Cisco Systems Inc. Information for VU#24346

Cisco IOS software vulnerable to DoS via HTTP request containing "%%"



Vendor Statement

From the Cisco Advisory:

The following list of products are affected if they are running a release of Cisco IOS software that has the defect. To determine if a Cisco product is running IOS, log in to the device and issue the command show version. Classic Cisco IOS software will identify itself simply as "Internetwork Operating System Software" or "IOS (tm)" software and will display a version number. Other Cisco devices either will not have the show version command, or will give different output. Compare the version number obtained from the router with the versions presented in the Software Versions and Fixes section below.

Cisco devices that may be running affected releases include:

    • Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and 12000 series.
    • Most recent versions of the LS1010 ATM switch.
    • The Catalyst 6000 if it is running IOS.
    • Some versions of the Catalyst 2900XL LAN switch.
    • The Cisco DistributedDirector.

For some products, the affected software releases are relatively new and may not be available on every device listed above.

If you are not running classic Cisco IOS software then you are not affected by this vulnerability. Cisco products that do not run classic Cisco IOS software and thus are not affected by this defect include:
    • 700 series dialup routers (750, 760, and 770 series) are not affected.
    • Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches are not affected except for some versions of the Catalyst 2900XL. However, optional router modules running Cisco IOS software in switch backplanes, such as the RSM module for the Catalyst 5000 and 5500, are affected (see the Affected Products section above).
    • The Catalyst 6000 is not affected if it is not running IOS.
    • WAN switching products in the IGX and BPX lines are not affected.
    • The MGX (formerly known as the AXIS shelf) is not affected.
    • No host-based software is affected.
    • The Cisco PIX Firewall is not affected.
    • The Cisco LocalDirector is not affected.
    • The Cisco Cache Engine is not affected.
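
The identification step in the vendor statement above, as an added example that is not part of the Cisco advisory or this vulnerability note: it checks captured `show version` text for the two classic IOS banner strings and extracts the running release for comparison against the advisory's fix table, which is not reproduced on this page. The function name, the assumed release layout `major.minor(maintenance)train`, and all sample captures are constructed for illustration.

```python
import re

# Strings the advisory says classic IOS prints in `show version` output.
IOS_MARKERS = ("Internetwork Operating System Software", "IOS (tm)")
# Assumed release layout, e.g. 12.0(7)T: major.minor(maintenance)train.
RELEASE_RE = re.compile(r"Version\s+((\d+\.\d+)\(\d+[a-z]*\)([A-Za-z]*)\d*)")

# Constructed sample captures, not output taken from real devices.
SAMPLE_IOS = """\
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)
"""
SAMPLE_OTHER = "Cisco PIX Firewall Version 5.1(2)\n"   # different output
SAMPLE_NO_COMMAND = "% Unknown command\n"              # no `show version`


def classify(show_version: str) -> dict:
    """Classify captured `show version` text and extract the running release."""
    result = {"classic_ios": False, "release": None, "base": None, "train": None}
    starts = [show_version.find(m) for m in IOS_MARKERS if m in show_version]
    if not starts:
        return result  # command missing, or a non-IOS operating system
    result["classic_ios"] = True
    # Search from the IOS banner onward and take the first hit, so later
    # ROM/bootstrap "Version" lines are not mistaken for the running image.
    match = RELEASE_RE.search(show_version, min(starts))
    if match:
        result["release"], result["base"], result["train"] = match.groups()
    return result


if __name__ == "__main__":
    captures = {"router": SAMPLE_IOS, "firewall": SAMPLE_OTHER,
                "unknown": SAMPLE_NO_COMMAND}
    for name, text in captures.items():
        info = classify(text)
        if info["classic_ios"]:
            print(f"{name}: classic IOS {info['release']}; "
                  "compare with the advisory's Software Versions and Fixes")
        else:
            print(f"{name}: not classic IOS per the advisory's criteria")
```

An empty `train` value means a mainline release with no train letters after the parenthesis.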

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

For the latest information on this vulnerability, please consult the following Cisco Security Advisory: