VID 12043
Severity 40
Port
Protocol 53,55,77,103
Class CISCO
Detailed Description The Cisco IOS is vulnerable to a denial of service attack via malicious IPv4 packets.
Multiple Cisco routers and switches running Cisco Internetwork Operating System Software (IOS) are affected by a denial of service vulnerability that covers the vast majority of Cisco's IPv4 product line. The vulnerability exists on all hardware platforms that run Cisco IOS versions 11.x through 12.x.
The vulnerability is caused by flawed packet processing routines that mishandle a specific, abnormal sequence of IPv4 traffic. When such a sequence is encountered, IOS incorrectly flags the input queue on the receiving network interface as full. After a specific time-out period, the affected device stops processing routing and ARP protocols on that interface, which effectively stops the interface from processing any traffic.
By sending a special sequence of IPv4 packets, a remote attacker can cause the device to flag the input queue as being full, which causes the input interface to stop processing traffic.

The attack can be repeated against a targeted device to disable all of its network interfaces. A device that enters this state cannot be recovered without user intervention and a cold restart.

* Note: The Cisco device will be crashed by this check; restarting the device is therefore required to regain normal functionality.
Before scanning, set an appropriate hop count for this check item, "CISCO/IOS/IPv4_DoS_by_test", in the Policy Editor. The value is the number of hops between this scanner and the router, chosen so that the packet's time to live (TTL) is 0 when it is received by the Cisco device.

* References:
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
http://www.cert.org/advisories/CA-2003-15.html
http://www.kb.cert.org/vuls/id/411332

* Platforms Affected:
Cisco IOS 11.x
Cisco IOS 12.x
Recommendation Upgrade to one of the fixed versions of Cisco IOS, as listed in the "Software Versions and Fixes" section of the Cisco Security Advisory (Cisco IOS Interface Blocked by IPv4 Packets): http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

Upgrades should be obtained through the Software Center on Cisco's worldwide website at
http://www.cisco.com/tacpage/sw-center/sw-ios.shtml

As a workaround, Cisco recommends that all IOS devices that process IPv4 packets be configured with Access Control Lists (ACLs) to block traffic directed to the router from any unauthorized source.
The following access list is specifically designed to block the attack traffic. It should be applied to all interfaces of the device and should be combined with topology-specific filters.

access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any

For details, see http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
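Added here as a defender's configuration check, not code from the advisory, Cisco or the scanner: a Python audit that parses an IOS running-config and reports every interface whose inbound ACL does not deny all four protocol numbers from the workaround above, honouring the IOS first-match rule so that a "permit ip any any" placed before the deny entries is caught. It assumes numbered extended ACLs applied with "ip access-group <n> in"; the sample config is constructed.

```python
import re

# Added example (not Cisco's or the scanner's code): audit an IOS running config
# for the workaround ACL. Assumes "ip access-group <n> in"; SAMPLE_CONFIG is constructed.
BLOCKED = {53, 55, 77, 103}  # IP protocol numbers the workaround denies
ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(deny|permit)\s+(\S+)\s+(.*)$")
IFACE_RE = re.compile(r"^interface\s+(\S+)$")
GROUP_RE = re.compile(r"^\s+ip access-group\s+(\d+)\s+in\b")

def parse_config(config):
    """Return ({acl number: [(action, proto, rest), ...]}, {interface: inbound acl or None})."""
    acls, ifaces, cur = {}, {}, None
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            acls.setdefault(int(m[1]), []).append((m[2], m[3], m[4]))
        elif m := IFACE_RE.match(line):
            ifaces.setdefault((cur := m[1]), None)
        elif (m := GROUP_RE.match(line)) and cur:
            ifaces[cur] = int(m[1])
    return acls, ifaces

def acl_blocks_attack(entries):
    """IOS evaluates first match, so the first any-to-any entry per protocol decides."""
    verdict = {}
    for action, proto, rest in entries:
        if rest.split()[:2] != ["any", "any"]:
            continue  # address-specific entries do not cover every source
        hit = BLOCKED if proto == "ip" else {int(proto)} if proto.isdigit() else set()
        for p in hit & BLOCKED:
            verdict.setdefault(p, action)
    return all(verdict.get(p) == "deny" for p in BLOCKED)

def unprotected_interfaces(config):
    """Interfaces with no inbound ACL, or one that fails to deny all four protocols."""
    acls, ifaces = parse_config(config)
    return sorted(name for name, num in ifaces.items()
                  if num is None or not acl_blocks_attack(acls.get(num, [])))

SAMPLE_CONFIG = """\
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any
access-list 102 permit ip any any
interface FastEthernet0/0
 ip access-group 101 in
interface FastEthernet0/1
 ip access-group 102 in
interface Serial0/0
"""
```

Running unprotected_interfaces(SAMPLE_CONFIG) reports FastEthernet0/1 (its ACL permits everything before denying anything) and Serial0/0 (no inbound ACL at all).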
Related URL CVE-2003-0567 (CVE)
Related URL 8211 (SecurityFocus)
Related URL 12631 (ISS)