Cisco IOS XR Software for Cisco ASR 9001 Aggregation Services Routers Fragmented Packet Denial of Service Vulnerability

Summary

• A vulnerability in the driver processing functions of Cisco IOS XR Software for Cisco ASR 9001 Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a memory leak on the route processor (RP) of an affected device, which could cause the device to drop all control-plane protocols and lead to a denial of service condition (DoS) on a targeted system.
  
  The vulnerability is due to improper handling of crafted, fragmented packets that are directed to an affected device. An attacker could exploit this vulnerability by sending crafted, fragmented packets to an affected device for processing and reassembly. A successful exploit could allow the attacker to cause a memory leak on the RP of the device, which could cause the device to drop all control-plane protocols and eventually lead to a DoS condition on the targeted system.
  
  Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. However, there are mitigations for this vulnerability.
  
  This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160810-iosxr

Affected Products

• Vulnerable Products

  This vulnerability affects Cisco IOS XR Software Releases 5.1.x, 5.2.x, and 5.3.x, prior to the first fixed release or applicable update for those releases, running on Cisco ASR 9001 Aggregation Services Routers. Cisco ASR 9001 Aggregation Services Routers are vulnerable by default if they are running a vulnerable release of Cisco IOS XR Software.
  
  This vulnerability can be exploited by sending crafted, fragmented IPv4 or IPv6 packets requiring reassembly to the IPv4 or IPv6 unicast address of any interface that is configured on an affected device. The vulnerability can be triggered only by traffic that is destined to an affected device. It cannot be triggered by traffic that is transiting an affected device.
  
  Determining the Cisco IOS XR Software Release
  
  To determine which Cisco IOS XR Software release is running on a device and the name of the device on which it is running, administrators can log in to the device and use the show version command in the command-line interface (CLI). If the device is running Cisco IOS XR Software, Cisco IOS XR Software or similar text appears in the system banner. The name of the hardware product appears on the line after the location of the system image file.
  
  The following example shows the output of the show version command on a Cisco ASR 9001 Aggregation Services Router that is running Cisco IOS XR Software Release 5.1.3:
  
  

  RP/0/RSP0/CPU0:router#show version
  
  Cisco IOS XR Software, Version 5.1.3[Default]
  Copyright (c) 2015 by Cisco Systems, Inc.
  
  ROM: System Bootstrap, Version 2.04(20140227:092320) [ASR9K ROMMON],  
  
  router uptime is 2 days, 12 hours, 2 minutes
  System image file is "bootflash:disk0/asr9k-os-mbi-5.1.3.sp7-1.0.0/0x100000/mbiasr9k-rp.vm"
  
  
  cisco ASR9K Series (P4040) processor with 8388608K bytes of memory.
  P4040 processor at 1500MHz, Revision 2.0
  ASR-9001 Chassis
  .
  
  .
  
  .

  
  

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by this vulnerability. Cisco has confirmed that this vulnerability affects only Cisco ASR 9001 Aggregation Services Routers that are running a vulnerable release of Cisco IOS XR Software.
  
  Cisco has also confirmed that this vulnerability does not affect Cisco ASR 9006, ASR 9010, ASR 9904, ASR 9910, ASR 9912, or ASR 9922 Aggregation Services Routers. In addition, this vulnerability does not affect Cisco 12000 Series Routers, Cisco Carrier Routing System, Cisco Network Convergence System (NCS) 6000 Series Routers, Cisco NCS 5000 Series Routers, or Cisco NCS 4000 Series Routers that are running Cisco IOS XR Software.

Indicators of Compromise

• Exploitation of this vulnerability could cause a memory leak in the Software Packet Path (SPP) process on the RP of an affected device, which will cause the device to start dropping routing-protocol packets and management connections and may eventually cause the RP to reload. While experiencing these problems, all traffic that is destined to a device and, depending on the information learned from the routing protocols, all pass-through traffic will be dropped, resulting in a DoS condition. Repeated exploitation could result in a sustained DoS condition.
  
  If a device is exploited, administrators can use the CLI to manually restart the SPP process on the RP, recover leaked buffers, and allow routing-protocol packets and management connections to build. The following example shows how to restart the SPP process and recover leaked buffers:
  
  

  RP/0/RSP0/CPU0:router#process restart spp location 0/rSP0/CPU0 
  Sun Jun 24 15:56:46.656 UTC
  RP/0/RSP0/CPU0:Jun 24 15:56:46.709 : sysmgr_control[65747]: %OS-SYSMGR-4-PROC_RESTART_NAME : User root (con0_RSP0_CPU0)
  requested a restart of process spp at 0/RSP0/CPU0
  

  
  

Workarounds

• There are no workarounds that address this vulnerability. However, administrators can use an access control list (ACL) with the fragments keyword to configure an affected device to drop noninitial fragments. To avoid dropping valid fragmented traffic, implementation of this mitigation requires detailed knowledge of the network and careful configuration by a network administrator. For information about how the fragments keyword changes ACL behavior, see the Access Control Lists and IP Fragments white paper.

Fixed Software

• Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
  http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
  
  Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
  
  When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
  
  In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
  
  Customers Without Service Contracts
  
  Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
  http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
  
  Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
  
  Fixed Releases
  
  This vulnerability has been corrected in Cisco IOS XR Software Release 5.3.3 for Cisco ASR 9001 Aggregation Services Routers.
  
  This vulnerability has also been corrected in the following Software Maintenance Updates (SMUs) for Cisco IOS XR Software:
  

  • asr9k-px-5.3.2.CSCux26791.pie for Releases 5.3.x
  • asr9k-px-5.2.4.CSCux26791.pie for Releases 5.2.x
  • asr9k-px-5.1.3.CSCux26791.pie for Releases 5.1.x

  Note that Cisco IOS XR Software Releases 6.0.x are not affected by this vulnerability.
  
  Customers are advised to upgrade to an appropriate release or install an appropriate SMU as indicated in this section.

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

• This vulnerability was found during the resolution of a support case.

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160810-iosxr

Revision History

• Version	Description	Section	Status	Date
  1.1	Added CVE ID.	Header	Final	2016-August-10
  1.0	Initial public release.	-	Final	2016-August-10

  Show Less