Cisco Security Advisory

Crafted IP Option Vulnerability

Advisory ID: cisco-sa-20070124-crafted-ip-option

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070124-crafted-ip-option

Revision 2.0

For Public Release 2007 January 24 16:00  UTC (GMT)


Summary

Cisco routers and switches running Cisco IOS® or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by this issue.

Cisco has made free software available to address this vulnerability for affected customers.

There are workarounds available to mitigate the effects of the vulnerability.

This vulnerability was discovered during internal testing.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070124-crafted-ip-option.

Affected Products

Vulnerable Products

This issue affects all Cisco devices running Cisco IOS or Cisco IOS XR software and configured to process Internet Protocol version 4 (IPv4) packets. Devices which run only Internet Protocol version 6 (IPv6) are not affected.

This vulnerability is present in all unfixed versions of Cisco IOS software, including versions 9.x, 10.x, 11.x and 12.x.

This vulnerability is present in all unfixed versions of Cisco IOS XR software, including versions 2.0.X, 3.0.X, and 3.2.X.

All versions of Cisco IOS or Cisco IOS XR prior to the versions listed in the Fixed Software table below may be susceptible to this vulnerability.

To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS". On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Cisco IOS XR software will identify itself as "Cisco IOS XR Software" followed by "Version" and the version number. Other Cisco devices will not have the show version command or will give different output.

The following example identifies a Cisco product running Cisco IOS release 12.2(14)S16 with an installed image name of C7200-IS-M:

Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(14)S16, RELEASE SOFTWARE (fc1)

The release train label is "12.2".

The next example shows a product running IOS release 12.3(7)T12 with an image name of C7200-IK9S-M:

Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(7)T12, RELEASE SOFTWARE (fc1)

Additional information about Cisco IOS Banners is available at http://www.cisco.com/web/about/security/intelligence/ios-ref.html.

Cisco IOS XR Software is a member of the Cisco IOS software family that uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR runs only on Cisco Carrier Routing System 1 (CRS-1) and Cisco XR 12000 series routers.

Additional information about Cisco IOS XR is available at http://www.cisco.com/en/US/products/ps5845/index.html

The following example shows partial output from the show version command which identifies a Cisco product running Cisco IOS XR release 3.3.0:

RP/0/RP0/CPU0:router#show version
Cisco IOS XR Software, Version 3.3.0 
Copyright (c) 2006 by cisco Systems, Inc. 
ROM: System Bootstrap, Version 1.32(20050525:193559) [CRS-1 ROMMON]

Products Confirmed Not Vulnerable

Cisco devices that do not run Cisco IOS or Cisco IOS XR software are not affected. CatOS software is not affected by this issue.

No other Cisco products are currently known to be affected by this vulnerability.

Details

This vulnerability may be exploited when an affected device processes a packet that meets all three of the following conditions:

1. The packet contains a specific crafted IP option.

AND

2. The packet is one of the following protocols:

  • ICMP - Echo (Type 8) - 'ping'
  • ICMP - Timestamp (Type 13)
  • ICMP - Information Request (Type 15)
  • ICMP - Address Mask Request (Type 17)
  • PIMv2 - IP protocol 103
  • PGM - IP protocol 113
  • URD - TCP Port 465

AND

3. The packet is sent to a physical or virtual IPv4 address configured on the affected device.

No other ICMP message types are affected by this issue.

No other IP protocols are affected by this issue.

No other TCP services are affected by this issue.

The packet can be sent from a local network or from a remote network.

The source IP address of the packet can be spoofed or non-spoofed.

Packets which transit the device (packets not sent to one of the device's IP addresses) do not trigger the vulnerability and the device is not affected.

This vulnerability is documented in these Bug IDs:

Cisco IOS

A crafted packet addressed directly to a vulnerable device running Cisco IOS software may result in the device reloading or may allow execution of arbitrary code.

Cisco IOS XR

A crafted packet addressed directly to a vulnerable device running Cisco IOS XR software may result in the ipv4_io process restarting or may allow execution of arbitrary code. CRS-1 Nodes that run the ipv4_io process include Route Processors (RP), Distributed Route Processors (DRP), Modular Services Cards (MSC), and XR 12000 Line Cards. While the ipv4_io process is restarting, all ICMP traffic destined for the device itself and exception punts will be dropped. Examples of exception punts include packets having IP header information that requires further processing such as IP options, Time-to-Live equal to 0 or 1, and layer-2 keepalives. CLNS traffic to the Node or Line Card is not affected. If the ipv4_io process is restarted several times consecutively, the CRS-1 Node or XR 12000 Line Card may reload, causing a Denial of Service (DoS) condition for the transit traffic switched on that Node or Line card.

Devices Configured for ICMP Message Types

ICMP Type 8

By default, devices running all Cisco IOS and Cisco IOS XR versions will process ICMP echo-request (Type 8) packets. This behavior cannot be modified.

ICMP Type 13

By default, devices running all Cisco IOS versions will process ICMP timestamp (Type 13) packets. This behavior cannot be modified.

By default, devices running all Cisco IOS XR versions will NOT process ICMP timestamp (Type 13) packets. This behavior cannot be modified.

