Vulnerability Note VU#341288
Cisco IOS fails to properly process certain packets containing a crafted IP option
Overview
Cisco IOS software contains a vulnerability that may allow an attacker to execute arbitrary code or create a denial of service condition.
I. Description
Cisco IOS is an operating system that is used on Cisco network devices. The Internet Control Message Protocol (ICMP) is a protocol commonly used for testing connections and diagnosing problems.
A vulnerability exists in the way Cisco IOS processes the following types of packets sent to an IPv4 address on an affected system.
- ICMP - Echo (Type 8)
- ICMP - Timestamp (Type 13)
- ICMP - Information Request (Type 15)
- ICMP - Address Mask Request (Type 17)
- PIMv2 - IP protocol 103
- PGM - IP protocol 113
- URD - TCP Port 465
An attacker may be able to exploit the vulnerability by sending a packet with a specially crafted IP header to an IP address on a vulnerable system. Note that ICMP is often enabled on network infrastructure switches and routers for troubleshooting purposes.
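For monitoring or ACL planning, the conditions above can be turned into a traffic check. The following is an added example, not code from this note or from Cisco: it labels IPv4 packets that are addressed to the device itself, carry IP options, and are one of the listed packet types. The note does not say which option is crafted, so flagging any packet with options is an assumption; the names `classify`, `sample` and `local_addrs` and all addresses are constructed for illustration.

```python
import struct

# Packet types listed in this note (ICMP types apply when IP protocol is 1).
ICMP_TYPES = {8: "Echo", 13: "Timestamp", 15: "Information Request",
              17: "Address Mask Request"}
IP_PROTOS = {103: "PIMv2", 113: "PGM"}
URD_TCP_PORT = 465


def classify(packet, local_addrs):
    """Label an IPv4 packet that is addressed to the device itself, carries
    IP options, and is one of the listed packet types; otherwise None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    hdr_len = (packet[0] & 0x0F) * 4
    if hdr_len <= 20 or len(packet) < hdr_len:
        return None  # no IP options present, or header truncated
    if ".".join(map(str, packet[16:20])) not in local_addrs:
        return None  # transit traffic: the device is not the destination
    proto, payload = packet[9], packet[hdr_len:]
    if proto in IP_PROTOS:
        return IP_PROTOS[proto]
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None  # later fragment: no ICMP/TCP header to inspect
    if proto == 1 and payload and payload[0] in ICMP_TYPES:
        return "ICMP " + ICMP_TYPES[payload[0]]
    if proto == 6 and len(payload) >= 4:
        if struct.unpack("!H", payload[2:4])[0] == URD_TCP_PORT:
            return "URD"
    return None


def sample(proto, dst, payload, options=b""):
    """Constructed test packet; header checksum is left as zero."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, proto, 0, bytes([192, 0, 2, 10]),
                      bytes(map(int, dst.split("."))))
    return hdr + options + payload


if __name__ == "__main__":
    pad = b"\x01\x01\x01\x00"  # benign options: three No-Operation + End of List
    mine = {"192.0.2.1"}       # constructed device address (documentation range)
    echo = b"\x08\x00\x00\x00\x00\x01\x00\x01"
    print(classify(sample(1, "192.0.2.1", echo, pad), mine))
    print(classify(sample(1, "192.0.2.1", echo), mine))
    print(classify(sample(1, "198.51.100.7", echo, pad), mine))
```

Packets without options and packets merely transiting the device return `None`, which matches the note's statement that the vulnerable system must be the destination.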
II. Impact
A remote unauthenticated attacker may be able to execute arbitrary code or create a denial of service condition. Note that a vulnerable system would have to be the destination for the specially crafted packet.
III. Solution
Upgrade
See the Software Version and Fixes section of Cisco Security Advisory 20070124 for information on available upgrades.
Restrict Access
Restricting public access to vulnerable systems mitigates this vulnerability. Access control lists, management VLANs, or alternate connection methods such as modem or console ports can be used to allow restricted access to the device.
Disable Services
Disabling IPv4 functionality on devices using IPv6 may prevent this vulnerability from being exploited.
For more information about these and other workarounds, see the workarounds section of Cisco Security Advisory 20070124.
Systems Affected
References
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35wc/sc/swgvlans.htm#xtocid119662
http://en.wikipedia.org/wiki/Access_control_list
http://en.wikipedia.org/wiki/IPv6
http://tools.ietf.org/html/rfc791
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml#fixes
http://en.wikipedia.org/wiki/Cisco_IOS
http://tools.ietf.org/html/rfc792
http://www.cisco.com/warp/public/707/cisco-sa-20070124-bundle.shtml
http://secunia.com/advisories/23867/
http://www.cisco.com/en/US/products/products_security_response09186a00807cb0da.html
http://www.securityfocus.com/bid/22211
Credit
Thanks to Cisco for information that was used in this report.
This document was written by Ryan Giobbi.
Other Information
| Date Public | 01/24/2007 |
| Date First Published | 01/24/2007 04:34:22 PM |
| Date Last Updated | 01/31/2007 |
| CERT Advisory | |
| CVE-ID(s) | |
| NVD-ID(s) | |
| US-CERT Technical Alerts | |
| Metric | 18.15 |
| Document Revision | 19 |