Cisco Security Advisory
Cisco IOS Software TFTP Server Denial of Service Vulnerability
Click Icon to Copy Verbose Score
AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
-
A vulnerability in the TFTP server feature of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The TFTP server feature is not enabled by default.
Cisco has released software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150722-tftp
-
Vulnerable Products
Cisco IOS and Cisco IOS XE Software devices that are running an affected version of software are vulnerable if the TFTP server is configured on the device.
To determine whether a device has the TFTP server configured, use the show running-config | include ^tftp-server command-line interface exec command. If the device is not configured with a TFTP server, the command will return no output. If the device is configured with a TFTP server the output will show one or more lines beginning with the keyword tftp-server. In the following example the TFTP server is not enabled:
In the following example the TFTP server is enabled:Router#show running-config | include ^tftp-server
Router#
Router#show running-config | include ^tftp-server tftp-server flash:c2800nm-adventerprisek9-mz.124-1 tftp-server flash:
Router#To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software. The image name displays in parentheses, followed by the Cisco IOS Software release number and release name. Other Cisco devices do not have the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.2(4)M5 with an installed image name of C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.2(4)M5, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Fri 13-Sep-13 16:44 by prod_rel_team!--- output truncatedAdditional information about Cisco IOS Software release naming conventions is available in White Paper: Cisco IOS and NX-OS Software Reference Guide.
Products Confirmed Not Vulnerable
The following products are confirmed not affected by this vulnerability:
- Cisco IOS XR Software
- Cisco NX-OS Software
-
A vulnerability in TFTP server functionality of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload or hang.
The vulnerability is due to incorrect management of memory when handling TFTP requests. An attacker could exploit this vulnerability by making a number of TFTP requests to the affected device. A successful exploit could allow the attacker to cause the device to reload or hang.
Devices running Cisco IOS and Cisco IOS XE Software that have the TFTP server enabled are affected.
This vulnerability is documented in Cisco bug ID CSCts66733 (registered customers only) and has been assigned Common Vulnerabilities and Exposure (CVE) ID CVE-2015-0681.
Exploit code for this vulnerability does exist, but the code does not execute consistently across platforms and software versions.
-
TFTP Access Lists
Warning: Because the features in this vulnerability use UDP as a transport, it is possible to spoof the sender's IP address, which may defeat access control lists (ACLs) that permit communication to these ports from trusted IP addresses. Consider using Unicast RPF in conjunction with TFTP access lists to offer a better mitigation solution.
The following TFTP ACL example should be included as part of the deployed Cisco IOS TFTP server deployments as a best practice.
Anchor each file that is being served using the TFTP server to the TFTP ACL by including the ACL number at the end of the tftp-server statement:!---!--- Define requesting segments or individual hosts!--- The following example allows hosts on network 192.168.22.X to!--- make TFTP requests to the router.!---access-list 1 permit 192.168.22.0 0.0.0.255
Completely Disable the TFTP Servertftp-server flash:c2800nm-adventerprisek9-mz.124-1 1
Cisco IOS Software provides TFTP server functionality to helps transfer of Cisco IOS images when another TFTP server may not be available. If the TFTP server functionality is not currently needed, the following steps may be taken to disable the TFTP server:- While in enable mode on the router, issue the command show running-config and look for lines starting with tftp-server.
- Copy each of the lines that start with tftp-server and paste into a text editor.
- Prepend each line with the word no followed by a space.
- Copy each of the lines that you have edited, and on the router in configuration mode, paste the copied lines to the configuration.
- Exit configuration mode and issue the command show running-config and look for lines starting with tftp-server.
- Confirm there are no lines in the output.
- Save the new configuration.
-
Cisco IOS Software
Cisco has provided a tool to help customers determine their exposure to vulnerabilities in Cisco IOS Software. The Cisco IOS Software Checker allows customers to perform the following tasks:
- Initiate a search by selecting releases from the drop-down menu or uploading a file from a local system
- Enter show version command output for the tool to parse
- Create a customized search by including all previously published Cisco Security Advisories or a specific publication
The tool will identify any Cisco Security Advisories that impact a queried software release and the earliest release that corrects all vulnerabilities in each Cisco Security Advisory ("First Fixed"). If applicable, the tool will also return the earliest possible release that corrects all vulnerabilities in all displayed advisories ("Combined First Fixed"). Please visit the Cisco IOS Software Checker.
Cisco IOS XE Software
Cisco IOS XE Software is affected by the vulnerability described in this advisory.
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and Cisco IOS XE 3SG Release Notes.
Cisco IOS XE Software Release First Fixed Release 2.5.x Vulnerable, migrate to 3.6.0S or later
2.6.x Vulnerable, migrate to 3.6.0S or later 3.1.xS Vulnerable, migrate to 3.6.0S or later
3.1.xSG Vulnerable, migrate to 3.4.0SG or later 3.2.xS Vulnerable, migrate to 3.6.0S or later 3.2.xSE Vulnerable, migrate to 3.3.0SE or later 3.2.xSG Vulnerable, migrate to 3.4.0SG or later 3.2.xXO Vulnerable, migrate to 3.3.0XO or later 3.2.xSQ Vulnerable, contact support organization 3.3.xS Vulnerable, migrate to 3.6.0S or later 3.3.xSE Not vulnerable 3.3.xSG Vulnerable, migrate to 3.4.0SG or later 3.3.xXO Not vulnerable 3.3.xSQ Vulnerable, contact support organization 3.4.xS Vulnerable, migrate to 3.6.0S or later 3.4.xSG Not vulnerable 3.4.xSQ Vulnerable, contact support organization 3.5.xS Vulnerable, migrate to 3.6.0S or later 3.5.xE Not vulnerable 3.6.xS Not vulnerable 3.6.xE Not vulnerable 3.7.xS Not vulnerable 3.7.xE Not vulnerable 3.8.xS Not vulnerable 3.9.xS Not vulnerable 3.10.xS Not vulnerable 3.11.xS Not vulnerable 3.12.xS Not vulnerable 3.13.xS Not vulnerable 3.14.xS
Not vulnerable
3.15.xS
Not vulnerable
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
This vulnerability was discovered during Cisco internal testing, and Zhangzhibing of team vhunter also discovered this vulnerability and has developed publicly available exploit code.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show LessRevision 1.0 2015-July-22 Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.