Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Multiple Vulnerabilities in Cisco IOS XE Software for 1000 Series Aggregation Services Routers

Related Vulnerabilities: CVE-2013-1164   CVE-2013-1165   CVE-2013-1166   CVE-2013-1167   CVE-2013-2779  

Cisco IOS XE Software for 1000 Series Aggregation Services Routers (ASR) contains the following denial of service (DoS) vulnerabilities: Cisco IOS XE Software IPv6 Multicast Traffic Denial of Service Vulnerability Cisco IOS XE Software MVPNv6 Traffic Denial of Service Vulnerability Cisco IOS XE Software L2TP Traffic Denial of Service Vulnerability Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability Cisco IOS XE Software SIP Traffic Denial of Service Vulnerability These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others. Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the Embedded Services Processors (ESP) card or the Route Processor (RP) card, causing an interruption of services. Repeated exploitation could result in a sustained DoS condition. Note: Cisco IOS Software and Cisco IOS-XR Software are not affected by these vulnerabilities. Cisco has released software updates that address these vulnerabilities. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asr1000

Source

Summary

  • Cisco IOS XE Software for 1000 Series Aggregation Services Routers (ASR) contains the following denial of service (DoS) vulnerabilities:

    • Cisco IOS XE Software IPv6 Multicast Traffic Denial of Service Vulnerability
    • Cisco IOS XE Software MVPNv6 Traffic Denial of Service Vulnerability
    • Cisco IOS XE Software L2TP Traffic Denial of Service Vulnerability
    • Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability
    • Cisco IOS XE Software SIP Traffic Denial of Service Vulnerability

    These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

    Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the Embedded Services Processors (ESP) card or the Route Processor (RP) card, causing an interruption of services.
    Repeated exploitation could result in a sustained DoS condition.

    Note: Cisco IOS Software and Cisco IOS-XR Software are not affected by these vulnerabilities.

    Cisco has released software updates that address these vulnerabilities.

    This advisory is available at the following link:
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asr1000

Affected Products

  • Cisco IOS XE Software for 1000 Series ASR contains multiple DoS vulnerabilities. Affected versions of Cisco IOS XE Software for 1000 Series ASR will vary depending on the specific vulnerability. Consult the Software Versions and Fixes section of this security advisory for more information about the affected versions.


    Vulnerable Products

    For specific version information, refer to the Software Versions and Fixes section of this advisory.


    Cisco IOS XE Software IPv6 Multicast Traffic Denial of Service Vulnerability and Cisco IOS XE Software MVPNv6 Traffic Denial of Service Vulnerability

    These vulnerabilities are triggered when a fragmented multicast IP version 6 (IPv6) or a fragmented IPv6 Multicast VPN (MVPNv6) packet is received by an affected Cisco ASR device. The fragmented multicast packet processed by Cisco Multicast Leaf Recycle Elimination (MLRE) may cause a Cisco ESP card on the Cisco ASR device to reload.
    Multiple features configured on the Cisco ASR 1000 may trigger this kind of processing that will lead to a crash.

    Cisco IOS XE Software may be affected if IPv6 is enabled on an interface that is processing traffic and MLRE is enabled on the affected device.

    To determine whether IPv6 is enabled on an interface use the show run | include ipv6.(enable|address)
    privileged EXEC command. The presence of ipv6 enable and ipv6 address in the output of show run | include ipv6.(enable|address) indicates that IPv6 is enabled.

    The following is the output of the show run | include ipv6.(enable|address) in a Cisco IOS XE Software that shows the device is configured for IPv6:
    asr1004# show run | include ipv6.(enable|address)
     ipv6 enable
 ipv6 address dhcp rapid-commit
     ipv6 address autoconfig
 ipv6 address MANAGEMENT ::1FFF:0:0:0:3560/128
     ipv6 address 2001:DB8::1/64

    There is currently no way to determine if Cisco MLRE is enabled on the device.

    Note: The Cisco MLRE feature is introduced in Cisco IOS XE Software Release 3.4.1S and is enabled by default on all later versions of Cisco IOS XE Software on the Cisco ASR 1000 Series Aggregation Services Routers with Embedded Services Processor 40 (ASR1000-ESP40) or Embedded Services Processor 100 (ASR1000-ESP100). Only Cisco ASR 1000 Series Aggregation Services Routers with Embedded Services Processor 40 (ASR1000-ESP40) or Embedded Services Processor 100 (ASR1000-ESP100) are affected by this vulnerability.

