3(2.8), 8.3(3.4), 8.4(0.47COC, 8.4(0.91)COC, 8.4(1.2)GLX, 8.4(2.1)GLX, 8.6(0.1)TAL, 8.6(0.21)TAL

Catalyst 1900 and 2820

 

9.00.07 Available on 2004-Apr-27

Catalyst 6500 Series SSL Services Module

CSCee35285 ( registered customers only)

2.1(2)

Network Storage

Cisco MDS 9000 Family

CSCed27956 ( registered customers only) , CSCed38527 ( registered customers only) , CSCed65607 ( registered customers only)

1.3(4a)

Cisco Channel Interface Processor (CIP)

CSCee35335 ( registered customers only)

27-x and 28-x, No software available; date has not been determined yet.

Cisco SN5428 and SN5428-2 Storage Routers

CSCee36193 ( registered customers only)

3.5(3)-K9

Unified Computing

Cisco Standalone rack server CIMC

CSCur03816 ( registered customers only)

No software available; date has not been determined yet.

Voice Products

VG248 Analog Phone Gateway

CSCsk45124 ( registered customers only)

No software available; date has not been determined yet.

WS-6624 analog station gateway module for the Catalyst 6500

CSCee22691 ( registered customers only)

No software available; date has not been determined yet.

Windows-based CallManager

Fixed by http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx leavingcisco.com

Windows version 2000.2.7sr5 and later contain the fix

RedHat-based CallManager

Waiting on RedHat to provide the fix

No software available; date has not been determined yet.

Wireless Products

Cisco Aironet Access Point 340, 350, 1200 Series (only VxWorks-based)

CSCee22526 ( registered customers only)

No software available; date has not been determined yet. Customers are encouraged to migrate to IOS.

Security Products

Cisco Intrusion Detection System (IDS)

CSCee33732 ( registered customers only)

5.0

No software available; date has not been determined yet.

Cisco Firewall Services Module for Cisco Catalyst 6500 and 7600 Series (FWSM)

CSCee07453 ( registered customers only)

1.1(3.17) Contact TAC

Cisco PIX Firewall

CSCed31689 ( registered customers only) , CSCed91445 ( registered customers only) , CSCed70062 ( registered customers only) , CSCed91726 ( registered customers only)

6.1.5(104), 6.2.3(110), and 6.3.3(133) Contact TAC

Content Networking

Cisco CSS11500 Family

CSCee06117 ( registered customers only) , SSL termination

07.30(00.09)S 07.20(03.10)S 07.30(00.08)S 07.10(05.07)S 07.20(03.09)S, 07.30(1.06), 07.20(4.05)

Cisco CSS11000 and CSS11500 Family

CSCee39336 ( registered customers only) , TCP management connections

07.30(01.02), 07.30(01.06), 07.20(04.05), 05.00(05.05)S, 06.10(03.10)S

Cisco Content Switching Module (CSM)

CSCee33252 ( registered customers only)

4.1(2) Available 2004-Jun, for 3.x releases contact TAC

Cisco ACNS

CSCee37496 ( registered customers only)

No software available; date has not been determined yet.

Cisco 11000 Series Secure Content Accelerator (SCA)

CSCee49634 ( registered customers only)

No software available; date has not been determined yet.

Cisco LocalDirector

CSCee08921 ( registered customers only)

4.2(1), 4.2(2), 4.2(3), 4.2(4), 4.2(5), 4.2(6)

Optical Products

Cisco ONS 15327, 15454 and 15454SDH Optical Transport Platform

CSCed73026 ( registered customers only)

R4.14 available 2004-Apr-27; future releases R4.62, R2.35.

Cisco ONS 15501 Optical Transport Platform

CSCee41687 ( registered customers only)

No software available; date has not been determined yet.

Cisco ONS 15600 Optical Transport Platform

CSCed73026 ( registered customers only)

Future releases R5.0

WAN Switching

MGX 8850, MGX 8830, MGX 8950

CSCee34615 ( registered customers only)

4.0.17, 5.1.20, 5.2.00.

SES

CSCee34615 ( registered customers only)

4.0.X. No software available; date has not been determined yet.

MGX 8230, MGX 8250

CSCee34620 ( registered customers only)

1.2.23, 1.3.11.

MGX 8220

This product reached End-of-Support. Customers are recomended to upgrade to MGX 8230 or MGX8250 models.

http://www.cisco.com/en/US/products/hw/switches/ps1925/ prod_eol_notice09186a00800a445d.html

CSCee34624 ( registered customers only)

No fixed software planned.

BPX 8600, IGX 8400

CSCee34625 ( registered customers only)

9.3.51, 9.4.12

VPN Concentrators

VPN 3000 Series Concentrators

CSCsc28894 ( registered customers only)

04.7.02.C

4.1.7.K. > Release


Workarounds

The effectiveness of any workaround is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround is the most appropriate for use in the intended network before it is deployed.

There are no workarounds available to mitigate the effects of this vulnerability.

It is possible to mitigate the exposure on this vulnerability by applying anti-spoofing measures on the edge of the network.

By enabling Unicast Reverse Path Forwarding (uRPF), all spoofed packets will be dropped at the first device. To enable uRPF, use the following commands.

router(config)#ip cef 

router(config)#interface <interface> <interface #>


router(config-if)#ip verify unicast reverse-path

Please consult http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ft_urpf.html and ftp://ftp-eng.cisco.com/cons/isp/security/URPF-ISP.pdf for further descriptions of how uRPF works and how to configure it in various scenarios. This is especially important if you are using asymmetric routing.

