Cisco Security Advisory
Cisco IOS Next Hop Resolution Protocol Vulnerability
AV:R/AC:H/Au:NR/C:C/I:C/A:C/B:N/E:P/RL:O/RC:C
-
The Cisco Next Hop Resolution Protocol (NHRP) feature in Cisco IOS contains a vulnerability that can result in a restart of the device or possible remote code execution.
NHRP is a primary component of the Dynamic Multipoint Virtual Private Network (DMVPN) feature.
NHRP can operate in three ways: at the link layer (Layer 2), over Generic Routing Encapsulation (GRE) and multipoint GRE (mGRE) tunnels and directly on IP (IP protocol number 54). This vulnerability affects all three methods of operation.
NHRP is not enabled by default for Cisco IOS.
This vulnerability is addressed by Cisco bug IDs CSCin95836 ( registered customers only) for non-12.2 mainline releases and CSCsi23231 ( registered customers only) for 12.2 mainline releases.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-nhrp.
Note: The August 08, 2007 publication includes four Security Advisories and one Security Response. The advisories all affect IOS, one additionally affects Cisco Unified Communications Manager as well. Each advisory lists the releases that correct the vulnerability described in the advisory, and the advisories also detail the releases that correct the vulnerabilities in all four advisories. Individual publication links are listed below:
-
Cisco IOS Information Leakage Using IPv6 Routing Header
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-IOS-IPv6-leak
-
Cisco IOS Next Hop Resolution Protocol Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-nhrp
-
Cisco IOS Secure Copy Authorization Bypass Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-scp
-
Voice Vulnerabilities in Cisco IOS and Cisco Unified Communications
Manager
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-IOS-voice
-
Cisco Unified MeetingPlace XSS Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070808-mp
-
Cisco IOS Information Leakage Using IPv6 Routing Header
-
Vulnerable Products
Cisco devices running IOS that are configured for NHRP functionality are affected. NHRP is also used in conjunction with the DMVPN feature.
Affected devices may have the following command in the running configuration:
ip nhrp network-id
After the above command is configured, simply removing the command from the running configuration is not sufficient to disable the NHRP service. Customers can check the output of the following command to see if the NHRP process is enabled:
router#show processes | include NHRP 42 Mwe F8B8CC 24 76 315 7836/12000 0 NHRP
If the preceding command displays the NHRP process, NHRP is running on the IOS device.
Customers who do not have NHRP configured but see the process in the process table can take the following action to eliminate their exposure:
Ensure that NHRP is not configured in the device's startup configuration and reload the device. After the device is restarted with NHRP removed from the configuration, the NHRP process will not be running.
Products Confirmed Not Vulnerable
-
Cisco devices that do not run Cisco IOS are not affected.
-
Cisco devices that are running Cisco IOS XR are not affected.
No other Cisco devices are known to be affected.
-
Cisco devices that do not run Cisco IOS are not affected.
-
NHRP is a standards-based protocol that is aimed at providing Layer 2 to Layer 3 resolution for Nonbroadcast Multiaccess networks (NBMA).
Network devices and hosts can use NHRP to discover the addresses of other devices connected to an NBMA network.
For more information on NHRP, see http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_cfg_nhrp_ps6441_TSD_Products_Configuration_Guide_Chapter.html
NHRP is an open standard and the public RFC is on the web at:
http://www.rfc-editor.org/rfc/rfc2332.txt
NHRP has extended uses in DMVPNs, can be carried in GRE and mGRE tunnels or can be transported directly within IP datagrams as IP protocol number 54.
Workarounds are available for protecting routers from NHRP packets sent over GRE or mGRE tunnels or sent as NHRP directly in IP datagrams.
No workarounds exist for blocking Layer 2 NHRP packets. However, Layer 2 NHRP packets are not routable and must be sent by a Layer 2-adjacent device.
This vulnerability was addressed by two different bug IDs. A Cisco IOS release only needs to contain one of these bug fixes to be repaired for this vulnerablility. The bug IDs are CSCin95836 ( registered customers only) (for non-12.2 mainline releases) and CSCsi23231 ( registered customers only) (for 12.2 mainline releases).
-
Customers who do not need NHRP functionality may disable the NHRP service and eliminate the exposure to this vulnerability.
For customers who require NHRP functionality, this section provides some workarounds to help reduce exposure.
If NHRP is required, the only complete resolution to this issue is to upgrade to a fixed version of software.