    To determine whether a Cisco ASR 1000 device has ASR1000-ESP40 or ASR1000-ESP100 installed, administrators can issue the show inventory command. The following is the output of the show inventory in a Cisco IOS XE Software running on a Cisco ASR 1006 Router with Embedded Services Processor 40 (ASR1000-ESP40):


    asr1006#show inventory NAME: "Chassis", DESCR: "Cisco ASR1006 Chassis" PID: ASR1006 NAME: "module F1", DESCR: "Cisco ASR1000 Embedded Services Processor, 40Gbps" PID: ASR1000-ESP40

    Note: Cisco IOS devices configured to process multicast IPv6 or MVPNv6 traffic are not affected by this vulnerability. Only Cisco ASR 1000 Series Aggregation Services Routers running affected versions of Cisco IOS XE Software are affected by this vulnerability.



    Cisco IOS XE Software L2TP Traffic Denial of Service Vulnerability

    Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload when processing of a large amount of specific Layer 2 Tunneling Protocol (L2TP) packets when L2TP Network Server (LNS) termination or L2TPv3 Ethernet Pseudowire (xconnect) is enabled. L2TP LNS termination and xconnect are not enabled by default.

    To verify if L2TP LNS termination is enabled on a device use the show run | include accept-dialin privileged EXEC command. The presence of accept-dialin in the output of show run | include accept-dialin indicates that L2TP LNS termination is enabled.

    The following is the output of the show run | include accept-dialin on Cisco IOS XE Software that is configured as an L2TP Network Server (LNS):
    asr1004#sho running-config | include accept-dialin
    accept-dialin
    To verify if xconnect is enabled on a device use the show run | include xconnect|l2tpv3 privileged EXEC command. The presence of encapsulation l2tpv3 and xconnect in the output of show run | include xconnect|l2tpv3 indicates that xconnect is enabled.

    The following is the output of the show run | include xconnect|l2tpv3 on Cisco IOS XE Software that is configured for xconnect:

    asr1004#sho running-config | include xconnect|l2tpv3
    encapsulation l2tpv3
xconnect 10.0.0.1 1000 encapsulation l2tpv3 pw-class my_class

    Note: Cisco IOS devices configured with L2TPv3 Ethernet Pseudowire (xconnect) or as L2TP LNS are not affected by this vulnerability. Only Cisco ASR 1000 Series Aggregation Services Routers running affected versions of Cisco IOS XE Software are affected by this vulnerability.



    Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability

    Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload during the processing of packets when the bridge domain interface (BDI) feature is configured.

    Cisco IOS XE Software may be affected by this vulnerability if all of the following conditions are satisfied:
    • The physical interface that processes the packet on the ingress path is the layer 3 interface that has the encapsulation type set to untagged.
    • The incoming packet is routed through a BDI interface.
    • The egress physical interface of the packet has the encapsulation set to rewrite VLAN.
    Note: The BDI feature is not configured by default.

    To verify if the above conditions are satisfied on a device use the show run | section interface privileged EXEC command. The following is the output of show run | section interface in Cisco IOS XE software on a device configured with the vulnerable BDI setting:
    	asr1004#sho running-config | section interface

    	interface GigabitEthernet0/0/3
            ip address 192.168.2.1 255.255.255.0
            !
            interface BDI20
        ip address 192.168.1.1 255.255.255.0

    	!
            interface GigabitEthernet0/0/4
        no ip address
        negotiation auto
        service instance 1 ethernet
        encapsulation dot1q 201
        rewrite egress tag pop 1 symmetric
        bridge-domain 20
    Note: This feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers in Cisco IOS XE Software version 3.2.0S.

    Note: Cisco IOS devices configured for BDI are not affected by this vulnerability. Only Cisco ASR 1000 Series Aggregation Services Routers running affected versions of Cisco IOS XE Software are affected by this vulnerability.


