Cisco IOS XE Software for 1000 Series Aggregation Services Routers (ASR) contains the following denial of service (DoS) vulnerabilities:

Cisco IOS XE Software IPv6 Multicast Traffic Denial of Service Vulnerability
Cisco IOS XE Software MVPNv6 Traffic Denial of Service Vulnerability
Cisco IOS XE Software L2TP Traffic Denial of Service Vulnerability
Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability
Cisco IOS XE Software SIP Traffic Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the Embedded Services Processors (ESP) card or the Route Processor (RP) card, causing an interruption of services. Repeated exploitation could result in a sustained DoS condition.

Note: Cisco IOS Software and Cisco IOS-XR Software are not affected by these vulnerabilities.

Cisco has released software updates that address these vulnerabilities. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asr1000
There is currently no way to determine if Cisco MLRE is enabled on the device.

asr1004# show run | include ipv6.(enable|address)
 ipv6 enable
 ipv6 address dhcp rapid-commit
 ipv6 address autoconfig
 ipv6 address MANAGEMENT ::1FFF:0:0:0:3560/128
 ipv6 address 2001:DB8::1/64
To verify if xconnect is enabled on a device, use the show run | include xconnect|l2tpv3 privileged EXEC command. The presence of encapsulation l2tpv3 and xconnect in the output of show run | include xconnect|l2tpv3 indicates that xconnect is enabled.

asr1004#sho running-config | include accept-dialin
 accept-dialin

asr1004#sho running-config | include xconnect|l2tpv3
 encapsulation l2tpv3
 xconnect 10.0.0.1 1000 encapsulation l2tpv3 pw-class my_class
asr1004#sho running-config | section interface
interface GigabitEthernet0/0/3
 ip address 192.168.2.1 255.255.255.0
!
interface BDI20
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/0/4
 no ip address
 negotiation auto
 service instance 1 ethernet
  encapsulation dot1q 201
  rewrite egress tag pop 1 symmetric
  bridge-domain 20

Note: This feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers in Cisco IOS XE Software version 3.2.0S.
asr1004#show running-config | include ip (nat | .* vrf .*)
ip nat inside
ip nat outside
ip nat inside source static 192.168.1.100 10.0.0.1 vrf VRF-SIP
If the output is empty, the Cisco IOS XE Software release running on a given device is not vulnerable. If the output returned is not empty, SIP ALG services may be explicitly disabled under NAT configuration. To determine whether SIP ALG is disabled under NAT configuration, use the show run | include ip nat privileged EXEC command. The presence of no ip nat service sip in the output of show run | include ip nat indicates that SIP ALG is disabled under NAT configuration.
The following is the output of show run | include ip nat in Cisco IOS XE Software that has the SIP ALG disabled under NAT configuration:
asr1004#show running-config | include ip nat
ip nat inside
ip nat outside
ip nat inside source static 192.168.1.100 10.0.0.1 vrf sip
no ip nat service sip udp port 5060
no ip nat service sip tcp port 5060
asr1004#show version
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 07-Aug-12 13:40 by mcpre
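As an added example that is not part of the advisory, the following Python helper applies the advisory's running-config checks (IPv6 addressing, L2TP/xconnect, bridge domain interfaces, and NAT with SIP ALG not disabled) to a saved configuration so that a fleet of ASR 1000 configurations can be screened offline. The sample configuration, the function name and the conservative SIP ALG rule (exposed unless both the UDP and TCP port 5060 lines are present) are this example's own assumptions; the MVPNv6 condition is omitted because the advisory states it cannot be determined from the configuration.

```python
import re

# Constructed sample: fragments of an ASR 1000 running-config modelled on the
# outputs quoted in the advisory. Addresses are illustrative, not from a device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 ipv6 address 2001:DB8::1/64
interface GigabitEthernet0/0/2
 ip nat outside
 xconnect 10.0.0.1 1000 encapsulation l2tpv3 pw-class my_class
interface BDI20
 ip address 192.168.1.1 255.255.255.0
ip nat inside source static 192.168.1.100 10.0.0.1 vrf VRF-SIP
no ip nat service sip udp port 5060
"""


def exposure_indicators(config: str) -> dict:
    """Report which of the advisory's configuration conditions are present.

    A True value means the configuration matches the corresponding
    'show run | include ...' check; the device is affected only if it also
    runs a release listed as vulnerable in the advisory's software tables.
    """
    lines = [line.strip() for line in config.splitlines()]

    # IPv6 multicast check: same pattern as 'show run | include ipv6.(enable|address)'.
    ipv6 = any(re.match(r"ipv6 (enable|address)\b", l) for l in lines)

    # L2TP check: 'encapsulation l2tpv3' or an xconnect using l2tpv3.
    l2tp = any(re.match(r"encapsulation l2tpv3\b", l) or
               (l.startswith("xconnect ") and "l2tpv3" in l) for l in lines)

    # Bridge domain interface check: any 'interface BDI<n>' stanza.
    bdi = any(re.match(r"interface BDI\d+$", l) for l in lines)

    # SIP check: NAT configured, and SIP ALG not explicitly disabled.
    # Assumption of this example: treat the ALG as disabled only when the
    # 'no ip nat service sip' lines for both UDP and TCP port 5060 are present.
    nat = any(re.match(r"ip nat ", l) for l in lines)
    sip_off = {proto for proto in ("udp", "tcp")
               if f"no ip nat service sip {proto} port 5060" in lines}

    return {
        "ipv6_multicast": ipv6,
        "l2tp": l2tp,
        "bridge_domain": bdi,
        "sip_alg": bool(nat and sip_off != {"udp", "tcp"}),
    }
```

Running exposure_indicators(SAMPLE_CONFIG) flags all four conditions, since the sample disables the SIP ALG for UDP only.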
No workarounds are available to mitigate these vulnerabilities.
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Each Cisco IOS XE Software release is classified as either a Standard Support or an Extended Support release. A Standard Support release has a total engineering support lifetime of one year, with two scheduled rebuilds. The Extended Support release provides a total engineering support lifetime of two years, with four scheduled rebuilds.
For more information about the Cisco IOS XE Software end-of-life policy and associated support milestones for specific Cisco IOS XE Software releases, see:
http://www.cisco.com/en/US/prod/collateral/routers/ps9343/product_bulletin_c25-448258.html
Vulnerability: CSCtz97563

| Major Release | Extended Release | First Fixed Release |
|---|---|---|
| 2.x | - | Not affected |
| 3.1 | Yes | Not affected |
| 3.2 | No | Not affected |
| 3.3 | No | Not affected |
| 3.4 | Yes | 3.4.4S |
| 3.5 | No | Vulnerable; migrate to one of the extended releases |
| 3.6 | No | Vulnerable; migrate to one of the extended releases |
| 3.7 | Yes | Not affected |
| 3.8 | No | Not affected |
Vulnerability: CSCub34945

| Major Release | Extended Release | First Fixed Release |
|---|---|---|
| 2.x | - | Not affected |
| 3.1 | Yes | Not affected |
| 3.2 | No | Not affected |
| 3.3 | No | Not affected |
| 3.4 | Yes | 3.4.5S |
| 3.5 | No | Vulnerable; migrate to one of the extended releases |
| 3.6 | No | Vulnerable; migrate to one of the extended releases |
| 3.7 | Yes | 3.7.1S |
| 3.8 | No | Not affected |
Vulnerability: CSCtz23293

| Major Release | Extended Release | First Fixed Release |
|---|---|---|
| 2.x | - | Vulnerable; migrate to one of the extended releases |
| 3.1 | Yes | Vulnerable; migrate to one of the extended releases |
| 3.2 | No | Vulnerable; migrate to one of the extended releases |
| 3.3 | No | Vulnerable; migrate to one of the extended releases |
| 3.4 | Yes | 3.4.5S |
| 3.5 | No | Vulnerable; migrate to one of the extended releases |
| 3.6 | No | Vulnerable; migrate to one of the extended releases |
| 3.7 | Yes | 3.7.1S |
| 3.8 | No | Not affected |
Vulnerability: CSCtt11558

| Major Release | Extended Release | First Fixed Release |
|---|---|---|
| 2.x | - | Not affected |
| 3.1 | Yes | Not affected |
| 3.2 | No | Vulnerable; migrate to one of the extended releases |
| 3.3 | No | Vulnerable; migrate to one of the extended releases |
| 3.4 | Yes | 3.4.2S |
| 3.5 | No | Vulnerable; migrate to one of the extended releases |
| 3.6 | No | Not affected |
| 3.7 | Yes | Not affected |
| 3.8 | No | Not affected |
Vulnerability: CSCuc65609

| Major Release | Extended Release | First Fixed Release |
|---|---|---|
| 2.x | - | Not affected |
| 3.1 | Yes | Not affected |
| 3.2 | No | Not affected |
| 3.3 | No | Not affected |
| 3.4 | Yes | 3.4.5S |
| 3.5 | No | Not affected |
| 3.6 | No | Not affected |
| 3.7 | Yes | Not affected |
| 3.8 | No | Not affected |
| Affected Release | Recommended Release | Extended Release |
|---|---|---|
| 2.x | Vulnerable; migrate to one of the recommended extended releases | - |
| 3.1 | Vulnerable; migrate to one of the recommended extended releases | Yes |
| 3.2 | Vulnerable; migrate to one of the recommended extended releases | No |
| 3.3 | Vulnerable; migrate to one of the recommended extended releases | No |
| 3.4 | 3.4.5S | Yes |
| 3.5 | Vulnerable; migrate to one of the recommended extended releases | No |
| 3.6 | Vulnerable; migrate to one of the recommended extended releases | No |
| 3.7 | 3.7.1S | Yes |
| 3.8 | Not vulnerable | No |
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability was found during the troubleshooting of customer service requests.

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
| Revision | Date | Description |
|---|---|---|
| 1.3 | 2013-April-17 | Updated CVE assignment. MITRE reassigned CVE-2013-2779 to the MVPNv6 vulnerability. |
| 1.2 | 2013-April-15 | Updated software table for SIP vulnerability. |
| 1.1 | 2013-April-10 | Added xconnect to L2TP traffic section of "Vulnerable Products." |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.