Access control lists (ACLs) should also be deployed as close to the edge as possible. Unlike uRPF, you must specify the exact IP range that is permitted. Specifying which addresses should be blocked is not the optimal solution because it tends to be harder to maintain.

caution Caution: In order for anti-spoofing measures to be effective, they must be deployed at least one hop away from the devices which are being protected. Ideally, they will be deployed at the network edge.

Obtaining Fixed Software

Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers Using Third-Party Support Organizations

Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers Without Service Contracts

Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  • +1 800 553 2447 (toll free from within North America)
  • +1 408 526 7209 (toll call from anywhere in the world)
  • e-mail: tac@cisco.com

Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements

This vulnerability was presented at the public conference. The Cisco PSIRT is not aware malicious use of the vulnerability described in this advisory.

The exploitation of the vulnerability with packets having RST flag set (reset packets) was discovered by Paul (Tony) Watson of OSVDB.org. The extension of the attack vector to packets with SYN flag set and data injection was discovered by the vendors cooperating on the resolution of this issue.

Status of This Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This advisory will be posted on Cisco's worldwide website at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040420-tcp-nonios.

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients:

  • cust-security-announce@cisco.com
  • first-teams@first.org (includes CERT/CC)
  • bugtraq@securityfocus.com
  • vulnwatch@vulnwatch.org
  • cisco@spot.colorado.edu
  • cisco-nsp@puck.nether.net
  • full-disclosure@lists.netsys.com
  • comp.dcom.sys.cisco@newsgate.cisco.com
  • Various internal Cisco mailing lists

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.


Revision History

Revision 2.10 2014-October-23 Added CSCur03816, Cisco Standalone rack server CIMC.
Revision

2.9

2008-January-08

Removed CSCee07451 and CSCee07450 as Cisco FWSM itself is not affected. Added fixed software releases for the following MGX models: 8230, 8250, 8830, 8850 and 8950. MGX8220 reached End-of-Support. Added fixed software releases for BPX 8600 and IGX 8400.

Revision

2.8

2007-October-04

Added information for VG248.

Revision

2.7

2007-April-03

Added information for CallManger

Revision

2.6

2006-February -14

Added release 4.1.7.K to list of fixed releases for the VPN 3000 Series Concentrators.

Revision

2.5

2005-December-29

Moved Cisco VPN 3000 Series Concentrators to the Affected Products section; added VPN Concentrators to the Software Versions and Fixes section.

Revision

2.4

2004-December-6

Changed link to IETF draft in Details section.

Revision

2.3

2004-December-3

Added Cisco LocalDirector information to the Software Versions and Fixes section, under the Content Network heading.

Revision

2.2

2004-November 10

Updated first line of the table (under LAN Switching) in "Software Versions and Fixes" section.

Revision

2.1

2004-October-06

Added Cisco SN5428 and SN5428-2 Storage Routers information to the Software Versions and Fixes section, under the Network Storage heading.

Revision

2.0

2004-September-28

In "Software Versions and Fixes" section, added the following row in the table under "Security Products:"

Cisco Intrusion Detection System (IDS)¦ CSCee33732 ¦ 5.0, No software availability date has been determined yet.

Revision

1.9

2004-July-07

In the Software Versions and Fixes section in the Content Networking part of the table, removed the text "Contact TAC" and added: 07.30(1.06), 07.20(4.05) to the first row.

In the Software Versions and Fixes section in the Content Networking part of the table, removed the text "No Software availability date has been determined yet." and added: 07.30(01.02), 07.30(01.06), 07.20(04.05), 05.00(05.05)S, 06.10(03.10)S to the second row.

Revision

1.8

2004-Jun-03

In the Software Versions and Fixes section, added an entry for the Cisco 11000 Series Secure Content Accelerator (SCA).

Revision

1.7

2004-May-10

In the Affected Products section, added CiscoWorks Wireless LAN Solution Appliance. In the Software Versions and Fixes section, added the Catalyst 6500 Series SSL Services Module entry under LAN Switching.

Revision

1.6

2004-May-04

In the Software Versions and Fixes section, updated the entry for PIX in Security Products.

Revision

1.5

2004-Apr-30

In the Software Versions and Fixes section, modified the entry for PIX in Security Products and added an entry under Optical Products.

Revision

1.4

2004-Apr-28

In the Affected Products section, added another product and moved one from non-affected list.

In the Details section added link to the DoD Draft TCP protocol.

In the Software Versions and Fixes section, updated entry for Security Products and Content Networking.

In the Exploitation and Public Announcement section, changed wording of initial sentence.

Revision

1.3

2004-Apr-25

In Affected Products section, added more products to the end of the list.

In Software Versions and Fixes section, added introductory paragraphs as advisories.

In Software Versions and Fixes section, updated the Cisco MDS 9000 Family entry and added Cisco Channel Interface Processor (CIP) information.

In Workarounds section, updated the command sequence to enable uRPF.

Revision

1.2

2004-Apr-22

Under Affected Products section, updated BPX entry, and added CiscoSecure ACS for Windows and Unix and CiscoSecure ACS 1111 Appliance.

In Software Versions and Fixes section, added WAN Switching section in table.

Revision

1.1

2004-Apr-21

Affected Products section, list of Catalyst products updated.

In Software Versions and Fixes section, Optical products updated.

In Software Versions and Fixes section, Security products updated.

Revision

1.0

2004-Apr-20

Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.


Download this document (PDF)
View Printable Version