Vulnerability Alert

Cisco IOS Software RSVP Interface Queue Wedge Vulnerability

 
Threat Type:CWE-20: Input Validation
IntelliShield ID:30701
Version:1
First Published:2013 September 25 16:28 GMT
Last Published:2013 September 25 16:28 GMT
Port: Not available
CVE:CVE-2013-5478
Urgency:Unlikely Use
Credibility:Confirmed
Severity:Mild Damage
CVSS Base:7.8 CVSS Calculator
CVSS Version 2.0
CVSS Temporal:6.4
 
Version Summary:Cisco IOS Software and Cisco IOS XE Software contain a vulnerability that could allow an unauthenticated, remote attacker to trigger an interface queue wedge on the affected device. Updates are available.
 
 
Description
A vulnerability in the RSVP feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger an interface queue wedge on the affected device.

The vulnerability is due to improper parsing of UDP RSVP packets. An attacker could exploit this vulnerability by sending UDP RSVP packets to the vulnerable device. An exploit could cause Cisco IOS Software and Cisco IOS XE Software to incorrectly process incoming packets, resulting in an interface queue wedge, which can lead to loss of connectivity, loss of routing protocol adjacency, and other DoS conditions.

Cisco has confirmed the vulnerability in a security advisory and has released software updates.
 
Warning Indicators
Cisco has published a list of affected Cisco IOS Software releases in the security advisory. The "Vendor Announcements" section of this alert contains a link to the advisory.
 
IntelliShield Analysis
To exploit this vulnerability, an attacker may require access to trusted, internal networks to send crafted requests to the affected software. This access requirement could limit the likelihood of a successful exploit.

Valid UDP RSVP traffic could trigger this vulnerability on affected devices. Recovery from the interface queue wedge requires a reload of the device.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

A Cisco IOS Embedded Event Manager (EEM) policy can be used to identify and detect an interface queue wedge that is caused by this vulnerability. The policy allows administrators to monitor the interfaces for Cisco IOS devices and detect when the interface input queues are full. The script is available for download at the following link: Cisco Beyond: Embedded Event Manager (EEM) Scripting Community
 
Vendor Announcements
Cisco has released a security advisory for bug ID CSCuf17023 at the following link: cisco-sa-20130925-rsvp
 
Impact
An unauthenticated, remote attacker could exploit this vulnerability to cause a DoS condition on a targeted device.
 
Technical Information
The vulnerability is due to improper parsing of UDP RSVP packets by Cisco IOS and Cisco IOS XE Software.

An unauthenticated, remote attacker with some knowledge of the affected infrastructure could exploit this vulnerability by sending UDP RSVP network packets with crafted conditions to a targeted device. When the malicious traffic is processed by the affected software, packets queued by a Cisco IOS router or switch are never removed from the queue, leading to an interface queue wedge. A successful exploit could allow the attacker to interrupt traffic processing on the device. Repeated exploitation could cause a sustained DoS condition.
 
Safeguards
Administrators are advised to apply the appropriate updates.

Administrators are advised to allow only trusted users to have network access.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

Administrators may consider applying the global configuration command ip rsvp listener vrf vrf-name ip-address udp 1698 announce, where the IP address is one that does not exist on the device or in the routing tables. See the "Workarounds" section of the vendor advisory for more information.

Administrators may consider implementing Infrastructure Access Control Lists (iACL) and Unicast Reverse Path Forwarding (uRPF). See the "Workarounds" section of the vendor advisory for more information.

Administrators may consider implementing Control Plane Policing (CoPP).

The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: Identifying and Mitigating Exploitation of Cisco IOS Software RSVP Interface Queue Wedge Vulnerability

For more information about queue wedges and a few detection mechanisms that may be used to identify a blocked interface on Cisco IOS Software (including a white paper describing how this condition can be detected using SNMP), see Cisco IOS Queue Wedges Explained.

Apply hardware rate limiter features to limit packets requiring processing by the device's CPU to mitigate DoS attacks. See the vendor's documentation for specific configuration instructions. For hardware rate limiting configuration details, consult the Cisco Catalyst 6500 Denial of Service (DoS) Protection Configuration Guide.

Understanding activity on the network provides information and visibility that can be used to identify potential security incidents. Organizations should log events from devices and review the logged data to provide insight into anomalies or malicious activity. For logging best practices, consult the Cisco Guide to Harden Cisco IOS Devices.

Administrators are advised to monitor network traffic for security-related network activity. Cisco NetFlow can identify such activity. For more information about Cisco NetFlow, see Introduction to Cisco IOS NetFlow - A Technical Overview.

Administrators are advised to monitor affected systems.
 
