Cisco Security Advisory
Cisco IOS XR Software SSHv1 Denial of Service Vulnerability
This vulnerability affects Cisco IOS XR devices that are running affected software releases and are configured to accept SSHv1 connections. When an SSHv1 connection is made to the SSH server that is running on a Cisco IOS XR device, a file is created in the /tmp directory. This file begins with the text "sshd_lock" and may not be properly removed when the session ends. Multiple connections may consume all available space in the /tmp filesystem and cause the system to crash, leading to a denial of service condition.
SSHv1 can be disabled by configuring the SSH server to only accept SSHv2 connections. In order to configure a device to only accept SSHv2 connections, administrators can issue the command ssh server v2. Administrators should manually remove lock files after disabling SSHv1 or after the server is upgraded to a non-vulnerable version. The command run rm /tmp/sshd_lock* will delete any sshd_lock files on the system.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
This bug was introduced in Cisco IOS XR Software release 3.6.2 and is fixed with SMU hfr-k9sec-3.6.2.CSCtd74795. The SMU ID for this fix in 3.6.2 is AA03656. This vulnerability has been fixed in 3.8.3, 3.9.1, and 4.0.0 for customers running later software versions. Software version 3.7 is not affected by this vulnerability.
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
Customers encountering device crashes during normal network operations reported this vulnerability to Cisco.