ICMP Type 15

With the introduction of CSCdz50424, by default routers will NOT process ICMP information request (Type 15) packets. Releases of Cisco IOS that contain CSCdz50424 include 12.3, 12.3T, 12.4, 12.4T, later 12.0S and later 12.2S. See CSCdz50424 ( registered customers only) for complete release information.

A router running a Cisco IOS release containing CSCdz50424 that has been modified to process ICMP information request packets will have the interface configuration statement ip information-reply, which can be seen by issuing the command show running-config as shown in the following examples:

router#show running-config | include information-reply
  ip information-reply

or

router#show running-config 

interface FastEthernet0/0 
  ip address 192.0.2.1 255.255.255.0 
  ip information-reply

By default, devices running all other Cisco IOS versions will process ICMP information request (Type 15) packets. This behavior cannot be modified. Since this is the default behavior, ip information-reply will not be visible in the device's configuration.

By default, devices running all Cisco IOS XR versions will NOT process ICMP information request (Type 15) packets. This behavior cannot be modified.

ICMP Type 17

Beginning in Cisco IOS version 10.0, by default devices will NOT process ICMP address mask request (Type 17) packets. A router that has been modified to process ICMP address mask request packets will have the interface configuration statement ip mask-reply, which can be seen by issuing the command show running-config as shown in the following examples:

router#show running-config | include mask-reply
 ip mask-reply

or

router#show running-config

interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0 
 ip mask-reply

By default, devices running all Cisco IOS XR versions will NOT process ICMP address mask request (Type 17) packets. A router that has been modified to process ICMP address mask request packets will have the interface configuration statement ipv4 mask-reply, which can be seen by issuing the command show running-config as shown in the following examples:

RP/0/RP0/CPU0:router#show running-config | include mask-reply
Building configuration...
 ipv4 mask-reply

or

RP/0/RP0/CPU0:router#show running-config
interface POS0/1/3/0 
 ipv4 address 192.0.2.1 255.255.255.252 
 ipv4 mask-reply

Devices Configured for Protocol Independent Multicast Version 2 (PIMv2)

Cisco IOS

A router running Cisco IOS that is configured to process PIMv2 packets will have an interface configuration statement that begins with ip pim, which can be seen by issuing the command show running-config as shown in the following examples:

router#show running-config | include ip pim
 ip pim sparse-mode

or

router#show running-config

interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0 
 ip pim sparse-dense-mode

The command show ip pim interface can also be used to determine if a router is configured to process PIMv2 packets, as shown in the following example:

router#show ip pim interface
Address        Interface           Ver/    Nbr     Query  DR      DR
				           Mode    Count   Intvl  Prior 
192.0.2.1      FastEthernet0/0     v1/S    0       30     1       0.0.0.0
192.168.1.1    FastEthernet1/0     v2/SD   0       30     1       0.0.0.0

Interfaces running PIMv2 will show "v2/" under the Ver/Mode column. Interfaces without PIM configured will not be shown in the command output.

PIMv2 is the default PIM version. Routers configured to process only PIMv1 messages are not vulnerable to the PIMv2 exploit. Routers that do not have PIM configured are not vulnerable to the PIMv2 exploit. PIM is not enabled by default.

Additional information about PIM is available at http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.3/multicast/configuration/guide/mc33mcst.html.

Cisco IOS XR

The command show pim interface can be used to determine if a router running Cisco IOS XR is configured to process PIMv2 packets, as shown in the following example:

RP/0/0/CPU0:router#show pim interface 
Address                     Interface              PIM  Nbr   Hello  DR    DR
                                                         Count Intvl  Prior
192.168.1.1                 Loopback0              on   1     30     1     this system
192.168.2.1                 MgmtEth0/0/CPU0/0      off  0     30     1     not elected
192.168.3.1                 Loopback1              on   1     30     1     this system
192.168.4.1                 Loopback3              on   1     30     1     this system
192.168.5.1                 POS0/4/0/0             on   1     30     1     this system
192.0.2.1                   POS0/4/0/1             on   1     30     1     this system

Interfaces running PIMv2 will show on under the PIM column. Interfaces without PIM configured will show "off" under the PIM column.

Cisco IOS XR does not support PIMv1. PIM is not enabled by default on Cisco IOS XR.

Additional information about PIM on Cisco IOS XR is available at http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.3/multicast/configuration/guide/mc33mcst.html.

Devices Configured for Pragmatic General Multicast (PGM)

A router that is configured to process PGM packets will have the interface configuration statement ip pgm router, which can be seen by issuing the command show running-config as shown in the following examples:

router#show running-config | include ip pgm
 ip pgm router

or

router#show running-config

 interface FastEthernet1/0
  ip address 192.0.2.1 255.255.255.0 
  ip pim sparse-dense-mode 
  ip pgm router

or

router#show running-config

interface FastEthernet1/0 
 ip address 192.0.2.1 255.255.255.0 
 ip pgm router

Routers that do not have PGM configured are not vulnerable to the PGM exploit. PGM is not enabled by default.

Additional information about PGM is available at http://www.cisco.com/en/US/docs/ios/ipmulti/configuration/guide/imc_cfg_pgm_routasst_ps6350_TSD_Products_Configuration_Guide_Chapter.html.

