The Cisco IOS contains a denial-of-service vulnerability that allows nearby remote attackers to crash or temporarily disable affected network devices.
The Cisco Internetwork Operating System (IOS) contains a vulnerability in its processing of Cisco Discovery Protocol (CDP) packets. By sending large numbers of crafted CDP packets to an affected device, a nearby remote attacker can consume all available memory resources, causing the device to either crash or stop responding. It is important to note that the CDP protocol operates at the data link layer of the ISO/OSI model, so it cannot be propagated by network and transport layer protocols such as IP and TCP, respectively. As such, attackers will only be able to attack devices on networks they can access directly (ie. without IP routing). However, this also means that many of the strategies commonly used to block malicious traffic (such as port filtering) cannot be used to prevent attackers from reaching an affected host.
This vulnerability allows a nearby remote attacker to crash or consume the memory resources of an affected switch, router, or other network device.
Disable the Cisco Discovery Protocol
Sites that do not require the Cisco Discovery Protocol may disable it for a single interface by issuing the "no cdp enable" command on the interface. Alternatively, CDP can be disabled for the entire device by issuing the "no cdp run" command.
This vulnerability was discovered by the Phenoelit Group and reported to the Bugtraq mailing list on October 9, 2001.
This document was written by Jeffrey P. Lanza.
|Date First Published:||2001-10-10|
|Date Last Updated:||2001-10-11 22:56 UTC|