Additional mitigations that can be deployed on Cisco devices within the network are discussed in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link:
Because this attack can be sent from spoofed source addresses, anti-spoofing techniques are required for the workarounds in this section to be most effective.
Infrastructure ACLs
Although it is often difficult to block traffic transiting the network, it is possible to identify traffic that should never be allowed to target infrastructure devices and block that traffic at the border of the network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The following ACL example should be included as part of the deployed infrastructure access list that will protect all devices with IP addresses in the infrastructure IP address range.
!--- Permit NHRP/GRE services from trusted hosts destined !--- to infrastructure addresses. access-list 150 permit 47 TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK access-list 150 permit 54 TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK !--- Deny NHRP/GRE packets from all other sources destined !--- to infrastructure addresses. access-list 150 deny 47 any INFRASTRUCTURE_ADDRESSES MASK access-list 150 deny 54 any INFRASTRUCTURE_ADDRESSES MASK !--- Permit all other traffic to transit the device. access-list 150 permit IP any any interface serial 2/0 ip access-group 150 in
The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists. This white paper is on the web at
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
Control Plane Policing
Control Plane Policing (CoPP) can be used to block untrusted NHRP (IP protocol number 54) and GRE (IP protocol number 47) access to the affected device. Cisco IOS Software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. Administrators can configure CoPP on a device to help protect the management and control planes. Configuring CoPP can minimize the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic sent to infrastructure devices in accordance with existing security policies and configurations. Administrators can adapt the following example to their networks.
!--- Deny NHRP (IP protocol number 54) and GRE (IP protocol number 47) !--- traffic from trusted hosts to all IP addresses configured !--- on all interfaces of the affected device so that it will !--- be allowed by the CoPP feature. ! access-list 111 deny 54 TRUSTED_ADDRESSES MASK any access-list 111 deny 47 TRUSTED_ADDRESSES MASK any ! !--- Permit all other NHRP (IP protocol number 54) and GRE (IP protocol !--- number 47) traffic sent to all IP addresses configured on !--- all interfaces of the affected device so that it will be !--- policed and dropped by the CoPP feature. ! access-list 111 permit 54 any any access-list 111 permit 47 any any ! !--- Permit (Police or Drop)/Deny (Allow) all other Layer3 !--- and Layer4 traffic in accordance with existing security !--- policies and configurations for traffic that is authorized !--- to be sent to infrastructure devices. ! !--- Create a class map for traffic to be policed by the CoPP !--- feature. ! class-map match-all drop-NHRP-class match access-group 111 ! !--- Create a policy map that will be applied to the control plane !--- of the affected device. ! policy-map drop-NHRP-traffic class drop-NHRP-class drop ! !--- Apply the policy map to the control plane of the device !--- device. ! control-plane service-policy input drop-NHRP-traffic !
In the preceding CoPP example, the access control list entries (ACEs) that match the potential exploit packets with the "permit" action result in the discarding of these packets by the policy-map "drop" function, whereas packets that match the "deny" action (not shown) are not affected by the policy-map drop function. Please note that in the 12.2S and 12.0S Cisco IOS Software trains, the policy-map syntax is different:
policy-map drop-NHRP-traffic class drop-NHRP-class police 32000 1500 1500 conform-action drop exceed-action drop
Additional information on the configuration and use of the CoPP feature is on the web at
and
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table.
For further information about how Cisco IOS is built, numbered and maintained, please see the following URL: http://www.cisco.com/warp/public/620/1.html.
