Summary

• A vulnerability in the parsing of malformed IP version 6 (IPv6) packets in Cisco IOS XR Software for Cisco Network Convergence System 6000 (NCS 6000) and Cisco Carrier Routing System (CRS-X) could allow an unauthenticated, remote attacker to cause a reload of a line card that is processing traffic.
  
  The vulnerability is due to improper processing of malformed IPv6 packets carrying extension headers. An attacker could exploit this vulnerability by sending a malformed IPv6 packet, carrying extension headers, through an affected Cisco IOS XR device line card. An exploit could allow the attacker to cause a reload of the line card on the affected Cisco IOS XR device.
  
  
  Cisco has released software updates that address this vulnerability.
  
  There are no workarounds that address this vulnerability.
  
  This advisory is available at the following link:
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150220-ipv6

Affected Products

• Vulnerable Products

  
  Cisco Network Convergence System 6000 (NCS 6000) and Cisco Carrier Routing System X (CRS-X) running an affected version of Cisco IOS XR Software are affected by this vulnerability.
  
  All flavors of Cisco CRS-X line cards are affected by this vulnerability, including Cisco CRS-X 400-Gbps Modular Services Card (MSC-X) and Cisco CRS-X 400-Gbps Forwarding Processor Cards (FP-X).
  

  
  

  Consult the "Software Versions and Fixes" section of this advisory for the details of affected releases.
  
  A device running an affected version of Cisco IOS XR Software release that has IPv6 enabled will display interfaces with assigned IPv6 addresses when the show ipv6 interface brief command is issued.
  
  The show ipv6 interface brief command will produce an error message if the running version of Cisco IOS XR Software does not support IPv6, or will not show any interfaces with IPv6 addresses if IPv6 is disabled. The system is not vulnerable in either scenario.
  
  The following example shows the output from the show ipv6 interface brief command issued on a device running Cisco IOS XR Software with IPv6 enabled:
  
  

  RP/0/RP0/CPU0:router# show ipv6 interface brief
  
    
   GigabitEthernet0/2/0/0 [Up/Up]
   fe80::212:daff:fe62:c150 
   202::1 
  
  

  The IPv6 protocol is enabled if the interface configuration command ipv6 enable is present in the configuration. The following examples show a vulnerable configuration:
  
  

  RP/0/RP0/CPU0:router(config)# interface GigabitEthernet0/2/0/0
  	
    RP/0/RP0/CPU0:router(config-if)# ipv6 enable
  
  

  
  To determine the Cisco IOS XR Software release and the exact name of the product on which it runs, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS XR Software by displaying "Cisco IOS XR Software" or similar text.
  
  The location and name of the system image file currently running on the router are displayed under the "System image file is" text. The hardware product is indicated in the line following the name of the system image file.
  
  The following example identifies a Cisco product that is running Cisco IOS XR Software Release 4.1.0 with an installed image name of mbihfr-rp.vm:
  

  
  

  
  
  

  RP/0/RP0/CPU0:router# show version
   Mon May 31 02:14:12.722 DST
  
   Cisco IOS XR Software, Version 4.1.0
   Copyright (c) 2010 by Cisco Systems, Inc.
  
   ROM: System Bootstrap, Version 2.100(20100129:213223) [CRS-1 ROMMON],  
  
   router uptime is 1 week, 6 days, 4 hours, 22 minutes
   System image file is "bootflash:disk0/hfr-os-mbi-4.1.0/mbihfr-rp.vm"
  
   cisco CRS-8/S (7457) processor with 4194304K bytes of memory.
   7457 processor at 1197Mhz, Revision 1.2

  
  

  Products Confirmed Not Vulnerable

  Only the following products are affected by this vulnerability:
  

  • Cisco NCS 6000
  • All flavors of Cisco CRS-X line cards, including Cisco CRS-X Modular Services Card (MSC-X) and Cisco CRS-X 400-Gbps Forwarding Processor Cards (FP-X).

  
  Cisco 12000 Series Routers, Cisco ASR 9000 Series Aggregation Services Routers, Cisco Carrier Routing System 1 (CRS-1) or Cisco Carrier Routing System 3 (CRS-3) running Cisco IOS XR Software are not affected by this vulnerability.
  
  No other Cisco products are currently known to be affected by this vulnerability.

Details

• A vulnerability in the parsing of malformed IP version 6 (IPv6) packets in Cisco IOS XR Software for Cisco Network Convergence System 6000 (NCS 6000) and Cisco Carrier Routing System (CRS-X) could allow an unauthenticated, remote attacker to cause a reload of a line card that is processing traffic.
  
  The vulnerability is due to improper processing of malformed IPv6 packets carrying extension headers. An attacker could exploit this vulnerability by sending a malformed IPv6 packet, carrying extension headers, through an affected Cisco IOS XR device line card. An exploit could allow the attacker to cause a reload of the line card on the affected Cisco IOS XR device.
  
  
  This vulnerability could be exploited repeatedly to cause an extended DoS condition.
  
  A device is vulnerable only if it is configured to process IPv6 traffic passing through the device.
  
  This vulnerability can be exploited using only IPv6 packets. A crafted IPv6 packet carrying extension headers can trigger the vulnerability.
  
  This vulnerability can only be triggered by the traffic transiting an affected device. IPv4 traffic, or IPv6 traffic destined to an affected device cannot be used to exploit this vulnerability on an affected device.
  
  While certain intermediate devices may block malformed IPv6 packets, the possibility still exists for a malformed packet to originate from a remote network and exploit this vulnerability on an affected device.
  
  This vulnerability has been documented in Cisco bug ID CSCuq95241 (registered customers only) and has been assigned the Common Vulnerabilities and Exposures (CVE) CVE-2015-0618.

  
  

  
  

Workarounds

• There are no workarounds that address this vulnerability.

Fixed Software

• When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
  
  Cisco IOS XR release version 5.2.3 for Cisco NCS 6000 is not affected by this vulnerability. All other releases of Cisco IOS XR for Cisco NCS 6000 are affected by this vulnerability.
  
  Cisco IOS XR release version 5.3.0 for CRS-X is not affected by this vulnerability. All other releases of Cisco IOS XR for CRS-X that have a support for Cisco CRS-X line cards, including Cisco CRS-X 400-Gbps Modular Service Card (MSC-X) and Cisco CRS-X 400-Gbps Forwarding Processor Cards (FP-X) are affected by this vulnerability.
  
  
  This vulnerability is corrected in the following Cisco IOS XR Software software maintenance updates (SMUs):
  
  ncs6k-5.0.1.CSCuq95241.smu for version 5.0.1 for NCS 6000
  ncs6k-5.2.1.CSCuq95241.smu for version 5.2.1 for NCS 6000
  
  hfr-px-5.1.1.CSCus54167.pie for versions 5.1.1 for CRS-X
  hfr-px-5.1.2.CSCus54167.pie for versions 5.1.2 for CRS-X
  hfr-px-5.1.3.CSCuq95241.pie for version 5.1.3 for CRS-X
  hfr-px-5.1.4.CSCuq95241.pie for version 5.1.4 for CRS-X
  
  Note: Cisco IOS XR Software SMUs for additional versions will be published when available.

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

  This vulnerability was discovered during internal testing.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150220-ipv6

Revision History

• Revision 1.1	2015-February-24	Software Versions and Fixes updated
  Revision 1.0	2015-February-20	Initial public release

  Show Less