    Cisco IOS XE Software SIP Traffic Denial of Service Vulnerability

    Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload while processing Session Initiation Protocol (SIP) packets that undergo Network Address Translation (NAT) within Virtual Routing and Forwarding (VRF) instance and SIP Application Layer Gateway (ALG) inspection. An attacker could exploit this vulnerability by sending a large number of SIP packets traversing a device configured for NAT.

    Cisco IOS XE Software may be affected by this vulnerability if VRF-aware NAT and SIP ALG is enabled on an affected device; these services are not enabled by default.

    SIP ALG is enabled on a device as soon as NAT is enabled. Administrators can choose to disable SIP ALG inspection under NAT configuration.

    SIP ALG can also be enabled under Zone-Based Policy Firewall (ZBFW) configuration. Devices configured for SIP ALG under ZBFW are not affected by this vulnerability.

    To determine whether VRF-aware NAT has been enabled in the Cisco IOS XE Software configuration, either ip nat inside or ip nat outside commands must be present in different interfaces, and at least one ip nat global configuration command must have a vrf keyword.

    The show running-config | include ip (nat | .* vrf .*) command can be used to determine whether VRF-aware NAT is present in the configuration, as illustrated in the following example of a vulnerable configuration:

    asr1004#show running-config | include ip (nat | .* vrf .*)
     ip nat inside
     ip nat outside
     ip nat inside source static 192.168.1.100 10.0.0.1 vrf VRF-SIP


    If the output is empty, the Cisco IOS XE Software release running on a given device is not vulnerable. If the output returned is not empty, SIP ALG services may be explicitly disabled under NAT configuration. To determine whether SIP ALG is disabled under NAT configuration, use the show run | include ip nat privileged EXEC command. The presence of no ip nat service sip in the output of show run | include ip nat indicates that SIP ALG is disabled under NAT configuration.

    The following is the output of show run | include ip nat in Cisco IOS XE Software that has the SIP ALG disabled under NAT configuration:

          asr1004#show running-config | include ip nat
           ip nat inside
           ip nat outside
           ip nat inside source static 192.168.1.100 10.0.0.1 vrf sip
           no ip nat service sip udp port 5060
           no ip nat service sip tcp port 5060

    If no ip nat service sip is not present in the output of show run | include ip nat, the Cisco IOS XE Software release running on the device is vulnerable.

    Note: Cisco IOS devices configured for SIP ALG inspection are not affected by this vulnerability. Only Cisco ASR 1000 Series Aggregation Services Routers running affected versions of Cisco IOS XE Software are affected by this vulnerability.


    Determine the Running Software Version

    Cisco ASR 1000 Series Aggregation Services Routers IOS XE Software releases correspond to the Cisco IOS Software releases. For example, Cisco IOS XE Software Release 3.6.2S is the software release for Cisco ASR 1000 Series Aggregation Services Routers IOS Software Release 15.2(2)S2.
    For more information about mappings between the Cisco IOS XE Software releases and their associated Cisco IOS Software releases, see:
    http://www.cisco.com/en/US/docs/routers/asr1000/release/notes/asr1k_rn_intro.html

    To determine whether a vulnerable version of Cisco IOS XE Software is running on a device, administrators can issue the show version command. The following example shows a Cisco IOS XE Software that is running IOS XE software version 3.6.2S, IOS version 15.2(2)S2:

    asr1004#show version 
    Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S2, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Tue 07-Aug-12 13:40 by mcpre

    Note: A Cisco IOS XE Software image consists of seven individual modules, also referred to as subpackages. The packages are designed to use the In Service Software Upgrade (ISSU) capability of the Cisco IOS XE Software. Customers have the capability to upgrade only those packages that need to be upgraded. For more information about the Cisco IOS XE Software packaging, see:
    http://www.cisco.com/en/US/partner/prod/collateral/routers/ps9343/product_bulletin_c25-448387.html

    If packages are upgraded individually, the output of the show version command may vary.

    Products Confirmed Not Vulnerable

    Products running Cisco IOS Software or Cisco IOS-XR Software are not affected by any of these vulnerabilities.

    With the exception of the Cisco IOS XE Software for 1000 Series ASR, no other Cisco products are currently known to be affected by these vulnerabilities.

Details

  • The following section provides additional information about each vulnerability.