Cisco IOS XR does not support PGM and is not affected by PGM packets that exploit this vulnerability.

Devices Configured for URL Rendezvous Directory (URD)

A router that is configured to process URD packets will have the interface configuration statement ip urd or ip urd proxy, which can be seen by issuing the command show running-config as shown in the following examples:

router#show running-config | include ip urd
 ip urd

or

router#show running-config | include ip urd
 ip urd proxy

or

router#show running-config

 interface FastEthernet1/0
  ip address 192.0.2.1 255.255.255.0 
  ip pim sparse-mode 
  ip urd

or

router#show running-config

 interface FastEthernet1/0
  ip address 192.0.2.1 255.255.255.0 
  ip pim sparse-dense-mode 
  ip urd proxy

or

router#show running-config

interface FastEthernet1/0 
 ip address 192.0.2.1 255.255.255.0 
 ip urd

Routers that do not have URD configured are not vulnerable to the URD exploit. URD is not enabled by default.

Additional information about URD is available at http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfssm.html.

Cisco IOS XR does not support URD and is not affected by URD packets that exploit this vulnerability.

Vulnerability Scoring Details

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html .

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss .


Impact

Cisco IOS

Successful exploitation of the vulnerability on Cisco IOS may result in a reload of the device or execution of arbitrary code. Repeated exploitation could result in a sustained DoS attack.

Cisco IOS XR

Successful exploitation of the vulnerability on Cisco IOS XR may result in the ipv4_io process restarting or execution of arbitrary code. Repeated exploitation could result in a CRS-1 Node or XR 12000 Line Card reload and sustained DoS attack.

Software Versions and Fixes

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).

For more information on the terms "Rebuild" and "Maintenance," consult the following URL: http://www.cisco.com/web/about/security/intelligence/ios-ref.html.

Note:  There are three IOS security advisories and one field notice being published on January 24, 2007. Each advisory lists only the releases which fix the issue described in the advisory. A combined software table is available at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070124-bundle and can be used to choose a software release which fixes all security vulnerabilities published as of January 24, 2007. Links for the advisories and field notice are listed here.

Requests for software rebuilds to include the change for Daylight Savings Time (DST) that will be implemented in March 2007 should be directed through the Technical Assistance Center (TAC), and this advisory should be used as reference.

Major Release

Availability of Repaired Releases

Affected 12.0-Based Release

Rebuild

Maintenance

12.0

Vulnerable; migrate to 12.2(37)or later

12.0DA

Vulnerable; migrate to 12.2(10)DA5 or later

12.0DB

Vulnerable; migrate to 12.3(4)T13 or later

12.0DC

Vulnerable; migrate to 12.3(4)T13 or later

12.0S

12.0(27)S3

12.0(28)S

12.0SC

Vulnerable; migrate to 12.3(9a)BC or later

12.0SL

Vulnerable; migrate to 12.0(28)S or later

12.0SP

Vulnerable; migrate to 12.0(28)S or later

12.0ST

Vulnerable; migrate to 12.0(28)S or later

12.0SX

12.0(25)SX11

12.0(30)SX

12.0SY

 

12.0(27)SY

12.0SZ

 

12.0(30)SZ

12.0T

Vulnerable; migrate to 12.2(37)or later

12.0W

12.0(28)W5(32b)

 

12.0WC

12.0(5)WC15

 

12.0WT

Vulnerable; contact TAC

12.0XA

Vulnerable; migrate to 12.2(37)or later

12.0XB

Vulnerable; migrate to 12.2(37)or later

12.0XC

Vulnerable; migrate to 12.2(37)or later

12.0XD

Vulnerable; migrate to 12.2(37)or later

12.0XE

Vulnerable; migrate to 12.1(23)E or later

12.0XF

Not vulnerable

12.0XG

Vulnerable; migrate to 12.2(37)or later

12.0XH

Vulnerable; migrate to 12.2(37)or later

12.0XI

Vulnerable; migrate to 12.2(37)or later

12.0XJ

Vulnerable; migrate to 12.2(37)or later

12.0XK

Vulnerable; migrate to 12.2(37)or later

12.0XL

Vulnerable; migrate to 12.2(37)or later

12.0XM

Vulnerable; migrate to 12.2(37)or later

12.0XN

Vulnerable; migrate to 12.2(37)or later

12.0XQ

Vulnerable; migrate to 12.2(37)or later

12.0XR

Vulnerable; migrate to 12.2(37)or later

12.0XS

Vulnerable; migrate to 12.1(23)E or later

12.0XV

Vulnerable; migrate to 12.2(37)or later

12.0XW

Vulnerable; migrate to 12.0(5)WC15 or later

Affected 12.1-Based Release

Rebuild

Maintenance

12.1

Vulnerable; migrate to 12.2(37)or later

12.1AA

Vulnerable; migrate to 12.2(37)or later

12.1AX

Vulnerable; for c3750-ME, migrate to 12.2(25)EY or later. For c2970 and 3750, migrate to 12.2(25)SE or later.

