search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Cisco IOS vulnerable to denial of service via Cisco Discovery Protocol

Vulnerability Note VU#139491

Original Release Date: 2001-10-10 | Last Revised: 2001-10-11

Overview

The Cisco IOS contains a denial-of-service vulnerability that allows nearby remote attackers to crash or temporarily disable affected network devices.

Description

The Cisco Internetwork Operating System (IOS) contains a vulnerability in its processing of Cisco Discovery Protocol (CDP) packets. By sending large numbers of crafted CDP packets to an affected device, a nearby remote attacker can consume all available memory resources, causing the device to either crash or stop responding. It is important to note that the CDP protocol operates at the data link layer of the ISO/OSI model, so it cannot be propagated by network and transport layer protocols such as IP and TCP, respectively. As such, attackers will only be able to attack devices on networks they can access directly (ie. without IP routing). However, this also means that many of the strategies commonly used to block malicious traffic (such as port filtering) cannot be used to prevent attackers from reaching an affected host.

Impact

This vulnerability allows a nearby remote attacker to crash or consume the memory resources of an affected switch, router, or other network device.

Solution

Disable the Cisco Discovery Protocol

Sites that do not require the Cisco Discovery Protocol may disable it for a single interface by issuing the "no cdp enable" command on the interface. Alternatively, CDP can be disabled for the entire device by issuing the "no cdp run" command.

Vendor Information

139491
 

Cisco Affected

Notified:  October 09, 2001 Updated: October 10, 2001

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

This is not a Cisco security advisory.

There is a vulnerability in how Cisco routers are handling CDP.
By sending a large amount of CDP neighbor announcements it is
possible to consume all available router's memory. That will cause
a crash or some other abnormal behavior. This vulnerability is
assigned a Cisco bug ID CSCdu09909. You can see details of it
if you have a valid CCO account. This vulnerability was
discovered by fx@phenoelit.de

In order to trigger this vulnerability an attacker must be on the same
segment as the target router. This vulnerability can not be exploited
over the Internet unless an attacker has a helper program already
planted on the internal network.

The workaround for this vulnerability is to disable CDP. In order to
disable CDP for the whole router execute the following global command:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# no cdp run

Alternatively, CDP can be disabled on a particular interface. This
can be done using the following commands:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface Ethernet0
Router(config-if)# no cdp enable

In this particular case we advise all customers to disable CDP for
the whole router.

This vulnerability has ben fixed in the following interim images:

12.2(3.6)B
12.2(4.1)S
12.2(3.6)PB
12.2(3.6)T
12.1(10.1)
12.2(3.6)

All higher IOS releases should contain this fix.

Please note that interim images are built at regular intervals between
maintenance releases and receives less testing. Interims should be selected
only if there is no other suitable release that addresses the vulnerability,
and interim images should be upgraded to the next available maintenance
release as soon as possible. Interim releases are not available via
manufacturing, and usually they are not available for customer
download from CCO without prior arrangement with the Cisco TAC.

We would like to thank Phenoelit on his co-operation on this issue.

Gaus

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3

iQEVAwUBO8MJHg/VLJ+budTTAQGpxAgAydE4X125IB9yzCb+uEExB9PjMpfLrRfH
ONbLmUfLi242ubhqb8kfOc+gGziB3YuNJck+N5YPcdT7ql0jpPOpltVQdoevNFBD
AhCZT1Eyp/Fi7npv5BDsX/Y4Jd1yTYjGUEIbZJLFJ2lFL9ip4z+bEFYfQ+Bdy0zt
7k8YckcJt2qxOnhGEZaU5tZMzP/Sc3NysZbUOmlCyI1t1cLocKzd81SC/LNsWyDF
Rac/7ZFb8LrvNQxVLt3d1/7jpVtuYFgXDdZhDOwaXem1T5r430AYE9hTRLwUwUE5
U6Sq6kdEjJyGkX3Tqwb/+/g5ERGkrwBtR95eiV13Kw8i2ehqlQ1rNQ==
=2DU0
-----END PGP SIGNATURE-----
==============
Damir Rajnovic <psirt@cisco.com>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
Phone: +44 7715 546 033
4 The Square, Stockley Park, Uxbridge, MIDDLESEX UB11 1BN, GB
==============

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was discovered by the Phenoelit Group and reported to the Bugtraq mailing list on October 9, 2001.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: CVE-2001-1071
Severity Metric: 19.69
Date Public: 2001-10-09
Date First Published: 2001-10-10
Date Last Updated: 2001-10-11 22:56 UTC
Document Revision: 12

Sponsored by CISA.