    Cisco IOS XE Software IPv6 Multicast Traffic Denial of Service Vulnerability

    Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated remote attacker to cause a DoS condition.

    The vulnerability is due to improper handling of fragmented IPv6 multicast traffic by Cisco 1000 Series ASR with ASR1000-ESP40 or ASR1000-ESP100. An attacker could exploit this vulnerability by sending fragmented IPv6 multicast packets either traversing or destined to a vulnerable system.

    A successful exploit could allow the attacker to cause a system to reload, resulting in a DoS condition. Repeated exploitation could result in a sustained DoS condition.


    This vulnerability is documented in Cisco bug ID CSCtz97563 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2013-1164


    Cisco IOS XE Software MVPNv6 Traffic Denial of Service Vulnerability

    Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated remote attacker to cause a DoS condition.

    The vulnerability is due to improper handling of fragmented IPv6 MVPN traffic by Cisco 1000 Series ASR with ASR1000-ESP40 or ASR1000-ESP100. An attacker could exploit this vulnerability by sending fragmented IPv6 MVPN packets either traversing or destined to a vulnerable system.

    A successful exploit could allow the attacker to cause a system to reload, resulting in a DoS condition. Repeated exploitation could result in a sustained DoS condition.


    This vulnerability is documented in Cisco bug ID CSCub34945 (registered customers only) and has been assigned CVE ID CVE-2013-2779


    Cisco IOS XE Software L2TP Traffic Denial of Service Vulnerability

    Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated remote attacker to cause a DoS condition.

    The vulnerability is due to improper handling of specific L2TP packets by Cisco 1000 ASR. An attacker could exploit this vulnerability by sending a large number of specific L2TP packets to a vulnerable system; this vulnerability cannot be triggered by L2TP traffic transiting a vulnerable device.

    A successful exploit could allow the attacker to cause a system to reload, resulting in a DoS condition. Repeated exploitation could result in a sustained DoS condition.

    This vulnerability is documented in Cisco bug ID CSCtz23293 (registered customers only) and has been assigned CVE ID CVE-2013-1165


    Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability

    Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition.

    The vulnerability is due to improper handling of packets by Cisco 1000 Series ASR configured for bridge domain interface (BDI). An attacker could exploit this vulnerability by sending packets that will traverse a vulnerable system. This vulnerability cannot be triggered by sending traffic to a vulnerable device.

    A successful exploit could allow the attacker to cause a system to reload, resulting in a DoS condition. Repeated exploitation could result in a sustained DoS condition.

    This vulnerability is documented in Cisco bug ID CSCtt11558 (registered customers only) and has been assigned CVE ID CVE-2013-1167


    Cisco IOS XE Software SIP Traffic Denial of Service Vulnerability

    Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition.

    The vulnerability is due to improper handling of SIP packets by Cisco 1000 Series ASR when configured for VRF-aware NAT and SIP ALG. An attacker could exploit this vulnerability by sending a large number of SIP packets traversing a device configured for NAT; this vulnerability cannot be triggered by SIP traffic destined to a vulnerable device.

    A successful exploit could allow the attacker to cause a system to reload, resulting in a DoS condition. Repeated exploitation could result in a sustained DoS condition.


    This vulnerability is documented in Cisco bug ID CSCuc65609 (registered customers only) and has been assigned CVE ID CVE-2013-1166

Workarounds

  • No workarounds are available to mitigate these vulnerabilities.


Fixed Software

  • When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Each Cisco IOS XE Software release is classified as either a Standard Support or an Extended Support release. A Standard Support release has a total engineering support lifetime of one year, with two scheduled rebuilds. The Extended Support release provides a total engineering support lifetime of two years, with four scheduled rebuilds.

