| VID |
29073 |
| Severity |
40 |
| Port |
161 |
| Protocol |
UDP |
| Class |
SNMP |
| Detailed Description |
The remote device is running a version of Cisco IOS with a denial of service vulnerability that is triggered by crafted IPv4 packets. Multiple Cisco routers and switches running Cisco Internetwork Operating System (IOS) software are affected, covering the vast majority of Cisco's IPv4 product line: the vulnerability exists on all hardware platforms that run Cisco IOS versions 11.x through 12.x. It is caused by flawed packet processing routines that do not correctly handle a specific, abnormal sequence of IPv4 traffic. When such a sequence is received, IOS incorrectly marks the input queue of the receiving network interface as full. After a time-out period the affected device stops processing routing and ARP protocols on that interface, which effectively stops the interface from handling any traffic. A remote attacker can trigger this condition by sending the crafted sequence of IPv4 packets to the device, causing the input interface to stop processing traffic.
The attack can be repeated against a targeted device until all of its network interfaces are disabled. Devices that enter this state do not recover on their own; an operator must intervene and reload the device.
* Note: This check relies solely on the version number reported by the remote system, so it may be a false positive. It also requires a read-access SNMP community string in order to collect the version number. To provide this access, add the valid community string to the check item "snmp/guessable/r" in the Policy Editor.
* References: http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml http://www.cert.org/advisories/CA-2003-15.html http://www.kb.cert.org/vuls/id/411332 |
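The note above says the check decides on the version string alone. The following added example (not part of the scanner or of Cisco's advisory) shows what such a version-only check does: it parses the IOS banner that a device returns in sysDescr.0 (OID 1.3.6.1.2.1.1.1.0), extracts the version, and reports a device as possibly vulnerable when it falls in the 11.x to 12.x range and is not in an operator-supplied set of fixed versions. The sysDescr strings are constructed samples; the set of fixed versions is assumed to be copied by the operator from the advisory's "Software Versions and Fixes" table, which is not reproduced here.

```python
import re
from typing import NamedTuple, Optional, Set

# Constructed sysDescr.0 values in the layout IOS returns (sample data, not captured output).
SAMPLE_SYSDESCR = {
    "router-a": ("Cisco Internetwork Operating System Software \r\nIOS (tm) C2600 Software (C2600-I-M), "
                 "Version 12.2(8)T5,  RELEASE SOFTWARE (fc1)\r\nCopyright (c) 1986-2002 by cisco Systems, Inc."),
    "router-b": ("Cisco Internetwork Operating System Software \r\nIOS (tm) 3000 Software (IGS-I-L), "
                 "Version 11.2(26), RELEASE SOFTWARE (fc1)"),
    "nas-c":    "Linux nas 2.4.20 #1 SMP Tue Jun 3 10:49:43 EDT 2003 i686",
}

# IOS version syntax: major.minor(release) followed by an optional train/rebuild suffix.
VERSION_RE = re.compile(r"\bVersion\s+(\d+)\.(\d+)\(([^)]+)\)([A-Za-z0-9]*)")


class IosVersion(NamedTuple):
    major: int
    minor: int
    release: str   # the part in parentheses, e.g. "8" or "26"
    train: str     # trailing train and rebuild, e.g. "T5"; "" for a mainline release

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}({self.release}){self.train}"


def parse_ios_version(sysdescr: str) -> Optional[IosVersion]:
    """Extract the IOS version from a sysDescr string; None if it is not an IOS banner."""
    if "Internetwork Operating System" not in sysdescr and "IOS (tm)" not in sysdescr:
        return None
    m = VERSION_RE.search(sysdescr)
    if not m:
        return None
    return IosVersion(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))


def assess(sysdescr: str, fixed_versions: Set[str]) -> str:
    """Version-only verdict, mirroring the kind of check described in the note above.

    fixed_versions is assumed input: version strings the operator copies from the
    advisory's "Software Versions and Fixes" table.
    """
    v = parse_ios_version(sysdescr)
    if v is None:
        return "not-ios"
    if str(v) in fixed_versions:
        return "fixed"
    if 11 <= v.major <= 12:
        # Inside the affected 11.x-12.x range and not a listed fix. The verdict rests on
        # the banner alone, which is exactly why the check can produce false positives.
        return "possibly-vulnerable"
    return "outside-affected-range"


if __name__ == "__main__":
    fixed: Set[str] = set()  # populate from the advisory before relying on the verdict
    for host, descr in SAMPLE_SYSDESCR.items():
        print(f"{host}: {parse_ios_version(descr)} -> {assess(descr, fixed)}")
```

In a real scan the sysDescr value comes from an SNMP GET of 1.3.6.1.2.1.1.1.0 using the read community string mentioned in the note; everything after that point is string handling, so a device whose banner has been restricted or rewritten will not be assessed correctly.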
| Recommendation |
Upgrade to one of the fixed versions of Cisco IOS, as listed in the "Software Versions and Fixes" of Cisco Security Advisory (Cisco IOS Interface Blocked by IPv4 Packets): http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
Upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com/tacpage/sw-center/sw-ios.shtml
As a workaround, Cisco recommends that all IOS devices which process IPv4 packets be configured with Access Control Lists (ACLs) that block traffic directed to the router from any unauthorized source. The following access list is specifically designed to block the attack traffic: it drops IPv4 protocols 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND) and 103 (PIM). It should be applied to all interfaces of the device and extended with topology-specific filters. Because IOS ACLs are evaluated top-down with first match, any entry that permits legitimate traffic for one of these protocols (for example from a known PIM neighbor) must appear before the corresponding deny entry.
    access-list 101 deny 53 any any
    access-list 101 deny 55 any any
    access-list 101 deny 77 any any
    access-list 101 deny 103 any any
    !--- insert any other previously applied ACL entries here
    !--- you must permit other protocols through to allow normal
    !--- traffic -- previously defined permit lists will work
    !--- or you may use the permit ip any any shown here
    access-list 101 permit ip any any
For details, see http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml |
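To check what the workaround ACL actually does to a given packet before deploying it, the following added example (written for this page, not Cisco's or the scanner's code) implements a small evaluator for numbered extended ACL entries of the form used above: it parses the access-list lines, applies IOS first-match semantics with the implicit deny at the end, and reports permit or deny for constructed packets. The neighbor address 192.0.2.2 and the 10.0.0.0/8 range in the second ACL variant are assumptions used to show how a topology-specific permit must precede the deny for protocol 103.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# The workaround access list exactly as published on this page.
ADVISORY_ACL = """
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
access-list 101 permit ip any any
"""

# Assumed topology-specific variant: legitimate PIM (103) sources are permitted
# ahead of the advisory's deny entry, since IOS stops at the first matching entry.
TOPOLOGY_ACL = """
access-list 101 permit 103 host 192.0.2.2 any
access-list 101 permit 103 10.0.0.0 0.255.255.255 any
""" + ADVISORY_ACL

# Protocol keywords accepted in extended ACLs; any other token is a protocol number.
PROTO_NAMES = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "pim": 103}

AddrSpec = Tuple[int, int]  # (network as int, wildcard mask as int)


class Ace(NamedTuple):
    action: str            # "permit" or "deny"
    proto: Optional[int]   # None means any IPv4 protocol ("ip")
    src: AddrSpec
    dst: AddrSpec


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_acl(text: str, number: int = 101) -> List[Ace]:
    """Parse 'access-list <number> <action> <proto> <src> <dst>' lines; '!' lines are comments."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if t[:2] != ["access-list", str(number)]:
            continue
        action, proto_tok = t[2], t[3]
        proto = PROTO_NAMES[proto_tok] if proto_tok in PROTO_NAMES else int(proto_tok)
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        aces.append(Ace(action, proto, src, dst))
    return aces


def _match(spec: AddrSpec, ip: str) -> bool:
    """Wildcard match: bits set in the wildcard are don't-care bits."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def evaluate(aces: List[Ace], proto: int, src: str, dst: str) -> str:
    """First matching entry wins; an ACL with no match ends in IOS's implicit deny."""
    for ace in aces:
        if ace.proto not in (None, proto):
            continue
        if _match(ace.src, src) and _match(ace.dst, dst):
            return ace.action
    return "deny"


if __name__ == "__main__":
    # Constructed packets: (IPv4 protocol, source, destination = router interface).
    packets = [(53, "198.51.100.7", "192.0.2.1"), (6, "198.51.100.7", "192.0.2.1"),
               (103, "192.0.2.2", "192.0.2.1"), (103, "198.51.100.7", "192.0.2.1")]
    for name, text in (("advisory", ADVISORY_ACL), ("topology", TOPOLOGY_ACL)):
        aces = parse_acl(text)
        for proto, s, d in packets:
            print(f"{name}: proto {proto} {s} -> {d}: {evaluate(aces, proto, s, d)}")
```

The evaluator only models the protocol and address fields that appear in the advisory's entries, which is enough to confirm the two properties that matter here: every packet carrying one of the four protocols is dropped regardless of source, and ordinary TCP, UDP and ICMP traffic still reaches the final permit.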
| Related URL |
CVE-2003-0567 (CVE) |
| Related URL |
8211 (SecurityFocus) |
| Related URL |
12631 (ISS) |
|