A vulnerability in the RSVP feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger an interface queue wedge on the affected device.
The vulnerability is due to improper parsing of UDP RSVP packets. An attacker could exploit this vulnerability by sending UDP RSVP packets to the vulnerable device. An exploit could cause Cisco IOS Software and Cisco IOS XE Software to incorrectly process incoming packets, resulting in an interface queue wedge, which can lead to loss of connectivity, loss of routing protocol adjacency, and other DoS conditions.
Cisco has confirmed the vulnerability in a security advisory and has released software updates.
Indicators of Compromise
Cisco has published a list of affected Cisco IOS Software releases in the security advisory. The "Vendor Announcements" section of this alert contains a link to the advisory.
The vulnerability is due to improper parsing of UDP RSVP packets by Cisco IOS and Cisco IOS XE Software.
An unauthenticated, remote attacker with some knowledge of the affected infrastructure could exploit this vulnerability by sending UDP RSVP network packets with crafted conditions to a targeted device. When the malicious traffic is processed by the affected software, packets queued by a Cisco IOS router or switch are never removed from the queue, leading to an interface queue wedge. A successful exploit could allow the attacker to interrupt traffic processing on the device. Repeated exploitation could cause a sustained DoS condition.
To exploit this vulnerability, an attacker may require access to trusted, internal networks to send crafted requests to the affected software. This access requirement could limit the likelihood of a successful exploit.
Valid UDP RSVP traffic could trigger this vulnerability on affected devices. Recovery from the interface queue wedge requires a reload of the device.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
A Cisco IOS Embedded Event Manager (EEM) policy can be used to detect an interface queue wedge caused by this vulnerability. The policy lets administrators monitor the interfaces of Cisco IOS devices and detect when the interface input queues are full. The script is available for download at the following link: Cisco Beyond: Embedded Event Manager (EEM) Scripting Community
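The following EEM applet is an added illustration of the detection approach described above; it is not the script published on Cisco Beyond. It polls every 60 seconds, parses the "Input queue: size/max/drops/flushes" line of show interfaces for each interface, and raises a critical syslog message when an input queue is full (size equals max), which is the signature of a wedged interface. The applet name, the 60-second interval, the variable names and the syslog text are this example's own choices; it assumes EEM 3.0 or later, which provides the foreach, regexp and if actions.

```cisco
! Added example (not the Cisco Beyond script): poll input queues and alert when one is full.
! Assumes EEM 3.0+ (foreach / regexp / if actions). Applet name and interval are arbitrary.
event manager applet DETECT-INPUT-QUEUE-WEDGE
 event timer watchdog time 60
 action 010 cli command "enable"
 action 020 cli command "show interfaces | include (line protocol|Input queue)"
 action 030 set ifname "unknown"
 action 040 foreach line "$_cli_result" "\n"
 action 050 regexp "^([A-Za-z][A-Za-z0-9/.:-]+) is " "$line" match name
 action 060 if $_regexp_result eq 1
 action 070 set ifname "$name"
 action 080 end
 action 090 regexp "Input queue: ([0-9]+)/([0-9]+)/" "$line" match qsize qmax
 action 100 if $_regexp_result eq 1
 action 110 if $qsize ge $qmax
 action 120 syslog priority critical msg "Possible input queue wedge on $ifname: input queue $qsize/$qmax"
 action 130 end
 action 140 end
 action 150 end
```

A queue that is momentarily full under heavy load will also trigger the message once; a wedge shows up as the same interface being reported on every poll while its counters stop moving, because, as the advisory notes, the queue never drains and only a reload clears it. Forward the syslog to the central log server so the condition is visible before routing adjacencies are lost.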
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
Administrators may consider applying the global configuration command ip rsvp listener vrf vrf-name ip-address udp 1698 announce, where the IP address is one that does not exist on the device or in the routing tables. See the "Workarounds" section of the vendor advisory for more information.
Administrators may consider implementing Infrastructure Access Control Lists (iACL) and Unicast Reverse Path Forwarding (uRPF). See the "Workarounds" section of the vendor advisory for more information.
Administrators may consider implementing Control Plane Policing (CoPP).
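The configuration below is an added example that combines the four workarounds listed above (an interface ACL restricting who may send RSVP over UDP port 1698, strict uRPF, Control Plane Policing, and the ip rsvp listener command) into one hardening fragment; it is not taken from the Cisco advisory. The peer addresses 192.0.2.10 and 192.0.2.11, the listener address 198.51.100.254, the interface GigabitEthernet0/0, the VRF name and all object names are placeholders chosen for this example.

```cisco
! Added example, not from the Cisco advisory. 192.0.2.x / 198.51.100.x are RFC 5737
! documentation addresses standing in for real RSVP peers; Gi0/0 is the exposed interface.
!
! 1. Interface ACL: accept UDP/1698 only from trusted RSVP peers.
ip access-list extended RSVP-TRUSTED-ONLY
 permit udp host 192.0.2.10 any eq 1698
 permit udp host 192.0.2.11 any eq 1698
 deny   udp any any eq 1698 log
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group RSVP-TRUSTED-ONLY in
 ! strict uRPF: drop packets whose source is not reachable via this interface
 ip verify unicast source reachable-via rx
!
! 2. CoPP: UDP/1698 that still reaches the control plane from an untrusted source
!    is dropped before it can occupy the interface input queue.
!    "deny" entries here mean "not matched", so trusted peers bypass this class.
ip access-list extended COPP-RSVP-UNTRUSTED
 deny   udp host 192.0.2.10 any eq 1698
 deny   udp host 192.0.2.11 any eq 1698
 permit udp any any eq 1698
!
class-map match-all CM-RSVP-UNTRUSTED
 match access-group name COPP-RSVP-UNTRUSTED
!
policy-map COPP
 class CM-RSVP-UNTRUSTED
  police 8000 conform-action drop exceed-action drop
 class class-default
!
control-plane
 service-policy input COPP
!
! 3. Vendor workaround from the advisory: bind the RSVP UDP listener to an address
!    that exists neither on the device nor in the routing table (placeholders below).
ip rsvp listener vrf VRF-NAME 198.51.100.254 udp 1698 announce
```

Strict uRPF (reachable-via rx) is only safe where routing is symmetric; on a multihomed edge use loose mode (reachable-via any) instead. Verify the CoPP class is catching what you expect with show policy-map control-plane before relying on it, and keep the interface ACL's final permit ip any any unless the interface already carries a full iACL.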
For more information about queue wedges and a few detection mechanisms that may be used to identify a blocked interface on Cisco IOS Software (including a white paper describing how this condition can be detected using SNMP), see Cisco IOS Queue Wedges Explained.
Understanding activity on the network provides information and visibility that can be used to identify potential security incidents. Organizations should log events from devices and review the logged data to provide insight into anomalies or malicious activity. For logging best practices, consult the Cisco Guide to Harden Cisco IOS Devices.
Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via email at firstname.lastname@example.org
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products
Cisco Multivendor Vulnerability Alerts respond to vulnerabilities identified in third-party vendors' products. These alerts contain information compiled from diverse sources and provide comprehensive technical descriptions, objective analytical assessments, workarounds and practical safeguards, and links to vendor advisories and patches.