Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Cisco IOS Software DHCP Denial of Service Vulnerability

Related Vulnerabilities: CVE-2013-5475  

A vulnerability in the DHCP implementation of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability occurs during the parsing of crafted DHCP packets. An attacker could exploit this vulnerability by sending crafted DHCP packets to an affected device that has the DHCP server or DHCP relay feature enabled. An exploit could allow the attacker to cause a reload of an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds to this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-dhcp Note: The September 25, 2013, Cisco IOS Software Security Advisory bundled publication includes eight Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the September 2013 bundled publication. Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep13.html

Source

Summary

  • A vulnerability in the DHCP implementation of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

    The vulnerability occurs during the parsing of crafted DHCP packets. An attacker could exploit this vulnerability by sending crafted DHCP packets to an affected device that has the DHCP server or DHCP relay feature enabled. An exploit could allow the attacker to cause a reload of an affected device.

    Cisco has released software updates that address this vulnerability. There are no workarounds to this vulnerability.

    This advisory is available at the following link:
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-dhcp

    Note: The September 25, 2013, Cisco IOS Software Security Advisory bundled publication includes eight Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the September 2013 bundled publication.

    Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link:

    http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep13.html



Affected Products


  • Vulnerable Products

    Cisco devices that are running affected Cisco IOS Software or Cisco IOS XE Software with the DHCP server or DHCP relay feature enabled are vulnerable. The DHCP server or DHCP relay feature is not enabled by default. Cisco devices that are configured as DHCP clients are not affected by this vulnerability.

    To determine whether a Cisco IOS device or Cisco IOS XE device is configured as a DHCP server, issue the show ip dhcp pool command.

    The following example shows a Cisco IOS device that is affected by this vulnerability. The device is vulnerable because the DHCP server feature is enabled and the configured pool has at least one subnet that serves IP addresses:

    Router#show ip dhcp pool 

    Pool test :
     Utilization mark (high/low)    : 100 / 0
     Subnet size (first/next)       : 0 / 0 
     Total addresses                : 254
     Leased addresses               : 0
     Pending event                  : none
     1 subnet is currently in the pool :
     Current index        IP address range                    Leased addresses
     192.168.1.1          192.168.1.1      - 192.168.1.254         0


    To determine whether a Cisco IOS device or Cisco IOS XE device is configured as a DHCP relay agent, issue the show run | include helper-address command.

    The following example shows a Cisco IOS device that is affected by this vulnerability. The device is vulnerable because the DHCP relay agent feature is enabled, based on the ip helper-address output:

    Router#show run | include helper-address
     ip helper-address 10.1.1.2

    To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

    The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:

    Router> show version 
    Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 02-Dec-09 17:17 by prod_rel_team
    !--- output truncated

    Additional information about Cisco IOS Software release naming conventions is available in "White Paper: Cisco IOS and NX-OS Software Reference Guide" at http://www.cisco.com/web/about/security/intelligence/ios-ref.html.


    Products Confirmed Not Vulnerable

    Cisco IOS XR Software is not affected by this vulnerability.

    No other Cisco products are currently known to be affected by this vulnerability.

Details

  • The DHCP server feature in Cisco IOS Software and Cisco IOS XE Software is a DHCP server implementation that assigns and manages IP version 4 (IPv4) addresses, prefixes, and other information from specified address pools to DHCP clients.
    A DHCP relay agent feature in Cisco IOS Software and Cisco IOS XE Software forwards DHCP packets between clients and servers. Relay agents are used to forward requests and replies between clients and servers when they are not on the same physical subnet.

    Cisco IOS Software and Cisco IOS XE Software contain a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. An attacker could exploit this vulnerability by sending a crafted request to an affected device that has the DHCP server or DHCP relay agent feature enabled, causing a reload.

    The vulnerability is triggered when the affected Cisco IOS device attempts to process a crafted DHCP packet. Valid DHCP packets will not trigger this vulnerability. DHCP packets that the Cisco IOS device forwards (for example, transit DHCP traffic) will not trigger this vulnerability, but the packets forwarded to the DHCP relay agent will trigger the vulnerability.

    Cisco IOS devices that are configured as a DHCP version 6 (DHCPv6) server for IP version 6 (IPv6) are not affected by this vulnerability.

    This vulnerability has been documented in Cisco bug ID CSCug31561 (registered customers only). This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2013-5475.

Workarounds

  • There are no workarounds for this vulnerability.

Fixed Software

Exploitation and Public Announcements

  • The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

    This vulnerability was identified during an internal security review of the affected product.


Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Action Links for This Advisory

Related to This Advisory

URL

Revision History

  • Revision 1.0 2013-September-25 Initial public release

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started