VID 29058
Severity 30
Port 161
Protocol UDP
Class CISCO
Detailed Description The Cisco 12000 Series Internet Router has an ICMP Unreachable vulnerability (Cisco Bug IDs CSCdr46528, CSCdt66560, CSCds36541).
Exploitation of these vulnerabilities may lead to a Denial of Service. The router's performance will degrade and, in the worst case, the router will stop forwarding packets. Whenever a packet is dropped, the router must send an ICMP unreachable packet back to the source. When a high volume of traffic that requires ICMP unreachable replies is sent to the router, processing those replies can saturate the CPU. This condition can arise when the router is performing "Black Hole" filtering (dropping packets sent to it as the network's default path) or during a direct Denial of Service (DoS) attack against the router. For further information on "Black Hole" filtering, consult the document Essential IOS Features Every ISP Should Consider, section "Black Hole Routing as a Packet Filter", available from http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip .

* Note: This check relies solely on the version number reported by the remote system to assess this vulnerability, so the result may be a false positive. It also requires a read-access SNMP community string in order to collect the version number. To provide this access, add the valid community string to the check item "snmp/guessable/r" in the Policy Editor.

* References:
http://www.cisco.com/warp/public/707/GSR-unreachables-pub.shtml

* Platforms Affected:
Cisco 12000 Series Internet Routers
Cisco IOS Software Release 12.0S
Cisco IOS Software Release 12.0ST
Recommendation Upgrade to a fixed version of Cisco IOS, as listed under "Software Versions and Fixes" in the Cisco Security Advisory (ICMP Unreachable Vulnerability), http://www.cisco.com/warp/public/707/GSR-unreachables-pub.shtml . Upgrades should be obtained through the Software Center on Cisco's World Wide Web site at http://www.cisco.com .

As a workaround, prevent the router from sending ICMP unreachables at all using the following commands. The command is applied per interface.
router(config)#interface ethernet 0
router(config-if)#no ip unreachables

-- OR --

Alternatively, rate-limit the ICMP unreachable packets that are sent.
router(config)#ip icmp rate-limit unreachable n

Here n is the number of milliseconds between two consecutive ICMP unreachable packets; the default value is 500.

For details, see http://www.cisco.com/warp/public/707/GSR-unreachables-pub.shtml .
Related URL CVE-2001-0861,CVE-2001-0862,CVE-2001-0863,CVE-2001-0864,CVE-2001-0865,CVE-2001-0866,CVE-2001-0867 (CVE)
Related URL 3534,3535,3536,3537,3538,3539,3540 (SecurityFocus)
Related URL 7536,7550,7551,7552,7553,7554,7555 (ISS)