Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Cisco Products IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability

Related Vulnerabilities: CVE-2016-1409  

A vulnerability in the IP Version 6 (IPv6) packet processing functions of multiple Cisco products could allow an unauthenticated, remote attacker to cause an affected device to stop processing IPv6 traffic, leading to a denial of service (DoS) condition on the device. The vulnerability is due to insufficient processing logic for crafted IPv6 packets that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 Neighbor Discovery (ND) packets to an affected device for processing. A successful exploit could allow the attacker to cause the device to stop processing IPv6 traffic, leading to a DoS condition on the device. This vulnerability is not Cisco specific: any IPv6 processing unit not capable of dropping such packets early in the processing path or in hardware is affected by this vulnerability. Cisco will release software updates that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6

Source

Summary

  • A vulnerability in the IP Version 6 (IPv6) packet processing functions of multiple Cisco products could allow an unauthenticated, remote attacker to cause an affected device to stop processing IPv6 traffic, leading to a denial of service (DoS) condition on the device.

    The vulnerability is due to insufficient processing logic for crafted IPv6 packets that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 Neighbor Discovery (ND) packets to an affected device for processing. A successful exploit could allow the attacker to cause the device to stop processing IPv6 traffic, leading to a DoS condition on the device.

    This vulnerability is not Cisco specific: any IPv6 processing unit not capable of dropping such packets early in the processing path or in hardware is affected by this vulnerability.

    Cisco will release software updates that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6

Affected Products

  • Cisco is currently investigating its product line to determine which products may be affected by this vulnerability and the impact of the vulnerability on each affected product. As the investigation progresses, Cisco will update this advisory with information about affected products, including the ID of the Cisco bug for each affected product. The bugs will be accessible through the Cisco Bug Search Tool and will contain additional platform-specific information, including any available workarounds and fixed software releases.

    Vulnerable Products

    Cisco has confirmed that Cisco IOS XR Software, Cisco IOS Software, Cisco IOS XE Software, Cisco NX-OS Software, Cisco ASA Software, and Cisco StarOS Software are affected by the vulnerability described in this advisory.

    Note: Affected devices that are configured with a global IPv6 address on at least one interface and are processing traffic can be exploited by a remote attacker. Affected devices that are configured with only a link-local address on interfaces and are processing IPv6 traffic can be exploited with crafted packets only by a Layer 2 adjacent attacker.

    For information about which software releases are affected, see the "Fixed Software" section of this advisory.

    Cisco IOS XR Software

    The following Cisco products are affected by this vulnerability if they are running an affected release of Cisco IOS XR Software and IPv6 is enabled on one or more interfaces:
    • Cisco 12000 Series Routers
    • Cisco ASR 9000 Series Aggregation Services Routers
    • Cisco Carrier Routing System
    • Cisco Network Convergence System 4000 Series
    • Cisco Network Convergence System 6000 Series Routers

    All types of line cards on those platforms are affected by this vulnerability.

    If a device is running an affected release of Cisco IOS XR Software and IPv6 is enabled, administrators can identify interfaces that have assigned IPv6 addresses by using the show ipv6 interface brief command in the command-line interface (CLI). The following example shows the output of the command on a device that is running Cisco IOS XR Software with IPv6 enabled:
    RP/0/RP0/CPU0:router# show ipv6 interface brief

      
     GigabitEthernet0/2/0/0 [Up/Up]
     fe80::212:daff:fe62:c150 
     202::1
    In addition, if IPv6 is enabled, the ipv6 enable interface configuration command is present in the configuration. The following example shows the output of a vulnerable configuration:
    RP/0/RP0/CPU0:router(config)# interface GigabitEthernet0/2/0/0
    	
      RP/0/RP0/CPU0:router(config-if)# ipv6 enable
    If IPv6 is not supported by the Cisco IOS XR Software release that is running on a device, use of the show ipv6 interface brief command produces an error message. If IPv6 is not enabled on the device, use of the show ipv6 interface brief command does not show any interfaces with IPv6 addresses. In either scenario, the device is not affected by this vulnerability.

