Cisco Affected

Notified: October 09, 2001
Updated: October 10, 2001

Status

Affected

Vendor Statement

This is not a Cisco security advisory.

There is a vulnerability in how Cisco routers are handling CDP. By sending a large amount of CDP neighbor announcements it is possible to consume all of the router's available memory. That will cause a crash or some other abnormal behavior.

This vulnerability is assigned a Cisco bug ID CSCdu09909. You can see details of it if you have a valid CCO account. This vulnerability was discovered by fx@phenoelit.de.

In order to trigger this vulnerability an attacker must be on the same segment as the target router. This vulnerability can not be exploited over the Internet unless an attacker has a helper program already planted on the internal network.

The workaround for this vulnerability is to disable CDP. In order to disable CDP for the whole router execute the following global command:

    Router# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# no cdp run

Alternatively, CDP can be disabled on a particular interface. This can be done using the following commands:

    Router# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# interface Ethernet0
    Router(config-if)# no cdp enable

In this particular case we advise all customers to disable CDP for the whole router.

This vulnerability has been fixed in the following interim images:

    12.2(3.6)B
    12.2(4.1)S
    12.2(3.6)PB
    12.2(3.6)T
    12.1(10.1)
    12.2(3.6)

All higher IOS releases should contain this fix.

Please note that interim images are built at regular intervals between maintenance releases and receive less testing. Interims should be selected only if there is no other suitable release that addresses the vulnerability, and interim images should be upgraded to the next available maintenance release as soon as possible. Interim releases are not available via manufacturing, and usually they are not available for customer download from CCO without prior arrangement with the Cisco TAC.

We would like to thank Phenoelit for his co-operation on this issue.

Gaus

Damir Rajnovic, PSIRT Incident Manager, Cisco Systems
Phone: +44 7715 546 033
4 The Square, Stockley Park, Uxbridge, MIDDLESEX UB11 1BN, GB
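To check whether the workaround in the vendor statement has been applied, a saved running-config can be audited for `no cdp run` and per-interface `no cdp enable`. The following is an added example, not code from Cisco or CERT/CC; the function name `audit_cdp` and the sample configuration are constructed for illustration, and it assumes CDP is on by default wherever it is not explicitly disabled and that a `shutdown` interface is not exposed.

```python
import re

# Constructed sample running-config (not taken from the advisory).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
!
interface Ethernet1
 ip address 198.51.100.1 255.255.255.0
 no cdp enable
!
interface Serial0
 no ip address
 shutdown
!
line vty 0 4
 login
"""


def audit_cdp(config_text):
    """Return (globally_disabled, interfaces_still_running_cdp).

    Assumption: CDP is enabled unless 'no cdp run' (global) or
    'no cdp enable' (interface) appears in the configuration.
    """
    globally_disabled = False
    interfaces = {}   # interface name -> set of its sub-commands
    current = None    # interface block currently being read, if any
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue  # blank line or '!' separator/comment
        if not raw[0].isspace():
            # A top-level command ends any open interface block.
            match = re.match(r"interface\s+(\S+)", raw)
            current = match.group(1) if match else None
            if current:
                interfaces[current] = set()
            if stripped == "no cdp run":
                globally_disabled = True
        elif current:
            interfaces[current].add(stripped)
    if globally_disabled:
        return True, []   # the whole-router workaround is in place
    exposed = [name for name, cmds in interfaces.items()
               if "no cdp enable" not in cmds and "shutdown" not in cmds]
    return False, exposed
```

An empty interface list with `globally_disabled` false means every active interface carries `no cdp enable`; the statement still advises the global `no cdp run`.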

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.