    For more information about the Cisco IOS XE Software end-of-life policy and associated support milestones for specific Cisco IOS XE Software releases, see:
    http://www.cisco.com/en/US/prod/collateral/routers/ps9343/product_bulletin_c25-448258.html


    Cisco IOS XE Software IPv6 Multicast Traffic Denial of Service Vulnerability

    Vulnerability Major Release
    		 Extended Release First Fixed Release
    CSCtz97563

    		 2.x -
    		 Not affected
    3.1 Yes Not affected
    3.2 No
    		 Not affected
    3.3 No
    		 Not affected
    3.4 Yes
    		 3.4.4S
    3.5 No
    		 Vulnerable; migrate to one of the extended releases
    3.6 No Vulnerable; migrate to one of the extended releases
    3.7 Yes
    		 Not affected
    3.8 No Not affected


    Cisco IOS XE Software MVPNv6 Traffic Denial of Service Vulnerability

    Vulnerability Major Release
    		 Extended Release
    		 First Fixed Release
    CSCub34945
    		 2.x -
    		 Not affected
    3.1 Yes Not affected
    3.2 No
    		 Not affected
    3.3 No
    		 Not affected
    3.4 Yes
    		 3.4.5S
    3.5 No
    		 Vulnerable; migrate to one of the extended releases
    3.6 No Vulnerable; migrate to one of the extended releases
    3.7 Yes
    		 3.7.1S
    3.8 No Not affected


    Cisco IOS XE Software L2TP Traffic Denial of Service Vulnerability

    Vulnerability Major Release
    		 Extended Release
    		 First Fixed Release
    CSCtz23293
    		 2.x -
    		 Vulnerable; migrate to one of the extended releases
    3.1 Yes Vulnerable; migrate to one of the extended releases
    3.2 No
    		 Vulnerable; migrate to one of the extended releases
    3.3 No
    		 Vulnerable; migrate to one of the extended releases
    3.4 Yes
    		 3.4.5S
    3.5 No
    		 Vulnerable; migrate to one of the extended releases
    3.6 No Vulnerable; migrate to one of the extended releases
    3.7 Yes 3.7.1S
    3.8 No Not affected


    Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability

    Vulnerability Major Release
    		 Extended Release
    		 First Fixed Release
    CSCtt11558
    		 2.x -
    		 Not affected
    3.1 Yes Not affected
    3.2 No
    		 Vulnerable; migrate to one of the extended releases
    3.3 No
    		 Vulnerable; migrate to one of the extended releases
    3.4 Yes
    		 3.4.2S
    3.5 No
    		 Vulnerable; migrate to one of the extended releases
    3.6 No Not affected
    3.7 Yes
    		 Not affected
    3.8 No Not affected


    Cisco IOS XE Software SIP Traffic Denial of Service Vulnerability

    Vulnerability Major Release
    		 Extended Release
    		 First Fixed Release
    CSCuc65609
    		 2.x -
    		 Not affected
    3.1 Yes Not affected
    3.2 No Not affected
    3.3 No
    		 Not affected
    3.4 Yes
    		 3.4.5S
    3.5 No
    		 Not affected
    3.6 No Not affected
    3.7 Yes Not affected
    3.8 No Not affected

    When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.


    Recommended Releases

    The Recommended Release table lists the releases that have fixes for all the published vulnerabilities at the time of this advisory. Cisco recommends upgrading to a release equal to or later than the release in the following table.


    Affected Release

    Recommended Release

    Extended Release

    2.x Vulnerable; migrate to one of the recommended extended releases
    		 -
    3.1 Vulnerable; migrate to one of the recommended extended releases
    		 Yes
    3.2 Vulnerable; migrate to one of the recommended extended releases
    		 No
    3.3 Vulnerable; migrate to one of the recommended extended releases
    		 No
    3.4 3.4.5S
    		 Yes
    3.5 Vulnerable; migrate to one of the recommended extended releases
    		 No
    3.6 Vulnerable; migrate to one of the recommended extended releases
    		 No
    3.7 3.7.1S Yes
    3.8 Not vulnerable; No


Exploitation and Public Announcements

  • The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

    Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability was found during the troubleshooting of customer service requests.
    Other vulnerabilities were found during internal testing.

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Action Links for This Advisory

Related to This Advisory

URL

Revision History

  • Revision 1.3 2013-April-17 Updated CVE assignment. MITRE reassigned CVE-2013-2779 to the MVPNv6 vulnerability.
    Revision 1.2 2013-April-15 Updated software table for SIP vulnerability
    Revision 1.1 2013-April-10 Added xconnect to L2TP traffic section of "Vulnerable Products."
    Revision 1.0 2013-April-10 Initial public release
    Show Complete History...

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started