    Cisco IOS Software

    Cisco products are affected by this vulnerability if they are running an affected release of Cisco IOS Software and IPv6 is enabled on one or more interfaces. By default, IPv6 is not enabled.

    To determine whether IPv6 is enabled on one or more interfaces, administrators can use the show running-config | include ipv6.(enable|address) privileged EXEC command in the CLI. If IPv6 is enabled, ipv6 enable and ipv6 address appear in the output of the command.

    The following example shows the output of the show running-config | include ipv6.(enable|address) command on a device that is running Cisco IOS XE Software with IPv6 configured:
    Router# show running-config | include ipv6.(enable|address)
     ipv6 enable  
 ipv6 address dhcp rapid-commit
     ipv6 address autoconfig  
 ipv6 address MANAGEMENT ::1FFF:0:0:0:3560/128
     ipv6 address 2001:DB8::1/64

    Cisco IOS XE Software

    The following Cisco products are affected by this vulnerability if they are running an affected release of Cisco IOS XE Software and IPv6 is enabled on one or more interfaces that process traffic:
    • Cisco 4300 Series Integrated Services Routers
    • Cisco 4400 Series Integrated Services Routers
    • Cisco ASR 900 Series Aggregation Services Routers
    • Cisco ASR 1000 Series Aggregation Services Routers
    • Cisco Cloud Services Router 1000V Series
    • Switches running Cisco IOS XE Software

    By default, IPv6 is not enabled.

    This vulnerability does not depend on any specific combination of Embedded Services Processor (ESP) and Route Processor (RP) installations on the chassis. Any combination of ESP and RP chassis installations is affected by this vulnerability.

    To determine whether IPv6 is enabled on one or more interfaces, administrators can use the show running-config | include ipv6.(enable|address) privileged EXEC command in the CLI. If IPv6 is enabled, ipv6 enable or ipv6 address appear in the output of the command.

    The following example shows the output of the show running-config | include ipv6.(enable|address) command on a device that is running Cisco IOS XE Software with IPv6 configured:
    Router# show running-config | include ipv6.(enable|address)
     ipv6 enable  
 ipv6 address dhcp rapid-commit
     ipv6 address autoconfig  
 ipv6 address MANAGEMENT ::1FFF:0:0:0:3560/128
     ipv6 address 2001:DB8::1/64

    Cisco NX-OS Software

    All Cisco products running Cisco NX-OS Software are affected by this vulnerability if IPv6 is enabled on one or more interfaces that process traffic. By default, IPv6 is not enabled.

    To determine whether IPv6 is enabled on one or more interfaces, administrators can use the show running-config | include ipv6.address privileged EXEC command in the CLI. If IPv6 is enabled, ipv6 address appears in the output of the command.

    The following example shows the output of the show running-config | include ipv6.address command on a device that is running Cisco NX-OS Software with IPv6 enabled:
    Router# show running-config | include ipv6.address
     ipv6 address 2001:DB8::1/64

    Cisco ASA Software

    IPv6 is not enabled by default. To enable IPv6 on a Cisco ASA or Cisco ASASM, at a minimum a link-local address needs to be configured for IPv6 to operate correctly. If a global address is configured, a link-local address is automatically configured on each interface.

    To verify that the Cisco ASA or Cisco ASASM has IPv6 enabled, administrators can use the show ipv6 interface command in the CLI and confirm that the command returns output. The following example shows a Cisco ASA that has two interfaces (inside and outside) configured and IPv6 enabled:

    ciscoasa# show ipv6 interface
outside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::219:2fff:fe83:4f42
  No global unicast address is configured
  Joined group address(es):
    ff02::1
    ff02::1:ff83:4f42
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses.
inside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::219:2fff:fe83:4f43
  No global unicast address is configured
  Joined group address(es):
    ff02::1
    ff02::1:ff83:4f43
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses.


    Cisco StarOS Software

    Cisco ASR 5000 Series devices running Cisco StarOS Software are affected by this vulnerability if IPv6 is enabled on one or more interfaces that process traffic. By default, IPv6 is not enabled.

