Cisco Security Advisory
TCP Vulnerabilities in Multiple IOS-Based Cisco Products
-
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. Successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may be re-established automatically. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond the terminated connection, which must be considered. This attack vector is only applicable to sessions that terminate on a device (such as a router, switch, or computer) and not to sessions that only pass through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain a TCP stack are susceptible to this vulnerability.
This advisory is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040420-tcp-ios, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040420-tcp-nonios.
-
This section provides details on affected products.
Vulnerable Products
Products which contain a TCP stack are susceptible to this vulnerability. All Cisco products and models are affected. The severity of the exposure depends upon the protocols and applications that utilize TCP.
This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer), and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router).
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
TCP is the transport layer protocol designed to provide connection-oriented reliable delivery of a data stream. To accomplish this, TCP uses a mixture of flags to indicate state and sequence numbers to identify the order in which the packets are to be reassembled. TCP also provides a number, called an acknowledgement number, that is used to indicate the sequence number of the next packet expected. The packets are reassembled by the receiving TCP implementation only if their sequence numbers fall within a range of the acknowledgement number (called a "window"). The acknowledgement number is not used in a packet with the reset (RST) flag set because a reset does not expect a packet in return. The full specification of the TCP protocol can be found at http://www.ietf.org/rfc/rfc0793.txt .
According to the RFC793 specification, it is possible to reset an established TCP connection by sending a packet with the RST or synchronize (SYN) flag set. In order for this to occur, the 4-tuple must be known or guessed (source and destination IP address and ports) together with a sequence number. However, the sequence number does not have to be an exact match; it is sufficient to fall within the advertised window. This significantly decreases the effort required by an adversary: the larger the window, the easier it is to reset the connection. While source and destination IP addresses may be relatively easy to determine, the source TCP port must be guessed. The destination TCP port is usually known for all standard services (for example, 23 for Telnet, 80 for HTTP). Cisco IOS software uses predictable ephemeral ports for known services with a predictable increment (the next port which will be used for a subsequent connection). These values, while constant for a particular Cisco IOS software version and protocol, can vary from one release to another.
Here is an example of a normal termination of a TCP session:
    Host(1)                                Host(2)
       |                                      |
       |                                      |
       |       ACK ack=1001, window=5000      |
       |<-------------------------------------|
       |                                      |  Host(1) is closing the session
       |       RST seq=1001                   |
       |------------------------------------->|
       |                                      |  Host(2) is closing the session
In addition, the following scenario is also permitted:
    Host(1)                                Host(2)
       |                                      |
       |                                      |
       |       ACK ack=1001, window=5000      |
       |<-------------------------------------|
       |                                      |  Host(1) is closing the session
       |       RST seq=4321                   |
       |------------------------------------->|
       |                                      |  Host(2) is closing the session
Note how, in the second example, the RST packet was able to terminate the session although the sequence number was not the next expected one (which is 1001). It was sufficient for the sequence number to fall within the advertised "window". In this example, Host(2) was accepting sequence numbers from 1001 to 6001 and 4321 is clearly within the acceptable range.
Cisco fixed this vulnerability in accordance with the IETF draft draft-ietf-tcpm-tcpsecure-01, available at http://www.watersprings.org/pub/id/draft-ietf-tcpm-tcpsecure-01.txt.
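To make the window rule concrete, the following added Python model (an illustration written for this page, not code from the advisory or from Cisco IOS) replays the two diagrams above under the RFC 793 acceptance test and under the stricter RST and SYN rules of draft-ietf-tcpm-tcpsecure-01 that the fix follows; all class and function names are this example's own, and the wrap-around case is constructed.

```python
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (mod 2^32)."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


@dataclass
class Connection:
    """Receiver-side state of one established connection (toy model, not IOS)."""
    rcv_nxt: int             # next sequence number the receiver expects
    rcv_wnd: int             # window advertised in the receiver's last ACK
    established: bool = True
    challenge_acks: int = 0  # ACKs sent in reply to suspicious segments


def rst_rfc793(conn: Connection, seq: int) -> str:
    """RFC 793: any RST whose sequence number is inside the window resets the connection."""
    if conn.established and seq_in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        conn.established = False
        return "reset"
    return "dropped"


def rst_tcpsecure(conn: Connection, seq: int) -> str:
    """tcpsecure RST rule: only an RST carrying exactly RCV.NXT resets the connection.
    An in-window but inexact RST is answered with a challenge ACK (a peer that really
    wants to abort replies with a correctly numbered RST); out-of-window RSTs are dropped."""
    if not conn.established:
        return "dropped"
    if seq == conn.rcv_nxt:
        conn.established = False
        return "reset"
    if seq_in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        conn.challenge_acks += 1
        return "challenge-ack"
    return "dropped"


def syn_rfc793(conn: Connection, seq: int) -> str:
    """RFC 793: a SYN inside the window on an ESTABLISHED connection is an error;
    the receiver sends a RST and aborts the connection."""
    if conn.established and seq_in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        conn.established = False
        return "reset"
    return "dropped"


def syn_tcpsecure(conn: Connection, seq: int) -> str:
    """tcpsecure SYN rule: a SYN on an established connection never resets it,
    whatever its sequence number; the receiver just sends an ACK."""
    if conn.established:
        conn.challenge_acks += 1
        return "challenge-ack"
    return "dropped"


def accepted_seq_values(rcv_wnd: int, tcpsecure: bool) -> int:
    """Risk metric: how many of the 2^32 sequence values a single blind RST may carry
    and still reset the connection: the whole window under RFC 793, one value under tcpsecure."""
    return 1 if tcpsecure else min(rcv_wnd, SEQ_SPACE)


def replay_advisory_examples() -> dict:
    """Replay the advisory's two diagrams (Host(2) expects seq 1001, window 5000)
    plus a constructed case where the window straddles the 2^32 wrap-around."""
    results = {}
    results["rst_1001_rfc793"] = rst_rfc793(Connection(1001, 5000), 1001)
    results["rst_4321_rfc793"] = rst_rfc793(Connection(1001, 5000), 4321)
    conn = Connection(1001, 5000)
    results["rst_4321_tcpsecure"] = rst_tcpsecure(conn, 4321)
    results["still_established"] = conn.established
    results["rst_1001_tcpsecure"] = rst_tcpsecure(conn, 1001)
    results["syn_4321_rfc793"] = syn_rfc793(Connection(1001, 5000), 4321)
    results["syn_4321_tcpsecure"] = syn_tcpsecure(Connection(1001, 5000), 4321)
    results["wrap_in_window"] = seq_in_window(50, SEQ_SPACE - 100, 5000)
    return results
```

A sudden rise in the challenge-ACK counter on a fixed stack is also the observable a defender can watch for, since legitimate peers rarely send in-window but inexact RSTs.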
As a general rule, all protocols where a TCP connection stays established for longer than one minute should be considered exposed.
The exposure on this vulnerability can be described as follows:
-
Cisco IOS - All devices running Cisco IOS software
are vulnerable. Only TCP sessions that are terminating on the device itself are
affected since this vulnerability only affects the endpoints of a session.
Sessions passing through the device are vulnerable only if the originating or
receiving device is vulnerable, but they cannot be attacked on the router
itself. This vulnerability does not compromise data integrity or
confidentiality. It only affects availability.
This vulnerability is documented in the Cisco Bug Toolkit as Bug IDs CSCed27956 (registered customers only) and CSCed38527 (registered customers only).
-
Cisco IOS Firewall (IOS FW) - The Cisco IOS FW
monitors packets passing throughout the router and maintains the session state
internally. This way, it is possible to "open" required ports and allow traffic
to pass and then close them after the session has finished. Since Cisco IOS FW
intercepts and examines all packets passing through the device, all TCP
sessions passing through the Cisco IOS FW are vulnerable to this attack. This
is valid even if the originating and receiving devices themselves are not
vulnerable.
This vulnerability is documented in the Cisco Bug Toolkit as Bug ID CSCed93836 (registered customers only).
-
Network Address Translation (NAT) - This
vulnerability does not have any effect on NAT. The NAT functionality simply
rewrites ports and IP addresses. This feature does not interpret TCP flags and
therefore is not vulnerable to this attack. However, the attacking packet will
be passed through the router and the receiving device can be affected.
-
The effectiveness of any workaround is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround is the most appropriate for use in the intended network before it is deployed.
There are no workarounds available to mitigate the effects of this vulnerability on Cisco IOS Firewall.
For BGP, the workaround and a few mitigation techniques are presented below.
-
BGP MD5 secret
The workaround for BGP is to configure MD5 secret for each session between peers. This can be configured as shown in the following example:
router(config)#router bgp <AS_number>
router(config-router)#neighbor <IP_address> password <enter_your_secret_here>
If the BGP session is passing through a firewall, it is important to disable TCP sequence randomization. Some firewalls modify the TCP sequence numbers in order to protect hosts behind them. If you do not disable that feature, the BGP session will not be established, and the following error message will be displayed on the router's console:
%TCP-6-BADAUTH: Invalid MD5 digest from <IP_address> to <IP_address>
static (inside,outside)
It is possible to mitigate the exposure for BGP on this vulnerability by applying one or more of the following measures which will lessen the potential for the necessary spoofing required to implement a successful attack:
-
Blocking access to the core infrastructure
Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure access control lists (ACLs) are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists", available at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml, presents guidelines and recommended deployment techniques for infrastructure protection ACLs. Exceptions would include any devices which have a legitimate reason to access your infrastructure (for example, BGP peers, NTP sources, DNS servers, and so on). All other traffic must be able to traverse your network without terminating on any of your devices.
-
Configure anti-spoofing measures on the network edge
In order to use the attack vector described in this advisory, an adversary must send packets whose source IP address is that of one of the BGP peers. You can block such spoofed packets either by using the Unicast Reverse Path Forwarding (uRPF) feature or by using access control lists (ACLs).
By enabling uRPF, all spoofed packets will be dropped at the first device. To enable uRPF, use the following commands:
router(config)# ip cef
router(config)# interface <interface>
router(config-if)# ip verify unicast reverse-path
ACLs should also be deployed as close to the edge as possible. Unlike uRPF, you must specify the exact IP range that is permitted. Specifying which addresses should be blocked is not the optimal solution because it tends to be harder to maintain.
Caution: In order for anti-spoofing measures to be effective, they must be deployed at least one hop away from the devices which are being protected. Ideally, they will be deployed at the network edge facing your customers.
-
Packet rate limiting
RST packets are rate-limited in Cisco IOS software by default. This feature was introduced in Cisco IOS Software Release 10.2. In the case of a storm of RST packets, they are effectively limited to one packet per second. In order to be successful, an attacker must terminate the connection with the first few packets; otherwise, the attack becomes impracticably long. On the other hand, SYN packets are not rate-limited in any way.
Rate limiting can be accomplished either by using Committed Access Rate (CAR) or by Control Plane Policing (CPP). While CPP is the recommended approach, it is available only for Cisco IOS Software Releases 12.2(18)S and 12.3(4)T. It is currently supported only on the following routers: 1751, 2600/2600-XM, 3700, 7200, and 7500 Series.
CAR can be configured as follows:
router(config)#access-list 103 deny tcp any host 10.1.1.1 established
router(config)#access-list 103 permit tcp any host 10.1.1.1
router(config)#interface <interface> <interface #>
router(config-if)#rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop
-
Be advised that Cisco released multiple advisories on 2004-April-20.
Each row of the table describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix and the anticipated date of availability for each are listed in the Rebuild, Interim, and Maintenance columns. In some cases, no rebuild of a particular release is planned; this is marked with the label "Not scheduled." A device running any release in the given train that is earlier than the release in a specific column (less than the earliest fixed release) is known to be vulnerable, and it should be upgraded at least to the indicated release or a later version (greater than the earliest fixed release label).
When selecting a release, keep in mind the following definitions:
-
Maintenance
Most heavily tested and highly recommended release of any label in a given row of the table.
-
Rebuild
Constructed from the previous maintenance or major release in the same train, it contains the fix for a specific vulnerability. Although it receives less testing, it contains only the minimal changes necessary to effect the repair. Cisco has made available several rebuilds of mainline trains to address this vulnerability, but strongly recommends running only the latest maintenance release on mainline trains.
-
Interim
Built at regular intervals between maintenance releases and receives less testing. Interims should be selected only if there is no other suitable release that addresses the vulnerability, and interim images should be upgraded to the next available maintenance release as soon as possible. Interim releases are not available through manufacturing, and usually they are not available for customer download from CCO without prior arrangement with the Cisco Technical Assistance Center (TAC).
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco TAC for assistance, as shown in the section following this table.
Fixed Cisco IOS Software Images for Cisco IOS Firewall
Major Release
Availability of Repaired Releases*
Affected 12.1-Based Release
Rebuild
Interim**
Maintenance
12.1
12.1(22c)
12.1E
12.1(19)E7
12.1(13)E14
Affected 12.2-Based Release
Rebuild
Interim**
Maintenance
12.2
12.2(21b)
12.2(23a)
12.2T
12.2(11)T11
12.2(13)T12
12.2(15)T12
Affected 12.3-Based Release
Rebuild
Interim**
Maintenance
12.3
12.3(5c)
12.3(6a)
12.3T
12.3(4)T6 Available 2004-May-31
Fixed Cisco IOS Software Releases and Migration Path
Major Release
Availability of Repaired Releases*
Affected 11.1-Based Release
Rebuild
Interim**
Maintenance
11.1
11.1 Vulnerable. Migrate to 11.2
11.1AA
11.1AA Vulnerable. Migrate to 11.2P
11.1CC
11.1CC Vulnerable. Migrate to 12.0
Affected 11.2-Based Release
Rebuild
Interim**
Maintenance
11.2
11.2(26f) Available on 2004-Apr-21
11.2P
11.2(26)P6 Available on 2004-Apr-21
11.2SA
11.2(8.12)SA6
Affected 11.3-Based Release
Rebuild
Interim**
Maintenance
11.3
11.3 Vulnerable. Migrate to 12.0
11.3(11b)T4 Available on 2004-Apr-21
11.3(11e) Available on 2004-Apr-21
Affected 12.0-Based Release
Rebuild
Interim**
Maintenance
12.0
12.0(28)
12.0DA
12.0DA Vulnerable. Migrate to 12.2DA
12.0DB
12.0DB Vulnerable. Migrate to 12.1DB
12.0DC
12.0DC Vulnerable. Migrate to 12.1DC
12.0S
12.0(21)S8
12.0(27)S
12.0(26)S2
12.0(16)S11
12.0(24)S5
12.0(25)S3
12.0(23)S6
12.0SL
12.0SL Vulnerable. Migrate to 12.0(23)S6
12.0ST
12.0ST Vulnerable. Migrate to 12.0(26)S2
12.0SX
12.0(25)SX4 Not built - contact TAC
12.0SZ
12.0SZ Vulnerable. Migrate to 12.0(26)S2
12.0T
12.0T Vulnerable. Migrate to 12.1
12.0W5
12.0(25)W5(27b) Available 2004-May
12.0(28)W5(30)
12.0WC
12.0(5)WC9a Available on 2004-Apr-21
12.0WT
12.0(13)WT Vulnerable. End of Engineering
12.0WX
12.0(4)WX Vulnerable. Migrate to 12.0W5
12.0XA
12.0(1)XA Vulnerable. Migrate to 12.1 Latest
12.0XB
12.0(1)XB Vulnerable. Migrate to 12.2(15)T12
12.0XC
12.0(2)XC Vulnerable. Migrate to 12.1 Latest
12.0XD
12.0(2)XD Vulnerable. Migrate to 12.1 Latest
12.0XE
12.0(7)XE Vulnerable. Migrate to 12.1E Latest
12.0XG
12.0(3)XG Vulnerable. Migrate to 12.1 Latest
12.0XH
12.0(4)XH Vulnerable. Migrate to 12.1
12.0XI
12.0(4)XI Vulnerable. Migrate to 12.1
12.0XJ
12.0(4)XJ Vulnerable. Migrate to 12.1 Latest
12.0XK
12.0(7)XK Vulnerable. Migrate to 12.1T Latest
12.0XL
12.0(4)XL Vulnerable. Migrate to 12.2 Latest
12.0XM
12.0(4)XM Vulnerable. Migrate to 12.2(15)T12
12.0XN
12.0(5)XN Vulnerable. Migrate to 12.1 Latest
12.0XP
12.0(5.1)XP Vulnerable. Migrate to 12.0(5)WC9a
12.0XQ
12.0(5)XQ Vulnerable. Migrate to 12.1 Latest
12.0XR
12.0(7)XR Vulnerable. Migrate to 12.2 Latest
12.0XS
12.0(5)XS Vulnerable. Migrate to 12.1E Latest
12.0XU
12.0(5)XU Vulnerable. Migrate to 12.0(5)WC
12.0XV
12.0(7)XV Vulnerable. Migrate to 12.2(15)T12
Affected 12.1-Based Release
Rebuild
Interim**
Maintenance
12.1
12.1(20a)
12.1(4c)
12.1(22b) Without IOS FW fix
12.1(22c) With IOS FW fix
12.1AA
12.1(10)AA Vulnerable. Migrate to 12.2 Latest
12.1AX
12.1(14)AX
12.1AY
12.1(13)AY Vulnerable. Migrate to 12.1EA
12.1DA
12.1DA Vulnerable. Migrate to 12.2DA
12.1DB
12.1(5)DB Vulnerable. Migrate to 12.2B
12.1E
12.1(19)E7
12.1(22)E1
12.1(11b)E14
12.1(20)E2
12.1(19)E6
12.1(13)E13 Without IOS FW fix
12.1(8b)E18
12.1(14)E10
12.1(13)E14 With IOS FW fix
12.1EA
12.1(19)EA1b (Catalyst 3560 only)
12.1(19)EA1c (Catalyst 2940, 2950, 2950-LRE, 2955, 2970, 3550, 3560, and 3750)
12.1EB
12.1(20)EB
12.1EC
12.1(20)EC
12.1EO
12.1(20)EO
12.1(19)EO2 Available on 2004-Apr-25
12.1EU
12.1(20)EU
12.1EV
12.1(12c)EV Vulnerable. Migrate to 12.2(RLS4)S
12.1EW
12.1(20)EW2
12.1EX
12.1EX Vulnerable. Migrate to 12.1(14)E
12.1EY
12.1(10)EY Vulnerable. Migrate to 12.1(14)E
12.1T
12.1(5)T17
12.1XA
12.1(1)XA Vulnerable. Migrate to 12.1(5)T18
12.1XB
12.1(1)XB Vulnerable. Migrate to 12.2(15)T12
12.1XC
12.1(1)XC Vulnerable. Migrate to 12.2
12.1XD
12.1(1)XD Vulnerable. Migrate to 12.2
12.1XE
12.1(1)XE Vulnerable. Migrate to 12.1E Latest
12.1XF
12.1(2)XF Vulnerable. Migrate to 12.2(15)T12
12.1XG
12.1(3)XG Vulnerable. Migrate to 12.2(15)T12
12.1XH
12.1(2a)XH Vulnerable. Migrate to 12.2
12.1XI
12.1(3a)XI Vulnerable. Migrate to 12.2 Latest
12.1XJ
12.1(3)XJ Vulnerable. Migrate to 12.2(15)T12
12.1XL
12.1(3)XL Vulnerable. Migrate to 12.2T Latest
12.1XM
12.1(5)XM Vulnerable. Migrate to 12.2T Latest
12.1XP
12.1(3)XP Vulnerable. Migrate to 12.2(15)T12
12.1XQ
12.1(3)XQ Vulnerable. Migrate to 12.2T Latest
12.1XR
12.1(5)XR Vulnerable. Migrate to 12.2T Latest
12.1XT
12.1(3)XT Vulnerable. Migrate to 12.2(15)T12
12.1XU
12.1(5)XU Vulnerable. Migrate to 12.2T Latest
12.1XV
12.1(5)XV Vulnerable. Migrate to 12.2XB
12.1YA
12.1(5)YA Vulnerable. Migrate to 12.2(8)T
12.1YB
12.1(5)YB Vulnerable. Migrate to 12.2(15)T12
12.1YC
12.1(5)YC Vulnerable. Migrate to 12.2(15)T12
12.1YD
12.1(5)YD Vulnerable. Migrate to 12.2(8)T
12.1YE
12.1(5)YE5 Vulnerable. Migrate to 12.2(2)YC
12.1YF
12.1(5)YF2 Vulnerable. Migrate to 12.2(2)YC
12.1YH
12.1(5)YH2 Vulnerable. Migrate to 12.2(13)T
12.1YI
12.1(5)YI2 Vulnerable. Migrate to 12.2(2)YC
12.1YJ
12.1(11)YJ Vulnerable. Migrate to 12.1EA Latest
Affected 12.2-Based Release
Rebuild
Interim**
Maintenance
12.2
12.2(19b)
12.2(16f)
12.2(21a)
12.2(23)
12.2(12i)
12.2(10g)
12.2(13e)
12.2(17d)
12.2(21b)
12.2(23a)
12.2B
12.2(2)B - 12.2(4)B7 Vulnerable. Migrate to 12.2(13)T12
12.2(4)B8 AND FWD Vulnerable. Migrate to 12.3(5a)B1
12.2BC
12.2(15)BC1C
12.2BW
12.2(4)BW Vulnerable. Migrate to 12.2(15)T12
12.2BX
12.2(16)BX3 Available mid-May
12.2BY
12.2(4)BY Vulnerable. Migrate to 12.2(15)B
12.2(8)BY Vulnerable. Migrate to 12.2(8)ZB
12.2(2)BY Vulnerable. Migrate to 12.2(8)BZ
12.2BZ
12.2(15)BZ Vulnerable. Migrate to 12.2(16)BX
12.2CX
12.2(11)CX Vulnerable. Migrate to 12.2(15)BC
12.2CY
12.2(11)CY Vulnerable. Migrate to 12.2(13)BC1C
12.2DA
12.2(12)DA6 Available 2004-May-13
12.2DD
12.2DD Vulnerable. Migrate to 12.2(4)B1
12.2DX
12.2(1)DX Vulnerable. Migrate to 12.2DD
12.2(2)DX Vulnerable. Migrate to 12.2B Latest
12.2EW
12.2(18)EW
12.2JA
12.2(11)JA3
12.2(13)JA4
12.2(15)JA
12.2MC
12.2(15)MC1B
12.2S
12.2(22)S
12.2(14)S7
12.2(20)S1
12.2(20)S3 Available on 2004-May-25
12.2(18)S3
12.2SE
12.2(18)SE
12.2SW
12.2(21)SW
12.2SX
12.2(17a)SX2 Without IOS FW fix, 12.2(17a)SX4 With IOS FW fix
12.2SXA
12.2(17b)SXA2
12.2SXB
12.2(17d)SXB1 With IOS FW fix
12.2(17d)SXB Without IOS FW fix
12.2SY
12.2(14)SY3
12.2SZ
12.2(14)SZ6
12.2T
12.2(15)T11
12.2(13)T12 With IOS FW fix
12.2(11)T11 Available on 2004-Apr-26
12.2(13)T11 Without IOS FW fix
12.2XA
12.2(2)XA Vulnerable. Migrate to 12.2(11)T
12.2XB
12.2(2)XB Vulnerable. Migrate to 12.3
12.2XC
12.2(2)XC Vulnerable. Migrate to 12.2(8)ZB
12.2XD
12.2(1)XD Vulnerable. Migrate to 12.2(15)T12
12.2XE
12.2(1)XE Vulnerable. Migrate to 12.2(15)T12
12.2XF
12.2(1)XF1 Vulnerable. Migrate to 12.2(4)BC1C
12.2XG
12.2(2)XG Vulnerable. Migrate to 12.2(8)T
12.2XH
12.2(2)XH Vulnerable. Migrate to 12.2(15)T12
12.2XI
12.2(2)XI2 Vulnerable. Migrate to 12.2(15)T12
12.2XJ
12.2(2)XJ Vulnerable. Migrate to 12.2(13)T12
12.2XK
12.2(2)XK Vulnerable. Migrate to 12.2(15)T12
12.2XL
12.2(4)XL Vulnerable. Migrate to 12.2(15)T12
12.2XM
12.2(4)XM Vulnerable. Migrate to 12.2(15)T12
12.2XN
12.2(2)XN Vulnerable. Migrate to 12.2(11)T
12.2XQ
12.2(2)XQ Vulnerable. Migrate to 12.2(15)T12
12.2XS
12.2(1)XS Vulnerable. Migrate to 12.2(11)T
12.2XT
12.2(2)XT Vulnerable. Migrate to 12.2(11)T
12.2XU
12.2(2)XU Vulnerable. Migrate to 12.2(15)T12
12.2XW
12.2(4)XW Vulnerable. Migrate to 12.2(13)T12
12.2YA
12.2(4)YA Vulnerable. Migrate to 12.2(15)T12
12.2YB
12.2(4)YB Vulnerable. Migrate to 12.2(15)T12
12.2YC
12.2(2)YC Vulnerable. Migrate to 12.2(11)T11
12.2YD
12.2(8)YD Vulnerable. Migrate to 12.2(8)YY
12.2YE
12.2(9)YE Vulnerable. Migrate to 12.2S
12.2YF
12.2(4)YF Vulnerable. Migrate to 12.2(15)T12
12.2YG
12.2(4)YG Vulnerable. Migrate to 12.2(13)T12
12.2YH
12.2(4)YH Vulnerable. Migrate to 12.2(15)T12
12.2YJ
12.2(8)YJ Vulnerable. Migrate to 12.2(15)T12
12.2YK
12.2(2)YK Vulnerable. Migrate to 12.2(13)ZC
12.2YL
12.2(8)YL Vulnerable. Migrate to 12.3(2)T
12.2YM
12.2(8)YM Vulnerable. Migrate to 12.3(2)T
12.2YN
12.2(8)YN Vulnerable. Migrate to 12.3(2)T
12.2YO
12.2(9)YO Vulnerable. Migrate to 12.2(14)SY
12.2YP
12.2(11)YP Vulnerable. Migrate to 12.2T Latest
12.2YQ
12.2(11)YQ Vulnerable. Migrate to 12.3(2)T
12.2YR
12.2(11)YR Vulnerable. Migrate to 12.3(2)T
12.2YS
12.2(11)YS Vulnerable. Migrate to 12.3T
12.2YT
12.2(11)YT Vulnerable. Migrate to 12.2(15)T
12.2YU
12.2(11)YU Vulnerable. Migrate to 12.3(2)T
12.2YV
12.2(11)YV Vulnerable. Migrate to 12.3(4)T
12.2YW
12.2(8)YW Vulnerable. Migrate to 12.3(2)T
12.2YX
12.2(11)YX Vulnerable. Migrate to 12.2(RLS3)S
12.2YY
12.2(8)YY Vulnerable. Migrate to 12.3(1)T
12.2YZ
12.2(11)YZ Vulnerable. Migrate to 12.2(14)SZ
12.2ZA
12.2(14)ZA6
12.2ZB
12.2(8)ZB Vulnerable. Migrate to 12.3T
12.2ZC
12.2(13)ZC Vulnerable. Migrate to 12.3T
12.2ZD
12.2(13)ZD1
12.2ZE
12.2(13)ZE Vulnerable. Migrate to 12.3
12.2ZF
12.2(13)ZF Vulnerable. Migrate to 12.3(4)T
12.2ZG
12.2(13)ZG Vulnerable. Migrate to 12.3(4)T
12.2ZH
12.2(13)ZH Vulnerable. Migrate to 12.3(4)T
12.2ZI
12.2(11)ZI Vulnerable. Migrate to 12.2(18)S
12.2ZJ
12.2(15)ZJ5
12.2(15)ZJ4
12.2ZK
12.2(15)ZK Vulnerable. Migrate to 12.3T
12.2ZL
12.2(15)ZL Vulnerable. Migrate to 12.3(7)T
12.2ZN
12.2(15)ZN Vulnerable. Migrate to 12.3(2)T
12.2ZP
12.2(13)ZP3
Affected 12.3-Based Release
Rebuild
Interim**
Maintenance
12.3
12.3(3e)
12.3(6)
12.3(5b)
12.3B
12.3(5a)B
12.3(3)B1
12.3BW
12.3(1a)BW Vulnerable. Migrate to 12.3B
12.3T
12.3(2)T4
12.3(7)T1 Available on 2004-Apr-26
12.3(4)T3
12.3(4)T6 With IOS FW fix, available 2004-May-31
12.3XA
12.3(2)XA Vulnerable. Contact TAC.
12.3XB
12.3(2)XB2
12.3XC
12.3(2)XC2
12.3XD
12.3(4)XD1
12.3XE
12.3(2)XE Vulnerable. Migrate to 12.3T
12.3XF
12.3(2)XF Vulnerable. Contact TAC if needed.
12.3XG
12.3(4)XG
12.3XH
12.3(4)XH
12.3XI
12.3(7)XI Vulnerable. Migrate to 12.3T
12.3XJ
12.3(7)XJ Vulnerable. Contact TAC if needed
12.3XK
12.3(4)XK
12.3XL
12.3(7)XL Vulnerable. Contact TAC if needed
12.3XM
12.3(9)XM Vulnerable. Contact TAC if needed.
12.3XN
12.3(4)XN Vulnerable. Contact TAC if needed.
12.3XQ
12.3(4)XQ Vulnerable. Contact TAC if needed.
* All dates are estimated and subject to change.
** Interim releases are subjected to less rigorous testing than regular maintenance releases, and may have serious bugs.
-
This vulnerability was presented at a public conference. The Cisco PSIRT is not aware of any malicious use of the vulnerability described in this advisory.
The exploitation of the vulnerability with packets that have the RST flag set (reset packets) was discovered by Paul (Tony) Watson of OSVDB.org. The extension of the attack vector to packets with the SYN flag set was discovered by the vendors cooperating on the resolution of this issue.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 2.1
2005-April-13
Fixed broken link in Details section.
Revision 2.0
2004-July-14
Updated Fixed Cisco IOS Software Releases and Migration Path table with revision for 12.0SL.
Revision 1.9
2004-June-16
Updated Fixed Cisco IOS Software Release and Migration Path table with new line in section 12.0S
Revision 1.8
2004-May-20
Status changed to final.
Revision 1.7
2004-May-10
Updated the Fixed Cisco IOS Software Images for Cisco IOS Firewall table maintenance revisions for 12.0(28), 12.0(27)S, 12.2(23), 12.2(22)S, 12.3(6), and 12.2JA.
Revision 1.6
2004-May-04
In Software Versions and Fixes section, updated entries for 12.0W5 and 12.2SX. Updated Workarounds section with information on BGP MD5 secret.
Revision 1.5
2004-Apr-30
In Software Versions and Fixes section, updated entries for 12.1, 12.3T FW, and 12.1DA. Added new sections in 12.3T IOS main and 12.2-based releases.
Revision 1.4
2004-Apr-28
In the Details section added link to the DoD Draft TCP protocol.
In the Exploitation and Public Announcement section, changed wording of initial sentence.
Revision 1.3
2004-Apr-25
In Software Versions and Fixes section, added introductory paragraphs with advisory.
In Software Versions and Fixes section, updated Cisco IOS Software Releases and Migration Path table for entries 12.1AY, 12.2BX, 12.2XB, 12.2T, and 12.2SXB.
In Workarounds section, updated the command sequence for the Configure anti-spoofing measures on the network edge entry.
Revision 1.2
2004-Apr-22
In Software Versions and Fixes section, updated Cisco IOS Firewall table for 12.1E entry.
In Software Versions and Fixes section, updated Cisco IOS Software Releases and Migration Path table for entries 12.2SXA, 12.2SXB, 12.1EW, 12.2S, 12.3T, 12.2JA, 12.1EA.
Revision 1.1
2004-Apr-21
In Software Versions and Fixes section, Cisco IOS Software Releases and Migration Path table, updated 12.1(20)E2 entry.
In Software Versions and Fixes section, Cisco IOS Software Releases and Migration Path table, 12.1E section, updated 12.1(13)E13 entry.
In Software Versions and Fixes section, Cisco IOS Software Releases and Migration Path table, 12.1E section, updated 12.1(13)E14 entry.
In Software Versions and Fixes section, Cisco IOS Software Releases and Migration Path table, 12.2T section, updated 12.2(13)T12 entry.
In Software Versions and Fixes section, Cisco IOS Software Releases and Migration Path table, 12.2T section, updated 12.2(13)T11 entry.
In Workaround section, Packet rate limiting sub-section, updated this line: access-list 103 permit tcp any host 10.1.1.1
Revision 1.0
2004-Apr-20
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.