Major Release
Availability of Repaired Releases
Affected 12.0-Based Release
First Fixed Release
Recommended Release
12.0
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.0DA
Not Vulnerable
12.0DB
Not Vulnerable
12.0DC
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.0S
12.0(32)S8; available 21-Aug-07
12.0(32)S8; available 21-Aug-07
12.0SC
Vulnerable; first fixed in 12.3(17a)BC
12.3(17b)BC8
12.3(21a)BC3
12.0SL
Vulnerable; first fixed in 12.0(32)S8; available 21-Aug-07
12.0(32)S8; available 21-Aug-07
12.0SP
Vulnerable; first fixed in 12.0(32)S8 available 21-Aug-07
12.0(32)S8; available 21-Aug-07
12.0ST
Vulnerable; first fixed in 12.0(32)S8; available 21-Aug-07
12.0(32)S8; available 21-Aug-07
12.0SX
Vulnerable; first fixed in 12.0(32)S8; available 21-Aug-07
12.0(32)S8; available 21-Aug-07
12.0SY
12.0(32)SY4; available 21-Aug-07
12.0(32)SY4; available 21-Aug-07
12.0SZ
Vulnerable; first fixed in 12.0(32)S8; available 21-Aug-07
12.0T
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.0W
Not Vulnerable
12.0WC
Not Vulnerable
12.0WT
Not Vulnerable
12.0XA
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.0XB
Not Vulnerable
12.0XC
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.0XD
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.0XE
Vulnerable; first fixed in 12.1(27b)E3; available 10-Aug-07
12.0XF
Not Vulnerable
12.0XG
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.0XH
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.0XI
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.0XJ
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.0XK
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.0XL
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.0XM
Not Vulnerable
12.0XN
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.0XQ
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.0XR
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.0XS
Not Vulnerable
12.0XV
Not Vulnerable
12.0XW
Not Vulnerable
Affected 12.1-Based Release
First Fixed Release
Recommended Release
12.1
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.1AA
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.1AX
Not Vulnerable
12.1AY
Not Vulnerable
12.1AZ
Not Vulnerable
12.1CX
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.1DA
12.2(10)DA8
12.2(12)DA12
12.2(10)DA8
12.2(12)DA12
12.1DB
Not Vulnerable
12.1DC
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.1E
12.1(27b)E3; available 5-Mar-08
12.1EA
Not Vulnerable
12.1EB
Not Vulnerable
12.1EC
Vulnerable; first fixed in 12.3(17a)BC
12.3(17b)BC8
12.3(21a)BC3
12.1EO
Not Vulnerable
12.1EU
Vulnerable; first fixed in 12.2(25)EWA10
12.2(25)EWA10
12.1EV
Not Vulnerable
12.1EW
Vulnerable; first fixed in 12.2(25)EWA10
All Cat4K platforms:
12.2(25)EWA10
12.2(31)SGA3
12.2(37)SG1
12.2(40)SG; available Oct-07
12.1EX
Vulnerable; first fixed in 12.1(27b)E3; available 5-Mar-08
12.1EY
Not Vulnerable
12.1EZ
Vulnerable; first fixed in 12.1(27b)E3; available 5-Mar-08
12.1GA
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.1GB
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.1T
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.1XA
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.1XB
Not Vulnerable
12.1XC
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.1XD
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.1XE
Not Vulnerable
12.1XF
Not Vulnerable
12.1XG
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.1XH
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.1XI
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.1XJ
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.1XK
Not Vulnerable
12.1XL
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.1XM
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.1XN
Not Vulnerable
12.1XO
Not Vulnerable
12.1XP
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.1XQ
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.1XR
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.1XS
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.1XT
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.1XU
Not Vulnerable
12.1XV
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.1XW