    To determine whether IPv6 is enabled on one or more interfaces, administrators can use the show ipv6 interface summary privileged EXEC command in the CLI. If IPv6 is enabled, an IPv6 address appears in the output of the command.

    The following example shows the output of the show ipv6 interface summary command on a device that is running Cisco StarOS Software with IPv6 enabled:

    [local]router# show ipv6 interface summary 
    Friday February 21 09:00:07 UTC 2014
    Interface Name                 Address/Mask        Port               Status
    ============================== =================== ================== ======
    int1_test_v6                    2001:db8::1/64 	   20/1 vlan 122      UP
    int2_test_v6                    2001:db8::2/64 	   21/1 vlan 122      UP
    int3_test_v6                    2001:db8::3/64 	   22/1 vlan 122      UP
    int4_test_v6                    2001:db8::4/64 	   23/1 vlan 130      UP


    Determining the Cisco IOS XR Software Release

    To determine which Cisco IOS XR Software release is running on a device and the name of the device on which it is running, administrators can log in to the device and use the show version command in the CLI. If the device is running Cisco IOS XR Software, Cisco IOS XR Software or similar text appears in the system banner. The location and name of the system image file that is currently running on the device appears next to the System image file is text. The name of the hardware product appears on the line after the name of the system image file.

    The following example shows the output of the show version command on a device that is running Cisco IOS XR Software Release 4.1.0 with an installed image name of mbihfr-rp.vm:
    RP/0/RP0/CPU0:router# show version
     Mon May 31 02:14:12.722 DST

     Cisco IOS XR Software, Version 4.1.0
     Copyright (c) 2010 by Cisco Systems, Inc.

     ROM: System Bootstrap, Version 2.100(20100129:213223) [CRS-1 ROMMON],  

     router uptime is 1 week, 6 days, 4 hours, 22 minutes
     System image file is "bootflash:disk0/hfr-os-mbi-4.1.0/mbihfr-rp.vm"

     cisco CRS-8/S (7457) processor with 4194304K bytes of memory.
     7457 processor at 1197Mhz, Revision 1.2

    Determining the Cisco IOS Software Release

    To determine which Cisco IOS Software release is running on a Cisco product, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name appears in parentheses followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output.

    The following example identifies a Cisco product that is running Cisco IOS Software Release 15.5(2)T1 with an installed image name of C2951-UNIVERSALK9-M:

    Router> show version 
    Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2015 by Cisco Systems, Inc.
    Compiled Mon 22-Jun-15 09:32 by prod_rel_team
    .
    .
    .

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device and use the show version command in the CLI. If the device is running Cisco IOS XE Software, Cisco IOS XE Software or similar text appears in the system banner.

    The following example shows the output of the show version command on a device that is running Cisco IOS XE Software Release 3.6.2S, which maps to Cisco IOS Software Release 15.2(2)S2: 
    Router# show version 
    Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S2, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Tue 07-Aug-12 13:40 by mcpre
    Determining the Cisco NX-OS Software Release

    To determine which Cisco NX-OS Software release is running on a device, administrators can log in to the device and use the show version command in the CLI. If the device is running Cisco NX-OS Software, Cisco Nexus Operating System (NX-OS) Software or similar text appears in the system banner.

    The following example shows the output of the show version command for a Cisco Nexus 5000 Series Switch running Cisco NX-OS Software Release 7.1(1)N1(1): 
    # show version
    Cisco Nexus Operating System (NX-OS) Software
    TAC support: http://www.cisco.com/tac
    Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
    Copyright (c) 2002-2012, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.

    Software
    BIOS:      version 3.6.0
    loader:    version N/A
    kickstart: version 7.1(1)N1(1)
    system:    version 7.1(1)N1(1)

    Determining the Cisco ASA Software Release

    To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the show version command. The following example shows a device running Cisco ASA Software Release 8.4(1):
    ciscoasa#show version | include Version
    Cisco Adaptive Security Appliance Software Version 8.4(1) 
    Device Manager Version 6.4(1)
    Customers who use Cisco ASDM to manage devices can locate the software release in the table that appears in the login window or the upper-left corner of the Cisco ASDM window.