12.1AY

Vulnerable; migrate to 12.1(22)EA8

12.1AZ

Vulnerable; migrate to 12.1(22)EA8

12.1CX

Vulnerable; migrate to 12.2(37)or later

12.1DA

Vulnerable; migrate to 12.2(10)DA5 or later

12.1DB

Vulnerable; migrate to 12.3(4)T13 or later

12.1DC

Vulnerable; migrate to 12.3(4)T13 or later

12.1E

 

12.1(23)E

12.1EA

12.1(22)EA8

 

12.1EB

 

12.1(23)EB

12.1EC

Vulnerable; migrate to 12.3(9a)BC or later

12.1EO

12.1(19)EO6

 

12.1(20)EO3

 

12.1EU

Vulnerable; migrate to 12.2(25)EWA or later

12.1EV

Vulnerable; migrate to 12.2(26)SV1 or later

12.1EW

Vulnerable; migrate to 12.2(18)EW3 or later

12.1EX

Vulnerable; migrate to 12.1(23)E or later

12.1EY

Vulnerable; migrate to 12.1(23)E or later

12.1EZ

Vulnerable; migrate to 12.1(23)E or later

12.1T

Vulnerable; migrate to 12.2(37)or later

12.1XA

Vulnerable; migrate to 12.2(37)or later

12.1XB

Vulnerable; migrate to 12.2(37)or later

12.1XC

Vulnerable; migrate to 12.2(37)or later

12.1XD

Vulnerable; migrate to 12.2(37)or later

12.1XE

Vulnerable; migrate to 12.1(23)E or later

12.1XF

Vulnerable; migrate to 12.3(8) or later

12.1XG

Vulnerable; migrate to 12.3(8) or later

12.1XH

Vulnerable; migrate to 12.2(37)or later

12.1XI

Vulnerable; migrate to 12.2(37)or later

12.1XJ

Vulnerable; migrate to 12.3(8) or later

12.1XL

Vulnerable; migrate to 12.3(8) or later

12.1XM

Vulnerable; migrate to 12.3(8) or later

12.1XP

Vulnerable; migrate to 12.3(8) or later

12.1XQ

Vulnerable; migrate to 12.3(8) or later

12.1XR

Vulnerable; migrate to 12.3(8) or later

12.1XS

Vulnerable; migrate to 12.2(37)or later

12.1XT

Vulnerable; migrate to 12.3(8) or later

12.1XU

Vulnerable; migrate to 12.3(8) or later

12.1XV

Vulnerable; migrate to 12.3(8) or later

12.1XW

Vulnerable; migrate to 12.2(37)or later

12.1XX

Vulnerable; migrate to 12.2(37)or later

12.1XY

Vulnerable; migrate to 12.2(37)or later

12.1XZ

Vulnerable; migrate to 12.2(37)or later

12.1YA

Vulnerable; migrate to 12.3(8) or later

12.1YB

Vulnerable; migrate to 12.3(8) or later

12.1YC

Vulnerable; migrate to 12.3(8) or later

12.1YD

Vulnerable; migrate to 12.3(8) or later

12.1YE

Vulnerable; migrate to 12.3(8) or later

12.1YF

Vulnerable; migrate to 12.3(8) or later

12.1YH

Vulnerable; migrate to 12.3(8) or later

12.1YI

Vulnerable; migrate to 12.3(8) or later

12.1YJ

Vulnerable; migrate to 12.1(22)EA8

Affected 12.2-Based Release

Rebuild

Maintenance

12.2

12.2(34a)

12.2(37)

12.2B

Vulnerable; migrate to 12.3(4)T13 or later

12.2BC

Vulnerable; migrate to 12.3(9a)BC or later

12.2BW

Vulnerable; migrate to 12.3(8) or later

12.2BY

Vulnerable; migrate to 12.3(4)T13 or later

12.2BZ

Vulnerable; migrate to 12.3(7)XI8 or later

12.2CX

Vulnerable; migrate to 12.3(9a)BC or later

12.2CY

Vulnerable; migrate to 12.3(9a)BC or later

12.2CZ

Vulnerable; contact TAC

12.2DA

12.2(10)DA5

 

12.2(12)DA10

 

12.2DD

Vulnerable; migrate to 12.3(4)T13 or later

12.2DX

Vulnerable; migrate to 12.3(4)T13 or later

12.2EU

Vulnerable; migrate to 12.2(25)EWA5 or later

12.2EW

12.2(18)EW3

 

12.2(20)EW4

12.2(25)EW

12.2EWA

12.2(20)EWA4

12.2(25)EWA

12.2EX

 

12.2(25)EX

12.2EY

All 12.2EY releases are fixed

12.2EZ

All 12.2EZ releases are fixed

12.2FX

All 12.2FX releases are fixed

12.2FY

All 12.2FY releases are fixed

12.2FZ

All 12.2FZ releases are fixed

12.2IXA

All 12.2IXA releases are fixed

12.2IXB

All 12.2IXB releases are fixed

12.2IXC

All 12.2IXC releases are fixed

12.2JA

Vulnerable; migrate to 12.3(8)JA or later

12.2JK

Vulnerable; migrate to 12.4(4)T or later

12.2MB

Vulnerable; migrate to 12.2(25)SW1 or later

12.2MC

12.2(15)MC2h

12.2S

 