Patches/Software
Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via email at tac@cisco.com
 
Alert History
 
Initial Release


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
CiscoIOS 15.0M 15.0(1)M, 15.0(1)M1, 15.0(1)M10, 15.0(1)M2, 15.0(1)M3, 15.0(1)M4, 15.0(1)M5, 15.0(1)M6, 15.0(1)M6a, 15.0(1)M7, 15.0(1)M8, 15.0(1)M9 | 15.0SY 15.0(1)SY, 15.0(1)SY1, 15.0(1)SY2, 15.0(1)SY3, 15.0(1)SY4 | 15.0XA 15.0(1)XA, 15.0(1)XA1, 15.0(1)XA2, 15.0(1)XA3, 15.0(1)XA4, 15.0(1)XA5 | 15.1EY 15.1(2)EY, 15.1(2)EY1, 15.1(2)EY1a, 15.1(2)EY2, 15.1(2)EY2a, 15.1(2)EY3, 15.1(2)EY4 | 15.1GC 15.1(2)GC, 15.1(2)GC1, 15.1(2)GC2, 15.1(4)GC, 15.1(4)GC1 | 15.1M 15.1(4)M, 15.1(4)M0a, 15.1(4)M0b, 15.1(4)M1, 15.1(4)M2, 15.1(4)M3, 15.1(4)M3a, 15.1(4)M4, 15.1(4)M5, 15.1(4)M6 | 15.1MR 15.1(1)MR, 15.1(1)MR1, 15.1(1)MR2, 15.1(1)MR3, 15.1(1)MR4, 15.1(1)MR5, 15.1(1)MR6, 15.1(3)MR | 15.1MRA 15.1(3)MRA, 15.1(3)MRA1 | 15.1S 15.1(1)S, 15.1(1)S1, 15.1(1)S2, 15.1(2)S, 15.1(2)S1, 15.1(2)S2, 15.1(3)S, 15.1(3)S0a, 15.1(3)S1, 15.1(3)S2, 15.1(3)S3, 15.1(3)S4, 15.1(3)S5, 15.1(3)S5a | 15.1SA 15.1(1)SA, 15.1(1)SA1, 15.1(1)SA2 | 15.1SNG 15.1(2)SNG | 15.1SNH 15.1(2)SNH, 15.1(2)SNH1 | 15.1SNI 15.1(2)SNI, 15.1(2)SNI1 | 15.1SY 15.1(1)SY, 15.1(1)SY1 | 15.1T 15.1(1)T, 15.1(1)T1, 15.1(1)T2, 15.1(1)T3, 15.1(1)T4, 15.1(1)T5, 15.1(2)T, 15.1(2)T0a, 15.1(2)T1, 15.1(2)T2, 15.1(2)T2a, 15.1(2)T3, 15.1(2)T4, 15.1(2)T5, 15.1(3)T, 15.1(3)T1, 15.1(3)T2, 15.1(3)T3, 15.1(3)T4 | 15.1XB 15.1(1)XB, 15.1(1)XB1, 15.1(1)XB2, 15.1(1)XB3, 15.1(4)XB4, 15.1(4)XB5, 15.1(4)XB5a, 15.1(4)XB6, 15.1(4)XB7, 15.1(4)XB8a | 15.2GC 15.2(1)GC, 15.2(1)GC1, 15.2(1)GC2, 15.2(2)GC, 15.2(3)GC, 15.2(3)GC1 | 15.2GCA 15.2(3)GCA | 15.2M 15.2(4)M, 15.2(4)M1, 15.2(4)M2, 15.2(4)M3 | 15.2S 15.2(1)S, 15.2(1)S1, 15.2(1)S2, 15.2(2)S, 15.2(2)S0a, 15.2(2)S0c, 15.2(2)S0d, 15.2(2)S1, 15.2(2)S2, 15.2(4)S, 15.2(4)S0c, 15.2(4)S1, 15.2(4)S2, 15.2(4)S3, 15.2(4)S3a | 15.2SA 15.2(1)SA | 15.2SB 15.2(1)SB, 15.2(1)SB1, 15.2(1)SB3, 15.2(1)SB4 | 15.2SC 15.2(1)SC1a, 15.2(1)SC2 | 15.2SNG 15.2(2)SNG | 15.2SNH 15.2(2)SNH, 15.2(2)SNH1 | 15.2SNI 15.2(2)SNI | 15.2T 15.2(1)T, 15.2(1)T1, 15.2(1)T2, 15.2(1)T3, 15.2(1)T3a, 15.2(1)T4, 15.2(2)T, 15.2(2)T1, 15.2(2)T2, 15.2(2)T3, 15.2(3)T, 15.2(3)T1, 15.2(3)T2, 15.2(3)T3 | 15.2XA 15.2(3)XA | 15.2XB 15.2(4)XB10 | 15.3S 15.3(1)S, 15.3(1)S1, 15.3(1)S1e, 15.3(1)S2 | 15.3T 15.3(1)T, 15.3(1)T1, 15.3(2)T
CiscoCisco IOS XE Software 3.2S .0, .1, .2 | 3.3S .0, .1, .2 | 3.4S .0, .1, .2, .3, .4, .5 | 3.5S Base, .0, .1, .2 | 3.6S Base, .0, .1, .2 | 3.7S Base, .0, .1, .2, .3 | 3.8S Base, .0, .1, .2

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by  IntelliShield