    Determining the Cisco StarOS Software Release

    To determine which Cisco StarOS Software release is running on a Cisco product, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. Each software image can be identified by its release version and its corresponding build number.

    The following example identifies a Cisco product that is running Cisco StarOS Software Release 15.0 (49328):

    [local# show version
    Active Software:
     Image Version: 15.0 (49328)
     Image Branch Version: 015.000(001)
     Image Description: Production_Build
     Image Date: Tue Apr 23 00:45:12 EDT 2013
     Boot Image: Unknown

    Products Confirmed Not Vulnerable

    No other Cisco products are currently known to be affected by this vulnerability.

Indicators of Compromise

  • Exploitation of this vulnerability could cause high CPU usage on an affected platform. It could also cause an affected device to stop processing all IPv6 traffic. On some devices, exploitation of this vulnerability could cause a temporary loss of services for traffic that terminates on the device, in addition to IPv6 traffic.

Workarounds

  • Any workarounds, when available, will be documented in the Cisco bugs, which are accessible through the Cisco Bug Search Tool.

    Customers should rely on external mitigation techniques, such as denying IPv6 ND packets in an access control list (ACL) placed on an Internet edge router, to protect infrastructure devices behind those routers. IPv6 ND packets should be limited to local links and dropping them on the edge can help protect the infrastructure. It is a commonly accepted best practice to drop these packets at the Internet edge. Alternatively, configuring static IPv6 neighbors where possible and denying all IPv6 ND packets at the edge will help mitigate this vulnerability.

Fixed Software

  • All releases of Cisco IOS XR Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco NX-OS Software are affected by the vulnerability described in this advisory.

    Not all hardware platforms are affected equally. Where software fixes are applicable, updates for affected software releases will be published when they are available and information about those updates will be documented in Cisco bugs, which are accessible from the Cisco Bug Search Tool. Where software updates are not applicable, guidance will be provided in the respective Cisco bug release notes.

    When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

  • As of May 26, 2016, the Cisco Product Security Incident Response Team (PSIRT) is aware of disruptions for some Cisco customers who are running the affected platforms.

Source

  • This vulnerability was found during the resolution of a support case.

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Action Links for This Advisory

URL

Revision History

  • Version Description Section Status Date
    1.16 Added Cisco bugs CSCvb19057 and CSCva17794. Changed status to Final. Cisco Bug IDs, Status of this Notice Final 2019-September-16
    1.15 Added Cisco bugs CSCva94139, CSCva61877 Cisco Bug IDs Interim 2016-September-14
    1.14 Added Cisco bug CSCva3353. Cisco Bug IDs Interim 2016-August-09
    1.13 Added Cisco bug CSCva39982. Cisco Bug IDs Interim 2016-July-12
    1.12 Updated Summary and Workarounds to include information about potential mitigation. Summary, Workarounds Interim 2016-July-06
    1.11 Updated information about products under investigation and fixed software Affected Products, Fixed Software Interim 2016-July-01
    1.10 Updated information about fixed software. Fixed Software Interim 2016-June-20
    1.9 Updated information about fixed software. Fixed Software Interim 2016-June-16
    1.8 Updated information about products under investigation and confirmed as vulnerable. Affected Products Interim 2016-June-13
    1.7 Updated information about fixed software. Fixed Software Interim 2016-June-10
    1.6 Updated information about products under investigation. Affected Products Interim 2016-June-08
    1.5 Updated information about fixed software. Fixed Software Interim 2016-June-06
    1.4 Updated information about products under investigation and confirmed as vulnerable. Affected Products Interim 2016-June-03
    1.3 Updated Summary and Workarounds to include information about potential mitigation. Summary, Workarounds Interim 2016-June-01
    1.2 Updated information about products under investigation and confirmed as vulnerable. Added information about possible indicators of compromise and service disruption. Affected Products Interim 2016-May-31
    1.1 Updated information about products under investigation and confirmed as vulnerable. Added information about possible indicators of compromise and service disruption. Affected Products, Indicators of Compromise, Exploitation and Public Announcements Interim 2016-May-26
    1.0 Initial public release. - Interim 2016-May-25
    Show Complete History...

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started