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.1XX
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.1XY
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.1XZ
Vulnerable; first fixed in 12.2(46)
12.2(46a)
12.1YA
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.1YB
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.1YC
Not Vulnerable
12.1YD
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.1YE
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.1YF
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.1YG
Not Vulnerable
12.1YH
Not Vulnerable
12.1YI
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.1YJ
Not Vulnerable
Affected 12.2-Based Release
First Fixed Release
Recommended Release
12.2
12.2(26c); available 14-Aug-07
12.2(27c); available 14-Aug-07
12.2(28d); available 14-Aug-07
12.2(29b); available 14-Aug-07
12.2(46)
12.2(46a)
12.2B
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2BC
Vulnerable; first fixed in 12.3(17a)BC
12.3(17b)BC8
12.3(21a)BC3
12.2BW
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2BY
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2BZ
Vulnerable; first fixed in 12.3(7)XI10a available 21-Aug-07
12.3(7)XI10a; available 21-Aug-07
12.2CX
Vulnerable; first fixed in 12.3(17a)BC
12.3(17b)BC8
12.3(21a)BC3
12.2CY
Vulnerable; first fixed in 12.3(17a)BC
12.3(17b)BC8
12.3(21a)BC3
12.2CZ
Not Vulnerable
12.2DA
12.2(10)DA8
12.2(12)DA12
12.2(10)DA8
12.2(12)DA12
12.2DD
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2DX
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2EU
Vulnerable; first fixed in 12.2(25)EWA10
All Cat4K platforms:
12.2(25)EWA10
12.2(31)SGA3
12.2(37)SG1
12.2(40)SG; available Oct-07
12.2EW
Vulnerable; first fixed in 12.2(25)EWA10
All Cat4K platforms:
12.2(25)EWA10
12.2(31)SGA3
12.2(37)SG1
12.2(40)SG; available Oct-07
12.2EWA
12.2(25)EWA10
All Cat4K platforms:
12.2(25)EWA10
12.2(31)SGA3
12.2(37)SG1
12.2(40)SG; available Oct-07
12.2EX
Not Vulnerable
12.2EY
Not Vulnerable
12.2EZ
Not Vulnerable
12.2FX
Not Vulnerable
12.2FY
Not Vulnerable
12.2FZ
Not Vulnerable
12.2IXA
Not Vulnerable
12.2IXB
Not Vulnerable
12.2IXC
Not Vulnerable
12.2IXD
Not Vulnerable
12.2IXE
Not Vulnerable
12.2JA
Not Vulnerable
12.2JK
Not Vulnerable
12.2MB
Vulnerable; first fixed in 12.2(25)SW11
12.2(25)SW11
12.2MC
12.2(15)MC2h
12.2(15)MC2j
12.2(15)MC2j
12.2S
12.2(14)S19
12.2(18)S13
12.2(20)S14
12.2(25)S13
12.2(25)S13
12.2(14)S19
12.2SB
12.2(28)SB9
12.2(31)SB6
12.2(28)SB9; available 15-Aug-07
12.2(31)SB6
12.2SBC
Vulnerable; first fixed in 12.2(31)SB6
12.2(28)SB9; available 15-Aug-07
12.2(31)SB6
12.2SE
Not Vulnerable
12.2SEA
Not Vulnerable
12.2SEB
Not Vulnerable
12.2SEC
Not Vulnerable
12.2SED
Not Vulnerable
12.2SEE
Not Vulnerable
12.2SEF
Not Vulnerable
12.2SEG
Not Vulnerable
12.2SG
12.2(25)SG2; available 13-Aug-07
12.2(31)SG2; available 13-Aug-07
12.2(37)SG1; available 13-Aug-07
12.2(40)SG; available 24-Oct-07
All Cat4K platforms:
12.2(25)SG2
12.2(37)SG1
12.2(31)SG2
12.2(40)SG; available Oct-07
12.2SGA
12.2(31)SGA3
12.2(31)SGA4; available 15-Oct-07
All Cat4K platforms:
12.2(31)SGA3
12.2(37)SG1
12.2(40)SG; available Oct-07
12.2SL
Not Vulnerable
12.2SM
12.2(29)SM2; available 22-Aug-07
12.2(29)SM2; available 10-Aug-07
12.2SO
Not Vulnerable
12.2SRA
Not Vulnerable
12.2SRB
Not Vulnerable
12.2SU
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2SV
12.2(29)SV4; available 14-Oct-07
12.2(29)SV4; available 14-Oct-07
12.2SVA
Not Vulnerable
12.2SVC
Not Vulnerable
12.2SW
12.2(25)SW11
12.2(25)SW11
12.2SX
Vulnerable; first fixed in 12.2(18)SXE4
12.2SXA
Vulnerable; first fixed in 12.2(18)SXE4
12.2SXB
Vulnerable; first fixed in 12.2(18)SXE4
12.2(18)SXF10
12.2SXD
Vulnerable; contact TAC
12.2SXE
12.2(18)SXE4
12.2(18)SXF10
12.2SXF
Not Vulnerable
12.2SXH
Not Vulnerable
12.2SY
Vulnerable; first fixed in 12.2(18)SXE4
12.2SZ
Vulnerable; first fixed in 12.2(25)S13
12.2(25)S13
12.2(14)S19
12.2T
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2TPC
12.2(8)TPC10c; available 17-Aug-07
12.2(8)TPC10c
12.2UZ
Vulnerable; first fixed in 12.2(31)SB6
12.2(28)SB9; available 15-Aug-07
12.2(31)SB6
12.2VZ
Vulnerable; first fixed in 12.2(31)SB6
12.2(28)SB9; available 15-Aug-07
12.2(31)SB6
12.2XA