12.2(25)S

12.2SB

 

12.2(28)SB

12.2SBC

All 12.2SBC releases are fixed

12.2SE

 

12.2(25)SE

12.2SEA

All 12.2SEA releases are fixed

12.2SEB

All 12.2SEB releases are fixed

12.2SEC

All 12.2SEC releases are fixed

12.2SED

All 12.2SED releases are fixed

12.2SEE

All 12.2SEE releases are fixed

12.2SEF

All 12.2SEF releases are fixed

12.2SEG

All 12.2SEG releases are fixed

12.2SG

All 12.2SG releases are fixed

12.2SGA

All 12.2SGA releases are fixed

12.2SO

12.2(18)SO7

 

12.2SRA

All 12.2SRA releases are fixed

12.2SRB

All 12.2SRB releases are fixed

12.2SU

Vulnerable; migrate to 12.3(14)T or later

12.2SV

 

12.2(23)SV

12.2SW

12.2(25)SW1

 

12.2SX

Vulnerable; migrate to 12.2(17d)SXB11a or later

12.2SXA

Vulnerable; migrate to 12.2(17d)SXB11a or later

12.2SXB

12.2(17d)SXB11a

 

12.2SXD

12.2(18)SXD7a

 

12.2SXE

All 12.2SXE releases are fixed

12.2SXF

All 12.2SXF releases are fixed

12.2SY

Vulnerable; migrate to 12.2(17d)SXB11a or later

12.2SZ

Vulnerable; migrate to 12.2(25)S or later

12.2T

Vulnerable; migrate to 12.3(8) or later

12.2TPC

Vulnerable; contact TAC

12.2XA

Vulnerable; migrate to 12.3(8) or later

12.2XB

Vulnerable; migrate to 12.3(8) or later

12.2XC

Vulnerable; migrate to 12.3(8)T or later

12.2XD

Vulnerable; migrate to 12.3(8) or later

12.2XE

Vulnerable; migrate to 12.3(8) or later

12.2XF

Vulnerable; migrate to 12.3(9a)BC or later

12.2XG

Vulnerable; migrate to 12.3(8) or later

12.2XH

Vulnerable; migrate to 12.3(8) or later

12.2XI

Vulnerable; migrate to 12.3(8) or later

12.2XJ

Vulnerable; migrate to 12.3(8) or later

12.2XK

Vulnerable; migrate to 12.3(8) or later

12.2XL

Vulnerable; migrate to 12.3(8) or later

12.2XM

Vulnerable; migrate to 12.3(8) or later

12.2XN

Vulnerable; migrate to 12.3(8) or later

12.2XQ

Vulnerable; migrate to 12.3(8) or later

12.2XR

Vulnerable; migrate to 12.3(8) or later

12.2XS

Vulnerable; migrate to 12.3(8) or later

12.2XT

Vulnerable; migrate to 12.3(8) or later

12.2XU

Vulnerable; migrate to 12.3(12) or later

12.2XV

Vulnerable; migrate to 12.3(8) or later

12.2XW

Vulnerable; migrate to 12.3(8) or later

12.2YA

Vulnerable; migrate to 12.3(8) or later

12.2YB

Vulnerable; migrate to 12.3(8) or later

12.2YC

Vulnerable; migrate to 12.3(8) or later

12.2YD

Vulnerable; migrate to 12.3(8)T or later

12.2YE

Vulnerable; migrate to 12.2(25)S or later

12.2YF

Vulnerable; migrate to 12.3(8) or later

12.2YG

Vulnerable; migrate to 12.3(8) or later

12.2YH

Vulnerable; migrate to 12.3(8) or later

12.2YJ

Vulnerable; migrate to 12.3(8) or later

12.2YK

Vulnerable; migrate to 12.3(8)T or later

12.2YL

Vulnerable; migrate to 12.3(8)T or later

12.2YM

Vulnerable; migrate to 12.3(8)T or later

12.2YN

Vulnerable; migrate to 12.3(8)T or later

12.2YO

Not vulnerable

12.2YP

Vulnerable; migrate to 12.3(8) or later

12.2YQ

Vulnerable; migrate to 12.3(4)T13 or later

12.2YR

Vulnerable; migrate to 12.3(4)T13 or later

12.2YS

Vulnerable; migrate to 12.3(8)T or later

12.2YT

Vulnerable; migrate to 12.3(8) or later

12.2YU

Vulnerable; migrate to 12.3(8)T or later

12.2YV

Vulnerable; migrate to 12.3(4)T13 or later

12.2YW

Vulnerable; migrate to 12.3(8)T or later

12.2YX

Vulnerable; migrate to 12.3(14)T or later

12.2YY

Vulnerable; migrate to 12.3(4)T13 or later

12.2YZ

Vulnerable; migrate to 12.2(25)S or later

12.2ZA

Vulnerable; migrate to 12.2(17d)SXBa or later

12.2ZB

Vulnerable; migrate to 12.3(8)T or later

12.2ZC

Vulnerable; migrate to 12.3(8)T or later

12.2ZD

Vulnerable; contact TAC

12.2ZE

Vulnerable; migrate to 12.3(8) or laer

12.2ZF

Vulnerable; migrate to 12.3(4)T13 or later

12.2ZG

Vulnerable; for SOHO9x, migrate to 12.3(8)YG2 or later. For c83x, migrate to 12.3(2)XA3 or later

