Cisco Security Advisory

Multiple Vulnerabilities in Cisco Intrusion Prevention System Software

Advisory ID: cisco-sa-20130717-ips

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130717-ips

Revision 1.0

For Public Release 2013 July 17 16:00  UTC (GMT)

Related Resources:

View related Applied Mitigation Bulletin

Summary

Cisco Intrusion Prevention System (IPS) Software is affected by the following vulnerabilities:

  • Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability
  • Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability
  • Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability
  • Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability

The Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the MainApp process to become unresponsive.

The Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive due to memory corruption or could cause the reload of the affected system.

The Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause a reload of a Cisco Intrusion Prevention System Network Module Enhanced (IPS NME).

The Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the kernel of the Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module to become unresponsive.

Successful exploitation of any of these vulnerabilities could result in a denial of service (DoS) condition.

Cisco has released free software updates that address all the vulnerabilities in this advisory with the exception of the Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability. Customers running a vulnerable version of the Cisco IDSM-2 Module should refer to the "Workarounds" section of this advisory for available mitigations.

Workarounds that mitigate the Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability and Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130717-ips

Affected Products

Vulnerable Products

Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability

The following products are affected by the Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability:
  • Cisco ASA 5500-X Series IPS Security Services Processor (IPS SSP) software and hardware modules running Cisco IPS Software 7.1 through version 7.1(4)E4
  • Cisco IPS 4500 Series Sensors running Cisco IPS Software version 7.1(4)E4
  • Cisco IPS 4300 Series Sensors running Cisco IPS Software versions 7.1(3)E4 and 7.1(4)E4
Note: This vulnerability affects only products running Cisco IPS Software version 7.1. Products running Cisco IPS Software version 7.0 and earlier are not affected.

Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability

The following products are affected by the Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability:
  • Cisco ASA 5500-X Series (IPS SSP) software modules running Cisco IPS Software versions 7.1(4)E4 through 7.1(7)E4
Note: The Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability affects only the Cisco ASA 5500-X Series IPS SSP software module; Cisco IPS SSP hardware modules for the Cisco ASA 5585-X are not affected by this vulnerability.

Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability

The following product is affected by the Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability:
  • Cisco Intrusion Prevention System Network Module Enhanced (IPS NME)

Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability

The following product is affected by the Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability:
  • Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module

How to Determine the Running Software Version

To determine whether a vulnerable version of Cisco IPS Software is running on an appliance, administrators can issue the show version command. The following example shows a Cisco IPS 4345 that is running software version 7.1(3)E4:
sensor# show version
Application Partition:

Cisco Intrusion Prevention System, Version 7.1(3)E4

Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S605.0        2011-10-25
OS Version:             2.6.29.1
Platform:               IPS-4345-K9
Customers who use Cisco Intrusion Prevention System Device Manager (IDM) to manage devices can locate the software version in the table that is displayed in the login window or top left corner of the Cisco IDM window.
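The following script is an added example, not Cisco's own code, that automates the version check described above: it parses the release string and platform out of show version output and compares the release against the affected ranges listed in this advisory. Release strings such as 7.1(7p1)E4 are ordered as (major, minor, maintenance, patch), so 7.1(7p1)E4 sorts after 7.1(7)E4. The mapping from platform string prefixes to product families ("IPS-43" for 4300 Series sensors, "IPS-45" for 4500 Series sensors) is an assumption derived from the sample platform IPS-4345-K9; the key used for the ASA 5500-X IPS SSP software module is a placeholder because the advisory does not show that module's show version output.

```python
import re

# Matches Cisco IPS release strings such as 7.1(3)E4 or 7.1(7p1)E4.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:p(\d+))?\)E(\d+)")


def parse_ips_version(text):
    """Return (major, minor, maintenance, patch) for the first release string in text.

    The engine level (E4) is captured but not used for ordering.
    """
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no Cisco IPS release string found")
    major, minor, maint, patch, _engine = m.groups()
    return (int(major), int(minor), int(maint), int(patch or 0))


# Inclusive affected ranges copied from the advisory's "Vulnerable Products" and
# "Software Versions and Fixes" sections. Platform prefixes are an assumption
# based on the sample platform string IPS-4345-K9; "ASA5500X-SSP-SW-PLACEHOLDER"
# is a placeholder, not a real platform string.
AFFECTED_RANGES = {
    "IPS-43": [("CSCtx18596", (7, 1, 3, 0), (7, 1, 4, 0))],   # 7.1(3)E4 and 7.1(4)E4
    "IPS-45": [("CSCtx18596", (7, 1, 4, 0), (7, 1, 4, 0))],   # 7.1(4)E4 only
    "ASA5500X-SSP-SW-PLACEHOLDER": [
        ("CSCtx18596", (7, 1, 0, 0), (7, 1, 4, 0)),            # 7.1 through 7.1(4)E4
        ("CSCue51272", (7, 1, 4, 0), (7, 1, 7, 0)),            # 7.1(4)E4 through 7.1(7)E4
    ],
}


def affected_bugs(show_version_output):
    """Return the advisory bug IDs whose affected range covers the running release."""
    version = parse_ips_version(show_version_output)
    platform_match = re.search(r"^Platform:\s+(\S+)", show_version_output, re.MULTILINE)
    if platform_match is None:
        raise ValueError("no Platform line found")
    platform = platform_match.group(1)
    hits = []
    for prefix, ranges in AFFECTED_RANGES.items():
        if platform.startswith(prefix):
            for bug_id, low, high in ranges:
                if low <= version <= high:
                    hits.append(bug_id)
    return hits


# Sample input constructed from the show version example in this advisory.
SAMPLE_SHOW_VERSION = """\
Application Partition:

Cisco Intrusion Prevention System, Version 7.1(3)E4

Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S605.0        2011-10-25
OS Version:             2.6.29.1
Platform:               IPS-4345-K9
"""

if __name__ == "__main__":
    print(parse_ips_version(SAMPLE_SHOW_VERSION))  # (7, 1, 3, 0)
    print(affected_bugs(SAMPLE_SHOW_VERSION))      # ['CSCtx18596']
```

Feeding the advisory's own sample output to affected_bugs reports CSCtx18596, matching the 4300 Series entry in the Vulnerable Products section; the same sensor on 7.1(7)E4 reports nothing.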

Products Confirmed Not Vulnerable

The following products are not affected by the vulnerabilities described in this advisory:
  • Cisco IOS IPS
  • Cisco IPS 4200 Series Sensors
  • Cisco Intrusion Prevention System Advanced Integration Module (IPS AIM)
  • Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Card (AIP SSC)
  • Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Module (AIP SSM)
No other Cisco products are currently known to be affected by these vulnerabilities.

Details

Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability

The Cisco IPS is a family of network security devices that provide network-based threat prevention services. Cisco IPS Software includes several applications that the system uses to run different tasks. In particular, the MainApp process is responsible for multiple critical tasks, including reading the configuration, starting and stopping applications, and the authentication service.

Additional information about the MainApp process is in the "System Architecture" section of the product configuration guide:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idm_system_architecture.html#wp1126061

A vulnerability in the IP stack could allow an unauthenticated, remote attacker to cause the MainApp process to become unresponsive. This creates a denial of service (DoS) condition because the Cisco IPS sensor is not able to execute several critical tasks including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive. Additionally, due to this general system failure, other processes such as the Analysis Engine may not work properly. The vulnerability is due to improper handling of malformed IP packets from the management interface of the affected system. An attacker may exploit this vulnerability by sending malformed IP packets to the management interface.

The vulnerability can be triggered only by IPv4 traffic directed to the management interface. Traffic passing through the sensing interfaces will not trigger this vulnerability. If the Cisco IPS is configured in promiscuous mode, mitigation actions that require MainApp processing such as shun or rate-limit may be unavailable. If the Cisco IPS is configured in inline mode, the sensor may not correctly perform inspection and mitigation actions because the Analysis Engine process may not be working properly.

This vulnerability is documented in Cisco bug ID CSCtx18596 (registered customers only) and Common Vulnerabilities and Exposures (CVE) ID CVE-2013-1243.

Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability

Cisco IPS SSP is an integrated module running on Cisco ASA 5500-X Series. The module could be deployed in hardware for the Cisco ASA 5585-X, or as an integrated software module for the Cisco ASA 5512-X, Cisco ASA 5515-X, Cisco ASA 5525-X, Cisco ASA 5545-X, and Cisco ASA 5555-X Series.

Cisco IPS Software running on the ASA 5500-X IPS SSP processes only traffic that it receives from the Cisco ASA. Cisco ASA needs to be configured with Modular Policy Framework (MPF) to redirect specific traffic to the Cisco IPS Software.

A vulnerability in the implementation of the code that processes fragmented traffic could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive or cause the affected system to reload.

The vulnerability is due to improper handling of fragmented IP packets sent from the Cisco ASA data plane to the Cisco IPS processor for inspection and processing. An attacker could exploit this vulnerability by sending a combination of fragmented and other IP packets through the affected system. An exploit could allow the attacker to cause a reload of the affected system or cause the Analysis Engine process to become unresponsive. When the Analysis Engine process is unresponsive, the affected system will not process traffic, which will cause that traffic to be dropped. Additionally, if the Cisco ASA with a Cisco IPS SSP software module running an affected version of software is configured in High-Availability mode (HA), a failover event may be triggered when the Cisco IPS SSP reloads or stops forwarding traffic.

The vulnerability can be triggered by IPv4 and IPv6 fragmented packets passing through the affected system. Traffic directed to the management IP address of the Cisco IPS software module will not trigger this vulnerability.

Note: This vulnerability affects only the Cisco ASA 5500-X Series IPS SSP software module. Cisco IPS SSP hardware modules supported on the Cisco ASA5585-X Series are not affected by this vulnerability.

This vulnerability is documented in Cisco bug ID CSCue51272 (registered customers only) and has been assigned CVE ID CVE-2013-1218.

Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability

A vulnerability in the memory allocation code could allow an unauthenticated, remote attacker to cause a reload of the affected system. The vulnerability is due to improper handling of memory allocation when malformed IP packets are received on the management interface of the affected system. An attacker may exploit this vulnerability by sending malformed IP packets to the management IP address.

The vulnerability can be triggered only by IPv4 traffic directed to the management interface. Traffic passing through the sensing interfaces will not trigger this vulnerability.

This vulnerability affects only Cisco IPS Software running on Cisco IPS NME.

This vulnerability is documented in Cisco bug ID CSCua61977 (registered customers only) and has been assigned CVE ID CVE-2013-3410.

Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability

A vulnerability in the IDSM-2 drivers could allow an unauthenticated, remote attacker to cause the system kernel to become unresponsive. This creates a denial of service (DoS) condition because the Cisco IPS sensor is not able to execute several critical tasks, including alert notification, event store management, sensor authentication, and traffic inspection. The Cisco IPS web server will also be unavailable.

The vulnerability is due to improper handling of malformed TCP packets from the management interface of the affected system. An attacker may exploit this vulnerability by sending malformed IP packets to the management interface. A TCP three-way handshake is not required to exploit this vulnerability. A hard system reboot is needed to restore the functionality of the system.

The vulnerability can be triggered only by IPv4 traffic directed to the management interface. Traffic passing through the sensing interfaces will not trigger this vulnerability.

This vulnerability affects only Cisco IPS Software running on Cisco IDSM-2 Module.

This vulnerability is documented in Cisco bug ID CSCuh27460 (registered customers only) and has been assigned CVE ID CVE-2013-3411.

Vulnerability Scoring Details

Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss

CSCtx18596 - Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability

CVSS Base Score - 7.8
  Access Vector:          Network
  Access Complexity:      Low
  Authentication:         None
  Confidentiality Impact: None
  Integrity Impact:       None
  Availability Impact:    Complete

CVSS Temporal Score - 6.4
  Exploitability:    Functional
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

CSCue51272 - Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability

CVSS Base Score - 7.8
  Access Vector:          Network
  Access Complexity:      Low
  Authentication:         None
  Confidentiality Impact: None
  Integrity Impact:       None
  Availability Impact:    Complete

CVSS Temporal Score - 6.4
  Exploitability:    Functional
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

CSCua61977 - Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability

CVSS Base Score - 7.8
  Access Vector:          Network
  Access Complexity:      Low
  Authentication:         None
  Confidentiality Impact: None
  Integrity Impact:       None
  Availability Impact:    Complete

CVSS Temporal Score - 6.4
  Exploitability:    Functional
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

CSCuh27460 - Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability

CVSS Base Score - 7.8
  Access Vector:          Network
  Access Complexity:      Low
  Authentication:         None
  Confidentiality Impact: None
  Integrity Impact:       None
  Availability Impact:    Complete

CVSS Temporal Score - 7.0
  Exploitability:    Functional
  Remediation Level: Workaround
  Report Confidence: Confirmed

Impact

Successful exploitation of the Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability may allow a remote, unauthenticated attacker to cause the MainApp process to become unresponsive and prevent it from executing several tasks including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive, and other processes such as the Analysis Engine process may not work properly.

If the Cisco IPS is configured in promiscuous mode, mitigation actions that require MainApp processing, such as shun or rate-limit, may be unavailable. If the Cisco IPS is configured in inline mode, the sensor may not be able to correctly perform inspection and mitigation actions because the Analysis Engine process may not be working properly. A hard system reload is required to restore the full functionality of the affected system.

Successful exploitation of the Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability may allow a remote, unauthenticated attacker to cause a reload of the affected system, or cause the Analysis Engine process to become unresponsive. When the Analysis Engine process is unresponsive, the affected system will not process traffic, which will cause that traffic to be dropped. Additionally, if the Cisco ASA with a Cisco IPS SSP software module running an affected version of software is configured in HA mode, a fail-over event may be triggered when the Cisco IPS SSP reloads or stops forwarding traffic.

Successful exploitation of the Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability may allow a remote, unauthenticated attacker to cause a reload of a Cisco IPS NME.

Successful exploitation of the Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability may allow a remote, unauthenticated attacker to cause the kernel of the Cisco IDSM-2 Module to become unresponsive, which will create general system instability. This will prevent the affected system from executing several tasks, including alert notification, event store management, sensor authentication, and traffic inspection and mitigation. The Cisco IPS web server will also be unavailable and the system will be unreachable for remote management.

Software Versions and Fixes

Cisco has released free software updates that address all the vulnerabilities in this advisory with the exception of the Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability. Customers running a vulnerable version of Cisco IDSM-2 module should refer to the "Workarounds" section of this advisory for available mitigations.

Recommended Releases

The following table lists the recommended Cisco IPS Software releases that correct all the vulnerabilities described in this security advisory:

Products                                            Recommended
Cisco ASA 5500-X Series IPS SSP software modules    7.1(7p1)E4 and higher
Cisco ASA 5585-X Series IPS SSP hardware modules    7.1(7)E4 and higher
Cisco IPS 4500 Series Sensors                       7.1(7)E4 and higher
Cisco IPS 4300 Series Sensors                       7.1(7)E4 and higher
Cisco IPS NME                                       7.0(9)E4 and higher
Cisco IDSM-2                                        No available releases - See "Workarounds" section for available mitigations

The following tables list the first fixed releases that contain the fixes for individual vulnerabilities in this advisory for each of the affected products. Note that this information is provided for completeness only because different vulnerabilities have different first-fixed releases. Refer to the previous table for releases that have fixes for all vulnerabilities in this advisory.

Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability

The following table lists the fixed releases for the Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability for each of the affected products:

Products                                                        Affected Releases        Resolved In
Cisco ASA 5500-X Series IPS SSP software and hardware modules   7.1(x)E4                 7.1(5)E4
Cisco IPS 4500 Series Sensors                                   7.1(4)E4                 7.1(6)E4
Cisco IPS 4300 Series Sensors                                   7.1(3)E4 and 7.1(4)E4    7.1(5)E4

Note: Cisco IPS Software release 7.1(5)E4 is not available for download anymore due to instability issues.

Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability

The following table lists the fixed releases for the Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability for each of the affected products:

Products                                            Affected Releases            Resolved In
Cisco ASA 5500-X Series IPS SSP software modules    7.1(4)E4 through 7.1(7)E4    7.1(7p1)E4

Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability

The following table lists the fixed releases for the Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability for each of the affected products:

Products                                                              Affected Releases    Resolved In
Cisco Intrusion Prevention System Network Module Enhanced (IPS NME)   All                  7.0(9)E4

When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Workarounds

Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability and Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability

There are no workarounds to mitigate this vulnerability.

Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability

If an exploit of this vulnerability is causing traffic interruption, administrators can remove the Modular Policy Framework (MPF) configuration on the Cisco ASA that is used to direct the user traffic toward the Cisco IPS SSP. This change will cause all user traffic to bypass Cisco IPS SSP module inspection and allow it to pass through the Cisco ASA.

The following example shows how to disable the redirecting of web traffic to the Cisco IPS Software module from the Cisco ASA firewall:
ASA(config)# class-map ips_traffic
ASA(config-cmap)# match any
ASA(config)# policy-map ips_traffic_policy
ASA(config-pmap)# class ips_traffic
ASA(config-pmap-c)# no ips inline|promiscuous
Note: Configuring IPS bypass with the command fail-open or fail-close will not have any effect on the Cisco IPS software module for the Cisco ASA.

If the IPS is running in promiscuous mode, as a mitigation, fragmented traffic can be disabled for IPS processing.

The following example shows how to disable fragmented traffic on the Cisco IPS software module:
sensor# conf t
sensor(config)# ser sig sig0
sensor(config-sig)# sig 1200 0
sensor(config-sig-sig)# engine normalizer
sensor(config-sig-sig-nor)# edit-default-sigs-only default-signatures-only
sensor(config-sig-sig-nor-def)# specify-max-fragments yes
sensor(config-sig-sig-nor-def-yes)# max-fragments 0
sensor(config-sig-sig-nor-def-yes)# exit
sensor(config-sig-sig-nor-def)# exit
sensor(config-sig-sig-nor)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]: yes
This change requires a Cisco IPS software module reload.

Note: This change will cause all non-TCP fragments to pass uninspected.

Alternatively, fragmented traffic can be disallowed on the Cisco ASA firewall. This will cause the Cisco ASA firewall not to accept any fragments on its interfaces. Consequently, the Cisco ASA will not send any fragments to the Cisco IPS software module for inspection.

The following example shows how to disable fragmented traffic on the Cisco ASA firewall:
ASA(config)# fragment chain 1 
Note: The preceding example will disable fragments on all the Cisco ASA interfaces.

Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability

There is no workaround for this vulnerability; however, the Cisco IDSM-2 Module administrator should limit the number of hosts (IP addresses) allowed to connect to the management interface of the system.

To restrict the allowed hosts, the administrator should use the access-list command. The no access-list command removes hosts or networks from the list.
The following example shows the sequence of commands to remove access for the full 192.168.1.0/24 network and allow access only to the host with IP address 192.168.1.1:
  • Use the show settings command in network-setting configuration mode to see the currently allowed hosts or networks. The following example shows that the Cisco IDSM-2 is configured to allow all the hosts in the 192.168.1.0/24 network:
sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
[...]
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 192.168.1.0/24
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   [...]
  • Use the access-list command in network-setting configuration mode to add the 192.168.1.1 host. If this is the only allowed host, make sure it is also the one from which you are executing the configuration, to avoid losing connectivity to the Cisco IDSM-2 Module.
sensor(config-hos-net)# access-list 192.168.1.1/32
  • Use the no access-list command in network-setting configuration mode to remove the 192.168.1.0/24 network from the allowed hosts list.
sensor(config-hos-net)# no access-list 192.168.1.0/24
  • Use the show settings command in network-setting configuration mode to check that the list of allowed hosts is correct:
sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
[...]
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 192.168.1.1/32
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   [...]
  • Exit and apply the configuration:
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
Note: Internal tests performed by Cisco have shown that this vulnerability cannot be exploited if the total number of hosts allowed is less than or equal to 254 hosts. Administrators who cannot reduce the number of allowed hosts to the number indicated in this advisory should contact Cisco Technical Assistance Center for additional support.
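The following script is an added example, not Cisco's code, that turns the Note above into a check an administrator can run against saved show settings output: it collects the network-address entries of the access-list, collapses overlapping prefixes so nothing is counted twice, and compares the total against the 254-host figure from the advisory. The counting is deliberately conservative and is a design choice of this example, not a statement from the advisory: every address in a listed prefix counts as an allowed host, so a /24 counts as 256 and a /32 as 1. The two sample outputs are constructed from the before and after listings shown in the workaround steps.

```python
import re
import ipaddress

# Threshold from the advisory's Note: Cisco's internal tests showed the IDSM-2
# vulnerability could not be exploited when the allowed-host total is <= 254.
MAX_SAFE_ALLOWED_HOSTS = 254


def parse_allowed_networks(show_settings_output):
    """Collect the access-list network-address entries from show settings output."""
    prefixes = re.findall(r"network-address:\s+(\S+)", show_settings_output)
    # strict=False tolerates entries whose host bits are set (e.g. 192.168.1.1/24).
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def count_allowed_hosts(networks):
    """Count distinct addresses covered by the allowed networks.

    Overlapping and adjacent prefixes are collapsed per address family first so
    that an address listed twice is counted once. Every address in a prefix is
    treated as an allowed host (conservative: a /24 counts as 256).
    """
    total = 0
    for version in (4, 6):
        same_family = [n for n in networks if n.version == version]
        total += sum(n.num_addresses for n in ipaddress.collapse_addresses(same_family))
    return total


def within_advisory_threshold(show_settings_output):
    """True when the allowed-host total does not exceed the advisory's 254-host figure."""
    return count_allowed_hosts(parse_allowed_networks(show_settings_output)) <= MAX_SAFE_ALLOWED_HOSTS


# Constructed from the "before" show settings listing in the workaround steps.
BEFORE = """\
   network-settings
   -----------------------------------------------
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 192.168.1.0/24
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
"""

# Constructed from the "after" listing, once only the single host remains.
AFTER = BEFORE.replace("192.168.1.0/24", "192.168.1.1/32")

if __name__ == "__main__":
    for label, output in (("before", BEFORE), ("after", AFTER)):
        hosts = count_allowed_hosts(parse_allowed_networks(output))
        print(f"{label}: {hosts} allowed host(s), within threshold: {within_advisory_threshold(output)}")
```

The before listing counts 256 addresses and fails the check; after the /24 is replaced by the single /32 host the count is 1. Because prefixes are collapsed, listing both 192.168.1.0/25 and 192.168.1.0/24 still counts as 256, not 384.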

Additional mitigation information for the vulnerabilities described in this advisory is available in the companion Applied Mitigation Bulletin (AMB) at the following location:
http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=29271

Obtaining Fixed Software

Cisco has released free software updates that address the vulnerabilities described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html.

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Navigator on Cisco.com at http://www.cisco.com/cisco/software/navigator.html.

Customers Using Third-Party Support Organizations

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
  • +1 800 553 2447 (toll free from within North America)
  • +1 408 526 7209 (toll call from anywhere in the world)
  • e-mail: tac@cisco.com
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

The Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability, Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability, and Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability were discovered during internal testing.

The Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability was discovered during resolution of support cases.

Status of This Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This advisory is posted on Cisco Security at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130717-ips

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:
  • cust-security-announce@cisco.com
  • first-bulletins@lists.first.org
  • bugtraq@securityfocus.com
  • vulnwatch@vulnwatch.org
  • cisco@spot.colorado.edu
  • cisco-nsp@puck.nether.net
  • full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.

Revision History

Revision 1.0 2013-July-17 Initial public release.

Cisco Security Procedures

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.