Cisco Security Advisory
Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability

AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
-
Two vulnerabilities exist in the virtual private dial-up network (VPDN) solution when Point-to-Point Tunneling Protocol (PPTP) is used in certain Cisco IOS releases prior to 12.3. PPTP is only one of the supported tunneling protocols used to tunnel PPP frames within the VPDN solution.
The first vulnerability is a memory leak that occurs as a result of PPTP session termination. The second vulnerability may consume all interface descriptor blocks on the affected device because those devices will not reuse virtual access interfaces. If these vulnerabilities are repeatedly exploited, the memory and/or interface resources of the attacked device may be depleted.
Cisco has made free software available to address these vulnerabilities for affected customers.
There are no workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080326-pptp.
Note: The March 26, 2008 publication includes five security advisories. The advisories all address vulnerabilities in Cisco's IOS software. Each advisory lists the releases that correct the vulnerability described in the advisory, and also lists the releases that correct the vulnerabilities in the other four advisories.
Individual publication links are listed below:
- Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080326-pptp
- Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080326-dlsw
- Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080326-IPv4IPv6
- Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor 32, Supervisor 720, or Route Switch Processor 720
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080326-queue
- Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080326-mvpn
-
Devices that are running certain Cisco IOS versions prior to 12.3 with VPDN enabled may be affected by these vulnerabilities.
Vulnerable Products
Devices that are running affected versions of Cisco IOS with VPDN enabled and are configured to accept termination of PPTP sessions are vulnerable.
To determine whether VPDN is enabled on your device, log in to the device and issue the command-line interface (CLI) command show running-config. If the output contains vpdn enable along with a vpdn-group command, VPDN is enabled on the device. The device will accept termination of PPTP sessions if the command protocol any or protocol pptp is defined under the vpdn-group command. The following example shows a device that is running VPDN and will accept termination of PPTP sessions:

Router#show running-config
Building configuration...
!
!--- Output truncated.
!
vpdn enable
!
vpdn-group test_only
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!--- Remaining output truncated.
To determine the software version running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the show version command or will give different output.
The following example identifies a Cisco product that is running Cisco IOS release 12.2(7):

Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(7), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Tue 15-Jan-02 18:31 by pwade
Image text-base: 0x600089C0, data-base: 0x613A6000
Additional information about Cisco IOS release naming can be found at http://www.cisco.com/warp/public/620/1.html.
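As an added example (not part of the Cisco advisory), the following Python script applies the two checks above to saved show running-config and show version output: it reports whether VPDN is enabled with a vpdn-group that defines protocol pptp or protocol any, parses the IOS release from the banner, and combines the two into the advisory's coarse exposure screen (release earlier than 12.3 and PPTP termination accepted). The sample outputs are constructed for illustration, modelled on the advisory's examples; the function names are the example's own.

```python
import re

# Constructed 'show running-config' excerpt, modelled on the advisory's example (not a real device).
SAMPLE_RUNNING_CONFIG = """\
Building configuration...
!
hostname Router
!
vpdn enable
!
vpdn-group test_only
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
end
"""

# Constructed 'show version' banner, modelled on the advisory's example.
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(7), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
"""


def accepts_pptp(running_config: str) -> bool:
    """True if 'vpdn enable' is present and some vpdn-group defines protocol pptp or protocol any."""
    if not re.search(r"^vpdn enable\s*$", running_config, re.M):
        return False
    # Split the configuration into top-level blocks: each block starts at column 0 and
    # carries its indented sub-mode lines (IOS indents sub-modes by one space per level).
    blocks = re.split(r"^(?=\S)", running_config, flags=re.M)
    for block in blocks:
        if not block.startswith("vpdn-group "):
            continue
        # The advisory's criterion: 'protocol pptp' or 'protocol any' under the vpdn-group.
        if re.search(r"^\s+protocol (pptp|any)\s*$", block, re.M):
            return True
    return False


def ios_version(show_version: str):
    """Parse 'Version 12.2(7)' from the banner into (12, 2, 7); None if no IOS version line is found."""
    m = re.search(r"\bVersion (\d+)\.(\d+)\((\d+)\)", show_version)
    return tuple(int(g) for g in m.groups()) if m else None


def is_exposed(show_version: str, running_config: str) -> bool:
    """Coarse screen from the advisory: IOS earlier than 12.3 and configured to terminate PPTP sessions."""
    ver = ios_version(show_version)
    if ver is None:
        raise ValueError("not recognisable Cisco IOS 'show version' output")
    return ver[:2] < (12, 3) and accepts_pptp(running_config)


if __name__ == "__main__":
    print("IOS version:", ios_version(SAMPLE_SHOW_VERSION))
    print("accepts PPTP termination:", accepts_pptp(SAMPLE_RUNNING_CONFIG))
    print("exposed per advisory screen:", is_exposed(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG))
```

The "earlier than 12.3" test is only the screen the advisory's summary gives; the software table below is what decides a given train (for example 12.0(7)XE2 and later are not vulnerable, and several 12.2 trains have their own first fixed releases), so treat a True result as "look the running release up in the table", not as confirmation.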
Products Confirmed Not Vulnerable
Devices that are running Cisco IOS versions 12.3 and later are not affected by these vulnerabilities. Devices that are explicitly configured for VPDN protocols other than PPTP are not affected.
Devices that are running Cisco IOS versions prior to 12.3 and do not have VPDN enabled are not affected by these vulnerabilities.
Cisco IOS XR is not affected by these vulnerabilities.
-
VPDNs securely carry private data over a public network, allowing remote users to access a private network over a shared infrastructure such as the Internet. VPDNs maintain the same security and management policies as a private network, while providing a cost-effective method for point-to-point connections between remote users and a central network.
PPTP is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPDN across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol, virtual private networking over public networks, such as the Internet.
Details regarding the two known vulnerabilities in Cisco IOS devices that are running affected versions of system software follow:
-
Memory Leak due to PPTP Session Termination
Upon completion of a PPTP session, memory is leaked from processor memory on the terminating device. The leak is visible in the output of show process memory under the *Dead* process. *Dead* is not a real process; it accounts for memory that was allocated in the context of a process which has since terminated, in this case PPTP. On a device that is being exploited, the Holding value of the *Dead* entry in show process memory increases as PPTP sessions are terminated. The following example shows a device that is holding *Dead* memory:

Router#show process memory
Total: 199718560, Used: 11147828, Free: 188570732
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   0   0      99812       1848    8415816          0          0 *Init*
   0   0        444     778840        444          0          0 *Sched*
   0   0   17481700    4930848     819672     180908          0 *Dead*
   1   0        284        284       3828          0          0 Load Meter
!--- Output truncated.

Router#show memory dead
              Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   6225FF40   224002240    11906736   212095504   212082872   212084464
I/O         20000000    33554440      994136    32560304    32560304    32560252
I/O-2        F800000     8388616     1020632     7367984     7367984     7367932

Processor memory

Address    Bytes     Prev     Next     Ref  PrevF    NextF    Alloc PC  what
62275DC8 0000000048 62275D68 62275E24 001  -------  -------  60654230  PPTP create idb
62275E24 0000000052 62275DC8 62275E84 001  -------  -------  60654230  PPTP create idb
62275E84 0000000052 62275E24 62275EE4 001  -------  -------  60654230  PPTP create idb
....
!--- Remaining output truncated.
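As an added example (not part of the Cisco advisory), this Python code turns the manual check described above into something that can be polled: it compares the *Dead* Holding value across two or more captures of show process memory taken some time apart, and tallies the "what" tags in show memory dead so that growth can be attributed to PPTP create idb blocks rather than to some other terminated process. The captures are constructed, modelled on the advisory's output, with the second capture's *Dead* figures made up to show growth; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed 'show process memory' capture modelled on the advisory's example (not a real device).
SAMPLE_T0 = """\
Total: 199718560, Used: 11147828, Free: 188570732
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   0   0      99812       1848    8415816          0          0 *Init*
   0   0        444     778840        444          0          0 *Sched*
   0   0   17481700    4930848     819672     180908          0 *Dead*
   1   0        284        284       3828          0          0 Load Meter
"""
# Second constructed capture: *Dead* Allocated/Freed/Holding raised by made-up amounts to show growth.
SAMPLE_T1 = SAMPLE_T0.replace("17481700    4930848     819672", "19581700    6930848     919672")

# Constructed 'show memory dead' excerpt, copied in shape from the advisory's example.
SAMPLE_SHOW_MEMORY_DEAD = """\
Processor memory

Address    Bytes     Prev     Next     Ref  PrevF    NextF    Alloc PC  what
62275DC8 0000000048 62275D68 62275E24 001  -------  -------  60654230  PPTP create idb
62275E24 0000000052 62275DC8 62275E84 001  -------  -------  60654230  PPTP create idb
62275E84 0000000052 62275E24 62275EE4 001  -------  -------  60654230  PPTP create idb
"""

# Address Bytes Prev Next Ref PrevF NextF AllocPC what
DEAD_BLOCK_RE = re.compile(
    r"^([0-9A-F]{8})\s+(\d+)\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+([0-9A-F]{8})\s+(.+?)\s*$"
)


def dead_holding(show_process_memory: str) -> int:
    """Holding column (bytes) of the *Dead* pseudo-process in 'show process memory' output."""
    for line in show_process_memory.splitlines():
        cols = line.split()
        # Columns: PID TTY Allocated Freed Holding Getbufs Retbufs Process
        if len(cols) >= 8 and cols[7] == "*Dead*":
            return int(cols[4])
    raise ValueError("*Dead* row not found in show process memory output")


def dead_growth(samples):
    """Byte change in *Dead* Holding between each pair of consecutive captures."""
    values = [dead_holding(s) for s in samples]
    return [later - earlier for earlier, later in zip(values, values[1:])]


def leak_suspected(samples, min_total_growth=0) -> bool:
    """True when *Dead* Holding rises at every poll and the total rise exceeds min_total_growth bytes."""
    deltas = dead_growth(samples)
    return bool(deltas) and all(d > 0 for d in deltas) and sum(deltas) > min_total_growth


def dead_blocks_by_what(show_memory_dead: str):
    """Map each 'what' tag in 'show memory dead' to (block count, total bytes)."""
    totals = defaultdict(lambda: [0, 0])
    for line in show_memory_dead.splitlines():
        m = DEAD_BLOCK_RE.match(line)
        if m:
            totals[m.group(4)][0] += 1
            totals[m.group(4)][1] += int(m.group(2))
    return {what: tuple(counts) for what, counts in totals.items()}


if __name__ == "__main__":
    print("*Dead* Holding deltas:", dead_growth([SAMPLE_T0, SAMPLE_T1]))
    print("leak suspected:", leak_suspected([SAMPLE_T0, SAMPLE_T1]))
    print("dead blocks by allocator:", dead_blocks_by_what(SAMPLE_SHOW_MEMORY_DEAD))
```

A single snapshot proves nothing, since *Dead* also legitimately holds memory from any process that has exited; the signal is Holding that keeps climbing while PPTP sessions are being set up and torn down, with show memory dead attributing the retained blocks to PPTP create idb.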
-
Virtual Access Interfaces Are Not Re-used
Upon completion of a PPTP session, affected devices do not remove the virtual access interface that is associated with the PPTP session and do not reuse the interfaces in any future connections.
This situation can result in exhaustion of the interface descriptor block (IDB) limit, which prevents any new interfaces from being created within Cisco IOS, effectively blocking all new VPDN connections even though the router may still have enough processor memory to remain up and running. A reload of the device is required to remove the interfaces.
An IDB is a Cisco IOS internal data structure that contains information such as the IP address, interface state, and packet statistics. Cisco IOS software maintains one IDB for each interface present on a platform and one IDB for each subinterface.
Further documentation on Cisco IOS IDBs can be found at: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a0080094322.shtml
This vulnerability is documented in Cisco bug ID CSCdv59309 ( registered customers only) and Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-1150 has been assigned to this vulnerability.
-
There are no workarounds for these vulnerabilities. Cisco recommends upgrading to the fixed version of Cisco IOS.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Release" column of the table.
Major Release: Availability of Repaired Releases

The release-train column that labels each row of the table is not present in this copy. Entries below are given in table order as "First Fixed Release -> Recommended Release"; where the same cell text appears for several trains the number of trains is given, and rows reading "Not Vulnerable" are collapsed into one line per major release.

Affected 12.0-Based Releases
- Releases prior to 12.0(7)XE2 are vulnerable, release 12.0(7)XE2 and later are not vulnerable
- All other 12.0-based trains in the table: Not Vulnerable

Affected 12.1-Based Releases
- Releases prior to 12.1(22)AY1 are vulnerable, release 12.1(22)AY1 and later are not vulnerable -> 12.1(22)EA11
- Vulnerable; first fixed in 12.2B -> 12.4(18a)
- Vulnerable; contact TAC (3 trains)
- Releases prior to 12.1(11)EA1 are vulnerable, release 12.1(11)EA1 and later are not vulnerable -> 12.1(22)EA11
- Vulnerable; first fixed in 12.2BC -> 12.3(23)BC1
- Vulnerable; migrate to any release in 12.3 -> 12.3(26) (3 trains)
- Vulnerable; first fixed in 12.2T -> 12.3(26) (13 trains)
- Vulnerable; first fixed in 12.2XB -> 12.3(26)
- Releases prior to 12.1(5)YE6 are vulnerable, release 12.1(5)YE6 and later are not vulnerable; first fixed in 12.2T -> 12.3(26)
- All other 12.1-based trains in the table: Not Vulnerable

Affected 12.2-Based Releases
- Vulnerable; migrate to any release in 12.3 -> 12.3(26) (3 trains)
- 12.2(4)B5 -> 12.4(18a)
- 12.2(15)BC1e, 12.2(15)BC2d, 12.2(8)BC1 -> 12.3(23)BC1
- 12.2(4)BW1, 12.2(4)BW1a -> 12.3(26)
- 12.2(8)BY -> 12.4(18a)
- Vulnerable; contact TAC
- Vulnerable; first fixed in 12.2B -> 12.4(18a) (2 trains)
- Releases prior to 12.2(18)S are vulnerable, release 12.2(18)S and later are not vulnerable; migrate to any release in 12.2SRC -> 12.2(25)S15
- Vulnerable; migrate to any release in 12.3T -> 12.4(18a) (3 trains)
- Releases prior to 12.2(17a)SX are vulnerable, release 12.2(17a)SX and later are not vulnerable; migrate to any release in 12.2SXF -> 12.2(18)SXF13
- Vulnerable; migrate to any release in 12.2SXB -> 12.2(18)SXF13 (3 trains)
- Vulnerable; migrate to any release in 12.2SRC -> 12.2(25)S15, 12.2(31)SB11, 12.2(33)SRC (3 trains)
- 12.2(15)T4e, 12.2(8)T -> 12.3(26)
- Vulnerable; first fixed in 12.2T -> 12.3(26) (12 trains)
- 12.2(2)XB5 -> 12.3(26)
- Vulnerable; first fixed in 12.2BC -> 12.3(23)BC1
- All other 12.2-based trains in the table: Not Vulnerable

Affected 12.3-Based Releases
- There are no affected 12.3-based releases

Affected 12.4-Based Releases
- There are no affected 12.4-based releases
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
We would like to thank Martin Kluge of Elxsi Security for reporting these vulnerabilities to us. We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist with security vulnerability reports against Cisco products.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.2, 2008-June-27: Updated Summary to remove link and verbiage.
Revision 1.1, 2008-March-29: Updated Software Table for 12.0S, 12.0SY, 12.0SX and 12.0SZ due to new information on advisory ID cisco-sa-20080326-IPv4IPv6, the March 26th advisory on IPv4IPv6 Dual Stack Routers.
Revision 1.0, 2008-March-26: Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.