Cisco IOS XE Software for 1000 Series Aggregation Services Routers (ASR) contains the following denial of service (DoS) vulnerabilities:
Cisco IOS XE Software Malformed ICMP Packet Denial of Service Vulnerability
Cisco IOS XE Software PPTP Traffic Denial of Service Vulnerability
Cisco IOS XE Software TCP Segment Reassembly Denial of Service Vulnerability
Cisco IOS XE Software Malformed EoGRE Packet Denial of Service Vulnerability
These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the embedded services processor (ESP) card or the route processor (RP) card, causing an interruption of services. Repeated exploitation could result in a sustained DoS condition.
Note: Cisco IOS Software and Cisco IOS-XR Software are not affected by these vulnerabilities.
Cisco has released software updates that address these vulnerabilities. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131030-asr1000
Router#show policy-map type inspect zone-pair
Zone-pair: clients-servers
Service-policy inspect : clients-servers-policy
Class-map: L4-inspect-class (match-any)
Match: protocol tcp
Match: protocol udp
Match: protocol icmp
Inspect
Note: Cisco IOS devices configured with a ZBFW are not affected by this vulnerability. Only Cisco ASR 1000 Series Aggregation Services Routers running affected versions of Cisco IOS XE Software are affected by this vulnerability.
asr1004#show running-config | include ip nat
ip nat inside
ip nat outside
ip nat inside source static 192.168.1.100 10.0.0.1
If the output is empty, the Cisco IOS XE Software release running on a given device is not vulnerable. If the output returned is not empty, PPTP ALG services may be explicitly disabled in the NAT configuration. To determine whether PPTP ALG is disabled in the NAT configuration, use the show run | include ip nat privileged EXEC command. The presence of no ip nat service pptp in the output of show run | include ip nat indicates that PPTP ALG is disabled in the NAT configuration.
The following is the output of show run | include ip nat in Cisco IOS XE Software that has the PPTP ALG disabled under NAT configuration:
asr1004#show running-config | include ip nat
ip nat inside
ip nat outside
ip nat inside source static 192.168.1.100 10.0.0.1
no ip nat service pptp
asr1004#show running-config | include ip nat
ip nat inside
ip nat outside
ip nat inside source static 192.168.1.100 10.0.0.1
Only Cisco ASR 1000 Series Aggregation Services Routers with embedded services processor 100 (ASR1000-ESP100) and Cisco ASR1002-X Series Routers are affected by this vulnerability.
To determine whether a Cisco ASR 1000 device has ASR1000-ESP100 installed or is a Cisco ASR1002-X Series Router, administrators can issue the show inventory command. The following is the output of the show inventory in Cisco IOS XE Software running on a Cisco ASR 1006 Router with ASR1000-ESP100:
asr1006#show inventory
NAME: "Chassis", DESCR: "Cisco ASR1006 Chassis"
PID: ASR1006
NAME: "module F1", DESCR: "Cisco ASR1000 Embedded Services Processor, 100Gbps"
PID: ASR1000-ESP100
Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload while processing malformed IP version 4 (IPv4) or IP version 6 (IPv6) Ethernet over Generic Routing Encapsulation (EoGRE) packets on an interface configured with EoGRE.
EoGRE is not enabled by default.
To determine whether EoGRE has been enabled in the Cisco IOS XE Software configuration, the tunnel mode ethernet gre ipv4 or tunnel mode ethernet gre ipv6 commands must be present on a tunnel interface configuration and at least one IP address must be configured on that interface.
The show running-config | include Tunnel|(tunnel mode|ip address .) command can be used to determine whether EoGRE is present in the configuration, as illustrated in the following example of a vulnerable configuration:
asr1004#show running-config | include Tunnel|(tunnel mode|ip address .)
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
tunnel mode ethernet gre ipv4
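The three preconditions the advisory asks administrators to check (NAT configured without PPTP ALG disabled, an EoGRE tunnel with an address, and the ESP100 or ASR1002-X hardware) can be evaluated from captured command output rather than by eye. The following is an added example, not Cisco's code; it assumes the echoed prompt has the form hostname#command, that the chassis PID string for an ASR1002-X is ASR1002-X (the ESP100 PID comes from the advisory), and that the EoGRE check is fed the full running configuration rather than the include-filtered output shown above, because the filter drops the interface lines of non-Tunnel interfaces and their addresses would then be misattributed to the preceding tunnel. All sample outputs in the block are constructed.

```python
"""Added example (not Cisco's code): evaluate the configuration and hardware
preconditions from this advisory against captured show-command output.
The sample outputs at the bottom are constructed, not from a real device."""
import re

PROMPT = re.compile(r"^\S+#")  # an echoed 'hostname#command' line (assumed form)


def _config_lines(text: str) -> list[str]:
    """Strip whitespace, blank lines and echoed prompt/command lines."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not PROMPT.match(line):
            out.append(line)
    return out


def pptp_alg_exposed(ip_nat_output: str) -> bool:
    """PPTP condition: NAT is configured ('ip nat' lines present in the
    'show run | include ip nat' output) and PPTP ALG is not explicitly
    disabled ('no ip nat service pptp' absent)."""
    lines = _config_lines(ip_nat_output)
    if not any("ip nat" in line for line in lines):
        return False  # empty output: NAT not in use, release not vulnerable
    return "no ip nat service pptp" not in lines


def eogre_interfaces(running_config: str) -> list[str]:
    """EoGRE condition: a Tunnel interface carrying
    'tunnel mode ethernet gre ipv4|ipv6' and at least one 'ip address'.
    Expects the full running-config so every interface stanza has its header."""
    blocks: list[tuple[str, list[str]]] = []
    for line in _config_lines(running_config):
        if line.startswith("interface "):
            blocks.append((line.split(None, 1)[1], []))
        elif blocks:
            blocks[-1][1].append(line)  # line belongs to the current stanza
    exposed = []
    for name, body in blocks:
        is_eogre = any(re.fullmatch(r"tunnel mode ethernet gre ipv[46]", l) for l in body)
        has_addr = any(re.match(r"ip address \S", l) for l in body)  # 'no ip address' is excluded
        if name.startswith("Tunnel") and is_eogre and has_addr:
            exposed.append(name)
    return exposed


def affected_hardware(show_inventory: str) -> list[str]:
    """Hardware condition: an ASR1000-ESP100 module or an ASR1002-X router.
    'ASR1002-X' as the chassis PID string is an assumption."""
    pids = [p.rstrip(",") for p in re.findall(r"PID:\s*(\S+)", show_inventory)]
    return [p for p in pids if p in ("ASR1000-ESP100", "ASR1002-X")]


# Constructed sample outputs.
NAT_NO_OVERRIDE = """asr1004#show running-config | include ip nat
ip nat inside
ip nat outside
ip nat inside source static 192.168.1.100 10.0.0.1
"""
NAT_PPTP_DISABLED = NAT_NO_OVERRIDE + "no ip nat service pptp\n"

RUNNING_CONFIG = """asr1004#show running-config
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 tunnel mode ethernet gre ipv4
!
interface Tunnel1
 tunnel mode ethernet gre ipv6
!
interface GigabitEthernet0/0/0
 ip address 10.0.0.1 255.255.255.0
!
"""

INVENTORY = """asr1006#show inventory
NAME: "Chassis", DESCR: "Cisco ASR1006 Chassis"
PID: ASR1006           , VID: V01  , SN: CONSTRUCTED00001
NAME: "module F1", DESCR: "Cisco ASR1000 Embedded Services Processor, 100Gbps"
PID: ASR1000-ESP100    , VID: V01  , SN: CONSTRUCTED00002
"""

if __name__ == "__main__":
    print("PPTP ALG exposed (no override):", pptp_alg_exposed(NAT_NO_OVERRIDE))
    print("PPTP ALG exposed (disabled):   ", pptp_alg_exposed(NAT_PPTP_DISABLED))
    print("EoGRE interfaces with address: ", eogre_interfaces(RUNNING_CONFIG))
    print("Affected hardware PIDs:        ", affected_hardware(INVENTORY))
```

Tunnel1 in the sample is deliberately left without an address so it is not reported, and the GigabitEthernet address after it shows why the full configuration, with its interface headers, is the right input for the EoGRE check.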
asr1004#show version
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 07-Aug-12 13:40 by mcpre
No workarounds are available to mitigate these vulnerabilities.
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Each Cisco IOS XE Software release is classified as either a Standard Support or an Extended Support release. A Standard Support release has a total engineering support lifetime of one year, with two scheduled rebuilds. The Extended Support release provides a total engineering support lifetime of two years, with four scheduled rebuilds.
For more information about the Cisco IOS XE Software End-of-Life policy and associated support milestones for specific Cisco IOS XE Software releases, see:
Cisco IOS XE Software Support Timeline up to IOS XE 3.9S and Cisco IOS XE Software Support Timeline Starting with Cisco IOS XE Software Release 3.10S
Vulnerability: CSCtt26470
Major Release | Extended Release | First Fixed Release
2.x | - | Not affected
3.1 | Yes | Not affected
3.2 | No | Not affected
3.3 | No | Not affected
3.4 | Yes | 3.4.2S
3.5 | No | 3.5.1S
3.6 | No | Not affected
3.7 | Yes | Not affected
3.8 | No | Not affected
3.9 | No | Not affected
3.10 | Yes | Not affected
Vulnerability: CSCuh49936
Major Release | Extended Release | First Fixed Release
2.x | - | Not affected
3.1 | Yes | Not affected
3.2 | No | Not affected
3.3 | No | Not affected
3.4 | Yes | Not affected
3.5 | No | Not affected
3.6 | No | Not affected
3.7 | Yes | Not affected
3.8 | No | Not affected
3.9 | No | 3.9.2S
3.10 | Yes | Not affected
Vulnerability: CSCud72509
Major Release | Extended Release | First Fixed Release
2.x | - | Not affected
3.1 | Yes | Not affected
3.2 | No | Not affected
3.3 | No | Not affected
3.4 | Yes | Not affected
3.5 | No | Not affected
3.6 | No | Not affected
3.7 | Yes | 3.7.3S
3.8 | No | 3.8.1S
3.9 | No | Not affected
3.10 | Yes | Not affected
Vulnerability: CSCuf08269
Major Release | Extended Release | First Fixed Release
2.x | - | Not affected
3.1 | Yes | Not affected
3.2 | No | Not affected
3.3 | No | Not affected
3.4 | Yes | Not affected
3.5 | No | Not affected
3.6 | No | Not affected
3.7 | Yes | Not affected
3.8 | No | Not affected
3.9 | No | 3.9.2S
3.10 | Yes | Not affected
The Recommended Release table lists the releases that have fixes for all the published vulnerabilities at the time of this advisory. Cisco recommends upgrading to a release equal to or later than the release in the following table.
Affected Release | Recommended Release | Extended Release
2.x | Not vulnerable | -
3.1 | Not vulnerable | Yes
3.2 | Not vulnerable | No
3.3 | Not vulnerable | No
3.4 | 3.4.2S | Yes
3.5 | 3.5.1S | No
3.6 | Not vulnerable | No
3.7 | 3.7.3S | Yes
3.8 | 3.8.1S | No
3.9 | 3.9.2S | No
3.10 | Not vulnerable | Yes
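Applying the Recommended Release table to a fleet means comparing each device's IOS XE release, within its own train, against the recommended rebuild. The following is an added example, not Cisco's code: it encodes the table above and decides whether a given release string is not vulnerable, already at or past the recommended rebuild, or in need of an upgrade. It accepts releases written as 3.9.1S or in the zero-padded 03.09.01.S form, and the helper that extracts the release from show version assumes a line of the form "Cisco IOS XE Software, Version 03.09.01.S" (an assumed format; the show version excerpt on this page shows only the IOSd 15.x version string, which uses a different numbering and is not mapped here). The sample show version line is constructed.

```python
"""Added example (not Cisco's code): compare a running Cisco IOS XE release
against the advisory's Recommended Release table."""
import re

# Recommended Release column of the advisory's table, keyed by major release.
# None records a train the table lists as "Not vulnerable".
RECOMMENDED = {
    "2.x": None, "3.1": None, "3.2": None, "3.3": None,
    "3.4": "3.4.2S", "3.5": "3.5.1S", "3.6": None,
    "3.7": "3.7.3S", "3.8": "3.8.1S", "3.9": "3.9.2S",
    "3.10": None,
}

# Matches '3.9.1S' and the zero-padded '03.09.01.S' form.
_RELEASE = re.compile(r"0*(\d+)\.0*(\d+)\.0*(\d+)\.?S")


def parse_release(text: str) -> tuple[int, int, int]:
    """Return (major, minor, rebuild) as integers so releases compare numerically."""
    m = _RELEASE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS XE release string: {text!r}")
    major, minor, rebuild = (int(x) for x in m.groups())
    return major, minor, rebuild


def release_from_show_version(output: str) -> str:
    """Extract the release string from show version output. Assumes (not shown
    on the advisory page) a line such as 'Cisco IOS XE Software, Version 03.09.01.S'."""
    m = re.search(r"Cisco IOS XE Software, Version (\S+)", output)
    if not m:
        raise ValueError("no 'Cisco IOS XE Software, Version' line found")
    return m.group(1)


def exposure(release: str) -> str:
    """Classify a release against the Recommended Release table.
    Comparison is only within the same major release train, as the table is."""
    major, minor, rebuild = parse_release(release)
    train = "2.x" if major == 2 else f"{major}.{minor}"
    if train not in RECOMMENDED:
        return f"unknown: {train} is not listed in this advisory"
    fix = RECOMMENDED[train]
    if fix is None:
        return "not vulnerable"
    if (major, minor, rebuild) >= parse_release(fix):
        return f"fixed: {fix} or later"
    return f"vulnerable: upgrade to {fix} or later"


# Constructed sample show version line (assumed format, see docstring above).
SHOW_VERSION = "Cisco IOS XE Software, Version 03.09.01.S\n"

if __name__ == "__main__":
    for r in ("3.4.1S", "3.4.2S", "3.6.2S", "3.9.1S", "03.09.02.S", "3.11.0S"):
        print(f"{r:>10} -> {exposure(r)}")
    print(release_from_show_version(SHOW_VERSION), "->",
          exposure(release_from_show_version(SHOW_VERSION)))
```

A train that the table does not list (3.11 in the sample loop) is reported as unknown rather than assumed safe, which is the conservative reading the advisory's own wording about reviewing subsequent advisories calls for.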
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
Cisco IOS XE Software Malformed ICMP Packet Denial of Service Vulnerability and Cisco IOS XE Software TCP Segment Reassembly Denial of Service Vulnerability were discovered during the resolution of customer support cases.
The remaining vulnerabilities described in this security advisory were discovered during internal security testing.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision 1.0 | 2013-October-30 | Initial public release |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.