12.2ZH

Vulnerable; contact TAC

12.2ZJ

Vulnerable; migrate to 12.3(8)T or later

12.2ZL

Vulnerable; contact TAC

12.2ZN

Vulnerable; migrate to 12.3(4)T13 or later

12.2ZP

Vulnerable; migrate to 12.3(8)XY or later

Affected 12.3-Based Release

Rebuild

Maintenance

12.3

 

12.3(8)

12.3B

Vulnerable; migrate to 12.3(8)T7 or later

12.3BC

 

12.3(9a)BC

12.3BW

Vulnerable; migrate to 12.3(8)T or later

12.3JA

 

12.3(8)JA

12.3JEA

All 12.3JEA releases are fixed

12.3JEB

All 12.3JEA releases are fixed

12.3JK

12.3(2)JK2

12.3(8)JK

12.3JL

 

12.3(2)JL

12.3JX

12.3(7)JX6

12.3(11)JX

12.3T

12.3(4)T13

12.3(8)T

Limited platform support is available: Contact TAC

 

Please migrate to 12.4(1) or later

 

12.3TPC

12.3(4)TPC11b

 

12.3XA

12.3(2)XA6

 

12.3XB

Vulnerable; migrate to 12.3(8)T or later

12.3XC

Vulnerable; contact TAC

12.3XD

Vulnerable; migrate to 12.3(8)T7 or later

12.3XE

Vulnerable; contact TAC

12.3XF

Vulnerable; migrate to 12.3(11)T or later

12.3XG

Vulnerable; contact TAC

12.3XH

Vulnerable; migrate to 12.3(11)T or later

12.3XI

12.3(7)XI8

 

12.3XJ

Vulnerable; migrate to 12.3(8)XW or later

12.3XK

Vulnerable; migrate to 12.3(14)T or later

12.3XQ

Vulnerable; migrate to 12.4(1) or later

12.3XR

All 12.3XR releases are fixed

12.3XS

All 12.3XS releases are fixed

12.3XU

All 12.3XU releases are fixed

12.3XW

All 12.3XW releases are fixed

12.3XX

All 12.3XX releases are fixed

12.3XY

All 12.3XR releases are fixed

12.3YA

All 12.3YA releases are fixed

12.3YD

All 12.3YD releases are fixed

12.3YF

All 12.3YF releases are fixed

12.3YG

All 12.3YG releases are fixed

12.3YH

All 12.3YH releases are fixed

12.3YI

All 12.3YI releases are fixed

12.3YJ

All 12.3YJ releases are fixed

12.3YK

All 12.3YK releases are fixed

12.3YM

All 12.3YM releases are fixed

12.3YQ

All 12.3YQ releases are fixed

12.3YS

All 12.3YS releases are fixed

12.3YT

All 12.3YT releases are fixed

12.3YU

All 12.3YU releases are fixed

12.3YX

All 12.3YX releases are fixed

12.3YZ

All 12.3YZ releases are fixed

Affected 12.4-Based Release

Rebuild

Maintenance

All 12.4 releases are fixed

Cisco IOS XR Version

SMU ID

Package Installation Envelopes

3.2.2 for CRS-1

AA01482

hfr-base-3.2.2.CSCeh52410.pie

3.2.3 for CRS-1

AA01483

hfr-base-3.2.3.CSCeh52410.pie

3.2.4 for CRS-1

AA01484

hfr-base-3.2.4.CSCeh52410.pie

3.2.6 for CRS-1

AA01727

hfr-base-3.2.6.CSCeh52410.pie

3.3.x for CRS-1 and XR12000

Fixed

 

3.4.x for CRS-1 and XR12000

Fixed

 

IOS XR Package Installation Envelopes (PIE) can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/iosxr-smu?sort=release ( registered customers only) . Installation instructions are included in the accompanying .txt files.


Workarounds

Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:

http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20070124-crafted-ip-option

IP Options Selective Drop

The IP Options Selective Drop feature allows Cisco routers to mitigate the effects of IP options by dropping packets containing them or by not processing (ignoring) IP options in a packet.

The most effective workaround is using the "drop" option of this global configuration command: ip options drop. This command will drop all IP packets containing IP options that are both destined to the router itself or transiting through the router before they are processed, preventing exploitation locally and downstream.

The IP Options Selective Drop feature is available beginning in Cisco IOS software version 12.0(23)S for 12000, 12.0(32)S for 10720, and 12.3(4)T, 12.2(25)S, and 12.2(27)SBC for other hardware platforms.

Please note that deploying this command will drop legitimate packets containing IP options as well. Protocols this may impact include RSVP (used by Microsoft NetMeeting), MPLS TE, MPLS OAM, DVMRP, IGMPv3, IGMPv2, and legitimate PGM.

Note:  The ignore option of the global command ip options ignore, available only on the Cisco 12000 router beginning in 12.0(23)S, is NOT a workaround for this issue.