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2XB
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2XC
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2XD
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2XE
Not Vulnerable
12.2XF
Vulnerable; first fixed in 12.3(17a)BC
12.3(17b)BC8
12.3(21a)BC3
12.2XG
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2XH
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2XI
Not Vulnerable
12.2XJ
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2XK
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2XL
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2XM
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2XN
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2XQ
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2XR
12.3(2)JA3
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2XS
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2XT
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2XU
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2XV
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2XW
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2YA
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2YB
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2YC
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2YD
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2YE
Vulnerable; first fixed in 12.2(25)S13
12.2(25)S13
12.2(14)S19
12.2YF
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2YG
Not Vulnerable
12.2YH
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2YJ
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2YK
Not Vulnerable
12.2YL
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2YM
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2YN
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2YO
Not Vulnerable
12.2YP
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2YQ
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2YR
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2YS
Not Vulnerable
12.2YT
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2YU
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2YV
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2YW
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2YX
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2YY
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2YZ
Vulnerable; first fixed in 12.2(25)S13
12.2(25)S13
12.2(14)S19
12.2ZA
Vulnerable; first fixed in 12.2(18)SXE4
12.2ZB
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2ZC
Not Vulnerable
12.2ZD
Vulnerable; contact TAC
12.2ZE
Vulnerable; first fixed in 12.3(17a)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.2ZF
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2ZG
Vulnerable; contact TAC
12.3(2)XA6
12.3(8)YG6; available 16-Aug-07
12.2ZH
Vulnerable; contact TAC
12.2(13)ZH9
12.2ZJ
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.2ZL
Vulnerable, first fixed in 12.3(14)T5 for the Cisco 17xx;
first fixed in 12.4(1c) for the Cisco 3200;
first fixed in 12.3(7)XR7, available 13-Aug-07 for the ICS7750
12.2ZP
Not Vulnerable
12.2ZR
Vulnerable; contact TAC
12.2ZU
Not Vulnerable
12.2ZW
Not Vulnerable
12.2ZY
Not Vulnerable
Affected 12.3-Based Release
First Fixed Release
Recommended Release
12.3
12.3(17a)
12.3(18)
12.3(19)
12.3(20)
12.3(21)
12.3(22)
12.3(23)
12.3(23)
12.3(20a)
12.3(21b)
12.3(22a)
12.3(18a)
12.3(19a); available 16-Aug-07
12.3(17c); available 16-Aug-07
12.3B
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.3BC
12.3(17a)BC
12.3(21)BC
12.3(17b)BC8
12.3(21a)BC3
12.3BW
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.3EU
Not Vulnerable
12.3JA
Not Vulnerable
12.3JEA
Not Vulnerable
12.3JEB
Not Vulnerable
12.3JK
Not Vulnerable
12.3JL
Not Vulnerable
12.3JX
Not Vulnerable
12.3T
Limited platform support is available
12.3(11)T12; available 16-Aug-07
12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.3TPC
12.3(4)TPC11b; available 17-Aug-07
12.3(4)TPC11b; available 17-Aug-07
12.3VA
Not Vulnerable
12.3XA
12.3(2)XA6
12.3(2)XA6
12.3XB
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.3XC
12.3(2)XC5
12.3(2)XC5
12.3XD
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.3XE
