Cisco IOS is Affected by Multiple Vulnerabilities

Systems Affected

• Cisco network devices running IOS in various configurations

Overview

Several vulnerabilities have been discovered in Cisco's Internet Operating System (IOS). A remote attacker may be able to execute arbitrary code on an affected device, cause an affected device to reload the operating system, or cause other types of denial of service.

I. Description

Cisco has published three advisories describing flaws in IOS with various security impacts, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system. Further details are available in the following vulnerability notes:

VU#217912 - Cisco IOS fails to properly process TCP packets

The Cisco IOS Transmission Control Protocol listener in certain versions of Cisco IOS software contains a memory leak. This memory leak may allow an attacker to create a denial-of-service condition.

VU#341288 - Cisco IOS fails to properly prcoess certain packets containing a crafted IP option

A vulnerability exists in the way Cisco IOS processes a number of different types of IPv4 packets containing a specially crafted IP option. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code on an affected device or create a denial-of-service condition

VU#274760 - Cisco IOS fails to properly process specially crafted IPv6 packets

Cisco IOS fails to properly process IPv6 packets with specially crafted routing headers. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code on an affected device or create a denial-of-service condition.

II. Impact

Although the resulting impacts of these three vulnerabilities is slightly different, in the case of VU#341288 and VU#274760, a remote attacker could cause an affected device to reload the operating system. In some cases, this creates a secondary denial-of-service condition because packets are not forwarded through the affected device while it is reloading. Repeated exploitation of these vulnerabilites may result in a sustained denial-of-service condition.

Because devices running IOS may transmit traffic for a number of other networks, the secondary impacts of a denial of service may be severe.

Also in the case of VU#341288 and VU#274760, successful exploitation may allow a remote attacker to execute arbitrary code on an affected device.

III. Solution

Upgrade to a fixed version of IOS

Cisco has updated versions of its IOS software to address these vulnerabilities. Please refer to the "Software Versions and Fixes" sections of the Cisco Security Advisories listed in the References section of this document for more information on upgrading.

Workaround

Cisco has also published practical workarounds for these vulnerabilities. Please refer to the "Workarounds" section of each Cisco Security Advisory listed in the References section of this document for more information.

Sites that are unable to install an upgraded version of IOS are encouraged to implement these workarounds.

IV. References

• US-CERT Vulnerability Note VU#217912 - <http://www.kb.cert.org/vuls/id/217912>
• US-CERT Vulnerability Note VU#341288 - <http://www.kb.cert.org/vuls/id/341288>
• US-CERT Vulnerability Note VU#274760 - <http://www.kb.cert.org/vuls/id/274760>
• Cisco Security Advisory: Crafted TCP Packet Can Cause Denial of Service - <http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml>
• Cisco Security Advisory: Crafted IP Option Vulnerability - <http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml>
• Cisco Security Advisory: Cisco Security Advisory: IPv6 Routing Header Vulnerability - <http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml>

Feedback can be directed to US-CERT.

Produced 2007 by US-CERT, a government organization. Terms of use

Revision History

January 24, 2007: Initial release