Security Intelligence Operations - Cisco Systems


Cisco IOS IPS Feature SERVICE.DNS Signature Engine Network Traffic Handling Denial of Service Vulnerability

 
Vulnerability Alert
Powered by Cisco Security IntelliShield Alert Manager

Threat Type: Unintended Weakness: Denial of Service
IntelliShield ID: 16656
Version: 1
First Published: September 24, 2008 01:21 PM EDT
Last Published: September 24, 2008 01:21 PM EDT
Vector: Network
Authentication: None
Exploit: Functional
Port: Not Available
CVE: CVE-2008-2739
BugTraq ID: 31364

Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
CVSS Base: 7.8 (CVSS Version 2)
CVSS Temporal: 6.4
 
Version Summary:

Cisco IOS devices that are configured with the Cisco IOS Intrusion Prevention System feature contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updated software is available.

 
 
Description

Cisco IOS devices that are configured with the Cisco IOS Intrusion Prevention System (IPS) feature contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability only affects Cisco IOS devices running the IPS feature.

The vulnerability exists due to an unspecified error within the handling of certain IPS signatures. An attacker could exploit this vulnerability via crafted network traffic that triggers certain IPS signatures. An exploit could cause a crash of the Cisco IOS device, resulting in a DoS condition.

Exploit code is available.

Cisco has confirmed this vulnerability in a security advisory and released updated software.

 
Warning Indicators

The following Cisco IOS software versions that are configured with the Cisco IOS IPS feature are vulnerable:

12.3T
12.3XL
12.3XQ
12.3XR
12.3XS
12.3XX
12.3YA
12.3YD
12.3YG
12.3YH
12.3YI
12.3YK
12.3YM
12.3YS
12.3YT
12.3YZ
12.3ZA
12.4
12.4MR
12.4T
12.4XA
12.4XC
12.4XD
12.4XE
12.4XF
12.4XJ
12.4XK
12.4XT
12.4XV 
12.4XW
12.4XY
12.4XZ
12.4YA

 
IntelliShield Analysis

Few details regarding what type of network traffic can exploit this vulnerability are publicly available. Successful exploitation could allow an attacker to cause the Cisco IOS device to crash or possibly hang, resulting in a DoS condition.

Only devices that are configured with the Cisco IOS IPS feature are vulnerable.

Cisco indicated through CVSS scoring the existence of functional exploit code; however, this exploit code is not known to be publicly available.

 
Vendor Announcements

Cisco has released a security advisory for Cisco bug ID CSCsq13348 at the following link: cisco-sa-20080924-iosips

 
Impact

An unauthenticated, remote attacker could exploit this vulnerability to cause a crash of the Cisco IOS device or cause it to hang, resulting in a DoS condition.

 
Technical Information

The vulnerability affects devices running the Cisco IOS IPS feature and exists due to an error when handling certain network traffic that triggers certain IPS signatures on the SERVICE.DNS signature engine. An unauthenticated, remote attacker could exploit this vulnerability by submitting such network traffic that triggers the IPS signatures on the SERVICE.DNS signature engine to cause the device to crash or hang, resulting in a DoS condition.

 
Safeguards

Administrators are advised to apply the appropriate updates.

Administrators are advised to implement access control lists (ACLs) on each Cisco IOS IPS policy that is configured on the affected device to ensure that network traffic on ports 53 TCP and UDP is not inspected by the IPS feature.

Administrators are advised to monitor critical systems for service failures.
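
To verify the ACL safeguard above across saved configurations, the following added example (not from Cisco or this alert) reports which IOS IPS policies still inspect port 53 traffic. It assumes numbered extended ACLs attached with `ip ips name <policy> list <acl>`, where traffic denied by the ACL is skipped by the IPS; the policy names, ACL numbers and sample configuration are constructed.

```python
import re

# Constructed running-config excerpt; policy names and ACL numbers are made up.
SAMPLE_CONFIG = """\
ip ips name BRANCH-IPS list 177
ip ips name LAB-IPS
ip ips name DMZ-IPS list 178
!
access-list 177 deny udp any any eq domain
access-list 177 deny tcp any any eq domain
access-list 177 permit ip any any
access-list 178 deny udp any any eq 53
access-list 178 permit ip any any
"""

POLICY_RE = re.compile(r"^ip ips name (\S+)(?: list (\S+))?\s*$")
ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.*)$")
PORT53_RE = re.compile(r"\beq (?:domain|53)\b")


def audit_ips_policies(config):
    """Map each IOS IPS policy name to the port-53 protocols it still inspects."""
    policies, acls = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := POLICY_RE.match(line):
            policies[m.group(1)] = m.group(2)  # None when no ACL is attached
        elif m := ACE_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    report = {}
    for name, acl in policies.items():
        excluded = set()
        for action, proto, rest in acls.get(acl, []):
            if action == "permit":
                break  # conservative: denies after a permit are not credited
            if proto in ("tcp", "udp") and PORT53_RE.search(rest):
                excluded.add(proto)
        report[name] = sorted({"tcp", "udp"} - excluded)
    return report


if __name__ == "__main__":
    for policy, inspected in audit_ips_policies(SAMPLE_CONFIG).items():
        status = "OK" if not inspected else "port 53 still inspected: " + ",".join(inspected)
        print(f"{policy}: {status}")
```

A policy with an empty result excludes both TCP and UDP port 53 from inspection; any other result names the protocols that still reach the SERVICE.DNS engine.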

 
Patches/Software

Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at tac@cisco.com.

 
Alert History
 

Initial Release



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Cisco IOS 12.3T Base | 12.3XL Base | 12.3XQ Base | 12.3XR Base | 12.3XS Base | 12.3XX Base | 12.3YA Base | 12.3YD Base | 12.3YG Base | 12.3YH Base | 12.3YI Base | 12.3YK Base | 12.3YM Base | 12.3YS Base | 12.3YT Base | 12.3YZ Base | 12.3ZA Base | 12.4 Base | 12.4MR Base | 12.4T Base | 12.4XA Base | 12.4XC Base | 12.4XD Base | 12.4XE Base | 12.4XF Base | 12.4XJ Base | 12.4XK Base | 12.4XT Base | 12.4XV Base | 12.4XW Base | 12.4XY Base | 12.4XZ Base | 12.4YA Base

Associated Products:
N/A



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.