12.3(2)XE5; available 17-Aug-07
12.3(2)XE5
12.3XF
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.3XG
Vulnerable; contact TAC
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.3XH
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.3XI
12.3(7)XI10a; available 21-Aug-07
12.3(7)XI10a; available 21-Aug-07
12.3XJ
Vulnerable; first fixed in 12.3(14)YX8
12.3(14)YX9; available 13-Aug-07
12.3XK
Vulnerable; first fixed in 12.3(14)T5
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.3XQ
Vulnerable; first fixed in 12.4(1c)
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.3XR
12.3(7)XR7; available 17-Aug-07
12.3(7)XR7; available 17-Aug-07
12.3XS
Vulnerable; first fixed in 12.4(1c)
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.3XU
Vulnerable; first fixed in 12.4(4)T
12.4(11)T3
12.4(9)T5; available 24-Aug-07
12.4(2)T6; available 20-Aug-07
12.4(4)T8; available 28-Aug-07
12.4(6)T8
12.4(15)T1
12.3XW
Vulnerable; first fixed in 12.3(14)YX8
12.3(14)YX9; available 13-Aug-07
12.3XY
Not Vulnerable
12.3YA
Vulnerable; first fixed in 12.4(1c)
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.3(8)YG6; available 16-Aug-07
12.3YD
Vulnerable; first fixed in 12.4(4)T
12.4(11)T3
12.4(9)T5; available 24-Aug-07
12.4(2)T6; available 20-Aug-07
12.4(4)T8; available 28-Aug-07
12.4(6)T8
12.4(15)T1
12.3YF
Vulnerable; first fixed in 12.3(14)YX8
12.3(14)YX9; available 13-Aug-07
12.3YG
12.3(8)YG6; available 16-Aug-07
12.3(8)YG6; available 16-Aug-07
12.3YH
Vulnerable; first fixed in 12.4(4)T
12.4(11)T3
12.4(9)T5; available 24-Aug-07
12.4(2)T6; available 20-Aug-07
12.4(4)T8; available 28-Aug-07
12.4(6)T8
12.4(15)T1
12.3YI
Vulnerable; first fixed in 12.4(4)T
12.4(11)T3
12.4(9)T5; available 24-Aug-07
12.4(2)T6; available 20-Aug-07
12.4(4)T8; available 28-Aug-07
12.4(6)T8
12.4(15)T1
12.3YJ
Vulnerable; first fixed in 12.4(4)T
12.4(11)T3
12.4(9)T5; available 24-Aug-07
12.4(2)T6; available 20-Aug-07
12.4(4)T8; available 28-Aug-07
12.4(6)T8
12.4(15)T1
12.3YK
12.3(11)YK3; available 20-Aug-07
12.3(11)YK3; available 20-Aug-07
12.3YM
12.3(14)YM5
12.3(14)YM11; available 23-Aug-07
12.3YQ
Vulnerable; first fixed in 12.4(4)T
12.4(11)T3
12.4(9)T5; available 24-Aug-07
12.4(2)T6; available 20-Aug-07
12.4(4)T8; available 28-Aug-07
12.4(6)T8
12.4(15)T1
12.3YS
12.3(11)YS2; available 17-Aug-07
12.3(11)YS2
12.3YT
Vulnerable; first fixed in 12.4(4)T
12.4(11)T3
12.4(9)T5; available 24-Aug-07
12.4(2)T6; available 20-Aug-07
12.4(4)T8; available 28-Aug-07
12.4(6)T8
12.4(15)T1
12.3YU
Vulnerable; first fixed in 12.4(2)XB6 available 16-Aug-07
12.4(2)XB6; available 16-Aug-07
12.3YX
12.3(14)YX8
12.3(14)YX9; available 13-Aug-07
12.3YZ
12.3(11)YZ2; available 17-Aug-07
12.3(11)YZ2; available 17-Aug-07
Affected 12.4-Based Release
First Fixed Release
Recommended Release
12.4
12.4(1c)
12.4(10)
12.4(12)
12.4(13)
12.4(16)
12.4(3b)
12.4(5)
12.4(7)
12.4(8)
12.4(12c)
12.4(3h)
12.4(5c)
12.4(8d); available 03-Sep-07
12.4(7f)
12.4(16)
12.4(10c)
12.4(13d)
12.4JA
Not Vulnerable
12.4JX
Not Vulnerable
12.4MD
Not Vulnerable
12.4MR
12.4(12)MR1
12.4(11)MR
12.4(12)MR
12.4(12)MR2; available 14-Aug-07
12.4(4)MR
12.4(6)MR
12.4(9)MR
12.4(12)MR2
12.4SW
Not Vulnerable
12.4T
12.4(11)T
12.4(15)T
12.4(2)T3
12.4(4)T
12.4(6)T
12.4(9)T
12.4(11)T3
12.4(9)T5; available 24-Aug-07
12.4(2)T6; available 20-Aug-07
12.4(4)T8; available 28-Aug-07
12.4(6)T8
12.4(15)T1
12.4XA
Not Vulnerable
12.4XB
12.4(2)XB6; available 16-Aug-07
12.4(2)XB6; available 16-Aug-07
12.4XC
Not Vulnerable
12.4XD
Not Vulnerable
12.4XE
Not Vulnerable
12.4XF
Not Vulnerable
12.4XG
Not Vulnerable
12.4XJ
Not Vulnerable
12.4XK
Not Vulnerable
12.4XT
Not Vulnerable
12.4XV
Not Vulnerable
12.4XW
Not Vulnerable
-
No known exploitation has occurred, exploit code has been made available on a public mailing list by the researcher.
This vulnerability was reported to Cisco by Martin Kluge.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.2
2008-April-25
Updated links to CVSS scores for CSCin95836 and CSCin23231 .
Revision 1.1
2007-August-09
Updated Exploitation and Public Announcements section with public exploit code information.
Revision 1.0
2007-August-08
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.