Additional information about IP Options Selective Drop feature is available at http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_acl_sel_drop_ps6017_TSD_Products_Configuration_Guide_Chapter.html .

Transit Access Control Lists (ACLs)

Configure an interface ACL that blocks traffic of these types:

  • Echo (Ping) ICMP type 8
  • Timestamp ICMP type 13
  • Information Request ICMP type 15
  • Address Mask Request ICMP Type 17
  • Protocol Independent Multicast (PIM) IP protocol 103
  • Pragmatic General Multicast (PGM) IP protocol 113
  • URL Rendezvous Directory (URD) TCP port 465

The Internet Control Message Protocol is an integral part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite that is used to report error conditions and provide diagnostic information. Filtering ICMP messages may impact this error condition and diagnostic reporting including "ping" and Windows traceroute which uses ICMP ping.

If the device is configured to process PIM, PGM, or URD, blocking those packets will prevent legitimate operation of the protocols.

Since the source IP address of these packets can be easily spoofed, the affected traffic should be blocked on all of the device's IPv4 interfaces.

The following ACL is specifically designed to block attack traffic and should be applied to all IPv4 interfaces of the device and should include topology-specific filters:

access-list 150 deny   icmp any any echo
access-list 150 deny   icmp any any information-request
access-list 150 deny   icmp any any timestamp-request
access-list 150 deny   icmp any any mask-request
access-list 150 deny   tcp any any eq 465 
access-list 150 deny   103 any any
access-list 150 deny   113 any any
access-list 150 permit ip any any

interface serial 2/0 
 ip access-group 150 in

These ACL statements should be deployed at the network edge as part of a transit access list which will protect the router where the ACL is configured as well as other devices behind it. Further information about transit ACLs is available in the white paper "Transit Access Control Lists: Filtering at Your Edge", available at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml.

The following Cisco IOS XR ACL is specifically designed to block attack traffic and should be applied to all IPv4 interfaces of the device and should include topology-specific filters:

ipv4 access-list ios-xr-transit-acl
 10 deny   icmp any any echo
 20 deny   icmp any any information-request
 30 deny   icmp any any timestamp-request
 40 deny   icmp any any mask-request
 50 deny   tcp any any eq 465 
 60 deny   103 any any
 70 deny   113 any any
 80 permit ip any any

interface POS 0/2/0/
  ipv4 access-group ios-xr-transit-acl ingress

Information about configuring access lists on Cisco IOS XR is available at http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.2/addr_serv/command/reference/ir32acl.html.

Infrastructure ACLs

Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The ACL example shown below should be included as part of the deployed infrastructure access list which will protect all devices with IP addresses in the infrastructure IP address range.

Cisco IOS

access-list 150 deny   icmp any INFRASTRUCTURE_ADDRESSES echo
access-list 150 deny   icmp any INFRASTRUCTURE_ADDRESSES information-request
access-list 150 deny   icmp any INFRASTRUCTURE_ADDRESSES timestamp-request
access-list 150 deny   icmp any INFRASTRUCTURE_ADDRESSES mask-request
access-list 150 deny   tcp any INFRASTRUCTURE_ADDRESSES  eq 465 
access-list 150 deny   103 any INFRASTRUCTURE_ADDRESSES 
access-list 150 deny   113 any INFRASTRUCTURE_ADDRESSES 
access-list 150 permit ip any any

interface serial 2/0
 ip access-group 150 in

Cisco IOS XR

ipv4 access-list ios-xr-infrastructure-acl
 10 deny   icmp any INFRASTRUCTURE_ADDRESSES  echo
 20 deny   icmp any INFRASTRUCTURE_ADDRESSES  information-request
 30 deny   icmp any INFRASTRUCTURE_ADDRESSES  timestamp-request
 40 deny   icmp any INFRASTRUCTURE_ADDRESSES  mask-request
 50 deny   tcp any INFRASTRUCTURE_ADDRESSES  eq 465
 60 deny   103 any INFRASTRUCTURE_ADDRESSES 
 70 deny   113 any INFRASTRUCTURE_ADDRESSES 
 80 permit ip any any

interface POS 0/2/0/2
  ipv4 access-group ios-xr-infrastructure-acl ingress

The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists and is available at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml.

Information about configuring access lists on Cisco IOS XR is available at http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.2/addr_serv/command/reference/ir32acl.html.

Receive ACLs

For distributed platforms, receive ACLs may be an option starting in Cisco IOS Software Versions 12.0(21)S2 for the 12000 (GSR), 12.0(24)S for the 7500, and 12.0(31)S for the 10720. The receive ACL protects the device from harmful traffic before the traffic can impact the route processor. A receive ACL is designed to protect only the device on which it is configured. On the 12000, 7500, and 10720, transit traffic is never affected by a receive ACL. Because of this, the destination IP address "any" used in the example ACL entries below only refer to the router's own physical or virtual IP addresses. Receive ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability.

