| VID | 29051 |
| Severity | 20 |
| Port | 161 |
| Protocol | UDP |
| Class | CISCO |
| Detailed Description |
Cisco IOS has an ARP table overwrite vulnerability (Cisco Bug ID CSCdu81936). It can expose a Cisco router to a Denial-of-Service attack once the ARP table entries time out. It does not result in a failure of confidentiality of information stored on the unit, nor does this defect allow hostile code to be loaded onto a Cisco device. The attack is only successful against devices on the segment local to the attacker or attacking host. It is possible to send an Address Resolution Protocol (ARP) packet on a local broadcast interface (for example, Ethernet, cable, Token Ring, FDDI) that causes a router or switch running specific versions of Cisco IOS Software to stop sending and receiving ARP packets on the local router interface. Within a short time the router and the local hosts become unable to send packets to each other. ARP packets, both requests and replies, received by the router for the router's own interface address or for its global Network Address Translation (NAT) entries, but carrying a different MAC address, overwrite the router's MAC address in the router's ARP table with the one in the ARP request or reply.
* Note: This check relies solely on the version number of the remote system to assess this vulnerability, so the result may be a false positive. It also requires a read-access SNMP community string to collect the version number. To provide this access, add the valid community string to the check item "snmp/guessable/r" in the Policy Editor.
* References: http://www.cisco.com/warp/public/707/IOS-arp-overwrite-vuln-pub.shtml http://www.kb.cert.org/vuls/id/399355
* Platforms Affected: Cisco IOS, any version |
| Recommendation |
Upgrade to the latest version of Cisco IOS, as listed under "Software Versions and Fixes" in the Cisco Security Advisory (http://www.cisco.com/warp/public/707/IOS-arp-overwrite-vuln-pub.shtml). As a workaround, enter the router interface MAC address into the ARP table with a configuration entry, sometimes known as "hard coding" the ARP table entry, using the following command:
arp <ip-address> <hardware-address> <type>
The caveat to this workaround is defect CSCdv04366: when the command "clear arp" is issued on the router, it clears all manually entered MAC addresses from the ARP table that are the same as the interface MAC address. The workaround also does not survive a reboot of the router and must be re-entered into the configuration after any reload or reboot. |
| Related URL | CVE-2001-0895 (CVE) |
| Related URL | 3547 (SecurityFocus) |
| Related URL | 7547 (ISS) |
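The overwrite condition described above (an ARP request or reply whose sender IP is the router's interface address or a global NAT address, but whose sender MAC is not the router's) is something a monitoring host on the same segment can watch for. The following is an added example written for this page, not scanner code or Cisco code: it parses raw Ethernet/ARP frames and flags any frame that meets that condition. The router MAC, the protected IP addresses (192.0.2.0/24 documentation range) and the sample frames are all constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Addresses the advisory says are at risk: the router's own interface IP and
# its global NAT entries, each mapped to the MAC that legitimately owns it.
# These values are constructed for the example (documentation range 192.0.2.0/24).
PROTECTED: Dict[str, str] = {
    "192.0.2.1": "00:00:0c:12:34:56",   # hypothetical router interface address
    "192.0.2.10": "00:00:0c:12:34:56",  # hypothetical NAT global address
}

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]  # sha(6) spa(4) tha(6) tpa(4)
    return ArpPacket(opcode, _mac(body[0:6]), _ip(body[6:10]),
                     _mac(body[10:16]), _ip(body[16:20]))


def check_arp(pkt: Optional[ArpPacket],
              protected: Dict[str, str] = PROTECTED) -> Optional[str]:
    """Alert when an ARP request or reply claims a protected IP with a foreign MAC.

    This is the condition the advisory describes as overwriting the router's
    ARP entry: sender IP matches the interface/NAT address, sender MAC does not.
    Both opcodes are checked because the advisory says both trigger the overwrite.
    """
    if pkt is None or pkt.opcode not in (ARP_REQUEST, ARP_REPLY):
        return None
    expected = protected.get(pkt.sender_ip)
    if expected is None or expected.lower() == pkt.sender_mac.lower():
        return None
    kind = "request" if pkt.opcode == ARP_REQUEST else "reply"
    return (f"ARP {kind} claims {pkt.sender_ip} from MAC {pkt.sender_mac}; "
            f"expected {expected}")


def scan_frames(frames: List[bytes],
                protected: Dict[str, str] = PROTECTED) -> List[str]:
    """Run check_arp over a list of captured frames and return the alerts in order."""
    alerts = []
    for frame in frames:
        alert = check_arp(parse_arp_frame(frame), protected)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample frames (hex; whitespace is only for readability).
SAMPLE_FRAMES = {
    # Router announcing its own address: sender MAC matches, no alert.
    "router_gratuitous": bytes.fromhex(
        "ffffffffffff 00000c123456 0806"
        "0001 0800 06 04 0001"
        "00000c123456 c0000201"
        "000000000000 c0000201"),
    # Foreign station replying with the router's IP: the overwrite condition.
    "foreign_reply": bytes.fromhex(
        "00000c123456 deadbeef0001 0806"
        "0001 0800 06 04 0002"
        "deadbeef0001 c0000201"
        "00000c123456 c0000201"),
    # Foreign station using a NAT global address as sender in a request: also flagged.
    "foreign_request_nat": bytes.fromhex(
        "ffffffffffff deadbeef0002 0806"
        "0001 0800 06 04 0001"
        "deadbeef0002 c000020a"
        "000000000000 c0000201"),
    # Ordinary host asking for the router: sender IP is not protected, no alert.
    "host_request": bytes.fromhex(
        "ffffffffffff aabbcc000001 0806"
        "0001 0800 06 04 0001"
        "aabbcc000001 c0000242"
        "000000000000 c0000201"),
    # Not ARP at all (EtherType 0x0800): ignored by the parser.
    "ipv4_frame": bytes.fromhex("00000c123456 aabbcc000001 0800") + bytes(28),
}

if __name__ == "__main__":
    for line in scan_frames(list(SAMPLE_FRAMES.values())):
        print(line)
```

Run against the sample frames, only the two foreign frames produce alerts; the router's own gratuitous ARP and an ordinary host's request pass. On a real capture the same check would be fed frames from a promiscuous-mode interface on the local segment, which is the only place the advisory says the condition can arise.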