The white paper entitled "GSR: Receive Access Control Lists" will help you identify and allow legitimate traffic to your device and deny all unwanted packets and is available at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a0a5e.shtml

The following receive path ACL is designed specifically to block this attack traffic:

access-list 101 deny   icmp any any echo
access-list 101 deny   icmp any any information-request
access-list 101 deny   icmp any any timestamp-request
access-list 101 deny   icmp any any mask-request
access-list 101 deny   tcp any any eq 465 
access-list 101 deny   103 any any
access-list 101 deny   113 any any
access-list 101 permit ip any any
!
ip receive access-list 101

Control Plane Policing

The Control Plane Policing (CoPP) feature may be used to mitigate this vulnerability. In the following example, any packets that can exploit the vulnerability are denied while all other IP traffic is permitted. Because of the way routers process packets with IP options, CoPP will be applied to attack packets destined for the router itself and packets transiting through the router to other destination IP addresses. This applies to all platforms except the 12000 where only attack packets destined for the router itself will be dropped.

access-list 100 permit icmp any any echo
access-list 100 permit icmp any any information-request
access-list 100 permit icmp any any timestamp-request
access-list 100 permit icmp any any mask-request
access-list 100 permit tcp any any eq 465 
access-list 100 permit 103 any any
access-list 100 permit 113 any any
access-list 100 deny   ip any any
!
class-map match-all drop-options-class
 match access-group 100
!
!
policy-map drop-options-policy
 class drop-options-class
   drop
!     
control-plane
 service-policy input drop-options-policy

Please note that in the 12.0S, 12.2S, and 12.2SX Cisco IOS trains, the policy-map syntax is different:

policy-map drop-options-policy
 class drop-options-class
 police 32000 1500 1500 conform-action drop exceed-action drop

Because of the way routers process packets with IP options, CoPP will be applied to attack packets destined for the router itself and packets transiting through the router to other destination IP addresses. In the following example, only packets with IP options that can exploit the vulnerability and that are destined for the router or that transit through the router are denied while all other IP traffic is permitted.

ip access-list extended drop-affected-options
 permit icmp any any echo option any-options
 permit icmp any any information-request option any-options
 permit icmp any any timestamp-request option any-options
 permit icmp any any mask-request option any-options
 permit pim any any option any-options
 permit 113 any any option any-options
 permit tcp any any eq 465 option any-options
 deny ip any any
!
class-map match-all drop-options-class
 match access-group name drop-affected-options
!
!
policy-map drop-opt-policy
 class drop-options-class 
  drop
!
control-plane
 service-policy input drop-opt-policy

Please note that in the 12.2S Cisco IOS train, the policy-map syntax is different:

policy-map drop-opt-policy
 class drop-options-class
  police 32000 1500 1500 conform-action drop exceed-action drop

CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T.

ACL support for filtering IP options requires named ACLs. ACL support for filtering IP options is not available in 12.0S or 12.2SX.

Please note that PGM packets typically use the "Router Alert" Option, and dropping PGM packets with IP options will affect legitimate PGM packets.

In the above CoPP examples, the ACL entries that match the exploit packets with the "permit" action result in these packets being discarded by the policy-map drop function, while packets that match the "deny" action are not affected by the policy-map drop function.

Additional information on the configuration and use of the CoPP feature can be found at http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html and http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html.

Additional information for filtering IP Options with access lists can be found at http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_create_IP_al_ps6350_TSD_Products_Configuration_Guide_Chapter.html.

Obtaining Fixed Software

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html , or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml .

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers Using Third-Party Support Organizations

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers Without Service Contracts

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  • +1 800 553 2447 (toll free from within North America)
  • +1 408 526 7209 (toll call from anywhere in the world)
  • e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements

In December of 2008, FX of Phenoelit delivered a presentation at the Chaos Communication Congress entitled 'Cisco IOS attack and defense,' during which he asserted he had devised an exploit that takes advantage of this vulnerability. No new vulnerabilities were disclosed during FX's presentation at the 2008 Chaos Communication Congress.

http://events.ccc.de/congress/2008/Fahrplan/events/2816.en.html

Cisco is not aware of any malicious exploitation of this vulnerability.

Status of This Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This advisory is posted on Cisco's worldwide website at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070124-crafted-ip-option

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  • cust-security-announce@cisco.com
  • first-teams@first.org
  • bugtraq@securityfocus.com
  • vulnwatch@vulnwatch.org
  • cisco@spot.colorado.edu
  • cisco-nsp@puck.nether.net
  • full-disclosure@lists.grok.org.uk
  • comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.


Revision History

Revision 1.5

2009-January-09

Updated the Exploitation and Public Announcements section to reflect information learned at the Dec 2008 Chaos Communication Conference

Revision 1.4

2007-April-22

Updates to the the Workarounds > Receive ACLs section. Updated 12.1EO and 12.2BC entries in the Software Version and Fixes table and added new entry 12.3JL.

Revision 1.3

2007-February-02

Updated 12.0W and 12.1EO entries in the Software Version and Fixes table.

Revision 1.2

2007-January-27

Updated Cisco IOS software table.

Revision 1.1

2007-January-25

In the Software Version and Fixes section, added Package Installation Envelopes information to the Cisco IOS XR Version table.

Revision 1.0

2007-January-24

Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.


Download this document (PDF)
View Printable Version